From 32ba4d58fdda7717875759888a7565f800ad57a4 Mon Sep 17 00:00:00 2001 
From: Andrew Hopkins Date: Thu, 20 Feb 2025 16:49:21 -0800 Subject: [PATCH] Run ./util/check_clang_format.sh --fix to format all C/C++ source code according to the .clang-format rules --- crypto/abi_self_test.cc | 12 +- crypto/asn1/a_gentm.c | 3 +- crypto/asn1/a_mbstr.c | 6 +- crypto/asn1/a_time.c | 2 +- crypto/asn1/a_utctm.c | 4 +- crypto/asn1/asn1_lib.c | 11 +- crypto/asn1/asn1_test.cc | 82 +- crypto/asn1/internal.h | 14 +- crypto/asn1/posix_time.c | 14 +- crypto/asn1/tasn_dec.c | 3 +- crypto/base64/base64.c | 18 +- crypto/bio/bio.c | 131 +- crypto/bio/bio_mem.c | 6 +- crypto/bio/bio_test.cc | 46 +- crypto/bio/connect.c | 23 +- crypto/bio/fd.c | 20 +- crypto/bio/hexdump.c | 6 +- crypto/bio/internal.h | 2 +- crypto/bio/pair.c | 8 +- crypto/bio/printf.c | 2 +- crypto/bio/socket.c | 4 +- crypto/bio/socket_helper.c | 6 +- crypto/blake2/blake2.c | 5 +- crypto/bn_extra/bn_asn1.c | 3 +- crypto/bn_extra/convert.c | 40 +- crypto/buf/buf.c | 2 +- crypto/bytestring/asn1_compat.c | 2 +- crypto/bytestring/ber.c | 6 +- crypto/bytestring/bytestring_test.cc | 118 +- crypto/bytestring/cbb.c | 54 +- crypto/bytestring/cbs.c | 8 +- crypto/bytestring/internal.h | 18 +- crypto/bytestring/unicode.c | 14 +- crypto/chacha/chacha.c | 22 +- crypto/chacha/chacha_test.cc | 6 +- crypto/cipher_extra/aead_test.cc | 37 +- crypto/cipher_extra/cipher_extra.c | 26 +- crypto/cipher_extra/cipher_test.cc | 144 +- crypto/cipher_extra/derive_key.c | 2 +- crypto/cipher_extra/e_aes_cbc_hmac_sha1.c | 62 +- crypto/cipher_extra/e_aes_cbc_hmac_sha256.c | 57 +- crypto/cipher_extra/e_aesgcmsiv.c | 16 +- crypto/cipher_extra/e_chacha20poly1305.c | 130 +- crypto/cipher_extra/e_des.c | 2 +- crypto/cipher_extra/e_null.c | 4 +- crypto/cipher_extra/e_rc2.c | 4 +- crypto/cipher_extra/internal.h | 18 +- crypto/cipher_extra/tls_cbc.c | 37 +- crypto/compiler_test.cc | 29 +- crypto/conf/conf.c | 14 +- crypto/conf/conf_def.h | 127 +- crypto/conf/conf_test.cc | 4 +- crypto/crypto.c | 16 +- crypto/crypto_test.cc | 12 +- 
crypto/curve25519_extra/curve25519_extra.c | 17 +- crypto/curve25519_extra/internal.h | 26 +- crypto/decrepit/bio/base64_bio.c | 15 +- crypto/decrepit/blowfish/blowfish.c | 418 +-- crypto/decrepit/cast/cast.c | 22 +- crypto/decrepit/cast/internal.h | 2 +- crypto/decrepit/cfb/cfb.c | 72 +- crypto/decrepit/cfb/cfb_test.cc | 276 +- crypto/decrepit/dh/dh_decrepit.c | 6 +- crypto/decrepit/evp/evp_do_all.c | 9 +- crypto/decrepit/obj/obj_decrepit.c | 30 +- crypto/decrepit/ripemd/ripemd.c | 362 +- crypto/decrepit/rsa/rsa_decrepit.c | 10 +- crypto/des/des.c | 481 ++- crypto/des/des_test.cc | 5 +- crypto/dh_extra/dh_asn1.c | 15 +- crypto/dh_extra/dh_test.cc | 295 +- crypto/dh_extra/params.c | 52 +- crypto/digest_extra/digest_extra.c | 70 +- crypto/digest_extra/digest_test.cc | 531 +-- crypto/dsa/dsa.c | 42 +- crypto/dsa/dsa_asn1.c | 56 +- crypto/dsa/dsa_test.cc | 65 +- crypto/dynamic_loading_test.c | 11 +- crypto/ec_extra/ec_derive.c | 2 +- crypto/ec_extra/hash_to_curve.c | 15 +- crypto/ecdh_extra/ecdh_extra.c | 1 - crypto/ecdh_extra/ecdh_test.cc | 170 +- crypto/ecdsa_extra/ecdsa_asn1.c | 14 +- crypto/endian_test.cc | 35 +- crypto/engine/engine.c | 15 +- crypto/err/err.c | 29 +- crypto/err/err_test.cc | 18 +- crypto/evp_extra/evp_asn1.c | 48 +- crypto/evp_extra/evp_extra_test.cc | 1100 ++++--- crypto/evp_extra/evp_test.cc | 830 ++--- crypto/evp_extra/p_dh.c | 45 +- crypto/evp_extra/p_dh_asn1.c | 3 +- crypto/evp_extra/p_dsa.c | 12 +- crypto/evp_extra/p_dsa_asn1.c | 70 +- crypto/evp_extra/p_ec_asn1.c | 50 +- crypto/evp_extra/p_ed25519_asn1.c | 48 +- crypto/evp_extra/p_ed25519ph.c | 29 +- crypto/evp_extra/p_kem_asn1.c | 50 +- crypto/evp_extra/p_methods.c | 34 +- crypto/evp_extra/p_pqdsa_asn1.c | 84 +- crypto/evp_extra/p_pqdsa_test.cc | 2642 +++++++-------- crypto/evp_extra/p_rsa_asn1.c | 106 +- crypto/evp_extra/p_x25519_asn1.c | 32 +- crypto/evp_extra/print.c | 14 +- crypto/evp_extra/scrypt.c | 14 +- crypto/evp_extra/scrypt_test.cc | 2 +- crypto/evp_extra/sign.c | 3 +- 
crypto/ex_data.c | 6 +- crypto/fipsmodule/aes/aes.c | 2 +- crypto/fipsmodule/aes/aes_test.cc | 294 +- crypto/fipsmodule/aes/internal.h | 51 +- crypto/fipsmodule/aes/key_wrap.c | 4 +- crypto/fipsmodule/aes/mode_wrappers.c | 20 +- crypto/fipsmodule/bcm.c | 118 +- crypto/fipsmodule/bn/asm/x86_64-gcc.c | 4 +- crypto/fipsmodule/bn/bn.c | 38 +- crypto/fipsmodule/bn/bn_test.cc | 132 +- crypto/fipsmodule/bn/bytes.c | 25 +- crypto/fipsmodule/bn/cmp.c | 12 +- crypto/fipsmodule/bn/ctx.c | 6 +- crypto/fipsmodule/bn/div.c | 52 +- crypto/fipsmodule/bn/div_extra.c | 3 +- crypto/fipsmodule/bn/exponentiation.c | 78 +- crypto/fipsmodule/bn/gcd.c | 6 +- crypto/fipsmodule/bn/gcd_extra.c | 36 +- crypto/fipsmodule/bn/internal.h | 52 +- crypto/fipsmodule/bn/jacobi.c | 5 +- crypto/fipsmodule/bn/montgomery.c | 53 +- crypto/fipsmodule/bn/montgomery_inv.c | 6 +- crypto/fipsmodule/bn/mul.c | 16 +- crypto/fipsmodule/bn/prime.c | 38 +- crypto/fipsmodule/bn/random.c | 5 +- crypto/fipsmodule/bn/rsaz_exp.c | 6 +- crypto/fipsmodule/bn/rsaz_exp.h | 41 +- crypto/fipsmodule/bn/rsaz_exp_x2.c | 966 +++--- crypto/fipsmodule/bn/shift.c | 4 +- crypto/fipsmodule/bn/sqrt.c | 28 +- crypto/fipsmodule/cipher/aead.c | 4 +- crypto/fipsmodule/cipher/cipher.c | 10 +- crypto/fipsmodule/cipher/e_aes.c | 4 +- crypto/fipsmodule/cipher/e_aesccm.c | 40 +- crypto/fipsmodule/cmac/cmac.c | 14 +- crypto/fipsmodule/cmac/cmac_test.cc | 161 +- crypto/fipsmodule/cpucap/cpu_aarch64.c | 22 +- crypto/fipsmodule/cpucap/cpu_aarch64.h | 7 +- .../fipsmodule/cpucap/cpu_aarch64_dit_test.cc | 23 +- crypto/fipsmodule/cpucap/cpu_aarch64_linux.c | 2 +- .../fipsmodule/cpucap/cpu_aarch64_openbsd.c | 6 +- crypto/fipsmodule/cpucap/cpu_arm_linux.h | 23 +- crypto/fipsmodule/cpucap/cpu_intel.c | 48 +- crypto/fipsmodule/cpucap/cpu_ppc64le.c | 9 +- crypto/fipsmodule/cpucap/cpucap.c | 8 +- crypto/fipsmodule/cpucap/internal.h | 19 +- crypto/fipsmodule/curve25519/curve25519.c | 88 +- .../fipsmodule/curve25519/curve25519_nohw.c | 81 +- 
.../curve25519/curve25519_s2n_bignum_asm.c | 57 +- crypto/fipsmodule/curve25519/ed25519_test.cc | 209 +- crypto/fipsmodule/curve25519/internal.h | 117 +- crypto/fipsmodule/curve25519/x25519_test.cc | 38 +- crypto/fipsmodule/dh/check.c | 4 +- crypto/fipsmodule/dh/dh.c | 159 +- crypto/fipsmodule/digest/digest.c | 5 +- crypto/fipsmodule/digest/digests.c | 30 +- crypto/fipsmodule/digest/internal.h | 8 +- crypto/fipsmodule/ec/builtin_curves.h | 108 +- crypto/fipsmodule/ec/ec.c | 35 +- crypto/fipsmodule/ec/ec_key.c | 70 +- crypto/fipsmodule/ec/ec_montgomery.c | 2 +- crypto/fipsmodule/ec/ec_nistp.c | 151 +- crypto/fipsmodule/ec/ec_nistp.h | 77 +- crypto/fipsmodule/ec/ec_test.cc | 1250 ++++--- crypto/fipsmodule/ec/felem.c | 4 +- crypto/fipsmodule/ec/internal.h | 72 +- crypto/fipsmodule/ec/oct.c | 7 +- crypto/fipsmodule/ec/p224-64.c | 33 +- crypto/fipsmodule/ec/p256-nistz.c | 66 +- crypto/fipsmodule/ec/p256-nistz.h | 8 +- crypto/fipsmodule/ec/p256-nistz_test.cc | 78 +- crypto/fipsmodule/ec/p256.c | 34 +- crypto/fipsmodule/ec/p384.c | 259 +- crypto/fipsmodule/ec/p384_table.h | 60 +- crypto/fipsmodule/ec/p521.c | 303 +- crypto/fipsmodule/ec/scalar.c | 4 +- crypto/fipsmodule/ec/simple.c | 8 +- crypto/fipsmodule/ec/simple_mul.c | 12 +- crypto/fipsmodule/ec/util.c | 2 +- crypto/fipsmodule/ec/wnaf.c | 15 +- crypto/fipsmodule/ecdh/ecdh.c | 5 +- crypto/fipsmodule/ecdsa/ecdsa.c | 29 +- crypto/fipsmodule/ecdsa/ecdsa_test.cc | 188 +- crypto/fipsmodule/evp/digestsign.c | 13 +- crypto/fipsmodule/evp/evp.c | 50 +- crypto/fipsmodule/evp/evp_ctx.c | 30 +- crypto/fipsmodule/evp/evp_ctx_test.cc | 61 +- crypto/fipsmodule/evp/internal.h | 65 +- crypto/fipsmodule/evp/p_ec.c | 61 +- crypto/fipsmodule/evp/p_hkdf.c | 36 +- crypto/fipsmodule/evp/p_hmac.c | 23 +- crypto/fipsmodule/evp/p_kem.c | 87 +- crypto/fipsmodule/evp/p_pqdsa.c | 92 +- crypto/fipsmodule/evp/p_rsa.c | 156 +- crypto/fipsmodule/fips_empty_main.c | 1 - .../fipsmodule/fips_shared_library_marker.c | 25 +- crypto/fipsmodule/hkdf/hkdf.c 
| 5 +- crypto/fipsmodule/hkdf/hkdf_test.cc | 379 ++- crypto/fipsmodule/hmac/hmac.c | 113 +- crypto/fipsmodule/hmac/internal.h | 6 +- crypto/fipsmodule/kdf/sskdf.c | 2 +- crypto/fipsmodule/kem/internal.h | 25 +- crypto/fipsmodule/kem/kem.c | 89 +- crypto/fipsmodule/md5/internal.h | 5 +- crypto/fipsmodule/md5/md5_test.cc | 2 +- crypto/fipsmodule/ml_dsa/ml_dsa.c | 418 ++- crypto/fipsmodule/ml_dsa/ml_dsa.h | 132 +- crypto/fipsmodule/ml_dsa/ml_dsa_ref/ntt.c | 127 +- crypto/fipsmodule/ml_dsa/ml_dsa_ref/packing.c | 322 +- crypto/fipsmodule/ml_dsa/ml_dsa_ref/packing.h | 54 +- crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.c | 41 +- crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.h | 7 +- crypto/fipsmodule/ml_dsa/ml_dsa_ref/poly.c | 1153 ++++--- crypto/fipsmodule/ml_dsa/ml_dsa_ref/poly.h | 57 +- crypto/fipsmodule/ml_dsa/ml_dsa_ref/polyvec.c | 665 ++-- crypto/fipsmodule/ml_dsa/ml_dsa_ref/polyvec.h | 64 +- crypto/fipsmodule/ml_dsa/ml_dsa_ref/reduce.c | 78 +- crypto/fipsmodule/ml_dsa/ml_dsa_ref/reduce.h | 2 +- .../fipsmodule/ml_dsa/ml_dsa_ref/rounding.c | 150 +- crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c | 433 ++- crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.h | 67 +- crypto/fipsmodule/ml_kem/ml_kem.c | 128 +- crypto/fipsmodule/ml_kem/ml_kem.h | 127 +- crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.c | 148 +- crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.h | 2 +- crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.c | 368 +-- crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.h | 18 +- crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c | 276 +- crypto/fipsmodule/ml_kem/ml_kem_ref/kem.h | 12 +- crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.c | 129 +- crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.h | 3 +- crypto/fipsmodule/ml_kem/ml_kem_ref/params.c | 4 +- crypto/fipsmodule/ml_kem/ml_kem_ref/params.h | 13 +- crypto/fipsmodule/ml_kem/ml_kem_ref/poly.c | 397 ++- crypto/fipsmodule/ml_kem/ml_kem_ref/poly.h | 8 +- crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.c | 271 +- crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.h | 11 +- 
crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.c | 52 +- crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.h | 4 +- .../ml_kem/ml_kem_ref/symmetric-shake.c | 121 +- .../fipsmodule/ml_kem/ml_kem_ref/symmetric.h | 19 +- crypto/fipsmodule/ml_kem/ml_kem_ref/verify.c | 56 +- crypto/fipsmodule/modes/cbc.c | 6 +- crypto/fipsmodule/modes/ctr.c | 6 +- crypto/fipsmodule/modes/gcm.c | 101 +- crypto/fipsmodule/modes/gcm_nohw.c | 2 +- crypto/fipsmodule/modes/gcm_test.cc | 7 +- crypto/fipsmodule/modes/internal.h | 20 +- crypto/fipsmodule/modes/polyval.c | 4 +- crypto/fipsmodule/modes/xts.c | 21 +- crypto/fipsmodule/modes/xts_test.cc | 1006 +++--- crypto/fipsmodule/pbkdf/pbkdf.c | 5 +- crypto/fipsmodule/pbkdf/pbkdf_test.cc | 14 +- crypto/fipsmodule/pqdsa/internal.h | 49 +- crypto/fipsmodule/pqdsa/pqdsa.c | 38 +- crypto/fipsmodule/rand/cpu_jitter_test.cc | 19 +- crypto/fipsmodule/rand/ctrdrbg.c | 6 +- crypto/fipsmodule/rand/ctrdrbg_test.cc | 4 +- crypto/fipsmodule/rand/fork_detect.c | 10 +- crypto/fipsmodule/rand/fork_detect_test.cc | 1 - crypto/fipsmodule/rand/internal.h | 23 +- crypto/fipsmodule/rand/rand.c | 106 +- crypto/fipsmodule/rand/snapsafe_detect.c | 4 +- crypto/fipsmodule/rand/snapsafe_detect.h | 4 +- .../fipsmodule/rand/snapsafe_detect_test.cc | 37 +- crypto/fipsmodule/rand/urandom.c | 32 +- crypto/fipsmodule/rand/urandom_test.cc | 20 +- crypto/fipsmodule/rsa/blinding.c | 6 +- crypto/fipsmodule/rsa/internal.h | 122 +- crypto/fipsmodule/rsa/padding.c | 13 +- crypto/fipsmodule/rsa/rsa.c | 334 +- crypto/fipsmodule/rsa/rsa_impl.c | 67 +- crypto/fipsmodule/self_check/fips.c | 41 +- crypto/fipsmodule/self_check/self_check.c | 1779 +++++----- .../fipsmodule/service_indicator/internal.h | 35 +- .../service_indicator/service_indicator.c | 62 +- .../service_indicator_test.cc | 2931 ++++++++--------- crypto/fipsmodule/sha/internal.h | 137 +- crypto/fipsmodule/sha/keccak1600.c | 630 ++-- crypto/fipsmodule/sha/sha1-altivec.c | 4 +- crypto/fipsmodule/sha/sha1.c | 25 +- 
crypto/fipsmodule/sha/sha256.c | 30 +- crypto/fipsmodule/sha/sha3.c | 94 +- crypto/fipsmodule/sha/sha512.c | 65 +- crypto/fipsmodule/sha/sha_test.cc | 2 +- crypto/fipsmodule/sshkdf/sshkdf.c | 11 +- crypto/fipsmodule/sshkdf/sshkdf_test.cc | 159 +- crypto/fipsmodule/tls/kdf.c | 25 +- crypto/hmac_extra/hmac_test.cc | 176 +- crypto/hpke/hpke.c | 7 +- crypto/hpke/hpke_test.cc | 6 +- crypto/hrss/hrss.c | 76 +- crypto/hrss/hrss_test.cc | 25 +- crypto/hrss/internal.h | 4 +- crypto/impl_dispatch_test.cc | 188 +- crypto/internal.h | 125 +- crypto/kyber/kem_kyber.c | 175 +- crypto/kyber/kem_kyber.h | 17 +- .../kyber/pqcrystals_kyber_ref_common/api.h | 28 +- .../kyber/pqcrystals_kyber_ref_common/cbd.c | 146 +- .../kyber/pqcrystals_kyber_ref_common/cbd.h | 4 +- .../pqcrystals_kyber_ref_common/fips202.c | 1183 ++++--- .../pqcrystals_kyber_ref_common/fips202.h | 6 +- .../pqcrystals_kyber_ref_common/indcpa.c | 346 +- .../pqcrystals_kyber_ref_common/indcpa.h | 4 +- .../kyber/pqcrystals_kyber_ref_common/kem.c | 219 +- .../kyber/pqcrystals_kyber_ref_common/kem.h | 14 +- .../kyber/pqcrystals_kyber_ref_common/ntt.c | 129 +- .../kyber/pqcrystals_kyber_ref_common/ntt.h | 3 +- .../kyber/pqcrystals_kyber_ref_common/poly.c | 393 ++- .../kyber/pqcrystals_kyber_ref_common/poly.h | 8 +- .../pqcrystals_kyber_ref_common/polyvec.c | 268 +- .../pqcrystals_kyber_ref_common/polyvec.h | 14 +- .../pqcrystals_kyber_ref_common/reduce.c | 52 +- .../pqcrystals_kyber_ref_common/reduce.h | 4 +- .../pqcrystals_kyber_ref_common/verify.c | 56 +- crypto/lhash/lhash.c | 4 +- crypto/lhash/lhash_test.cc | 15 +- crypto/mem.c | 22 +- crypto/mem_set_test.cc | 20 +- crypto/mem_test.cc | 36 +- crypto/obj/obj.c | 22 +- crypto/obj/obj_test.cc | 8 +- crypto/obj/obj_xref.c | 3 +- crypto/ocsp/ocsp_asn.c | 2 +- crypto/ocsp/ocsp_http.c | 12 +- crypto/ocsp/ocsp_print.c | 4 +- crypto/ocsp/ocsp_verify.c | 3 +- crypto/pem/pem_all.c | 2 +- crypto/pem/pem_lib.c | 7 +- crypto/pem/pem_test.cc | 76 +- crypto/pkcs7/bio/bio_md_test.cc | 
9 +- crypto/pkcs7/bio/cipher.c | 4 +- crypto/pkcs7/bio/md.c | 2 +- crypto/pkcs7/pkcs7.c | 7 +- crypto/pkcs7/pkcs7_test.cc | 9 +- crypto/pkcs8/p5_pbev2.c | 5 +- crypto/pkcs8/pkcs12_test.cc | 34 +- crypto/pkcs8/pkcs8.c | 28 +- crypto/pkcs8/pkcs8_test.cc | 35 +- crypto/pkcs8/pkcs8_x509.c | 87 +- crypto/poly1305/poly1305.c | 4 +- crypto/poly1305/poly1305_vec.c | 15 +- crypto/pool/pool.c | 8 +- crypto/pool/pool_test.cc | 8 +- crypto/rand_extra/entropy_passive.c | 1 - crypto/rand_extra/forkunsafe.c | 4 +- crypto/rand_extra/getentropy_test.cc | 3 +- crypto/rand_extra/rand_extra.c | 40 +- crypto/rand_extra/rand_test.cc | 33 +- crypto/rand_extra/windows.c | 5 +- crypto/refcount_c11.c | 14 +- crypto/refcount_win.c | 12 +- crypto/rsa_extra/internal.h | 1 - crypto/rsa_extra/rsa_asn1.c | 48 +- crypto/rsa_extra/rsa_crypt.c | 14 +- crypto/rsa_extra/rsa_print.c | 3 +- crypto/rsa_extra/rsa_test.cc | 162 +- crypto/rsa_extra/rsassa_pss_asn1.c | 30 +- crypto/rsa_extra/rsassa_pss_asn1_test.cc | 57 +- crypto/rwlock_static_init.cc | 12 +- crypto/spake25519/spake25519.c | 39 +- crypto/spake25519/spake25519_test.cc | 6 +- crypto/stack/stack.c | 4 +- crypto/stack/stack_test.cc | 26 +- crypto/test/abi_test.cc | 19 +- crypto/test/abi_test.h | 66 +- crypto/test/file_test.cc | 14 +- crypto/test/file_test.h | 4 +- crypto/test/file_util.h | 12 +- crypto/test/gtest_main.cc | 2 +- crypto/test/test_util.cc | 34 +- crypto/test/test_util.h | 11 +- crypto/test/wycheproof_util.h | 3 +- crypto/thread_pthread.c | 17 +- crypto/thread_test.cc | 8 +- crypto/thread_win.c | 26 +- crypto/trust_token/pmbtoken.c | 102 +- crypto/trust_token/trust_token.c | 22 +- crypto/trust_token/trust_token_test.cc | 125 +- crypto/trust_token/voprf.c | 85 +- crypto/x509/algorithm.c | 7 +- crypto/x509/asn1_gen.c | 8 +- crypto/x509/internal.h | 16 +- crypto/x509/policy.c | 3 +- crypto/x509/rsa_pss.c | 3 +- crypto/x509/tab_test.cc | 2 +- crypto/x509/v3_conf.c | 4 +- crypto/x509/v3_ocsp.c | 30 +- crypto/x509/v3_purp.c | 4 +- 
crypto/x509/v3_skey.c | 2 +- crypto/x509/v3_utl.c | 4 +- crypto/x509/x509_cmp.c | 6 +- crypto/x509/x509_def.c | 4 +- crypto/x509/x509_lu.c | 65 +- crypto/x509/x509_test.cc | 301 +- crypto/x509/x509_trs.c | 2 +- crypto/x509/x509_vfy.c | 8 +- fuzz/bn_div.cc | 6 +- fuzz/bn_mod_exp.cc | 36 +- fuzz/decode_client_hello_inner.cc | 2 +- fuzz/der_roundtrip.cc | 6 +- fuzz/ocsp_http.cc | 22 +- fuzz/pkcs7_decrypt.cc | 18 +- fuzz/pkcs7_verify.cc | 7 +- fuzz/pkcs8.cc | 3 +- fuzz/pkcs8_v2.cc | 3 +- fuzz/spki.cc | 3 +- fuzz/ssl_ctx_api.cc | 2 +- fuzz/ssl_serialization.cc | 9 +- include/openssl/aead.h | 5 +- include/openssl/arm_arch.h | 52 +- include/openssl/asm_base.h | 9 +- include/openssl/asn1t.h | 534 ++- include/openssl/base.h | 25 +- include/openssl/bio.h | 60 +- include/openssl/blowfish.h | 4 +- include/openssl/bn.h | 32 +- include/openssl/boringssl_prefix_symbols.h | 4 +- .../openssl/boringssl_prefix_symbols_asm.h | 4 +- include/openssl/cmac.h | 3 +- include/openssl/crypto.h | 12 +- include/openssl/ctrdrbg.h | 2 +- include/openssl/curve25519.h | 97 +- include/openssl/des.h | 15 +- include/openssl/dh.h | 2 +- include/openssl/digest.h | 3 +- include/openssl/err.h | 95 +- include/openssl/evp.h | 65 +- .../experimental/kem_deterministic_api.h | 16 +- include/openssl/hmac.h | 35 +- include/openssl/kdf.h | 26 +- include/openssl/lhash.h | 9 +- include/openssl/mem.h | 47 +- include/openssl/objects.h | 2 +- include/openssl/poly1305.h | 2 +- include/openssl/pool.h | 2 +- include/openssl/ripemd.h | 10 +- include/openssl/rsa.h | 82 +- include/openssl/service_indicator.h | 49 +- include/openssl/sshkdf.h | 19 +- include/openssl/ssl.h | 112 +- include/openssl/ssl3.h | 6 +- include/openssl/stack.h | 22 +- include/openssl/target.h | 5 +- include/openssl/tls1.h | 16 +- include/openssl/trust_token.h | 8 +- include/openssl/type_check.h | 28 +- include/openssl/x509.h | 35 +- ssl/bio_ssl.cc | 8 +- ssl/custom_extensions.cc | 16 +- ssl/d1_both.cc | 22 +- ssl/d1_lib.cc | 4 +- ssl/d1_pkt.cc | 4 +- 
ssl/d1_srtp.cc | 12 +- ssl/dtls_method.cc | 24 +- ssl/dtls_record.cc | 5 +- ssl/encrypted_client_hello.cc | 20 +- ssl/extensions.cc | 485 ++- ssl/handoff.cc | 40 +- ssl/handshake_client.cc | 45 +- ssl/handshake_server.cc | 61 +- ssl/internal.h | 86 +- ssl/s3_both.cc | 37 +- ssl/ssl_asn1.cc | 23 +- ssl/ssl_buffer.cc | 40 +- ssl/ssl_cert.cc | 2 +- ssl/ssl_cipher.cc | 501 +-- ssl/ssl_decrepit.c | 3 +- ssl/ssl_file.cc | 5 +- ssl/ssl_key_share.cc | 563 ++-- ssl/ssl_lib.cc | 84 +- ssl/ssl_session.cc | 49 +- ssl/ssl_test.cc | 2656 ++++++++------- ssl/ssl_text.cc | 1 - ssl/ssl_transcript.cc | 14 +- ssl/ssl_versions.cc | 19 +- ssl/ssl_x509.cc | 36 +- ssl/t1_enc.cc | 3 +- ssl/test/async_bio.cc | 12 +- ssl/test/bssl_shim.cc | 7 +- ssl/test/fuzzer.h | 3 +- ssl/test/handshake_util.cc | 15 +- ssl/test/handshake_util.h | 2 +- ssl/test/handshaker.cc | 15 +- ssl/test/mock_quic_transport.cc | 6 +- ssl/test/packeted_bio.cc | 16 +- ssl/test/ssl_transfer.cc | 22 +- ssl/test/ssl_transfer.h | 12 +- ssl/test/test_config.cc | 55 +- ssl/test/test_config.h | 2 +- ssl/test/test_state.cc | 21 +- ssl/test/test_state.h | 2 +- ssl/tls13_both.cc | 21 +- ssl/tls13_client.cc | 25 +- ssl/tls13_enc.cc | 3 +- ssl/tls13_server.cc | 31 +- ssl/tls_method.cc | 80 +- ssl/tls_record.cc | 29 +- tests/ci/test_apps/seccomp_app.c | 8 +- .../builtin_swap_check.c | 14 +- tests/compiler_features_tests/c11.c | 6 +- tests/compiler_features_tests/linux_u32.c | 4 +- .../memcmp_invalid_stripped_check.c | 7 +- .../compiler_features_tests/stdalign_check.c | 18 +- tool-openssl/crl.cc | 22 +- tool-openssl/crl_test.cc | 167 +- tool-openssl/internal.h | 11 +- tool-openssl/rsa.cc | 38 +- tool-openssl/rsa_test.cc | 115 +- tool-openssl/s_client.cc | 45 +- tool-openssl/s_client_test.cc | 3 +- tool-openssl/test_util.h | 53 +- tool-openssl/verify.cc | 45 +- tool-openssl/verify_test.cc | 194 +- tool-openssl/version.cc | 4 +- tool-openssl/x509.cc | 176 +- tool-openssl/x509_test.cc | 501 ++- tool/args.cc | 17 +- tool/benchmark.cc | 7 
+- tool/bssl_bm.h | 14 +- tool/ciphers.cc | 21 +- tool/client.cc | 181 +- tool/const.cc | 1079 +++--- tool/digest.cc | 13 +- tool/file.cc | 3 +- tool/generate_ech.cc | 7 +- tool/generate_ed25519.cc | 11 +- tool/genrsa.cc | 9 +- tool/internal.h | 40 +- tool/ossl_bm.h | 48 +- tool/pkcs12.cc | 9 +- tool/rand.cc | 18 +- tool/server.cc | 66 +- tool/speed.cc | 846 ++--- tool/tool.cc | 49 +- tool/transport_common.cc | 29 +- util/asm_dev/armv8/p256/src/beeu_scratch.c | 99 +- util/asm_dev/armv8/p256/src/main.c | 290 +- util/asm_dev/armv8/p256/src/p256.h | 11 +- .../ec/p256_awslc_ossl/src/benchmark.c | 108 +- .../ec/p256_awslc_ossl/src/benchmark.h | 24 +- .../ec/p256_awslc_ossl/src/benchmark_ecdh.c | 314 +- .../ec/p256_awslc_ossl/src/benchmark_ecdsa.c | 179 +- util/benchmark/ec/p256_awslc_ossl/src/main.c | 184 +- .../acvp/modulewrapper/modulewrapper.cc | 121 +- .../acvp/modulewrapper/modulewrapper.h | 14 +- .../inject_hash/macho_parser/common.h | 9 +- .../inject_hash/macho_parser/macho_parser.c | 396 +-- .../inject_hash/macho_parser/macho_parser.h | 44 +- .../macho_parser/tests/macho_tests.cc | 83 +- .../macho_parser/tests/macho_tests.h | 527 +-- util/fipstools/test_fips.c | 87 +- 560 files changed, 25308 insertions(+), 25126 deletions(-) diff --git a/crypto/abi_self_test.cc b/crypto/abi_self_test.cc index 96814985e9..63385d8ae6 100644 --- a/crypto/abi_self_test.cc +++ b/crypto/abi_self_test.cc @@ -12,8 +12,8 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include #include +#include #include @@ -187,7 +187,7 @@ TEST(ABITest, X86_64) { EXPECT_EQ(0, abi_test_get_and_clear_direction_flag()) << "CHECK_ABI did not insulate the caller from direction flag errors"; } -#endif // OPENSSL_X86_64 && SUPPORTS_ABI_TEST +#endif // OPENSSL_X86_64 && SUPPORTS_ABI_TEST #if defined(OPENSSL_X86) && defined(SUPPORTS_ABI_TEST) extern "C" { 
@@ -243,7 +243,7 @@ TEST(ABITest, X86) { EXPECT_EQ(0, abi_test_get_and_clear_direction_flag()) << "CHECK_ABI did not insulate the caller from direction flag errors"; } -#endif // OPENSSL_X86 && SUPPORTS_ABI_TEST +#endif // OPENSSL_X86 && SUPPORTS_ABI_TEST #if defined(OPENSSL_ARM) && defined(SUPPORTS_ABI_TEST) extern "C" { @@ -340,7 +340,7 @@ TEST(ABITest, ARM) { EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d15), "d15 was not restored after return"); } -#endif // OPENSSL_ARM && SUPPORTS_ABI_TEST +#endif // OPENSSL_ARM && SUPPORTS_ABI_TEST #if defined(OPENSSL_AARCH64) && defined(SUPPORTS_ABI_TEST) extern "C" { @@ -520,7 +520,7 @@ TEST(ABITest, AArch64) { CHECK_ABI_NO_UNWIND(abi_test_clobber_v14_upper); CHECK_ABI_NO_UNWIND(abi_test_clobber_v15_upper); } -#endif // OPENSSL_AARCH64 && SUPPORTS_ABI_TEST +#endif // OPENSSL_AARCH64 && SUPPORTS_ABI_TEST #if defined(OPENSSL_PPC64LE) && defined(SUPPORTS_ABI_TEST) extern "C" { @@ -806,4 +806,4 @@ TEST(ABITest, PPC64LE) { CHECK_ABI_NO_UNWIND(abi_test_clobber_ctr); CHECK_ABI_NO_UNWIND(abi_test_clobber_lr); } -#endif // OPENSSL_PPC64LE && SUPPORTS_ABI_TEST +#endif // OPENSSL_PPC64LE && SUPPORTS_ABI_TEST diff --git a/crypto/asn1/a_gentm.c b/crypto/asn1/a_gentm.c index c0c730d469..20dace227b 100644 --- a/crypto/asn1/a_gentm.c +++ b/crypto/asn1/a_gentm.c @@ -104,7 +104,8 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s, } ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s, - int64_t posix_time, int offset_day, + int64_t posix_time, + int offset_day, long offset_sec) { struct tm data; if (!OPENSSL_posix_to_tm(posix_time, &data)) { diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c index 4c5d7b092c..40c2848910 100644 --- a/crypto/asn1/a_mbstr.c +++ b/crypto/asn1/a_mbstr.c 
@@ -255,8 +255,8 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, } uint8_t *data = NULL; size_t data_len; - if (// OpenSSL historically NUL-terminated this value with a single byte, - // even for |MBSTRING_BMP| and |MBSTRING_UNIV|. + if ( // OpenSSL historically NUL-terminated this value with a single byte, + // even for |MBSTRING_BMP| and |MBSTRING_UNIV|. !CBB_add_u8(&cbb, 0) || !CBB_finish(&cbb, &data, &data_len) || data_len < 1 || data_len > INT_MAX) { OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR); @@ -280,7 +280,7 @@ int asn1_is_printable(uint32_t value) { if (value > 0x7f) { return 0; } - return OPENSSL_isalnum(value) || // + return OPENSSL_isalnum(value) || // value == ' ' || value == '\'' || value == '(' || value == ')' || value == '+' || value == ',' || value == '-' || value == '.' || value == '/' || value == ':' || value == '=' || value == '?'; diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c index 7264f830b8..0ef234ff5f 100644 --- a/crypto/asn1/a_time.c +++ b/crypto/asn1/a_time.c @@ -177,7 +177,7 @@ int ASN1_TIME_set_string(ASN1_TIME *s, const char *str) { int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str) { CBS cbs; - CBS_init(&cbs, (const uint8_t*)str, strlen(str)); + CBS_init(&cbs, (const uint8_t *)str, strlen(str)); int type; struct tm tm; if (CBS_parse_utc_time(&cbs, /*out_tm=*/NULL, diff --git a/crypto/asn1/a_utctm.c b/crypto/asn1/a_utctm.c index f79114d891..ad3651c6f5 100644 --- a/crypto/asn1/a_utctm.c +++ b/crypto/asn1/a_utctm.c @@ -106,8 +106,8 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, int64_t posix_time) { return ASN1_UTCTIME_adj(s, posix_time, 0, 0); } -ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, int64_t posix_time, int offset_day, - long offset_sec) { +ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, int64_t posix_time, + int offset_day, long offset_sec) { struct tm data; if (!OPENSSL_posix_to_tm(posix_time, &data)) { return NULL; 
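Review bot: In the first hunk of a_mbstr.c the reflowed condition now reads `if ( // OpenSSL historically NUL-terminated this value with a single byte,` with the explanatory comment wedged between the opening parenthesis and the first operand, which is harder to scan than the original and will keep fighting the formatter on every future run. Moving the two comment lines to just above the `if` keeps the rationale and lets the condition start as `if (!CBB_add_u8(&cbb, 0) || !CBB_finish(&cbb, &data, &data_len) ||` on one line, which is what clang-format would produce unaided. The surrounding ASN1_mbstring_ncopy body begins outside the hunk, so the comment's placement relative to the earlier `cbb` setup should be checked in the full file.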
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 1089d7efd2..b8b431ddcb 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -63,9 +63,9 @@ #include #include +#include "../bytestring/internal.h" #include "../internal.h" #include "internal.h" -#include "../bytestring/internal.h" // Cross-module errors from crypto/x509/i2d_pr.c. @@ -170,8 +170,9 @@ int asn1_get_object_maybe_indefinite(const unsigned char **inp, long *out_len, int ASN1_get_object(const unsigned char **inp, long *out_len, int *out_tag, int *out_class, long in_len) { - return asn1_get_object_maybe_indefinite(inp, out_len, out_tag, out_class, in_len, - /*indefinite_ok=*/1); + return asn1_get_object_maybe_indefinite(inp, out_len, out_tag, out_class, + in_len, + /*indefinite_ok=*/1); } // class 0 is constructed constructed == 2 for indefinite length constructed @@ -367,9 +368,7 @@ void ASN1_STRING_free(ASN1_STRING *str) { OPENSSL_free(str); } -void ASN1_STRING_clear_free(ASN1_STRING *str) { - ASN1_STRING_free(str); -} +void ASN1_STRING_clear_free(ASN1_STRING *str) { ASN1_STRING_free(str); } int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b) { // Capture padding bits and implicit truncation in BIT STRINGs. diff --git a/crypto/asn1/asn1_test.cc b/crypto/asn1/asn1_test.cc index 70b9dd5213..d3a544ff45 100644 --- a/crypto/asn1/asn1_test.cc +++ b/crypto/asn1/asn1_test.cc @@ -108,8 +108,7 @@ void TestSerialize(T obj, int (*i2d_func)(U a, uint8_t **pp), static bssl::UniquePtr BIGNUMPow2(unsigned bit) { bssl::UniquePtr bn(BN_new()); - if (!bn || - !BN_set_bit(bn.get(), bit)) { + if (!bn || !BN_set_bit(bn.get(), bit)) { return nullptr; } return bn; 
@@ -387,8 +386,8 @@ TEST(ASN1Test, Integer) { SCOPED_TRACE(pair.first); const ASN1_INTEGER *obj = pair.second.get(); EXPECT_EQ(t.type, ASN1_STRING_type(obj)); - EXPECT_EQ(Bytes(t.data), Bytes(ASN1_STRING_get0_data(obj), - ASN1_STRING_length(obj))); + EXPECT_EQ(Bytes(t.data), + Bytes(ASN1_STRING_get0_data(obj), ASN1_STRING_length(obj))); // The object should encode correctly. TestSerialize(obj, i2d_ASN1_INTEGER, t.der); @@ -883,7 +882,8 @@ TEST(ASN1Test, StringToUTF8) { {{0, 0, 0xfe, 0xff, 0, 0, 0, 88}, V_ASN1_UNIVERSALSTRING, nullptr}, // Otherwise, BOMs should pass through. {{0, 88, 0xfe, 0xff}, V_ASN1_BMPSTRING, "X\xef\xbb\xbf"}, - {{0, 0, 0, 88, 0, 0, 0xfe, 0xff}, V_ASN1_UNIVERSALSTRING, + {{0, 0, 0, 88, 0, 0, 0xfe, 0xff}, + V_ASN1_UNIVERSALSTRING, "X\xef\xbb\xbf"}, // The maximum code-point should pass though. {{0, 16, 0xff, 0xfd}, V_ASN1_UNIVERSALSTRING, "\xf4\x8f\xbf\xbd"}, @@ -947,7 +947,7 @@ static bool ASN1Time_check_posix(const ASN1_TIME *s, int64_t t) { !OPENSSL_gmtime_diff(&day, &sec, &ttm, &stm)) { return false; } - return day == 0 && sec ==0; + return day == 0 && sec == 0; } static std::string PrintStringToBIO(const ASN1_STRING *str, @@ -968,7 +968,9 @@ static std::string PrintStringToBIO(const ASN1_STRING *str, // MSVC 2015 does not support compound literals e.g. using (struct tm){0,0,...}} // in the list of test vectors below. Note: this returns a copy of the stack // allocated value t. -static struct tm make_tm(int sec, int min, int hour, int mday, int mon, int year, int wday, int yday, int isdst, long gmtoff, char* zone) { +static struct tm make_tm(int sec, int min, int hour, int mday, int mon, + int year, int wday, int yday, int isdst, long gmtoff, + char *zone) { struct tm t; t.tm_sec = sec; t.tm_min = min; 
@@ -994,25 +996,31 @@ TEST(ASN1Test, SetTime) { const char *printed; const struct tm expected_tm; // struct tm years are deltas from 1900 and months start at 0 - // AWS-LC does not calculate or set year day, weekday, timezone, or daylight savings + // AWS-LC does not calculate or set year day, weekday, timezone, or daylight + // savings } kTests[] = { {-631152001, "19491231235959Z", nullptr, "Dec 31 23:59:59 1949 GMT", make_tm(59, 59, 23, 31, 11, 49, 0, 0, 0, 0, nullptr)}, - {-631152000, "19500101000000Z", "500101000000Z", "Jan 1 00:00:00 1950 GMT", + {-631152000, "19500101000000Z", "500101000000Z", + "Jan 1 00:00:00 1950 GMT", make_tm(0, 0, 0, 1, 0, 50, 0, 0, 0, 0, nullptr)}, {0, "19700101000000Z", "700101000000Z", "Jan 1 00:00:00 1970 GMT", make_tm(0, 0, 0, 1, 0, 70, 0, 0, 0, 0, nullptr)}, - {981173106, "20010203040506Z", "010203040506Z", "Feb 3 04:05:06 2001 GMT", + {981173106, "20010203040506Z", "010203040506Z", + "Feb 3 04:05:06 2001 GMT", make_tm(6, 5, 4, 3, 1, 101, 0, 0, 0, 0, nullptr)}, - {951804000, "20000229060000Z", "000229060000Z", "Feb 29 06:00:00 2000 GMT", + {951804000, "20000229060000Z", "000229060000Z", + "Feb 29 06:00:00 2000 GMT", make_tm(0, 0, 6, 29, 1, 100, 0, 0, 0, 0, nullptr)}, // NASA says this is the correct time for posterity. - {-16751025, "19690621025615Z", "690621025615Z", "Jun 21 02:56:15 1969 GMT", + {-16751025, "19690621025615Z", "690621025615Z", + "Jun 21 02:56:15 1969 GMT", make_tm(15, 56, 2, 21, 5, 69, 0, 0, 0, 0, nullptr)}, // -1 is sometimes used as an error value. Ensure we correctly handle it. 
{-1, "19691231235959Z", "691231235959Z", "Dec 31 23:59:59 1969 GMT", make_tm(59, 59, 23, 31, 11, 69, 0, 0, 0, 0, nullptr)}, - {2524607999, "20491231235959Z", "491231235959Z", "Dec 31 23:59:59 2049 GMT", + {2524607999, "20491231235959Z", "491231235959Z", + "Dec 31 23:59:59 2049 GMT", make_tm(59, 59, 23, 31, 11, 149, 0, 0, 0, 0, nullptr)}, {2524608000, "20500101000000Z", nullptr, "Jan 1 00:00:00 2050 GMT", make_tm(0, 0, 0, 1, 0, 150, 0, 0, 0, 0, nullptr)}, @@ -1044,7 +1052,9 @@ TEST(ASN1Test, SetTime) { EXPECT_EQ(PrintStringToBIO(utc.get(), &ASN1_UTCTIME_print), t.printed); EXPECT_EQ(PrintStringToBIO(utc.get(), &ASN1_TIME_print), t.printed); EXPECT_EQ(ASN1_TIME_to_tm(utc.get(), &actual_time_t), 1); - EXPECT_EQ(OPENSSL_memcmp(&t.expected_tm, &actual_time_t, sizeof(actual_time_t)), 0); + EXPECT_EQ( + OPENSSL_memcmp(&t.expected_tm, &actual_time_t, sizeof(actual_time_t)), + 0); } else { EXPECT_FALSE(utc); } @@ -1064,7 +1074,9 @@ TEST(ASN1Test, SetTime) { EXPECT_EQ(PrintStringToBIO(generalized.get(), &ASN1_TIME_print), t.printed); EXPECT_EQ(ASN1_TIME_to_tm(generalized.get(), &actual_time_t), 1); - EXPECT_EQ(OPENSSL_memcmp(&t.expected_tm, &actual_time_t, sizeof(actual_time_t)), 0); + EXPECT_EQ( + OPENSSL_memcmp(&t.expected_tm, &actual_time_t, sizeof(actual_time_t)), + 0); } else { EXPECT_FALSE(generalized); } @@ -1083,7 +1095,9 @@ TEST(ASN1Test, SetTime) { EXPECT_EQ(ASN1_TIME_to_posix(choice.get(), &tt), 1); EXPECT_EQ(tt, t.time); EXPECT_EQ(ASN1_TIME_to_tm(choice.get(), &actual_time_t), 1); - EXPECT_EQ(OPENSSL_memcmp(&t.expected_tm, &actual_time_t, sizeof(actual_time_t)), 0); + EXPECT_EQ( + OPENSSL_memcmp(&t.expected_tm, &actual_time_t, sizeof(actual_time_t)), + 0); } else { EXPECT_FALSE(choice); } 
@@ -1717,8 +1731,8 @@ TEST(ASN1Test, MBString) { ERR_clear_error(); ASN1_STRING *str = nullptr; - EXPECT_EQ(-1, ASN1_mbstring_copy(&str, t.in.data(), t.in.size(), - t.format, t.mask)); + EXPECT_EQ(-1, ASN1_mbstring_copy(&str, t.in.data(), t.in.size(), t.format, + t.mask)); ERR_clear_error(); EXPECT_EQ(nullptr, str); } @@ -1866,9 +1880,9 @@ TEST(ASN1Test, StringByCustomNID) { ASN1_STRING_length(str.get()))); // Minimum and maximum lengths are enforced. - str.reset(ASN1_STRING_set_by_NID( - nullptr, reinterpret_cast("1234"), 4, MBSTRING_UTF8, - nid1)); + str.reset(ASN1_STRING_set_by_NID(nullptr, + reinterpret_cast("1234"), 4, + MBSTRING_UTF8, nid1)); EXPECT_FALSE(str); ERR_clear_error(); str.reset(ASN1_STRING_set_by_NID( @@ -2001,7 +2015,7 @@ TEST(ASN1Test, StringTableSorted) { size_t table_len; asn1_get_string_table_for_testing(&table, &table_len); for (size_t i = 1; i < table_len; i++) { - EXPECT_LT(table[i-1].nid, table[i].nid); + EXPECT_LT(table[i - 1].nid, table[i].nid); } } @@ -2078,8 +2092,7 @@ TEST(ASN1Test, Unpack) { ASSERT_TRUE(str); static const uint8_t kValid[] = {0x30, 0x00}; - ASSERT_TRUE( - ASN1_STRING_set(str.get(), kValid, sizeof(kValid))); + ASSERT_TRUE(ASN1_STRING_set(str.get(), kValid, sizeof(kValid))); bssl::UniquePtr val(static_cast( ASN1_item_unpack(str.get(), ASN1_ITEM_rptr(BASIC_CONSTRAINTS)))); ASSERT_TRUE(val); 
@@ -2308,14 +2321,15 @@ const struct GetObjectTestData { {{0x81, 0x00}, 0x00, 0x01, 0x80, 0}, {{0xC1, 0x00}, 0x00, 0x01, 0xC0, 0}, {{0x1F, 0x20, 0x00}, 0x00, 0x20, 0x00, 0}, - // Rejected to avoid ambiguity with V_ASN1_NEG. Ruby has a test case expecting this to succeed. + // Rejected to avoid ambiguity with V_ASN1_NEG. Ruby has a test case + // expecting this to succeed. {{0x1F, 0xC0, 0x20, 0x00}, 0x80, 0x00, 0x00, 0}, {{0x41, 0x02, 0xAB, 0xCD}, 0x00, 0x01, 0x40, 2}, {{0x61, 0x00}, 0x20, 0x01, 0x40, 0}, {{0x61, 0x80, 0xC2, 0x02, 0xAB, 0xCD, 0x00, 0x00}, 0x21, 0x01, 0x40, 0}, }; -static void verifyGetObject(const GetObjectTestData& t) { +static void verifyGetObject(const GetObjectTestData &t) { long length; int tag; int tag_class; @@ -2337,8 +2351,8 @@ TEST(ASN1Test, GetObject) { } { - GetObjectTestData test_case{ {0x41, 0x81, 0x80}, 0x00, 0x01, 0x40, 128 }; - for(int i = 0; i < 64; i++) { + GetObjectTestData test_case{{0x41, 0x81, 0x80}, 0x00, 0x01, 0x40, 128}; + for (int i = 0; i < 64; i++) { test_case.in.push_back(0xAB); test_case.in.push_back(0xCD); } @@ -2346,14 +2360,14 @@ TEST(ASN1Test, GetObject) { } { - GetObjectTestData test_case{ {0x41, 0x82, 0x01, 0x00}, 0x00, 0x01, 0x40, 256 }; - for(int i = 0; i < 128; i++) { + GetObjectTestData test_case{ + {0x41, 0x82, 0x01, 0x00}, 0x00, 0x01, 0x40, 256}; + for (int i = 0; i < 128; i++) { test_case.in.push_back(0xAB); test_case.in.push_back(0xCD); } verifyGetObject(test_case); } - } template 
@@ -2472,13 +2486,15 @@ static void *d2i_ASN1_TYPE_void(void **a, const unsigned char **in, long len) { static int i2d_ECPrivateKey_void(const void *a, unsigned char **out) { return i2d_ECPrivateKey((EC_KEY *)a, out); } -static void *d2i_ECPrivateKey_void(void **a, const unsigned char **in, long len) { +static void *d2i_ECPrivateKey_void(void **a, const unsigned char **in, + long len) { return d2i_ECPrivateKey((EC_KEY **)a, in, len); } static int i2d_X509_PUBKEY_void(const void *a, unsigned char **out) { return i2d_X509_PUBKEY((X509_PUBKEY *)a, out); } -static void *d2i_X509_PUBKEY_void(void **a, const unsigned char **in, long len) { +static void *d2i_X509_PUBKEY_void(void **a, const unsigned char **in, + long len) { return d2i_X509_PUBKEY((X509_PUBKEY **)a, in, len); } diff --git a/crypto/asn1/internal.h b/crypto/asn1/internal.h index 304b4b5a26..cb1e59e895 100644 --- a/crypto/asn1/internal.h +++ b/crypto/asn1/internal.h @@ -217,10 +217,11 @@ void asn1_type_cleanup(ASN1_TYPE *a); // ASN.1 PrintableString, and zero otherwise. int asn1_is_printable(uint32_t value); -// asn1_get_object_maybe_indefinite parses an ASN.1 header, including tag, class, -// and length information. The tag number is written to |*out_tag|. The class is -// written to |*out_class|. If the tag is not indefinite, the content length is -// written to |*out_len|. |inp| is advanced past the header in the input buffer. +// asn1_get_object_maybe_indefinite parses an ASN.1 header, including tag, +// class, and length information. The tag number is written to |*out_tag|. The +// class is written to |*out_class|. If the tag is not indefinite, the content +// length is written to |*out_len|. |inp| is advanced past the header in the +// input buffer. // // If |indefinite_ok| is non-zero, indefinite-length encoding and universal tags // are allowed, otherwise these will produce errors. 
@@ -229,8 +230,9 @@ int asn1_is_printable(uint32_t value); // * 0x80: error occurred while parsing. // * 0x20: the encoding is constructed, not primitive. // * 0x01: indefinite-length constructed encoding. -int asn1_get_object_maybe_indefinite(const unsigned char **inp, long *out_len, int *out_tag, - int *out_class, long in_len, int indefinite_ok); +int asn1_get_object_maybe_indefinite(const unsigned char **inp, long *out_len, + int *out_tag, int *out_class, long in_len, + int indefinite_ok); // asn1_bit_string_length returns the number of bytes in |str| and sets // |*out_padding_bits| to the number of padding bits. diff --git a/crypto/asn1/posix_time.c b/crypto/asn1/posix_time.c index 976979032c..90646ab809 100644 --- a/crypto/asn1/posix_time.c +++ b/crypto/asn1/posix_time.c @@ -203,11 +203,11 @@ int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, int64_t offset_sec) { return 0; } OPENSSL_STATIC_ASSERT(INT_MAX <= INT64_MAX / SECS_PER_DAY, - day_offset_in_seconds_cannot_overflow) + day_offset_in_seconds_cannot_overflow) OPENSSL_STATIC_ASSERT(MAX_POSIX_TIME <= INT64_MAX - INT_MAX * SECS_PER_DAY, - addition_cannot_overflow) + addition_cannot_overflow) OPENSSL_STATIC_ASSERT(MIN_POSIX_TIME >= INT64_MIN - INT_MIN * SECS_PER_DAY, - addition_cannot_underflow) + addition_cannot_underflow) posix_time += offset_day * SECS_PER_DAY; if (posix_time > 0 && offset_sec > INT64_MAX - posix_time) { return 0; 
@@ -232,9 +232,11 @@ int OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from, return 0; } // Times are in range, so these calculations can not overflow. - OPENSSL_STATIC_ASSERT(SECS_PER_DAY <= INT_MAX, seconds_per_day_does_not_fit_in_int) - OPENSSL_STATIC_ASSERT((MAX_POSIX_TIME - MIN_POSIX_TIME) / SECS_PER_DAY <= INT_MAX, - range_of_valid_POSIX_times_in_days_does_not_fit_in_int) + OPENSSL_STATIC_ASSERT(SECS_PER_DAY <= INT_MAX, + seconds_per_day_does_not_fit_in_int) + OPENSSL_STATIC_ASSERT( + (MAX_POSIX_TIME - MIN_POSIX_TIME) / SECS_PER_DAY <= INT_MAX, + range_of_valid_POSIX_times_in_days_does_not_fit_in_int) int64_t timediff = time_to - time_from; int64_t daydiff = timediff / SECS_PER_DAY; timediff %= SECS_PER_DAY; diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index 329422cbd8..8310e5156d 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -861,7 +861,8 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, const unsigned char *p; p = *in; - i = asn1_get_object_maybe_indefinite(&p, &plen, &ptag, &pclass, len, /*indefinite_ok=*/0); + i = asn1_get_object_maybe_indefinite(&p, &plen, &ptag, &pclass, len, + /*indefinite_ok=*/0); if (i & 0x80) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_OBJECT_HEADER); return 0; diff --git a/crypto/base64/base64.c b/crypto/base64/base64.c index b3a3868412..15999c3597 100644 --- a/crypto/base64/base64.c +++ b/crypto/base64/base64.c @@ -126,9 +126,7 @@ EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) { return OPENSSL_zalloc(sizeof(EVP_ENCODE_CTX)); } -void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) { - OPENSSL_free(ctx); -} +void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) { OPENSSL_free(ctx); } void EVP_EncodeInit(EVP_ENCODE_CTX *ctx) { OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX)); 
@@ -307,10 +305,8 @@ static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes, const uint32_t v = ((uint32_t)a) << 18 | ((uint32_t)b) << 12 | ((uint32_t)c) << 6 | (uint32_t)d; - const unsigned padding_pattern = (in[0] == '=') << 3 | - (in[1] == '=') << 2 | - (in[2] == '=') << 1 | - (in[3] == '='); + const unsigned padding_pattern = (in[0] == '=') << 3 | (in[1] == '=') << 2 | + (in[2] == '=') << 1 | (in[3] == '='); switch (padding_pattern) { case 0: @@ -413,8 +409,7 @@ int EVP_DecodeBase64(uint8_t *out, size_t *out_len, size_t max_out, } size_t max_len; - if (!EVP_DecodedLength(&max_len, in_len) || - max_out < max_len) { + if (!EVP_DecodedLength(&max_len, in_len) || max_out < max_len) { return 0; } @@ -450,7 +445,7 @@ int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) { // Trim newlines, spaces and tabs from the end of the line. while (src_len > 0) { - switch (src[src_len-1]) { + switch (src[src_len - 1]) { case ' ': case '\t': case '\r': @@ -463,8 +458,7 @@ int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) { } size_t dst_len; - if (!EVP_DecodedLength(&dst_len, src_len) || - dst_len > INT_MAX || + if (!EVP_DecodedLength(&dst_len, src_len) || dst_len > INT_MAX || !EVP_DecodeBase64(dst, &dst_len, dst_len, src, src_len)) { return -1; } diff --git a/crypto/bio/bio.c b/crypto/bio/bio.c index c0ce6850bd..256956ee10 100644 --- a/crypto/bio/bio.c +++ b/crypto/bio/bio.c @@ -74,7 +74,7 @@ // modify and return to the caller. Used only in callbacks that pass in // |processed|. static int call_bio_callback_with_processed(BIO *bio, const int oper, - const void *buf, int len, int ret) { + const void *buf, int len, int ret) { if (HAS_CALLBACK(bio)) { size_t processed = 0; // The original BIO return value can be an error value (less than 0) or 
@@ -85,7 +85,8 @@ static int call_bio_callback_with_processed(BIO *bio, const int oper, // Pass the original BIO's return value to the callback. If the callback // is successful return processed from the callback, if the callback is // not successful return the callback's return value. - long callback_ret = bio->callback_ex(bio, oper, buf, len, 0, 0L, ret, &processed); + long callback_ret = + bio->callback_ex(bio, oper, buf, len, 0, 0L, ret, &processed); if (callback_ret <= INT_MAX && callback_ret >= INT_MIN) { ret = (int)callback_ret; if (ret > 0) { @@ -156,13 +157,9 @@ int BIO_up_ref(BIO *bio) { return 1; } -void BIO_vfree(BIO *bio) { - BIO_free(bio); -} +void BIO_vfree(BIO *bio) { BIO_free(bio); } -void BIO_free_all(BIO *bio) { - BIO_free(bio); -} +void BIO_free_all(BIO *bio) { BIO_free(bio); } int BIO_read(BIO *bio, void *buf, int len) { int ret = 0; @@ -175,7 +172,8 @@ int BIO_read(BIO *bio, void *buf, int len) { } if (HAS_CALLBACK(bio)) { - long callback_ret = bio->callback_ex(bio, BIO_CB_READ, buf, len, 0, 0L, 1L, NULL); + long callback_ret = + bio->callback_ex(bio, BIO_CB_READ, buf, len, 0, 0L, 1L, NULL); if (callback_ret <= 0) { if (callback_ret >= INT_MIN) { return (int)callback_ret; @@ -229,7 +227,8 @@ int BIO_gets(BIO *bio, char *buf, int len) { } if (HAS_CALLBACK(bio)) { - long callback_ret = bio->callback_ex(bio, BIO_CB_GETS, buf, len, 0, 0L, 1L, NULL); + long callback_ret = + bio->callback_ex(bio, BIO_CB_GETS, buf, len, 0, 0L, 1L, NULL); if (callback_ret <= 0) { if (callback_ret >= INT_MIN) { return (int)callback_ret; @@ -261,7 +260,8 @@ int BIO_write(BIO *bio, const void *in, int inl) { } if (HAS_CALLBACK(bio)) { - long callback_ret = bio->callback_ex(bio, BIO_CB_WRITE, in, inl, 0, 0L, 1L, NULL); + long callback_ret = + bio->callback_ex(bio, BIO_CB_WRITE, in, inl, 0, 0L, 1L, NULL); if (callback_ret <= 0) { if (callback_ret >= INT_MIN) { return (int)callback_ret; 
@@ -285,7 +285,8 @@ int BIO_write(BIO *bio, const void *in, int inl) { return ret; } -int BIO_write_ex(BIO *bio, const void *data, size_t data_len, size_t *written_bytes) { +int BIO_write_ex(BIO *bio, const void *data, size_t data_len, + size_t *written_bytes) { if (bio == NULL) { OPENSSL_PUT_ERROR(BIO, BIO_R_NULL_PARAMETER); return 0; @@ -328,13 +329,14 @@ int BIO_write_all(BIO *bio, const void *data, size_t len) { int BIO_puts(BIO *bio, const char *in) { // Check for bwrites here since we use that if bputs is NULL - if (bio == NULL || bio->method == NULL || (bio->method->bwrite == NULL && - bio->method->bputs == NULL)) { + if (bio == NULL || bio->method == NULL || + (bio->method->bwrite == NULL && bio->method->bputs == NULL)) { OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD); return -2; } - if(HAS_CALLBACK(bio)) { - long callback_ret = bio->callback_ex(bio, BIO_CB_PUTS, in, 0, 0, 0L, 1L, NULL); + if (HAS_CALLBACK(bio)) { + long callback_ret = + bio->callback_ex(bio, BIO_CB_PUTS, in, 0, 0, 0L, 1L, NULL); if (callback_ret <= 0) { if (callback_ret >= INT_MIN) { return (int)callback_ret; @@ -362,15 +364,13 @@ int BIO_puts(BIO *bio, const char *in) { if (ret > 0) { bio->num_write += ret; } - ret = call_bio_callback_with_processed(bio, BIO_CB_PUTS | BIO_CB_RETURN, - in, 0, ret); - + ret = call_bio_callback_with_processed(bio, BIO_CB_PUTS | BIO_CB_RETURN, in, + 0, ret); + return ret; } -int BIO_flush(BIO *bio) { - return (int)BIO_ctrl(bio, BIO_CTRL_FLUSH, 0, NULL); -} +int BIO_flush(BIO *bio) { return (int)BIO_ctrl(bio, BIO_CTRL_FLUSH, 0, NULL); } long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg) { if (bio == NULL) { @@ -392,7 +392,7 @@ long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg) { ret = bio->method->ctrl(bio, cmd, larg, parg); if (HAS_CALLBACK(bio)) { ret = bio->callback_ex(bio, BIO_CB_CTRL | BIO_CB_RETURN, parg, 0, cmd, larg, - ret, NULL); + ret, NULL); } return ret; } 
@@ -413,21 +413,13 @@ long BIO_int_ctrl(BIO *b, int cmd, long larg, int iarg) { return BIO_ctrl(b, cmd, larg, (void *)&i); } -int BIO_reset(BIO *bio) { - return (int)BIO_ctrl(bio, BIO_CTRL_RESET, 0, NULL); -} +int BIO_reset(BIO *bio) { return (int)BIO_ctrl(bio, BIO_CTRL_RESET, 0, NULL); } -int BIO_eof(BIO *bio) { - return (int)BIO_ctrl(bio, BIO_CTRL_EOF, 0, NULL); -} +int BIO_eof(BIO *bio) { return (int)BIO_ctrl(bio, BIO_CTRL_EOF, 0, NULL); } -void BIO_set_flags(BIO *bio, int flags) { - bio->flags |= flags; -} +void BIO_set_flags(BIO *bio, int flags) { bio->flags |= flags; } -int BIO_test_flags(const BIO *bio, int flags) { - return bio->flags & flags; -} +int BIO_test_flags(const BIO *bio, int flags) { return bio->flags & flags; } int BIO_should_read(const BIO *bio) { return BIO_test_flags(bio, BIO_FLAGS_READ); @@ -449,9 +441,7 @@ int BIO_get_retry_reason(const BIO *bio) { return bio->retry_reason; } void BIO_set_retry_reason(BIO *bio, int reason) { bio->retry_reason = reason; } -void BIO_clear_flags(BIO *bio, int flags) { - bio->flags &= ~flags; -} +void BIO_clear_flags(BIO *bio, int flags) { bio->flags &= ~flags; } void BIO_set_retry_read(BIO *bio) { bio->flags |= BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY; @@ -463,9 +453,7 @@ void BIO_set_retry_write(BIO *bio) { static const int kRetryFlags = BIO_FLAGS_RWS | BIO_FLAGS_SHOULD_RETRY; -int BIO_get_retry_flags(BIO *bio) { - return bio->flags & kRetryFlags; -} +int BIO_get_retry_flags(BIO *bio) { return bio->flags & kRetryFlags; } void BIO_clear_retry_flags(BIO *bio) { bio->flags &= ~kRetryFlags; @@ -496,7 +484,7 @@ long BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) { } size_t BIO_pending(const BIO *bio) { - const long r = BIO_ctrl((BIO *) bio, BIO_CTRL_PENDING, 0, NULL); + const long r = BIO_ctrl((BIO *)bio, BIO_CTRL_PENDING, 0, NULL); assert(r >= 0); if (r < 0) { 
@@ -505,12 +493,10 @@ size_t BIO_pending(const BIO *bio) { return r; } -size_t BIO_ctrl_pending(const BIO *bio) { - return BIO_pending(bio); -} +size_t BIO_ctrl_pending(const BIO *bio) { return BIO_pending(bio); } size_t BIO_wpending(const BIO *bio) { - const long r = BIO_ctrl((BIO *) bio, BIO_CTRL_WPENDING, 0, NULL); + const long r = BIO_ctrl((BIO *)bio, BIO_CTRL_WPENDING, 0, NULL); assert(r >= 0); if (r < 0) { @@ -608,9 +594,7 @@ static int print_bio(const char *str, size_t len, void *bio) { return BIO_write_all((BIO *)bio, str, len); } -void ERR_print_errors(BIO *bio) { - ERR_print_errors_cb(print_bio, bio); -} +void ERR_print_errors(BIO *bio) { ERR_print_errors_cb(print_bio, bio); } // bio_read_all reads everything from |bio| and prepends |prefix| to it. On // success, |*out| is set to an allocated buffer (which should be freed with @@ -772,7 +756,7 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) { return 0; } - if ((len32 >> ((num_bytes-1)*8)) == 0) { + if ((len32 >> ((num_bytes - 1) * 8)) == 0) { // Length should have been at least one byte shorter. OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR); return 0; @@ -781,9 +765,7 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) { len = len32; } - if (len + header_len < len || - len + header_len > max_len || - len > INT_MAX) { + if (len + header_len < len || len + header_len > max_len || len > INT_MAX) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG); return 0; } 
@@ -831,27 +813,23 @@ BIO_METHOD *BIO_meth_new(int type, const char *name) { return method; } -void BIO_meth_free(BIO_METHOD *method) { - OPENSSL_free(method); -} +void BIO_meth_free(BIO_METHOD *method) { OPENSSL_free(method); } -int BIO_meth_set_create(BIO_METHOD *method, - int (*create)(BIO *)) { +int BIO_meth_set_create(BIO_METHOD *method, int (*create)(BIO *)) { method->create = create; return 1; } -int (*BIO_meth_get_create(const BIO_METHOD *method)) (BIO *) { +int (*BIO_meth_get_create(const BIO_METHOD *method))(BIO *) { return method->create; } -int BIO_meth_set_destroy(BIO_METHOD *method, - int (*destroy)(BIO *)) { +int BIO_meth_set_destroy(BIO_METHOD *method, int (*destroy)(BIO *)) { method->destroy = destroy; return 1; } -int (*BIO_meth_get_destroy(const BIO_METHOD *method)) (BIO *) { +int (*BIO_meth_get_destroy(const BIO_METHOD *method))(BIO *) { return method->destroy; } @@ -861,19 +839,17 @@ int BIO_meth_set_write(BIO_METHOD *method, return 1; } -int BIO_meth_set_read(BIO_METHOD *method, - int (*read)(BIO *, char *, int)) { +int BIO_meth_set_read(BIO_METHOD *method, int (*read)(BIO *, char *, int)) { method->bread = read; return 1; } -int BIO_meth_set_gets(BIO_METHOD *method, - int (*gets)(BIO *, char *, int)) { +int BIO_meth_set_gets(BIO_METHOD *method, int (*gets)(BIO *, char *, int)) { method->bgets = gets; return 1; } -int (*BIO_meth_get_gets(const BIO_METHOD *method)) (BIO *, char *, int) { +int (*BIO_meth_get_gets(const BIO_METHOD *method))(BIO *, char *, int) { return method->bgets; } @@ -883,7 +859,7 @@ int BIO_meth_set_ctrl(BIO_METHOD *method, return 1; } -long (*BIO_meth_get_ctrl(const BIO_METHOD *method)) (BIO *, int, long, void *) { +long (*BIO_meth_get_ctrl(const BIO_METHOD *method))(BIO *, int, long, void *) { return method->ctrl; } 
@@ -893,7 +869,8 @@ int BIO_meth_set_callback_ctrl(BIO_METHOD *method, return 1; } -long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *method)) (BIO *, int, bio_info_cb) { +long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *method))(BIO *, int, + bio_info_cb) { return method->callback_ctrl; } @@ -914,7 +891,7 @@ int BIO_meth_set_puts(BIO_METHOD *method, int (*puts)(BIO *, const char *)) { return 1; } -int (*BIO_meth_get_puts(const BIO_METHOD *method)) (BIO *, const char *) { +int (*BIO_meth_get_puts(const BIO_METHOD *method))(BIO *, const char *) { return method->bputs; } @@ -922,18 +899,12 @@ void BIO_set_callback_ex(BIO *bio, BIO_callback_fn_ex callback) { bio->callback_ex = callback; } -void BIO_set_callback_arg(BIO *bio, char *arg) { - bio->cb_arg = arg; -} +void BIO_set_callback_arg(BIO *bio, char *arg) { bio->cb_arg = arg; } -char *BIO_get_callback_arg(const BIO *bio) { - return bio->cb_arg; -} +char *BIO_get_callback_arg(const BIO *bio) { return bio->cb_arg; } -int BIO_get_ex_new_index(long argl, void *argp, - CRYPTO_EX_unused *unused, - CRYPTO_EX_dup *dup_unused, - CRYPTO_EX_free *free_func) { +int BIO_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, + CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { int index; if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, free_func)) { diff --git a/crypto/bio/bio_mem.c b/crypto/bio/bio_mem.c index 54243f9df4..1d547d372d 100644 --- a/crypto/bio/bio_mem.c +++ b/crypto/bio/bio_mem.c @@ -290,7 +290,7 @@ int BIO_mem_contents(const BIO *bio, const uint8_t **out_contents, if (out_contents != NULL) { *out_contents = (uint8_t *)b->data; } - if(out_len) { + if (out_len) { *out_len = b->length; } return 1; @@ -308,6 +308,4 @@ int BIO_set_mem_eof_return(BIO *bio, int eof_value) { return (int)BIO_ctrl(bio, BIO_C_SET_BUF_MEM_EOF_RETURN, eof_value, NULL); } -const BIO_METHOD *BIO_s_secmem(void) { - return BIO_s_mem(); -} +const BIO_METHOD *BIO_s_secmem(void) { return BIO_s_mem(); } 
diff --git a/crypto/bio/bio_test.cc b/crypto/bio/bio_test.cc index 0c9f904e30..275e0ff875 100644 --- a/crypto/bio/bio_test.cc +++ b/crypto/bio/bio_test.cc @@ -37,8 +37,8 @@ #include #include #else -#include #include +#include OPENSSL_MSVC_PRAGMA(warning(push, 3)) #include #include @@ -875,7 +875,7 @@ TEST(BIOTest, FileMode) { bio.reset(BIO_new_file(temp.path().c_str(), "r")); ASSERT_TRUE(bio); // NOTE: Our behavior here aligns with OpenSSL which is to |_setmode| the file - // to binary. BoringSSL would |expect_text_mode| below because it respects + // to binary. BoringSSL would |expect_text_mode| below because it respects // default mode on Windows which is text and doesn't call |_setmode| (unless // |BIO_FP_TEXT| is set, which is not the case here). expect_binary_mode(bio.get()); @@ -1215,19 +1215,16 @@ TEST(BIOTest, TestPutsAsWrite) { namespace { // Define custom BIO and BIO_METHODS to test BIO_puts without write -static int customPuts(BIO *b, const char *in) { - return 0; -} +static int customPuts(BIO *b, const char *in) { return 0; } static int customNew(BIO *b) { - b->init=1; + b->init = 1; return 1; } static const BIO_METHOD custom_method = { - BIO_TYPE_NONE, "CustomBioMethod", NULL /* write */, - NULL, customPuts, NULL, - NULL, customNew, NULL, - NULL -}; + BIO_TYPE_NONE, "CustomBioMethod", NULL /* write */, + NULL, customPuts, NULL, + NULL, customNew, NULL, + NULL}; static const BIO_METHOD *BIO_cust(void) { return &custom_method; } 
@@ -1240,16 +1237,12 @@ TEST(BIOTest, TestCustomPuts) { // Test setting new puts method by creating a new BIO bssl::UniquePtr method(BIO_meth_new(0, nullptr)); ASSERT_TRUE(method); - ASSERT_TRUE(BIO_meth_set_create( - method.get(), [](BIO *b) -> int { - BIO_set_init(b, 1); - return 1; + ASSERT_TRUE(BIO_meth_set_create(method.get(), [](BIO *b) -> int { + BIO_set_init(b, 1); + return 1; })); ASSERT_TRUE(BIO_meth_set_puts( - method.get(), [](BIO *b, const char *in) -> int { - return 100; - } - )); + method.get(), [](BIO *b, const char *in) -> int { return 100; })); bssl::UniquePtr bio1(BIO_new(method.get())); ASSERT_TRUE(bio1); ASSERT_TRUE(bio1.get()->method->bputs); @@ -1262,10 +1255,9 @@ TEST(BIOTest, TestPutsNullMethod) { // Create new BIO to test when neither puts nor write is set bssl::UniquePtr method(BIO_meth_new(0, nullptr)); ASSERT_TRUE(method); - ASSERT_TRUE(BIO_meth_set_create( - method.get(), [](BIO *b) -> int { - BIO_set_init(b, 1); - return 1; + ASSERT_TRUE(BIO_meth_set_create(method.get(), [](BIO *b) -> int { + BIO_set_init(b, 1); + return 1; })); bssl::UniquePtr bio(BIO_new(method.get())); ASSERT_TRUE(bio); @@ -1274,11 +1266,11 @@ TEST(BIOTest, TestPutsNullMethod) { ASSERT_FALSE(bio.get()->method->bwrite); ASSERT_EQ(-2, BIO_puts(bio.get(), "hello world")); } -} //namespace +} // namespace TEST(BIOTest, TestPutsCallbacks) { bio_callback_cleanup(); - BIO* bio = BIO_new(BIO_s_mem()); + BIO *bio = BIO_new(BIO_s_mem()); ASSERT_TRUE(bio); BIO_set_callback_ex(bio, bio_cb_ex); @@ -1314,7 +1306,7 @@ TEST(BIOTest, TestPutsCallbacks) { TEST(BIOTest, TestGetsCallback) { bio_callback_cleanup(); - BIO* bio = BIO_new(BIO_s_mem()); + BIO *bio = BIO_new(BIO_s_mem()); ASSERT_TRUE(bio); // write data to BIO, then set callback EXPECT_EQ(TEST_DATA_WRITTEN, BIO_write(bio, "12345", TEST_DATA_WRITTEN)); 
@@ -1350,7 +1342,7 @@ TEST(BIOTest, TestGetsCallback) { TEST(BIOTest, TestCtrlCallback) { bio_callback_cleanup(); - BIO* bio = BIO_new(BIO_s_mem()); + BIO *bio = BIO_new(BIO_s_mem()); ASSERT_TRUE(bio); BIO_set_callback_ex(bio, bio_cb_ex); diff --git a/crypto/bio/connect.c b/crypto/bio/connect.c index 0916d0cfa1..40342faad0 100644 --- a/crypto/bio/connect.c +++ b/crypto/bio/connect.c @@ -63,9 +63,9 @@ #include #if !defined(OPENSSL_WINDOWS) -#include -#include #include +#include +#include #include #else OPENSSL_MSVC_PRAGMA(warning(push, 3)) @@ -77,8 +77,8 @@ OPENSSL_MSVC_PRAGMA(warning(pop)) #include #include -#include "internal.h" #include "../internal.h" +#include "internal.h" enum { @@ -109,9 +109,7 @@ typedef struct bio_connect_st { } BIO_CONNECT; #if !defined(OPENSSL_WINDOWS) -static int closesocket(int sock) { - return close(sock); -} +static int closesocket(int sock) { return close(sock); } #endif // split_host_and_port sets |*out_host| and |*out_port| to the host and port @@ -231,7 +229,7 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) { } BIO_clear_retry_flags(bio); - ret = connect(bio->num, (struct sockaddr*) &c->them, c->them_length); + ret = connect(bio->num, (struct sockaddr *)&c->them, c->them_length); if (ret < 0) { if (bio_socket_should_retry(ret)) { BIO_set_flags(bio, (BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY)); @@ -261,7 +259,8 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) { BIO_clear_retry_flags(bio); OPENSSL_PUT_SYSTEM_ERROR(); OPENSSL_PUT_ERROR(BIO, BIO_R_NBIO_CONNECT_ERROR); - ERR_add_error_data(4, "host=", c->param_hostname, ":", c->param_port); + ERR_add_error_data(4, "host=", c->param_hostname, ":", + c->param_port); ret = 0; } goto exit_loop; @@ -323,7 +322,7 @@ static int conn_new(BIO *bio) { } static void conn_close_socket(BIO *bio) { - BIO_CONNECT *c = (BIO_CONNECT *) bio->ptr; + BIO_CONNECT *c = (BIO_CONNECT *)bio->ptr; if (bio->num == -1) { return; 
@@ -342,7 +341,7 @@ static int conn_free(BIO *bio) { conn_close_socket(bio); } - BIO_CONNECT_free((BIO_CONNECT*) bio->ptr); + BIO_CONNECT_free((BIO_CONNECT *)bio->ptr); return 1; } @@ -514,11 +513,11 @@ static const BIO_METHOD methods_connectp = { const BIO_METHOD *BIO_s_connect(void) { return &methods_connectp; } int BIO_set_conn_hostname(BIO *bio, const char *name) { - return (int)BIO_ctrl(bio, BIO_C_SET_CONNECT, 0, (void*) name); + return (int)BIO_ctrl(bio, BIO_C_SET_CONNECT, 0, (void *)name); } int BIO_set_conn_port(BIO *bio, const char *port_str) { - return (int)BIO_ctrl(bio, BIO_C_SET_CONNECT, 1, (void*) port_str); + return (int)BIO_ctrl(bio, BIO_C_SET_CONNECT, 1, (void *)port_str); } int BIO_set_conn_int_port(BIO *bio, const int *port) { diff --git a/crypto/bio/fd.c b/crypto/bio/fd.c index 3b38db8028..023d37ef48 100644 --- a/crypto/bio/fd.c +++ b/crypto/bio/fd.c @@ -70,20 +70,20 @@ #include #include -#include "internal.h" #include "../internal.h" +#include "internal.h" #if defined(OPENSSL_WINDOWS) - #define BORINGSSL_CLOSE _close - #define BORINGSSL_LSEEK _lseek - #define BORINGSSL_READ _read - #define BORINGSSL_WRITE _write +#define BORINGSSL_CLOSE _close +#define BORINGSSL_LSEEK _lseek +#define BORINGSSL_READ _read +#define BORINGSSL_WRITE _write #else - #define BORINGSSL_CLOSE close - #define BORINGSSL_LSEEK lseek - #define BORINGSSL_READ read - #define BORINGSSL_WRITE write +#define BORINGSSL_CLOSE close +#define BORINGSSL_LSEEK lseek +#define BORINGSSL_READ read +#define BORINGSSL_WRITE write #endif BIO *BIO_new_fd(int fd, int close_flag) { @@ -231,5 +231,5 @@ int BIO_set_fd(BIO *bio, int fd, int close_flag) { } int BIO_get_fd(BIO *bio, int *out_fd) { - return (int)BIO_ctrl(bio, BIO_C_GET_FD, 0, (char *) out_fd); + return (int)BIO_ctrl(bio, BIO_C_GET_FD, 0, (char *)out_fd); } diff --git a/crypto/bio/hexdump.c b/crypto/bio/hexdump.c index 019bd638b6..b959b7ef8e 100644 --- a/crypto/bio/hexdump.c +++ b/crypto/bio/hexdump.c 
@@ -73,13 +73,13 @@ struct hexdump_ctx { static void hexbyte(char *out, uint8_t b) { static const char hextable[] = "0123456789abcdef"; - out[0] = hextable[b>>4]; - out[1] = hextable[b&0x0f]; + out[0] = hextable[b >> 4]; + out[1] = hextable[b & 0x0f]; } static char to_char(uint8_t b) { if (b < 32 || b > 126) { - return '.'; + return '.'; } return b; } diff --git a/crypto/bio/internal.h b/crypto/bio/internal.h index 06f88c9aa1..907af6f9a9 100644 --- a/crypto/bio/internal.h +++ b/crypto/bio/internal.h @@ -65,8 +65,8 @@ // newlib uses u_short in socket.h without defining it. typedef unsigned short u_short; #endif -#include #include +#include #else OPENSSL_MSVC_PRAGMA(warning(push, 3)) #include diff --git a/crypto/bio/pair.c b/crypto/bio/pair.c index 90954eccec..5a482b8d9c 100644 --- a/crypto/bio/pair.c +++ b/crypto/bio/pair.c @@ -354,7 +354,7 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) { assert(b != NULL); switch (cmd) { - // specific CTRL codes + // specific CTRL codes case BIO_C_GET_WRITE_BUF_SIZE: ret = (long)b->size; @@ -392,7 +392,7 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) { ret = 1; break; - // standard CTRL codes follow + // standard CTRL codes follow case BIO_CTRL_GET_CLOSE: ret = bio->shutdown; @@ -449,8 +449,8 @@ static const BIO_METHOD methods_biop = { static const BIO_METHOD *bio_s_bio(void) { return &methods_biop; } -int BIO_new_bio_pair(BIO** bio1_p, size_t writebuf1_len, - BIO** bio2_p, size_t writebuf2_len) { +int BIO_new_bio_pair(BIO **bio1_p, size_t writebuf1_len, BIO **bio2_p, + size_t writebuf2_len) { BIO *bio1 = BIO_new(bio_s_bio()); BIO *bio2 = BIO_new(bio_s_bio()); if (bio1 == NULL || bio2 == NULL || diff --git a/crypto/bio/printf.c b/crypto/bio/printf.c index 102256bccb..4b58bc8895 100644 --- a/crypto/bio/printf.c +++ b/crypto/bio/printf.c 
@@ -75,7 +75,7 @@ int BIO_printf(BIO *bio, const char *format, ...) { return -1; } - if ((size_t) out_len >= sizeof(buf)) { + if ((size_t)out_len >= sizeof(buf)) { const int requested_len = out_len; // The output was truncated. Note that vsnprintf's return value // does not include a trailing NUL, but the buffer must be sized diff --git a/crypto/bio/socket.c b/crypto/bio/socket.c index c86b618b20..0edbe8e0aa 100644 --- a/crypto/bio/socket.c +++ b/crypto/bio/socket.c @@ -73,9 +73,7 @@ OPENSSL_MSVC_PRAGMA(warning(pop)) #if !defined(OPENSSL_WINDOWS) -static int closesocket(int sock) { - return close(sock); -} +static int closesocket(int sock) { return close(sock); } #endif static int sock_free(BIO *bio) { diff --git a/crypto/bio/socket_helper.c b/crypto/bio/socket_helper.c index 0b62974b92..4cf75f176f 100644 --- a/crypto/bio/socket_helper.c +++ b/crypto/bio/socket_helper.c @@ -22,10 +22,10 @@ #if !defined(OPENSSL_NO_SOCK) -#include #include #include #include +#include #if !defined(OPENSSL_WINDOWS) #include @@ -37,8 +37,8 @@ OPENSSL_MSVC_PRAGMA(warning(push, 3)) OPENSSL_MSVC_PRAGMA(warning(pop)) #endif -#include "internal.h" #include "../internal.h" +#include "internal.h" int bio_ip_and_port_to_socket_and_addr(int *out_sock, @@ -69,7 +69,7 @@ int bio_ip_and_port_to_socket_and_addr(int *out_sock, ret = 0; for (cur = result; cur; cur = cur->ai_next) { - if ((size_t) cur->ai_addrlen > sizeof(struct sockaddr_storage)) { + if ((size_t)cur->ai_addrlen > sizeof(struct sockaddr_storage)) { continue; } OPENSSL_memset(out_addr, 0, sizeof(struct sockaddr_storage)); diff --git a/crypto/blake2/blake2.c b/crypto/blake2/blake2.c index 96f65eb95d..968c43a5a8 100644 --- a/crypto/blake2/blake2.c +++ b/crypto/blake2/blake2.c 
@@ -59,9 +59,10 @@ static uint64_t blake2b_load(const uint8_t block[BLAKE2B_CBLOCK], size_t i) { return CRYPTO_load_u64_le(block + 8 * i); } -static void copy_digest_words_to_dest(uint8_t* dest, uint64_t* src, size_t word_count) { +static void copy_digest_words_to_dest(uint8_t *dest, uint64_t *src, + size_t word_count) { #ifdef OPENSSL_BIG_ENDIAN - for(size_t i = 0; i < word_count; i++) { + for (size_t i = 0; i < word_count; i++) { CRYPTO_store_u64_le(&dest[i * sizeof(uint64_t)], src[i]); } #else diff --git a/crypto/bn_extra/bn_asn1.c b/crypto/bn_extra/bn_asn1.c index a8333d419b..7c8413c292 100644 --- a/crypto/bn_extra/bn_asn1.c +++ b/crypto/bn_extra/bn_asn1.c @@ -47,8 +47,7 @@ int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn) { // The number must be padded with a leading zero if the high bit would // otherwise be set or if |bn| is zero. (BN_num_bits(bn) % 8 == 0 && !CBB_add_u8(&child, 0x00)) || - !BN_bn2cbb_padded(&child, BN_num_bytes(bn), bn) || - !CBB_flush(cbb)) { + !BN_bn2cbb_padded(&child, BN_num_bytes(bn), bn) || !CBB_flush(cbb)) { OPENSSL_PUT_ERROR(BN, BN_R_ENCODE_ERROR); return 0; } diff --git a/crypto/bn_extra/convert.c b/crypto/bn_extra/convert.c index f863dd6ae6..276cb727c8 100644 --- a/crypto/bn_extra/convert.c +++ b/crypto/bn_extra/convert.c @@ -112,7 +112,7 @@ char *BN_bn2hex(const BIGNUM *bn) { // decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|. static int decode_hex(BIGNUM *bn, const char *in, int in_len) { - if (in_len > INT_MAX/4) { + if (in_len > INT_MAX / 4) { OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG); return 0; } @@ -163,8 +163,7 @@ static int decode_dec(BIGNUM *bn, const char *in, int in_len) { l *= 10; l += in[i] - '0'; if (++j == BN_DEC_NUM) { - if (!BN_mul_word(bn, BN_DEC_CONV) || - !BN_add_word(bn, l)) { + if (!BN_mul_word(bn, BN_DEC_CONV) || !BN_add_word(bn, l)) { return 0; } l = 0; 
@@ -174,10 +173,11 @@ static int decode_dec(BIGNUM *bn, const char *in, int in_len) { return 1; } -typedef int (*decode_func) (BIGNUM *bn, const char *in, int in_len); -typedef int (*char_test_func) (int c); +typedef int (*decode_func)(BIGNUM *bn, const char *in, int in_len); +typedef int (*char_test_func)(int c); -static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, char_test_func want_char) { +static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, + char_test_func want_char) { BIGNUM *ret = NULL; int neg = 0, i; int num; @@ -191,9 +191,10 @@ static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, char_test_ in++; } - for (i = 0; want_char((unsigned char)in[i]) && i + neg < INT_MAX; i++) {} + for (i = 0; want_char((unsigned char)in[i]) && i + neg < INT_MAX; i++) { + } - if(i == 0) { + if (i == 0) { OPENSSL_PUT_ERROR(BN, BN_R_INVALID_INPUT); return 0; } @@ -243,8 +244,7 @@ char *BN_bn2dec(const BIGNUM *a) { // and fix at the end. BIGNUM *copy = NULL; CBB cbb; - if (!CBB_init(&cbb, 16) || - !CBB_add_u8(&cbb, 0 /* trailing NUL */)) { + if (!CBB_init(&cbb, 16) || !CBB_add_u8(&cbb, 0 /* trailing NUL */)) { goto err; } @@ -275,8 +275,7 @@ char *BN_bn2dec(const BIGNUM *a) { } } - if (BN_is_negative(a) && - !CBB_add_u8(&cbb, '-')) { + if (BN_is_negative(a) && !CBB_add_u8(&cbb, '-')) { goto err; } @@ -287,7 +286,7 @@ char *BN_bn2dec(const BIGNUM *a) { } // Reverse the buffer. - for (size_t i = 0; i < len/2; i++) { + for (size_t i = 0; i < len / 2; i++) { uint8_t tmp = data[i]; data[i] = data[len - 1 - i]; data[len - 1 - i] = tmp; @@ -313,7 +312,7 @@ int BN_asc2bn(BIGNUM **outp, const char *in) { } if (in[0] == '0' && (in[1] == 'X' || in[1] == 'x')) { - if (!BN_hex2bn(outp, in+2)) { + if (!BN_hex2bn(outp, in + 2)) { return 0; } } else { 
@@ -382,9 +381,7 @@ size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) { } const size_t len = bytes + extend; - if (len < bytes || - 4 + len < len || - (len & 0xffffffff) != len) { + if (len < bytes || 4 + len < len || (len & 0xffffffff) != len) { // If we cannot represent the number then we emit zero as the interface // doesn't allow an error to be signalled. if (out) { @@ -416,10 +413,8 @@ BIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out) { OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING); return NULL; } - const size_t in_len = ((size_t)in[0] << 24) | - ((size_t)in[1] << 16) | - ((size_t)in[2] << 8) | - ((size_t)in[3]); + const size_t in_len = ((size_t)in[0] << 24) | ((size_t)in[1] << 16) | + ((size_t)in[2] << 8) | ((size_t)in[3]); if (in_len != len - 4) { OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING); return NULL; @@ -461,8 +456,7 @@ BIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out) { } int BN_bn2binpad(const BIGNUM *in, uint8_t *out, int len) { - if (len < 0 || - !BN_bn2bin_padded(out, (size_t)len, in)) { + if (len < 0 || !BN_bn2bin_padded(out, (size_t)len, in)) { return -1; } return len; diff --git a/crypto/buf/buf.c b/crypto/buf/buf.c index 1fe8fe6126..741efa8f35 100644 --- a/crypto/buf/buf.c +++ b/crypto/buf/buf.c @@ -58,8 +58,8 @@ #include -#include #include +#include #include "../internal.h" diff --git a/crypto/bytestring/asn1_compat.c b/crypto/bytestring/asn1_compat.c index a565c44b37..7dd9f20921 100644 --- a/crypto/bytestring/asn1_compat.c +++ b/crypto/bytestring/asn1_compat.c @@ -21,8 +21,8 @@ #include -#include "internal.h" #include "../internal.h" +#include "internal.h" int CBB_finish_i2d(CBB *cbb, uint8_t **outp) { diff --git a/crypto/bytestring/ber.c b/crypto/bytestring/ber.c index b3ba7711b7..0446236366 100644 --- a/crypto/bytestring/ber.c +++ b/crypto/bytestring/ber.c 
@@ -95,8 +95,7 @@ static int cbs_find_ber(const CBS *orig_in, int *ber_found, uint32_t depth) { // cbs_get_eoc returns one if |cbs| begins with an "end of contents" (EOC) value // and zero otherwise. If an EOC was found, it advances |cbs| past it. static int cbs_get_eoc(CBS *cbs) { - if (CBS_len(cbs) >= 2 && - CBS_data(cbs)[0] == 0 && CBS_data(cbs)[1] == 0) { + if (CBS_len(cbs) >= 2 && CBS_data(cbs)[0] == 0 && CBS_data(cbs)[1] == 0) { return CBS_skip(cbs, 2); } return 0; @@ -208,8 +207,7 @@ int CBS_asn1_ber_to_der(CBS *in, CBS *out, uint8_t **out_storage) { } size_t len; - if (!CBB_init(&cbb, CBS_len(in)) || - !cbs_convert_ber(in, &cbb, 0, 0, 0) || + if (!CBB_init(&cbb, CBS_len(in)) || !cbs_convert_ber(in, &cbb, 0, 0, 0) || !CBB_finish(&cbb, out_storage, &len)) { CBB_cleanup(&cbb); return 0; diff --git a/crypto/bytestring/bytestring_test.cc b/crypto/bytestring/bytestring_test.cc index 6d9ac9ead5..5299521ced 100644 --- a/crypto/bytestring/bytestring_test.cc +++ b/crypto/bytestring/bytestring_test.cc @@ -491,12 +491,7 @@ TEST(CBBTest, DiscardChild) { bssl::UniquePtr scoper(buf); static const uint8_t kExpected[] = { - 0xaa, - 0, - 1, 0xbb, - 0, 2, 0xcc, 0xcc, - 0, 0, 3, 0xdd, 0xdd, 0xdd, - 1, 0xff, + 0xaa, 0, 1, 0xbb, 0, 2, 0xcc, 0xcc, 0, 0, 3, 0xdd, 0xdd, 0xdd, 1, 0xff, }; EXPECT_EQ(Bytes(kExpected), Bytes(buf, buf_len)); } @@ -520,7 +515,7 @@ TEST(CBBTest, Misuse) { EXPECT_FALSE(CBB_add_u8_length_prefixed(&child, &contents)); EXPECT_FALSE(CBB_add_u16_length_prefixed(&child, &contents)); EXPECT_FALSE(CBB_add_asn1(&child, &contents, 1)); - EXPECT_FALSE(CBB_add_bytes(&child, (const uint8_t*) "a", 1)); + EXPECT_FALSE(CBB_add_bytes(&child, (const uint8_t *)"a", 1)); ASSERT_TRUE(CBB_finish(cbb.get(), &buf, &buf_len)); bssl::UniquePtr scoper(buf); 
@@ -531,15 +526,41 @@ TEST(CBBTest, Misuse) { TEST(CBBTest, ASN1) { static const uint8_t kExpected[] = { // SEQUENCE { 1 2 3 } - 0x30, 3, 1, 2, 3, + 0x30, + 3, + 1, + 2, + 3, // [4 CONSTRUCTED] { 4 5 6 } - 0xa4, 3, 4, 5, 6, + 0xa4, + 3, + 4, + 5, + 6, // [APPLICATION 30 PRIMITIVE] { 7 8 9 } - 0x5e, 3, 7, 8, 9, + 0x5e, + 3, + 7, + 8, + 9, // [APPLICATION 31 PRIMITIVE] { 10 11 12 } - 0x5f, 0x1f, 3, 10, 11, 12, + 0x5f, + 0x1f, + 3, + 10, + 11, + 12, // [PRIVATE 2^29-1 CONSTRUCTED] { 13 14 15 } - 0xff, 0x81, 0xff, 0xff, 0xff, 0x7f, 3, 13, 14, 15, + 0xff, + 0x81, + 0xff, + 0xff, + 0xff, + 0x7f, + 3, + 13, + 14, + 15, }; uint8_t *buf; size_t buf_len; @@ -553,13 +574,9 @@ TEST(CBBTest, ASN1) { CBB_add_asn1(cbb.get(), &contents, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 4)); ASSERT_TRUE(CBB_add_bytes(&contents, (const uint8_t *)"\x04\x05\x06", 3)); - ASSERT_TRUE( - CBB_add_asn1(cbb.get(), &contents, - CBS_ASN1_APPLICATION | 30)); + ASSERT_TRUE(CBB_add_asn1(cbb.get(), &contents, CBS_ASN1_APPLICATION | 30)); ASSERT_TRUE(CBB_add_bytes(&contents, (const uint8_t *)"\x07\x08\x09", 3)); - ASSERT_TRUE( - CBB_add_asn1(cbb.get(), &contents, - CBS_ASN1_APPLICATION | 31)); + ASSERT_TRUE(CBB_add_asn1(cbb.get(), &contents, CBS_ASN1_APPLICATION | 31)); ASSERT_TRUE(CBB_add_bytes(&contents, (const uint8_t *)"\x0a\x0b\x0c", 3)); ASSERT_TRUE( CBB_add_asn1(cbb.get(), &contents, @@ -874,10 +891,10 @@ static const ASN1Uint64Test kASN1Uint64Tests[] = { {127, "\x02\x01\x7f", 3}, {128, "\x02\x02\x00\x80", 4}, {0xdeadbeef, "\x02\x05\x00\xde\xad\xbe\xef", 7}, - {UINT64_C(0x0102030405060708), - "\x02\x08\x01\x02\x03\x04\x05\x06\x07\x08", 10}, + {UINT64_C(0x0102030405060708), "\x02\x08\x01\x02\x03\x04\x05\x06\x07\x08", + 10}, {UINT64_C(0xffffffffffffffff), - "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff", 11}, + "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff", 11}, }; struct ASN1InvalidUint64Test { 
@@ -1140,7 +1157,7 @@ TEST(CBSTest, BitString) { {0x00, 0xff}, // 8 bits {0x06, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc0}, // 42 bits }; - for (const auto& test : kValidBitStrings) { + for (const auto &test : kValidBitStrings) { SCOPED_TRACE(Bytes(test.data(), test.size())); CBS cbs; CBS_init(&cbs, test.data(), test.size()); @@ -1158,7 +1175,7 @@ TEST(CBSTest, BitString) { // All unused bits must be cleared. {0x06, 0xff, 0xc1}, }; - for (const auto& test : kInvalidBitStrings) { + for (const auto &test : kInvalidBitStrings) { SCOPED_TRACE(Bytes(test.data(), test.size())); CBS cbs; CBS_init(&cbs, test.data(), test.size()); @@ -1192,7 +1209,7 @@ TEST(CBSTest, BitString) { {{0x06, 0x0f, 0x40}, 16, false}, {{0x06, 0x0f, 0x40}, 1000, false}, }; - for (const auto& test : kBitTests) { + for (const auto &test : kBitTests) { SCOPED_TRACE(Bytes(test.in.data(), test.in.size())); SCOPED_TRACE(test.bit); CBS cbs; @@ -1311,13 +1328,13 @@ TEST(CBBTest, FlushASN1SetOf) { const struct { std::vector in, out; } kValidInputs[] = { - // No elements. - {{}, {}}, - // One element. - {{0x30, 0x00}, {0x30, 0x00}}, - // Two identical elements. - {{0x30, 0x00, 0x30, 0x00}, {0x30, 0x00, 0x30, 0x00}}, - // clang-format off + // No elements. + {{}, {}}, + // One element. + {{0x30, 0x00}, {0x30, 0x00}}, + // Two identical elements. + {{0x30, 0x00, 0x30, 0x00}, {0x30, 0x00, 0x30, 0x00}}, + // clang-format off {{0x30, 0x02, 0x00, 0x00, 0x30, 0x00, 0x01, 0x00, @@ -1336,7 +1353,7 @@ TEST(CBBTest, FlushASN1SetOf) { 0x30, 0x02, 0x00, 0x00, 0x30, 0x03, 0x00, 0x00, 0x00, 0x30, 0x03, 0x00, 0x00, 0x01}}, - // clang-format on + // clang-format on }; for (const auto &t : kValidInputs) { @@ -1360,9 +1377,9 @@ TEST(CBBTest, FlushASN1SetOf) { } const std::vector kInvalidInputs[] = { - {0x30}, - {0x30, 0x01}, - {0x30, 0x00, 0x30, 0x00, 0x30, 0x01}, + {0x30}, + {0x30, 0x01}, + {0x30, 0x00, 0x30, 0x00, 0x30, 0x01}, }; for (const auto &t : kInvalidInputs) { 
@@ -1559,17 +1576,17 @@ TEST(CBBTest, Unicode) { } static const uint32_t kBadCodePoints[] = { - // Surrogate pairs. - 0xd800, - 0xdfff, - // Non-characters. - 0xfffe, - 0xffff, - 0xfdd0, - 0x1fffe, - 0x1ffff, - // Too big. - 0x110000, + // Surrogate pairs. + 0xd800, + 0xdfff, + // Non-characters. + 0xfffe, + 0xffff, + 0xfdd0, + 0x1fffe, + 0x1ffff, + // Too big. + 0x110000, }; bssl::ScopedCBB cbb; ASSERT_TRUE(CBB_init(cbb.get(), 0)); @@ -1651,11 +1668,8 @@ TEST(CBSTest, BogusTime) { static const struct { const char *timestring; } kUTCTZTests[] = { - {"480711220333-0700"}, - {"140704000000-0700"}, - {"480222202332-0500"}, - {"480726113216-0000"}, - {"480726113216-2359"}, + {"480711220333-0700"}, {"140704000000-0700"}, {"480222202332-0500"}, + {"480726113216-0000"}, {"480726113216-2359"}, }; for (const auto &t : kUTCTZTests) { SCOPED_TRACE(t.timestring); @@ -1733,7 +1747,7 @@ TEST(CBSTest, GetU64Decimal) { for (const auto &t : kTests) { SCOPED_TRACE(t.text); CBS cbs; - CBS_init(&cbs, reinterpret_cast(t.text), strlen(t.text)); + CBS_init(&cbs, reinterpret_cast(t.text), strlen(t.text)); uint64_t v; ASSERT_TRUE(CBS_get_u64_decimal(&cbs, &v)); EXPECT_EQ(v, t.val); diff --git a/crypto/bytestring/cbb.c b/crypto/bytestring/cbb.c index 94d89735a9..f7cdbdfcf2 100644 --- a/crypto/bytestring/cbb.c +++ b/crypto/bytestring/cbb.c @@ -18,15 +18,13 @@ #include #include -#include #include +#include #include "../internal.h" -void CBB_zero(CBB *cbb) { - OPENSSL_memset(cbb, 0, sizeof(CBB)); -} +void CBB_zero(CBB *cbb) { OPENSSL_memset(cbb, 0, sizeof(CBB)); } static void cbb_init(CBB *cbb, uint8_t *buf, size_t cap, int can_resize) { cbb->is_child = 0; @@ -200,8 +198,7 @@ int CBB_flush(CBB *cbb) { assert(child->base == base); size_t child_start = child->offset + child->pending_len_len; - if (!CBB_flush(cbb->child) || - child_start < child->offset || + if (!CBB_flush(cbb->child) || child_start < child->offset || base->len < child_start) { goto err; } 
@@ -215,7 +212,7 @@ int CBB_flush(CBB *cbb) { uint8_t len_len; uint8_t initial_length_byte; - assert (child->pending_len_len == 1); + assert(child->pending_len_len == 1); if (len > 0xfffffffe) { OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW); @@ -403,8 +400,7 @@ int CBB_add_zeros(CBB *cbb, size_t len) { } int CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len) { - if (!CBB_flush(cbb) || - !cbb_buffer_add(cbb_get_base(cbb), out_data, len)) { + if (!CBB_flush(cbb) || !cbb_buffer_add(cbb_get_base(cbb), out_data, len)) { return 0; } return 1; @@ -421,9 +417,7 @@ int CBB_reserve(CBB *cbb, uint8_t **out_data, size_t len) { int CBB_did_write(CBB *cbb, size_t len) { struct cbb_buffer_st *base = cbb_get_base(cbb); size_t newlen = base->len + len; - if (cbb->child != NULL || - newlen < base->len || - newlen > base->cap) { + if (cbb->child != NULL || newlen < base->len || newlen > base->cap) { return 0; } base->len = newlen; 
@@ -450,33 +444,23 @@ static int cbb_add_u(CBB *cbb, uint64_t v, size_t len_len) { return 1; } -int CBB_add_u8(CBB *cbb, uint8_t value) { - return cbb_add_u(cbb, value, 1); -} +int CBB_add_u8(CBB *cbb, uint8_t value) { return cbb_add_u(cbb, value, 1); } -int CBB_add_u16(CBB *cbb, uint16_t value) { - return cbb_add_u(cbb, value, 2); -} +int CBB_add_u16(CBB *cbb, uint16_t value) { return cbb_add_u(cbb, value, 2); } int CBB_add_u16le(CBB *cbb, uint16_t value) { return CBB_add_u16(cbb, CRYPTO_bswap2(value)); } -int CBB_add_u24(CBB *cbb, uint32_t value) { - return cbb_add_u(cbb, value, 3); -} +int CBB_add_u24(CBB *cbb, uint32_t value) { return cbb_add_u(cbb, value, 3); } -int CBB_add_u32(CBB *cbb, uint32_t value) { - return cbb_add_u(cbb, value, 4); -} +int CBB_add_u32(CBB *cbb, uint32_t value) { return cbb_add_u(cbb, value, 4); } int CBB_add_u32le(CBB *cbb, uint32_t value) { return CBB_add_u32(cbb, CRYPTO_bswap4(value)); } -int CBB_add_u64(CBB *cbb, uint64_t value) { - return cbb_add_u(cbb, value, 8); -} +int CBB_add_u64(CBB *cbb, uint64_t value) { return cbb_add_u(cbb, value, 8); } int CBB_add_u64le(CBB *cbb, uint64_t value) { return CBB_add_u64(cbb, CRYPTO_bswap8(value)); @@ -583,8 +567,7 @@ int CBB_add_asn1_int64_with_tag(CBB *cbb, int64_t value, CBS_ASN1_TAG tag) { int CBB_add_asn1_octet_string(CBB *cbb, const uint8_t *data, size_t data_len) { CBB child; if (!CBB_add_asn1(cbb, &child, CBS_ASN1_OCTETSTRING) || - !CBB_add_bytes(&child, data, data_len) || - !CBB_flush(cbb)) { + !CBB_add_bytes(&child, data, data_len) || !CBB_flush(cbb)) { cbb_on_error(cbb); return 0; } @@ -595,8 +578,7 @@ int CBB_add_asn1_octet_string(CBB *cbb, const uint8_t *data, size_t data_len) { int CBB_add_asn1_bool(CBB *cbb, int value) { CBB child; if (!CBB_add_asn1(cbb, &child, CBS_ASN1_BOOLEAN) || - !CBB_add_u8(&child, value != 0 ? 0xff : 0) || - !CBB_flush(cbb)) { + !CBB_add_u8(&child, value != 0 ? 0xff : 0) || !CBB_flush(cbb)) { cbb_on_error(cbb); return 0; } 
@@ -630,24 +612,20 @@ int CBB_add_asn1_oid_from_text(CBB *cbb, const char *text, size_t len) { // OIDs must have at least two components. uint64_t a, b; - if (!parse_dotted_decimal(&cbs, &a) || - !parse_dotted_decimal(&cbs, &b)) { + if (!parse_dotted_decimal(&cbs, &a) || !parse_dotted_decimal(&cbs, &b)) { return 0; } // The first component is encoded as 40 * |a| + |b|. This assumes that |a| is // 0, 1, or 2 and that, when it is 0 or 1, |b| is at most 39. - if (a > 2 || - (a < 2 && b > 39) || - b > UINT64_MAX - 80 || + if (a > 2 || (a < 2 && b > 39) || b > UINT64_MAX - 80 || !add_base128_integer(cbb, 40u * a + b)) { return 0; } // The remaining components are encoded unmodified. while (CBS_len(&cbs) > 0) { - if (!parse_dotted_decimal(&cbs, &a) || - !add_base128_integer(cbb, a)) { + if (!parse_dotted_decimal(&cbs, &a) || !add_base128_integer(cbb, a)) { return 0; } } diff --git a/crypto/bytestring/cbs.c b/crypto/bytestring/cbs.c index 5bb5f2e793..d09fbad2f6 100644 --- a/crypto/bytestring/cbs.c +++ b/crypto/bytestring/cbs.c @@ -317,8 +317,9 @@ static int parse_asn1_tag(CBS *cbs, CBS_ASN1_TAG *out, int universal_tag_ok) { } int cbs_get_any_asn1_element(CBS *cbs, CBS *out, CBS_ASN1_TAG *out_tag, - size_t *out_header_len, int *out_ber_found, - int *out_indefinite, int ber_ok, int universal_tag_ok) { + size_t *out_header_len, int *out_ber_found, + int *out_indefinite, int ber_ok, + int universal_tag_ok) { CBS header = *cbs; CBS throwaway; @@ -481,7 +482,8 @@ int CBS_get_asn1_element(CBS *cbs, CBS *out, CBS_ASN1_TAG tag_value) { int CBS_peek_asn1_tag(const CBS *cbs, CBS_ASN1_TAG tag_value) { CBS copy = *cbs; CBS_ASN1_TAG actual_tag; - return parse_asn1_tag(©, &actual_tag, /*universal_tag_ok=*/0) && tag_value == actual_tag; + return parse_asn1_tag(©, &actual_tag, /*universal_tag_ok=*/0) && + tag_value == actual_tag; } int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out) { diff --git a/crypto/bytestring/internal.h b/crypto/bytestring/internal.h index 7465e24373..390b1c16f5 100644 
--- a/crypto/bytestring/internal.h +++ b/crypto/bytestring/internal.h @@ -88,12 +88,13 @@ OPENSSL_EXPORT int cbb_add_latin1(CBB *cbb, uint32_t u); OPENSSL_EXPORT int cbb_add_ucs2_be(CBB *cbb, uint32_t u); OPENSSL_EXPORT int cbb_add_utf32_be(CBB *cbb, uint32_t u); -// cbs_get_any_asn1_element parses an ASN.1 element from |cbs|. |*out_indefinite| -// is set to one if the length was indefinite and zero otherwise. On success, -// if the length is indefinite |out| will only contain the ASN.1 header, -// otherwise is will contain both the header and the content. If |out_tag| is -// not NULL, |*out_tag| is set to the element's tag number. If |out_header_len| -// is not NULL, |*out_header_len| is set to the length of the header. +// cbs_get_any_asn1_element parses an ASN.1 element from |cbs|. +// |*out_indefinite| is set to one if the length was indefinite and zero +// otherwise. On success, if the length is indefinite |out| will only contain +// the ASN.1 header, otherwise is will contain both the header and the content. +// If |out_tag| is not NULL, |*out_tag| is set to the element's tag number. If +// |out_header_len| is not NULL, |*out_header_len| is set to the length of the +// header. // // If |ber_ok| is one, BER encoding is permitted. In this case, if // |out_ber_found| is not NULL and BER-specific encoding was found, @@ -106,8 +107,9 @@ OPENSSL_EXPORT int cbb_add_utf32_be(CBB *cbb, uint32_t u); // // It returns one on success and zero on failure. int cbs_get_any_asn1_element(CBS *cbs, CBS *out, CBS_ASN1_TAG *out_tag, - size_t *out_header_len, int *out_ber_found, - int *out_indefinite, int ber_ok, int universal_tag_ok); + size_t *out_header_len, int *out_ber_found, + int *out_indefinite, int ber_ok, + int universal_tag_ok); #if defined(__cplusplus) } // extern C diff --git a/crypto/bytestring/unicode.c b/crypto/bytestring/unicode.c index 244839ea9e..f33cf23f06 100644 --- a/crypto/bytestring/unicode.c +++ b/crypto/bytestring/unicode.c 
@@ -19,13 +19,12 @@ static int is_valid_code_point(uint32_t v) { // References in the following are to Unicode 15.0.0. - if (// The Unicode space runs from zero to 0x10ffff (3.4 D9). + if ( // The Unicode space runs from zero to 0x10ffff (3.4 D9). v > 0x10ffff || // Values 0x...fffe, 0x...ffff, and 0xfdd0-0xfdef are permanently reserved // as noncharacters (3.4 D14). See also 23.7. As our APIs are intended for // "open interchange", such as ASN.1, we reject them. - (v & 0xfffe) == 0xfffe || - (v >= 0xfdd0 && v <= 0xfdef) || + (v & 0xfffe) == 0xfffe || (v >= 0xfdd0 && v <= 0xfdef) || // Surrogate code points are invalid (3.2 C1). (v >= 0xd800 && v <= 0xdfff)) { return 0; @@ -66,15 +65,13 @@ int cbs_get_utf8(CBS *cbs, uint32_t *out) { return 0; } for (size_t i = 0; i < len; i++) { - if (!CBS_get_u8(cbs, &c) || - (c & TOP_BITS(2)) != TOP_BITS(1)) { + if (!CBS_get_u8(cbs, &c) || (c & TOP_BITS(2)) != TOP_BITS(1)) { return 0; } v <<= 6; v |= c & BOTTOM_BITS(6); } - if (!is_valid_code_point(v) || - v < lower_bound) { + if (!is_valid_code_point(v) || v < lower_bound) { return 0; } *out = v; @@ -93,8 +90,7 @@ int cbs_get_latin1(CBS *cbs, uint32_t *out) { int cbs_get_ucs2_be(CBS *cbs, uint32_t *out) { // Note UCS-2 (used by BMPString) does not support surrogates. uint16_t c; - if (!CBS_get_u16(cbs, &c) || - !is_valid_code_point(c)) { + if (!CBS_get_u16(cbs, &c) || !is_valid_code_point(c)) { return 0; } *out = c; diff --git a/crypto/chacha/chacha.c b/crypto/chacha/chacha.c index 21274bc874..8ded2ac50b 100644 --- a/crypto/chacha/chacha.c +++ b/crypto/chacha/chacha.c 
@@ -26,10 +26,10 @@ // sigma contains the ChaCha constants, which happen to be an ASCII string. // "expand 32-byte k" static const uint32_t sigma_words[4] = { - 0x61707865, // 'e' 0x65, 'x' 0x78, 'p' 0x70, 'a' 0x61, - 0x3320646e, // 'n' 0x6E, 'd' 0x64, ' ' 0x20, '3' 0x33, - 0x79622d32, // '2' 0x32, '-' 0x2D, 'b' 0x62, 'y' 0x79, - 0x6b206574 // 't' 0x74, 'e' 0x65, ' ' 0x20, 'k' 0x6B + 0x61707865, // 'e' 0x65, 'x' 0x78, 'p' 0x70, 'a' 0x61, + 0x3320646e, // 'n' 0x6E, 'd' 0x64, ' ' 0x20, '3' 0x33, + 0x79622d32, // '2' 0x32, '-' 0x2D, 'b' 0x62, 'y' 0x79, + 0x6b206574 // 't' 0x74, 'e' 0x65, ' ' 0x20, 'k' 0x6B }; // QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round. @@ -48,11 +48,11 @@ void CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32], uint32_t x[16]; OPENSSL_memcpy(x, sigma_words, sizeof(sigma_words)); #ifdef OPENSSL_BIG_ENDIAN - for(size_t i = 4; i < 12; i++) { - x[i] = CRYPTO_load_u32_le(key + (i-4) * sizeof(uint32_t)); + for (size_t i = 4; i < 12; i++) { + x[i] = CRYPTO_load_u32_le(key + (i - 4) * sizeof(uint32_t)); } - for(size_t i = 12; i < 16; i++) { - x[i] = CRYPTO_load_u32_le(nonce + (i-12) * sizeof(uint32_t)); + for (size_t i = 12; i < 16; i++) { + x[i] = CRYPTO_load_u32_le(nonce + (i - 12) * sizeof(uint32_t)); } #else OPENSSL_memcpy(&x[4], key, 32); @@ -71,11 +71,11 @@ void CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32], } #ifdef OPENSSL_BIG_ENDIAN - for(size_t i = 0; i < 4; i++) { + for (size_t i = 0; i < 4; i++) { CRYPTO_store_u32_le(out + i * sizeof(uint32_t), x[i]); } - for(size_t i = 12; i < 16; i++) { - CRYPTO_store_u32_le(out + (i-8) * sizeof(uint32_t), x[i]); + for (size_t i = 12; i < 16; i++) { + CRYPTO_store_u32_le(out + (i - 8) * sizeof(uint32_t), x[i]); } #else OPENSSL_memcpy(out, &x[0], sizeof(uint32_t) * 4); diff --git a/crypto/chacha/chacha_test.cc b/crypto/chacha/chacha_test.cc index 3a379a9e88..9eef316a29 100644 --- a/crypto/chacha/chacha_test.cc +++ b/crypto/chacha/chacha_test.cc 
@@ -12,21 +12,21 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include #include +#include #include #include #include -#include #include +#include -#include "internal.h" #include "../internal.h" #include "../test/abi_test.h" #include "../test/test_util.h" +#include "internal.h" static const uint8_t kKey[32] = { diff --git a/crypto/cipher_extra/aead_test.cc b/crypto/cipher_extra/aead_test.cc index 2300d4a6a2..aaccbefd16 100644 --- a/crypto/cipher_extra/aead_test.cc +++ b/crypto/cipher_extra/aead_test.cc @@ -133,7 +133,7 @@ static const struct KnownAEAD kAEADs[] = { "aes_128_cbc_sha256_tls_implicit_iv_tests.txt", kLimitedImplementation | RequiresADLength(11)}, - {"AES_256_CBC_SHA384_TLS", EVP_aead_aes_256_cbc_sha384_tls, + {"AES_256_CBC_SHA384_TLS", EVP_aead_aes_256_cbc_sha384_tls, "aes_256_cbc_sha384_tls_tests.txt", kLimitedImplementation | RequiresADLength(11)}, @@ -835,11 +835,12 @@ TEST_P(PerAEADTest, AliasedBuffers) { #define UNALIGNED_TEST_ALIGNMENT __BIGGEST_ALIGNMENT__ #else #define UNALIGNED_TEST_ALIGNMENT 8 -#endif // defined(__BIGGEST_ALIGNMENT__) +#endif // defined(__BIGGEST_ALIGNMENT__) TEST_P(PerAEADTest, UnalignedInput) { alignas(UNALIGNED_TEST_ALIGNMENT) uint8_t key[EVP_AEAD_MAX_KEY_LENGTH + 1]; - alignas(UNALIGNED_TEST_ALIGNMENT) uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH + 1]; + alignas(UNALIGNED_TEST_ALIGNMENT) + uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH + 1]; alignas(UNALIGNED_TEST_ALIGNMENT) uint8_t plaintext[32 + 1]; alignas(UNALIGNED_TEST_ALIGNMENT) uint8_t ad[32 + 1]; OPENSSL_memset(key, 'K', sizeof(key)); 
@@ -860,7 +861,8 @@ TEST_P(PerAEADTest, UnalignedInput) { ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction( ctx.get(), aead(), key + 1, key_len, EVP_AEAD_DEFAULT_TAG_LENGTH, evp_aead_seal)); - alignas(UNALIGNED_TEST_ALIGNMENT) uint8_t ciphertext[sizeof(plaintext) + EVP_AEAD_MAX_OVERHEAD]; + alignas(UNALIGNED_TEST_ALIGNMENT) + uint8_t ciphertext[sizeof(plaintext) + EVP_AEAD_MAX_OVERHEAD]; size_t ciphertext_len; ASSERT_TRUE(EVP_AEAD_CTX_seal(ctx.get(), ciphertext + 1, &ciphertext_len, sizeof(ciphertext) - 1, nonce + 1, nonce_len, @@ -1371,16 +1373,17 @@ TEST(AEADTest, TestGCMSIV256Change16Alignment) { } TEST(AEADTest, TestMonotonicityCheck) { - static const uint8_t kEvpAeadCtxKey[32] = {0}; // Only the tls13() ciphers have monotonicity checks - const EVP_AEAD *aeads_to_test[] = { EVP_aead_aes_128_gcm_tls13(), EVP_aead_aes_256_gcm_tls13() }; + const EVP_AEAD *aeads_to_test[] = {EVP_aead_aes_128_gcm_tls13(), + EVP_aead_aes_256_gcm_tls13()}; for (const EVP_AEAD *cipher : aeads_to_test) { bssl::ScopedEVP_AEAD_CTX encrypt_ctx; - ASSERT_TRUE(EVP_AEAD_CTX_init(encrypt_ctx.get(), cipher, kEvpAeadCtxKey, cipher->key_len, 16, NULL)) + ASSERT_TRUE(EVP_AEAD_CTX_init(encrypt_ctx.get(), cipher, kEvpAeadCtxKey, + cipher->key_len, 16, NULL)) << ERR_error_string(ERR_get_error(), NULL); uint8_t nonce[12] = {0}; 
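Review bot: The TestMonotonicityCheck hunk removes the local `static const uint8_t kEvpAeadCtxKey[32] = {0};` without adding a replacement, so the `EVP_AEAD_CTX_init(encrypt_ctx.get(), cipher, kEvpAeadCtxKey, cipher->key_len, 16, NULL)` call now binds to a `kEvpAeadCtxKey` from a different scope, which is a semantic change in a commit described as formatting-only. The file-level `kEvpAeadCtxKey[80]` visible in the following hunk appears later in file order than this test, so unless an earlier declaration exists outside these hunks the test either stops compiling or silently switches from an all-zero 32-byte key to that 80-byte key material. Either restore the local line, `static const uint8_t kEvpAeadCtxKey[32] = {0};`, or split the key change into its own commit with a description of the intent.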
@@ -1393,18 +1396,19 @@ TEST(AEADTest, TestMonotonicityCheck) { // as long as monotonicity is preserved. Here the implicit IV is presumed // to be a zero-filled array. That lets us update the nonce value directly // with an increasing sequence number. - for (size_t sequence_num = 0; sequence_num <= 255; sequence_num+=10) { + for (size_t sequence_num = 0; sequence_num <= 255; sequence_num += 10) { nonce[last_byte] = sequence_num; - ASSERT_TRUE(EVP_AEAD_CTX_seal(encrypt_ctx.get(), ciphertext, &out_len, - sizeof(ciphertext), nonce, sizeof(nonce), plaintext, - sizeof(plaintext), nullptr /* ad */, 0)); + ASSERT_TRUE(EVP_AEAD_CTX_seal( + encrypt_ctx.get(), ciphertext, &out_len, sizeof(ciphertext), nonce, + sizeof(nonce), plaintext, sizeof(plaintext), nullptr /* ad */, 0)); } - // Attempting to encrypt with a decreased sequence number causes the monotonicity check to fail. + // Attempting to encrypt with a decreased sequence number causes the + // monotonicity check to fail. nonce[last_byte] = 0; - ASSERT_FALSE(EVP_AEAD_CTX_seal(encrypt_ctx.get(), ciphertext, &out_len, - sizeof(ciphertext), nonce, sizeof(nonce), plaintext, - sizeof(plaintext), nullptr /* ad */, 0)); + ASSERT_FALSE(EVP_AEAD_CTX_seal( + encrypt_ctx.get(), ciphertext, &out_len, sizeof(ciphertext), nonce, + sizeof(nonce), plaintext, sizeof(plaintext), nullptr /* ad */, 0)); } } @@ -1427,8 +1431,7 @@ static const uint8_t kEvpAeadCtxKey[80] = { 0xb0, 0x3f, 0x35, 0xe6, 0xb5, 0x2f, 0x3b, 0xee, 0xbc, 0xf9, 0x11, 0xb1, 0x9e, 0x58, 0xf6, 0xb7, 0xf3, 0x3e, 0x5b, 0x66, 0x28, 0x85, 0x0c, 0x66, 0x2b, 0x75, 0xb7, 0x86, 0xfd, 0xa4, 0x2d, 0x4b, 0x8c, 0xe0, 0x9a, 0x58, - 0xbf, 0xc6, 0x22, 0x4c, 0x39, 0x25, 0x66, 0xfd -}; + 0xbf, 0xc6, 0x22, 0x4c, 0x39, 0x25, 0x66, 0xfd}; static const EvpAeadCtxSerdeTestParams kEvpAeadCtxSerde[] = { {"EVP_aead_aes_128_gcm", EVP_aead_aes_128_gcm(), kEvpAeadCtxKey, 16, 16, diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c index f67cb233fe..5cce0004a9 100644 
--- a/crypto/cipher_extra/cipher_extra.c +++ b/crypto/cipher_extra/cipher_extra.c @@ -63,8 +63,8 @@ #include #include -#include "internal.h" #include "../internal.h" +#include "internal.h" static const struct { @@ -105,17 +105,13 @@ static const struct { }; static const struct { - const char* alias; - const char* name; + const char *alias; + const char *name; } kCipherAliases[] = { - {"3des", "des-ede3-cbc"}, - {"DES", "des-cbc"}, - {"aes256", "aes-256-cbc"}, - {"aes128", "aes-128-cbc"}, - {"id-aes128-gcm", "aes-128-gcm"}, - {"id-aes192-gcm", "aes-192-gcm"}, - {"id-aes256-gcm", "aes-256-gcm"} -}; + {"3des", "des-ede3-cbc"}, {"DES", "des-cbc"}, + {"aes256", "aes-256-cbc"}, {"aes128", "aes-128-cbc"}, + {"id-aes128-gcm", "aes-128-gcm"}, {"id-aes192-gcm", "aes-192-gcm"}, + {"id-aes256-gcm", "aes-256-gcm"}}; const EVP_CIPHER *EVP_get_cipherbynid(int nid) { for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCiphers); i++) { @@ -126,7 +122,7 @@ const EVP_CIPHER *EVP_get_cipherbynid(int nid) { return NULL; } -static const EVP_CIPHER *get_cipherbyname(const char* name) { +static const EVP_CIPHER *get_cipherbyname(const char *name) { for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCiphers); i++) { if (OPENSSL_strcasecmp(kCiphers[i].name, name) == 0) { return kCiphers[i].func(); @@ -141,7 +137,7 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name) { return NULL; } - const EVP_CIPHER * ec = get_cipherbyname(name); + const EVP_CIPHER *ec = get_cipherbyname(name); if (ec != NULL) { return ec; } 
@@ -149,10 +145,10 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name) { // These are not names used by OpenSSL, but tcpdump registers it with // |EVP_add_cipher_alias|. Our |EVP_add_cipher_alias| is a no-op, so we // support the name here. - for(size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCipherAliases); i++) { + for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCipherAliases); i++) { if (OPENSSL_strcasecmp(name, kCipherAliases[i].alias) == 0) { name = kCipherAliases[i].name; - const EVP_CIPHER * cipher = get_cipherbyname(name); + const EVP_CIPHER *cipher = get_cipherbyname(name); assert(cipher != NULL); return cipher; } diff --git a/crypto/cipher_extra/cipher_test.cc b/crypto/cipher_extra/cipher_test.cc index 5290a69f23..f4653571f7 100644 --- a/crypto/cipher_extra/cipher_test.cc +++ b/crypto/cipher_extra/cipher_test.cc @@ -225,9 +225,9 @@ static void TestCipherAPI(const EVP_CIPHER *cipher, Operation op, bool padding, } // CCM needs tag length (M) set via EVP_CTRL_AEAD_SET_TAG during encryption. if ((is_aead && !encrypt) || is_ccm) { - ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_TAG, - tag.size(), encrypt ? nullptr - : const_cast(tag.data()))); + ASSERT_TRUE(EVP_CIPHER_CTX_ctrl( + ctx.get(), EVP_CTRL_AEAD_SET_TAG, tag.size(), + encrypt ? nullptr : const_cast(tag.data()))); } ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), /*cipher=*/nullptr, /*engine=*/nullptr, @@ -239,10 +239,10 @@ static void TestCipherAPI(const EVP_CIPHER *cipher, Operation op, bool padding, if (use_evp_cipher) { len = EVP_Cipher(ctx.get(), nullptr, nullptr, in.size()); } else { - ASSERT_TRUE(EVP_CipherUpdate(ctx.get(), nullptr, &len, nullptr, - in.size())); + ASSERT_TRUE( + EVP_CipherUpdate(ctx.get(), nullptr, &len, nullptr, in.size())); } - ASSERT_EQ(len, (int) in.size()); + ASSERT_EQ(len, (int)in.size()); } // Note: the deprecated |EVP_CIPHER|-based AEAD API is sensitive to whether 
@@ -308,9 +308,9 @@ static void TestCipherAPI(const EVP_CIPHER *cipher, Operation op, bool padding, } } else { int expected_ret = is_invalid_ccm ? 0 : 1; - ASSERT_EQ(expected_ret, EVP_CipherUpdate(ctx.get(), result.data() + total, - &len, in.data(), - static_cast(todo))); + ASSERT_EQ(expected_ret, + EVP_CipherUpdate(ctx.get(), result.data() + total, &len, + in.data(), static_cast(todo))); } ASSERT_GE(len, 0); total += static_cast(len); @@ -323,14 +323,14 @@ static void TestCipherAPI(const EVP_CIPHER *cipher, Operation op, bool padding, // Passing all nulls should act like |EVP_CipherFinal_ex|. ASSERT_TRUE(is_custom_cipher); int expected_ret = is_ccm ? 0 : -1; - EXPECT_EQ(expected_ret, EVP_Cipher(ctx.get(), result.data() + total, - nullptr, 0)); + EXPECT_EQ(expected_ret, + EVP_Cipher(ctx.get(), result.data() + total, nullptr, 0)); } else { // Invalid padding and invalid tags all appear as a failed // |EVP_CipherFinal_ex|. In CCM, this happens in |EVP_CipherUpdate|. int expected_ret = is_ccm ? 1 : 0; - EXPECT_EQ(expected_ret, EVP_CipherFinal_ex(ctx.get(), - result.data() + total, &len)); + EXPECT_EQ(expected_ret, + EVP_CipherFinal_ex(ctx.get(), result.data() + total, &len)); } } else { if (use_evp_cipher) { @@ -359,10 +359,12 @@ static void TestCipherAPI(const EVP_CIPHER *cipher, Operation op, bool padding, } } -static void TestLowLevelAPI( - const EVP_CIPHER *cipher, Operation op, bool in_place, size_t chunk_size, - bssl::Span key, bssl::Span iv, - bssl::Span plaintext, bssl::Span ciphertext) { +static void TestLowLevelAPI(const EVP_CIPHER *cipher, Operation op, + bool in_place, size_t chunk_size, + bssl::Span key, + bssl::Span iv, + bssl::Span plaintext, + bssl::Span ciphertext) { bool encrypt = op == Operation::kEncrypt; bssl::Span in = encrypt ? plaintext : ciphertext; bssl::Span expected = encrypt ? ciphertext : plaintext; 
@@ -595,23 +597,24 @@ struct AeadCipherParams { }; static const struct AeadCipherParams AeadCiphers[] = { - {"ChaCha20Poly1305", EVP_chacha20_poly1305, "chacha20_poly1305_tests.txt"}, - {"AES_128_CCM_BLUETOOTH", EVP_aes_128_ccm, "aes_128_ccm_bluetooth_tests.txt"}, - {"AES_128_CCM_BLUETOOTH_8", EVP_aes_128_ccm, - "aes_128_ccm_bluetooth_8_tests.txt"}, - {"AES_128_CCM_Matter", EVP_aes_128_ccm, "aes_128_ccm_matter_tests.txt"}, + {"ChaCha20Poly1305", EVP_chacha20_poly1305, "chacha20_poly1305_tests.txt"}, + {"AES_128_CCM_BLUETOOTH", EVP_aes_128_ccm, + "aes_128_ccm_bluetooth_tests.txt"}, + {"AES_128_CCM_BLUETOOTH_8", EVP_aes_128_ccm, + "aes_128_ccm_bluetooth_8_tests.txt"}, + {"AES_128_CCM_Matter", EVP_aes_128_ccm, "aes_128_ccm_matter_tests.txt"}, }; class AeadCipherTest : public testing::TestWithParam { -public: - const EVP_CIPHER *getTestCipher() { - return GetParam().func(); - } + public: + const EVP_CIPHER *getTestCipher() { return GetParam().func(); } }; -INSTANTIATE_TEST_SUITE_P(All, AeadCipherTest, testing::ValuesIn(AeadCiphers), - [](const testing::TestParamInfo ¶ms) - -> std::string { return params.param.name; }); +INSTANTIATE_TEST_SUITE_P( + All, AeadCipherTest, testing::ValuesIn(AeadCiphers), + [](const testing::TestParamInfo ¶ms) -> std::string { + return params.param.name; + }); TEST_P(AeadCipherTest, TestVector) { std::string test_vectors = "crypto/cipher_extra/test/"; 
@@ -640,14 +643,15 @@ TEST_P(AeadCipherTest, TestVector) { // Given a size_t, return true if it's valid. These hardcoded validators are // necessary because the Wychefproof test vectors are not consistent about // setting the right validity flags. -typedef bool(*validate_f)(size_t); +typedef bool (*validate_f)(size_t); -static void WycheproofFileTest(FileTest *t, std::vector key, - std::vector iv, std::vector msg, std::vector ct, - std::vector aad, std::vector tag, WycheproofResult result, - const EVP_CIPHER *cipher, validate_f iv_validate, validate_f tag_validate) { +static void WycheproofFileTest( + FileTest *t, std::vector key, std::vector iv, + std::vector msg, std::vector ct, std::vector aad, + std::vector tag, WycheproofResult result, const EVP_CIPHER *cipher, + validate_f iv_validate, validate_f tag_validate) { std::unique_ptr uctx( - EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free); + EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free); EVP_CIPHER_CTX *ctx = uctx.get(); ASSERT_TRUE(ctx); @@ -674,8 +678,7 @@ static void WycheproofFileTest(FileTest *t, std::vector key, // Set the tag size for CCM if (is_ccm) { - res = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag.size(), - nullptr); + res = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag.size(), nullptr); if (!valid_tag && !result.IsValid()) { ASSERT_FALSE(res); t->SkipCurrent(); 
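Review bot: `std::unique_ptr uctx(EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free);` in WycheproofFileTest spells out an owning pointer with an explicit deleter, while the same file already holds the same type as `bssl::UniquePtr ctx(EVP_CIPHER_CTX_new());` in the Empty_EVP_CIPHER_CTX test further down. Using `bssl::UniquePtr<EVP_CIPHER_CTX> uctx(EVP_CIPHER_CTX_new());` here (and for `udctx` in the decrypt half of the function) drops the duplicated deleter spelling and keeps ownership style uniform across the test file. WycheproofFileTest's body continues past this hunk.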
@@ -692,14 +695,15 @@ static void WycheproofFileTest(FileTest *t, std::vector key, int out_len = 0; if (is_ccm) { ASSERT_TRUE(EVP_CipherUpdate(ctx, nullptr, &out_len, nullptr, msg.size())); - ASSERT_EQ(out_len, (int) msg.size()); + ASSERT_EQ(out_len, (int)msg.size()); } // Insert AAD uint8_t junk_buf[1]; uint8_t *in = aad.empty() ? junk_buf : aad.data(); - ASSERT_TRUE(EVP_EncryptUpdate(ctx, /*out*/ nullptr, &out_len, in, aad.size())); - ASSERT_EQ(out_len, (int) aad.size()); + ASSERT_TRUE( + EVP_EncryptUpdate(ctx, /*out*/ nullptr, &out_len, in, aad.size())); + ASSERT_EQ(out_len, (int)aad.size()); // Insert plaintext std::vector computed_ct(ct.size()); 
@@ -708,32 +712,32 @@ static void WycheproofFileTest(FileTest *t, std::vector key, uint8_t *out = computed_ct.empty() ? junk_buf : computed_ct.data(); out_len = 0; ASSERT_TRUE(EVP_EncryptUpdate(ctx, out, &out_len, in, msg.size())); - ASSERT_EQ(out_len, (int) msg.size()); + ASSERT_EQ(out_len, (int)msg.size()); // Finish the cipher out_len = 0; - out = computed_ct.empty() ? - junk_buf : computed_ct.data() + computed_ct.size(); + out = + computed_ct.empty() ? junk_buf : computed_ct.data() + computed_ct.size(); ASSERT_TRUE(EVP_EncryptFinal(ctx, out, &out_len)); ASSERT_EQ(out_len, 0); // Get the tag std::vector computed_tag(tag.size()); ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag.size(), - computed_tag.data())); + computed_tag.data())); // Initialize the decrypt context std::unique_ptr udctx( - EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free); + EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free); EVP_CIPHER_CTX *dctx = udctx.get(); ASSERT_TRUE(dctx); ASSERT_TRUE(EVP_DecryptInit_ex(dctx, cipher, nullptr, nullptr, nullptr)); // Set the CTRL parameters - ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(dctx, EVP_CTRL_AEAD_SET_IVLEN, iv.size(), - nullptr)); - ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(dctx, EVP_CTRL_AEAD_SET_TAG, tag.size(), - tag.data())); + ASSERT_TRUE( + EVP_CIPHER_CTX_ctrl(dctx, EVP_CTRL_AEAD_SET_IVLEN, iv.size(), nullptr)); + ASSERT_TRUE( + EVP_CIPHER_CTX_ctrl(dctx, EVP_CTRL_AEAD_SET_TAG, tag.size(), tag.data())); // Initialize with the key/iv ASSERT_TRUE(EVP_DecryptInit_ex(dctx, NULL, NULL, key.data(), iv.data())); 
@@ -741,14 +745,14 @@ static void WycheproofFileTest(FileTest *t, std::vector key, // Set the message length for CCM if (is_ccm) { ASSERT_TRUE(EVP_CipherUpdate(dctx, nullptr, &out_len, nullptr, msg.size())); - ASSERT_EQ(out_len, (int) msg.size()); + ASSERT_EQ(out_len, (int)msg.size()); } // Insert AAD out_len = 0; in = aad.empty() ? junk_buf : aad.data(); ASSERT_TRUE(EVP_DecryptUpdate(dctx, NULL, &out_len, in, aad.size())); - ASSERT_EQ(out_len, (int) aad.size()); + ASSERT_EQ(out_len, (int)aad.size()); // Insert ciphertext std::vector computed_pt(msg.size()); @@ -759,13 +763,13 @@ static void WycheproofFileTest(FileTest *t, std::vector key, res = EVP_DecryptUpdate(dctx, computed_pt.data(), &out_len, in, ct.size()); ASSERT_EQ(expected_res, res); if (!is_invalid_ccm) { - ASSERT_EQ((int) msg.size(), out_len); + ASSERT_EQ((int)msg.size(), out_len); } // Finish decryption out_len = 0; - out = computed_pt.empty() ? - junk_buf : computed_pt.data() + computed_pt.size(); + out = + computed_pt.empty() ? junk_buf : computed_pt.data() + computed_pt.size(); expected_res = is_invalid_ccm ? 1 : result.IsValid() ? 1 : 0; res = EVP_DecryptFinal(dctx, out, &out_len); @@ -784,9 +788,7 @@ static void WycheproofFileTest(FileTest *t, std::vector key, } } -static bool ChaCha20Poly1305IvValidate(size_t iv_size) { - return iv_size == 12; -} +static bool ChaCha20Poly1305IvValidate(size_t iv_size) { return iv_size == 12; } static bool ChaCha20Poly1305TagValidate(size_t tag_size) { return tag_size <= 16; @@ -794,7 +796,7 @@ static bool ChaCha20Poly1305TagValidate(size_t tag_size) { TEST(CipherTest, WycheproofChaCha20Poly1305) { std::string test_vectors = - "third_party/wycheproof_testvectors/chacha20_poly1305_test.txt"; + "third_party/wycheproof_testvectors/chacha20_poly1305_test.txt"; FileTestGTest(test_vectors.c_str(), [&](FileTest *t) { t->IgnoreInstruction("type"); t->IgnoreInstruction("tagSize"); 
@@ -836,7 +838,7 @@ static bool AesCcmTagValidate(size_t tag_size) { TEST(CipherTest, WycheproofAesCcm) { std::string test_vectors = - "third_party/wycheproof_testvectors/aes_ccm_test.txt"; + "third_party/wycheproof_testvectors/aes_ccm_test.txt"; FileTestGTest(test_vectors.c_str(), [&](FileTest *t) { t->IgnoreInstruction("type"); t->IgnoreInstruction("tagSize"); @@ -1436,9 +1438,9 @@ TEST(CipherTest, GCMIncrementingIV) { } #define CHECK_ERROR(function, err) \ - ERR_clear_error(); \ - EXPECT_FALSE(function); \ - EXPECT_EQ(err, ERR_GET_REASON(ERR_peek_last_error())); + ERR_clear_error(); \ + EXPECT_FALSE(function); \ + EXPECT_EQ(err, ERR_GET_REASON(ERR_peek_last_error())); TEST(CipherTest, Empty_EVP_CIPHER_CTX_V1187459157) { int in_len = 10; 
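Review bot: The reindented `CHECK_ERROR` macro still expands to three bare statements, so a call in an unbraced `if`/`else` or loop body would only guard the first `ERR_clear_error();` and silently run the assertions unconditionally. The usual `do { … } while (0)` wrapper makes the macro behave as one statement and keeps the trailing semicolon at call sites well-formed; the callers in Empty_EVP_CIPHER_CTX_V1187459157 need no change.
```cpp
#define CHECK_ERROR(function, err)                         \
  do {                                                     \
    ERR_clear_error();                                     \
    EXPECT_FALSE(function);                                \
    EXPECT_EQ(err, ERR_GET_REASON(ERR_peek_last_error())); \
  } while (0)
```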
@@ -1446,11 +1448,19 @@ TEST(CipherTest, Empty_EVP_CIPHER_CTX_V1187459157) { int out_len = in_len + 256; std::vector out_vec(out_len); - CHECK_ERROR(EVP_EncryptUpdate(nullptr, out_vec.data(), &out_len, in_vec.data(), in_len), ERR_R_PASSED_NULL_PARAMETER); + CHECK_ERROR(EVP_EncryptUpdate(nullptr, out_vec.data(), &out_len, + in_vec.data(), in_len), + ERR_R_PASSED_NULL_PARAMETER); bssl::UniquePtr ctx(EVP_CIPHER_CTX_new()); - CHECK_ERROR(EVP_EncryptUpdate(ctx.get(), out_vec.data(), &out_len, in_vec.data(), in_len), ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - CHECK_ERROR(EVP_EncryptFinal(ctx.get(), out_vec.data(), &out_len), ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - CHECK_ERROR(EVP_DecryptUpdate(ctx.get(), out_vec.data(), &out_len, in_vec.data(), in_len), ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - CHECK_ERROR(EVP_DecryptFinal(ctx.get(), out_vec.data(), &out_len), ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + CHECK_ERROR(EVP_EncryptUpdate(ctx.get(), out_vec.data(), &out_len, + in_vec.data(), in_len), + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + CHECK_ERROR(EVP_EncryptFinal(ctx.get(), out_vec.data(), &out_len), + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + CHECK_ERROR(EVP_DecryptUpdate(ctx.get(), out_vec.data(), &out_len, + in_vec.data(), in_len), + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + CHECK_ERROR(EVP_DecryptFinal(ctx.get(), out_vec.data(), &out_len), + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); } diff --git a/crypto/cipher_extra/derive_key.c b/crypto/cipher_extra/derive_key.c index 750a99e06c..f54443a220 100644 --- a/crypto/cipher_extra/derive_key.c +++ b/crypto/cipher_extra/derive_key.c @@ -59,8 +59,8 @@ #include #include -#include #include +#include int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, diff --git a/crypto/cipher_extra/e_aes_cbc_hmac_sha1.c b/crypto/cipher_extra/e_aes_cbc_hmac_sha1.c index 71323427e3..6758f4c302 100644 --- a/crypto/cipher_extra/e_aes_cbc_hmac_sha1.c +++ b/crypto/cipher_extra/e_aes_cbc_hmac_sha1.c 
@@ -31,7 +31,8 @@ typedef struct { // Used to compute(init, update and final) HMAC-SHA1. // head stores the initialised inner hash state. // tail stores the outer hash state. - // These storage are for using in subsequent invocations with the same MAC key. + // These storage are for using in subsequent invocations with the same MAC + // key. SHA_CTX head, tail, md; // In encrypt case, it's eiv_len + plaintext_len. eiv is explicit iv(required // TLS 1.1+). In decrypt case, it's |EVP_AEAD_TLS1_AAD_LEN(13)|. @@ -55,12 +56,12 @@ typedef struct { } EVP_AES_HMAC_SHA1; void aesni_cbc_sha1_enc(const void *inp, void *out, size_t blocks, - const AES_KEY *key, uint8_t iv[AES_BLOCK_SIZE], SHA_CTX *ctx, - const void *in0); + const AES_KEY *key, uint8_t iv[AES_BLOCK_SIZE], + SHA_CTX *ctx, const void *in0); static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, - const uint8_t *inkey, - const uint8_t *iv, int enc) { + const uint8_t *inkey, const uint8_t *iv, + int enc) { EVP_AES_HMAC_SHA1 *key = (EVP_AES_HMAC_SHA1 *)(ctx->cipher_data); int ret; 
@@ -83,25 +84,33 @@ static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, return 1; } -// aesni_cbc_hmac_sha1_cipher implements TLS-specific CBC-mode+HMAC-SHA1 cipher suite based encryption and decryption. +// aesni_cbc_hmac_sha1_cipher implements TLS-specific CBC-mode+HMAC-SHA1 cipher +// suite based encryption and decryption. // // For encryption in TLS version 1.0 // |in|: payload/fragment // |len|: (|payload| + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE -// |out|: Must point to allocated memory of at least (|payload| + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE bytes -// If the function returns successfully |out| will contain AES-CBC(aes_key, IV, payload || hmac-sha1(mac_key, aad || payload) || padding || padding_length) +// |out|: Must point to allocated memory of at least (|payload| + +// SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE bytes If the function +// returns successfully |out| will contain AES-CBC(aes_key, IV, payload || +// hmac-sha1(mac_key, aad || payload) || padding || padding_length) // For encryption in TLS version 1.1 and 1.2 // |in|: payload/fragment -// |len|: (|IV| + |payload| + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE -// |out|: Must point to allocated memory of at least (|IV| + |payload| + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE bytes -// If the function returns successfully |out| will contain AES-CBC(aes_key, mask, IV || payload || hmac-sha1(mac_key, aad || payload) || padding || padding_length) -// |len|: should be (eiv_len + plaintext_len + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE). 
-// The mask and IV are according to method 2.b from https://datatracker.ietf.org/doc/html/rfc2246#section-6.2.3.2 +// |len|: (|IV| + |payload| + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) & +// -AES_BLOCK_SIZE |out|: Must point to allocated memory of at least (|IV| + +// |payload| + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE bytes If +// the function returns successfully |out| will contain AES-CBC(aes_key, mask, +// IV || payload || hmac-sha1(mac_key, aad || payload) || padding || +// padding_length) |len|: should be (eiv_len + plaintext_len + SHA_DIGEST_LENGTH +// + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE). The mask and IV are according to +// method 2.b from https://datatracker.ietf.org/doc/html/rfc2246#section-6.2.3.2 // -// WARNING: Do not set explicit |IV| = |mask|. It will result in aes(aes_key, 0) being used at the effective IV for all records. +// WARNING: Do not set explicit |IV| = |mask|. It will result in aes(aes_key, 0) +// being used at the effective IV for all records. // -// In decryption, this function performs decrytion, removing padding, and verifying mac value. +// In decryption, this function performs decrytion, removing padding, and +// verifying mac value. static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, size_t len) { EVP_AES_HMAC_SHA1 *key = (EVP_AES_HMAC_SHA1 *)(ctx->cipher_data); @@ -132,7 +141,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, } if (len != ((plen + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)) { - // The input should have space for plen(eiv + plaintext) + SHA_DIGEST_LENGTH + padding. + // The input should have space for plen(eiv + plaintext) + + // SHA_DIGEST_LENGTH + padding. OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE); return 0; } else if (key->aux.tls_ver >= TLS1_1_VERSION) { 
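Review bot: The clang-format reflow has merged the separate contract items of the aesni_cbc_hmac_sha1_cipher header comment into one run-on paragraph, e.g. `// -AES_BLOCK_SIZE |out|: Must point to allocated memory of at least (|IV| +` followed by `... bytes If the function returns successfully ...`, so the `|len|:`, `|out|:` and "If the function returns" items are no longer distinguishable. The same damage appears in the aesni_cbc_hmac_sha256_cipher comment and in the `additional_data` layout comments of both ctrl functions, where `seq_num: 8 octets long. content_type: 1 octets long.` now sit on one line. Re-wrapping by hand with one item per line (clang-format will leave lines that already fit) restores the documentation; while doing so, "decrytion" and "at the effective IV" could become "decryption" and "as the effective IV".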
@@ -143,8 +153,9 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, size_t sha_off = SHA_CBLOCK - key->md.num; size_t blocks; - // Use stitch code |aesni_cbc_sha1_enc| when there are multiple of SHA_CBLOCK - // so |aesni_cbc_sha1_enc| can use AES and SHA on the same data block. + // Use stitch code |aesni_cbc_sha1_enc| when there are multiple of + // SHA_CBLOCK so |aesni_cbc_sha1_enc| can use AES and SHA on the same data + // block. // // Assembly stitch handles AVX-capable processors, but its // performance is not optimal on AMD Jaguar, ~40% worse, for @@ -155,16 +166,15 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, // either even XOP-capable Bulldozer-based or GenuineIntel one. // But SHAEXT-capable go ahead... if ((CRYPTO_is_SHAEXT_capable() || - (CRYPTO_is_AVX_capable() && - (CRYPTO_is_AMD_XOP_support() | CRYPTO_is_intel_cpu()))) && + (CRYPTO_is_AVX_capable() && + (CRYPTO_is_AMD_XOP_support() | CRYPTO_is_intel_cpu()))) && plen > (sha_off + iv_len) && (blocks = (plen - (sha_off + iv_len)) / SHA_CBLOCK)) { // Before calling |aesni_cbc_sha1_enc|, |key->md| should not // include not hashed data(partial data). SHA1_Update(&key->md, in + iv_len, sha_off); - aesni_cbc_sha1_enc(in, out, blocks, &key->ks, - ctx->iv, &key->md, + aesni_cbc_sha1_enc(in, out, blocks, &key->ks, ctx->iv, &key->md, in + iv_len + sha_off); // Update the offset to record and skip the part processed // (encrypted and hashed) by |aesni_cbc_sha1_enc|. 
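Review bot: The reindented dispatch condition combines two predicates with a bitwise operator, `(CRYPTO_is_AMD_XOP_support() | CRYPTO_is_intel_cpu())`, inside an otherwise logical expression. Presumably both helpers return 0 or 1 so the result is the same, but `||` states the intent, short-circuits, and avoids a surprise if either ever returns a non-0/1 value; the corresponding line in the SHA-256 variant is outside the visible hunks and likely needs the same treatment. The enclosing function continues outside this hunk.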
@@ -322,11 +332,11 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, } case EVP_CTRL_AEAD_TLS1_AAD: { // p is - // additional_data = |seq_num + content_type + protocol_version + payload_eiv_len|. - // seq_num: 8 octets long. - // content_type: 1 octets long. + // additional_data = |seq_num + content_type + protocol_version + + // payload_eiv_len|. seq_num: 8 octets long. content_type: 1 octets long. // protocol_version: 2 octets long. - // payload_eiv_len: 2 octets long. eiv is explicit iv required by TLS 1.1+. + // payload_eiv_len: 2 octets long. eiv is explicit iv required by + // TLS 1.1+. uint8_t *p = ptr; if (arg != EVP_AEAD_TLS1_AAD_LEN) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); diff --git a/crypto/cipher_extra/e_aes_cbc_hmac_sha256.c b/crypto/cipher_extra/e_aes_cbc_hmac_sha256.c index ca5c9cfad3..41c5c2605f 100644 --- a/crypto/cipher_extra/e_aes_cbc_hmac_sha256.c +++ b/crypto/cipher_extra/e_aes_cbc_hmac_sha256.c @@ -31,7 +31,8 @@ typedef struct { // Used to compute(init, update and final) HMAC-SHA256. // head stores the initialised inner hash state. // tail stores the outer hash state. - // These storage are for using in subsequent invocations with the same MAC key. + // These storage are for using in subsequent invocations with the same MAC + // key. SHA256_CTX head, tail, md; // In encrypt case, it's eiv_len + plaintext_len. eiv is explicit iv(required // TLS 1.1+). In decrypt case, it's |EVP_AEAD_TLS1_AAD_LEN(13)|. @@ -55,8 +56,8 @@ typedef struct { } EVP_AES_HMAC_SHA256; void aesni_cbc_sha256_enc(const void *inp, void *out, size_t blocks, - const AES_KEY *key, uint8_t iv[AES_BLOCK_SIZE], - SHA256_CTX *ctx, const void *in0); + const AES_KEY *key, uint8_t iv[AES_BLOCK_SIZE], + SHA256_CTX *ctx, const void *in0); static int aesni_cbc_hmac_sha256_init_key(EVP_CIPHER_CTX *ctx, 
@@ -81,25 +82,34 @@ static int aesni_cbc_hmac_sha256_init_key(EVP_CIPHER_CTX *ctx, return ret < 0 ? 0 : 1; } -// aesni_cbc_hmac_sha256_cipher implements TLS-specific CBC-mode+HMAC-SHA256 cipher suite based encryption and decryption. +// aesni_cbc_hmac_sha256_cipher implements TLS-specific CBC-mode+HMAC-SHA256 +// cipher suite based encryption and decryption. // // For encryption in TLS version 1.0 // |in|: payload/fragment // |len|: (|payload| + SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE -// |out|: Must point to allocated memory of at least (|payload| + SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE bytes -// If the function returns successfully |out| will contain AES-CBC(aes_key, IV, payload || hmac-sha256(mac_key, aad || payload) || padding || padding_length) +// |out|: Must point to allocated memory of at least (|payload| + +// SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE bytes If the +// function returns successfully |out| will contain AES-CBC(aes_key, IV, payload +// || hmac-sha256(mac_key, aad || payload) || padding || padding_length) // For encryption in TLS version 1.1 and 1.2 // |in|: payload/fragment -// |len|: (|IV| + |payload| + SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE -// |out|: Must point to allocated memory of at least (|IV| + |payload| + SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE bytes -// If the function returns successfully |out| will contain AES-CBC(aes_key, mask, IV || payload || hmac-sha256(mac_key, aad || payload) || padding || padding_length) -// |len|: should be (eiv_len + plaintext_len + SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE). 
-// The mask and IV are according to method 2.b from https://datatracker.ietf.org/doc/html/rfc2246#section-6.2.3.2 +// |len|: (|IV| + |payload| + SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE) & +// -AES_BLOCK_SIZE |out|: Must point to allocated memory of at least (|IV| + +// |payload| + SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE bytes If +// the function returns successfully |out| will contain AES-CBC(aes_key, mask, +// IV || payload || hmac-sha256(mac_key, aad || payload) || padding || +// padding_length) |len|: should be (eiv_len + plaintext_len + +// SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE). The mask and IV +// are according to method 2.b from +// https://datatracker.ietf.org/doc/html/rfc2246#section-6.2.3.2 // -// WARNING: Do not set explicit |IV| = |mask|. It will result in aes(aes_key, 0) being used at the effective IV for all records. +// WARNING: Do not set explicit |IV| = |mask|. It will result in aes(aes_key, 0) +// being used at the effective IV for all records. // -// In decryption, this function performs decrytion, removing padding, and verifying mac value. +// In decryption, this function performs decrytion, removing padding, and +// verifying mac value. static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, size_t len) { EVP_AES_HMAC_SHA256 *key = (EVP_AES_HMAC_SHA256 *)(ctx->cipher_data); 
@@ -134,15 +144,17 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, } if (len != ((plen + SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)) { - // The input should have space for plen(eiv + plaintext) + SHA256_DIGEST_LENGTH + padding. + // The input should have space for plen(eiv + plaintext) + + // SHA256_DIGEST_LENGTH + padding. OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE); return 0; } else if (key->aux.tls_ver >= TLS1_1_VERSION) { iv_len = AES_BLOCK_SIZE; } - // Use stitch code |aesni_cbc_sha256_enc| when there are multiple of SHA_CBLOCK - // so |aesni_cbc_sha1_enc| can use AES and SHA on the same data block. + // Use stitch code |aesni_cbc_sha256_enc| when there are multiple of + // SHA_CBLOCK so |aesni_cbc_sha1_enc| can use AES and SHA on the same data + // block. // // Assembly stitch handles AVX-capable processors, but its // performance is not optimal on AMD Jaguar, ~40% worse, for @@ -161,9 +173,8 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, // include not hashed data(partial data). SHA256_Update(&key->md, in + iv_len, sha_off); - aesni_cbc_sha256_enc(in, out, blocks, &key->ks, - ctx->iv, &key->md, - in + iv_len + sha_off); + aesni_cbc_sha256_enc(in, out, blocks, &key->ks, ctx->iv, &key->md, + in + iv_len + sha_off); blocks *= SHA256_CBLOCK; aes_off += blocks; sha_off += blocks; 
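Review bot: The reflowed comment in aesni_cbc_hmac_sha256_cipher still names the SHA-1 primitives, `SHA_CBLOCK so |aesni_cbc_sha1_enc| can use AES and SHA on the same data`, while the code it describes calls `aesni_cbc_sha256_enc` and advances by `SHA256_CBLOCK`. Since the commit already touches these lines, the text should read `// Use stitch code |aesni_cbc_sha256_enc| when there are multiples of SHA256_CBLOCK so |aesni_cbc_sha256_enc| can use AES and SHA-256 on the same data block.`. The function body continues outside the hunk.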
@@ -322,11 +333,11 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, return 0; } // p is - // additional_data = |seq_num + content_type + protocol_version + payload_eiv_len|. - // seq_num: 8 octets long. - // content_type: 1 octets long. + // additional_data = |seq_num + content_type + protocol_version + + // payload_eiv_len|. seq_num: 8 octets long. content_type: 1 octets long. // protocol_version: 2 octets long. - // payload_eiv_len: 2 octets long. eiv is explicit iv required by TLS 1.1+. + // payload_eiv_len: 2 octets long. eiv is explicit iv required by + // TLS 1.1+. uint8_t *p = ptr; uint16_t len = p[arg - 2] << 8 | p[arg - 1]; diff --git a/crypto/cipher_extra/e_aesgcmsiv.c b/crypto/cipher_extra/e_aesgcmsiv.c index 1be9b15a02..97c99b72db 100644 --- a/crypto/cipher_extra/e_aesgcmsiv.c +++ b/crypto/cipher_extra/e_aesgcmsiv.c @@ -55,7 +55,7 @@ static struct aead_aes_gcm_siv_asm_ctx *asm_ctx_from_ctx( // ctx->state must already be 8-byte aligned. Thus, at most, we may need to // add eight to align it to 16 bytes. const uintptr_t actual_offset = ((uintptr_t)&ctx->state) & 8; - if(ctx->state_offset != actual_offset) { + if (ctx->state_offset != actual_offset) { return NULL; } return (struct aead_aes_gcm_siv_asm_ctx *)(&ctx->state.opaque[actual_offset]); @@ -91,7 +91,7 @@ static int aead_aes_gcm_siv_asm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, ctx->state_offset = ((uintptr_t)&ctx->state) & 8; struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx); - if(gcm_siv_ctx == NULL) { + if (gcm_siv_ctx == NULL) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INITIALIZATION_ERROR); return 0; } 
@@ -341,7 +341,7 @@ static int aead_aes_gcm_siv_asm_seal_scatter( size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, size_t extra_in_len, const uint8_t *ad, size_t ad_len) { const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx); - if(gcm_siv_ctx == NULL) { + if (gcm_siv_ctx == NULL) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_ALIGNMENT_CHANGED); return 0; } @@ -428,7 +428,7 @@ static int aead_aes_gcm_siv_asm_open_gather( } const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx); - if(gcm_siv_ctx == NULL) { + if (gcm_siv_ctx == NULL) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_ALIGNMENT_CHANGED); return 0; } @@ -657,8 +657,8 @@ static void gcm_siv_polyval( } uint8_t length_block[16]; - CRYPTO_store_u64_le(length_block, ((uint64_t) ad_len) * 8); - CRYPTO_store_u64_le(length_block + 8, ((uint64_t) in_len) * 8); + CRYPTO_store_u64_le(length_block, ((uint64_t)ad_len) * 8); + CRYPTO_store_u64_le(length_block + 8, ((uint64_t)in_len) * 8); CRYPTO_POLYVAL_update_blocks(&polyval_ctx, length_block, sizeof(length_block)); @@ -867,8 +867,6 @@ const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void) { return &aead_aes_128_gcm_siv; } const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void) { return &aead_aes_256_gcm_siv; } -int x86_64_assembly_implementation_FOR_TESTING(void) { - return 0; -} +int x86_64_assembly_implementation_FOR_TESTING(void) { return 0; } #endif // AES_GCM_SIV_ASM diff --git a/crypto/cipher_extra/e_chacha20poly1305.c b/crypto/cipher_extra/e_chacha20poly1305.c index 94c47a0b7e..7983d011ad 100644 --- a/crypto/cipher_extra/e_chacha20poly1305.c +++ b/crypto/cipher_extra/e_chacha20poly1305.c 
@@ -35,7 +35,7 @@ #define CHACHA_CTR_IV_LEN 16 // ChaCha-Poly specific context within an EVP_CIPHER_CTX -#define CCP_CTX(ctx) ((CIPHER_CHACHA_POLY_CTX *) ctx->cipher_data) +#define CCP_CTX(ctx) ((CIPHER_CHACHA_POLY_CTX *)ctx->cipher_data) // Return the CIPHER_CHACHA_KEY from a CIPHER_CHACHA_POLY_CTX #define CC_KEY(ccp) (&(ccp)->key) // Return the poly1305_state from a CIPHER_CHACHA_POLY_CTX @@ -63,7 +63,9 @@ typedef struct cipher_chacha_poly_ctx { uint8_t tag_len; uint8_t tag[POLY1305_TAG_LEN]; // Use 64-bit integers so this struct can be passed directly into poly1305 - struct { uint64_t aad, text; } len; + struct { + uint64_t aad, text; + } len; int32_t poly_initialized; int32_t pad_aad; poly1305_state poly_ctx; @@ -78,8 +80,7 @@ OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >= static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len) { - AEAD_CHACHA_POLY_CTX *c20_ctx = - (AEAD_CHACHA_POLY_CTX *)&ctx->state; + AEAD_CHACHA_POLY_CTX *c20_ctx = (AEAD_CHACHA_POLY_CTX *)&ctx->state; if (tag_len == 0) { tag_len = POLY1305_TAG_LEN; @@ -221,8 +222,7 @@ static int aead_chacha20_poly1305_seal_scatter( size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, size_t extra_in_len, const uint8_t *ad, size_t ad_len) { - const AEAD_CHACHA_POLY_CTX *c20_ctx = - (AEAD_CHACHA_POLY_CTX *)&ctx->state; + const AEAD_CHACHA_POLY_CTX *c20_ctx = (AEAD_CHACHA_POLY_CTX *)&ctx->state; return chacha20_poly1305_seal_scatter( c20_ctx->key, out, out_tag, out_tag_len, max_out_tag_len, nonce, 
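Review bot: The reformatted `CCP_CTX` macro leaves its argument unparenthesized, `((CIPHER_CHACHA_POLY_CTX *)ctx->cipher_data)`, whereas the neighbouring `CC_KEY(ccp)` wraps `(ccp)`. Every visible call site passes a plain identifier, so it works today, but any expression argument would bind `->` to the wrong operand; `#define CCP_CTX(ctx) ((CIPHER_CHACHA_POLY_CTX *)(ctx)->cipher_data)` keeps the two macros consistent.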
@@ -234,8 +234,7 @@ static int aead_xchacha20_poly1305_seal_scatter( size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, size_t extra_in_len, const uint8_t *ad, size_t ad_len) { - const AEAD_CHACHA_POLY_CTX *c20_ctx = - (AEAD_CHACHA_POLY_CTX *)&ctx->state; + const AEAD_CHACHA_POLY_CTX *c20_ctx = (AEAD_CHACHA_POLY_CTX *)&ctx->state; if (nonce_len != 24) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); @@ -305,8 +304,7 @@ static int aead_chacha20_poly1305_open_gather( const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag, size_t in_tag_len, const uint8_t *ad, size_t ad_len) { - const AEAD_CHACHA_POLY_CTX *c20_ctx = - (AEAD_CHACHA_POLY_CTX *)&ctx->state; + const AEAD_CHACHA_POLY_CTX *c20_ctx = (AEAD_CHACHA_POLY_CTX *)&ctx->state; return chacha20_poly1305_open_gather(c20_ctx->key, out, nonce, nonce_len, in, in_len, in_tag, in_tag_len, ad, ad_len, @@ -317,8 +315,7 @@ static int aead_xchacha20_poly1305_open_gather( const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag, size_t in_tag_len, const uint8_t *ad, size_t ad_len) { - const AEAD_CHACHA_POLY_CTX *c20_ctx = - (AEAD_CHACHA_POLY_CTX *)&ctx->state; + const AEAD_CHACHA_POLY_CTX *c20_ctx = (AEAD_CHACHA_POLY_CTX *)&ctx->state; if (nonce_len != 24) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); 
@@ -384,10 +381,9 @@ const EVP_AEAD *EVP_aead_xchacha20_poly1305(void) { return &aead_xchacha20_poly1305; } -static int cipher_chacha20_poly1305_init_key(CIPHER_CHACHA_POLY_CTX *ctx, - const uint8_t user_key[CHACHA_KEY_LEN], - const uint8_t counter_nonce[CHACHA_CTR_IV_LEN]) -{ +static int cipher_chacha20_poly1305_init_key( + CIPHER_CHACHA_POLY_CTX *ctx, const uint8_t user_key[CHACHA_KEY_LEN], + const uint8_t counter_nonce[CHACHA_CTR_IV_LEN]) { CIPHER_CHACHA_KEY *key = CC_KEY(ctx); uint32_t i; if (user_key) { @@ -405,8 +401,8 @@ static int cipher_chacha20_poly1305_init_key(CIPHER_CHACHA_POLY_CTX *ctx, } static int cipher_chacha20_poly1305_init(EVP_CIPHER_CTX *ctx, - const uint8_t *key, - const uint8_t *iv, int32_t enc) { + const uint8_t *key, const uint8_t *iv, + int32_t enc) { CIPHER_CHACHA_POLY_CTX *cipher_ctx = CCP_CTX(ctx); cipher_ctx->len.aad = 0; cipher_ctx->len.text = 0; @@ -421,7 +417,7 @@ static int cipher_chacha20_poly1305_init(EVP_CIPHER_CTX *ctx, // Start the counter at 0 and copy over the nonce(iv) uint8_t counter_nonce[CHACHA_CTR_IV_LEN] = {0}; OPENSSL_memcpy(counter_nonce + CHACHA_CTR_IV_LEN - CHACHA_IV_LEN, iv, - CHACHA_IV_LEN); + CHACHA_IV_LEN); cipher_chacha20_poly1305_init_key(cipher_ctx, key, counter_nonce); // Nonce occupies the last 3 indices of the array cipher_ctx->iv[0] = cipher_ctx->key.counter_nonce[1]; @@ -434,9 +430,8 @@ static int cipher_chacha20_poly1305_init(EVP_CIPHER_CTX *ctx, } static int cipher_chacha20_do_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, - const uint8_t *in, size_t in_len) -{ - CIPHER_CHACHA_POLY_CTX *cipher_ctx = CCP_CTX(ctx); + const uint8_t *in, size_t in_len) { + CIPHER_CHACHA_POLY_CTX *cipher_ctx = CCP_CTX(ctx); CIPHER_CHACHA_KEY *key = CC_KEY(cipher_ctx); uint32_t n, rem, counter; 
@@ -471,17 +466,16 @@ static int cipher_chacha20_do_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, // |CRYPTO_chacha_20| expects the input as a little-endian byte array. uint8_t chacha_key[CHACHA_KEY_LEN]; uint8_t nonce[CHACHA_IV_LEN]; - for(size_t i = 0; i < CHACHA_KEY_LEN / 4; i++) { + for (size_t i = 0; i < CHACHA_KEY_LEN / 4; i++) { CRYPTO_store_u32_le(chacha_key + (i * sizeof(uint32_t)), cipher_ctx->key.key[i]); } - for(size_t i = 0; i < CHACHA_IV_LEN / 4; i++) { - CRYPTO_store_u32_le(nonce + (i * sizeof(uint32_t)), - cipher_ctx->iv[i]); + for (size_t i = 0; i < CHACHA_IV_LEN / 4; i++) { + CRYPTO_store_u32_le(nonce + (i * sizeof(uint32_t)), cipher_ctx->iv[i]); } #else - const uint8_t *chacha_key = (const uint8_t *) cipher_ctx->key.key; - const uint8_t *nonce = (const uint8_t *) cipher_ctx->iv; + const uint8_t *chacha_key = (const uint8_t *)cipher_ctx->key.key; + const uint8_t *nonce = (const uint8_t *)cipher_ctx->iv; #endif // Truncate down to the last complete block prior to the bulk cipher @@ -493,7 +487,7 @@ static int cipher_chacha20_do_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, // 1<<28 is just a not-so-small yet not-so-large number... Below // condition is practically never met, but it has to be checked for code // correctness. - if (sizeof(size_t) > sizeof(uint32_t) && blocks > (1U<<28)) { + if (sizeof(size_t) > sizeof(uint32_t) && blocks > (1U << 28)) { blocks = (1U << 28); } 
@@ -501,14 +495,13 @@ static int cipher_chacha20_do_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, // overflow. 'if' below detects the overflow, which is then handled by // limiting the amount of blocks to the exact overflow point. This while // loop then continues the cipher by wrapping around with counter=0. - counter += (uint32_t) blocks; + counter += (uint32_t)blocks; if (counter < blocks) { blocks -= counter; counter = 0; } blocks *= CHACHA_BLOCK_LEN; - CRYPTO_chacha_20(out, in, blocks, chacha_key, nonce, - key->counter_nonce[0]); + CRYPTO_chacha_20(out, in, blocks, chacha_key, nonce, key->counter_nonce[0]); in_len -= blocks; in += blocks; out += blocks; @@ -531,9 +524,10 @@ static int cipher_chacha20_do_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, return 1; } -static int cipher_chacha20_poly1305_do_cipher( - EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, - size_t in_len) { +static int cipher_chacha20_poly1305_do_cipher(EVP_CIPHER_CTX *ctx, + unsigned char *out, + const unsigned char *in, + size_t in_len) { CIPHER_CHACHA_POLY_CTX *cipher_ctx = CCP_CTX(ctx); poly1305_state *poly_ctx = POLY_CTX(cipher_ctx); size_t remainder; 
@@ -543,17 +537,16 @@ static int cipher_chacha20_poly1305_do_cipher( // |CRYPTO_chacha_20| expects the input as a little-endian byte array. uint8_t chacha_key[CHACHA_KEY_LEN]; uint8_t nonce[CHACHA_IV_LEN]; - for(int i = 0; i < CHACHA_KEY_LEN / 4; i++) { + for (int i = 0; i < CHACHA_KEY_LEN / 4; i++) { CRYPTO_store_u32_le(chacha_key + (i * sizeof(uint32_t)), cipher_ctx->key.key[i]); } - for(size_t i = 0; i < CHACHA_IV_LEN / 4; i++) { - CRYPTO_store_u32_le(nonce + (i * sizeof(uint32_t)), - cipher_ctx->iv[i]); + for (size_t i = 0; i < CHACHA_IV_LEN / 4; i++) { + CRYPTO_store_u32_le(nonce + (i * sizeof(uint32_t)), cipher_ctx->iv[i]); } #else - const uint8_t *chacha_key = (const uint8_t *) cipher_ctx->key.key; - const uint8_t *nonce = (const uint8_t *) cipher_ctx->iv; + const uint8_t *chacha_key = (const uint8_t *)cipher_ctx->key.key; + const uint8_t *nonce = (const uint8_t *)cipher_ctx->iv; #endif // Obtain the poly1305 key by computing the 0th chacha20 key alignas(16) uint8_t poly1305_key[CHACHA_KEY_LEN]; @@ -577,14 +570,15 @@ static int cipher_chacha20_poly1305_do_cipher( CRYPTO_poly1305_update(poly_ctx, in, in_len); cipher_ctx->len.aad += in_len; cipher_ctx->pad_aad = 1; - return (int32_t) in_len; + return (int32_t)in_len; } else { // Finish AAD by applying padding if (cipher_ctx->pad_aad) { remainder = cipher_ctx->len.aad % POLY1305_TAG_LEN; if (remainder != 0) { static const uint8_t padding[POLY1305_TAG_LEN] = {0}; - CRYPTO_poly1305_update(poly_ctx, padding, sizeof(padding) - remainder); + CRYPTO_poly1305_update(poly_ctx, padding, + sizeof(padding) - remainder); } cipher_ctx->pad_aad = 0; } 
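Review bot: The key-serialisation loop in cipher_chacha20_poly1305_do_cipher is indexed with `for (int i = 0; i < CHACHA_KEY_LEN / 4; i++)` while the nonce loop directly below and both loops in cipher_chacha20_do_cipher use `size_t i`, which also matches the `i * sizeof(uint32_t)` arithmetic; `for (size_t i = 0; i < CHACHA_KEY_LEN / 4; i++) {` would make the four loops uniform. Separately, `return (int32_t)in_len;` narrows a `size_t` in a function declared to return `int`; this is presumably bounded by the EVP layer's `int` lengths, but a short comment stating that assumption would help the next reader. The function body continues outside this hunk.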
@@ -633,13 +627,13 @@ static int cipher_chacha20_poly1305_do_cipher(
 CRYPTO_store_u64_le(length_bytes + sizeof(uint64_t), cipher_ctx->len.text);
 #else
 // For a little-endian platform, the struct's layout in memory works as-is.
- const uint8_t *length_bytes = (const uint8_t *) &cipher_ctx->len;
+ const uint8_t *length_bytes = (const uint8_t *)&cipher_ctx->len;
 #endif
 CRYPTO_poly1305_update(poly_ctx, length_bytes, 2 * sizeof(uint64_t));
 // Compute the tag and write it to scratch or the cipher context
- CRYPTO_poly1305_finish(poly_ctx, EVP_CIPHER_CTX_encrypting(ctx) ?
- cipher_ctx->tag : temp);
+ CRYPTO_poly1305_finish(
+ poly_ctx, EVP_CIPHER_CTX_encrypting(ctx) ? cipher_ctx->tag : temp);
 cipher_ctx->poly_initialized = 0;
 // Check the tags if we're decrypting
@@ -649,7 +643,7 @@ static int cipher_chacha20_poly1305_do_cipher(
 }
 }
 }
- return (int32_t) in_len;
+ return (int32_t)in_len;
 }
 static void cipher_chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx) {
@@ -659,7 +653,7 @@ static void cipher_chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx) {
 }
 static int32_t cipher_chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int32_t type,
- int32_t arg, void *ptr) {
+ int32_t arg, void *ptr) {
 CIPHER_CHACHA_POLY_CTX *cipher_ctx = CCP_CTX(ctx);
 switch (type) {
 case EVP_CTRL_INIT:
@@ -683,9 +677,9 @@ static int32_t cipher_chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int32_t type,
 // The poly1305 context needs to be aligned on a 64-byte boundary.
 // The destination context doesn't necessarily have the same
 // alignment so we have to fix that here.
- EVP_CIPHER_CTX *dst = (EVP_CIPHER_CTX *) ptr;
- void *source_base = align_pointer((void *) POLY_CTX(CCP_CTX(ctx)), 64);
- void *dest_base = align_pointer((void *) POLY_CTX(CCP_CTX(dst)), 64);
+ EVP_CIPHER_CTX *dst = (EVP_CIPHER_CTX *)ptr;
+ void *source_base = align_pointer((void *)POLY_CTX(CCP_CTX(ctx)), 64);
+ void *dest_base = align_pointer((void *)POLY_CTX(CCP_CTX(dst)), 64);
 // We have 63 bytes of padding for alignment, so the actual size of
 // the poly1305 context is the difference of that and the total buffer.
 size_t length = sizeof(poly1305_state) - 63;
@@ -699,14 +693,14 @@ static int32_t cipher_chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int32_t type,
 return 1;
 case EVP_CTRL_AEAD_GET_TAG:
 if (arg <= 0 || arg > POLY1305_TAG_LEN ||
- !EVP_CIPHER_CTX_encrypting(ctx)) {
+ !EVP_CIPHER_CTX_encrypting(ctx)) {
 return 0;
 }
 OPENSSL_memcpy(ptr, cipher_ctx->tag, arg);
 return 1;
 case EVP_CTRL_AEAD_SET_TAG:
 if (arg <= 0 || arg > POLY1305_TAG_LEN ||
- EVP_CIPHER_CTX_encrypting(ctx)) {
+ EVP_CIPHER_CTX_encrypting(ctx)) {
 return 0;
 }
 if (ptr != NULL) {
@@ -720,20 +714,18 @@ static int32_t cipher_chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int32_t type,
 }
 static EVP_CIPHER cipher_chacha20_poly1305 = {
- NID_chacha20_poly1305,
- 1, // stream cipher
- CHACHA_KEY_LEN,
- CHACHA_IV_LEN,
- sizeof(CIPHER_CHACHA_POLY_CTX),
- EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT |
- EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER,
- cipher_chacha20_poly1305_init,
- cipher_chacha20_poly1305_do_cipher,
- cipher_chacha20_poly1305_cleanup,
- cipher_chacha20_poly1305_ctrl
-};
-
-const EVP_CIPHER *EVP_chacha20_poly1305(void)
-{
- return(&cipher_chacha20_poly1305);
+ NID_chacha20_poly1305,
+ 1, // stream cipher
+ CHACHA_KEY_LEN,
+ CHACHA_IV_LEN,
+ sizeof(CIPHER_CHACHA_POLY_CTX),
+ EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT |
+ EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER,
+ cipher_chacha20_poly1305_init,
+ cipher_chacha20_poly1305_do_cipher,
+ cipher_chacha20_poly1305_cleanup,
+ cipher_chacha20_poly1305_ctrl};
+
+const EVP_CIPHER *EVP_chacha20_poly1305(void) {
+ return (&cipher_chacha20_poly1305);
 }
diff --git a/crypto/cipher_extra/e_des.c b/crypto/cipher_extra/e_des.c
index 62ac2a03a6..f494eb541a 100644
--- a/crypto/cipher_extra/e_des.c
+++ b/crypto/cipher_extra/e_des.c
@@ -191,7 +191,7 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 }
 in_len -= ctx->cipher->block_size;
- DES_EDE_KEY *dat = (DES_EDE_KEY *) ctx->cipher_data;
+ DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data;
 for (size_t i = 0; i <= in_len; i += ctx->cipher->block_size) {
 DES_ecb3_encrypt_ex(in + i, out + i, &dat->ks.ks[0], &dat->ks.ks[1], &dat->ks.ks[2], ctx->encrypt);
diff --git a/crypto/cipher_extra/e_null.c b/crypto/cipher_extra/e_null.c
index ad99df924c..c5d8d636cc 100644
--- a/crypto/cipher_extra/e_null.c
+++ b/crypto/cipher_extra/e_null.c
@@ -69,8 +69,8 @@ static int null_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
 return 1;
 }
-static int null_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
- const uint8_t *in, size_t in_len) {
+static int null_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+ size_t in_len) {
 if (in != out) {
 OPENSSL_memcpy(out, in, in_len);
 }
diff --git a/crypto/cipher_extra/e_rc2.c b/crypto/cipher_extra/e_rc2.c
index c2a143ebac..57eeeb706e 100644
--- a/crypto/cipher_extra/e_rc2.c
+++ b/crypto/cipher_extra/e_rc2.c
@@ -138,7 +138,9 @@
 } \
 } while (0)
-typedef struct rc2_key_st { uint16_t data[64]; } RC2_KEY;
+typedef struct rc2_key_st {
+ uint16_t data[64];
+} RC2_KEY;
 static void RC2_encrypt(uint32_t *d, RC2_KEY *key) {
 int i, n;
diff --git a/crypto/cipher_extra/internal.h b/crypto/cipher_extra/internal.h
index 55169af9ba..481f144a46 100644
--- a/crypto/cipher_extra/internal.h
+++ b/crypto/cipher_extra/internal.h
@@ -63,8 +63,8 @@
 #include
 #include
-#include "../internal.h"
 #include "../fipsmodule/cpucap/internal.h"
+#include "../internal.h"
 #if defined(__cplusplus)
 extern "C" {
@@ -225,19 +225,15 @@ extern void chacha20_poly1305_seal(uint8_t *out_ciphertext,
 OPENSSL_INLINE int chacha20_poly1305_asm_capable(void) { return 0; }
-OPENSSL_INLINE void chacha20_poly1305_open(uint8_t *out_plaintext,
- const uint8_t *ciphertext,
- size_t plaintext_len, const uint8_t *ad,
- size_t ad_len,
- union chacha20_poly1305_open_data *data) {
+OPENSSL_INLINE void chacha20_poly1305_open(
+ uint8_t *out_plaintext, const uint8_t *ciphertext, size_t plaintext_len,
+ const uint8_t *ad, size_t ad_len, union chacha20_poly1305_open_data *data) {
 abort();
 }
-OPENSSL_INLINE void chacha20_poly1305_seal(uint8_t *out_ciphertext,
- const uint8_t *plaintext,
- size_t plaintext_len, const uint8_t *ad,
- size_t ad_len,
- union chacha20_poly1305_seal_data *data) {
+OPENSSL_INLINE void chacha20_poly1305_seal(
+ uint8_t *out_ciphertext, const uint8_t *plaintext, size_t plaintext_len,
+ const uint8_t *ad, size_t ad_len, union chacha20_poly1305_seal_data *data) {
 abort();
 }
 #endif
diff --git a/crypto/cipher_extra/tls_cbc.c b/crypto/cipher_extra/tls_cbc.c
index d60f4b857f..4f023f5ce3 100644
--- a/crypto/cipher_extra/tls_cbc.c
+++ b/crypto/cipher_extra/tls_cbc.c
@@ -57,9 +57,9 @@
 #include
 #include
+#include "../fipsmodule/cipher/internal.h"
 #include "../internal.h"
 #include "internal.h"
-#include "../fipsmodule/cipher/internal.h"
 // The length of the additional data field in AES-CBC-HMAC based AEADs.
 #define AEAD_TLS_AES_CBC_HMAC_AD_LENGTH (13)
@@ -184,8 +184,7 @@ int EVP_final_with_secret_suffix_sha1(SHA_CTX *ctx,
 // redundant with TLS record size limits. This also ensures |input_idx| below
 // does not overflow.
 size_t max_len_bits = max_len << 3;
- if (ctx->Nh != 0 ||
- (max_len_bits >> 3) != max_len || // Overflow
+ if (ctx->Nh != 0 || (max_len_bits >> 3) != max_len || // Overflow
 ctx->Nl + max_len_bits < max_len_bits ||
 ctx->Nl + max_len_bits > UINT32_MAX) {
 return 0;
@@ -212,7 +211,7 @@ int EVP_final_with_secret_suffix_sha1(SHA_CTX *ctx,
 // We now construct and process each expected block in constant-time.
 uint8_t block[SHA_CBLOCK] = {0};
- uint32_t result[5] = {0}; // The size of SHA1 state = 160 bits = 5*32 bits.
+ uint32_t result[5] = {0}; // The size of SHA1 state = 160 bits = 5*32 bits.
 // input_idx is the index into |in| corresponding to the current block.
 // However, we allow this index to overflow beyond |max_len|, to simplify the
 // 0x80 byte.
@@ -334,8 +333,7 @@ int EVP_final_with_secret_suffix_sha256(SHA256_CTX *ctx,
 // redundant with TLS record size limits. This also ensures |input_idx| below
 // does not overflow.
 size_t max_len_bits = max_len << 3;
- if (ctx->Nh != 0 ||
- (max_len_bits >> 3) != max_len || // Overflow
+ if (ctx->Nh != 0 || (max_len_bits >> 3) != max_len || // Overflow
 ctx->Nl + max_len_bits < max_len_bits ||
 ctx->Nl + max_len_bits > UINT32_MAX) {
 return 0;
@@ -362,7 +360,7 @@ int EVP_final_with_secret_suffix_sha256(SHA256_CTX *ctx,
 // We now construct and process each expected block in constant-time.
 uint8_t block[SHA256_CBLOCK] = {0};
- uint32_t result[8] = {0}; // The size of SHA256 state = 256 bits = 8*32 bits.
+ uint32_t result[8] = {0}; // The size of SHA256 state = 256 bits = 8*32 bits.
 // input_idx is the index into |in| corresponding to the current block.
 // However, we allow this index to overflow beyond |max_len|, to simplify the
 // 0x80 byte.
@@ -448,7 +446,8 @@ static int EVP_tls_cbc_digest_record_sha256(
 // minimum length for |data_size|.
 size_t min_data_size = 0;
 if (data_plus_mac_plus_padding_size > SHA256_DIGEST_LENGTH + 256) {
- min_data_size = data_plus_mac_plus_padding_size - SHA256_DIGEST_LENGTH - 256;
+ min_data_size =
+ data_plus_mac_plus_padding_size - SHA256_DIGEST_LENGTH - 256;
 }
 // Hash the public minimum length directly. This reduces the number of blocks
@@ -487,8 +486,7 @@ int EVP_final_with_secret_suffix_sha384(SHA512_CTX *ctx,
 // redundant with TLS record size limits. This also ensures |input_idx| below
 // does not overflow.
 size_t max_len_bits = max_len << 3;
- if (ctx->Nh != 0 ||
- (max_len_bits >> 3) != max_len || // Overflow
+ if (ctx->Nh != 0 || (max_len_bits >> 3) != max_len || // Overflow
 ctx->Nl + max_len_bits < max_len_bits ||
 ctx->Nl + max_len_bits > UINT32_MAX) {
 return 0;
@@ -538,7 +536,7 @@ int EVP_final_with_secret_suffix_sha384(SHA512_CTX *ctx,
 block_start = ctx->num;
 }
 if (input_idx < max_len) {
- size_t to_copy = SHA384_CBLOCK- block_start;
+ size_t to_copy = SHA384_CBLOCK - block_start;
 if (to_copy > max_len - input_idx) {
 to_copy = max_len - input_idx;
 }
@@ -584,8 +582,8 @@ int EVP_final_with_secret_suffix_sha384(SHA512_CTX *ctx,
 }
 }
- // Write the output. For SHA384 the resulting hash is truncated to the left-most
- // 384-bits (6 64-bit words).
+ // Write the output. For SHA384 the resulting hash is truncated to the
+ // left-most 384-bits (6 64-bit words).
 for (size_t i = 0; i < 6; i++) {
 CRYPTO_store_u64_be(out + 8 * i, result[i]);
 }
@@ -655,14 +653,11 @@ int EVP_tls_cbc_record_digest_supported(const EVP_MD *md) {
 (EVP_MD_type(md) == NID_sha384);
 }
-int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
- size_t *md_out_size,
- const uint8_t header[AEAD_TLS_AES_CBC_HMAC_AD_LENGTH],
- const uint8_t *data, size_t data_size,
- size_t data_plus_mac_plus_padding_size,
- const uint8_t *mac_secret,
- unsigned mac_secret_length) {
-
+int EVP_tls_cbc_digest_record(
+ const EVP_MD *md, uint8_t *md_out, size_t *md_out_size,
+ const uint8_t header[AEAD_TLS_AES_CBC_HMAC_AD_LENGTH], const uint8_t *data,
+ size_t data_size, size_t data_plus_mac_plus_padding_size,
+ const uint8_t *mac_secret, unsigned mac_secret_length) {
 // The specific hash algorithm is public knowledge.
 if (EVP_MD_type(md) == NID_sha1) {
 return EVP_tls_cbc_digest_record_sha1(
diff --git a/crypto/compiler_test.cc b/crypto/compiler_test.cc
index a476bd2484..28a94d2746 100644
--- a/crypto/compiler_test.cc
+++ b/crypto/compiler_test.cc
@@ -222,13 +222,14 @@ TEST(CompilerTest, PointerRepresentation) {
 static bool verify_memory_alignment(void *aligned_ptr, size_t requested_alignment) {
- if ((((uintptr_t) aligned_ptr) % requested_alignment) == 0) {
+ if ((((uintptr_t)aligned_ptr) % requested_alignment) == 0) {
 return true;
- }
- else {
+ } else {
 std::cerr << "requested_alignment = " << requested_alignment << std::endl;
- std::cerr << "aligned_ptr = " << reinterpret_cast(aligned_ptr) << std::endl;
- std::cerr << "aligned_ptr % requested_alignment = " << ((uintptr_t) aligned_ptr) % requested_alignment << std::endl;
+ std::cerr << "aligned_ptr = " << reinterpret_cast(aligned_ptr)
+ << std::endl;
+ std::cerr << "aligned_ptr % requested_alignment = "
+ << ((uintptr_t)aligned_ptr) % requested_alignment << std::endl;
 }
 return false;
@@ -244,11 +245,16 @@ typedef union union_array_type {
 uint8_t buffer_uint8_t[16];
 } union_array_st;
-#define CHECK_STACK_ALIGNMENT(type, power_of_two, memory_size) \
- stack_align_type buffer_##type##_##power_of_two##_##memory_size[power_of_two + memory_size]; \
- type *aligned_##type##_##power_of_two##_##memory_size = (type *) align_pointer(buffer_##type##_##power_of_two##_##memory_size, power_of_two); \
- ASSERT_TRUE(aligned_##type##_##power_of_two##_##memory_size); \
- ASSERT_TRUE(verify_memory_alignment(aligned_##type##_##power_of_two##_##memory_size, power_of_two));
+#define CHECK_STACK_ALIGNMENT(type, power_of_two, memory_size) \
+ stack_align_type \
+ buffer_##type##_##power_of_two##_##memory_size[power_of_two + \
+ memory_size]; \
+ type *aligned_##type##_##power_of_two##_##memory_size = \
+ (type *)align_pointer(buffer_##type##_##power_of_two##_##memory_size, \
+ power_of_two); \
+ ASSERT_TRUE(aligned_##type##_##power_of_two##_##memory_size); \
+ ASSERT_TRUE(verify_memory_alignment( \
+ aligned_##type##_##power_of_two##_##memory_size, power_of_two));
 // Macro lists produced with the following Python script:
 // MACRO_NAME = 'CHECK_STACK_ALIGNMENT'
@@ -257,7 +263,8 @@ typedef union union_array_type {
 // for type_name in type_names:
 // for power_of_two in power_of_twos:
 // for memory_size in range(1, power_of_two):
-// print '{}({}, {}, {})'.format(MACRO_NAME, type_name, power_of_two, memory_size)
+// print '{}({}, {}, {})'.format(MACRO_NAME, type_name, power_of_two,
+// memory_size)
 // Windows doesn't like the big virtual functions produced. So, split this into
 // several test fixtures.
diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c
index 7e049bb303..1d57332ba3 100644
--- a/crypto/conf/conf.c
+++ b/crypto/conf/conf.c
@@ -56,8 +56,8 @@
 #include
-#include
 #include
+#include
 #include
 #include
@@ -65,9 +65,9 @@
 #include
 #include
+#include "../internal.h"
 #include "conf_def.h"
 #include "internal.h"
-#include "../internal.h"
 static const char kDefaultSectionName[] = "default";
@@ -258,7 +258,7 @@ static CONF_VALUE *get_section(const CONF *conf, const char *section) {
 CONF_VALUE template;
 OPENSSL_memset(&template, 0, sizeof(template));
- template.section = (char *) section;
+ template.section = (char *)section;
 return lh_CONF_VALUE_retrieve(conf->data, &template);
 }
@@ -268,7 +268,7 @@ const STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf,
 if (section_value == NULL) {
 return NULL;
 }
- return (STACK_OF(CONF_VALUE)*) section_value->value;
+ return (STACK_OF(CONF_VALUE) *)section_value->value;
 }
 const char *NCONF_get_string(const CONF *conf, const char *section,
@@ -280,8 +280,8 @@ const char *NCONF_get_string(const CONF *conf, const char *section,
 }
 OPENSSL_memset(&template, 0, sizeof(template));
- template.section = (char *) section;
- template.name = (char *) name;
+ template.section = (char *)section;
+ template.name = (char *)name;
 value = lh_CONF_VALUE_retrieve(conf->data, &template);
 if (value == NULL) {
 return NULL;
@@ -291,7 +291,7 @@ const char *NCONF_get_string(const CONF *conf, const char *section,
 static int add_string(const CONF *conf, CONF_VALUE *section, CONF_VALUE *value) {
- STACK_OF(CONF_VALUE) *section_stack = (STACK_OF(CONF_VALUE)*) section->value;
+ STACK_OF(CONF_VALUE) *section_stack = (STACK_OF(CONF_VALUE) *)section->value;
 CONF_VALUE *old_value;
 value->section = OPENSSL_strdup(section->section);
diff --git a/crypto/conf/conf_def.h b/crypto/conf/conf_def.h
index d2c285aef9..72e9c42f7e 100644
--- a/crypto/conf/conf_def.h
+++ b/crypto/conf/conf_def.h
@@ -4,21 +4,21 @@
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to. The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +33,10 @@
 * Eric Young (eay@cryptsoft.com)"
 * The word 'cryptographic' can be left out if the rouines from the library
 * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
 * the apps directory (application code) you must include an acknowledgement:
 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +48,7 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed. i.e. this code cannot simply be
 * copied and put under another distribution licence
@@ -59,64 +59,61 @@
 //
 // TODO(davidben): Replace it with something more readable.
-#define CONF_NUMBER 1
-#define CONF_UPPER 2
-#define CONF_LOWER 4
-#define CONF_UNDER 256
-#define CONF_PUNCTUATION 512
-#define CONF_WS 16
-#define CONF_ESC 32
-#define CONF_QUOTE 64
-#define CONF_COMMENT 128
-#define CONF_EOF 8
-#define CONF_HIGHBIT 4096
-#define CONF_ALPHA (CONF_UPPER|CONF_LOWER)
-#define CONF_ALPHA_NUMERIC (CONF_ALPHA|CONF_NUMBER|CONF_UNDER)
-#define CONF_ALPHA_NUMERIC_PUNCT (CONF_ALPHA|CONF_NUMBER|CONF_UNDER| \
- CONF_PUNCTUATION)
+#define CONF_NUMBER 1
+#define CONF_UPPER 2
+#define CONF_LOWER 4
+#define CONF_UNDER 256
+#define CONF_PUNCTUATION 512
+#define CONF_WS 16
+#define CONF_ESC 32
+#define CONF_QUOTE 64
+#define CONF_COMMENT 128
+#define CONF_EOF 8
+#define CONF_HIGHBIT 4096
+#define CONF_ALPHA (CONF_UPPER | CONF_LOWER)
+#define CONF_ALPHA_NUMERIC (CONF_ALPHA | CONF_NUMBER | CONF_UNDER)
+#define CONF_ALPHA_NUMERIC_PUNCT \
+ (CONF_ALPHA | CONF_NUMBER | CONF_UNDER | CONF_PUNCTUATION)
-#define KEYTYPES(c) CONF_type_default
-#define IS_COMMENT(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_COMMENT)
-#define IS_EOF(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_EOF)
-#define IS_ESC(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_ESC)
-#define IS_NUMBER(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_NUMBER)
-#define IS_WS(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_WS)
-#define IS_ALPHA_NUMERIC(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_ALPHA_NUMERIC)
-#define IS_ALPHA_NUMERIC_PUNCT(c,a) \
- (KEYTYPES(c)[(a)&0xff]&CONF_ALPHA_NUMERIC_PUNCT)
-#define IS_QUOTE(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_QUOTE)
+#define KEYTYPES(c) CONF_type_default
+#define IS_COMMENT(c, a) (KEYTYPES(c)[(a)&0xff] & CONF_COMMENT)
+#define IS_EOF(c, a) (KEYTYPES(c)[(a)&0xff] & CONF_EOF)
+#define IS_ESC(c, a) (KEYTYPES(c)[(a)&0xff] & CONF_ESC)
+#define IS_NUMBER(c, a) (KEYTYPES(c)[(a)&0xff] & CONF_NUMBER)
+#define IS_WS(c, a) (KEYTYPES(c)[(a)&0xff] & CONF_WS)
+#define IS_ALPHA_NUMERIC(c, a) (KEYTYPES(c)[(a)&0xff] & CONF_ALPHA_NUMERIC)
+#define 
IS_ALPHA_NUMERIC_PUNCT(c, a) \ + (KEYTYPES(c)[(a)&0xff] & CONF_ALPHA_NUMERIC_PUNCT) +#define IS_QUOTE(c, a) (KEYTYPES(c)[(a)&0xff] & CONF_QUOTE) -static const unsigned short CONF_type_default[256]={ - 0x0008,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000, - 0x0000,0x0010,0x0010,0x0000,0x0000,0x0010,0x0000,0x0000, - 0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000, - 0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000, - 0x0010,0x0200,0x0040,0x0080,0x0000,0x0200,0x0200,0x0040, - 0x0000,0x0000,0x0200,0x0200,0x0200,0x0200,0x0200,0x0200, - 0x0001,0x0001,0x0001,0x0001,0x0001,0x0001,0x0001,0x0001, - 0x0001,0x0001,0x0000,0x0200,0x0000,0x0000,0x0000,0x0200, - 0x0200,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002, - 0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002, - 0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002, - 0x0002,0x0002,0x0002,0x0000,0x0020,0x0000,0x0200,0x0100, - 0x0040,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004, - 0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004, - 0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004, - 0x0004,0x0004,0x0004,0x0000,0x0200,0x0000,0x0200,0x0000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 
0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - }; +static const unsigned short CONF_type_default[256] = { + 0x0008, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0010, 0x0010, 0x0000, 0x0000, 0x0010, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0010, 0x0200, 0x0040, 0x0080, + 0x0000, 0x0200, 0x0200, 0x0040, 0x0000, 0x0000, 0x0200, 0x0200, 0x0200, + 0x0200, 0x0200, 0x0200, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, + 0x0001, 0x0001, 0x0001, 0x0001, 0x0000, 0x0200, 0x0000, 0x0000, 0x0000, + 0x0200, 0x0200, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, + 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, + 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, + 0x0002, 0x0000, 0x0020, 0x0000, 0x0200, 0x0100, 0x0040, 0x0004, 0x0004, + 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, + 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, + 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0000, 0x0200, 0x0000, + 0x0200, 0x0000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, + 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, + 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, + 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, + 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, + 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, + 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, + 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, + 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, + 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, + 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 
0x1000, 0x1000, 0x1000, 0x1000,
+ 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000,
+ 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000,
+ 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000,
+ 0x1000, 0x1000, 0x1000, 0x1000,
+};
diff --git a/crypto/conf/conf_test.cc b/crypto/conf/conf_test.cc
index 92e52db5f9..aa325d931a 100644
--- a/crypto/conf/conf_test.cc
+++ b/crypto/conf/conf_test.cc
@@ -13,9 +13,9 @@
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 #include
+#include
 #include
 #include
-#include
 #include
 #include
@@ -385,7 +385,7 @@ TEST(ConfTest, ParseList) {
 /*remove_whitespace=*/1, {"ab cd", "", "ef gh"}},
 };
- for (const auto& t : kTests) {
+ for (const auto &t : kTests) {
 SCOPED_TRACE(t.list);
 SCOPED_TRACE(t.sep);
 SCOPED_TRACE(t.remove_whitespace);
diff --git a/crypto/crypto.c b/crypto/crypto.c
index 8d008c8811..aa606eb984 100644
--- a/crypto/crypto.c
+++ b/crypto/crypto.c
@@ -22,11 +22,11 @@
 OPENSSL_STATIC_ASSERT(sizeof(ossl_ssize_t) == sizeof(size_t),
- ossl_ssize_t_should_be_the_same_size_as_size_t)
+ ossl_ssize_t_should_be_the_same_size_as_size_t)
 #if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_STATIC_ARMCAP) && \
- (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
- defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) || \
+ (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
+ defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) || \
 defined(OPENSSL_PPC64LE))
 // x86, x86_64, the ARMs and ppc64le need to record the result of a
 // cpuid/getauxval call for the asm to work correctly, unless compiled without
@@ -61,19 +61,19 @@ static CRYPTO_once_t once = CRYPTO_ONCE_INIT;
 #elif defined(_MSC_VER)
 #pragma section(".CRT$XCU", read)
 static void __cdecl do_library_init(void);
-__declspec(allocate(".CRT$XCU")) void(*library_init_constructor)(void) =
+__declspec(allocate(".CRT$XCU")) void (*library_init_constructor)(void) =
 do_library_init;
 #else
-static void do_library_init(void) __attribute__ ((constructor));
+static void do_library_init(void) __attribute__((constructor));
 #endif
 // do_library_init is the actual initialization function. If
 // BORINGSSL_NO_STATIC_INITIALIZER isn't defined, this is set as a static
 // initializer. Otherwise, it is called by CRYPTO_library_init.
 static void OPENSSL_CDECL do_library_init(void) {
- // WARNING: this function may only configure the capability variables. See the
- // note above about the linker bug.
- // In the FIPS build the module itself has to call |OPENSSL_cpuid_setup|.
+ // WARNING: this function may only configure the capability variables. See the
+ // note above about the linker bug.
+ // In the FIPS build the module itself has to call |OPENSSL_cpuid_setup|.
 #if defined(NEED_CPUID) && !defined(BORINGSSL_FIPS)
 OPENSSL_cpuid_setup();
 #endif
diff --git a/crypto/crypto_test.cc b/crypto/crypto_test.cc
index db3a79a2f7..3402106ef8 100644
--- a/crypto/crypto_test.cc
+++ b/crypto/crypto_test.cc
@@ -17,10 +17,10 @@
 #include
-#include
 #include
-#include
+#include
 #include
+#include
 #include
 #include
@@ -212,7 +212,7 @@ TEST(CryptoTest, FIPSdownstreamPrecompilationFlag) {
 ASSERT_TRUE(0);
 #endif
 }
-#endif // defined(BORINGSSL_FIPS)
+#endif // defined(BORINGSSL_FIPS)
 #if defined(BORINGSSL_FIPS_140_3)
 TEST(Crypto, QueryAlgorithmStatus) {
@@ -228,12 +228,10 @@ TEST(Crypto, QueryAlgorithmStatus) {
 EXPECT_FALSE(FIPS_query_algorithm_status("FakeEncrypt"));
 EXPECT_FALSE(FIPS_query_algorithm_status(""));
 }
-#endif //BORINGSSL_FIPS_140_3
+#endif // BORINGSSL_FIPS_140_3
 #if defined(BORINGSSL_FIPS) && !defined(OPENSSL_ASAN)
-TEST(Crypto, OnDemandIntegrityTest) {
- BORINGSSL_integrity_test();
-}
+TEST(Crypto, OnDemandIntegrityTest) { BORINGSSL_integrity_test(); }
 #endif
 OPENSSL_DEPRECATED static void DeprecatedFunction() {}
diff --git a/crypto/curve25519_extra/curve25519_extra.c b/crypto/curve25519_extra/curve25519_extra.c
index 4ec619e5e9..7f9ad4b4f2 100644
--- a/crypto/curve25519_extra/curve25519_extra.c
+++ b/crypto/curve25519_extra/curve25519_extra.c
@@ -1,8 +1,8 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
-#include "../fipsmodule/service_indicator/internal.h"
 #include "../fipsmodule/curve25519/internal.h"
+#include "../fipsmodule/service_indicator/internal.h"
 #include "internal.h"
 int ED25519ctx_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
@@ -92,8 +92,8 @@ int ED25519ph_sign_digest(uint8_t out_sig[ED25519_SIGNATURE_LEN],
 int ED25519ph_sign_digest_no_self_test(
 uint8_t out_sig[ED25519_SIGNATURE_LEN],
 const uint8_t digest[SHA512_DIGEST_LENGTH],
- const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
- const uint8_t *context, size_t context_len) {
+ const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], const uint8_t *context,
+ size_t context_len) {
 return ed25519_sign_internal(ED25519PH_ALG, out_sig, digest, SHA512_DIGEST_LENGTH, private_key, context, context_len);
@@ -134,10 +134,10 @@ int ED25519ph_verify_digest(const uint8_t digest[SHA512_DIGEST_LENGTH],
 const uint8_t *context, size_t context_len) {
 FIPS_service_indicator_lock_state();
 boringssl_ensure_hasheddsa_self_test();
- int res = ED25519ph_verify_digest_no_self_test(
- digest, signature, public_key, context, context_len);
+ int res = ED25519ph_verify_digest_no_self_test(digest, signature, public_key,
+ context, context_len);
 FIPS_service_indicator_unlock_state();
- if(res) {
+ if (res) {
 FIPS_service_indicator_update_state();
 }
 return res;
@@ -148,7 +148,6 @@ int ED25519ph_verify_digest_no_self_test(
 const uint8_t signature[ED25519_SIGNATURE_LEN],
 const uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
 const uint8_t *context, size_t context_len) {
- return ed25519_verify_internal(ED25519PH_ALG, digest,
- SHA512_DIGEST_LENGTH, signature, public_key,
- context, context_len);
+ return ed25519_verify_internal(ED25519PH_ALG, digest, SHA512_DIGEST_LENGTH,
+ signature, public_key, context, context_len);
 }
diff --git a/crypto/curve25519_extra/internal.h b/crypto/curve25519_extra/internal.h
index 1f08bef58e..bcf577aaf0 100644
--- a/crypto/curve25519_extra/internal.h
+++ b/crypto/curve25519_extra/internal.h
@@ -12,40 +12,38 @@ extern "C" { #include int ED25519ctx_sign_no_self_test( - uint8_t out_sig[ED25519_SIGNATURE_LEN], - const uint8_t *message, size_t message_len, - const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message, + size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], const uint8_t *context, size_t context_len); int ED25519ctx_verify_no_self_test( const uint8_t *message, size_t message_len, const uint8_t signature[ED25519_SIGNATURE_LEN], - const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], - const uint8_t *context, size_t context_len); + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], const uint8_t *context, + size_t context_len); int ED25519ph_sign_no_self_test( - uint8_t out_sig[ED25519_SIGNATURE_LEN], - const uint8_t *message, size_t message_len, - const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message, + size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], const uint8_t *context, size_t context_len); int ED25519ph_sign_digest_no_self_test( uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t digest[SHA512_DIGEST_LENGTH], - const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], - const uint8_t *context, size_t context_len); + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], const uint8_t *context, + size_t context_len); int ED25519ph_verify_no_self_test( const uint8_t *message, size_t message_len, const uint8_t signature[ED25519_SIGNATURE_LEN], - const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], - const uint8_t *context, size_t context_len); + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], const uint8_t *context, + size_t context_len); int ED25519ph_verify_digest_no_self_test( const uint8_t digest[SHA512_DIGEST_LENGTH], const uint8_t signature[ED25519_SIGNATURE_LEN], - const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], - const uint8_t *context, size_t context_len); + const uint8_t 
public_key[ED25519_PUBLIC_KEY_LEN], const uint8_t *context, + size_t context_len); #if defined(__cplusplus) } diff --git a/crypto/decrepit/bio/base64_bio.c b/crypto/decrepit/bio/base64_bio.c index eff72032db..138073c7c0 100644 --- a/crypto/decrepit/bio/base64_bio.c +++ b/crypto/decrepit/bio/base64_bio.c @@ -73,7 +73,7 @@ #define B64_NONE 0 #define B64_ENCODE 1 #define B64_DECODE 2 -#define EVP_ENCODE_LENGTH(l) (((l+2)/3*4)+(l/48+1)*2+80) +#define EVP_ENCODE_LENGTH(l) (((l + 2) / 3 * 4) + (l / 48 + 1) * 2 + 80) typedef struct b64_struct { int buf_len; @@ -123,7 +123,7 @@ static int b64_read(BIO *b, char *out, int outl) { if (out == NULL) { return 0; } - ctx = (BIO_B64_CTX *) b->ptr; + ctx = (BIO_B64_CTX *)b->ptr; if (ctx == NULL || b->next_bio == NULL) { return 0; @@ -283,8 +283,8 @@ static int b64_read(BIO *b, char *out, int outl) { } i = z; } else { - i = EVP_DecodeUpdate(&(ctx->base64), (uint8_t *)ctx->buf, - &ctx->buf_len, (uint8_t *)ctx->tmp, i); + i = EVP_DecodeUpdate(&(ctx->base64), (uint8_t *)ctx->buf, &ctx->buf_len, + (uint8_t *)ctx->tmp, i); ctx->tmp_len = 0; } ctx->buf_off = 0; @@ -396,8 +396,8 @@ static int b64_write(BIO *b, const char *in, int inl) { ret += n; } } else { - if(!EVP_EncodeUpdate(&(ctx->base64), (uint8_t *)ctx->buf, &ctx->buf_len, - (uint8_t *)in, n)) { + if (!EVP_EncodeUpdate(&(ctx->base64), (uint8_t *)ctx->buf, &ctx->buf_len, + (uint8_t *)in, n)) { return ((ret == 0) ? -1 : ret); } assert(ctx->buf_len <= (int)sizeof(ctx->buf)); @@ -454,7 +454,8 @@ static long b64_ctrl(BIO *b, int cmd, long num, void *ptr) { case BIO_CTRL_WPENDING: // More to write in buffer assert(ctx->buf_len >= ctx->buf_off); ret = ctx->buf_len - ctx->buf_off; - if ((ret == 0) && (ctx->encode != B64_NONE) && (ctx->base64.data_used != 0)) { + if ((ret == 0) && (ctx->encode != B64_NONE) && + (ctx->base64.data_used != 0)) { ret = 1; } else if (ret <= 0) { ret = BIO_ctrl(b->next_bio, cmd, num, ptr); 
diff --git a/crypto/decrepit/blowfish/blowfish.c b/crypto/decrepit/blowfish/blowfish.c index 124764e6a1..8bd0bd7b51 100644 --- a/crypto/decrepit/blowfish/blowfish.c +++ b/crypto/decrepit/blowfish/blowfish.c @@ -61,8 +61,8 @@ #include #include -#include "../../internal.h" #include "../../fipsmodule/cipher/internal.h" +#include "../../internal.h" #include "../macros.h" @@ -138,8 +138,8 @@ void BF_decrypt(uint32_t *data, const BF_KEY *key) { data[0] = r & 0xffffffffL; } -void BF_ecb_encrypt(const uint8_t *in, uint8_t *out, - const BF_KEY *key, int encrypt) { +void BF_ecb_encrypt(const uint8_t *in, uint8_t *out, const BF_KEY *key, + int encrypt) { uint32_t d[2]; n2l(in, d[0]); 
@@ -235,211 +235,211 @@ static const BF_KEY bf_init = { 0xbe5466cfL, 0x34e90c6cL, 0xc0ac29b7L, 0xc97c50ddL, 0x3f84d5b5L, 0xb5470917L, 0x9216d5d9L, 0x8979fb1b}, { - 0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L, 0xb8e1afedL, - 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L, 0x24a19947L, 0xb3916cf7L, - 0x0801f2e2L, 0x858efc16L, 0x636920d8L, 0x71574e69L, 0xa458fea3L, - 0xf4933d7eL, 0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL, - 0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L, 0xc5d1b023L, - 0x286085f0L, 0xca417918L, 0xb8db38efL, 0x8e79dcb0L, 0x603a180eL, - 0x6c9e0e8bL, 0xb01e8a3eL, 0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, - 0x55605c60L, 0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L, - 0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL, 0xa15486afL, - 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL, 0x2ba9c55dL, 0x741831f6L, - 0xce5c3e16L, 0x9b87931eL, 0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, - 0x28958677L, 0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L, - 0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L, 0xef845d5dL, - 0xe98575b1L, 0xdc262302L, 0xeb651b88L, 0x23893e81L, 0xd396acc5L, - 0x0f6d6ff3L, 0x83f44239L, 0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, - 0x9e1f9b5eL, 0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L, - 0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L, 0x6eef0b6cL, - 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L, 0xa1f1651dL, 0x39af0176L, - 0x66ca593eL, 0x82430e88L, 0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, - 0x3b8b5ebeL, 0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L, - 0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL, 0x37d0d724L, - 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL, 0x075372c9L, 0x80991b7bL, - 0x25d479d8L, 0xf6e8def7L, 0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, - 0x04c006baL, 0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L, - 0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL, 0x6dfc511fL, - 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L, 0xbee3d004L, 0xde334afdL, - 0x660f2807L, 0x192e4bb3L, 0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, - 0xb9d3fbdbL, 0x5579c0bdL, 
0x1a60320aL, 0xd6a100c6L, 0x402c7279L, - 0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L, 0x3c7516dfL, - 0xfd616b15L, 0x2f501ec8L, 0xad0552abL, 0x323db5faL, 0xfd238760L, - 0x53317b48L, 0x3e00df82L, 0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, - 0xdf1769dbL, 0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L, - 0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L, 0x10fa3d98L, - 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL, 0x9a53e479L, 0xb6f84565L, - 0xd28e49bcL, 0x4bfb9790L, 0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, - 0xcee4c6e8L, 0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L, - 0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L, 0xd08ed1d0L, - 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L, 0x8ff6e2fbL, 0xf2122b64L, - 0x8888b812L, 0x900df01cL, 0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, - 0xb3a8c1adL, 0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L, - 0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L, 0xb4a84fe0L, - 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L, 0x165fa266L, 0x80957705L, - 0x93cc7314L, 0x211a1477L, 0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, - 0xfb9d35cfL, 0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L, - 0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL, 0x2464369bL, - 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL, 0x78c14389L, 0xd95a537fL, - 0x207d5ba2L, 0x02e5b9c5L, 0x83260376L, 0x6295cfa9L, 0x11c81968L, - 0x4e734a41L, 0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L, - 0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L, 0x08ba6fb5L, - 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L, 0xb6636521L, 0xe7b9f9b6L, - 0xff34052eL, 0xc5855664L, 0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, - 0x6e85076aL, 0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L, - 0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L, 0xecaa8c71L, - 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L, 0x193602a5L, 0x75094c29L, - 0xa0591340L, 0xe4183a3eL, 0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, - 0x99f73fd6L, 0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L, - 0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL, 0x09686b3fL, - 0x3ebaefc9L, 
0x3c971814L, 0x6b6a70a1L, 0x687f3584L, 0x52a0e286L, - 0xb79c5305L, 0xaa500737L, 0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, - 0x5716f2b8L, 0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL, - 0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL, 0xd19113f9L, - 0x7ca92ff6L, 0x94324773L, 0x22f54701L, 0x3ae5e581L, 0x37c2dadcL, - 0xc8b57634L, 0x9af3dda7L, 0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, - 0xa4751e41L, 0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L, - 0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL, 0x2cb81290L, - 0x24977c79L, 0x5679b072L, 0xbcaf89afL, 0xde9a771fL, 0xd9930810L, - 0xb38bae12L, 0xdccf3f2eL, 0x5512721fL, 0x2e6b7124L, 0x501adde6L, - 0x9f84cd87L, 0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL, - 0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L, 0xef1c1847L, - 0x3215d908L, 0xdd433b37L, 0x24c2ba16L, 0x12a14d43L, 0x2a65c451L, - 0x50940002L, 0x133ae4ddL, 0x71dff89eL, 0x10314e55L, 0x81ac77d6L, - 0x5f11199bL, 0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L, - 0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL, 0x86e34570L, - 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L, 0x771fe71cL, 0x4e3d06faL, - 0x2965dcb9L, 0x99e71d0fL, 0x803e89d6L, 0x5266c825L, 0x2e4cc978L, - 0x9c10b36aL, 0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L, - 0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L, 0x5223a708L, - 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L, 0xe3bc4595L, 0xa67bc883L, - 0xb17f37d1L, 0x018cff28L, 0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, - 0x68ab9802L, 0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L, - 0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L, 0x13cca830L, - 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL, 0xb5735c90L, 0x4c70a239L, - 0xd59e9e0bL, 0xcbaade14L, 0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, - 0xb2f3846eL, 0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L, - 0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L, 0x9b540b19L, - 0x875fa099L, 0x95f7997eL, 0x623d7da8L, 0xf837889aL, 0x97e32d77L, - 0x11ed935fL, 0x16681281L, 0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, - 
0x7858ba99L, 0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L, - 0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L, 0x58ebf2efL, - 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L, 0x5d4a14d9L, 0xe864b7e3L, - 0x42105d14L, 0x203e13e0L, 0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, - 0xfacb4fd0L, 0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L, - 0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L, 0xcf62a1f2L, - 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L, 0x7f1524c3L, 0x69cb7492L, - 0x47848a0bL, 0x5692b285L, 0x095bbf00L, 0xad19489dL, 0x1462b174L, - 0x23820e00L, 0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L, - 0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL, 0x7cde3759L, - 0xcbee7460L, 0x4085f2a7L, 0xce77326eL, 0xa6078084L, 0x19f8509eL, - 0xe8efd855L, 0x61d99735L, 0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, - 0x800bcadcL, 0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L, - 0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L, 0xc5c43465L, - 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L, 0x153e21e7L, 0x8fb03d4aL, - 0xe6e39f2bL, 0xdb83adf7L, 0xe93d5a68L, 0x948140f7L, 0xf64c261cL, - 0x94692934L, 0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L, - 0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL, 0x1e39f62eL, - 0x97244546L, 0x14214f74L, 0xbf8b8840L, 0x4d95fc1dL, 0x96b591afL, - 0x70f4ddd3L, 0x66a02f45L, 0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, - 0x31cb8504L, 0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL, - 0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL, 0x68dc1462L, - 0xd7486900L, 0x680ec0a4L, 0x27a18deeL, 0x4f3ffea2L, 0xe887ad8cL, - 0xb58ce006L, 0x7af4d6b6L, 0xaace1e7cL, 0xd3375fecL, 0xce78a399L, - 0x406b2a42L, 0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL, - 0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L, 0x3a6efa74L, - 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL, 0xfb0af54eL, 0xd8feb397L, - 0x454056acL, 0xba489527L, 0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, - 0xd096954bL, 0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L, - 0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL, 
0xfdf8e802L, - 0x04272f70L, 0x80bb155cL, 0x05282ce3L, 0x95c11548L, 0xe4c66d22L, - 0x48c1133fL, 0xc70f86dcL, 0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, - 0x5d886e17L, 0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L, - 0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL, 0x0e12b4c2L, - 0x02e1329eL, 0xaf664fd1L, 0xcad18115L, 0x6b2395e0L, 0x333e92e1L, - 0x3b240b62L, 0xeebeb922L, 0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, - 0x2da2f728L, 0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L, - 0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL, 0x0a476341L, - 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L, 0xa812dc60L, 0xa1ebddf8L, - 0x991be14cL, 0xdb6e6b0dL, 0xc67b5510L, 0x6d672c37L, 0x2765d43bL, - 0xdcd0e804L, 0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL, - 0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L, 0xbb132f88L, - 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL, 0x37392eb3L, 0xcc115979L, - 0x8026e297L, 0xf42e312dL, 0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, - 0x782ef11cL, 0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L, - 0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L, 0x44421659L, - 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL, 0x64af674eL, 0xda86a85fL, - 0xbebfe988L, 0x64e4c3feL, 0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, - 0x6003604dL, 0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL, - 0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL, 0x77a057beL, - 0xbde8ae24L, 0x55464299L, 0xbf582e61L, 0x4e58f48fL, 0xf2ddfda2L, - 0xf474ef38L, 0x8789bdc2L, 0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, - 0x46fcd9b9L, 0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L, - 0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL, 0xb90bace1L, - 0xbb8205d0L, 0x11a86248L, 0x7574a99eL, 0xb77f19b6L, 0xe0a9dc09L, - 0x662d09a1L, 0xc4324633L, 0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, - 0x1d6efe10L, 0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L, - 0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L, 0x50115e01L, - 0xa70683faL, 0xa002b5c4L, 0x0de6d027L, 0x9af88c27L, 0x773f8641L, - 0xc3604c06L, 0x61a806b5L, 0xf0177a28L, 
0xc0f586e0L, 0x006058aaL, - 0x30dc7d62L, 0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L, - 0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L, 0x6f05e409L, - 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L, 0x86e3725fL, 0x724d9db9L, - 0x1ac15bb4L, 0xd39eb8fcL, 0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, - 0x4dad0fc4L, 0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL, - 0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L, 0xd79a3234L, - 0x92638212L, 0x670efa8eL, 0x406000e0L, 0x3a39ce37L, 0xd3faf5cfL, - 0xabc27737L, 0x5ac52d1bL, 0x5cb0679eL, 0x4fa33742L, 0xd3822740L, - 0x99bc9bbeL, 0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL, - 0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L, 0x5748ab2fL, - 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L, 0x530ff8eeL, 0x468dde7dL, - 0xd5730a1dL, 0x4cd04dc6L, 0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, - 0xbe5ee304L, 0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L, - 0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L, 0x83c061baL, - 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L, 0x2826a2f9L, 0xa73a3ae1L, - 0x4ba99586L, 0xef5562e9L, 0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, - 0x77fa0a59L, 0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L, - 0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L, 0x96d5ac3aL, - 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L, 0x1f9f25cfL, 0xadf2b89bL, - 0x5ad6b472L, 0x5a88f54cL, 0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, - 0xed93fa9bL, 0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L, - 0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL, 0x15056dd4L, - 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL, 0xc3eb9e15L, 0x3c9057a2L, - 0x97271aecL, 0xa93a072aL, 0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, - 0x26dcf319L, 0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL, - 0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL, 0x4de81751L, - 0x3830dc8eL, 0x379d5862L, 0x9320f991L, 0xea7a90c2L, 0xfb3e7bceL, - 0x5121ce64L, 0x774fbe32L, 0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, - 0x6413e680L, 0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L, - 0xb39a460aL, 0x6445c0ddL, 
0x586cdecfL, 0x1c20c8aeL, 0x5bbef7ddL, - 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL, 0xdda26a7eL, 0x3a59ff45L, - 0x3e350a44L, 0xbcb4cdd5L, 0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, - 0xbf3c6f47L, 0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L, - 0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL, 0x4040cb08L, - 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L, 0xe1b00428L, 0x95983a1dL, - 0x06b89fb4L, 0xce6ea048L, 0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, - 0x277227f8L, 0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL, - 0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L, 0xe01cc87eL, - 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L, 0x1a908749L, 0xd44fbd9aL, - 0xd0dadecbL, 0xd50ada38L, 0x0339c32aL, 0xc6913667L, 0x8df9317cL, - 0xe0b12b4fL, 0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL, - 0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L, 0xfae59361L, - 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L, 0xb6c1075eL, 0xe3056a0cL, - 0x10d25065L, 0xcb03a442L, 0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, - 0x3278e964L, 0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL, - 0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L, 0xdf359f8dL, - 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL, 0xe54cda54L, 0x1edad891L, - 0xce6279cfL, 0xcd3e7e6fL, 0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, - 0xf6fb2299L, 0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L, - 0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL, 0xde966292L, - 0x81b949d0L, 0x4c50901bL, 0x71c65614L, 0xe6c6c7bdL, 0x327a140aL, - 0x45e1d006L, 0xc3f27b9aL, 0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, - 0x35bdd2f6L, 0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL, - 0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L, 0xba38209cL, - 0xf746ce76L, 0x77afa1c5L, 0x20756060L, 0x85cbfe4eL, 0x8ae88dd8L, - 0x7aaaf9b0L, 0x4cf9aa7eL, 0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, - 0xd6ebe1f9L, 0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL, - 0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L, + 0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L, 0xb8e1afedL, + 0x6a267e96L, 0xba7c9045L, 
0xf12c7f99L, 0x24a19947L, 0xb3916cf7L, + 0x0801f2e2L, 0x858efc16L, 0x636920d8L, 0x71574e69L, 0xa458fea3L, + 0xf4933d7eL, 0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL, + 0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L, 0xc5d1b023L, + 0x286085f0L, 0xca417918L, 0xb8db38efL, 0x8e79dcb0L, 0x603a180eL, + 0x6c9e0e8bL, 0xb01e8a3eL, 0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, + 0x55605c60L, 0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L, + 0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL, 0xa15486afL, + 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL, 0x2ba9c55dL, 0x741831f6L, + 0xce5c3e16L, 0x9b87931eL, 0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, + 0x28958677L, 0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L, + 0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L, 0xef845d5dL, + 0xe98575b1L, 0xdc262302L, 0xeb651b88L, 0x23893e81L, 0xd396acc5L, + 0x0f6d6ff3L, 0x83f44239L, 0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, + 0x9e1f9b5eL, 0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L, + 0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L, 0x6eef0b6cL, + 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L, 0xa1f1651dL, 0x39af0176L, + 0x66ca593eL, 0x82430e88L, 0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, + 0x3b8b5ebeL, 0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L, + 0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL, 0x37d0d724L, + 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL, 0x075372c9L, 0x80991b7bL, + 0x25d479d8L, 0xf6e8def7L, 0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, + 0x04c006baL, 0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L, + 0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL, 0x6dfc511fL, + 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L, 0xbee3d004L, 0xde334afdL, + 0x660f2807L, 0x192e4bb3L, 0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, + 0xb9d3fbdbL, 0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L, + 0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L, 0x3c7516dfL, + 0xfd616b15L, 0x2f501ec8L, 0xad0552abL, 0x323db5faL, 0xfd238760L, + 0x53317b48L, 0x3e00df82L, 0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, + 0xdf1769dbL, 
0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L, + 0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L, 0x10fa3d98L, + 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL, 0x9a53e479L, 0xb6f84565L, + 0xd28e49bcL, 0x4bfb9790L, 0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, + 0xcee4c6e8L, 0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L, + 0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L, 0xd08ed1d0L, + 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L, 0x8ff6e2fbL, 0xf2122b64L, + 0x8888b812L, 0x900df01cL, 0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, + 0xb3a8c1adL, 0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L, + 0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L, 0xb4a84fe0L, + 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L, 0x165fa266L, 0x80957705L, + 0x93cc7314L, 0x211a1477L, 0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, + 0xfb9d35cfL, 0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L, + 0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL, 0x2464369bL, + 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL, 0x78c14389L, 0xd95a537fL, + 0x207d5ba2L, 0x02e5b9c5L, 0x83260376L, 0x6295cfa9L, 0x11c81968L, + 0x4e734a41L, 0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L, + 0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L, 0x08ba6fb5L, + 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L, 0xb6636521L, 0xe7b9f9b6L, + 0xff34052eL, 0xc5855664L, 0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, + 0x6e85076aL, 0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L, + 0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L, 0xecaa8c71L, + 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L, 0x193602a5L, 0x75094c29L, + 0xa0591340L, 0xe4183a3eL, 0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, + 0x99f73fd6L, 0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L, + 0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL, 0x09686b3fL, + 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L, 0x687f3584L, 0x52a0e286L, + 0xb79c5305L, 0xaa500737L, 0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, + 0x5716f2b8L, 0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL, + 0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL, 0xd19113f9L, + 
0x7ca92ff6L, 0x94324773L, 0x22f54701L, 0x3ae5e581L, 0x37c2dadcL, + 0xc8b57634L, 0x9af3dda7L, 0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, + 0xa4751e41L, 0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L, + 0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL, 0x2cb81290L, + 0x24977c79L, 0x5679b072L, 0xbcaf89afL, 0xde9a771fL, 0xd9930810L, + 0xb38bae12L, 0xdccf3f2eL, 0x5512721fL, 0x2e6b7124L, 0x501adde6L, + 0x9f84cd87L, 0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL, + 0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L, 0xef1c1847L, + 0x3215d908L, 0xdd433b37L, 0x24c2ba16L, 0x12a14d43L, 0x2a65c451L, + 0x50940002L, 0x133ae4ddL, 0x71dff89eL, 0x10314e55L, 0x81ac77d6L, + 0x5f11199bL, 0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L, + 0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL, 0x86e34570L, + 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L, 0x771fe71cL, 0x4e3d06faL, + 0x2965dcb9L, 0x99e71d0fL, 0x803e89d6L, 0x5266c825L, 0x2e4cc978L, + 0x9c10b36aL, 0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L, + 0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L, 0x5223a708L, + 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L, 0xe3bc4595L, 0xa67bc883L, + 0xb17f37d1L, 0x018cff28L, 0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, + 0x68ab9802L, 0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L, + 0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L, 0x13cca830L, + 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL, 0xb5735c90L, 0x4c70a239L, + 0xd59e9e0bL, 0xcbaade14L, 0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, + 0xb2f3846eL, 0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L, + 0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L, 0x9b540b19L, + 0x875fa099L, 0x95f7997eL, 0x623d7da8L, 0xf837889aL, 0x97e32d77L, + 0x11ed935fL, 0x16681281L, 0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, + 0x7858ba99L, 0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L, + 0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L, 0x58ebf2efL, + 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L, 0x5d4a14d9L, 0xe864b7e3L, + 0x42105d14L, 0x203e13e0L, 0x45eee2b6L, 0xa3aaabeaL, 
0xdb6c4f15L, + 0xfacb4fd0L, 0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L, + 0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L, 0xcf62a1f2L, + 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L, 0x7f1524c3L, 0x69cb7492L, + 0x47848a0bL, 0x5692b285L, 0x095bbf00L, 0xad19489dL, 0x1462b174L, + 0x23820e00L, 0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L, + 0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL, 0x7cde3759L, + 0xcbee7460L, 0x4085f2a7L, 0xce77326eL, 0xa6078084L, 0x19f8509eL, + 0xe8efd855L, 0x61d99735L, 0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, + 0x800bcadcL, 0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L, + 0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L, 0xc5c43465L, + 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L, 0x153e21e7L, 0x8fb03d4aL, + 0xe6e39f2bL, 0xdb83adf7L, 0xe93d5a68L, 0x948140f7L, 0xf64c261cL, + 0x94692934L, 0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L, + 0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL, 0x1e39f62eL, + 0x97244546L, 0x14214f74L, 0xbf8b8840L, 0x4d95fc1dL, 0x96b591afL, + 0x70f4ddd3L, 0x66a02f45L, 0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, + 0x31cb8504L, 0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL, + 0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL, 0x68dc1462L, + 0xd7486900L, 0x680ec0a4L, 0x27a18deeL, 0x4f3ffea2L, 0xe887ad8cL, + 0xb58ce006L, 0x7af4d6b6L, 0xaace1e7cL, 0xd3375fecL, 0xce78a399L, + 0x406b2a42L, 0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL, + 0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L, 0x3a6efa74L, + 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL, 0xfb0af54eL, 0xd8feb397L, + 0x454056acL, 0xba489527L, 0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, + 0xd096954bL, 0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L, + 0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL, 0xfdf8e802L, + 0x04272f70L, 0x80bb155cL, 0x05282ce3L, 0x95c11548L, 0xe4c66d22L, + 0x48c1133fL, 0xc70f86dcL, 0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, + 0x5d886e17L, 0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L, + 0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 
0x1f636c1bL, 0x0e12b4c2L, + 0x02e1329eL, 0xaf664fd1L, 0xcad18115L, 0x6b2395e0L, 0x333e92e1L, + 0x3b240b62L, 0xeebeb922L, 0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, + 0x2da2f728L, 0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L, + 0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL, 0x0a476341L, + 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L, 0xa812dc60L, 0xa1ebddf8L, + 0x991be14cL, 0xdb6e6b0dL, 0xc67b5510L, 0x6d672c37L, 0x2765d43bL, + 0xdcd0e804L, 0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL, + 0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L, 0xbb132f88L, + 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL, 0x37392eb3L, 0xcc115979L, + 0x8026e297L, 0xf42e312dL, 0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, + 0x782ef11cL, 0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L, + 0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L, 0x44421659L, + 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL, 0x64af674eL, 0xda86a85fL, + 0xbebfe988L, 0x64e4c3feL, 0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, + 0x6003604dL, 0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL, + 0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL, 0x77a057beL, + 0xbde8ae24L, 0x55464299L, 0xbf582e61L, 0x4e58f48fL, 0xf2ddfda2L, + 0xf474ef38L, 0x8789bdc2L, 0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, + 0x46fcd9b9L, 0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L, + 0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL, 0xb90bace1L, + 0xbb8205d0L, 0x11a86248L, 0x7574a99eL, 0xb77f19b6L, 0xe0a9dc09L, + 0x662d09a1L, 0xc4324633L, 0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, + 0x1d6efe10L, 0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L, + 0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L, 0x50115e01L, + 0xa70683faL, 0xa002b5c4L, 0x0de6d027L, 0x9af88c27L, 0x773f8641L, + 0xc3604c06L, 0x61a806b5L, 0xf0177a28L, 0xc0f586e0L, 0x006058aaL, + 0x30dc7d62L, 0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L, + 0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L, 0x6f05e409L, + 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L, 0x86e3725fL, 0x724d9db9L, + 0x1ac15bb4L, 0xd39eb8fcL, 
0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, + 0x4dad0fc4L, 0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL, + 0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L, 0xd79a3234L, + 0x92638212L, 0x670efa8eL, 0x406000e0L, 0x3a39ce37L, 0xd3faf5cfL, + 0xabc27737L, 0x5ac52d1bL, 0x5cb0679eL, 0x4fa33742L, 0xd3822740L, + 0x99bc9bbeL, 0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL, + 0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L, 0x5748ab2fL, + 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L, 0x530ff8eeL, 0x468dde7dL, + 0xd5730a1dL, 0x4cd04dc6L, 0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, + 0xbe5ee304L, 0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L, + 0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L, 0x83c061baL, + 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L, 0x2826a2f9L, 0xa73a3ae1L, + 0x4ba99586L, 0xef5562e9L, 0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, + 0x77fa0a59L, 0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L, + 0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L, 0x96d5ac3aL, + 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L, 0x1f9f25cfL, 0xadf2b89bL, + 0x5ad6b472L, 0x5a88f54cL, 0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, + 0xed93fa9bL, 0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L, + 0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL, 0x15056dd4L, + 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL, 0xc3eb9e15L, 0x3c9057a2L, + 0x97271aecL, 0xa93a072aL, 0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, + 0x26dcf319L, 0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL, + 0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL, 0x4de81751L, + 0x3830dc8eL, 0x379d5862L, 0x9320f991L, 0xea7a90c2L, 0xfb3e7bceL, + 0x5121ce64L, 0x774fbe32L, 0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, + 0x6413e680L, 0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L, + 0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL, 0x5bbef7ddL, + 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL, 0xdda26a7eL, 0x3a59ff45L, + 0x3e350a44L, 0xbcb4cdd5L, 0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, + 0xbf3c6f47L, 0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L, + 0x740e0d8dL, 
0xe75b1357L, 0xf8721671L, 0xaf537d5dL, 0x4040cb08L, + 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L, 0xe1b00428L, 0x95983a1dL, + 0x06b89fb4L, 0xce6ea048L, 0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, + 0x277227f8L, 0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL, + 0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L, 0xe01cc87eL, + 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L, 0x1a908749L, 0xd44fbd9aL, + 0xd0dadecbL, 0xd50ada38L, 0x0339c32aL, 0xc6913667L, 0x8df9317cL, + 0xe0b12b4fL, 0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL, + 0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L, 0xfae59361L, + 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L, 0xb6c1075eL, 0xe3056a0cL, + 0x10d25065L, 0xcb03a442L, 0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, + 0x3278e964L, 0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL, + 0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L, 0xdf359f8dL, + 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL, 0xe54cda54L, 0x1edad891L, + 0xce6279cfL, 0xcd3e7e6fL, 0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, + 0xf6fb2299L, 0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L, + 0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL, 0xde966292L, + 0x81b949d0L, 0x4c50901bL, 0x71c65614L, 0xe6c6c7bdL, 0x327a140aL, + 0x45e1d006L, 0xc3f27b9aL, 0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, + 0x35bdd2f6L, 0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL, + 0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L, 0xba38209cL, + 0xf746ce76L, 0x77afa1c5L, 0x20756060L, 0x85cbfe4eL, 0x8ae88dd8L, + 0x7aaaf9b0L, 0x4cf9aa7eL, 0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, + 0xd6ebe1f9L, 0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL, + 0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L, }, }; @@ -556,7 +556,7 @@ static void BF_cfb64_encrypt(const uint8_t *in, uint8_t *out, size_t length, } static int bf_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, - const uint8_t *iv, int enc) { + const uint8_t *iv, int enc) { BF_KEY *bf_key = ctx->cipher_data; BF_set_key(bf_key, ctx->key_len, key); return 1; 
diff --git a/crypto/decrepit/cast/cast.c b/crypto/decrepit/cast/cast.c index 1b80b8f386..c50bb4dbf3 100644 --- a/crypto/decrepit/cast/cast.c +++ b/crypto/decrepit/cast/cast.c @@ -87,19 +87,19 @@ void CAST_ecb_encrypt(const uint8_t *in, uint8_t *out, const CAST_KEY *ks, #if defined(OPENSSL_WINDOWS) && defined(_MSC_VER) #define ROTL(a, n) (_lrotl(a, n)) #else -#define ROTL(a, n) ((((a) << (n)) | ((a) >> ((-(n))&31))) & 0xffffffffL) +#define ROTL(a, n) ((((a) << (n)) | ((a) >> ((-(n)) & 31))) & 0xffffffffL) #endif -#define E_CAST(n, key, L, R, OP1, OP2, OP3) \ - { \ - uint32_t a, b, c, d; \ - t = (key[n * 2] OP1 R) & 0xffffffff; \ - t = ROTL(t, (key[n * 2 + 1])); \ - a = CAST_S_table0[(t >> 8) & 0xff]; \ - b = CAST_S_table1[(t)&0xff]; \ - c = CAST_S_table2[(t >> 24) & 0xff]; \ - d = CAST_S_table3[(t >> 16) & 0xff]; \ - L ^= (((((a OP2 b)&0xffffffffL)OP3 c) & 0xffffffffL)OP1 d) & 0xffffffffL; \ +#define E_CAST(n, key, L, R, OP1, OP2, OP3) \ + { \ + uint32_t a, b, c, d; \ + t = (key[n * 2] OP1 R) & 0xffffffff; \ + t = ROTL(t, (key[n * 2 + 1])); \ + a = CAST_S_table0[(t >> 8) & 0xff]; \ + b = CAST_S_table1[(t)&0xff]; \ + c = CAST_S_table2[(t >> 24) & 0xff]; \ + d = CAST_S_table3[(t >> 16) & 0xff]; \ + L ^= (((((a OP2 b)&0xffffffffL)OP3 c) & 0xffffffffL) OP1 d) & 0xffffffffL; \ } void CAST_encrypt(uint32_t *data, const CAST_KEY *key) { diff --git a/crypto/decrepit/cast/internal.h b/crypto/decrepit/cast/internal.h index 4b25efcfe6..1a1e9ed42c 100644 --- a/crypto/decrepit/cast/internal.h +++ b/crypto/decrepit/cast/internal.h @@ -89,7 +89,7 @@ void CAST_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length, const CAST_KEY *ks, uint8_t *iv, int enc); #if defined(__cplusplus) -} // extern C +} // extern C #endif #endif // OPENSSL_HEADER_CAST_INTERNAL_H diff --git a/crypto/decrepit/cfb/cfb.c b/crypto/decrepit/cfb/cfb.c index a55a497daa..72dee9a34f 100644 --- a/crypto/decrepit/cfb/cfb.c +++ b/crypto/decrepit/cfb/cfb.c 
@@ -19,12 +19,12 @@
 #include
 #include
-#include "../../internal.h"
 #include "../../fipsmodule/cipher/internal.h"
+#include "../../internal.h"
 // MAXBITCHUNK is used in |aes_cfb1_cipher| to avoid overflow because
 // |AES_cfb1_encrypt| operates data on bit level.
-#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
+#define MAXBITCHUNK ((size_t)1 << (sizeof(size_t) * 8 - 4))
 typedef struct {
 AES_KEY ks;
@@ -40,8 +40,8 @@ static int aes_cfb_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
 return 1;
 }
-static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
- const uint8_t *in, size_t len) {
+static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+ size_t len) {
 if (!out || !in) {
 return 0;
 }
@@ -50,32 +50,32 @@ static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 if (ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) {
 int num = ctx->num;
 AES_cfb1_encrypt(in, out, len, &cfb_ctx->ks, ctx->iv, &num,
- ctx->encrypt ? AES_ENCRYPT : AES_DECRYPT);
+ ctx->encrypt ? AES_ENCRYPT : AES_DECRYPT);
 ctx->num = num;
 return 1;
 }
 while (len >= MAXBITCHUNK) {
 int num = ctx->num;
- AES_cfb1_encrypt(in, out, MAXBITCHUNK * 8, &cfb_ctx->ks, ctx->iv, &num,
- ctx->encrypt ? AES_ENCRYPT : AES_DECRYPT);
+ AES_cfb1_encrypt(in, out, MAXBITCHUNK * 8, &cfb_ctx->ks, ctx->iv, &num,
+ ctx->encrypt ? AES_ENCRYPT : AES_DECRYPT);
 ctx->num = num;
 len -= MAXBITCHUNK;
 out += MAXBITCHUNK;
- in += MAXBITCHUNK;
+ in += MAXBITCHUNK;
 }
 if (len) {
 int num = ctx->num;
 AES_cfb1_encrypt(in, out, len * 8, &cfb_ctx->ks, ctx->iv, &num,
- ctx->encrypt ? AES_ENCRYPT : AES_DECRYPT);
+ ctx->encrypt ? AES_ENCRYPT : AES_DECRYPT);
 ctx->num = num;
 }
 return 1;
 }
-static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
- const uint8_t *in, size_t len) {
+static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+ size_t len) {
 if (!out || !in) {
 return 0;
 }
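Review bot: The include reorder at the top of the first cfb.c hunk (`../../internal.h` now comes after `../../fipsmodule/cipher/internal.h`) changes preprocessing order, which is more than the whitespace-only change the rest of this commit makes; it is only safe if both headers are self-contained, which the hunk cannot show. The same reorder appears in the ripemd.c hunk further down, where `../../internal.h` moves after `md32_common.h`. Worth stating in the commit message that include sorting was enabled and that every build configuration was checked, or, if any header does depend on ordering, pinning the old order between `// clang-format off` and `// clang-format on`. The file-scope declarations around these includes start before the hunk.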
@@ -83,7 +83,7 @@ static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 EVP_CFB_CTX *cfb_ctx = (EVP_CFB_CTX *)ctx->cipher_data;
 int num = ctx->num;
 AES_cfb8_encrypt(in, out, len, &cfb_ctx->ks, ctx->iv, &num,
- ctx->encrypt ? AES_ENCRYPT : AES_DECRYPT);
+ ctx->encrypt ? AES_ENCRYPT : AES_DECRYPT);
 ctx->num = num;
 return 1;
@@ -105,17 +105,15 @@ static int aes_cfb128_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 }
 static const EVP_CIPHER aes_128_cfb1 = {
- NID_aes_128_cfb1, 1 /* block_size */, 16 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- aes_cfb_init_key, aes_cfb1_cipher, NULL /* cleanup */,
- NULL /* ctrl */,
+ NID_aes_128_cfb1, 1 /* block_size */, 16 /* key_size */, 16 /* iv_len */,
+ sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE, aes_cfb_init_key, aes_cfb1_cipher,
+ NULL /* cleanup */, NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_128_cfb8 = {
- NID_aes_128_cfb8, 1 /* block_size */, 16 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- aes_cfb_init_key, aes_cfb8_cipher, NULL /* cleanup */,
- NULL /* ctrl */,
+ NID_aes_128_cfb8, 1 /* block_size */, 16 /* key_size */, 16 /* iv_len */,
+ sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE, aes_cfb_init_key, aes_cfb8_cipher,
+ NULL /* cleanup */, NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_128_cfb128 = {
@@ -126,17 +124,15 @@ static const EVP_CIPHER aes_128_cfb128 = {
 };
 static const EVP_CIPHER aes_192_cfb1 = {
- NID_aes_192_cfb1, 1 /* block_size */, 24 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- aes_cfb_init_key, aes_cfb1_cipher, NULL /* cleanup */,
- NULL /* ctrl */,
+ NID_aes_192_cfb1, 1 /* block_size */, 24 /* key_size */, 16 /* iv_len */,
+ sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE, aes_cfb_init_key, aes_cfb1_cipher,
+ NULL /* cleanup */, NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_192_cfb8 = {
- NID_aes_192_cfb8, 1 /* block_size */, 24 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- aes_cfb_init_key, aes_cfb8_cipher, NULL /* cleanup */,
- NULL /* ctrl */,
+ NID_aes_192_cfb8, 1 /* block_size */, 24 /* key_size */, 16 /* iv_len */,
+ sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE, aes_cfb_init_key, aes_cfb8_cipher,
+ NULL /* cleanup */, NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_192_cfb128 = {
@@ -147,23 +143,21 @@ static const EVP_CIPHER aes_192_cfb128 = {
 };
 static const EVP_CIPHER aes_256_cfb1 = {
- NID_aes_256_cfb1, 1 /* block_size */, 32 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- aes_cfb_init_key, aes_cfb1_cipher, NULL /* cleanup */,
- NULL /* ctrl */,
+ NID_aes_256_cfb1, 1 /* block_size */, 32 /* key_size */, 16 /* iv_len */,
+ sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE, aes_cfb_init_key, aes_cfb1_cipher,
+ NULL /* cleanup */, NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_256_cfb8 = {
- NID_aes_256_cfb8, 1 /* block_size */, 32 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- aes_cfb_init_key, aes_cfb8_cipher, NULL /* cleanup */,
- NULL /* ctrl */,
+ NID_aes_256_cfb8, 1 /* block_size */, 32 /* key_size */, 16 /* iv_len */,
+ sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE, aes_cfb_init_key, aes_cfb8_cipher,
+ NULL /* cleanup */, NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_256_cfb128 = {
- NID_aes_256_cfb128, 1 /* block_size */, 32 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- aes_cfb_init_key, aes_cfb128_cipher, NULL /* cleanup */,
+ NID_aes_256_cfb128, 1 /* block_size */, 32 /* key_size */,
+ 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
+ aes_cfb_init_key, aes_cfb128_cipher, NULL /* cleanup */,
 NULL /* ctrl */,
 };
diff --git a/crypto/decrepit/cfb/cfb_test.cc b/crypto/decrepit/cfb/cfb_test.cc
index 03b9c2a449..b98ac73921 100644
--- a/crypto/decrepit/cfb/cfb_test.cc
+++ b/crypto/decrepit/cfb/cfb_test.cc
@@ -28,123 +28,159 @@ struct CFBTestCase { }; static const CFBTestCase kCFBTestCases[] = { - // CFB1 - { - // This is the test case from - // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, - // section F.3.1, for CFB1-AES128 - EVP_aes_128_cfb1(), - {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}, - {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, - {0x6b, 0xc1}, - {0x68, 0xb3}, - }, - { - // This is the test case from - // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, - // section F.3.3, CFB1-AES192 - EVP_aes_192_cfb1(), - {0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, - 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b}, - {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, - {0x6b, 0xc1}, - {0x93, 0x59}, - }, - { - // This is the test case from - // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, - // section F.3.5, CFB1-AES256 - EVP_aes_256_cfb1(), - {0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, - 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4}, - {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, - {0x6b, 0xc1}, - {0x90, 0x29}, - }, - // CFB8 - { - // This is the test case from - // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, - // section F.3.7, for CFB8-AES128 - EVP_aes_128_cfb8(), - {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}, - {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, - {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d}, - {0x3b, 0x79, 
0x42, 0x4c, 0x9c, 0x0d, 0xd4, 0x36, 0xba, 0xce, 0x9e, 0x0e, 0xd4, 0x58, 0x6a, 0x4f, 0x32, 0xb9}, - }, - { - // This is the test case from - // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, - // section F.3.9, CFB8-AES192 - EVP_aes_192_cfb8(), - {0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, - 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b}, - {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, - {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d}, - {0xcd, 0xa2, 0x52, 0x1e, 0xf0, 0xa9, 0x05, 0xca, 0x44, 0xcd, 0x05, 0x7c, 0xbf, 0x0d, 0x47, 0xa0, 0x67, 0x8a}, - }, - { - // This is the test case from - // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, - // section F.3.11, CFB8-AES256 - EVP_aes_256_cfb8(), - {0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, - 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4}, - {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, - {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d}, - {0xdc, 0x1f, 0x1a, 0x85, 0x20, 0xa6, 0x4d, 0xb5, 0x5f, 0xcc, 0x8a, 0xc5, 0x54, 0x84, 0x4e, 0x88, 0x97, 0x00}, - }, - // CFB/CFB128 - { - // This is the test case from - // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, - // section F.3.13, for CFB128-AES128 - EVP_aes_128_cfb128(), - {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}, - {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, - {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, - 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 
0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, - 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, - 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10}, - {0x3b, 0x3f, 0xd9, 0x2e, 0xb7, 0x2d, 0xad, 0x20, 0x33, 0x34, 0x49, 0xf8, 0xe8, 0x3c, 0xfb, 0x4a, - 0xc8, 0xa6, 0x45, 0x37, 0xa0, 0xb3, 0xa9, 0x3f, 0xcd, 0xe3, 0xcd, 0xad, 0x9f, 0x1c, 0xe5, 0x8b, - 0x26, 0x75, 0x1f, 0x67, 0xa3, 0xcb, 0xb1, 0x40, 0xb1, 0x80, 0x8c, 0xf1, 0x87, 0xa4, 0xf4, 0xdf, - 0xc0, 0x4b, 0x05, 0x35, 0x7c, 0x5d, 0x1c, 0x0e, 0xea, 0xc4, 0xc6, 0x6f, 0x9f, 0xf7, 0xf2, 0xe6}, - }, - { - // This is the test case from - // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, - // section F.3.15, CFB128-AES192 - EVP_aes_192_cfb128(), - {0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, - 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b}, - {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, - {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, - 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, - 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, - 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10}, - {0xcd, 0xc8, 0x0d, 0x6f, 0xdd, 0xf1, 0x8c, 0xab, 0x34, 0xc2, 0x59, 0x09, 0xc9, 0x9a, 0x41, 0x74, - 0x67, 0xce, 0x7f, 0x7f, 0x81, 0x17, 0x36, 0x21, 0x96, 0x1a, 0x2b, 0x70, 0x17, 0x1d, 0x3d, 0x7a, - 0x2e, 0x1e, 0x8a, 0x1d, 0xd5, 0x9b, 0x88, 0xb1, 0xc8, 0xe6, 0x0f, 0xed, 0x1e, 0xfa, 0xc4, 0xc9, - 0xc0, 0x5f, 0x9f, 0x9c, 0xa9, 0x83, 0x4f, 0xa0, 0x42, 0xae, 0x8f, 0xba, 0x58, 0x4b, 0x09, 0xff}, - }, - { - // This is the test case from - // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, - // 
section F.3.17, CFB128-AES256 - EVP_aes_256_cfb128(), - {0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, - 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4}, - {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, - {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, - 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, - 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, - 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10}, - {0xdc, 0x7e, 0x84, 0xbf, 0xda, 0x79, 0x16, 0x4b, 0x7e, 0xcd, 0x84, 0x86, 0x98, 0x5d, 0x38, 0x60, - 0x39, 0xff, 0xed, 0x14, 0x3b, 0x28, 0xb1, 0xc8, 0x32, 0x11, 0x3c, 0x63, 0x31, 0xe5, 0x40, 0x7b, - 0xdf, 0x10, 0x13, 0x24, 0x15, 0xe5, 0x4b, 0x92, 0xa1, 0x3e, 0xd0, 0xa8, 0x26, 0x7a, 0xe2, 0xf9, - 0x75, 0xa3, 0x85, 0x74, 0x1a, 0xb9, 0xce, 0xf8, 0x20, 0x31, 0x62, 0x3d, 0x55, 0xb1, 0xe4, 0x71}, - }, + // CFB1 + { + // This is the test case from + // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, + // section F.3.1, for CFB1-AES128 + EVP_aes_128_cfb1(), + {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, + 0x09, 0xcf, 0x4f, 0x3c}, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f}, + {0x6b, 0xc1}, + {0x68, 0xb3}, + }, + { + // This is the test case from + // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, + // section F.3.3, CFB1-AES192 + EVP_aes_192_cfb1(), + {0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, + 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, + 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b}, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f}, 
+ {0x6b, 0xc1}, + {0x93, 0x59}, + }, + { + // This is the test case from + // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, + // section F.3.5, CFB1-AES256 + EVP_aes_256_cfb1(), + {0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, + 0xf0, 0x85, 0x7d, 0x77, 0x81, 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, + 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4}, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f}, + {0x6b, 0xc1}, + {0x90, 0x29}, + }, + // CFB8 + { + // This is the test case from + // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, + // section F.3.7, for CFB8-AES128 + EVP_aes_128_cfb8(), + {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, + 0x09, 0xcf, 0x4f, 0x3c}, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f}, + {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, + 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d}, + {0x3b, 0x79, 0x42, 0x4c, 0x9c, 0x0d, 0xd4, 0x36, 0xba, 0xce, 0x9e, 0x0e, + 0xd4, 0x58, 0x6a, 0x4f, 0x32, 0xb9}, + }, + { + // This is the test case from + // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, + // section F.3.9, CFB8-AES192 + EVP_aes_192_cfb8(), + {0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, + 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, + 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b}, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f}, + {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, + 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d}, + {0xcd, 0xa2, 0x52, 0x1e, 0xf0, 0xa9, 0x05, 0xca, 0x44, 0xcd, 0x05, 0x7c, + 0xbf, 0x0d, 0x47, 0xa0, 0x67, 0x8a}, + }, + { + // This is the test case from + // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, + // section F.3.11, CFB8-AES256 + 
EVP_aes_256_cfb8(), + {0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, + 0xf0, 0x85, 0x7d, 0x77, 0x81, 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, + 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4}, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f}, + {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, + 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d}, + {0xdc, 0x1f, 0x1a, 0x85, 0x20, 0xa6, 0x4d, 0xb5, 0x5f, 0xcc, 0x8a, 0xc5, + 0x54, 0x84, 0x4e, 0x88, 0x97, 0x00}, + }, + // CFB/CFB128 + { + // This is the test case from + // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, + // section F.3.13, for CFB128-AES128 + EVP_aes_128_cfb128(), + {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, + 0x09, 0xcf, 0x4f, 0x3c}, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f}, + {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, + 0x11, 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, + 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 0x30, + 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, + 0x1a, 0x0a, 0x52, 0xef, 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, + 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10}, + {0x3b, 0x3f, 0xd9, 0x2e, 0xb7, 0x2d, 0xad, 0x20, 0x33, 0x34, 0x49, + 0xf8, 0xe8, 0x3c, 0xfb, 0x4a, 0xc8, 0xa6, 0x45, 0x37, 0xa0, 0xb3, + 0xa9, 0x3f, 0xcd, 0xe3, 0xcd, 0xad, 0x9f, 0x1c, 0xe5, 0x8b, 0x26, + 0x75, 0x1f, 0x67, 0xa3, 0xcb, 0xb1, 0x40, 0xb1, 0x80, 0x8c, 0xf1, + 0x87, 0xa4, 0xf4, 0xdf, 0xc0, 0x4b, 0x05, 0x35, 0x7c, 0x5d, 0x1c, + 0x0e, 0xea, 0xc4, 0xc6, 0x6f, 0x9f, 0xf7, 0xf2, 0xe6}, + }, + { + // This is the test case from + // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, + // section F.3.15, CFB128-AES192 + EVP_aes_192_cfb128(), + {0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, + 0xc8, 
0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, + 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b}, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f}, + {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, + 0x11, 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, + 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 0x30, + 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, + 0x1a, 0x0a, 0x52, 0xef, 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, + 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10}, + {0xcd, 0xc8, 0x0d, 0x6f, 0xdd, 0xf1, 0x8c, 0xab, 0x34, 0xc2, 0x59, + 0x09, 0xc9, 0x9a, 0x41, 0x74, 0x67, 0xce, 0x7f, 0x7f, 0x81, 0x17, + 0x36, 0x21, 0x96, 0x1a, 0x2b, 0x70, 0x17, 0x1d, 0x3d, 0x7a, 0x2e, + 0x1e, 0x8a, 0x1d, 0xd5, 0x9b, 0x88, 0xb1, 0xc8, 0xe6, 0x0f, 0xed, + 0x1e, 0xfa, 0xc4, 0xc9, 0xc0, 0x5f, 0x9f, 0x9c, 0xa9, 0x83, 0x4f, + 0xa0, 0x42, 0xae, 0x8f, 0xba, 0x58, 0x4b, 0x09, 0xff}, + }, + { + // This is the test case from + // http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf, + // section F.3.17, CFB128-AES256 + EVP_aes_256_cfb128(), + {0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, + 0xf0, 0x85, 0x7d, 0x77, 0x81, 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, + 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4}, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f}, + {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, + 0x11, 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, + 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 0x30, + 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, + 0x1a, 0x0a, 0x52, 0xef, 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, + 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10}, + {0xdc, 0x7e, 0x84, 0xbf, 0xda, 0x79, 0x16, 0x4b, 0x7e, 0xcd, 0x84, + 0x86, 0x98, 0x5d, 0x38, 0x60, 0x39, 0xff, 0xed, 0x14, 
0x3b, 0x28,
+ 0xb1, 0xc8, 0x32, 0x11, 0x3c, 0x63, 0x31, 0xe5, 0x40, 0x7b, 0xdf,
+ 0x10, 0x13, 0x24, 0x15, 0xe5, 0x4b, 0x92, 0xa1, 0x3e, 0xd0, 0xa8,
+ 0x26, 0x7a, 0xe2, 0xf9, 0x75, 0xa3, 0x85, 0x74, 0x1a, 0xb9, 0xce,
+ 0xf8, 0x20, 0x31, 0x62, 0x3d, 0x55, 0xb1, 0xe4, 0x71},
+ },
 };
 TEST(CFBTest, TestVectors) {
@@ -159,7 +195,8 @@ TEST(CFBTest, TestVectors) {
 for (size_t stride = 1; stride <= input_len; stride++) {
 bssl::ScopedEVP_CIPHER_CTX ctx;
- ASSERT_TRUE(EVP_EncryptInit_ex(ctx.get(), evp_cipher, nullptr, test.key, test.iv));
+ ASSERT_TRUE(EVP_EncryptInit_ex(ctx.get(), evp_cipher, nullptr, test.key,
+ test.iv));
 size_t done = 0;
 while (done < input_len) {
@@ -180,7 +217,8 @@ TEST(CFBTest, TestVectors) {
 }
 bssl::ScopedEVP_CIPHER_CTX decrypt_ctx;
- ASSERT_TRUE(EVP_DecryptInit_ex(decrypt_ctx.get(), evp_cipher, nullptr, test.key, test.iv));
+ ASSERT_TRUE(EVP_DecryptInit_ex(decrypt_ctx.get(), evp_cipher, nullptr,
+ test.key, test.iv));
 std::unique_ptr plaintext(new uint8_t[input_len]);
 int num_bytes;
diff --git a/crypto/decrepit/dh/dh_decrepit.c b/crypto/decrepit/dh/dh_decrepit.c
index c24c5af5dd..7bc1bef046 100644
--- a/crypto/decrepit/dh/dh_decrepit.c
+++ b/crypto/decrepit/dh/dh_decrepit.c
@@ -62,7 +62,7 @@ struct wrapped_callback {
 // callback_wrapper converts an “old” style generation callback to the newer
 // |BN_GENCB| form.
 static int callback_wrapper(int event, int n, BN_GENCB *gencb) {
- struct wrapped_callback *wrapped = (struct wrapped_callback *) gencb->arg;
+ struct wrapped_callback *wrapped = (struct wrapped_callback *)gencb->arg;
 wrapped->callback(event, n, wrapped->arg);
 return 1;
 }
@@ -70,12 +70,12 @@ static int callback_wrapper(int event, int n, BN_GENCB *gencb) {
 DH *DH_generate_parameters(int prime_len, int generator,
 void (*callback)(int, int, void *), void *cb_arg) {
 if (prime_len < 0 || generator < 0) {
- return NULL;
+ return NULL;
 }
 DH *ret = DH_new();
 if (ret == NULL) {
- return NULL;
+ return NULL;
 }
 BN_GENCB gencb_storage;
diff --git a/crypto/decrepit/evp/evp_do_all.c b/crypto/decrepit/evp/evp_do_all.c
index 1b2a833163..f304089100 100644
--- a/crypto/decrepit/evp/evp_do_all.c
+++ b/crypto/decrepit/evp/evp_do_all.c
@@ -100,9 +100,8 @@ void EVP_MD_do_all_sorted(void (*callback)(const EVP_MD *cipher,
 callback(EVP_sha512_256(), "sha512-256", NULL, arg);
 }
-void EVP_MD_do_all(void (*callback)(const EVP_MD *cipher,
- const char *name, const char *unused,
- void *arg),
- void *arg) {
- EVP_MD_do_all_sorted(callback, arg);
+void EVP_MD_do_all(void (*callback)(const EVP_MD *cipher, const char *name,
+ const char *unused, void *arg),
+ void *arg) {
+ EVP_MD_do_all_sorted(callback, arg);
 }
diff --git a/crypto/decrepit/obj/obj_decrepit.c b/crypto/decrepit/obj/obj_decrepit.c
index 70eb04e427..03c49ab778 100644
--- a/crypto/decrepit/obj/obj_decrepit.c
+++ b/crypto/decrepit/obj/obj_decrepit.c
@@ -1,16 +1,16 @@
-/* Copyright (c) 2016, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+/* Copyright (c) 2016, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 #include
@@ -42,7 +42,7 @@ static void cipher_callback(const EVP_CIPHER *cipher, const char *name,
 static void md_callback(const EVP_MD *md, const char *name, const char *unused,
 void *arg) {
- const struct wrapped_callback *wrapped = (struct wrapped_callback*) arg;
+ const struct wrapped_callback *wrapped = (struct wrapped_callback *)arg;
 OBJ_NAME obj_name;
 OPENSSL_memset(&obj_name, 0, sizeof(obj_name));
@@ -51,7 +51,7 @@ static void md_callback(const EVP_MD *md, const char *name, const char *unused,
 obj_name.data = (const char *)md;
 wrapped->callback(&obj_name, wrapped->arg);
-}
+}
 void OBJ_NAME_do_all_sorted(int type,
 void (*callback)(const OBJ_NAME *, void *arg),
diff --git a/crypto/decrepit/ripemd/ripemd.c b/crypto/decrepit/ripemd/ripemd.c
index 553431a5f5..6f64f63a30 100644
--- a/crypto/decrepit/ripemd/ripemd.c
+++ b/crypto/decrepit/ripemd/ripemd.c
@@ -58,8 +58,8 @@
 #include
-#include "../../internal.h"
 #include "../../fipsmodule/digest/md32_common.h"
+#include "../../internal.h"
 #define RIPEMD160_A 0x67452301L
@@ -154,332 +154,332 @@ int RIPEMD160_Final(uint8_t out[RIPEMD160_DIGEST_LENGTH], RIPEMD160_CTX *c) {
 #define KR3 0x7A6D76E9L
 #define KR4 0x00000000L
-#define WL00 0
+#define WL00 0
 #define SL00 11
-#define WL01 1
+#define WL01 1
 #define SL01 14
-#define WL02 2
+#define WL02 2
 #define SL02 15
-#define WL03 3
+#define WL03 3
 #define SL03 12
-#define WL04 4
-#define SL04 5
-#define WL05 5
-#define SL05 8
-#define WL06 6
-#define SL06 7
-#define WL07 7
-#define SL07 9
-#define WL08 8
+#define WL04 4
+#define SL04 5
+#define WL05 5
+#define SL05 8
+#define WL06 6
+#define SL06 7
+#define WL07 7
+#define SL07 9
+#define WL08 8
 #define SL08 11
-#define WL09 9
+#define WL09 9
 #define SL09 13
 #define WL10 10
 #define SL10 14
 #define WL11 11
 #define SL11 15
 #define WL12 12
-#define SL12 6
+#define SL12 6
 #define WL13 13
-#define SL13 7
+#define SL13 7
 #define WL14 14
-#define SL14 9
+#define SL14 9
 #define WL15 15
-#define SL15 8
+#define SL15 8
-#define WL16 7
-#define SL16 7
-#define WL17 4
-#define SL17 6
+#define WL16 7
+#define SL16 7
+#define WL17 4
+#define SL17 6
 #define WL18 13
-#define SL18 8
-#define WL19 1
+#define SL18 8
+#define WL19 1
 #define SL19 13
 #define WL20 10
 #define SL20 11
-#define WL21 6
-#define SL21 9
+#define WL21 6
+#define SL21 9
 #define WL22 15
-#define SL22 7
-#define WL23 3
+#define SL22 7
+#define WL23 3
 #define SL23 15
 #define WL24 12
-#define SL24 7
-#define WL25 0
+#define SL24 7
+#define WL25 0
 #define SL25 12
-#define WL26 9
+#define WL26 9
 #define SL26 15
-#define WL27 5
-#define SL27 9
-#define WL28 2
+#define WL27 5
+#define SL27 9
+#define WL28 2
 #define SL28 11
 #define WL29 14
-#define SL29 7
+#define SL29 7
 #define WL30 11
 #define SL30 13
-#define WL31 8
+#define WL31 8
 #define SL31 12
-#define WL32 3
+#define WL32 3
 #define SL32 11
 #define WL33 10
 #define SL33 13
 #define WL34 14
-#define SL34 6
-#define WL35 4
-#define SL35 7
-#define WL36 9
+#define SL34 6
+#define WL35 4
+#define SL35 7
+#define WL36 9
 #define SL36 14
 #define WL37 15
-#define SL37 9
-#define WL38 8
+#define SL37 9
+#define WL38 8
 #define SL38 13
-#define WL39 1
+#define WL39 1
 #define SL39 15
-#define WL40 2
+#define WL40 2
 #define SL40 14
-#define WL41 7
-#define SL41 8
-#define WL42 0
+#define WL41 7
+#define SL41 8
+#define WL42 0
 #define SL42 13
-#define WL43 6
-#define SL43 6
+#define WL43 6
+#define SL43 6
 #define WL44 13
-#define SL44 5
+#define SL44 5
 #define WL45 11
 #define SL45 12
-#define WL46 5
-#define SL46 7
+#define WL46 5
+#define SL46 7
 #define WL47 12
-#define SL47 5
+#define SL47 5
-#define WL48 1
+#define WL48 1
 #define SL48 11
-#define WL49 9
+#define WL49 9
 #define SL49 12
 #define WL50 11
 #define SL50 14
 #define WL51 10
 #define SL51 15
-#define WL52 0
+#define WL52 0
 #define SL52 14
-#define WL53 8
+#define WL53 8
 #define SL53 15
 #define WL54 12
-#define SL54 9
-#define WL55 4
-#define SL55 8
+#define SL54 9
+#define WL55 4
+#define SL55 8
 #define WL56 13
-#define SL56 9
-#define WL57 3
+#define SL56 9
+#define WL57 3
 #define SL57 14
-#define WL58 7
-#define SL58 5
+#define WL58 7
+#define SL58 5
 #define WL59 15
-#define SL59 6
+#define SL59 6
 #define WL60 14
-#define SL60 8
-#define WL61 5
-#define SL61 6
-#define WL62 6
-#define SL62 5
-#define WL63 2
+#define SL60 8
+#define WL61 5
+#define SL61 6
+#define WL62 6
+#define SL62 5
+#define WL63 2
 #define SL63 12
-#define WL64 4
-#define SL64 9
-#define WL65 0
+#define WL64 4
+#define SL64 9
+#define WL65 0
 #define SL65 15
-#define WL66 5
-#define SL66 5
-#define WL67 9
+#define WL66 5
+#define SL66 5
+#define WL67 9
 #define SL67 11
-#define WL68 7
-#define SL68 6
+#define WL68 7
+#define SL68 6
 #define WL69 12
-#define SL69 8
-#define WL70 2
+#define SL69 8
+#define WL70 2
 #define SL70 13
 #define WL71 10
 #define SL71 12
 #define WL72 14
-#define SL72 5
-#define WL73 1
+#define SL72 5
+#define WL73 1
 #define SL73 12
-#define WL74 3
+#define WL74 3
 #define SL74 13
-#define WL75 8
+#define WL75 8
 #define SL75 14
 #define WL76 11
 #define SL76 11
-#define WL77 6
-#define SL77 8
+#define WL77 6
+#define SL77 8
 #define WL78 15
-#define SL78 5
+#define SL78 5
 #define WL79 13
-#define SL79 6
+#define SL79 6
-#define WR00 5
-#define SR00 8
+#define WR00 5
+#define SR00 8
 #define WR01 14
-#define SR01 9
-#define WR02 7
-#define SR02 9
-#define WR03 0
+#define SR01 9
+#define WR02 7
+#define SR02 9
+#define WR03 0
 #define SR03 11
-#define WR04 9
+#define WR04 9
 #define SR04 13
-#define WR05 2
+#define WR05 2
 #define SR05 15
 #define WR06 11
 #define SR06 15
-#define WR07 4
-#define SR07 5
+#define WR07 4
+#define SR07 5
 #define WR08 13
-#define SR08 7
-#define WR09 6
-#define SR09 7
+#define SR08 7
+#define WR09 6
+#define SR09 7
 #define WR10 15
-#define SR10 8
-#define WR11 8
+#define SR10 8
+#define WR11 8
 #define SR11 11
-#define WR12 1
+#define WR12 1
 #define SR12 14
 #define WR13 10
 #define SR13 14
-#define WR14 3
+#define WR14 3
 #define SR14 12
 #define WR15 12
-#define SR15 6
+#define SR15 6
-#define WR16 6
-#define SR16 9
+#define WR16 6
+#define SR16 9
 #define WR17 11
 #define SR17 13
-#define WR18 3
+#define WR18 3
 #define SR18 15
-#define WR19 7
-#define SR19 7
-#define WR20 0
+#define WR19 7
+#define SR19 7
+#define WR20 0
 #define SR20 12
 #define WR21 13
-#define SR21 8
-#define WR22 5
-#define SR22 9
+#define SR21 8
+#define WR22 5
+#define SR22 9
 #define WR23 10
 #define SR23 11
 #define WR24 14
-#define SR24 7
+#define SR24 7
 #define WR25 15
-#define SR25 7
-#define WR26 8
+#define SR25 7
+#define WR26 8
 #define SR26 12
 #define WR27 12
-#define SR27 7
-#define WR28 4
-#define SR28 6
-#define WR29 9
+#define SR27 7
+#define WR28 4
+#define SR28 6
+#define WR29 9
 #define SR29 15
-#define WR30 1
+#define WR30 1
 #define SR30 13
-#define WR31 2
+#define WR31 2
 #define SR31 11
 #define WR32 15
-#define SR32 9
-#define WR33 5
-#define SR33 7
-#define WR34 1
+#define SR32 9
+#define WR33 5
+#define SR33 7
+#define WR34 1
 #define SR34 15
-#define WR35 3
+#define WR35 3
 #define SR35 11
-#define WR36 7
-#define SR36 8
+#define WR36 7
+#define SR36 8
 #define WR37 14
-#define SR37 6
-#define WR38 6
-#define SR38 6
-#define WR39 9
+#define SR37 6
+#define WR38 6
+#define SR38 6
+#define WR39 9
 #define SR39 14
 #define WR40 11
 #define SR40 12
-#define WR41 8
+#define WR41 8
 #define SR41 13
 #define WR42 12
-#define SR42 5
-#define WR43 2
+#define SR42 5
+#define WR43 2
 #define SR43 14
 #define WR44 10
 #define SR44 13
-#define WR45 0
+#define WR45 0
 #define SR45 13
-#define WR46 4
-#define SR46 7
+#define WR46 4
+#define SR46 7
 #define WR47 13
-#define SR47 5
+#define SR47 5
-#define WR48 8
+#define WR48 8
 #define SR48 15
-#define WR49 6
-#define SR49 5
-#define WR50 4
-#define SR50 8
-#define WR51 1
+#define WR49 6
+#define SR49 5
+#define WR50 4
+#define SR50 8
+#define WR51 1
 #define SR51 11
-#define WR52 3
+#define WR52 3
 #define SR52 14
 #define WR53 11
 #define SR53 14
 #define WR54 15
-#define SR54 6
-#define WR55 0
+#define SR54 6
+#define WR55 0
 #define SR55 14
-#define WR56 5
-#define SR56 6
+#define WR56 5
+#define SR56 6
 #define WR57 12
-#define SR57 9
-#define WR58 2
+#define SR57 9
+#define WR58 2
 #define SR58 12
 #define WR59 13
-#define SR59 9
-#define WR60 9
+#define SR59 9
+#define WR60 9
 #define SR60 12
-#define WR61 7
-#define SR61 5
+#define WR61 7
+#define SR61 5
 #define WR62 10
 #define SR62 15
 #define WR63 14
-#define SR63 8
+#define SR63 8
 #define WR64 12
-#define SR64 8
+#define SR64 8
 #define WR65 15
-#define SR65 5
+#define SR65 5
 #define WR66 10
 #define SR66 12
-#define WR67 4
-#define SR67 9
-#define WR68 1
+#define WR67 4
+#define SR67 9
+#define WR68 1
 #define SR68 12
-#define WR69 5
-#define SR69 5
-#define WR70 8
+#define WR69 5
+#define SR69 5
+#define WR70 8
 #define SR70 14
-#define WR71 7
-#define SR71 6
-#define WR72 6
-#define SR72 8
-#define WR73 2
+#define WR71 7
+#define SR71 6
+#define WR72 6
+#define SR72 8
+#define WR73 2
 #define SR73 13
 #define WR74 13
-#define SR74 6
+#define SR74 6
 #define WR75 14
-#define SR75 5
-#define WR76 0
+#define SR75 5
+#define WR76 0
 #define SR76 15
-#define WR77 3
+#define WR77 3
 #define SR77 13
-#define WR78 9
+#define WR78 9
 #define SR78 11
 #define WR79 11
 #define SR79 11
diff --git a/crypto/decrepit/rsa/rsa_decrepit.c b/crypto/decrepit/rsa/rsa_decrepit.c
index 2c06fe34e6..0efb91842c 100644
--- a/crypto/decrepit/rsa/rsa_decrepit.c
+++ b/crypto/decrepit/rsa/rsa_decrepit.c
@@ -69,9 +69,7 @@ RSA *RSA_generate_key(int bits, uint64_t e_value, void *callback,
 RSA *rsa = RSA_new();
 BIGNUM *e = BN_new();
- if (rsa == NULL ||
- e == NULL ||
- !BN_set_u64(e, e_value) ||
+ if (rsa == NULL || e == NULL || !BN_set_u64(e, e_value) ||
 !RSA_generate_key_ex(rsa, bits, e, NULL)) {
 goto err;
 }
@@ -95,9 +93,9 @@ int RSA_verify_PKCS1_PSS(const RSA *rsa, const uint8_t *mHash,
 return RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, NULL, EM, sLen);
 }
-int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len,
- const uint8_t *from, size_t from_len,
- const uint8_t *param, size_t param_len) {
+int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len, const uint8_t *from,
+ size_t from_len, const uint8_t *param,
+ size_t param_len) {
 return RSA_padding_add_PKCS1_OAEP_mgf1(to, to_len, from, from_len, param,
 param_len, NULL, NULL);
 }
diff --git a/crypto/des/des.c b/crypto/des/des.c
index 693c178b6b..05b04f2840 100644
--- a/crypto/des/des.c
+++ b/crypto/des/des.c
@@ -147,232 +147,232 @@ how to use xors :-) I got it to its final state. #define HALF_ITERATIONS 8 static const uint32_t des_skb[8][64] = { - { // for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 - 0x00000000, 0x00000010, 0x20000000, 0x20000010, 0x00010000, - 0x00010010, 0x20010000, 0x20010010, 0x00000800, 0x00000810, - 0x20000800, 0x20000810, 0x00010800, 0x00010810, 0x20010800, - 0x20010810, 0x00000020, 0x00000030, 0x20000020, 0x20000030, - 0x00010020, 0x00010030, 0x20010020, 0x20010030, 0x00000820, - 0x00000830, 0x20000820, 0x20000830, 0x00010820, 0x00010830, - 0x20010820, 0x20010830, 0x00080000, 0x00080010, 0x20080000, - 0x20080010, 0x00090000, 0x00090010, 0x20090000, 0x20090010, - 0x00080800, 0x00080810, 0x20080800, 0x20080810, 0x00090800, - 0x00090810, 0x20090800, 0x20090810, 0x00080020, 0x00080030, - 0x20080020, 0x20080030, 0x00090020, 0x00090030, 0x20090020, - 0x20090030, 0x00080820, 0x00080830, 0x20080820, 0x20080830, - 0x00090820, 0x00090830, 0x20090820, 0x20090830, }, - { // for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 - 0x00000000, 0x02000000, 0x00002000, 0x02002000, 0x00200000, - 0x02200000, 0x00202000, 0x02202000, 0x00000004, 0x02000004, - 0x00002004, 0x02002004, 0x00200004, 0x02200004, 0x00202004, - 0x02202004, 0x00000400, 0x02000400, 0x00002400, 0x02002400, - 0x00200400, 0x02200400, 0x00202400, 0x02202400, 0x00000404, - 0x02000404, 0x00002404, 0x02002404, 0x00200404, 0x02200404, - 0x00202404, 0x02202404, 0x10000000, 0x12000000, 0x10002000, - 0x12002000, 0x10200000, 0x12200000, 0x10202000, 0x12202000, - 0x10000004, 0x12000004, 0x10002004, 0x12002004, 0x10200004, - 0x12200004, 0x10202004, 0x12202004, 0x10000400, 0x12000400, - 0x10002400, 0x12002400, 0x10200400, 0x12200400, 0x10202400, - 0x12202400, 0x10000404, 0x12000404, 0x10002404, 0x12002404, - 0x10200404, 0x12200404, 0x10202404, 0x12202404, }, - { // for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 - 0x00000000, 0x00000001, 0x00040000, 0x00040001, 0x01000000, - 0x01000001, 0x01040000, 
0x01040001, 0x00000002, 0x00000003, - 0x00040002, 0x00040003, 0x01000002, 0x01000003, 0x01040002, - 0x01040003, 0x00000200, 0x00000201, 0x00040200, 0x00040201, - 0x01000200, 0x01000201, 0x01040200, 0x01040201, 0x00000202, - 0x00000203, 0x00040202, 0x00040203, 0x01000202, 0x01000203, - 0x01040202, 0x01040203, 0x08000000, 0x08000001, 0x08040000, - 0x08040001, 0x09000000, 0x09000001, 0x09040000, 0x09040001, - 0x08000002, 0x08000003, 0x08040002, 0x08040003, 0x09000002, - 0x09000003, 0x09040002, 0x09040003, 0x08000200, 0x08000201, - 0x08040200, 0x08040201, 0x09000200, 0x09000201, 0x09040200, - 0x09040201, 0x08000202, 0x08000203, 0x08040202, 0x08040203, - 0x09000202, 0x09000203, 0x09040202, 0x09040203, }, - { // for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 - 0x00000000, 0x00100000, 0x00000100, 0x00100100, 0x00000008, - 0x00100008, 0x00000108, 0x00100108, 0x00001000, 0x00101000, - 0x00001100, 0x00101100, 0x00001008, 0x00101008, 0x00001108, - 0x00101108, 0x04000000, 0x04100000, 0x04000100, 0x04100100, - 0x04000008, 0x04100008, 0x04000108, 0x04100108, 0x04001000, - 0x04101000, 0x04001100, 0x04101100, 0x04001008, 0x04101008, - 0x04001108, 0x04101108, 0x00020000, 0x00120000, 0x00020100, - 0x00120100, 0x00020008, 0x00120008, 0x00020108, 0x00120108, - 0x00021000, 0x00121000, 0x00021100, 0x00121100, 0x00021008, - 0x00121008, 0x00021108, 0x00121108, 0x04020000, 0x04120000, - 0x04020100, 0x04120100, 0x04020008, 0x04120008, 0x04020108, - 0x04120108, 0x04021000, 0x04121000, 0x04021100, 0x04121100, - 0x04021008, 0x04121008, 0x04021108, 0x04121108, }, - { // for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 - 0x00000000, 0x10000000, 0x00010000, 0x10010000, 0x00000004, - 0x10000004, 0x00010004, 0x10010004, 0x20000000, 0x30000000, - 0x20010000, 0x30010000, 0x20000004, 0x30000004, 0x20010004, - 0x30010004, 0x00100000, 0x10100000, 0x00110000, 0x10110000, - 0x00100004, 0x10100004, 0x00110004, 0x10110004, 0x20100000, - 0x30100000, 0x20110000, 0x30110000, 0x20100004, 0x30100004, - 
0x20110004, 0x30110004, 0x00001000, 0x10001000, 0x00011000, - 0x10011000, 0x00001004, 0x10001004, 0x00011004, 0x10011004, - 0x20001000, 0x30001000, 0x20011000, 0x30011000, 0x20001004, - 0x30001004, 0x20011004, 0x30011004, 0x00101000, 0x10101000, - 0x00111000, 0x10111000, 0x00101004, 0x10101004, 0x00111004, - 0x10111004, 0x20101000, 0x30101000, 0x20111000, 0x30111000, - 0x20101004, 0x30101004, 0x20111004, 0x30111004, }, - { // for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 - 0x00000000, 0x08000000, 0x00000008, 0x08000008, 0x00000400, - 0x08000400, 0x00000408, 0x08000408, 0x00020000, 0x08020000, - 0x00020008, 0x08020008, 0x00020400, 0x08020400, 0x00020408, - 0x08020408, 0x00000001, 0x08000001, 0x00000009, 0x08000009, - 0x00000401, 0x08000401, 0x00000409, 0x08000409, 0x00020001, - 0x08020001, 0x00020009, 0x08020009, 0x00020401, 0x08020401, - 0x00020409, 0x08020409, 0x02000000, 0x0A000000, 0x02000008, - 0x0A000008, 0x02000400, 0x0A000400, 0x02000408, 0x0A000408, - 0x02020000, 0x0A020000, 0x02020008, 0x0A020008, 0x02020400, - 0x0A020400, 0x02020408, 0x0A020408, 0x02000001, 0x0A000001, - 0x02000009, 0x0A000009, 0x02000401, 0x0A000401, 0x02000409, - 0x0A000409, 0x02020001, 0x0A020001, 0x02020009, 0x0A020009, - 0x02020401, 0x0A020401, 0x02020409, 0x0A020409, }, - { // for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 - 0x00000000, 0x00000100, 0x00080000, 0x00080100, 0x01000000, - 0x01000100, 0x01080000, 0x01080100, 0x00000010, 0x00000110, - 0x00080010, 0x00080110, 0x01000010, 0x01000110, 0x01080010, - 0x01080110, 0x00200000, 0x00200100, 0x00280000, 0x00280100, - 0x01200000, 0x01200100, 0x01280000, 0x01280100, 0x00200010, - 0x00200110, 0x00280010, 0x00280110, 0x01200010, 0x01200110, - 0x01280010, 0x01280110, 0x00000200, 0x00000300, 0x00080200, - 0x00080300, 0x01000200, 0x01000300, 0x01080200, 0x01080300, - 0x00000210, 0x00000310, 0x00080210, 0x00080310, 0x01000210, - 0x01000310, 0x01080210, 0x01080310, 0x00200200, 0x00200300, - 0x00280200, 0x00280300, 0x01200200, 
0x01200300, 0x01280200, - 0x01280300, 0x00200210, 0x00200310, 0x00280210, 0x00280310, - 0x01200210, 0x01200310, 0x01280210, 0x01280310, }, - { // for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 - 0x00000000, 0x04000000, 0x00040000, 0x04040000, 0x00000002, - 0x04000002, 0x00040002, 0x04040002, 0x00002000, 0x04002000, - 0x00042000, 0x04042000, 0x00002002, 0x04002002, 0x00042002, - 0x04042002, 0x00000020, 0x04000020, 0x00040020, 0x04040020, - 0x00000022, 0x04000022, 0x00040022, 0x04040022, 0x00002020, - 0x04002020, 0x00042020, 0x04042020, 0x00002022, 0x04002022, - 0x00042022, 0x04042022, 0x00000800, 0x04000800, 0x00040800, - 0x04040800, 0x00000802, 0x04000802, 0x00040802, 0x04040802, - 0x00002800, 0x04002800, 0x00042800, 0x04042800, 0x00002802, - 0x04002802, 0x00042802, 0x04042802, 0x00000820, 0x04000820, - 0x00040820, 0x04040820, 0x00000822, 0x04000822, 0x00040822, - 0x04040822, 0x00002820, 0x04002820, 0x00042820, 0x04042820, - 0x00002822, 0x04002822, 0x00042822, 0x04042822, }}; + { + // for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 + 0x00000000, 0x00000010, 0x20000000, 0x20000010, 0x00010000, 0x00010010, + 0x20010000, 0x20010010, 0x00000800, 0x00000810, 0x20000800, 0x20000810, + 0x00010800, 0x00010810, 0x20010800, 0x20010810, 0x00000020, 0x00000030, + 0x20000020, 0x20000030, 0x00010020, 0x00010030, 0x20010020, 0x20010030, + 0x00000820, 0x00000830, 0x20000820, 0x20000830, 0x00010820, 0x00010830, + 0x20010820, 0x20010830, 0x00080000, 0x00080010, 0x20080000, 0x20080010, + 0x00090000, 0x00090010, 0x20090000, 0x20090010, 0x00080800, 0x00080810, + 0x20080800, 0x20080810, 0x00090800, 0x00090810, 0x20090800, 0x20090810, + 0x00080020, 0x00080030, 0x20080020, 0x20080030, 0x00090020, 0x00090030, + 0x20090020, 0x20090030, 0x00080820, 0x00080830, 0x20080820, 0x20080830, + 0x00090820, 0x00090830, 0x20090820, 0x20090830, + }, + { + // for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 + 0x00000000, 0x02000000, 0x00002000, 0x02002000, 0x00200000, 0x02200000, + 
0x00202000, 0x02202000, 0x00000004, 0x02000004, 0x00002004, 0x02002004, + 0x00200004, 0x02200004, 0x00202004, 0x02202004, 0x00000400, 0x02000400, + 0x00002400, 0x02002400, 0x00200400, 0x02200400, 0x00202400, 0x02202400, + 0x00000404, 0x02000404, 0x00002404, 0x02002404, 0x00200404, 0x02200404, + 0x00202404, 0x02202404, 0x10000000, 0x12000000, 0x10002000, 0x12002000, + 0x10200000, 0x12200000, 0x10202000, 0x12202000, 0x10000004, 0x12000004, + 0x10002004, 0x12002004, 0x10200004, 0x12200004, 0x10202004, 0x12202004, + 0x10000400, 0x12000400, 0x10002400, 0x12002400, 0x10200400, 0x12200400, + 0x10202400, 0x12202400, 0x10000404, 0x12000404, 0x10002404, 0x12002404, + 0x10200404, 0x12200404, 0x10202404, 0x12202404, + }, + { + // for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 + 0x00000000, 0x00000001, 0x00040000, 0x00040001, 0x01000000, 0x01000001, + 0x01040000, 0x01040001, 0x00000002, 0x00000003, 0x00040002, 0x00040003, + 0x01000002, 0x01000003, 0x01040002, 0x01040003, 0x00000200, 0x00000201, + 0x00040200, 0x00040201, 0x01000200, 0x01000201, 0x01040200, 0x01040201, + 0x00000202, 0x00000203, 0x00040202, 0x00040203, 0x01000202, 0x01000203, + 0x01040202, 0x01040203, 0x08000000, 0x08000001, 0x08040000, 0x08040001, + 0x09000000, 0x09000001, 0x09040000, 0x09040001, 0x08000002, 0x08000003, + 0x08040002, 0x08040003, 0x09000002, 0x09000003, 0x09040002, 0x09040003, + 0x08000200, 0x08000201, 0x08040200, 0x08040201, 0x09000200, 0x09000201, + 0x09040200, 0x09040201, 0x08000202, 0x08000203, 0x08040202, 0x08040203, + 0x09000202, 0x09000203, 0x09040202, 0x09040203, + }, + { + // for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 + 0x00000000, 0x00100000, 0x00000100, 0x00100100, 0x00000008, 0x00100008, + 0x00000108, 0x00100108, 0x00001000, 0x00101000, 0x00001100, 0x00101100, + 0x00001008, 0x00101008, 0x00001108, 0x00101108, 0x04000000, 0x04100000, + 0x04000100, 0x04100100, 0x04000008, 0x04100008, 0x04000108, 0x04100108, + 0x04001000, 0x04101000, 0x04001100, 0x04101100, 0x04001008, 
0x04101008, + 0x04001108, 0x04101108, 0x00020000, 0x00120000, 0x00020100, 0x00120100, + 0x00020008, 0x00120008, 0x00020108, 0x00120108, 0x00021000, 0x00121000, + 0x00021100, 0x00121100, 0x00021008, 0x00121008, 0x00021108, 0x00121108, + 0x04020000, 0x04120000, 0x04020100, 0x04120100, 0x04020008, 0x04120008, + 0x04020108, 0x04120108, 0x04021000, 0x04121000, 0x04021100, 0x04121100, + 0x04021008, 0x04121008, 0x04021108, 0x04121108, + }, + { + // for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 + 0x00000000, 0x10000000, 0x00010000, 0x10010000, 0x00000004, 0x10000004, + 0x00010004, 0x10010004, 0x20000000, 0x30000000, 0x20010000, 0x30010000, + 0x20000004, 0x30000004, 0x20010004, 0x30010004, 0x00100000, 0x10100000, + 0x00110000, 0x10110000, 0x00100004, 0x10100004, 0x00110004, 0x10110004, + 0x20100000, 0x30100000, 0x20110000, 0x30110000, 0x20100004, 0x30100004, + 0x20110004, 0x30110004, 0x00001000, 0x10001000, 0x00011000, 0x10011000, + 0x00001004, 0x10001004, 0x00011004, 0x10011004, 0x20001000, 0x30001000, + 0x20011000, 0x30011000, 0x20001004, 0x30001004, 0x20011004, 0x30011004, + 0x00101000, 0x10101000, 0x00111000, 0x10111000, 0x00101004, 0x10101004, + 0x00111004, 0x10111004, 0x20101000, 0x30101000, 0x20111000, 0x30111000, + 0x20101004, 0x30101004, 0x20111004, 0x30111004, + }, + { + // for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 + 0x00000000, 0x08000000, 0x00000008, 0x08000008, 0x00000400, 0x08000400, + 0x00000408, 0x08000408, 0x00020000, 0x08020000, 0x00020008, 0x08020008, + 0x00020400, 0x08020400, 0x00020408, 0x08020408, 0x00000001, 0x08000001, + 0x00000009, 0x08000009, 0x00000401, 0x08000401, 0x00000409, 0x08000409, + 0x00020001, 0x08020001, 0x00020009, 0x08020009, 0x00020401, 0x08020401, + 0x00020409, 0x08020409, 0x02000000, 0x0A000000, 0x02000008, 0x0A000008, + 0x02000400, 0x0A000400, 0x02000408, 0x0A000408, 0x02020000, 0x0A020000, + 0x02020008, 0x0A020008, 0x02020400, 0x0A020400, 0x02020408, 0x0A020408, + 0x02000001, 0x0A000001, 0x02000009, 0x0A000009, 
0x02000401, 0x0A000401, + 0x02000409, 0x0A000409, 0x02020001, 0x0A020001, 0x02020009, 0x0A020009, + 0x02020401, 0x0A020401, 0x02020409, 0x0A020409, + }, + { + // for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 + 0x00000000, 0x00000100, 0x00080000, 0x00080100, 0x01000000, 0x01000100, + 0x01080000, 0x01080100, 0x00000010, 0x00000110, 0x00080010, 0x00080110, + 0x01000010, 0x01000110, 0x01080010, 0x01080110, 0x00200000, 0x00200100, + 0x00280000, 0x00280100, 0x01200000, 0x01200100, 0x01280000, 0x01280100, + 0x00200010, 0x00200110, 0x00280010, 0x00280110, 0x01200010, 0x01200110, + 0x01280010, 0x01280110, 0x00000200, 0x00000300, 0x00080200, 0x00080300, + 0x01000200, 0x01000300, 0x01080200, 0x01080300, 0x00000210, 0x00000310, + 0x00080210, 0x00080310, 0x01000210, 0x01000310, 0x01080210, 0x01080310, + 0x00200200, 0x00200300, 0x00280200, 0x00280300, 0x01200200, 0x01200300, + 0x01280200, 0x01280300, 0x00200210, 0x00200310, 0x00280210, 0x00280310, + 0x01200210, 0x01200310, 0x01280210, 0x01280310, + }, + { + // for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 + 0x00000000, 0x04000000, 0x00040000, 0x04040000, 0x00000002, 0x04000002, + 0x00040002, 0x04040002, 0x00002000, 0x04002000, 0x00042000, 0x04042000, + 0x00002002, 0x04002002, 0x00042002, 0x04042002, 0x00000020, 0x04000020, + 0x00040020, 0x04040020, 0x00000022, 0x04000022, 0x00040022, 0x04040022, + 0x00002020, 0x04002020, 0x00042020, 0x04042020, 0x00002022, 0x04002022, + 0x00042022, 0x04042022, 0x00000800, 0x04000800, 0x00040800, 0x04040800, + 0x00000802, 0x04000802, 0x00040802, 0x04040802, 0x00002800, 0x04002800, + 0x00042800, 0x04042800, 0x00002802, 0x04002802, 0x00042802, 0x04042802, + 0x00000820, 0x04000820, 0x00040820, 0x04040820, 0x00000822, 0x04000822, + 0x00040822, 0x04040822, 0x00002820, 0x04002820, 0x00042820, 0x04042820, + 0x00002822, 0x04002822, 0x00042822, 0x04042822, + }}; static const uint32_t DES_SPtrans[8][64] = { - { // nibble 0 - 0x02080800, 0x00080000, 0x02000002, 0x02080802, 0x02000000, - 
0x00080802, 0x00080002, 0x02000002, 0x00080802, 0x02080800, - 0x02080000, 0x00000802, 0x02000802, 0x02000000, 0x00000000, - 0x00080002, 0x00080000, 0x00000002, 0x02000800, 0x00080800, - 0x02080802, 0x02080000, 0x00000802, 0x02000800, 0x00000002, - 0x00000800, 0x00080800, 0x02080002, 0x00000800, 0x02000802, - 0x02080002, 0x00000000, 0x00000000, 0x02080802, 0x02000800, - 0x00080002, 0x02080800, 0x00080000, 0x00000802, 0x02000800, - 0x02080002, 0x00000800, 0x00080800, 0x02000002, 0x00080802, - 0x00000002, 0x02000002, 0x02080000, 0x02080802, 0x00080800, - 0x02080000, 0x02000802, 0x02000000, 0x00000802, 0x00080002, - 0x00000000, 0x00080000, 0x02000000, 0x02000802, 0x02080800, - 0x00000002, 0x02080002, 0x00000800, 0x00080802, }, - { // nibble 1 - 0x40108010, 0x00000000, 0x00108000, 0x40100000, 0x40000010, - 0x00008010, 0x40008000, 0x00108000, 0x00008000, 0x40100010, - 0x00000010, 0x40008000, 0x00100010, 0x40108000, 0x40100000, - 0x00000010, 0x00100000, 0x40008010, 0x40100010, 0x00008000, - 0x00108010, 0x40000000, 0x00000000, 0x00100010, 0x40008010, - 0x00108010, 0x40108000, 0x40000010, 0x40000000, 0x00100000, - 0x00008010, 0x40108010, 0x00100010, 0x40108000, 0x40008000, - 0x00108010, 0x40108010, 0x00100010, 0x40000010, 0x00000000, - 0x40000000, 0x00008010, 0x00100000, 0x40100010, 0x00008000, - 0x40000000, 0x00108010, 0x40008010, 0x40108000, 0x00008000, - 0x00000000, 0x40000010, 0x00000010, 0x40108010, 0x00108000, - 0x40100000, 0x40100010, 0x00100000, 0x00008010, 0x40008000, - 0x40008010, 0x00000010, 0x40100000, 0x00108000, }, - { // nibble 2 - 0x04000001, 0x04040100, 0x00000100, 0x04000101, 0x00040001, - 0x04000000, 0x04000101, 0x00040100, 0x04000100, 0x00040000, - 0x04040000, 0x00000001, 0x04040101, 0x00000101, 0x00000001, - 0x04040001, 0x00000000, 0x00040001, 0x04040100, 0x00000100, - 0x00000101, 0x04040101, 0x00040000, 0x04000001, 0x04040001, - 0x04000100, 0x00040101, 0x04040000, 0x00040100, 0x00000000, - 0x04000000, 0x00040101, 0x04040100, 0x00000100, 0x00000001, - 
0x00040000, 0x00000101, 0x00040001, 0x04040000, 0x04000101, - 0x00000000, 0x04040100, 0x00040100, 0x04040001, 0x00040001, - 0x04000000, 0x04040101, 0x00000001, 0x00040101, 0x04000001, - 0x04000000, 0x04040101, 0x00040000, 0x04000100, 0x04000101, - 0x00040100, 0x04000100, 0x00000000, 0x04040001, 0x00000101, - 0x04000001, 0x00040101, 0x00000100, 0x04040000, }, - { // nibble 3 - 0x00401008, 0x10001000, 0x00000008, 0x10401008, 0x00000000, - 0x10400000, 0x10001008, 0x00400008, 0x10401000, 0x10000008, - 0x10000000, 0x00001008, 0x10000008, 0x00401008, 0x00400000, - 0x10000000, 0x10400008, 0x00401000, 0x00001000, 0x00000008, - 0x00401000, 0x10001008, 0x10400000, 0x00001000, 0x00001008, - 0x00000000, 0x00400008, 0x10401000, 0x10001000, 0x10400008, - 0x10401008, 0x00400000, 0x10400008, 0x00001008, 0x00400000, - 0x10000008, 0x00401000, 0x10001000, 0x00000008, 0x10400000, - 0x10001008, 0x00000000, 0x00001000, 0x00400008, 0x00000000, - 0x10400008, 0x10401000, 0x00001000, 0x10000000, 0x10401008, - 0x00401008, 0x00400000, 0x10401008, 0x00000008, 0x10001000, - 0x00401008, 0x00400008, 0x00401000, 0x10400000, 0x10001008, - 0x00001008, 0x10000000, 0x10000008, 0x10401000, }, - { // nibble 4 - 0x08000000, 0x00010000, 0x00000400, 0x08010420, 0x08010020, - 0x08000400, 0x00010420, 0x08010000, 0x00010000, 0x00000020, - 0x08000020, 0x00010400, 0x08000420, 0x08010020, 0x08010400, - 0x00000000, 0x00010400, 0x08000000, 0x00010020, 0x00000420, - 0x08000400, 0x00010420, 0x00000000, 0x08000020, 0x00000020, - 0x08000420, 0x08010420, 0x00010020, 0x08010000, 0x00000400, - 0x00000420, 0x08010400, 0x08010400, 0x08000420, 0x00010020, - 0x08010000, 0x00010000, 0x00000020, 0x08000020, 0x08000400, - 0x08000000, 0x00010400, 0x08010420, 0x00000000, 0x00010420, - 0x08000000, 0x00000400, 0x00010020, 0x08000420, 0x00000400, - 0x00000000, 0x08010420, 0x08010020, 0x08010400, 0x00000420, - 0x00010000, 0x00010400, 0x08010020, 0x08000400, 0x00000420, - 0x00000020, 0x00010420, 0x08010000, 0x08000020, }, - { // 
nibble 5 - 0x80000040, 0x00200040, 0x00000000, 0x80202000, 0x00200040, - 0x00002000, 0x80002040, 0x00200000, 0x00002040, 0x80202040, - 0x00202000, 0x80000000, 0x80002000, 0x80000040, 0x80200000, - 0x00202040, 0x00200000, 0x80002040, 0x80200040, 0x00000000, - 0x00002000, 0x00000040, 0x80202000, 0x80200040, 0x80202040, - 0x80200000, 0x80000000, 0x00002040, 0x00000040, 0x00202000, - 0x00202040, 0x80002000, 0x00002040, 0x80000000, 0x80002000, - 0x00202040, 0x80202000, 0x00200040, 0x00000000, 0x80002000, - 0x80000000, 0x00002000, 0x80200040, 0x00200000, 0x00200040, - 0x80202040, 0x00202000, 0x00000040, 0x80202040, 0x00202000, - 0x00200000, 0x80002040, 0x80000040, 0x80200000, 0x00202040, - 0x00000000, 0x00002000, 0x80000040, 0x80002040, 0x80202000, - 0x80200000, 0x00002040, 0x00000040, 0x80200040, }, - { // nibble 6 - 0x00004000, 0x00000200, 0x01000200, 0x01000004, 0x01004204, - 0x00004004, 0x00004200, 0x00000000, 0x01000000, 0x01000204, - 0x00000204, 0x01004000, 0x00000004, 0x01004200, 0x01004000, - 0x00000204, 0x01000204, 0x00004000, 0x00004004, 0x01004204, - 0x00000000, 0x01000200, 0x01000004, 0x00004200, 0x01004004, - 0x00004204, 0x01004200, 0x00000004, 0x00004204, 0x01004004, - 0x00000200, 0x01000000, 0x00004204, 0x01004000, 0x01004004, - 0x00000204, 0x00004000, 0x00000200, 0x01000000, 0x01004004, - 0x01000204, 0x00004204, 0x00004200, 0x00000000, 0x00000200, - 0x01000004, 0x00000004, 0x01000200, 0x00000000, 0x01000204, - 0x01000200, 0x00004200, 0x00000204, 0x00004000, 0x01004204, - 0x01000000, 0x01004200, 0x00000004, 0x00004004, 0x01004204, - 0x01000004, 0x01004200, 0x01004000, 0x00004004, }, - { // nibble 7 - 0x20800080, 0x20820000, 0x00020080, 0x00000000, 0x20020000, - 0x00800080, 0x20800000, 0x20820080, 0x00000080, 0x20000000, - 0x00820000, 0x00020080, 0x00820080, 0x20020080, 0x20000080, - 0x20800000, 0x00020000, 0x00820080, 0x00800080, 0x20020000, - 0x20820080, 0x20000080, 0x00000000, 0x00820000, 0x20000000, - 0x00800000, 0x20020080, 0x20800080, 0x00800000, 
0x00020000, - 0x20820000, 0x00000080, 0x00800000, 0x00020000, 0x20000080, - 0x20820080, 0x00020080, 0x20000000, 0x00000000, 0x00820000, - 0x20800080, 0x20020080, 0x20020000, 0x00800080, 0x20820000, - 0x00000080, 0x00800080, 0x20020000, 0x20820080, 0x00800000, - 0x20800000, 0x20000080, 0x00820000, 0x00020080, 0x20020080, - 0x20800000, 0x00000080, 0x20820000, 0x00820080, 0x00000000, - 0x20000000, 0x20800080, 0x00020000, 0x00820080, }}; + { + // nibble 0 + 0x02080800, 0x00080000, 0x02000002, 0x02080802, 0x02000000, 0x00080802, + 0x00080002, 0x02000002, 0x00080802, 0x02080800, 0x02080000, 0x00000802, + 0x02000802, 0x02000000, 0x00000000, 0x00080002, 0x00080000, 0x00000002, + 0x02000800, 0x00080800, 0x02080802, 0x02080000, 0x00000802, 0x02000800, + 0x00000002, 0x00000800, 0x00080800, 0x02080002, 0x00000800, 0x02000802, + 0x02080002, 0x00000000, 0x00000000, 0x02080802, 0x02000800, 0x00080002, + 0x02080800, 0x00080000, 0x00000802, 0x02000800, 0x02080002, 0x00000800, + 0x00080800, 0x02000002, 0x00080802, 0x00000002, 0x02000002, 0x02080000, + 0x02080802, 0x00080800, 0x02080000, 0x02000802, 0x02000000, 0x00000802, + 0x00080002, 0x00000000, 0x00080000, 0x02000000, 0x02000802, 0x02080800, + 0x00000002, 0x02080002, 0x00000800, 0x00080802, + }, + { + // nibble 1 + 0x40108010, 0x00000000, 0x00108000, 0x40100000, 0x40000010, 0x00008010, + 0x40008000, 0x00108000, 0x00008000, 0x40100010, 0x00000010, 0x40008000, + 0x00100010, 0x40108000, 0x40100000, 0x00000010, 0x00100000, 0x40008010, + 0x40100010, 0x00008000, 0x00108010, 0x40000000, 0x00000000, 0x00100010, + 0x40008010, 0x00108010, 0x40108000, 0x40000010, 0x40000000, 0x00100000, + 0x00008010, 0x40108010, 0x00100010, 0x40108000, 0x40008000, 0x00108010, + 0x40108010, 0x00100010, 0x40000010, 0x00000000, 0x40000000, 0x00008010, + 0x00100000, 0x40100010, 0x00008000, 0x40000000, 0x00108010, 0x40008010, + 0x40108000, 0x00008000, 0x00000000, 0x40000010, 0x00000010, 0x40108010, + 0x00108000, 0x40100000, 0x40100010, 0x00100000, 0x00008010, 
0x40008000, + 0x40008010, 0x00000010, 0x40100000, 0x00108000, + }, + { + // nibble 2 + 0x04000001, 0x04040100, 0x00000100, 0x04000101, 0x00040001, 0x04000000, + 0x04000101, 0x00040100, 0x04000100, 0x00040000, 0x04040000, 0x00000001, + 0x04040101, 0x00000101, 0x00000001, 0x04040001, 0x00000000, 0x00040001, + 0x04040100, 0x00000100, 0x00000101, 0x04040101, 0x00040000, 0x04000001, + 0x04040001, 0x04000100, 0x00040101, 0x04040000, 0x00040100, 0x00000000, + 0x04000000, 0x00040101, 0x04040100, 0x00000100, 0x00000001, 0x00040000, + 0x00000101, 0x00040001, 0x04040000, 0x04000101, 0x00000000, 0x04040100, + 0x00040100, 0x04040001, 0x00040001, 0x04000000, 0x04040101, 0x00000001, + 0x00040101, 0x04000001, 0x04000000, 0x04040101, 0x00040000, 0x04000100, + 0x04000101, 0x00040100, 0x04000100, 0x00000000, 0x04040001, 0x00000101, + 0x04000001, 0x00040101, 0x00000100, 0x04040000, + }, + { + // nibble 3 + 0x00401008, 0x10001000, 0x00000008, 0x10401008, 0x00000000, 0x10400000, + 0x10001008, 0x00400008, 0x10401000, 0x10000008, 0x10000000, 0x00001008, + 0x10000008, 0x00401008, 0x00400000, 0x10000000, 0x10400008, 0x00401000, + 0x00001000, 0x00000008, 0x00401000, 0x10001008, 0x10400000, 0x00001000, + 0x00001008, 0x00000000, 0x00400008, 0x10401000, 0x10001000, 0x10400008, + 0x10401008, 0x00400000, 0x10400008, 0x00001008, 0x00400000, 0x10000008, + 0x00401000, 0x10001000, 0x00000008, 0x10400000, 0x10001008, 0x00000000, + 0x00001000, 0x00400008, 0x00000000, 0x10400008, 0x10401000, 0x00001000, + 0x10000000, 0x10401008, 0x00401008, 0x00400000, 0x10401008, 0x00000008, + 0x10001000, 0x00401008, 0x00400008, 0x00401000, 0x10400000, 0x10001008, + 0x00001008, 0x10000000, 0x10000008, 0x10401000, + }, + { + // nibble 4 + 0x08000000, 0x00010000, 0x00000400, 0x08010420, 0x08010020, 0x08000400, + 0x00010420, 0x08010000, 0x00010000, 0x00000020, 0x08000020, 0x00010400, + 0x08000420, 0x08010020, 0x08010400, 0x00000000, 0x00010400, 0x08000000, + 0x00010020, 0x00000420, 0x08000400, 0x00010420, 0x00000000, 
0x08000020, + 0x00000020, 0x08000420, 0x08010420, 0x00010020, 0x08010000, 0x00000400, + 0x00000420, 0x08010400, 0x08010400, 0x08000420, 0x00010020, 0x08010000, + 0x00010000, 0x00000020, 0x08000020, 0x08000400, 0x08000000, 0x00010400, + 0x08010420, 0x00000000, 0x00010420, 0x08000000, 0x00000400, 0x00010020, + 0x08000420, 0x00000400, 0x00000000, 0x08010420, 0x08010020, 0x08010400, + 0x00000420, 0x00010000, 0x00010400, 0x08010020, 0x08000400, 0x00000420, + 0x00000020, 0x00010420, 0x08010000, 0x08000020, + }, + { + // nibble 5 + 0x80000040, 0x00200040, 0x00000000, 0x80202000, 0x00200040, 0x00002000, + 0x80002040, 0x00200000, 0x00002040, 0x80202040, 0x00202000, 0x80000000, + 0x80002000, 0x80000040, 0x80200000, 0x00202040, 0x00200000, 0x80002040, + 0x80200040, 0x00000000, 0x00002000, 0x00000040, 0x80202000, 0x80200040, + 0x80202040, 0x80200000, 0x80000000, 0x00002040, 0x00000040, 0x00202000, + 0x00202040, 0x80002000, 0x00002040, 0x80000000, 0x80002000, 0x00202040, + 0x80202000, 0x00200040, 0x00000000, 0x80002000, 0x80000000, 0x00002000, + 0x80200040, 0x00200000, 0x00200040, 0x80202040, 0x00202000, 0x00000040, + 0x80202040, 0x00202000, 0x00200000, 0x80002040, 0x80000040, 0x80200000, + 0x00202040, 0x00000000, 0x00002000, 0x80000040, 0x80002040, 0x80202000, + 0x80200000, 0x00002040, 0x00000040, 0x80200040, + }, + { + // nibble 6 + 0x00004000, 0x00000200, 0x01000200, 0x01000004, 0x01004204, 0x00004004, + 0x00004200, 0x00000000, 0x01000000, 0x01000204, 0x00000204, 0x01004000, + 0x00000004, 0x01004200, 0x01004000, 0x00000204, 0x01000204, 0x00004000, + 0x00004004, 0x01004204, 0x00000000, 0x01000200, 0x01000004, 0x00004200, + 0x01004004, 0x00004204, 0x01004200, 0x00000004, 0x00004204, 0x01004004, + 0x00000200, 0x01000000, 0x00004204, 0x01004000, 0x01004004, 0x00000204, + 0x00004000, 0x00000200, 0x01000000, 0x01004004, 0x01000204, 0x00004204, + 0x00004200, 0x00000000, 0x00000200, 0x01000004, 0x00000004, 0x01000200, + 0x00000000, 0x01000204, 0x01000200, 0x00004200, 0x00000204, 
0x00004000,
+ 0x01004204, 0x01000000, 0x01004200, 0x00000004, 0x00004004, 0x01004204,
+ 0x01000004, 0x01004200, 0x01004000, 0x00004004,
+ },
+ {
+ // nibble 7
+ 0x20800080, 0x20820000, 0x00020080, 0x00000000, 0x20020000, 0x00800080,
+ 0x20800000, 0x20820080, 0x00000080, 0x20000000, 0x00820000, 0x00020080,
+ 0x00820080, 0x20020080, 0x20000080, 0x20800000, 0x00020000, 0x00820080,
+ 0x00800080, 0x20020000, 0x20820080, 0x20000080, 0x00000000, 0x00820000,
+ 0x20000000, 0x00800000, 0x20020080, 0x20800080, 0x00800000, 0x00020000,
+ 0x20820000, 0x00000080, 0x00800000, 0x00020000, 0x20000080, 0x20820080,
+ 0x00020080, 0x20000000, 0x00000000, 0x00820000, 0x20800080, 0x20020080,
+ 0x20020000, 0x00800080, 0x20820000, 0x00000080, 0x00800080, 0x20020000,
+ 0x20820080, 0x00800000, 0x20800000, 0x20000080, 0x00820000, 0x00020080,
+ 0x20020080, 0x20800000, 0x00000080, 0x20820000, 0x00820080, 0x00000000,
+ 0x20000000, 0x20800080, 0x00020000, 0x00820080,
+ }};
 #define HPERM_OP(a, t, n, m) \
 ((t) = ((((a) << (16 - (n))) ^ (a)) & (m)), \
@@ -403,8 +403,8 @@ void DES_set_key_ex(const uint8_t key[8], DES_key_schedule *schedule) {
 PERM_OP(d, c, t, 1, 0x55555555);
 PERM_OP(c, d, t, 8, 0x00ff00ff);
 PERM_OP(d, c, t, 1, 0x55555555);
- d = (((d & 0x000000ff) << 16) | (d & 0x0000ff00) |
- ((d & 0x00ff0000) >> 16) | ((c & 0xf0000000) >> 4));
+ d = (((d & 0x000000ff) << 16) | (d & 0x0000ff00) | ((d & 0x00ff0000) >> 16) |
+ ((c & 0xf0000000) >> 4));
 c &= 0x0fffffff;
 for (i = 0; i < ITERATIONS; i++) {
@@ -419,12 +419,12 @@ void DES_set_key_ex(const uint8_t key[8], DES_key_schedule *schedule) {
 d &= 0x0fffffff;
 // could be a few less shifts but I am to lazy at this
 // point in time to investigate
- s = des_skb[0][(c) & 0x3f] |
+ s = des_skb[0][(c)&0x3f] |
 des_skb[1][((c >> 6) & 0x03) | ((c >> 7) & 0x3c)] |
 des_skb[2][((c >> 13) & 0x0f) | ((c >> 14) & 0x30)] |
- des_skb[3][((c >> 20) & 0x01) | ((c >> 21) & 0x06) |
- ((c >> 22) & 0x38)];
- t = des_skb[4][(d) & 0x3f] |
+ des_skb[3]
+ [((c >> 20) & 0x01) | ((c >> 21) & 0x06) | ((c >> 22) & 0x38)];
+ t = des_skb[4][(d)&0x3f] |
 des_skb[5][((d >> 7) & 0x03) | ((d >> 8) & 0x3c)] |
 des_skb[6][(d >> 15) & 0x3f] |
 des_skb[7][((d >> 21) & 0x0f) | ((d >> 22) & 0x30)];
@@ -454,8 +454,7 @@ static int DES_check_key_parity(const DES_cblock *key) {
 return result & 1;
 }
-int DES_set_key(const DES_cblock *key, DES_key_schedule *schedule)
-{
+int DES_set_key(const DES_cblock *key, DES_key_schedule *schedule) {
 int result = 0;
 if (!DES_check_key_parity(key)) {
@@ -490,8 +489,7 @@ static const uint8_t kOddParity[256] = {
 211, 211, 213, 213, 214, 214, 217, 217, 218, 218, 220, 220, 223, 223, 224, 224, 227, 227, 229, 229, 230, 230, 233, 233, 234, 234, 236, 236, 239, 239, 241, 241, 242, 242, 244, 244, 247, 247, 248, 248, 251, 251, 253, 253, 254,
- 254
-};
+ 254};
 void DES_set_odd_parity(DES_cblock *key) {
 unsigned i;
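Review bot: The reformatted `s = des_skb[0][(c)&0x3f] |` and `t = des_skb[4][(d)&0x3f] |` now read as if `(c)` were a cast applied to `&0x3f`; the formatter presumably treated the parenthesised identifier as a cast, which is why the spaces around `&` vanished. The parentheses around a bare identifier serve no purpose here, so `s = des_skb[0][c & 0x3f] |` and `t = des_skb[4][d & 0x3f] |` would both read correctly and format normally. The `des_skb[3]` / `[((c >> 20) & 0x01) | ...]` split across two lines is legal but hides that it is a single subscript; a short local for that six-bit index would keep it on one line. DES_set_key_ex begins and ends outside this hunk.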
@@ -504,12 +502,14 @@ void DES_set_odd_parity(DES_cblock *key) {
 // Weak keys have unintended behaviors which may hurt the security of their use
 // see SP 800-67r2 section 3.3.2
 static const DES_cblock weak_keys[] = {
- // Weak keys: encryption is equal to decryption (encrypting twice produces the original plaintext)
+ // Weak keys: encryption is equal to decryption (encrypting twice produces
+ // the original plaintext)
 {{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}},
 {{0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE}},
 {{0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E}},
 {{0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1}},
- // Semi-weak keys: encryption with one of these keys is equal to encryption with a different key
+ // Semi-weak keys: encryption with one of these keys is equal to encryption
+ // with a different key
 {{0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE}},
 {{0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01}},
 {{0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1}},
@@ -521,11 +521,9 @@ static const DES_cblock weak_keys[] = {
 {{0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E}},
 {{0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01}},
 {{0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE}},
- {{0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1}}
-};
+ {{0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1}}};
-int DES_is_weak_key(const DES_cblock *key)
-{
+int DES_is_weak_key(const DES_cblock *key) {
 crypto_word_t result = 0;
 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(weak_keys); i++) {
 int match = CRYPTO_memcmp(&weak_keys[i], key, sizeof(DES_cblock));
@@ -924,8 +922,7 @@ void DES_ede3_cbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len,
 void DES_ede2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, const DES_key_schedule *ks1,
- const DES_key_schedule *ks2,
- DES_cblock *ivec,
+ const DES_key_schedule *ks2, DES_cblock *ivec,
 int enc) {
 DES_ede3_cbc_encrypt(in, out, len, ks1, ks2, ks1, ivec, enc);
 }
diff --git a/crypto/des/des_test.cc b/crypto/des/des_test.cc
index 468f53cf24..8adcc6b2fe 100644
--- a/crypto/des/des_test.cc
+++ b/crypto/des/des_test.cc
@@ -7,13 +7,14 @@ TEST(DESTest, WeakKeys) {
 // The all 2 key is not weak and has odd parity
- DES_cblock validKey = {{2, 2, 2, 2, 2, 2, 2, 2}};
+ DES_cblock validKey = {{2, 2, 2, 2, 2, 2, 2, 2}};
 EXPECT_FALSE(DES_is_weak_key(&validKey));
 DES_key_schedule des;
 EXPECT_EQ(0, DES_set_key(&validKey, &des));
 // Weak key example from SP 800-67r2 section 3.3.2
- static const DES_cblock weakKey = {{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}};
+ static const DES_cblock weakKey = {
+ {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}};
 EXPECT_TRUE(DES_is_weak_key(&weakKey));
 EXPECT_EQ(-2, DES_set_key(&weakKey, &des));
 }
diff --git a/crypto/dh_extra/dh_asn1.c b/crypto/dh_extra/dh_asn1.c
index 4e2e2c44f8..91b0a2c345 100644
--- a/crypto/dh_extra/dh_asn1.c
+++ b/crypto/dh_extra/dh_asn1.c
@@ -92,15 +92,13 @@ DH *DH_parse_parameters(CBS *cbs) {
 CBS child;
 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
- !parse_integer(&child, &ret->p) ||
- !parse_integer(&child, &ret->g)) {
+ !parse_integer(&child, &ret->p) || !parse_integer(&child, &ret->g)) {
 goto err;
 }
 uint64_t priv_length;
 if (CBS_len(&child) != 0) {
- if (!CBS_get_asn1_uint64(&child, &priv_length) ||
- priv_length > UINT_MAX) {
+ if (!CBS_get_asn1_uint64(&child, &priv_length) || priv_length > UINT_MAX) {
 goto err;
 }
 ret->priv_length = (unsigned)priv_length;
@@ -125,10 +123,8 @@ DH *DH_parse_parameters(CBS *cbs) {
 int DH_marshal_parameters(CBB *cbb, const DH *dh) {
 CBB child;
 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
- !marshal_integer(&child, dh->p) ||
- !marshal_integer(&child, dh->g) ||
- (dh->priv_length != 0 &&
- !CBB_add_asn1_uint64(&child, dh->priv_length)) ||
+ !marshal_integer(&child, dh->p) || !marshal_integer(&child, dh->g) ||
+ (dh->priv_length != 0 && !CBB_add_asn1_uint64(&child, dh->priv_length)) ||
 !CBB_flush(cbb)) {
 OPENSSL_PUT_ERROR(DH, DH_R_ENCODE_ERROR);
 return 0;
@@ -156,8 +152,7 @@ DH *d2i_DHparams(DH **out, const uint8_t **inp, long len) {
 int i2d_DHparams(const DH *in, uint8_t **outp) {
 CBB cbb;
- if (!CBB_init(&cbb, 0) ||
- !DH_marshal_parameters(&cbb, in)) {
+ if (!CBB_init(&cbb, 0) || !DH_marshal_parameters(&cbb, in)) {
 CBB_cleanup(&cbb);
 return -1;
 }
diff --git a/crypto/dh_extra/dh_test.cc b/crypto/dh_extra/dh_test.cc
index 149a4ca19b..5fdcc7b20a 100644
--- a/crypto/dh_extra/dh_test.cc
+++ b/crypto/dh_extra/dh_test.cc
@@ -321,7 +321,8 @@ TEST(DHTest, ASN1) {
 EXPECT_EQ(Bytes(kParamsDSA), Bytes(der, der_len));
 }
-static void check_bn_matches_bytes(std::vector bytes, const BIGNUM*bn) {
+static void check_bn_matches_bytes(std::vector bytes,
+ const BIGNUM *bn) {
 uint8_t buffer[4096];
 ASSERT_EQ(BN_bn2bin(bn, buffer), bytes.size());
 EXPECT_EQ(Bytes(buffer, bytes.size()), Bytes(bytes));
@@ -329,9 +330,9 @@ static void check_bn_matches_bytes(std::vector bytes, const BIGNUM*bn)
 static std::vector rfc_string_to_bytes(const char *str) {
 std::string string(str);
- string.erase(std::remove_if(string.begin(),string.end(), ::isspace),string.end());
+ string.erase(std::remove_if(string.begin(), string.end(), ::isspace),
+ string.end());
 return HexToBytes(string.c_str());
-
 }
 TEST(DHTest, RFC3526) {
@@ -340,14 +341,14 @@ TEST(DHTest, RFC3526) {
 // Taken from section 2
 std::vector kPrime1536 = rfc_string_to_bytes(
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1"
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD"
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245"
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D"
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F"
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D"
- "670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF");
+ "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1"
+ "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD"
+ "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245"
+ "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
+ "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D"
+ "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F"
+ "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D"
+ "670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF");
 check_bn_matches_bytes(kPrime1536, bn.get());
 }
@@ -361,30 +362,30 @@ TEST(DHTest, RFC7919) {
 };
 testInput testInputs[] = {
 {NID_ffdhe2048,
- rfc_string_to_bytes(
- "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1"
- "D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9"
- "7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561"
- "2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935"
- "984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735"
- "30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB"
- "B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19"
- "0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61"
- "9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73"
- "3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA"
- "886B4238 61285C97 FFFFFFFF FFFFFFFF"),
- rfc_string_to_bytes(
- "7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78"
- "EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C"
- "BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0"
- "9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A"
- "CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A"
- "98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD"
- "DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C"
- "8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0"
- "C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9"
- "9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD"
- "4435A11C 30942E4B FFFFFFFF FFFFFFFF")},
+ rfc_string_to_bytes(
+ "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1"
+ "D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9"
+ "7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561"
+ "2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935"
+ "984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735"
+ "30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB"
+ "B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19"
+ "0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61"
+ "9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73"
+ "3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA"
+ "886B4238 61285C97 FFFFFFFF FFFFFFFF"),
+ rfc_string_to_bytes(
+ "7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78"
+ "EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C"
+ "BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0"
+ "9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A"
+ "CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A"
+ "98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD"
+ "DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C"
+ "8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0"
+ "C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9"
+ "9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD"
+ "4435A11C 30942E4B FFFFFFFF FFFFFFFF")},
 {NID_ffdhe3072,
 rfc_string_to_bytes(
 "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1"
@@ -421,52 +422,52 @@ TEST(DHTest, RFC7919) {
 "D5E290CB CD86F56D 0EDFCD21 6AE22427 055E6835 FD29EEF7"
 "9E0D9077 1FEACEBE 12F20E95 B363171B FFFFFFFF FFFFFFFF")},
 {NID_ffdhe4096,
- rfc_string_to_bytes(
- "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1"
- "D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9"
- "7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561"
- "2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935"
- "984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735"
- "30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB"
- "B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19"
- "0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61"
- "9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73"
- "3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA"
- "886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238"
- "61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C"
- "AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3"
- "64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D"
- "ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF"
- "3C1B20EE 3FD59D7C 25E41D2B 669E1EF1 6E6F52C3 164DF4FB"
- "7930E9E4 E58857B6 AC7D5F42 D69F6D18 7763CF1D 55034004"
- "87F55BA5 7E31CC7A 7135C886 EFB4318A ED6A1E01 2D9E6832"
- "A907600A 918130C4 6DC778F9 71AD0038 092999A3 33CB8B7A"
- "1A1DB93D 7140003C 2A4ECEA9 F98D0ACC 0A8291CD CEC97DCF"
- "8EC9B55A 7F88A46B 4DB5A851 F44182E1 C68A007E 5E655F6A"
- "FFFFFFFF FFFFFFFF"),
- rfc_string_to_bytes(
- "7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78"
- "EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C"
- "BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0"
- "9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A"
- "CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A"
- "98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD"
- "DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C"
- "8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0"
- "C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9"
- "9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD"
- "4435A11C 308FE7EE 6F1AAD9D B28C81AD DE1A7A6F 7CCE011C"
- "30DA37E4 EB736483 BD6C8E93 48FBFBF7 2CC6587D 60C36C8E"
- "577F0984 C289C938 5A098649 DE21BCA2 7A7EA229 716BA6E9"
- "B279710F 38FAA5FF AE574155 CE4EFB4F 743695E2 911B1D06"
- "D5E290CB CD86F56D 0EDFCD21 6AE22427 055E6835 FD29EEF7"
- "9E0D9077 1FEACEBE 12F20E95 B34F0F78 B737A961 8B26FA7D"
- "BC9874F2 72C42BDB 563EAFA1 6B4FB68C 3BB1E78E AA81A002"
- "43FAADD2 BF18E63D 389AE443 77DA18C5 76B50F00 96CF3419"
- "5483B005 48C09862 36E3BC7C B8D6801C 0494CCD1 99E5C5BD"
- "0D0EDC9E B8A0001E 15276754 FCC68566 054148E6 E764BEE7"
- "C764DAAD 3FC45235 A6DAD428 FA20C170 E345003F 2F32AFB5"
- "7FFFFFFF FFFFFFFF")},
+ rfc_string_to_bytes(
+ "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1"
+ "D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9"
+ "7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561"
+ "2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935"
+ "984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735"
+ "30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB"
+ "B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19"
+ "0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61"
+ "9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73"
+ "3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA"
+ "886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238"
+ "61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C"
+ "AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3"
+ "64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D"
+ "ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF"
+ "3C1B20EE 3FD59D7C 25E41D2B 669E1EF1 6E6F52C3 164DF4FB"
+ "7930E9E4 E58857B6 AC7D5F42 D69F6D18 7763CF1D 55034004"
+ "87F55BA5 7E31CC7A 7135C886 EFB4318A ED6A1E01 2D9E6832"
+ "A907600A 918130C4 6DC778F9 71AD0038 092999A3 33CB8B7A"
+ "1A1DB93D 7140003C 2A4ECEA9 F98D0ACC 0A8291CD CEC97DCF"
+ "8EC9B55A 7F88A46B 4DB5A851 F44182E1 C68A007E 5E655F6A"
+ "FFFFFFFF FFFFFFFF"),
+ rfc_string_to_bytes(
+ "7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78"
+ "EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C"
+ "BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0"
+ "9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A"
+ "CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A"
+ "98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD"
+ "DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C"
+ "8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0"
+ "C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9"
+ "9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD"
+ "4435A11C 308FE7EE 6F1AAD9D B28C81AD DE1A7A6F 7CCE011C"
+ "30DA37E4 EB736483 BD6C8E93 48FBFBF7 2CC6587D 60C36C8E"
+ "577F0984 C289C938 5A098649 DE21BCA2 7A7EA229 716BA6E9"
+ "B279710F 38FAA5FF AE574155 CE4EFB4F 743695E2 911B1D06"
+ "D5E290CB CD86F56D 0EDFCD21 6AE22427 055E6835 FD29EEF7"
+ "9E0D9077 1FEACEBE 12F20E95 B34F0F78 B737A961 8B26FA7D"
+ "BC9874F2 72C42BDB 563EAFA1 6B4FB68C 3BB1E78E AA81A002"
+ "43FAADD2 BF18E63D 389AE443 77DA18C5 76B50F00 96CF3419"
+ "5483B005 48C09862 36E3BC7C B8D6801C 0494CCD1 99E5C5BD"
+ "0D0EDC9E B8A0001E 15276754 FCC68566 054148E6 E764BEE7"
+ "C764DAAD 3FC45235 A6DAD428 FA20C170 E345003F 2F32AFB5"
+ "7FFFFFFF FFFFFFFF")},
 {NID_ffdhe8192,
 rfc_string_to_bytes(
 "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1"
@@ -587,25 +588,25 @@ TEST(DHExpectedTestnputTest, CalculateSharedSecretMatches) {
 testInput testInputs[] = {
 {NID_ffdhe2048,
 HexToBytes(
- "50f2d9e890e290c60618a15fb314b71f9b24f4942db80ef29d1de007b5fc7a89"
- "2f80d15b4b22a131e505beebc98d27d96eaade29d293b035f8b38b64d8927b16"
- "ff3aebb887e14c56f889f5bf9fc248a2bf7e575fcc112c53f01048fa5127459c"
- "e06ca98cd961a3a3aa075688da64c4983ee44668fdef1dcabc7791e4906f9301"
- "eb0189b35c768c9c5b8e819f78c998a631ff9ded899080c4fb3cbd264689059e"
- "6d8adca7df629fde5c2c73aeef7c39b464ebe833689e6dd85e08dbfaad89bbf9"
- "140d15b5b2b31ec9b046a891fde9503234bf1c7818ec44ce00c103787e971b23"
- "b7214a93cdf98b4f1920ec1f55ddb4507b5e80301d068ab76ec3df34d440089a"),
+ "50f2d9e890e290c60618a15fb314b71f9b24f4942db80ef29d1de007b5fc7a89"
+ "2f80d15b4b22a131e505beebc98d27d96eaade29d293b035f8b38b64d8927b16"
+ "ff3aebb887e14c56f889f5bf9fc248a2bf7e575fcc112c53f01048fa5127459c"
+ "e06ca98cd961a3a3aa075688da64c4983ee44668fdef1dcabc7791e4906f9301"
+ "eb0189b35c768c9c5b8e819f78c998a631ff9ded899080c4fb3cbd264689059e"
+ "6d8adca7df629fde5c2c73aeef7c39b464ebe833689e6dd85e08dbfaad89bbf9"
+ "140d15b5b2b31ec9b046a891fde9503234bf1c7818ec44ce00c103787e971b23"
+ "b7214a93cdf98b4f1920ec1f55ddb4507b5e80301d068ab76ec3df34d440089a"),
 HexToBytes(
- "aabbccddeeff11223344556677889900aabbccddeeff11223344556677889900"),
+ "aabbccddeeff11223344556677889900aabbccddeeff11223344556677889900"),
 HexToBytes(
- "897396da313e171565c15595197c521862358a5071db94b50ac24952b5619c94"
- "3e4fffdb56dcfcfae886709038553b1ec7e4b6f165454ff09250662f4ea65cd9"
- "86b0040de370637e053495ba08cf649e6e53a5fcc58334496061f2cc8a375d32"
- "293cd2979283bedd08a2eb9a53a0f106fa29c6775b4d45cdf6b8516afb41ebfa"
- "3a487510d8f3c4d337a0af880271ebfa28b5551286cb3c3b2cb6a2cc35116816"
- "5e0a3a1f930bc547149fd6dfe1dc7ad7945dd74a38d46a6bc7658ac953b43770"
- "b5d9212737a3cef574796c50aaa4168f07ddabccf5d12d8f87808e526cf68e15"
- "224b8eb822048df910fe36a84a752177dbfce76a90f1ae864543e721d7885ad7")},
+ "897396da313e171565c15595197c521862358a5071db94b50ac24952b5619c94"
+ "3e4fffdb56dcfcfae886709038553b1ec7e4b6f165454ff09250662f4ea65cd9"
+ "86b0040de370637e053495ba08cf649e6e53a5fcc58334496061f2cc8a375d32"
+ "293cd2979283bedd08a2eb9a53a0f106fa29c6775b4d45cdf6b8516afb41ebfa"
+ "3a487510d8f3c4d337a0af880271ebfa28b5551286cb3c3b2cb6a2cc35116816"
+ "5e0a3a1f930bc547149fd6dfe1dc7ad7945dd74a38d46a6bc7658ac953b43770"
+ "b5d9212737a3cef574796c50aaa4168f07ddabccf5d12d8f87808e526cf68e15"
+ "224b8eb822048df910fe36a84a752177dbfce76a90f1ae864543e721d7885ad7")},
 {NID_ffdhe3072,
 HexToBytes(
 "b3955fefb03b1979f9bd6c26d8d7820ed1d14155f6d8f08c94480bee2753f659bcf"
@@ -637,42 +638,41 @@ TEST(DHExpectedTestnputTest, CalculateSharedSecretMatches) {
 "bfebcb188edcc5b27385eab0588ad4a")},
 {NID_ffdhe4096,
 HexToBytes(
- "525b74f0c4c3d942cd65f924cebd4f76a1ec2c866d48462e1c468f75070b18bc"
- "d6f4ce8d874895d6a9d2ad55781fcc1406b61526d1667954674cf6bb2d873ad4"
- "1128bb3f9412be3f452582bb9ea6091a39b05cd877a7774e52e44e9066a96cf2"
- "f6829f96e6e26a892cca132ae31dc771b333f4f0e011a9c9c83b245865b24ff9"
- "f6bda4adcdee17195518c58d6821f2819498631ab83a8a99e7f33bdd98d2821b"
- "e01dbd8d83dcbee7d1302597354bef404f2f17cac5febfe7cc6c5860faa39ceb"
- "236eceddf59c7d463071d2715612ed78c35d6e3783da3042862068cf206a08fe"
- "ce83f60572db55c60f6f6811f359b6f1d504e33d3054c0fe083dc7e73030ed42"
- "7f079ce60324e71e81fed25c11d2dc853a9fa9f2f64c33f92618d01b8b9bdde6"
- "2792fbc353aeb97f370f0ef85bbbd0eccbfd7104f6c4e77c7b26ff380aedb4e4"
- "f974706aa9b4c8eeb924c72d233aa90b8d0376f540ff4af63fa4a7baf47b035f"
- "f2a1564080e2c31bfc4fad3834d021858e26e4710db3e37144332b909f3340a8"
- "805b66a7cf042c37797bd46f784793e49cb16e3728e1fc6c98986d21027303ef"
- "898d32caf0131c323518ced384a9b7ae0c45c15edcb054dfe7044af3ec616ce8"
- "e5870ea2bef5aa40f4e65721d724ec68774638b13350abbb1f2ac22b0852c6e3"
- "4ab2608390ec3b971021c0c20e18e2cbcc89b1eea1c2ecb1db6eeaf4195ec7f2"),
+ "525b74f0c4c3d942cd65f924cebd4f76a1ec2c866d48462e1c468f75070b18bc"
+ "d6f4ce8d874895d6a9d2ad55781fcc1406b61526d1667954674cf6bb2d873ad4"
+ "1128bb3f9412be3f452582bb9ea6091a39b05cd877a7774e52e44e9066a96cf2"
+ "f6829f96e6e26a892cca132ae31dc771b333f4f0e011a9c9c83b245865b24ff9"
+ "f6bda4adcdee17195518c58d6821f2819498631ab83a8a99e7f33bdd98d2821b"
+ "e01dbd8d83dcbee7d1302597354bef404f2f17cac5febfe7cc6c5860faa39ceb"
+ "236eceddf59c7d463071d2715612ed78c35d6e3783da3042862068cf206a08fe"
+ "ce83f60572db55c60f6f6811f359b6f1d504e33d3054c0fe083dc7e73030ed42"
+ "7f079ce60324e71e81fed25c11d2dc853a9fa9f2f64c33f92618d01b8b9bdde6"
+ "2792fbc353aeb97f370f0ef85bbbd0eccbfd7104f6c4e77c7b26ff380aedb4e4"
+ "f974706aa9b4c8eeb924c72d233aa90b8d0376f540ff4af63fa4a7baf47b035f"
+ "f2a1564080e2c31bfc4fad3834d021858e26e4710db3e37144332b909f3340a8"
+ "805b66a7cf042c37797bd46f784793e49cb16e3728e1fc6c98986d21027303ef"
+ "898d32caf0131c323518ced384a9b7ae0c45c15edcb054dfe7044af3ec616ce8"
+ "e5870ea2bef5aa40f4e65721d724ec68774638b13350abbb1f2ac22b0852c6e3"
+ "4ab2608390ec3b971021c0c20e18e2cbcc89b1eea1c2ecb1db6eeaf4195ec7f2"),
 HexToBytes(
- "aabbccddeeff11223344556677889900aabbccddeeff11223344556677889900"),
+ "aabbccddeeff11223344556677889900aabbccddeeff11223344556677889900"),
 HexToBytes(
- "ba7d5bb3682473327e80c07bcfd58a6af9bf0fa4662288291feb847cc8121ca6"
- "12ff09bc9d46e3a76f44bad0006e1babdafef5091aed25e53037a9077af93bc5"
- "76910dbc3e6d345174b36dbec2ab92e0744dc4f5d1d25596b9aa53bc10c22dfe"
- "fec93c178b8ffd4388c07ffa9ad8a7f22c274066c92f8063b1665609aa224039"
- "aff15fb5ac07b21f9c81aace529ad5c29688d6940996b5e3a47de1b8cd3b212a"
- "3e534677df246375679cc014a77c3cc4e14aaa5eb4fc4d0f8a542a0e833a16f4"
- "dc5c46f11c5ffe14152b9c7f9e504ae01ff84db158b9e48e9fbc46b99190cad2"
- "e22113797dc7c81ad7c86bcd5e75405226459bb54b26fae179378e377ce5618e"
- "65f04d2213e1991cefe991ec43272b6c7d93b51e2ccc3bf64486efd1e5c73b3b"
- "f9344271ab9fbc43af41232ae7524c8213433ef39c64481e9cd06b9f9dc34226"
- "85dfb2d69b8dc1af0f44d6f52d1d857ec28d93f459a23386ecfe5d97130e201d"
- "90f159ff5995bbf766ceb38594b7a3192c99432e007b99f1ea7a828d15a1cba6"
- "d86cd020ff64b1774cd35e33e3696a98574cedb64534f8ca88e2690709718d66"
- "f4b88d759689819cde545d202b641b0529a02d588ff4c6b832c3f5a3d9bec9ec"
- "ce0fb9af978b76bf93eba919c5bef844b4b1e2bff3d3758b577c70fa78d89a1d"
- "d5a1864a2d3795c3668562c67aa77265f38812f001d28b25f7965109481ec2c7")
- },
+ "ba7d5bb3682473327e80c07bcfd58a6af9bf0fa4662288291feb847cc8121ca6"
+ "12ff09bc9d46e3a76f44bad0006e1babdafef5091aed25e53037a9077af93bc5"
+ "76910dbc3e6d345174b36dbec2ab92e0744dc4f5d1d25596b9aa53bc10c22dfe"
+ "fec93c178b8ffd4388c07ffa9ad8a7f22c274066c92f8063b1665609aa224039"
+ "aff15fb5ac07b21f9c81aace529ad5c29688d6940996b5e3a47de1b8cd3b212a"
+ "3e534677df246375679cc014a77c3cc4e14aaa5eb4fc4d0f8a542a0e833a16f4"
+ "dc5c46f11c5ffe14152b9c7f9e504ae01ff84db158b9e48e9fbc46b99190cad2"
+ "e22113797dc7c81ad7c86bcd5e75405226459bb54b26fae179378e377ce5618e"
+ "65f04d2213e1991cefe991ec43272b6c7d93b51e2ccc3bf64486efd1e5c73b3b"
+ "f9344271ab9fbc43af41232ae7524c8213433ef39c64481e9cd06b9f9dc34226"
+ "85dfb2d69b8dc1af0f44d6f52d1d857ec28d93f459a23386ecfe5d97130e201d"
+ "90f159ff5995bbf766ceb38594b7a3192c99432e007b99f1ea7a828d15a1cba6"
+ "d86cd020ff64b1774cd35e33e3696a98574cedb64534f8ca88e2690709718d66"
+ "f4b88d759689819cde545d202b641b0529a02d588ff4c6b832c3f5a3d9bec9ec"
+ "ce0fb9af978b76bf93eba919c5bef844b4b1e2bff3d3758b577c70fa78d89a1d"
+ "d5a1864a2d3795c3668562c67aa77265f38812f001d28b25f7965109481ec2c7")},
 {NID_ffdhe8192,
 HexToBytes(
 "9d8f631335eb2f802176a33b08ea7553398407e474f2b8031fbefe1f62cdec9798d"
@@ -1053,13 +1053,16 @@ TEST(DHTest, DHCheckForStandardParams) {
 }
 TEST(DHTest, DHMarshalPubKey) {
- const char* dh512_pem =
- "-----BEGIN DH PARAMETERS-----\n"
- "MEYCQQDqvLe5oX3p+Dw8T7NWG7nlWVFK58Ev74xvxYH72DC4kqfPEFPvNnCpFoRB\n"
- "RdxOz7DZ6JO/GxobSRyAAI766+GDAgEC\n"
- "-----END DH PARAMETERS-----";
+ const char *dh512_pem =
+ "-----BEGIN DH PARAMETERS-----\n"
+ "MEYCQQDqvLe5oX3p+Dw8T7NWG7nlWVFK58Ev74xvxYH72DC4kqfPEFPvNnCpFoRB\n"
+ "RdxOz7DZ6JO/GxobSRyAAI766+GDAgEC\n"
+ "-----END DH PARAMETERS-----";
 const uint64_t encoded_g = 2;
- const char encoded_p_dec_str[] = "12294183602774786812319504504704470077603616440910559765086569005477513835495488680341310019770549315448633656928525381740662262980129138358936697450520963";
+ const char encoded_p_dec_str[] =
+ "122941836027747868123195045047044700776036164409105597650865690054775138"
+ "354954886803413100197705493154486336569285253817406622629801291383589366"
+ "97450520963";
 bssl::UniquePtr epkey_dh_params(nullptr);
 {
@@ -1101,7 +1104,7 @@ TEST(DHTest, DHMarshalPubKey) {
 }
 // Marshall pubkey to der
- const uint8_t* pubkey_der = NULL;
+ const uint8_t *pubkey_der = NULL;
 size_t pubkey_der_len = 0;
 {
 bssl::UniquePtr out_bio(BIO_new(BIO_s_mem()));
@@ -1112,7 +1115,7 @@ TEST(DHTest, DHMarshalPubKey) {
 ASSERT_GT(pubkey_der_len, (size_t)0);
 ASSERT_NE(pubkey_der, nullptr);
 // We own the allocation after this
- pubkey_der = (const uint8_t*)OPENSSL_memdup(pubkey_der, pubkey_der_len);
+ pubkey_der = (const uint8_t *)OPENSSL_memdup(pubkey_der, pubkey_der_len);
 }
 // Parse der to pubkey
@@ -1120,7 +1123,7 @@ TEST(DHTest, DHMarshalPubKey) {
 {
 bssl::UniquePtr in_bio(BIO_new_mem_buf(pubkey_der, pubkey_der_len));
 ASSERT_TRUE(in_bio);
- EVP_PKEY* parsed_dh_pubkey_raw = nullptr;
+ EVP_PKEY *parsed_dh_pubkey_raw = nullptr;
 ASSERT_TRUE(d2i_PUBKEY_bio(in_bio.get(), &parsed_dh_pubkey_raw));
 parsed_der_pubkey.reset(parsed_dh_pubkey_raw);
 ASSERT_TRUE(parsed_der_pubkey);
@@ -1129,7 +1132,7 @@ TEST(DHTest, DHMarshalPubKey) {
 ASSERT_TRUE(EVP_PKEY_cmp(gen_dh.get(), parsed_der_pubkey.get()));
 // Marshall pubkey to PEM
- const uint8_t* pubkey_pem = NULL;
+ const uint8_t *pubkey_pem = NULL;
 size_t pubkey_pem_len = 0;
 {
 bssl::UniquePtr out_bio(BIO_new(BIO_s_mem()));
@@ -1140,7 +1143,7 @@ TEST(DHTest, DHMarshalPubKey) {
 ASSERT_GT(pubkey_pem_len, (size_t)0);
 ASSERT_TRUE(pubkey_pem);
 // We own the allocation after this
- pubkey_pem = (const uint8_t*)OPENSSL_memdup(pubkey_pem, pubkey_pem_len);
+ pubkey_pem = (const uint8_t *)OPENSSL_memdup(pubkey_pem, pubkey_pem_len);
 }
 // Parse PEM to pubkey
@@ -1148,7 +1151,7 @@ TEST(DHTest, DHMarshalPubKey) {
 {
 bssl::UniquePtr in_bio(BIO_new_mem_buf(pubkey_pem, pubkey_pem_len));
 ASSERT_TRUE(in_bio);
- EVP_PKEY* pem_pubkey_raw = NULL;
+ EVP_PKEY *pem_pubkey_raw = NULL;
 ASSERT_TRUE(PEM_read_bio_PUBKEY(in_bio.get(), &pem_pubkey_raw, NULL, NULL));
 parsed_pem_pubkey.reset(pem_pubkey_raw);
 ASSERT_TRUE(parsed_pem_pubkey);
@@ -1156,6 +1159,6 @@ TEST(DHTest, DHMarshalPubKey) {
 ASSERT_TRUE(EVP_PKEY_cmp(gen_dh.get(), parsed_pem_pubkey.get()));
- OPENSSL_free((void*)pubkey_der);
- OPENSSL_free((void*)pubkey_pem);
+ OPENSSL_free((void *)pubkey_der);
+ OPENSSL_free((void *)pubkey_pem);
 }
diff --git a/crypto/dh_extra/params.c b/crypto/dh_extra/params.c
index dd694d261d..0dc4d42dd7 100644
--- a/crypto/dh_extra/params.c
+++ b/crypto/dh_extra/params.c
@@ -60,7 +60,8 @@
 #include "../fipsmodule/dh/internal.h"
-static BIGNUM *get_params(BIGNUM *ret, const BN_ULONG *words, size_t num_words) {
+static BIGNUM *get_params(BIGNUM *ret, const BN_ULONG *words,
+ size_t num_words) {
 BIGNUM *alloc = NULL;
 if (ret == NULL) {
 alloc = BN_new();
@@ -449,8 +450,7 @@ static int int_dh_param_copy(DH *to, const DH *from, int is_x942) {
 if (is_x942 == -1) {
 is_x942 = !!from->q;
 }
- if (!int_dh_bn_cpy(&to->p, from->p) ||
- !int_dh_bn_cpy(&to->g, from->g)) {
+ if (!int_dh_bn_cpy(&to->p, from->p) || !int_dh_bn_cpy(&to->g, from->g)) {
 return 0;
 }
@@ -479,24 +479,24 @@ DH *DHparams_dup(const DH *dh) {
 return ret;
 }
-DH *DH_get_2048_256(void) {
+DH *DH_get_2048_256(void) {
 static const BN_ULONG dh2048_256_p[] = {
- TOBN(0xDB094AE9, 0x1E1A1597), TOBN(0x693877FA, 0xD7EF09CA),
- TOBN(0x6116D227, 0x6E11715F), TOBN(0xA4B54330, 0xC198AF12),
- TOBN(0x75F26375, 0xD7014103), TOBN(0xC3A3960A, 0x54E710C3),
- TOBN(0xDED4010A, 0xBD0BE621), TOBN(0xC0B857F6, 0x89962856),
- TOBN(0xB3CA3F79, 0x71506026), TOBN(0x1CCACB83, 0xE6B486F6),
- TOBN(0x67E144E5, 0x14056425), TOBN(0xF6A167B5, 0xA41825D9),
- TOBN(0x3AD83477, 0x96524D8E), TOBN(0xF13C6D9A, 0x51BFA4AB),
- TOBN(0x2D525267, 0x35488A0E), TOBN(0xB63ACAE1, 0xCAA6B790),
- TOBN(0x4FDB70C5, 0x81B23F76), TOBN(0xBC39A0BF, 0x12307F5C),
- TOBN(0xB941F54E, 0xB1E59BB8), TOBN(0x6C5BFC11, 0xD45F9088),
- TOBN(0x22E0B1EF, 0x4275BF7B), TOBN(0x91F9E672, 0x5B4758C0),
- TOBN(0x5A8A9D30, 0x6BCF67ED), TOBN(0x209E0C64, 0x97517ABD),
- TOBN(0x3BF4296D, 0x830E9A7C), TOBN(0x16C3D911, 0x34096FAA),
- TOBN(0xFAF7DF45, 0x61B2AA30), TOBN(0xE00DF8F1, 0xD61957D4),
- TOBN(0x5D2CEED4, 0x435E3B00), TOBN(0x8CEEF608, 0x660DD0F2),
- TOBN(0xFFBBD19C, 0x65195999), TOBN(0x87A8E61D, 0xB4B6663C),
+ TOBN(0xDB094AE9, 0x1E1A1597), TOBN(0x693877FA, 0xD7EF09CA),
+ TOBN(0x6116D227, 0x6E11715F), TOBN(0xA4B54330, 0xC198AF12),
+ TOBN(0x75F26375, 0xD7014103), TOBN(0xC3A3960A, 0x54E710C3),
+ TOBN(0xDED4010A, 0xBD0BE621), TOBN(0xC0B857F6, 0x89962856),
+ TOBN(0xB3CA3F79, 0x71506026), TOBN(0x1CCACB83, 0xE6B486F6),
+ TOBN(0x67E144E5, 0x14056425), TOBN(0xF6A167B5, 0xA41825D9),
+ TOBN(0x3AD83477, 0x96524D8E), TOBN(0xF13C6D9A, 0x51BFA4AB),
+ TOBN(0x2D525267, 0x35488A0E), TOBN(0xB63ACAE1, 0xCAA6B790),
+ TOBN(0x4FDB70C5, 0x81B23F76), TOBN(0xBC39A0BF, 0x12307F5C),
+ TOBN(0xB941F54E, 0xB1E59BB8), TOBN(0x6C5BFC11, 0xD45F9088),
+ TOBN(0x22E0B1EF, 0x4275BF7B), TOBN(0x91F9E672, 0x5B4758C0),
+ TOBN(0x5A8A9D30, 0x6BCF67ED), TOBN(0x209E0C64, 0x97517ABD),
+ TOBN(0x3BF4296D, 0x830E9A7C), TOBN(0x16C3D911, 0x34096FAA),
+ TOBN(0xFAF7DF45, 0x61B2AA30), TOBN(0xE00DF8F1, 0xD61957D4),
+ TOBN(0x5D2CEED4, 0x435E3B00), TOBN(0x8CEEF608, 0x660DD0F2),
+ TOBN(0xFFBBD19C, 0x65195999), TOBN(0x87A8E61D, 0xB4B6663C),
 };
 static const BN_ULONG dh2048_256_g[] = {
 TOBN(0x664B4C0F, 0x6CC41659), TOBN(0x5E2327CF, 0xEF98C582),
@@ -517,8 +517,10 @@ DH *DH_get_2048_256(void) {
 TOBN(0x2E775066, 0x60EDBD48), TOBN(0x3FB32C9B, 0x73134D0B),
 };
 static const BN_ULONG dh2048_256_q[] = {
- TOBN(0xA308B0FE, 0x64F5FBD3), TOBN(0x99B1A47D, 0x1EB3750B),
- TOBN(0xB4479976, 0x40129DA2), TOBN(0x8CF83642, 0xA709A097),
+ TOBN(0xA308B0FE, 0x64F5FBD3),
+ TOBN(0x99B1A47D, 0x1EB3750B),
+ TOBN(0xB4479976, 0x40129DA2),
+ TOBN(0x8CF83642, 0xA709A097),
 };
 struct standard_parameters {
@@ -526,9 +528,9 @@ DH *DH_get_2048_256(void) {
 };
 static const struct standard_parameters dh2048_256 = {
- STATIC_BIGNUM(dh2048_256_p),
- STATIC_BIGNUM(dh2048_256_q),
- STATIC_BIGNUM(dh2048_256_g),
+ STATIC_BIGNUM(dh2048_256_p),
+ STATIC_BIGNUM(dh2048_256_q),
+ STATIC_BIGNUM(dh2048_256_g),
 };
 DH *dh = DH_new();
diff --git a/crypto/digest_extra/digest_extra.c b/crypto/digest_extra/digest_extra.c
index 28254f9c9e..ad921bffd6 100644
--- a/crypto/digest_extra/digest_extra.c
+++ b/crypto/digest_extra/digest_extra.c
@@ -60,17 +60,17 @@
 #include
 #include
-#include
 #include
+#include
 #include "../asn1/internal.h"
-#include "../internal.h"
 #include "../fipsmodule/digest/internal.h"
+#include "../internal.h"
 struct nid_to_digest {
 int nid;
- const EVP_MD* (*md_func)(void);
+ const EVP_MD *(*md_func)(void);
 const char *short_name;
 const char *long_name;
 };
@@ -113,7 +113,7 @@ static const struct nid_to_digest nid_to_digest_mapping[] = {
 LN_sha512WithRSAEncryption},
 };
-const EVP_MD* EVP_get_digestbynid(int nid) {
+const EVP_MD *EVP_get_digestbynid(int nid) {
 if (nid == NID_undef) {
 // Skip the |NID_undef| entries in |nid_to_digest_mapping|.
 return NULL;
@@ -133,22 +133,22 @@ static const struct {
 uint8_t oid_len;
 int nid;
 } kMDOIDs[] = {
- // 1.2.840.113549.2.4
- { {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x04}, 8, NID_md4 },
- // 1.2.840.113549.2.5
- { {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05}, 8, NID_md5 },
- // 1.3.36.3.2.1
- { {0x2b, 0x24, 0x03, 0x02, 0x01}, 5, NID_ripemd160 },
- // 1.3.14.3.2.26
- { {0x2b, 0x0e, 0x03, 0x02, 0x1a}, 5, NID_sha1 },
- // 2.16.840.1.101.3.4.2.1
- { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}, 9, NID_sha256 },
- // 2.16.840.1.101.3.4.2.2
- { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}, 9, NID_sha384 },
- // 2.16.840.1.101.3.4.2.3
- {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}, 9, NID_sha512 },
- // 2.16.840.1.101.3.4.2.4
- { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}, 9, NID_sha224 },
+ // 1.2.840.113549.2.4
+ {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x04}, 8, NID_md4},
+ // 1.2.840.113549.2.5
+ {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05}, 8, NID_md5},
+ // 1.3.36.3.2.1
+ {{0x2b, 0x24, 0x03, 0x02, 0x01}, 5, NID_ripemd160},
+ // 1.3.14.3.2.26
+ {{0x2b, 0x0e, 0x03, 0x02, 0x1a}, 5, NID_sha1},
+ // 2.16.840.1.101.3.4.2.1
+ {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}, 9, NID_sha256},
+ // 2.16.840.1.101.3.4.2.2
+ {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}, 9, NID_sha384},
+ // 2.16.840.1.101.3.4.2.3
+ {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}, 9, NID_sha512},
+ // 2.16.840.1.101.3.4.2.4
+ {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}, 9, NID_sha224},
 };
 static const EVP_MD *cbs_to_md(const CBS *cbs) {
@@ -196,8 +196,7 @@ const EVP_MD *EVP_parse_digest_algorithm(CBS *cbs) {
 if (CBS_len(&algorithm) > 0) {
 CBS param;
 if (!CBS_get_asn1(&algorithm, ¶m, CBS_ASN1_NULL) ||
- CBS_len(¶m) != 0 ||
- CBS_len(&algorithm) != 0) {
+ CBS_len(¶m) != 0 || CBS_len(&algorithm) != 0) {
 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_DECODE_ERROR);
 return NULL;
 }
@@ -231,8 +230,7 @@ int EVP_marshal_digest_algorithm(CBB *cbb, const EVP_MD *md) {
 }
 // TODO(crbug.com/boringssl/710): Is this correct? See RFC 4055, section 2.1.
- if (!CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) ||
- !CBB_flush(cbb)) {
+ if (!CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) || !CBB_flush(cbb)) {
 return 0;
 }
@@ -263,15 +261,10 @@ static void blake2b256_final(EVP_MD_CTX *ctx, uint8_t *md) {
 }
 static const EVP_MD evp_md_blake2b256 = {
- NID_undef,
- BLAKE2B256_DIGEST_LENGTH,
- 0,
- blake2b256_init,
- blake2b256_update,
- blake2b256_final,
- BLAKE2B_CBLOCK,
- sizeof(BLAKE2B_CTX),
- /*finalXOf*/ NULL,
+ NID_undef, BLAKE2B256_DIGEST_LENGTH, 0,
+ blake2b256_init, blake2b256_update, blake2b256_final,
+ BLAKE2B_CBLOCK, sizeof(BLAKE2B_CTX),
+ /*finalXOf*/ NULL,
 };
 const EVP_MD *EVP_blake2b256(void) { return &evp_md_blake2b256; }
@@ -283,15 +276,8 @@ static void null_update(EVP_MD_CTX *ctx, const void *data, size_t count) {}
 static void null_final(EVP_MD_CTX *ctx, unsigned char *md) {}
 static const EVP_MD evp_md_null = {
- NID_undef,
- 0,
- 0,
- null_init,
- null_update,
- null_final,
- 0,
- sizeof(EVP_MD_CTX),
- NULL,
+ NID_undef, 0, 0, null_init, null_update, null_final, 0,
+ sizeof(EVP_MD_CTX), NULL,
 };
 const EVP_MD *EVP_md_null(void) { return &evp_md_null; }
diff --git a/crypto/digest_extra/digest_test.cc b/crypto/digest_extra/digest_test.cc
index 89b70043f9..e44bc84bae 100644
--- a/crypto/digest_extra/digest_test.cc
+++ b/crypto/digest_extra/digest_test.cc
@@ -42,7 +42,7 @@
 struct MD {
 // name is the name of the digest.
- const char* name;
+ const char *name;
 // md_func is the digest to test.
 const EVP_MD *(*func)(void);
 // one_shot_func is the convenience one-shot version of the
@@ -50,28 +50,31 @@ struct MD {
 uint8_t *(*one_shot_func)(const uint8_t *, size_t, uint8_t *);
 // one_shot_xof_func is the convenience one-shot version of the
 // digest.
- uint8_t *(*one_shot_xof_func)(const uint8_t *, const size_t in_len, uint8_t *, size_t);
+ uint8_t *(*one_shot_xof_func)(const uint8_t *, const size_t in_len, uint8_t *,
+ size_t);
 };
-static const MD md4 = { "MD4", &EVP_md4, nullptr, nullptr };
-static const MD md5 = { "MD5", &EVP_md5, &MD5, nullptr };
-static const MD ripemd160 = { "RIPEMD160", &EVP_ripemd160, &RIPEMD160, nullptr };
-static const MD sha1 = { "SHA1", &EVP_sha1, &SHA1, nullptr };
-static const MD sha224 = { "SHA224", &EVP_sha224, &SHA224, nullptr };
-static const MD sha256 = { "SHA256", &EVP_sha256, &SHA256, nullptr };
-static const MD sha384 = { "SHA384", &EVP_sha384, &SHA384, nullptr };
-static const MD sha512 = { "SHA512", &EVP_sha512, &SHA512, nullptr };
-static const MD sha512_224 = { "SHA512-224", &EVP_sha512_224, &SHA512_224, nullptr };
-static const MD sha512_256 = { "SHA512-256", &EVP_sha512_256, &SHA512_256, nullptr };
-static const MD sha3_224 = { "SHA3-224", &EVP_sha3_224, &SHA3_224, nullptr };
-static const MD sha3_256 = { "SHA3-256", &EVP_sha3_256, &SHA3_256, nullptr };
-static const MD sha3_384 = { "SHA3-384", &EVP_sha3_384, &SHA3_384, nullptr };
-static const MD sha3_512 = { "SHA3-512", &EVP_sha3_512, &SHA3_512, nullptr };
-static const MD shake128 = { "shake128", &EVP_shake128, nullptr, &SHAKE128};
-static const MD shake256 = { "shake256", &EVP_shake256, nullptr, &SHAKE256};
-static const MD md5_sha1 = { "MD5-SHA1", &EVP_md5_sha1, nullptr, nullptr };
-static const MD blake2b256 = { "BLAKE2b-256", &EVP_blake2b256, nullptr, nullptr };
-static const MD md_null = { "NULL", &EVP_md_null, nullptr, nullptr };
+static const MD md4 = {"MD4", &EVP_md4, nullptr, nullptr};
+static const MD md5 = {"MD5", &EVP_md5, &MD5, nullptr};
+static const MD ripemd160 = {"RIPEMD160", &EVP_ripemd160, &RIPEMD160, nullptr};
+static const MD sha1 = {"SHA1", &EVP_sha1, &SHA1, nullptr};
+static const MD sha224 = {"SHA224", &EVP_sha224, &SHA224, nullptr};
+static const MD sha256 = {"SHA256", &EVP_sha256, &SHA256, nullptr};
+static const MD sha384 = {"SHA384", &EVP_sha384, &SHA384, nullptr};
+static const MD sha512 = {"SHA512", &EVP_sha512, &SHA512, nullptr};
+static const MD sha512_224 = {"SHA512-224", &EVP_sha512_224, &SHA512_224,
+ nullptr};
+static const MD sha512_256 = {"SHA512-256", &EVP_sha512_256, &SHA512_256,
+ nullptr};
+static const MD sha3_224 = {"SHA3-224", &EVP_sha3_224, &SHA3_224, nullptr};
+static const MD sha3_256 = {"SHA3-256", &EVP_sha3_256, &SHA3_256, nullptr};
+static const MD sha3_384 = {"SHA3-384", &EVP_sha3_384, &SHA3_384, nullptr};
+static const MD sha3_512 = {"SHA3-512", &EVP_sha3_512, &SHA3_512, nullptr};
+static const MD shake128 = {"shake128", &EVP_shake128, nullptr, &SHAKE128};
+static const MD shake256 = {"shake256", &EVP_shake256, nullptr, &SHAKE256};
+static const MD md5_sha1 = {"MD5-SHA1", &EVP_md5_sha1, nullptr, nullptr};
+static const MD blake2b256 = {"BLAKE2b-256", &EVP_blake2b256, nullptr, nullptr};
+static const MD md_null = {"NULL", &EVP_md_null, nullptr, nullptr};
 struct DigestTestVector {
 // md is the digest to test.
@@ -107,15 +110,21 @@ static const DigestTestVector kTestVectors[] = {
 "d174ab98d277d9f5a5611c2c9f419d9f"},
 {md5, "1234567890", 8, "57edf4a22be3c955ac49da2e2107b67a"},
- // RIPEMD160 tests, from https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
+ // RIPEMD160 tests, from
+ // https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
 // There doesn't appear to be an official RFC with test vectors for this.
 {ripemd160, "", 1, "9c1185a5c5e9fc54612808977ee8f548b2258d31"},
 {ripemd160, "a", 1, "0bdc9d2d256b3ee9daae347be6f4dc835a467ffe"},
 {ripemd160, "abc", 1, "8eb208f7e05d987a9b044a8e98c6b087f15a0bfc"},
- {ripemd160, "message digest", 1, "5d0689ef49d2fae572b881b123a85ffa21595f36"},
- {ripemd160, "abcdefghijklmnopqrstuvwxyz", 1, "f71c27109c692c1b56bbdceb5b9d2865b3708dbc"},
- {ripemd160, "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1, "12a053384a9c0c88e405a06c27dcf49ada62eb2b"},
- {ripemd160, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 1, "b0e20b6e3116640286ed3a87a5713079b21f5189"},
+ {ripemd160, "message digest", 1,
+ "5d0689ef49d2fae572b881b123a85ffa21595f36"},
+ {ripemd160, "abcdefghijklmnopqrstuvwxyz", 1,
+ "f71c27109c692c1b56bbdceb5b9d2865b3708dbc"},
+ {ripemd160, "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
+ "12a053384a9c0c88e405a06c27dcf49ada62eb2b"},
+ {ripemd160,
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 1,
+ "b0e20b6e3116640286ed3a87a5713079b21f5189"},
 {ripemd160, "1234567890", 8, "9b752e45573d4b39f4dbd3323cab82bf63326bfb"},
 {ripemd160, "a", 1000000, "52783243c1697bdbe16d37f97f68f08325dc1528"},
@@ -165,97 +174,215 @@ static const DigestTestVector kTestVectors[] = {
 // SHA-512-224 tests, from
 // https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/examples/sha512_224.pdf
- {sha512_224, "abc",
- 1, "4634270f707b6a54daae7530460842e20e37ed265ceee9a43e8924aa"},
+ {sha512_224, "abc", 1,
+ "4634270f707b6a54daae7530460842e20e37ed265ceee9a43e8924aa"},
 {sha512_224,
- "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
- 1, "23fec5bb94d60b23308192640b0c453335d664734fe40e7268674af9"},
+ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopj"
+ "klmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
+ 1, "23fec5bb94d60b23308192640b0c453335d664734fe40e7268674af9"},
 // SHA-512-256 tests, from
 // https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/examples/sha512_256.pdf
- {sha512_256, "abc",
- 1, "53048e2681941ef99b2e29b76b4c7dabe4c2d0c634fc6d46e0e2f13107e7af23"},
+ {sha512_256, "abc", 1,
+ "53048e2681941ef99b2e29b76b4c7dabe4c2d0c634fc6d46e0e2f13107e7af23"},
 {sha512_256,
- "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
- 1, "3928e184fb8690f840da3988121d31be65cb9d3ef83ee6146feac861e19b563a"},
+ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopj"
+ "klmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
+ 1, "3928e184fb8690f840da3988121d31be65cb9d3ef83ee6146feac861e19b563a"},
- // SHA3-224 tests, from NIST.
+ // SHA3-224 tests, from NIST.
// http://csrc.nist.gov/groups/STM/cavp/secure-hashing.html - {sha3_224, "", 1, "6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7"}, - {sha3_224, "\x01", 1, "488286d9d32716e5881ea1ee51f36d3660d70f0db03b3f612ce9eda4"}, - {sha3_224, "\x69\xcb", 1, "94bd25c4cf6ca889126df37ddd9c36e6a9b28a4fe15cc3da6debcdd7"}, - {sha3_224, "\xbf\x58\x31", 1, "1bb36bebde5f3cb6d8e4672acf6eec8728f31a54dacc2560da2a00cc"}, - {sha3_224, "\xd1\x48\xce\x6d", 1, "0b521dac1efe292e20dfb585c8bff481899df72d59983315958391ba"}, - {sha3_224, "\x91\xc7\x10\x68\xf8", 1, "989f017709f50bd0230623c417f3daf194507f7b90a11127ba1638fa"}, - {sha3_224, "\xe7\x18\x3e\x4d\x89\xc9", 1, "650618f3b945c07de85b8478d69609647d5e2a432c6b15fbb3db91e4"}, - {sha3_224, "\xd8\x5e\x47\x0a\x7c\x69\x88", 1, "8a134c33c7abd673cd3d0c33956700760de980c5aee74c96e6ba08b2"}, - {sha3_224, "\xe4\xea\x2c\x16\x36\x6b\x80\xd6", 1, "7dd1a8e3ffe8c99cc547a69af14bd63b15ac26bd3d36b8a99513e89e"}, - {sha3_224, "\xe6\x5d\xe9\x1f\xdc\xb7\x60\x6f\x14\xdb\xcf\xc9\x4c\x9c\x94\xa5\x72\x40\xa6\xb2\xc3\x1e\xd4\x10\x34\x6c\x4d\xc0\x11\x52\x65\x59\xe4\x42\x96\xfc\x98\x8c\xc5\x89\xde\x2d\xc7\x13\xd0\xe8\x24\x92\xd4\x99\x1b\xd8\xc4\xc5\xe6\xc7\x4c\x75\x3f\xc0\x93\x45\x22\x5e\x1d\xb8\xd5\x65\xf0\xce\x26\xf5\xf5\xd9\xf4\x04\xa2\x8c\xf0\x0b\xd6\x55\xa5\xfe\x04\xed\xb6\x82\x94\x2d\x67\x5b\x86\x23\x5f\x23\x59\x65\xad\x42\x2b\xa5\x08\x1a\x21\x86\x5b\x82\x09\xae\x81\x76\x3e\x1c\x4c\x0c\xcc\xbc\xcd\xaa\xd5\x39\xcf\x77\x34\x13\xa5\x0f\x5f\xf1\x26\x7b\x92\x38\xf5\x60\x2a\xdc\x06\x76\x4f\x77\x5d\x3c", - 1, "26ec9df54d9afe11710772bfbeccc83d9d0439d3530777c81b8ae6a3"}, + {sha3_224, "", 1, + "6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7"}, + {sha3_224, "\x01", 1, + "488286d9d32716e5881ea1ee51f36d3660d70f0db03b3f612ce9eda4"}, + {sha3_224, "\x69\xcb", 1, + "94bd25c4cf6ca889126df37ddd9c36e6a9b28a4fe15cc3da6debcdd7"}, + {sha3_224, "\xbf\x58\x31", 1, + "1bb36bebde5f3cb6d8e4672acf6eec8728f31a54dacc2560da2a00cc"}, + {sha3_224, "\xd1\x48\xce\x6d", 1, + 
"0b521dac1efe292e20dfb585c8bff481899df72d59983315958391ba"}, + {sha3_224, "\x91\xc7\x10\x68\xf8", 1, + "989f017709f50bd0230623c417f3daf194507f7b90a11127ba1638fa"}, + {sha3_224, "\xe7\x18\x3e\x4d\x89\xc9", 1, + "650618f3b945c07de85b8478d69609647d5e2a432c6b15fbb3db91e4"}, + {sha3_224, "\xd8\x5e\x47\x0a\x7c\x69\x88", 1, + "8a134c33c7abd673cd3d0c33956700760de980c5aee74c96e6ba08b2"}, + {sha3_224, "\xe4\xea\x2c\x16\x36\x6b\x80\xd6", 1, + "7dd1a8e3ffe8c99cc547a69af14bd63b15ac26bd3d36b8a99513e89e"}, + {sha3_224, + "\xe6\x5d\xe9\x1f\xdc\xb7\x60\x6f\x14\xdb\xcf\xc9\x4c\x9c\x94\xa5\x72\x40" + "\xa6\xb2\xc3\x1e\xd4\x10\x34\x6c\x4d\xc0\x11\x52\x65\x59\xe4\x42\x96\xfc" + "\x98\x8c\xc5\x89\xde\x2d\xc7\x13\xd0\xe8\x24\x92\xd4\x99\x1b\xd8\xc4\xc5" + "\xe6\xc7\x4c\x75\x3f\xc0\x93\x45\x22\x5e\x1d\xb8\xd5\x65\xf0\xce\x26\xf5" + "\xf5\xd9\xf4\x04\xa2\x8c\xf0\x0b\xd6\x55\xa5\xfe\x04\xed\xb6\x82\x94\x2d" + "\x67\x5b\x86\x23\x5f\x23\x59\x65\xad\x42\x2b\xa5\x08\x1a\x21\x86\x5b\x82" + "\x09\xae\x81\x76\x3e\x1c\x4c\x0c\xcc\xbc\xcd\xaa\xd5\x39\xcf\x77\x34\x13" + "\xa5\x0f\x5f\xf1\x26\x7b\x92\x38\xf5\x60\x2a\xdc\x06\x76\x4f\x77\x5d\x3c", + 1, "26ec9df54d9afe11710772bfbeccc83d9d0439d3530777c81b8ae6a3"}, // SHA3-256 tests, from NIST. 
// http://csrc.nist.gov/groups/STM/cavp/secure-hashing.html - {sha3_256, "", 1, "a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a"}, - {sha3_256, "\xe9", 1, "f0d04dd1e6cfc29a4460d521796852f25d9ef8d28b44ee91ff5b759d72c1e6d6"}, - {sha3_256, "\xd4\x77", 1, "94279e8f5ccdf6e17f292b59698ab4e614dfe696a46c46da78305fc6a3146ab7"}, - {sha3_256, "\xb0\x53\xfa", 1, "9d0ff086cd0ec06a682c51c094dc73abdc492004292344bd41b82a60498ccfdb"}, - {sha3_256, "\xe7\x37\x21\x05", 1, "3a42b68ab079f28c4ca3c752296f279006c4fe78b1eb79d989777f051e4046ae"}, - {sha3_256, "\xe6\xfd\x42\x03\x7f\x80", 1, "2294f8d3834f24aa9037c431f8c233a66a57b23fa3de10530bbb6911f6e1850f"}, - {sha3_256, "\x37\xb4\x42\x38\x5e\x05\x38", 1, "cfa55031e716bbd7a83f2157513099e229a88891bb899d9ccd317191819998f8"}, - {sha3_256, "\x8b\xca\x93\x1c\x8a\x13\x2d\x2f", 1, "dbb8be5dec1d715bd117b24566dc3f24f2cc0c799795d0638d9537481ef1e03e"}, - {sha3_256, "\xfb\x8d\xfa\x3a\x13\x2f\x98\x13\xac", 1, "fd09b3501888445ffc8c3bb95d106440ceee469415fce1474743273094306e2e"}, - {sha3_256, "\x56\xea\x14\xd7\xfc\xb0\xdb\x74\x8f\xf6\x49\xaa\xa5\xd0\xaf\xdc\x23\x57\x52\x8a\x9a\xad\x60\x76\xd7\x3b\x28\x05\xb5\x3d\x89\xe7\x36\x81\xab\xfa\xd2\x6b\xee\x6c\x0f\x3d\x20\x21\x52\x95\xf3\x54\xf5\x38\xae\x80\x99\x0d\x22\x81\xbe\x6d\xe0\xf6\x91\x9a\xa9\xeb\x04\x8c\x26\xb5\x24\xf4\xd9\x1c\xa8\x7b\x54\xc0\xc5\x4a\xa9\xb5\x4a\xd0\x21\x71\xe8\xbf\x31\xe8\xd1\x58\xa9\xf5\x86\xe9\x2f\xfc\xe9\x94\xec\xce\x9a\x51\x85\xcc\x80\x36\x4d\x50\xa6\xf7\xb9\x48\x49\xa9\x14\x24\x2f\xcb\x73\xf3\x3a\x86\xec\xc8\x3c\x34\x03\x63\x0d\x20\x65\x0d\xdb\x8c\xd9\xc4", - 1, "4beae3515ba35ec8cbd1d94567e22b0d7809c466abfbafe9610349597ba15b45"}, + {sha3_256, "", 1, + "a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a"}, + {sha3_256, "\xe9", 1, + "f0d04dd1e6cfc29a4460d521796852f25d9ef8d28b44ee91ff5b759d72c1e6d6"}, + {sha3_256, "\xd4\x77", 1, + "94279e8f5ccdf6e17f292b59698ab4e614dfe696a46c46da78305fc6a3146ab7"}, + {sha3_256, "\xb0\x53\xfa", 1, + 
"9d0ff086cd0ec06a682c51c094dc73abdc492004292344bd41b82a60498ccfdb"}, + {sha3_256, "\xe7\x37\x21\x05", 1, + "3a42b68ab079f28c4ca3c752296f279006c4fe78b1eb79d989777f051e4046ae"}, + {sha3_256, "\xe6\xfd\x42\x03\x7f\x80", 1, + "2294f8d3834f24aa9037c431f8c233a66a57b23fa3de10530bbb6911f6e1850f"}, + {sha3_256, "\x37\xb4\x42\x38\x5e\x05\x38", 1, + "cfa55031e716bbd7a83f2157513099e229a88891bb899d9ccd317191819998f8"}, + {sha3_256, "\x8b\xca\x93\x1c\x8a\x13\x2d\x2f", 1, + "dbb8be5dec1d715bd117b24566dc3f24f2cc0c799795d0638d9537481ef1e03e"}, + {sha3_256, "\xfb\x8d\xfa\x3a\x13\x2f\x98\x13\xac", 1, + "fd09b3501888445ffc8c3bb95d106440ceee469415fce1474743273094306e2e"}, + {sha3_256, + "\x56\xea\x14\xd7\xfc\xb0\xdb\x74\x8f\xf6\x49\xaa\xa5\xd0\xaf\xdc\x23\x57" + "\x52\x8a\x9a\xad\x60\x76\xd7\x3b\x28\x05\xb5\x3d\x89\xe7\x36\x81\xab\xfa" + "\xd2\x6b\xee\x6c\x0f\x3d\x20\x21\x52\x95\xf3\x54\xf5\x38\xae\x80\x99\x0d" + "\x22\x81\xbe\x6d\xe0\xf6\x91\x9a\xa9\xeb\x04\x8c\x26\xb5\x24\xf4\xd9\x1c" + "\xa8\x7b\x54\xc0\xc5\x4a\xa9\xb5\x4a\xd0\x21\x71\xe8\xbf\x31\xe8\xd1\x58" + "\xa9\xf5\x86\xe9\x2f\xfc\xe9\x94\xec\xce\x9a\x51\x85\xcc\x80\x36\x4d\x50" + "\xa6\xf7\xb9\x48\x49\xa9\x14\x24\x2f\xcb\x73\xf3\x3a\x86\xec\xc8\x3c\x34" + "\x03\x63\x0d\x20\x65\x0d\xdb\x8c\xd9\xc4", + 1, "4beae3515ba35ec8cbd1d94567e22b0d7809c466abfbafe9610349597ba15b45"}, // SHA3-384 tests, from NIST. 
// http://csrc.nist.gov/groups/STM/cavp/secure-hashing.html - {sha3_384, "", 1, "0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004"}, - {sha3_384, "\x80", 1, "7541384852e10ff10d5fb6a7213a4a6c15ccc86d8bc1068ac04f69277142944f4ee50d91fdc56553db06b2f5039c8ab7"}, - {sha3_384, "\xfb\x52", 1, "d73a9d0e7f1802352ea54f3e062d3910577bf87edda48101de92a3de957e698b836085f5f10cab1de19fd0c906e48385"}, - {sha3_384, "\x6a\xb7\xd6", 1, "ea12d6d32d69ad2154a57e0e1be481a45add739ee7dd6e2a27e544b6c8b5ad122654bbf95134d567987156295d5e57db"}, - {sha3_384, "\x11\x58\x7d\xcb", 1, "cb6e6ce4a266d438ddd52867f2e183021be50223c7d57f8fdcaa18093a9d0126607df026c025bff40bc314af43fd8a08"}, - {sha3_384, "\x4d\x7f\xc6\xca\xe6", 1, "e570d463a010c71b78acd7f9790c78ce946e00cc54dae82bfc3833a10f0d8d35b03cbb4aa2f9ba4b27498807a397cd47"}, - {sha3_384, "\x5a\x66\x59\xe9\xf0\xe7", 1, "21b1f3f63b907f968821185a7fe30b16d47e1d6ee5b9c80be68947854de7a8ef4a03a6b2e4ec96abdd4fa29ab9796f28"}, - {sha3_384, "\x17\x51\x0e\xca\x2f\xe1\x1b", 1, "35fba6958b6c68eae8f2b5f5bdf5ebcc565252bc70f983548c2dfd5406f111a0a95b1bb9a639988c8d65da912d2c3ea2"}, - {sha3_384, "\xc4\x4a\x2c\x58\xc8\x4c\x39\x3a", 1, "60ad40f964d0edcf19281e415f7389968275ff613199a069c916a0ff7ef65503b740683162a622b913d43a46559e913c"}, - {sha3_384, "\x92\xc4\x1d\x34\xbd\x24\x9c\x18\x2a\xd4\xe1\x8e\x3b\x85\x67\x70\x76\x6f\x17\x57\x20\x96\x75\x02\x0d\x4c\x1c\xf7\xb6\xf7\x68\x6c\x8c\x14\x72\x67\x8c\x7c\x41\x25\x14\xe6\x3e\xb9\xf5\xae\xe9\xf5\xc9\xd5\xcb\x8d\x87\x48\xab\x7a\x54\x65\x05\x9d\x9c\xbb\xb8\xa5\x62\x11\xff\x32\xd4\xaa\xa2\x3a\x23\xc8\x6e\xad\x91\x6f\xe2\x54\xcc\x6b\x2b\xff\x7a\x95\x53\xdf\x15\x51\xb5\x31\xf9\x5b\xb4\x1c\xbb\xc4\xac\xdd\xbd\x37\x29\x21", - 1, "71307eec1355f73e5b726ed9efa1129086af81364e30a291f684dfade693cc4bc3d6ffcb7f3b4012a21976ff9edcab61"}, + {sha3_384, "", 1, + "0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac37138312" + "64adb47fb6bd1e058d5f004"}, + {sha3_384, "\x80", 1, + 
"7541384852e10ff10d5fb6a7213a4a6c15ccc86d8bc1068ac04f69277142944f4ee50d91f" + "dc56553db06b2f5039c8ab7"}, + {sha3_384, "\xfb\x52", 1, + "d73a9d0e7f1802352ea54f3e062d3910577bf87edda48101de92a3de957e698b836085f5f" + "10cab1de19fd0c906e48385"}, + {sha3_384, "\x6a\xb7\xd6", 1, + "ea12d6d32d69ad2154a57e0e1be481a45add739ee7dd6e2a27e544b6c8b5ad122654bbf95" + "134d567987156295d5e57db"}, + {sha3_384, "\x11\x58\x7d\xcb", 1, + "cb6e6ce4a266d438ddd52867f2e183021be50223c7d57f8fdcaa18093a9d0126607df026c" + "025bff40bc314af43fd8a08"}, + {sha3_384, "\x4d\x7f\xc6\xca\xe6", 1, + "e570d463a010c71b78acd7f9790c78ce946e00cc54dae82bfc3833a10f0d8d35b03cbb4aa" + "2f9ba4b27498807a397cd47"}, + {sha3_384, "\x5a\x66\x59\xe9\xf0\xe7", 1, + "21b1f3f63b907f968821185a7fe30b16d47e1d6ee5b9c80be68947854de7a8ef4a03a6b2e" + "4ec96abdd4fa29ab9796f28"}, + {sha3_384, "\x17\x51\x0e\xca\x2f\xe1\x1b", 1, + "35fba6958b6c68eae8f2b5f5bdf5ebcc565252bc70f983548c2dfd5406f111a0a95b1bb9a" + "639988c8d65da912d2c3ea2"}, + {sha3_384, "\xc4\x4a\x2c\x58\xc8\x4c\x39\x3a", 1, + "60ad40f964d0edcf19281e415f7389968275ff613199a069c916a0ff7ef65503b74068316" + "2a622b913d43a46559e913c"}, + {sha3_384, + "\x92\xc4\x1d\x34\xbd\x24\x9c\x18\x2a\xd4\xe1\x8e\x3b\x85\x67\x70\x76\x6f" + "\x17\x57\x20\x96\x75\x02\x0d\x4c\x1c\xf7\xb6\xf7\x68\x6c\x8c\x14\x72\x67" + "\x8c\x7c\x41\x25\x14\xe6\x3e\xb9\xf5\xae\xe9\xf5\xc9\xd5\xcb\x8d\x87\x48" + "\xab\x7a\x54\x65\x05\x9d\x9c\xbb\xb8\xa5\x62\x11\xff\x32\xd4\xaa\xa2\x3a" + "\x23\xc8\x6e\xad\x91\x6f\xe2\x54\xcc\x6b\x2b\xff\x7a\x95\x53\xdf\x15\x51" + "\xb5\x31\xf9\x5b\xb4\x1c\xbb\xc4\xac\xdd\xbd\x37\x29\x21", + 1, + "71307eec1355f73e5b726ed9efa1129086af81364e30a291f684dfade693cc4bc3d6ffcb7" + "f3b4012a21976ff9edcab61"}, // SHA3-512 tests, from NIST. 
// http://csrc.nist.gov/groups/STM/cavp/secure-hashing.html - {sha3_512, "", 1, "a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26"}, - {sha3_512, "\xe5", 1, "150240baf95fb36f8ccb87a19a41767e7aed95125075a2b2dbba6e565e1ce8575f2b042b62e29a04e9440314a821c6224182964d8b557b16a492b3806f4c39c1"}, - {sha3_512, "\xef\x26", 1, "809b4124d2b174731db14585c253194c8619a68294c8c48947879316fef249b1575da81ab72aad8fae08d24ece75ca1be46d0634143705d79d2f5177856a0437"}, - {sha3_512, "\x37\xd5\x18", 1, "4aa96b1547e6402c0eee781acaa660797efe26ec00b4f2e0aec4a6d10688dd64cbd7f12b3b6c7f802e2096c041208b9289aec380d1a748fdfcd4128553d781e3"}, - {sha3_512, "\xfc\x7b\x8c\xda", 1, "58a5422d6b15eb1f223ebe4f4a5281bc6824d1599d979f4c6fe45695ca89014260b859a2d46ebf75f51ff204927932c79270dd7aef975657bb48fe09d8ea008e"}, - {sha3_512, "\x47\x75\xc8\x6b\x1c", 1, "ce96da8bcd6bc9d81419f0dd3308e3ef541bc7b030eee1339cf8b3c4e8420cd303180f8da77037c8c1ae375cab81ee475710923b9519adbddedb36db0c199f70"}, - {sha3_512, "\x71\xa9\x86\xd2\xf6\x62", 1, "def6aac2b08c98d56a0501a8cb93f5b47d6322daf99e03255457c303326395f765576930f8571d89c01e727cc79c2d4497f85c45691b554e20da810c2bc865ef"}, - {sha3_512, "\xec\x83\xd7\x07\xa1\x41\x4a", 1, "84fd3775bac5b87e550d03ec6fe4905cc60e851a4c33a61858d4e7d8a34d471f05008b9a1d63044445df5a9fce958cb012a6ac778ecf45104b0fcb979aa4692d"}, - {sha3_512, "\x0c\xe9\xf8\xc3\xa9\x90\xc2\x68\xf3\x4e\xfd\x9b\xef\xdb\x0f\x7c\x4e\xf8\x46\x6c\xfd\xb0\x11\x71\xf8\xde\x70\xdc\x5f\xef\xa9\x2a\xcb\xe9\x3d\x29\xe2\xac\x1a\x5c\x29\x79\x12\x9f\x1a\xb0\x8c\x0e\x77\xde\x79\x24\xdd\xf6\x8a\x20\x9c\xdf\xa0\xad\xc6\x2f\x85\xc1\x86\x37\xd9\xc6\xb3\x3f\x4f\xf8", - 1, "b018a20fcf831dde290e4fb18c56342efe138472cbe142da6b77eea4fce52588c04c808eb32912faa345245a850346faec46c3a16d39bd2e1ddb1816bc57d2da"}, + {sha3_512, "", 1, + "a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af" + "1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26"}, 
+ {sha3_512, "\xe5", 1, + "150240baf95fb36f8ccb87a19a41767e7aed95125075a2b2dbba6e565e1ce8575f2b042b6" + "2e29a04e9440314a821c6224182964d8b557b16a492b3806f4c39c1"}, + {sha3_512, "\xef\x26", 1, + "809b4124d2b174731db14585c253194c8619a68294c8c48947879316fef249b1575da81ab" + "72aad8fae08d24ece75ca1be46d0634143705d79d2f5177856a0437"}, + {sha3_512, "\x37\xd5\x18", 1, + "4aa96b1547e6402c0eee781acaa660797efe26ec00b4f2e0aec4a6d10688dd64cbd7f12b3" + "b6c7f802e2096c041208b9289aec380d1a748fdfcd4128553d781e3"}, + {sha3_512, "\xfc\x7b\x8c\xda", 1, + "58a5422d6b15eb1f223ebe4f4a5281bc6824d1599d979f4c6fe45695ca89014260b859a2d" + "46ebf75f51ff204927932c79270dd7aef975657bb48fe09d8ea008e"}, + {sha3_512, "\x47\x75\xc8\x6b\x1c", 1, + "ce96da8bcd6bc9d81419f0dd3308e3ef541bc7b030eee1339cf8b3c4e8420cd303180f8da" + "77037c8c1ae375cab81ee475710923b9519adbddedb36db0c199f70"}, + {sha3_512, "\x71\xa9\x86\xd2\xf6\x62", 1, + "def6aac2b08c98d56a0501a8cb93f5b47d6322daf99e03255457c303326395f765576930f" + "8571d89c01e727cc79c2d4497f85c45691b554e20da810c2bc865ef"}, + {sha3_512, "\xec\x83\xd7\x07\xa1\x41\x4a", 1, + "84fd3775bac5b87e550d03ec6fe4905cc60e851a4c33a61858d4e7d8a34d471f05008b9a1" + "d63044445df5a9fce958cb012a6ac778ecf45104b0fcb979aa4692d"}, + {sha3_512, + "\x0c\xe9\xf8\xc3\xa9\x90\xc2\x68\xf3\x4e\xfd\x9b\xef\xdb\x0f\x7c\x4e\xf8" + "\x46\x6c\xfd\xb0\x11\x71\xf8\xde\x70\xdc\x5f\xef\xa9\x2a\xcb\xe9\x3d\x29" + "\xe2\xac\x1a\x5c\x29\x79\x12\x9f\x1a\xb0\x8c\x0e\x77\xde\x79\x24\xdd\xf6" + "\x8a\x20\x9c\xdf\xa0\xad\xc6\x2f\x85\xc1\x86\x37\xd9\xc6\xb3\x3f\x4f\xf8", + 1, + "b018a20fcf831dde290e4fb18c56342efe138472cbe142da6b77eea4fce52588c04c808eb" + "32912faa345245a850346faec46c3a16d39bd2e1ddb1816bc57d2da"}, // SHAKE128 XOF tests, from NIST. // http://csrc.nist.gov/groups/STM/cavp/secure-hashing.html - // NOTE: the |repeat| field in this struct denotes output length for XOF digests. 
- {shake128, "\x84\xe9\x50\x05\x18\x76\x05\x0d\xc8\x51\xfb\xd9\x9e\x62\x47\xb8", 16, "8599bd89f63a848c49ca593ec37a12c6"}, - {shake128, "\xf1\x67\x51\x1e\xc8\x86\x49\x79\x30\x22\x37\xab\xea\x4c\xf7\xef", 17, "20f8938daa54b260860a104f8556278bac"}, - {shake128, "\x96\xdb\xe1\x83\xec\x72\x90\x57\x0b\x82\x54\x6a\xf7\x92\xeb\x90", 18, "762b421dc6374055a061caeddcf50f5dfbb6"}, - {shake128, "\x9b\xd2\xbd\x3a\x38\x4b\x9e\xf1\x41\xea\xd2\x63\x04\x96\x35\x49", 36, "3cdecb09f1673d8c823da2e02a2eeb28f32095e7c0ce8ab391811c626c472511a433845b"}, - {shake128, "\x5b\x2f\x2f\x2a\xf8\x3e\x86\xd4\x2c\x4e\x98\x15\x3f\xce\x27\x79", 37, "b6e0361dbce6d4a809a2e982f1dcffa4a49781c989402bf9c603cdacbc15484261a47b050d"}, + // NOTE: the |repeat| field in this struct denotes output length for XOF + // digests. + {shake128, + "\x84\xe9\x50\x05\x18\x76\x05\x0d\xc8\x51\xfb\xd9\x9e\x62\x47\xb8", 16, + "8599bd89f63a848c49ca593ec37a12c6"}, + {shake128, + "\xf1\x67\x51\x1e\xc8\x86\x49\x79\x30\x22\x37\xab\xea\x4c\xf7\xef", 17, + "20f8938daa54b260860a104f8556278bac"}, + {shake128, + "\x96\xdb\xe1\x83\xec\x72\x90\x57\x0b\x82\x54\x6a\xf7\x92\xeb\x90", 18, + "762b421dc6374055a061caeddcf50f5dfbb6"}, + {shake128, + "\x9b\xd2\xbd\x3a\x38\x4b\x9e\xf1\x41\xea\xd2\x63\x04\x96\x35\x49", 36, + "3cdecb09f1673d8c823da2e02a2eeb28f32095e7c0ce8ab391811c626c472511a433845" + "b"}, + {shake128, + "\x5b\x2f\x2f\x2a\xf8\x3e\x86\xd4\x2c\x4e\x98\x15\x3f\xce\x27\x79", 37, + "b6e0361dbce6d4a809a2e982f1dcffa4a49781c989402bf9c603cdacbc15484261a47b050" + "d"}, // SHAKE256 XOF tests, from NIST. // http://csrc.nist.gov/groups/STM/cavp/secure-hashing.html - // NOTE: the |repeat| field in this struct denotes output length for XOF digests. 
- {shake256, "\xdc\x88\x6d\xf3\xf6\x9c\x49\x51\x3d\xe3\x62\x7e\x94\x81\xdb\x58\x71\xe8\xee\x88\xeb\x9f\x99\x61\x15\x41\x93\x0a\x8b\xc8\x85\xe0", 16, "00648afbc5e651649db1fd82936b00db"}, - {shake256, "\x8d\x80\x01\xe2\xc0\x96\xf1\xb8\x8e\x7c\x92\x24\xa0\x86\xef\xd4\x79\x7f\xbf\x74\xa8\x03\x3a\x2d\x42\x2a\x2b\x6b\x8f\x67\x47\xe4", 17, "2e975f6a8a14f0704d51b13667d8195c21"}, - {shake256, "\xe3\xef\x12\x7e\xad\xfa\xfa\xf4\x04\x08\xce\xbb\x28\x70\x5d\xf3\x0b\x68\xd9\x9d\xfa\x18\x93\x50\x7e\xf3\x06\x2d\x85\x46\x17\x15", 18, "7314002948c057006d4fc21e3e19c258fb5b"}, - {shake256, "\xdc\x88\x6d\xf3\xf6\x9c\x49\x51\x3d\xe3\x62\x7e\x94\x81\xdb\x58\x71\xe8\xee\x88\xeb\x9f\x99\x61\x15\x41\x93\x0a\x8b\xc8\x85\xe0", 36, "00648afbc5e651649db1fd82936b00dbbc122fb4c877860d385c4950d56de7e096d613d7"}, - {shake256, "\x79\x35\xb6\x8b\xb3\x34\xf3\x5d\xdc\x15\x7a\x8c\x47\x33\x49\xeb\x03\xad\x0e\x41\x53\x0d\x3c\x04\x5e\x2c\x5f\x64\x28\x50\xad\x8c", 37, "b44d25998e5cf77a83a4c0b2aae3061785adc7507d76fe07f4dcf299e04c991c922b51570f"}, + // NOTE: the |repeat| field in this struct denotes output length for XOF + // digests. 
+ {shake256, + "\xdc\x88\x6d\xf3\xf6\x9c\x49\x51\x3d\xe3\x62\x7e\x94\x81\xdb\x58\x71\xe8" + "\xee\x88\xeb\x9f\x99\x61\x15\x41\x93\x0a\x8b\xc8\x85\xe0", + 16, "00648afbc5e651649db1fd82936b00db"}, + {shake256, + "\x8d\x80\x01\xe2\xc0\x96\xf1\xb8\x8e\x7c\x92\x24\xa0\x86\xef\xd4\x79\x7f" + "\xbf\x74\xa8\x03\x3a\x2d\x42\x2a\x2b\x6b\x8f\x67\x47\xe4", + 17, "2e975f6a8a14f0704d51b13667d8195c21"}, + {shake256, + "\xe3\xef\x12\x7e\xad\xfa\xfa\xf4\x04\x08\xce\xbb\x28\x70\x5d\xf3\x0b\x68" + "\xd9\x9d\xfa\x18\x93\x50\x7e\xf3\x06\x2d\x85\x46\x17\x15", + 18, "7314002948c057006d4fc21e3e19c258fb5b"}, + {shake256, + "\xdc\x88\x6d\xf3\xf6\x9c\x49\x51\x3d\xe3\x62\x7e\x94\x81\xdb\x58\x71\xe8" + "\xee\x88\xeb\x9f\x99\x61\x15\x41\x93\x0a\x8b\xc8\x85\xe0", + 36, + "00648afbc5e651649db1fd82936b00dbbc122fb4c877860d385c4950d56de7e096d613d" + "7"}, + {shake256, + "\x79\x35\xb6\x8b\xb3\x34\xf3\x5d\xdc\x15\x7a\x8c\x47\x33\x49\xeb\x03\xad" + "\x0e\x41\x53\x0d\x3c\x04\x5e\x2c\x5f\x64\x28\x50\xad\x8c", + 37, + "b44d25998e5cf77a83a4c0b2aae3061785adc7507d76fe07f4dcf299e04c991c922b51570" + "f"}, // MD5-SHA1 tests. {md5_sha1, "abc", 1, - "900150983cd24fb0d6963f7d28e17f72a9993e364706816aba3e25717850c26c9cd0d89d"}, + "900150983cd24fb0d6963f7d28e17f72a9993e364706816aba3e25717850c26c9cd0d89" + "d"}, // BLAKE2b-256 tests. {blake2b256, "abc", 1, 
@@ -266,123 +393,124 @@ static const DigestTestVector kTestVectors[] = {
 {md_null, "", 1, ""},
 };
-static void CompareDigest(const DigestTestVector *test,
- const uint8_t *digest,
+static void CompareDigest(const DigestTestVector *test, const uint8_t *digest,
 size_t digest_len) {
 EXPECT_EQ(test->expected_hex,
 EncodeHex(bssl::MakeConstSpan(digest, digest_len)));
 }
-static bool DoFinal(const DigestTestVector *test, EVP_MD_CTX *ctx, uint8_t *md_out, unsigned int *out_size) {
- if (ctx->digest && (EVP_MD_flags(ctx->digest) & EVP_MD_FLAG_XOF)) {
- // For XOF digests, DigestTestVector.repeat is the desired output length
- *out_size = test->repeat;
- return EVP_DigestFinalXOF(ctx, md_out, *out_size);
- }
- return EVP_DigestFinal(ctx, md_out, out_size);
+static bool DoFinal(const DigestTestVector *test, EVP_MD_CTX *ctx,
+ uint8_t *md_out, unsigned int *out_size) {
+ if (ctx->digest && (EVP_MD_flags(ctx->digest) & EVP_MD_FLAG_XOF)) {
+ // For XOF digests, DigestTestVector.repeat is the desired output length
+ *out_size = test->repeat;
+ return EVP_DigestFinalXOF(ctx, md_out, *out_size);
+ }
+ return EVP_DigestFinal(ctx, md_out, out_size);
 }
 static void TestDigest(const DigestTestVector *test) {
- SCOPED_TRACE(test->md.name);
- const bool is_xof = EVP_MD_flags(test->md.func()) & EVP_MD_FLAG_XOF;
- const size_t repeat = is_xof ? 1 : test->repeat;
- const size_t expected_output_size = is_xof
- ? test->repeat
- : EVP_MD_size(test->md.func());
-
- bssl::ScopedEVP_MD_CTX ctx;
- // Test the input provided.
- ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
- for (size_t i = 0; i < repeat; i++) {
- ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), test->input, strlen(test->input)));
- }
- std::unique_ptr digest(new uint8_t[expected_output_size]);
- unsigned digest_len;
- ASSERT_TRUE(DoFinal(test, ctx.get(), digest.get(), &digest_len));
- CompareDigest(test, digest.get(), digest_len);
-
- // Test the input one character at a time.
- ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
- ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), nullptr, 0));
- for (size_t i = 0; i < repeat; i++) {
- for (const char *p = test->input; *p; p++) {
- ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), p, 1));
- }
- }
- ASSERT_TRUE(DoFinal(test, ctx.get(), digest.get(), &digest_len));
- EXPECT_EQ(expected_output_size, digest_len);
- CompareDigest(test, digest.get(), digest_len);
-
- // Test with unaligned input.
- ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
- std::vector unaligned(strlen(test->input) + 1);
- char *ptr = unaligned.data();
- if ((reinterpret_cast(ptr) & 1) == 0) {
- ptr++;
- }
- OPENSSL_memcpy(ptr, test->input, strlen(test->input));
- for (size_t i = 0; i < repeat; i++) {
- ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), ptr, strlen(test->input)));
- }
- ASSERT_TRUE(DoFinal(test, ctx.get(), digest.get(), &digest_len));
- CompareDigest(test, digest.get(), digest_len);
-
- // Make a copy of the digest in the initial state.
- ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
- bssl::ScopedEVP_MD_CTX copy;
- ASSERT_TRUE(EVP_MD_CTX_copy_ex(copy.get(), ctx.get()));
- for (size_t i = 0; i < repeat; i++) {
- ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input, strlen(test->input)));
- }
- ASSERT_TRUE(DoFinal(test, copy.get(), digest.get(), &digest_len));
- CompareDigest(test, digest.get(), digest_len);
-
- // Make a copy of the digest with half the input provided.
- size_t half = strlen(test->input) / 2;
- ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), test->input, half));
- ASSERT_TRUE(EVP_MD_CTX_copy_ex(copy.get(), ctx.get()));
- ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input + half,
- strlen(test->input) - half));
- for (size_t i = 1; i < repeat; i++) {
- ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input, strlen(test->input)));
- }
- ASSERT_TRUE(DoFinal(test, copy.get(), digest.get(), &digest_len));
- CompareDigest(test, digest.get(), digest_len);
-
- // Move the digest from the initial state.
- ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
- copy = std::move(ctx);
- for (size_t i = 0; i < repeat; i++) {
- ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input, strlen(test->input)));
- }
- ASSERT_TRUE(DoFinal(test, copy.get(), digest.get(), &digest_len));
- CompareDigest(test, digest.get(), digest_len);
-
- // Move the digest with half the input provided.
- ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
- ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), test->input, half));
- copy = std::move(ctx);
- ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input + half,
- strlen(test->input) - half));
- for (size_t i = 1; i < repeat; i++) {
- ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input, strlen(test->input)));
- }
- ASSERT_TRUE(DoFinal(test, copy.get(), digest.get(), &digest_len));
- CompareDigest(test, digest.get(), digest_len);
-
- // Digest context should be cleared by finalization
- EXPECT_FALSE(DoFinal(test, copy.get(), digest.get(), &digest_len));
-
- // Test the one-shot function.
- if (is_xof || (test->md.one_shot_func && test->repeat == 1)) {
- uint8_t *out = is_xof
- ? test->md.one_shot_xof_func((const uint8_t *)test->input, strlen(test->input),
- digest.get(), expected_output_size)
- : test->md.one_shot_func((const uint8_t *)test->input, strlen(test->input), digest.get());
- // One-shot functions return their supplied buffers.
- EXPECT_EQ(digest.get(), out);
- CompareDigest(test, digest.get(), expected_output_size);
+ SCOPED_TRACE(test->md.name);
+ const bool is_xof = EVP_MD_flags(test->md.func()) & EVP_MD_FLAG_XOF;
+ const size_t repeat = is_xof ? 1 : test->repeat;
+ const size_t expected_output_size =
+ is_xof ? test->repeat : EVP_MD_size(test->md.func());
+
+ bssl::ScopedEVP_MD_CTX ctx;
+ // Test the input provided.
+ ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
+ for (size_t i = 0; i < repeat; i++) {
+ ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), test->input, strlen(test->input)));
+ }
+ std::unique_ptr digest(new uint8_t[expected_output_size]);
+ unsigned digest_len;
+ ASSERT_TRUE(DoFinal(test, ctx.get(), digest.get(), &digest_len));
+ CompareDigest(test, digest.get(), digest_len);
+
+ // Test the input one character at a time.
+ ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
+ ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), nullptr, 0));
+ for (size_t i = 0; i < repeat; i++) {
+ for (const char *p = test->input; *p; p++) {
+ ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), p, 1));
 }
+ }
+ ASSERT_TRUE(DoFinal(test, ctx.get(), digest.get(), &digest_len));
+ EXPECT_EQ(expected_output_size, digest_len);
+ CompareDigest(test, digest.get(), digest_len);
+
+ // Test with unaligned input.
+ ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
+ std::vector unaligned(strlen(test->input) + 1);
+ char *ptr = unaligned.data();
+ if ((reinterpret_cast(ptr) & 1) == 0) {
+ ptr++;
+ }
+ OPENSSL_memcpy(ptr, test->input, strlen(test->input));
+ for (size_t i = 0; i < repeat; i++) {
+ ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), ptr, strlen(test->input)));
+ }
+ ASSERT_TRUE(DoFinal(test, ctx.get(), digest.get(), &digest_len));
+ CompareDigest(test, digest.get(), digest_len);
+
+ // Make a copy of the digest in the initial state.
+ ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
+ bssl::ScopedEVP_MD_CTX copy;
+ ASSERT_TRUE(EVP_MD_CTX_copy_ex(copy.get(), ctx.get()));
+ for (size_t i = 0; i < repeat; i++) {
+ ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input, strlen(test->input)));
+ }
+ ASSERT_TRUE(DoFinal(test, copy.get(), digest.get(), &digest_len));
+ CompareDigest(test, digest.get(), digest_len);
+
+ // Make a copy of the digest with half the input provided.
+ size_t half = strlen(test->input) / 2;
+ ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), test->input, half));
+ ASSERT_TRUE(EVP_MD_CTX_copy_ex(copy.get(), ctx.get()));
+ ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input + half,
+ strlen(test->input) - half));
+ for (size_t i = 1; i < repeat; i++) {
+ ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input, strlen(test->input)));
+ }
+ ASSERT_TRUE(DoFinal(test, copy.get(), digest.get(), &digest_len));
+ CompareDigest(test, digest.get(), digest_len);
+
+ // Move the digest from the initial state.
+ ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
+ copy = std::move(ctx);
+ for (size_t i = 0; i < repeat; i++) {
+ ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input, strlen(test->input)));
+ }
+ ASSERT_TRUE(DoFinal(test, copy.get(), digest.get(), &digest_len));
+ CompareDigest(test, digest.get(), digest_len);
+
+ // Move the digest with half the input provided.
+ ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test->md.func(), nullptr));
+ ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), test->input, half));
+ copy = std::move(ctx);
+ ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input + half,
+ strlen(test->input) - half));
+ for (size_t i = 1; i < repeat; i++) {
+ ASSERT_TRUE(EVP_DigestUpdate(copy.get(), test->input, strlen(test->input)));
+ }
+ ASSERT_TRUE(DoFinal(test, copy.get(), digest.get(), &digest_len));
+ CompareDigest(test, digest.get(), digest_len);
+
+ // Digest context should be cleared by finalization
+ EXPECT_FALSE(DoFinal(test, copy.get(), digest.get(), &digest_len));
+
+ // Test the one-shot function.
+ if (is_xof || (test->md.one_shot_func && test->repeat == 1)) {
+ uint8_t *out =
+ is_xof ? test->md.one_shot_xof_func((const uint8_t *)test->input,
+ strlen(test->input), digest.get(),
+ expected_output_size)
+ : test->md.one_shot_func((const uint8_t *)test->input,
+ strlen(test->input), digest.get());
+ // One-shot functions return their supplied buffers.
+ EXPECT_EQ(digest.get(), out);
+ CompareDigest(test, digest.get(), expected_output_size);
+ }
 }
 TEST(DigestTest, TestVectors) {
@@ -420,7 +548,8 @@ TEST(DigestTest, TestXOF) {
 const size_t out_size = 16;
 std::unique_ptr digest(new uint8_t[out_size]);
 EXPECT_FALSE(EVP_Digest(digest.get(), out_size, digest.get(),
- /*out_len*/nullptr, EVP_shake128(), /*engine*/nullptr));
+ /*out_len*/ nullptr, EVP_shake128(),
+ /*engine*/ nullptr));
 EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, ERR_GET_REASON(ERR_peek_last_error()));
 ERR_clear_error();
 }
@@ -469,7 +598,7 @@ TEST(DigestTest, ASN1) {
 TEST(DigestTest, TransformBlocks) {
 uint8_t blocks[SHA256_CBLOCK * 10];
 for (size_t i = 0; i < sizeof(blocks); i++) {
- blocks[i] = i*3;
+ blocks[i] = i * 3;
 }
 SHA256_CTX ctx1;
diff --git a/crypto/dsa/dsa.c b/crypto/dsa/dsa.c
index 16db9b32a9..f18c5f0463 100644
--- a/crypto/dsa/dsa.c
+++ b/crypto/dsa/dsa.c
@@ -74,10 +74,10 @@ #include #include -#include "internal.h" #include "../fipsmodule/bn/internal.h" #include "../fipsmodule/dh/internal.h" #include "../internal.h" +#include "internal.h" // Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of @@ -125,8 +125,7 @@ void DSA_free(DSA *dsa) { int DSA_print(BIO *bio, const DSA *dsa, int indent) { EVP_PKEY *pkey = EVP_PKEY_new(); - int ret = pkey != NULL && - EVP_PKEY_set1_DSA(pkey, (DSA *)dsa) && + int ret = pkey != NULL && EVP_PKEY_set1_DSA(pkey, (DSA *)dsa) && EVP_PKEY_print_private(bio, pkey, indent, NULL); EVP_PKEY_free(pkey); return ret; @@ -203,8 +202,7 @@ int DSA_set0_key(DSA *dsa, BIGNUM *pub_key, BIGNUM *priv_key) { } int DSA_set0_pqg(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g) { - if ((dsa->p == NULL && p == NULL) || - (dsa->q == NULL && q == NULL) || + if ((dsa->p == NULL && p == NULL) || (dsa->q == NULL && q == NULL) || (dsa->g == NULL && g == NULL)) { return 0; } @@ -233,14 +231,14 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in, size_t seed_len, int *out_counter, unsigned long *out_h, BN_GENCB *cb) { const EVP_MD *evpmd = (bits >= 2048) ? EVP_sha256() : EVP_sha1(); - return dsa_internal_paramgen(dsa, bits, evpmd, seed_in, seed_len, out_counter, out_h, cb); + return dsa_internal_paramgen(dsa, bits, evpmd, seed_in, seed_len, out_counter, + out_h, cb); } int dsa_internal_paramgen(DSA *dsa, size_t bits, const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len, int *out_counter, unsigned long *out_h, - BN_GENCB *cb) -{ + BN_GENCB *cb) { int ok = 0; unsigned char seed[SHA256_DIGEST_LENGTH]; unsigned char md[SHA256_DIGEST_LENGTH]; @@ -337,7 +335,8 @@ int dsa_internal_paramgen(DSA *dsa, size_t bits, const EVP_MD *evpmd, } // step 4 - r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed, cb); + r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed, + cb); if (r > 0) { break; } 
@@ -381,25 +380,20 @@ int dsa_internal_paramgen(DSA *dsa, size_t bits, const EVP_MD *evpmd,
 }
 // step 8
- if (!BN_bin2bn(md, qsize, r0) ||
- !BN_lshift(r0, r0, (qsize << 3) * k) ||
+ if (!BN_bin2bn(md, qsize, r0) || !BN_lshift(r0, r0, (qsize << 3) * k) ||
 !BN_add(W, W, r0)) {
 goto err;
 }
 }
 // more of step 8
- if (!BN_mask_bits(W, bits - 1) ||
- !BN_copy(X, W) ||
- !BN_add(X, X, test)) {
+ if (!BN_mask_bits(W, bits - 1) || !BN_copy(X, W) || !BN_add(X, X, test)) {
 goto err;
 }
 // step 9
- if (!BN_lshift1(r0, q) ||
- !BN_mod(c, X, r0, ctx) ||
- !BN_sub(r0, c, BN_value_one()) ||
- !BN_sub(p, X, r0)) {
+ if (!BN_lshift1(r0, q) || !BN_mod(c, X, r0, ctx) ||
+ !BN_sub(r0, c, BN_value_one()) || !BN_sub(p, X, r0)) {
 goto err;
 }
@@ -432,14 +426,12 @@ int dsa_internal_paramgen(DSA *dsa, size_t bits, const EVP_MD *evpmd,
 // We now need to generate g
 // Set r0=(p-1)/q
- if (!BN_sub(test, p, BN_value_one()) ||
- !BN_div(r0, NULL, test, q, ctx)) {
+ if (!BN_sub(test, p, BN_value_one()) || !BN_div(r0, NULL, test, q, ctx)) {
 goto err;
 }
 mont = BN_MONT_CTX_new_for_modulus(p, ctx);
- if (mont == NULL ||
- !BN_set_word(test, h)) {
+ if (mont == NULL || !BN_set_word(test, h)) {
 goto err;
 }
@@ -607,8 +599,7 @@ static int mod_mul_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
 BIGNUM *tmp = BN_CTX_get(ctx);
 // |BN_mod_mul_montgomery| removes a factor of R, so we cancel it with a
 // single |BN_to_montgomery| which adds one factor of R.
- int ok = tmp != NULL &&
- BN_to_montgomery(tmp, a, mont, ctx) &&
+ int ok = tmp != NULL && BN_to_montgomery(tmp, a, mont, ctx) &&
 BN_mod_mul_montgomery(r, tmp, b, mont, ctx);
 BN_CTX_end(ctx);
 return ok;
@@ -670,8 +661,7 @@ DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) {
 // (The underlying algorithms could accept looser bounds, but we reduce for
 // simplicity.)
 size_t q_width = bn_minimal_width(dsa->q);
- if (!bn_resize_words(&m, q_width) ||
- !bn_resize_words(&xr, q_width)) {
+ if (!bn_resize_words(&m, q_width) || !bn_resize_words(&xr, q_width)) {
 goto err;
 }
 bn_reduce_once_in_place(m.d, 0 /* no carry word */, dsa->q->d,
diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c
index 0e9dd56c2d..ebbfc1bf9f 100644
--- a/crypto/dsa/dsa_asn1.c
+++ b/crypto/dsa/dsa_asn1.c
@@ -61,9 +61,9 @@
 #include
 #include
-#include "internal.h"
 #include "../bytestring/internal.h"
 #include "../crypto/internal.h"
+#include "internal.h"
 #define OPENSSL_DSA_MAX_MODULUS_BITS 10000
@@ -156,8 +156,7 @@ DSA_SIG *DSA_SIG_parse(CBS *cbs) {
 }
 CBS child;
 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
- !parse_integer(&child, &ret->r) ||
- !parse_integer(&child, &ret->s) ||
+ !parse_integer(&child, &ret->r) || !parse_integer(&child, &ret->s) ||
 CBS_len(&child) != 0) {
 OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
 DSA_SIG_free(ret);
@@ -169,8 +168,7 @@ DSA_SIG *DSA_SIG_parse(CBS *cbs) {
 int DSA_SIG_marshal(CBB *cbb, const DSA_SIG *sig) {
 CBB child;
 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
- !marshal_integer(&child, sig->r) ||
- !marshal_integer(&child, sig->s) ||
+ !marshal_integer(&child, sig->r) || !marshal_integer(&child, sig->s) ||
 !CBB_flush(cbb)) {
 OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);
 return 0;
@@ -186,10 +184,8 @@ DSA *DSA_parse_public_key(CBS *cbs) {
 CBS child;
 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
 !parse_integer(&child, &ret->pub_key) ||
- !parse_integer(&child, &ret->p) ||
- !parse_integer(&child, &ret->q) ||
- !parse_integer(&child, &ret->g) ||
- CBS_len(&child) != 0) {
+ !parse_integer(&child, &ret->p) || !parse_integer(&child, &ret->q) ||
+ !parse_integer(&child, &ret->g) || CBS_len(&child) != 0) {
 OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
 goto err;
 }
@@ -207,10 +203,8 @@ int DSA_marshal_public_key(CBB *cbb, const DSA *dsa) {
 CBB child;
 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
 !marshal_integer(&child, dsa->pub_key) ||
- !marshal_integer(&child, dsa->p) ||
- !marshal_integer(&child, dsa->q) ||
- !marshal_integer(&child, dsa->g) ||
- !CBB_flush(cbb)) {
+ !marshal_integer(&child, dsa->p) || !marshal_integer(&child, dsa->q) ||
+ !marshal_integer(&child, dsa->g) || !CBB_flush(cbb)) {
 OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);
 return 0;
 }
@@ -224,10 +218,8 @@ DSA *DSA_parse_parameters(CBS *cbs) {
 }
 CBS child;
 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
- !parse_integer(&child, &ret->p) ||
- !parse_integer(&child, &ret->q) ||
- !parse_integer(&child, &ret->g) ||
- CBS_len(&child) != 0) {
+ !parse_integer(&child, &ret->p) || !parse_integer(&child, &ret->q) ||
+ !parse_integer(&child, &ret->g) || CBS_len(&child) != 0) {
 OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
 goto err;
 }
@@ -244,10 +236,8 @@ DSA *DSA_parse_parameters(CBS *cbs) {
 int DSA_marshal_parameters(CBB *cbb, const DSA *dsa) {
 CBB child;
 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
- !marshal_integer(&child, dsa->p) ||
- !marshal_integer(&child, dsa->q) ||
- !marshal_integer(&child, dsa->g) ||
- !CBB_flush(cbb)) {
+ !marshal_integer(&child, dsa->p) || !marshal_integer(&child, dsa->q) ||
+ !marshal_integer(&child, dsa->g) || !CBB_flush(cbb)) {
 OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);
 return 0;
 }
@@ -273,12 +263,10 @@ DSA *DSA_parse_private_key(CBS *cbs) {
 goto err;
 }
- if (!parse_integer(&child, &ret->p) ||
- !parse_integer(&child, &ret->q) ||
+ if (!parse_integer(&child, &ret->p) || !parse_integer(&child, &ret->q) ||
 !parse_integer(&child, &ret->g) ||
 !parse_integer(&child, &ret->pub_key) ||
- !parse_integer(&child, &ret->priv_key) ||
- CBS_len(&child) != 0) {
+ !parse_integer(&child, &ret->priv_key) || CBS_len(&child) != 0) {
 OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
 goto err;
 }
@@ -297,12 +285,10 @@ int DSA_marshal_private_key(CBB *cbb, const DSA *dsa) {
 CBB child;
 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
 !CBB_add_asn1_uint64(&child, 0 /* version */) ||
- !marshal_integer(&child, dsa->p) ||
- !marshal_integer(&child, dsa->q) ||
+ !marshal_integer(&child, dsa->p) || !marshal_integer(&child, dsa->q) ||
 !marshal_integer(&child, dsa->g) ||
 !marshal_integer(&child, dsa->pub_key) ||
- !marshal_integer(&child, dsa->priv_key) ||
- !CBB_flush(cbb)) {
+ !marshal_integer(&child, dsa->priv_key) || !CBB_flush(cbb)) {
 OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);
 return 0;
 }
@@ -329,8 +315,7 @@ DSA_SIG *d2i_DSA_SIG(DSA_SIG **out_sig, const uint8_t **inp, long len) {
 int i2d_DSA_SIG(const DSA_SIG *in, uint8_t **outp) {
 CBB cbb;
- if (!CBB_init(&cbb, 0) ||
- !DSA_SIG_marshal(&cbb, in)) {
+ if (!CBB_init(&cbb, 0) || !DSA_SIG_marshal(&cbb, in)) {
 CBB_cleanup(&cbb);
 return -1;
 }
@@ -357,8 +342,7 @@ DSA *d2i_DSAPublicKey(DSA **out, const uint8_t **inp, long len) {
 int i2d_DSAPublicKey(const DSA *in, uint8_t **outp) {
 CBB cbb;
- if (!CBB_init(&cbb, 0) ||
- !DSA_marshal_public_key(&cbb, in)) {
+ if (!CBB_init(&cbb, 0) || !DSA_marshal_public_key(&cbb, in)) {
 CBB_cleanup(&cbb);
 return -1;
 }
@@ -385,8 +369,7 @@ DSA *d2i_DSAPrivateKey(DSA **out, const uint8_t **inp, long len) {
 int i2d_DSAPrivateKey(const DSA *in, uint8_t **outp) {
 CBB cbb;
- if (!CBB_init(&cbb, 0) ||
- !DSA_marshal_private_key(&cbb, in)) {
+ if (!CBB_init(&cbb, 0) || !DSA_marshal_private_key(&cbb, in)) {
 CBB_cleanup(&cbb);
 return -1;
 }
@@ -413,8 +396,7 @@ DSA *d2i_DSAparams(DSA **out, const uint8_t **inp, long len) {
 int i2d_DSAparams(const DSA *in, uint8_t **outp) {
 CBB cbb;
- if (!CBB_init(&cbb, 0) ||
- !DSA_marshal_parameters(&cbb, in)) {
+ if (!CBB_init(&cbb, 0) || !DSA_marshal_parameters(&cbb, in)) {
 CBB_cleanup(&cbb);
 return -1;
 }
diff --git a/crypto/dsa/dsa_test.cc b/crypto/dsa/dsa_test.cc
index 2b4744170c..556a6a5674 100644
--- a/crypto/dsa/dsa_test.cc
+++ b/crypto/dsa/dsa_test.cc
@@ -79,8 +79,8 @@
 // and also appear in Appendix 5 to FIPS PUB 186-1.
 static const uint8_t seed[20] = {
- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b,
- 0x40, 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3,
+ 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21,
+ 0x1b, 0x40, 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3,
 };
 static const uint8_t fips_p[] = {
@@ -93,8 +93,8 @@ static const uint8_t fips_p[] = {
 };
 static const uint8_t fips_q[] = {
- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, 0x99, 0x3b, 0x4f,
- 0x2d, 0xed, 0x30, 0xf4, 0x8e, 0xda, 0xce, 0x91, 0x5f,
+ 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, 0x99, 0x3b,
+ 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e, 0xda, 0xce, 0x91, 0x5f,
 };
 static const uint8_t fips_g[] = {
@@ -107,8 +107,8 @@ static const uint8_t fips_g[] = {
 };
 static const uint8_t fips_x[] = {
- 0x20, 0x70, 0xb3, 0x22, 0x3d, 0xba, 0x37, 0x2f, 0xde, 0x1c, 0x0f,
- 0xfc, 0x7b, 0x2e, 0x3b, 0x49, 0x8b, 0x26, 0x06, 0x14,
+ 0x20, 0x70, 0xb3, 0x22, 0x3d, 0xba, 0x37, 0x2f, 0xde, 0x1c,
+ 0x0f, 0xfc, 0x7b, 0x2e, 0x3b, 0x49, 0x8b, 0x26, 0x06, 0x14,
 };
 static const uint8_t fips_y[] = {
@@ -121,53 +121,49 @@ static const uint8_t fips_y[] = { }; static const uint8_t fips_digest[] = { - 0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e, 0x25, - 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d, + 0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e, + 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d, }; // fips_sig is a DER-encoded version of the r and s values in FIPS PUB 186-1. static const uint8_t fips_sig[] = { - 0x30, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10, - 0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92, - 0xb3, 0x41, 0xc0, 0x02, 0x14, 0x41, 0xe2, 0x34, 0x5f, 0x1f, 0x56, - 0xdf, 0x24, 0x58, 0xf4, 0x26, 0xd1, 0x55, 0xb4, 0xba, 0x2d, 0xb6, - 0xdc, 0xd8, 0xc8, + 0x30, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10, 0x43, + 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92, 0xb3, 0x41, + 0xc0, 0x02, 0x14, 0x41, 0xe2, 0x34, 0x5f, 0x1f, 0x56, 0xdf, 0x24, 0x58, + 0xf4, 0x26, 0xd1, 0x55, 0xb4, 0xba, 0x2d, 0xb6, 0xdc, 0xd8, 0xc8, }; // fips_sig_negative is fips_sig with r encoded as a negative number. static const uint8_t fips_sig_negative[] = { - 0x30, 0x2c, 0x02, 0x14, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10, 0x43, - 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92, 0xb3, - 0x41, 0xc0, 0x02, 0x14, 0x41, 0xe2, 0x34, 0x5f, 0x1f, 0x56, 0xdf, - 0x24, 0x58, 0xf4, 0x26, 0xd1, 0x55, 0xb4, 0xba, 0x2d, 0xb6, 0xdc, - 0xd8, 0xc8, + 0x30, 0x2c, 0x02, 0x14, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10, 0x43, 0x5c, + 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92, 0xb3, 0x41, 0xc0, + 0x02, 0x14, 0x41, 0xe2, 0x34, 0x5f, 0x1f, 0x56, 0xdf, 0x24, 0x58, 0xf4, + 0x26, 0xd1, 0x55, 0xb4, 0xba, 0x2d, 0xb6, 0xdc, 0xd8, 0xc8, }; // fip_sig_extra is fips_sig with trailing data. 
static const uint8_t fips_sig_extra[] = { - 0x30, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10, - 0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92, - 0xb3, 0x41, 0xc0, 0x02, 0x14, 0x41, 0xe2, 0x34, 0x5f, 0x1f, 0x56, - 0xdf, 0x24, 0x58, 0xf4, 0x26, 0xd1, 0x55, 0xb4, 0xba, 0x2d, 0xb6, - 0xdc, 0xd8, 0xc8, 0x00, + 0x30, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10, 0x43, + 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92, 0xb3, 0x41, + 0xc0, 0x02, 0x14, 0x41, 0xe2, 0x34, 0x5f, 0x1f, 0x56, 0xdf, 0x24, 0x58, + 0xf4, 0x26, 0xd1, 0x55, 0xb4, 0xba, 0x2d, 0xb6, 0xdc, 0xd8, 0xc8, 0x00, }; // fips_sig_lengths is fips_sig with a non-minimally encoded length. static const uint8_t fips_sig_bad_length[] = { - 0x30, 0x81, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64, - 0x10, 0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, - 0x92, 0xb3, 0x41, 0xc0, 0x02, 0x14, 0x41, 0xe2, 0x34, 0x5f, 0x1f, - 0x56, 0xdf, 0x24, 0x58, 0xf4, 0x26, 0xd1, 0x55, 0xb4, 0xba, 0x2d, - 0xb6, 0xdc, 0xd8, 0xc8, 0x00, + 0x30, 0x81, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, + 0x64, 0x10, 0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, + 0xb9, 0x7c, 0x92, 0xb3, 0x41, 0xc0, 0x02, 0x14, 0x41, 0xe2, + 0x34, 0x5f, 0x1f, 0x56, 0xdf, 0x24, 0x58, 0xf4, 0x26, 0xd1, + 0x55, 0xb4, 0xba, 0x2d, 0xb6, 0xdc, 0xd8, 0xc8, 0x00, }; // fips_sig_bad_r is fips_sig with a bad r value. 
static const uint8_t fips_sig_bad_r[] = { - 0x30, 0x2d, 0x02, 0x15, 0x00, 0x8c, 0xac, 0x1a, 0xb6, 0x64, 0x10, - 0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92, - 0xb3, 0x41, 0xc0, 0x02, 0x14, 0x41, 0xe2, 0x34, 0x5f, 0x1f, 0x56, - 0xdf, 0x24, 0x58, 0xf4, 0x26, 0xd1, 0x55, 0xb4, 0xba, 0x2d, 0xb6, - 0xdc, 0xd8, 0xc8, + 0x30, 0x2d, 0x02, 0x15, 0x00, 0x8c, 0xac, 0x1a, 0xb6, 0x64, 0x10, 0x43, + 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92, 0xb3, 0x41, + 0xc0, 0x02, 0x14, 0x41, 0xe2, 0x34, 0x5f, 0x1f, 0x56, 0xdf, 0x24, 0x58, + 0xf4, 0x26, 0xd1, 0x55, 0xb4, 0xba, 0x2d, 0xb6, 0xdc, 0xd8, 0xc8, }; static bssl::UniquePtr GetFIPSDSAGroup(void) { @@ -427,7 +423,8 @@ TEST(DSATest, DSAPrint) { size_t len; BIO_mem_contents(bio.get(), &data, &len); - const char *expected = "" + const char *expected = + "" " Private-Key: (512 bit)\n" " priv:\n" " 20:70:b3:22:3d:ba:37:2f:de:1c:0f:fc:7b:2e:3b:\n" diff --git a/crypto/dynamic_loading_test.c b/crypto/dynamic_loading_test.c index 1c74565dbc..81e5d1b30c 100644 --- a/crypto/dynamic_loading_test.c +++ b/crypto/dynamic_loading_test.c @@ -22,10 +22,10 @@ #ifdef LIBCRYPTO_PATH -#include -#include #include #include +#include +#include typedef void (*fp_lc_clear_error_t)(void); typedef int (*fp_lc_tl_func_t)(void); @@ -57,7 +57,7 @@ static void *cycle_thread_local_setup(void *lc_so) { } static void *load_unload(void *ctx) { - const char* path = ctx; + const char *path = ctx; void *lc_so = dlopen(path, RTLD_NOW); fp_lc_tl_func_t lc_tl_shutdown = dlsym(lc_so, "AWSLC_thread_local_shutdown"); @@ -96,7 +96,8 @@ static void *load_unload(void *ctx) { int main(int argc, char *argv[]) { pthread_t thread_id; - if (pthread_create(&thread_id, NULL, load_unload, (void*)DYNAMIC_LIBRARY_PATH)) { + if (pthread_create(&thread_id, NULL, load_unload, + (void *)DYNAMIC_LIBRARY_PATH)) { fprintf(stderr, "Call to pthread_create in main failed."); exit(1); } 
@@ -118,4 +119,4 @@ int main(int argc, char **argv) {
 return 0;
 }
-#endif // LIBCRYPTO_PATH
+#endif // LIBCRYPTO_PATH
diff --git a/crypto/ec_extra/ec_derive.c b/crypto/ec_extra/ec_derive.c
index efc95f2010..7d50503bdd 100644
--- a/crypto/ec_extra/ec_derive.c
+++ b/crypto/ec_extra/ec_derive.c
@@ -16,9 +16,9 @@
 #include
+#include
 #include
 #include
-#include
 #include
 #include
diff --git a/crypto/ec_extra/hash_to_curve.c b/crypto/ec_extra/hash_to_curve.c
index 647d86cbc0..fbd69a1826 100644
--- a/crypto/ec_extra/hash_to_curve.c
+++ b/crypto/ec_extra/hash_to_curve.c
@@ -21,10 +21,10 @@
 #include
-#include "internal.h"
 #include "../fipsmodule/bn/internal.h"
 #include "../fipsmodule/ec/internal.h"
 #include "../internal.h"
+#include "internal.h"
 // This file implements hash-to-curve, as described in RFC 9380.
@@ -145,8 +145,7 @@ static int num_bytes_to_derive(size_t *out, const BIGNUM *modulus, unsigned k) {
 // |felem_reduce| and |ec_scalar_reduce|. All defined hash-to-curve suites
 // define |k| to be well under this bound. (|k| is usually around half of
 // |p_bits|.)
- if (L * 8 >= 2 * bits - 2 ||
- L > 2 * EC_MAX_BYTES) {
+ if (L * 8 >= 2 * bits - 2 || L > 2 * EC_MAX_BYTES) {
 assert(0);
 OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
 return 0;
@@ -450,9 +449,9 @@ int EC_hash_to_curve_p384_xmd_sha384_sswu(const EC_GROUP *group, EC_POINT *out,
 msg, msg_len);
 }
-int ec_hash_to_scalar_p384_xmd_sha384(
- const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len,
- const uint8_t *msg, size_t msg_len) {
+int ec_hash_to_scalar_p384_xmd_sha384(const EC_GROUP *group, EC_SCALAR *out,
+ const uint8_t *dst, size_t dst_len,
+ const uint8_t *msg, size_t msg_len) {
 if (EC_GROUP_get_curve_name(group) != NID_secp384r1) {
 OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);
 return 0;
@@ -463,8 +462,8 @@ int ec_hash_to_scalar_p384_xmd_sha384( } int ec_hash_to_curve_p384_xmd_sha512_sswu_draft07( - const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, - size_t dst_len, const uint8_t *msg, size_t msg_len) { + const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, + const uint8_t *msg, size_t msg_len) { // See section 8.3 of draft-irtf-cfrg-hash-to-curve-07. if (EC_GROUP_get_curve_name(group) != NID_secp384r1) { OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH); diff --git a/crypto/ecdh_extra/ecdh_extra.c b/crypto/ecdh_extra/ecdh_extra.c index da38592dfe..7f614ccb15 100644 --- a/crypto/ecdh_extra/ecdh_extra.c +++ b/crypto/ecdh_extra/ecdh_extra.c @@ -81,7 +81,6 @@ int ECDH_compute_key(void *out, size_t out_len, const EC_POINT *pub_key, const EC_KEY *priv_key, void *(*kdf)(const void *in, size_t inlen, void *out, size_t *out_len)) { - uint8_t buf[EC_MAX_BYTES]; size_t buf_len = sizeof(buf); diff --git a/crypto/ecdh_extra/ecdh_test.cc b/crypto/ecdh_extra/ecdh_test.cc index eaa29956b6..7267066c90 100644 --- a/crypto/ecdh_extra/ecdh_test.cc +++ b/crypto/ecdh_extra/ecdh_test.cc @@ -69,7 +69,8 @@ static bssl::UniquePtr GetBIGNUM(FileTest *t, const char *key) { return nullptr; } - return bssl::UniquePtr(BN_bin2bn(bytes.data(), bytes.size(), nullptr)); + return bssl::UniquePtr( + BN_bin2bn(bytes.data(), bytes.size(), nullptr)); } TEST(ECDHTest, TestVectors) { 
@@ -150,91 +151,88 @@ TEST(ECDHTest, InvalidPubKeyLargeCoord) { bssl::UniquePtr ctx(BN_CTX_new()); ASSERT_TRUE(ctx); - FileTestGTest("crypto/fipsmodule/ec/large_x_coordinate_points.txt", - [&](FileTest *t) { - int ret; - const EC_GROUP *group = GetCurve(t, "Curve"); - ASSERT_TRUE(group); - bssl::UniquePtr x = GetBIGNUM(t, "X"); - ASSERT_TRUE(x); - bssl::UniquePtr xpp = GetBIGNUM(t, "XplusP"); - ASSERT_TRUE(xpp); - bssl::UniquePtr y = GetBIGNUM(t, "Y"); - ASSERT_TRUE(y); - bssl::UniquePtr peer_key(EC_KEY_new()); - ASSERT_TRUE(peer_key); - bssl::UniquePtr pub_key(EC_POINT_new(group)); - ASSERT_TRUE(pub_key); - bssl::UniquePtr priv_key(EC_KEY_new()); - // Own private key - ASSERT_TRUE(priv_key); - ASSERT_TRUE(EC_KEY_set_group(priv_key.get(), group)); - // Generate a generic ec key. - EC_KEY_generate_key(priv_key.get()); - - size_t len = BN_num_bytes(&group->field.N); // Modulus byte-length - std::vector shared_key((group->curve_name == NID_secp521r1) ? - SHA512_DIGEST_LENGTH : len); - - ASSERT_TRUE(EC_KEY_set_group(peer_key.get(), group)); - - // |EC_POINT_set_affine_coordinates_GFp| sets given (x, y) according to the - // form the curve is using. If the curve is using Montgomery form, |x| and - // |y| will be converted to Montgomery form. - ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp( - group, pub_key.get(), x.get(), y.get(), nullptr)); - ASSERT_TRUE(EC_KEY_set_public_key(peer_key.get(), pub_key.get())); - ASSERT_TRUE(ECDH_compute_key_fips( - shared_key.data(), shared_key.size(), - EC_KEY_get0_public_key(peer_key.get()), priv_key.get())); - - // Ensure the pointers were not affected. - ASSERT_TRUE(peer_key.get()); - ASSERT_TRUE(pub_key.get()); - - // Set the raw point directly with the BIGNUM coordinates. - // Note that both are in little-endian byte order. 
- OPENSSL_memcpy(peer_key.get()->pub_key->raw.X.words, - x.get()->d, len); - OPENSSL_memcpy(peer_key.get()->pub_key->raw.Y.words, - y.get()->d, len); - OPENSSL_memset(peer_key.get()->pub_key->raw.Z.words, 0, len); - peer_key.get()->pub_key->raw.Z.words[0] = 1; - - // |ECDH_compute_key_fips| calls |EC_KEY_check_fips| that calls - // |EC_KEY_check_key| function which checks if the computed key point is on - // the curve (among other checks). If the curve uses Montgomery form then - // the point-on-curve check will fail because we set the raw point - // coordinates in regular form above. - ret = ECDH_compute_key_fips(shared_key.data(), shared_key.size(), - EC_KEY_get0_public_key(peer_key.get()), - priv_key.get()); - - int curve_nid = group->curve_name; - if (!is_curve_using_mont_felem_impl(curve_nid)) { - ASSERT_TRUE(ret); - } else { - ASSERT_FALSE(ret); - // Fails in |EC_KEY_check_fips|. - EXPECT_EQ(EC_R_PUBLIC_KEY_VALIDATION_FAILED, - ERR_GET_REASON(ERR_peek_last_error())); - } - ASSERT_TRUE(peer_key.get()); - ASSERT_TRUE(pub_key.get()); - - // Now replace the x-coordinate with the larger one, x+p; - OPENSSL_memcpy(peer_key.get()->pub_key->raw.X.words, - xpp.get()->d, len); - ret = ECDH_compute_key_fips(shared_key.data(), shared_key.size(), - EC_KEY_get0_public_key(peer_key.get()), - priv_key.get()); - ASSERT_FALSE(ret); - EXPECT_EQ(EC_R_PUBLIC_KEY_VALIDATION_FAILED, - ERR_GET_REASON(ERR_peek_last_error())); - - ASSERT_TRUE(peer_key.get()); - ASSERT_TRUE(pub_key.get()); - }); + FileTestGTest( + "crypto/fipsmodule/ec/large_x_coordinate_points.txt", [&](FileTest *t) { + int ret; + const EC_GROUP *group = GetCurve(t, "Curve"); + ASSERT_TRUE(group); + bssl::UniquePtr x = GetBIGNUM(t, "X"); + ASSERT_TRUE(x); + bssl::UniquePtr xpp = GetBIGNUM(t, "XplusP"); + ASSERT_TRUE(xpp); + bssl::UniquePtr y = GetBIGNUM(t, "Y"); + ASSERT_TRUE(y); + bssl::UniquePtr peer_key(EC_KEY_new()); + ASSERT_TRUE(peer_key); + bssl::UniquePtr pub_key(EC_POINT_new(group)); + ASSERT_TRUE(pub_key); + 
bssl::UniquePtr priv_key(EC_KEY_new()); + // Own private key + ASSERT_TRUE(priv_key); + ASSERT_TRUE(EC_KEY_set_group(priv_key.get(), group)); + // Generate a generic ec key. + EC_KEY_generate_key(priv_key.get()); + + size_t len = BN_num_bytes(&group->field.N); // Modulus byte-length + std::vector shared_key( + (group->curve_name == NID_secp521r1) ? SHA512_DIGEST_LENGTH : len); + + ASSERT_TRUE(EC_KEY_set_group(peer_key.get(), group)); + + // |EC_POINT_set_affine_coordinates_GFp| sets given (x, y) according to + // the form the curve is using. If the curve is using Montgomery form, + // |x| and |y| will be converted to Montgomery form. + ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp( + group, pub_key.get(), x.get(), y.get(), nullptr)); + ASSERT_TRUE(EC_KEY_set_public_key(peer_key.get(), pub_key.get())); + ASSERT_TRUE(ECDH_compute_key_fips( + shared_key.data(), shared_key.size(), + EC_KEY_get0_public_key(peer_key.get()), priv_key.get())); + + // Ensure the pointers were not affected. + ASSERT_TRUE(peer_key.get()); + ASSERT_TRUE(pub_key.get()); + + // Set the raw point directly with the BIGNUM coordinates. + // Note that both are in little-endian byte order. + OPENSSL_memcpy(peer_key.get()->pub_key->raw.X.words, x.get()->d, len); + OPENSSL_memcpy(peer_key.get()->pub_key->raw.Y.words, y.get()->d, len); + OPENSSL_memset(peer_key.get()->pub_key->raw.Z.words, 0, len); + peer_key.get()->pub_key->raw.Z.words[0] = 1; + + // |ECDH_compute_key_fips| calls |EC_KEY_check_fips| that calls + // |EC_KEY_check_key| function which checks if the computed key point is + // on the curve (among other checks). If the curve uses Montgomery form + // then the point-on-curve check will fail because we set the raw point + // coordinates in regular form above. 
+ ret = ECDH_compute_key_fips(shared_key.data(), shared_key.size(), + EC_KEY_get0_public_key(peer_key.get()), + priv_key.get()); + + int curve_nid = group->curve_name; + if (!is_curve_using_mont_felem_impl(curve_nid)) { + ASSERT_TRUE(ret); + } else { + ASSERT_FALSE(ret); + // Fails in |EC_KEY_check_fips|. + EXPECT_EQ(EC_R_PUBLIC_KEY_VALIDATION_FAILED, + ERR_GET_REASON(ERR_peek_last_error())); + } + ASSERT_TRUE(peer_key.get()); + ASSERT_TRUE(pub_key.get()); + + // Now replace the x-coordinate with the larger one, x+p; + OPENSSL_memcpy(peer_key.get()->pub_key->raw.X.words, xpp.get()->d, len); + ret = ECDH_compute_key_fips(shared_key.data(), shared_key.size(), + EC_KEY_get0_public_key(peer_key.get()), + priv_key.get()); + ASSERT_FALSE(ret); + EXPECT_EQ(EC_R_PUBLIC_KEY_VALIDATION_FAILED, + ERR_GET_REASON(ERR_peek_last_error())); + + ASSERT_TRUE(peer_key.get()); + ASSERT_TRUE(pub_key.get()); + }); } static void RunWycheproofTest(FileTest *t) { diff --git a/crypto/ecdsa_extra/ecdsa_asn1.c b/crypto/ecdsa_extra/ecdsa_asn1.c index 503e8c7462..5471953847 100644 --- a/crypto/ecdsa_extra/ecdsa_asn1.c +++ b/crypto/ecdsa_extra/ecdsa_asn1.c @@ -57,8 +57,8 @@ #include #include -#include #include +#include #include #include "../bytestring/internal.h" @@ -90,8 +90,7 @@ ECDSA_SIG *ECDSA_SIG_parse(CBS *cbs) { CBS child; if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) || !BN_parse_asn1_unsigned(&child, ret->r) || - !BN_parse_asn1_unsigned(&child, ret->s) || - CBS_len(&child) != 0) { + !BN_parse_asn1_unsigned(&child, ret->s) || CBS_len(&child) != 0) { OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE); ECDSA_SIG_free(ret); return NULL; 
@@ -114,8 +113,7 @@ ECDSA_SIG *ECDSA_SIG_from_bytes(const uint8_t *in, size_t in_len) {
 int ECDSA_SIG_marshal(CBB *cbb, const ECDSA_SIG *sig) {
 CBB child;
 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
- !BN_marshal_asn1(&child, sig->r) ||
- !BN_marshal_asn1(&child, sig->s) ||
+ !BN_marshal_asn1(&child, sig->r) || !BN_marshal_asn1(&child, sig->s) ||
 !CBB_flush(cbb)) {
 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
 return 0;
@@ -127,8 +125,7 @@ int ECDSA_SIG_to_bytes(uint8_t **out_bytes, size_t *out_len,
 const ECDSA_SIG *sig) {
 CBB cbb;
 CBB_zero(&cbb);
- if (!CBB_init(&cbb, 0) ||
- !ECDSA_SIG_marshal(&cbb, sig) ||
+ if (!CBB_init(&cbb, 0) || !ECDSA_SIG_marshal(&cbb, sig) ||
 !CBB_finish(&cbb, out_bytes, out_len)) {
 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
 CBB_cleanup(&cbb);
@@ -191,8 +188,7 @@ ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **out, const uint8_t **inp, long len) {
 int i2d_ECDSA_SIG(const ECDSA_SIG *sig, uint8_t **outp) {
 CBB cbb;
- if (!CBB_init(&cbb, 0) ||
- !ECDSA_SIG_marshal(&cbb, sig)) {
+ if (!CBB_init(&cbb, 0) || !ECDSA_SIG_marshal(&cbb, sig)) {
 CBB_cleanup(&cbb);
 return -1;
 }
diff --git a/crypto/endian_test.cc b/crypto/endian_test.cc
index 040c62f0b4..6fc8565b0d 100644
--- a/crypto/endian_test.cc
+++ b/crypto/endian_test.cc
@@ -56,8 +56,8 @@ TEST(EndianTest, wordOperations) {
 size_t val = 0x123456789abcdef0;
 uint8_t expected_le[8] = {0xf0, 0xde, 0xbc, 0x9a, 0x78, 0x56, 0x34, 0x12};
 #else
-size_t val = 0x12345678;
-uint8_t expected_le[4] = {0x78, 0x56, 0x34, 0x12};
+ size_t val = 0x12345678;
+ uint8_t expected_le[4] = {0x78, 0x56, 0x34, 0x12};
 #endif
 CRYPTO_store_word_le(buffer, val);
@@ -82,7 +82,8 @@ TEST(EndianTest, TestRotate32) { TEST(EndianTest, TestRotate64) { uint64_t value = 0b0000001000000000000000000000000000010000000000000000000000; - uint64_t expected = 0b0010000000000000000000000000000100000000000000000000000000; + uint64_t expected = + 0b0010000000000000000000000000000100000000000000000000000000; uint64_t rotl_by = 4; uint64_t rotr_by = 64 - rotl_by; @@ -147,12 +148,13 @@ TEST(EndianTest, BN_bin2bn) { input[255] = 0x02; ASSERT_NE(nullptr, BN_bin2bn(input, sizeof(input), x.get())); EXPECT_FALSE(BN_is_zero(x.get())); - for (size_t i = 1; i < (sizeof(input)*8/BN_BITS2) - 1; i++) { + for (size_t i = 1; i < (sizeof(input) * 8 / BN_BITS2) - 1; i++) { SCOPED_TRACE(i); EXPECT_EQ((uint64_t)0, x.get()->d[i]); } EXPECT_EQ((uint64_t)0x0102, x.get()->d[0]); - EXPECT_EQ((uint64_t)0xaa01 << (BN_BITS2-16), x.get()->d[(256*8/BN_BITS2)-1]); + EXPECT_EQ((uint64_t)0xaa01 << (BN_BITS2 - 16), + x.get()->d[(256 * 8 / BN_BITS2) - 1]); } TEST(EndianTest, BN_le2bn) { @@ -165,12 +167,13 @@ TEST(EndianTest, BN_le2bn) { input[255] = 0x02; ASSERT_NE(nullptr, BN_le2bn(input, sizeof(input), x.get())); EXPECT_FALSE(BN_is_zero(x.get())); - for (int i = 1; i < (256*8/BN_BITS2) - 1; i++) { + for (int i = 1; i < (256 * 8 / BN_BITS2) - 1; i++) { SCOPED_TRACE(i); EXPECT_EQ((uint64_t)0, x.get()->d[i]); } EXPECT_EQ((uint64_t)0x01aa, x.get()->d[0]); - EXPECT_EQ((uint64_t)0x0201 << (BN_BITS2-16), x.get()->d[(256*8/BN_BITS2)-1]); + EXPECT_EQ((uint64_t)0x0201 << (BN_BITS2 - 16), + x.get()->d[(256 * 8 / BN_BITS2) - 1]); } // This test creates a BIGNUM, where 255 bytes are significant. 
@@ -186,11 +189,12 @@ TEST(EndianTest, BN_le2bn_255) { input[254] = 0x01; ASSERT_TRUE(BN_le2bn(input, sizeof(input), x.get())); EXPECT_FALSE(BN_is_zero(x.get())); - for (size_t i = 1; i <= (255/sizeof(BN_ULONG)) - 1; i++) { + for (size_t i = 1; i <= (255 / sizeof(BN_ULONG)) - 1; i++) { EXPECT_EQ((BN_ULONG)0, x.get()->d[i]); } EXPECT_EQ((BN_ULONG)0x01aa, x.get()->d[0]); - EXPECT_EQ((BN_ULONG)0x01 << (BN_BITS2-16), x.get()->d[255/sizeof(BN_ULONG)]); + EXPECT_EQ((BN_ULONG)0x01 << (BN_BITS2 - 16), + x.get()->d[255 / sizeof(BN_ULONG)]); } TEST(EndianTest, BN_bn2bin) { @@ -283,10 +287,11 @@ TEST(EndianTest, BN_bn2bin_padded) { TEST(EndianTest, AES) { // Initialize the key and message buffers with zeros - uint8_t key[16] = {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22, 0x33, - 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x50}; - uint8_t message[AES_BLOCK_SIZE] = {0x50, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, - 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}; + uint8_t key[16] = {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22, + 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x50}; + uint8_t message[AES_BLOCK_SIZE] = {0x50, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, + 0xff, 0x11, 0x22, 0x33, 0x44, 0x55, + 0x66, 0x77, 0x88, 0x99}; // Allocate buffer to store the encrypted message uint8_t encrypted_message[AES_BLOCK_SIZE]; @@ -298,8 +303,8 @@ TEST(EndianTest, AES) { AES_encrypt(message, encrypted_message, &aes_key); const uint8_t known_value_bytes[AES_BLOCK_SIZE] = { - 0x5e, 0x3e, 0x8e, 0x76, 0xf4, 0xf2, 0x7d, 0x41, 0x35, 0x86, 0x96, 0xb5, 0x57, 0x2d, 0xd5, 0xc6 - }; + 0x5e, 0x3e, 0x8e, 0x76, 0xf4, 0xf2, 0x7d, 0x41, + 0x35, 0x86, 0x96, 0xb5, 0x57, 0x2d, 0xd5, 0xc6}; EXPECT_EQ(Bytes(known_value_bytes), Bytes(encrypted_message)); } diff --git a/crypto/engine/engine.c b/crypto/engine/engine.c index e08dbb34fa..afda077393 100644 --- a/crypto/engine/engine.c +++ b/crypto/engine/engine.c @@ -14,8 +14,8 @@ #include -#include #include +#include #include #include 
@@ -23,8 +23,8 @@
 #include
 #include
-#include "../internal.h"
 #include "../crypto/fipsmodule/ec/internal.h"
+#include "../internal.h"
 struct engine_st {
@@ -40,7 +40,7 @@ int ENGINE_free(ENGINE *engine) {
 }
 int ENGINE_set_RSA(ENGINE *engine, const RSA_METHOD *method) {
- if(!engine) {
+ if (!engine) {
 OPENSSL_PUT_ERROR(ENGINE, ERR_R_PASSED_NULL_PARAMETER);
 return 0;
 }
@@ -50,14 +50,15 @@ int ENGINE_set_RSA(ENGINE *engine, const RSA_METHOD *method) {
 }
 const RSA_METHOD *ENGINE_get_RSA(const ENGINE *engine) {
- if(engine) {
- return engine->rsa_method;;
+ if (engine) {
+ return engine->rsa_method;
+ ;
 }
 return NULL;
 }
 int ENGINE_set_EC(ENGINE *engine, const EC_KEY_METHOD *method) {
- if(!engine) {
+ if (!engine) {
 OPENSSL_PUT_ERROR(ENGINE, ERR_R_PASSED_NULL_PARAMETER);
 return 0;
 }
@@ -67,7 +68,7 @@ int ENGINE_set_EC(ENGINE *engine, const EC_KEY_METHOD *method) {
 }
 const EC_KEY_METHOD *ENGINE_get_EC(const ENGINE *engine) {
- if(engine) {
+ if (engine) {
 return engine->eckey_method;
 }
 return NULL;
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 8687c738de..61e8f019db 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -395,19 +395,15 @@ int ERR_get_next_error_library(void) {
 return ret;
 }
-void ERR_remove_state(unsigned long pid) {
- ERR_clear_error();
-}
+void ERR_remove_state(unsigned long pid) { ERR_clear_error(); }
-void ERR_clear_system_error(void) {
- errno = 0;
-}
+void ERR_clear_system_error(void) { errno = 0; }
 // err_string_cmp is a compare function for searching error values with
 // |bsearch| in |err_string_lookup|.
 static int err_string_cmp(const void *a, const void *b) {
- const uint32_t a_key = *((const uint32_t*) a) >> 15;
- const uint32_t b_key = *((const uint32_t*) b) >> 15;
+ const uint32_t a_key = *((const uint32_t *)a) >> 15;
+ const uint32_t b_key = *((const uint32_t *)b) >> 15;
 if (a_key < b_key) {
 return -1;
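Review bot: ENGINE_get_RSA still contains an empty statement after this hunk: the second `;` of `return engine->rsa_method;;` was moved onto its own line by the formatter instead of being deleted, so the new side reads `return engine->rsa_method;` followed by a bare `;`. That line is unreachable and only survives because clang-format preserves tokens; delete it so the body is `return engine->rsa_method;` directly followed by the closing `}`. Some compilers warn about a stray statement like this, and a formatting-only commit is the natural place to drop it rather than to give it a line of its own.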
@@ -421,8 +417,7 @@ static int err_string_cmp(const void *a, const void *b) {
 // err_string_lookup looks up the string associated with |lib| and |key| in
 // |values| and |string_data|. It returns the string or NULL if not found.
 static const char *err_string_lookup(uint32_t lib, uint32_t key,
- const uint32_t *values,
- size_t num_values,
+ const uint32_t *values, size_t num_values,
 const char *string_data) {
 // |values| points to data in err_data.h, which is generated by
 // err_data_generate.go. It's an array of uint32_t values. Each value has the
@@ -629,7 +624,7 @@ void ERR_print_errors_cb(ERR_print_errors_callback_t callback, void *ctx) {
 // thread_hash is the least-significant bits of the |ERR_STATE| pointer value
 // for this thread.
- const unsigned long thread_hash = (uintptr_t) err_get_state();
+ const unsigned long thread_hash = (uintptr_t)err_get_state();
 for (;;) {
 packed_error = ERR_get_error_line_data(&file, &line, &data, &flags);
@@ -646,9 +641,9 @@ void ERR_print_errors_cb(ERR_print_errors_callback_t callback, void *ctx) {
 }
 }
-static int print_errors_to_file(const char* msg, size_t msg_len, void* ctx) {
+static int print_errors_to_file(const char *msg, size_t msg_len, void *ctx) {
 assert(msg[msg_len] == '\0');
- FILE* fp = ctx;
+ FILE *fp = ctx;
 int res = fputs(msg, fp);
 return res < 0 ? 0 : 1;
 }
@@ -720,15 +715,15 @@ static void err_add_error_vdata(unsigned num, va_list args) {
 size_t substr_len = strlen(substr);
 if (SIZE_MAX - total_size < substr_len) {
 va_end(args_copy);
- return; // Would overflow.
+ return; // Would overflow.
 }
 total_size += substr_len;
 }
 va_end(args_copy);
 if (total_size == SIZE_MAX) {
- return; // Would overflow.
+ return; // Would overflow.
 }
- total_size += 1; // NUL terminator.
+ total_size += 1; // NUL terminator.
 if ((buf = malloc(total_size)) == NULL) {
 return;
 }
@@ -739,7 +734,7 @@ static void err_add_error_vdata(unsigned num, va_list args) {
 continue;
 }
 if (OPENSSL_strlcat(buf, substr, total_size) >= total_size) {
- assert(0); // should not be possible.
+ assert(0); // should not be possible.
 }
 }
 va_end(args);
diff --git a/crypto/err/err_test.cc b/crypto/err/err_test.cc
index 8e9f03c62b..c119d4f446 100644
--- a/crypto/err/err_test.cc
+++ b/crypto/err/err_test.cc
@@ -33,8 +33,8 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 TEST(ErrTest, Overflow) {
- for (unsigned i = 0; i < ERR_NUM_ERRORS*2; i++) {
- ERR_put_error(1, 0 /* unused */, i+1, "test", 1);
+ for (unsigned i = 0; i < ERR_NUM_ERRORS * 2; i++) {
+ ERR_put_error(1, 0 /* unused */, i + 1, "test", 1);
 }
 for (unsigned i = 0; i < ERR_NUM_ERRORS - 1; i++) {
@@ -59,9 +59,8 @@ TEST(ErrTest, PutError) {
 int peeked_line, line, peeked_flags, flags;
 const char *peeked_file, *file, *peeked_data, *data;
- uint32_t peeked_packed_error =
- ERR_peek_error_line_data(&peeked_file, &peeked_line, &peeked_data,
- &peeked_flags);
+ uint32_t peeked_packed_error = ERR_peek_error_line_data(
+ &peeked_file, &peeked_line, &peeked_data, &peeked_flags);
 uint32_t packed_error = ERR_get_error_line_data(&file, &line, &data, &flags);
 EXPECT_EQ(peeked_packed_error, packed_error);
@@ -277,12 +276,9 @@ TEST(ErrTest, String) {
 ERR_error_string_n(err, buf, 57));
 EXPECT_STREQ("error:0e000044:common libcryp::",
 ERR_error_string_n(err, buf, 32));
- EXPECT_STREQ("error:0e0000:::",
- ERR_error_string_n(err, buf, 16));
- EXPECT_STREQ("err::::",
- ERR_error_string_n(err, buf, 8));
- EXPECT_STREQ("::::",
- ERR_error_string_n(err, buf, 5));
+ EXPECT_STREQ("error:0e0000:::", ERR_error_string_n(err, buf, 16));
+ EXPECT_STREQ("err::::", ERR_error_string_n(err, buf, 8));
+ EXPECT_STREQ("::::", ERR_error_string_n(err, buf, 5));
 // If the buffer is too short for even four colons, |ERR_error_string_n| does
 // not bother trying to preserve the format.
diff --git a/crypto/evp_extra/evp_asn1.c b/crypto/evp_extra/evp_asn1.c
index 254222a673..abdb5e7b8c 100644
--- a/crypto/evp_extra/evp_asn1.c
+++ b/crypto/evp_extra/evp_asn1.c
@@ -64,11 +64,11 @@
 #include
 #include
-#include "../fipsmodule/evp/internal.h"
 #include "../bytestring/internal.h"
+#include "../fipsmodule/evp/internal.h"
+#include "../fipsmodule/pqdsa/internal.h"
 #include "../internal.h"
 #include "internal.h"
-#include "../fipsmodule/pqdsa/internal.h"
 // parse_key_type takes the algorithm cbs sequence |cbs| and extracts the OID.
 // The OID is then searched against ASN.1 methods for a method with that OID.
@@ -103,11 +103,11 @@ static const EVP_PKEY_ASN1_METHOD *parse_key_type(CBS *cbs) {
 // The pkey_id for the pqdsa_asn1_meth is EVP_PKEY_PQDSA, as this holds all
 // asn1 functions for pqdsa types. However, the incoming CBS has the OID for
 // the specific algorithm. So we must search explicitly for the algorithm.
- const EVP_PKEY_ASN1_METHOD * ret = PQDSA_find_asn1_by_nid(OBJ_cbs2nid(&oid));
+ const EVP_PKEY_ASN1_METHOD *ret = PQDSA_find_asn1_by_nid(OBJ_cbs2nid(&oid));
 if (ret != NULL) {
 // if |cbs| is empty after parsing |oid| from it, we overwrite the contents
- // with |oid| so that we can call pub_decode/priv_decode with the |algorithm|
- // populated as |oid|.
+ // with |oid| so that we can call pub_decode/priv_decode with the
+ // |algorithm| populated as |oid|.
 if (CBS_len(cbs) == 0) {
 OPENSSL_memcpy(cbs, &oid, sizeof(oid));
 return ret;
@@ -123,8 +123,7 @@ EVP_PKEY *EVP_parse_public_key(CBS *cbs) {
 uint8_t padding;
 if (!CBS_get_asn1(cbs, &spki, CBS_ASN1_SEQUENCE) ||
 !CBS_get_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
- !CBS_get_asn1(&spki, &key, CBS_ASN1_BITSTRING) ||
- CBS_len(&spki) != 0) {
+ !CBS_get_asn1(&spki, &key, CBS_ASN1_BITSTRING) || CBS_len(&spki) != 0) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
 return NULL;
 }
@@ -134,10 +133,9 @@ EVP_PKEY *EVP_parse_public_key(CBS *cbs) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
 return NULL;
 }
- if (// Every key type defined encodes the key as a byte string with the same
- // conversion to BIT STRING.
- !CBS_get_u8(&key, &padding) ||
- padding != 0) {
+ if ( // Every key type defined encodes the key as a byte string with the same
+ // conversion to BIT STRING.
+ !CBS_get_u8(&key, &padding) || padding != 0) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
 return NULL;
 }
@@ -176,19 +174,16 @@ int EVP_marshal_public_key(CBB *cbb, const EVP_PKEY *key) {
 return key->ameth->pub_encode(cbb, key);
 }
-static const unsigned kAttributesTag =
- CBS_ASN1_CONTEXT_SPECIFIC | 0;
+static const unsigned kAttributesTag = CBS_ASN1_CONTEXT_SPECIFIC | 0;
-static const unsigned kPublicKeyTag =
- CBS_ASN1_CONTEXT_SPECIFIC | 1;
+static const unsigned kPublicKeyTag = CBS_ASN1_CONTEXT_SPECIFIC | 1;
 EVP_PKEY *EVP_parse_private_key(CBS *cbs) {
 // Parse the PrivateKeyInfo (RFC 5208) or OneAsymmetricKey (RFC 5958).
 CBS pkcs8, algorithm, key, public_key;
 uint64_t version;
 if (!CBS_get_asn1(cbs, &pkcs8, CBS_ASN1_SEQUENCE) ||
- !CBS_get_asn1_uint64(&pkcs8, &version) ||
- version > PKCS8_VERSION_TWO ||
+ !CBS_get_asn1_uint64(&pkcs8, &version) || version > PKCS8_VERSION_TWO ||
 !CBS_get_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) ||
 !CBS_get_asn1(&pkcs8, &key, CBS_ASN1_OCTETSTRING)) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
@@ -201,8 +196,8 @@ EVP_PKEY *EVP_parse_private_key(CBS *cbs) {
 return NULL;
 }
- // A PrivateKeyInfo & OneAsymmetricKey may optionally contain a SET of Attributes which
- // we ignore.
+ // A PrivateKeyInfo & OneAsymmetricKey may optionally contain a SET of
+ // Attributes which we ignore.
 if (CBS_peek_asn1_tag(&pkcs8, kAttributesTag)) {
 if (!CBS_get_asn1(cbs, NULL, kAttributesTag)) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
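Review bot: In the last hunk here (EVP_parse_private_key, attributes handling), the code peeks for the optional Attributes on `&pkcs8` but then consumes from the outer reader: `if (!CBS_get_asn1(cbs, NULL, kAttributesTag)) {`. By that point `cbs` has already been advanced past the entire PrivateKeyInfo SEQUENCE by the first `CBS_get_asn1(cbs, &pkcs8, CBS_ASN1_SEQUENCE)` in the previous hunk, so a key that carries attributes appears to fail with EVP_R_DECODE_ERROR (or consume whatever follows the SEQUENCE, if it happens to carry that tag) while the attributes stay unread in `pkcs8`. Unless there is a reason not shown here, the line should be `if (!CBS_get_asn1(&pkcs8, NULL, kAttributesTag)) {`, matching the peek and the `kPublicKeyTag` handling a few lines later in the same function. These are unchanged context lines, so this belongs in a separate fix rather than this formatting commit; the function continues past the hunk.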
@@ -216,7 +211,8 @@ EVP_PKEY *EVP_parse_private_key(CBS *cbs) {
 // divisible by 8 we leave the first octet of the bit string present, which
 // specifies the padded bit count between 0 and 7.
 if (CBS_peek_asn1_tag(&pkcs8, kPublicKeyTag)) {
- if (version != PKCS8_VERSION_TWO || !CBS_get_asn1(&pkcs8, &public_key, kPublicKeyTag)) {
+ if (version != PKCS8_VERSION_TWO ||
+ !CBS_get_asn1(&pkcs8, &public_key, kPublicKeyTag)) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
 return NULL;
 }
@@ -475,8 +471,7 @@ int i2d_PUBKEY(const EVP_PKEY *pkey, uint8_t **outp) {
 }
 CBB cbb;
- if (!CBB_init(&cbb, 128) ||
- !EVP_marshal_public_key(&cbb, pkey)) {
+ if (!CBB_init(&cbb, 128) || !EVP_marshal_public_key(&cbb, pkey)) {
 CBB_cleanup(&cbb);
 return -1;
 }
@@ -513,8 +508,7 @@ int i2d_RSA_PUBKEY(const RSA *rsa, uint8_t **outp) {
 int ret = -1;
 EVP_PKEY *pkey = EVP_PKEY_new();
- if (pkey == NULL ||
- !EVP_PKEY_set1_RSA(pkey, (RSA *)rsa)) {
+ if (pkey == NULL || !EVP_PKEY_set1_RSA(pkey, (RSA *)rsa)) {
 goto err;
 }
@@ -555,8 +549,7 @@ int i2d_DSA_PUBKEY(const DSA *dsa, uint8_t **outp) {
 int ret = -1;
 EVP_PKEY *pkey = EVP_PKEY_new();
- if (pkey == NULL ||
- !EVP_PKEY_set1_DSA(pkey, (DSA *)dsa)) {
+ if (pkey == NULL || !EVP_PKEY_set1_DSA(pkey, (DSA *)dsa)) {
 goto err;
 }
@@ -597,8 +590,7 @@ int i2d_EC_PUBKEY(const EC_KEY *ec_key, uint8_t **outp) {
 int ret = -1;
 EVP_PKEY *pkey = EVP_PKEY_new();
- if (pkey == NULL ||
- !EVP_PKEY_set1_EC_KEY(pkey, (EC_KEY *)ec_key)) {
+ if (pkey == NULL || !EVP_PKEY_set1_EC_KEY(pkey, (EC_KEY *)ec_key)) {
 goto err;
 }
diff --git a/crypto/evp_extra/evp_extra_test.cc b/crypto/evp_extra/evp_extra_test.cc
index 6bd3460dc2..7734a6a89a 100644
--- a/crypto/evp_extra/evp_extra_test.cc
+++ b/crypto/evp_extra/evp_extra_test.cc
@@ -27,13 +27,13 @@ #include #include #include +#include #include #include -#include +#include "../internal.h" #include "../test/file_test.h" #include "../test/test_util.h" -#include "../internal.h" #include "../fipsmodule/evp/internal.h" #include "../fipsmodule/kem/internal.h" @@ -246,7 +246,8 @@ static const uint8_t kExampleRSAKeyPKCS8[] = { // kExampleRSAPSSKeyNoPSSParams is a sample RSAPSS private key. // This private key has rsaPSS oid but no pss parameters. -// This key is copied from https://github.com/aws/s2n-tls/blame/c4d90e34fbd2ba64bb17a95628622ccc1d0c6807/tests/pems/rsa_pss_2048_sha256_CA_key.pem#L1 +// This key is copied from +// https://github.com/aws/s2n-tls/blame/c4d90e34fbd2ba64bb17a95628622ccc1d0c6807/tests/pems/rsa_pss_2048_sha256_CA_key.pem#L1 static const uint8_t kExampleRSAPSSKeyNoPSSParams[] = { 0x30, 0x82, 0x04, 0xbb, 0x02, 0x01, 0x00, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x04, 0x82, 0x04, 0xa7, @@ -463,7 +464,8 @@ static const uint8_t kExampleRSAPSSKeyPKCS8[] = { 0x94, 0xc2}; // badRSAPSSKeyPKCS8_SaltLengthTooLarge is encoded in a PKCS #8 PrivateKeyInfo. -// badRSAPSSKeyPKCS8_SaltLengthTooLarge contains a DER-encoded RSASSA-PSS-params: +// badRSAPSSKeyPKCS8_SaltLengthTooLarge contains a DER-encoded +// RSASSA-PSS-params: // Hash Algorithm: sha256 // Mask Algorithm: mgf1 with sha256 // Salt Length: 511 
@@ -578,17 +580,17 @@ static const uint8_t badRSAPSSKeyPKCS8_SaltLengthTooLarge[] = {
 // kExampleECKeyDER is a sample EC private key encoded as an ECPrivateKey
 // structure.
 static const uint8_t kExampleECKeyDER[] = {
- 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x07, 0x0f, 0x08, 0x72, 0x7a,
- 0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59, 0xc9, 0x4d, 0x89, 0x68, 0x77, 0x08,
- 0xb5, 0x6f, 0xc9, 0x5d, 0x30, 0x77, 0x0e, 0xe8, 0xd1, 0xc9, 0xce, 0x0a,
- 0x8b, 0xb4, 0x6a, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
- 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xe6, 0x2b, 0x69,
- 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f, 0x1e, 0x0d, 0x94, 0x8a, 0x4c,
- 0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d, 0x46, 0xfb, 0xdd, 0xa9, 0xa9,
- 0x1e, 0x9d, 0xdc, 0xba, 0x5a, 0x01, 0xe7, 0xd6, 0x97, 0xa8, 0x0a, 0x18,
- 0xf9, 0xc3, 0xc4, 0xa3, 0x1e, 0x56, 0xe2, 0x7c, 0x83, 0x48, 0xdb, 0x16,
- 0x1a, 0x1c, 0xf5, 0x1d, 0x7e, 0xf1, 0x94, 0x2d, 0x4b, 0xcf, 0x72, 0x22,
- 0xc1,
+ 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x07, 0x0f, 0x08, 0x72,
+ 0x7a, 0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59, 0xc9, 0x4d, 0x89, 0x68,
+ 0x77, 0x08, 0xb5, 0x6f, 0xc9, 0x5d, 0x30, 0x77, 0x0e, 0xe8, 0xd1,
+ 0xc9, 0xce, 0x0a, 0x8b, 0xb4, 0x6a, 0xa0, 0x0a, 0x06, 0x08, 0x2a,
+ 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42,
+ 0x00, 0x04, 0xe6, 0x2b, 0x69, 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe,
+ 0x2f, 0x1e, 0x0d, 0x94, 0x8a, 0x4c, 0xd5, 0x97, 0x6b, 0xb7, 0xa9,
+ 0x1e, 0x0d, 0x46, 0xfb, 0xdd, 0xa9, 0xa9, 0x1e, 0x9d, 0xdc, 0xba,
+ 0x5a, 0x01, 0xe7, 0xd6, 0x97, 0xa8, 0x0a, 0x18, 0xf9, 0xc3, 0xc4,
+ 0xa3, 0x1e, 0x56, 0xe2, 0x7c, 0x83, 0x48, 0xdb, 0x16, 0x1a, 0x1c,
+ 0xf5, 0x1d, 0x7e, 0xf1, 0x94, 0x2d, 0x4b, 0xcf, 0x72, 0x22, 0xc1,
 };
 // kExampleECKeyPKCS8 is a sample EC private key encoded as a PKCS#8
@@ -657,8 +659,7 @@ static const uint8_t kExampleBadECKeyDER[] = { 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51, 0xA1, 0x23, 0x03, 0x21, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, - 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51 -}; + 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51}; // kExampleBadECKeyDER2 is a sample EC private key encoded as an ECPrivateKey // structure, but with the curve OID swapped out for 1.1.1.1.1.1.1.1.1. It is 
@@ -700,322 +701,348 @@ static const uint8_t kInvalidPrivateKey[] = { // kExampleMLDSA65KeyDER is a ML-DSA private key in ASN.1, DER format. // Of course, you should never use this key anywhere but in an example. static const uint8_t kExampleMLDSA65KeyDER[] = { -0x30, 0x82, 0xF, 0xD4, 0x2, 0x1, 0x0, 0x30, 0xB, 0x6, 0x9, 0x60, 0x86, -0x48, 0x1, 0x65, 0x3, 0x4, 0x3, 0x12, 0x4, 0x82, 0xF, 0xC0, 0x9B, 0x77, -0xAB, 0x96, 0x9D, 0x65, 0xA2, 0xC1, 0x55, 0x65, 0x2, 0x9B, 0xA5, 0xD4, 0xE5, -0x93, 0xA1, 0xAC, 0xE7, 0x3E, 0x8C, 0x61, 0xB7, 0xCB, 0xA1, 0x3E, 0x74, 0x8A, -0xC9, 0xC0, 0xA0, 0x63, 0x31, 0x99, 0xCE, 0x5B, 0x64, 0x5C, 0x4, 0xBC, 0xAA, -0x47, 0x73, 0x13, 0x4E, 0x53, 0x9F, 0x83, 0x81, 0x49, 0x98, 0x80, 0x58, 0xB2, -0xA1, 0xDB, 0xD8, 0xDB, 0xEB, 0xAD, 0x42, 0xD0, 0xFF, 0xEE, 0x18, 0x1A, 0x15, -0x58, 0x9C, 0x84, 0x7F, 0x2A, 0x73, 0x57, 0x63, 0x60, 0x82, 0xF7, 0xC6, 0xA3, -0xD1, 0x55, 0xC3, 0x4C, 0xE3, 0xA0, 0x49, 0xBC, 0x17, 0xB4, 0x31, 0x99, 0xBF, -0x75, 0xCB, 0xF2, 0xFB, 0x6B, 0x58, 0x52, 0x12, 0xC3, 0xBC, 0xED, 0xDC, 0x32, -0xBE, 0x9, 0x2C, 0xBB, 0x6A, 0x54, 0x6D, 0x9D, 0x5D, 0x97, 0xD3, 0xCC, 0x20, -0x31, 0x9C, 0x7E, 0x2B, 0x5C, 0x42, 0x9E, 0x2E, 0xCB, 0x41, 0x38, 0x84, 0x2, -0x3, 0x24, 0x75, 0x37, 0x23, 0x73, 0x38, 0x85, 0x0, 0x62, 0x42, 0x24, 0x76, -0x38, 0x88, 0x21, 0x31, 0x76, 0x74, 0x55, 0x51, 0x28, 0x34, 0x8, 0x41, 0x32, -0x67, 0x40, 0x11, 0x81, 0x62, 0x48, 0x27, 0x51, 0x85, 0x33, 0x61, 0x12, 0x22, -0x24, 0x30, 0x28, 0x75, 0x20, 0x3, 0x63, 0x11, 0x71, 0x88, 0x38, 0x88, 0x58, -0x84, 0x16, 0x66, 0x14, 0x22, 0x27, 0x28, 0x11, 0x44, 0x37, 0x76, 0x15, 0x24, -0x8, 0x56, 0x40, 0x13, 0x71, 0x74, 0x46, 0x88, 0x14, 0x37, 0x13, 0x0, 0x1, -0x48, 0x44, 0x4, 0x83, 0x67, 0x88, 0x16, 0x0, 0x13, 0x17, 0x6, 0x38, 0x18, -0x76, 0x15, 0x14, 0x67, 0x16, 0x76, 0x57, 0x24, 0x53, 0x86, 0x31, 0x34, 0x16, -0x34, 0x3, 0x8, 0x68, 0x65, 0x77, 0x36, 0x86, 0x37, 0x30, 0x76, 0x20, 0x51, -0x33, 0x82, 0x28, 0x72, 0x45, 0x35, 0x83, 0x6, 0x58, 0x58, 0x37, 0x71, 0x86, -0x0, 0x84, 0x18, 0x11, 0x54, 
0x87, 0x12, 0x78, 0x75, 0x23, 0x45, 0x81, 0x17, -0x42, 0x1, 0x0, 0x34, 0x32, 0x55, 0x38, 0x88, 0x25, 0x52, 0x62, 0x5, 0x41, -0x86, 0x88, 0x67, 0x24, 0x81, 0x46, 0x74, 0x31, 0x53, 0x53, 0x45, 0x17, 0x26, -0x48, 0x85, 0x76, 0x24, 0x24, 0x36, 0x18, 0x50, 0x18, 0x18, 0x60, 0x76, 0x4, -0x87, 0x22, 0x0, 0x66, 0x74, 0x52, 0x18, 0x32, 0x7, 0x61, 0x27, 0x68, 0x70, -0x65, 0x78, 0x85, 0x66, 0x60, 0x5, 0x14, 0x77, 0x23, 0x74, 0x70, 0x41, 0x55, -0x12, 0x26, 0x86, 0x35, 0x28, 0x66, 0x30, 0x83, 0x42, 0x52, 0x26, 0x18, 0x34, -0x16, 0x48, 0x23, 0x35, 0x62, 0x37, 0x67, 0x82, 0x50, 0x1, 0x78, 0x70, 0x16, -0x11, 0x35, 0x58, 0x58, 0x8, 0x82, 0x55, 0x61, 0x85, 0x17, 0x46, 0x70, 0x77, -0x77, 0x37, 0x42, 0x35, 0x56, 0x53, 0x85, 0x7, 0x64, 0x13, 0x34, 0x51, 0x25, -0x78, 0x12, 0x21, 0x14, 0x74, 0x81, 0x32, 0x41, 0x0, 0x60, 0x78, 0x71, 0x22, -0x22, 0x56, 0x48, 0x57, 0x24, 0x65, 0x40, 0x36, 0x3, 0x3, 0x17, 0x86, 0x31, -0x44, 0x48, 0x55, 0x60, 0x55, 0x84, 0x68, 0x76, 0x16, 0x15, 0x40, 0x82, 0x64, -0x88, 0x47, 0x88, 0x44, 0x58, 0x46, 0x5, 0x2, 0x47, 0x27, 0x64, 0x20, 0x74, -0x14, 0x74, 0x2, 0x18, 0x21, 0x50, 0x42, 0x43, 0x14, 0x63, 0x5, 0x36, 0x8, -0x38, 0x80, 0x86, 0x80, 0x61, 0x15, 0x80, 0x56, 0x53, 0x13, 0x70, 0x64, 0x66, -0x20, 0x17, 0x21, 0x50, 0x68, 0x7, 0x53, 0x34, 0x73, 0x17, 0x50, 0x68, 0x72, -0x43, 0x2, 0x0, 0x80, 0x7, 0x37, 0x85, 0x72, 0x12, 0x87, 0x73, 0x46, 0x45, -0x56, 0x66, 0x2, 0x72, 0x70, 0x78, 0x34, 0x51, 0x65, 0x31, 0x77, 0x75, 0x52, -0x17, 0x82, 0x84, 0x34, 0x26, 0x51, 0x21, 0x31, 0x18, 0x33, 0x28, 0x84, 0x57, -0x10, 0x30, 0x47, 0x26, 0x27, 0x53, 0x58, 0x10, 0x73, 0x42, 0x67, 0x58, 0x27, -0x36, 0x56, 0x77, 0x25, 0x43, 0x87, 0x75, 0x65, 0x82, 0x51, 0x56, 0x60, 0x65, -0x70, 0x5, 0x7, 0x33, 0x48, 0x37, 0x82, 0x60, 0x11, 0x23, 0x18, 0x15, 0x22, -0x42, 0x10, 0x46, 0x81, 0x47, 0x44, 0x22, 0x73, 0x76, 0x28, 0x30, 0x63, 0x10, -0x24, 0x72, 0x12, 0x17, 0x78, 0x50, 0x1, 0x75, 0x57, 0x42, 0x88, 0x21, 0x22, -0x77, 0x68, 0x22, 0x43, 0x84, 0x14, 0x51, 0x73, 0x68, 0x54, 0x62, 0x8, 0x83, 
-0x75, 0x41, 0x10, 0x15, 0x14, 0x57, 0x73, 0x42, 0x13, 0x20, 0x52, 0x76, 0x72, -0x34, 0x18, 0x10, 0x0, 0x18, 0x17, 0x55, 0x30, 0x88, 0x47, 0x23, 0x0, 0x76, -0x44, 0x85, 0x25, 0x4, 0x3, 0x88, 0x0, 0x70, 0x10, 0x70, 0x1, 0x80, 0x12, -0x4, 0x73, 0x20, 0x72, 0x21, 0x24, 0x37, 0x4, 0x1, 0x63, 0x76, 0x4, 0x71, -0x30, 0x31, 0x17, 0x20, 0x18, 0x37, 0x23, 0x44, 0x3, 0x8, 0x77, 0x63, 0x73, -0x61, 0x43, 0x70, 0x11, 0x6, 0x84, 0x73, 0x26, 0x38, 0x78, 0x23, 0x61, 0x12, -0x45, 0x84, 0x76, 0x31, 0x23, 0x67, 0x37, 0x7, 0x73, 0x13, 0x46, 0x42, 0x51, -0x13, 0x12, 0x5, 0x15, 0x28, 0x57, 0x64, 0x62, 0x82, 0x42, 0x6, 0x83, 0x25, -0x12, 0x20, 0x40, 0x48, 0x21, 0x47, 0x73, 0x38, 0x13, 0x32, 0x10, 0x73, 0x36, -0x57, 0x3, 0x0, 0x31, 0x54, 0x78, 0x40, 0x23, 0x21, 0x14, 0x35, 0x13, 0x62, -0x83, 0x56, 0x35, 0x87, 0x44, 0x65, 0x74, 0x5, 0x66, 0x76, 0x26, 0x35, 0x17, -0x18, 0x67, 0x12, 0x6, 0x0, 0x42, 0x85, 0x71, 0x20, 0x62, 0x81, 0x22, 0x5, -0x76, 0x32, 0x77, 0x60, 0x65, 0x84, 0x64, 0x14, 0x60, 0x8, 0x55, 0x65, 0x21, -0x18, 0x8, 0x77, 0x72, 0x37, 0x70, 0x28, 0x24, 0x13, 0x18, 0x60, 0x83, 0x73, -0x33, 0x71, 0x16, 0x63, 0x72, 0x55, 0x64, 0x24, 0x11, 0x30, 0x84, 0x54, 0x33, -0x15, 0x33, 0x26, 0x66, 0x32, 0x35, 0x72, 0x52, 0x52, 0x35, 0x85, 0x85, 0x72, -0x5, 0x81, 0x84, 0x34, 0x78, 0x70, 0x65, 0x34, 0x10, 0x76, 0x76, 0x20, 0x76, -0x33, 0x33, 0x22, 0x76, 0x75, 0x28, 0x3, 0x4, 0x21, 0x28, 0x73, 0x3, 0x57, -0x72, 0x3, 0x35, 0x37, 0x66, 0x88, 0x23, 0x88, 0x27, 0x43, 0x32, 0x26, 0x5, -0x20, 0x36, 0x32, 0x78, 0x54, 0x83, 0x38, 0x86, 0x81, 0x78, 0x1, 0x63, 0x21, -0x75, 0x82, 0x1, 0x73, 0x18, 0x0, 0x42, 0x54, 0x67, 0x26, 0x52, 0x38, 0x18, -0x65, 0x87, 0x36, 0x86, 0x53, 0x84, 0x20, 0x6, 0x23, 0x62, 0x73, 0x4, 0x14, -0x83, 0x77, 0x0, 0x57, 0x86, 0x84, 0x70, 0x48, 0x2, 0x71, 0x28, 0x41, 0x42, -0x12, 0x13, 0x73, 0x43, 0x22, 0x65, 0x60, 0x72, 0x75, 0x28, 0x42, 0x17, 0x24, -0x67, 0x38, 0x27, 0x86, 0x58, 0x68, 0x25, 0x42, 0x2, 0x56, 0x62, 0x67, 0x5, -0x34, 0x54, 0x64, 0x68, 0x25, 0x15, 0x55, 0x88, 0x43, 0x58, 
0x73, 0x77, 0x65, -0x46, 0x48, 0x36, 0x6, 0x86, 0x32, 0x80, 0x80, 0x18, 0x72, 0x2, 0x54, 0x54, -0x72, 0x10, 0x65, 0x70, 0x41, 0x63, 0x47, 0x35, 0x40, 0x75, 0x2, 0x70, 0x43, -0x18, 0x26, 0x78, 0x51, 0x52, 0x74, 0x43, 0x14, 0x51, 0x53, 0x77, 0x67, 0x53, -0x24, 0x11, 0x11, 0x57, 0x74, 0x18, 0x12, 0x27, 0x73, 0x30, 0x6, 0x42, 0x75, -0x16, 0x17, 0x58, 0x4, 0x81, 0x5, 0x48, 0x54, 0x78, 0x53, 0x71, 0x6, 0x28, -0x41, 0x63, 0x81, 0x67, 0x0, 0x18, 0x25, 0x24, 0x14, 0x70, 0x85, 0x70, 0x80, -0x72, 0x48, 0x23, 0x21, 0x47, 0x13, 0x74, 0x72, 0x4, 0x27, 0x20, 0x75, 0x6, -0x80, 0x12, 0x24, 0x18, 0x57, 0x75, 0x45, 0x33, 0x80, 0x47, 0x28, 0x25, 0x80, -0x86, 0x6, 0x67, 0x23, 0x51, 0x80, 0x6, 0x72, 0x34, 0x30, 0x16, 0x25, 0x15, -0x52, 0x16, 0x57, 0x77, 0x45, 0x1, 0x48, 0x83, 0x35, 0x58, 0x68, 0x77, 0x3, -0x20, 0x34, 0x70, 0x23, 0x66, 0x14, 0x85, 0x0, 0x5, 0x34, 0x32, 0x37, 0x83, -0x56, 0x45, 0x86, 0x32, 0x41, 0x56, 0x64, 0x83, 0x37, 0x77, 0x26, 0x80, 0x45, -0x16, 0x86, 0x64, 0x36, 0x85, 0x25, 0x16, 0x44, 0x47, 0x2, 0x62, 0x75, 0x86, -0x57, 0x82, 0x38, 0x34, 0x85, 0x21, 0x74, 0x15, 0x55, 0x26, 0x53, 0x16, 0x70, -0x82, 0x87, 0x17, 0x4, 0x63, 0x28, 0x21, 0x41, 0x61, 0x66, 0x16, 0x78, 0x37, -0x5, 0x81, 0x13, 0x26, 0x16, 0x56, 0x56, 0x85, 0x4, 0x72, 0x40, 0x64, 0x74, -0x13, 0x85, 0x20, 0x27, 0x14, 0x62, 0x72, 0x67, 0x70, 0x33, 0x25, 0x78, 0x48, -0x1, 0x17, 0x77, 0x14, 0x33, 0x41, 0x65, 0x5, 0x8, 0x0, 0x71, 0x44, 0x88, -0x8, 0x48, 0x2, 0x60, 0x12, 0x88, 0x5, 0x74, 0x56, 0x4, 0x77, 0x4, 0x52, -0x4, 0x31, 0x11, 0x81, 0x78, 0x88, 0x21, 0x11, 0x26, 0x51, 0x60, 0x67, 0x20, -0x37, 0x52, 0x1, 0x63, 0x85, 0x16, 0x68, 0x47, 0x65, 0x25, 0x2, 0x1, 0x18, -0x32, 0x0, 0x57, 0x33, 0x37, 0x38, 0x25, 0x27, 0x36, 0x21, 0x6, 0x40, 0x3, -0x74, 0x43, 0x24, 0x35, 0x86, 0x53, 0x88, 0x53, 0x16, 0x16, 0x2, 0x88, 0x44, -0x22, 0x25, 0x72, 0x63, 0x85, 0x17, 0x81, 0x56, 0x47, 0x16, 0x65, 0x2, 0x24, -0x5, 0x58, 0x55, 0x86, 0x72, 0x18, 0x21, 0x71, 0x86, 0x65, 0x61, 0x88, 0x85, -0x84, 0x70, 0x47, 0x27, 0x63, 0x73, 0x1, 
0x26, 0x27, 0x85, 0x54, 0x85, 0x55, -0x45, 0x73, 0x30, 0x36, 0x44, 0x36, 0x45, 0x52, 0x43, 0x8, 0x14, 0x22, 0x64, -0x77, 0x36, 0x43, 0x14, 0x33, 0x66, 0x10, 0x56, 0x84, 0x42, 0x18, 0x77, 0x71, -0x27, 0x86, 0x84, 0x21, 0x26, 0x3, 0x22, 0x14, 0x47, 0x0, 0x51, 0x84, 0x28, -0x52, 0x66, 0x40, 0x66, 0x55, 0x85, 0x67, 0x2, 0x74, 0x6, 0x15, 0x72, 0x87, -0x40, 0x24, 0x71, 0x43, 0x74, 0x10, 0x27, 0x53, 0x42, 0x10, 0x3, 0x77, 0x1, -0x84, 0x8, 0x18, 0x22, 0x86, 0x71, 0x77, 0x48, 0x22, 0x42, 0x50, 0x66, 0x85, -0x34, 0x57, 0x88, 0x31, 0x81, 0x73, 0x66, 0x68, 0x75, 0x50, 0x10, 0x32, 0x73, -0x87, 0x57, 0x77, 0x40, 0x4, 0x3, 0x14, 0x87, 0x31, 0x38, 0x22, 0x65, 0x68, -0x68, 0x88, 0x10, 0x32, 0x71, 0x77, 0x5, 0x51, 0x76, 0x68, 0x40, 0x52, 0x36, -0x63, 0x2, 0x76, 0x84, 0x50, 0x76, 0x27, 0x6, 0x77, 0x58, 0x52, 0x52, 0x74, -0x78, 0x77, 0x77, 0x50, 0x30, 0x84, 0x54, 0x28, 0x53, 0x70, 0x82, 0x7, 0x21, -0x6, 0x64, 0x35, 0x62, 0x80, 0x55, 0x10, 0x71, 0x82, 0x2, 0x66, 0x81, 0x40, -0x57, 0x61, 0x7, 0x16, 0x2, 0x72, 0x67, 0x6, 0x24, 0x88, 0x23, 0x88, 0x63, -0x83, 0x81, 0x14, 0x40, 0x7, 0x17, 0x15, 0x20, 0x63, 0x76, 0x22, 0x75, 0x81, -0x70, 0x43, 0x81, 0x80, 0x43, 0x4, 0x51, 0x78, 0x40, 0x63, 0x36, 0x0, 0x77, -0x40, 0x24, 0x53, 0x11, 0x44, 0x65, 0x62, 0x56, 0x77, 0x20, 0x21, 0x25, 0x8, -0x25, 0x63, 0x34, 0x54, 0x76, 0x53, 0x6, 0x13, 0x1, 0x80, 0x25, 0x77, 0x44, -0x38, 0x17, 0x32, 0x36, 0x13, 0x32, 0x27, 0x0, 0x37, 0x60, 0x63, 0x74, 0x6, -0x52, 0x5, 0x72, 0x83, 0x83, 0x84, 0x28, 0x71, 0x15, 0x38, 0x17, 0x47, 0x8, -0x37, 0x42, 0x67, 0x86, 0x38, 0x62, 0x65, 0x26, 0x23, 0x84, 0x22, 0x38, 0x66, -0x6, 0xD9, 0x77, 0xF8, 0x41, 0xCB, 0x87, 0xD3, 0x3F, 0x76, 0xEB, 0x57, 0x71, -0xFF, 0xBF, 0x14, 0x3B, 0x4C, 0x53, 0x1, 0xA8, 0x24, 0xAC, 0xB4, 0x71, 0x4A, -0xD8, 0xAF, 0xCB, 0x45, 0x70, 0x6E, 0xF8, 0x89, 0xB6, 0x31, 0xA7, 0x8B, 0x4A, -0xCF, 0x6C, 0x42, 0x8E, 0x8, 0xCE, 0x55, 0x7D, 0x0, 0x1B, 0xA3, 0x3B, 0x9D, -0x2D, 0xC0, 0xF9, 0x85, 0x66, 0xA6, 0x3F, 0x5C, 0x77, 0xC0, 0xE1, 0x12, 0xF3, -0xEE, 0xBD, 0x4F, 
0x9C, 0xB1, 0xD5, 0x1, 0x50, 0x22, 0x9C, 0xDD, 0xBF, 0xE9, -0xB7, 0xF5, 0x59, 0xC4, 0xB0, 0x9C, 0x2D, 0xB5, 0xA7, 0x4B, 0xB4, 0xD1, 0x2A, -0x91, 0x86, 0xC8, 0x28, 0x31, 0x73, 0xC0, 0x43, 0x2B, 0xBD, 0xDE, 0xDF, 0xA1, -0x2C, 0xAD, 0x9, 0x59, 0xB0, 0xF3, 0x95, 0x63, 0xA1, 0x7A, 0x88, 0x85, 0xA3, -0xFB, 0xF4, 0xD7, 0xF4, 0x1C, 0x68, 0xCD, 0x3F, 0x9C, 0x7A, 0xE5, 0xA9, 0x76, -0xB9, 0xC0, 0x89, 0xEE, 0x51, 0xD6, 0xB6, 0xF3, 0x4A, 0xF7, 0x5, 0xA1, 0x0, -0x6C, 0xF, 0x62, 0xC4, 0x65, 0x21, 0xB5, 0x9C, 0xD8, 0x77, 0x64, 0x94, 0x59, -0xBD, 0xA2, 0x14, 0x97, 0x45, 0x45, 0x58, 0xFF, 0x24, 0xD7, 0x9E, 0x47, 0x38, -0x32, 0xD6, 0x97, 0x98, 0xB7, 0xD7, 0xEF, 0x25, 0xDD, 0xFD, 0xAE, 0x91, 0xF7, -0x1E, 0x53, 0x9A, 0x8C, 0x11, 0xDE, 0xF3, 0xB6, 0x1D, 0xE0, 0x2A, 0xC8, 0x46, -0x47, 0xF8, 0x39, 0x59, 0xC4, 0x62, 0x8B, 0xD2, 0x7E, 0xDB, 0x23, 0xC5, 0xA3, -0x21, 0xF8, 0x16, 0xAE, 0x24, 0xFB, 0x19, 0x8D, 0x4D, 0xC3, 0x37, 0x96, 0x95, -0xA8, 0xA5, 0xA2, 0x8F, 0x4D, 0x77, 0xBC, 0x2E, 0xFB, 0xFE, 0xC8, 0xED, 0x76, -0x42, 0x1C, 0x2A, 0x3B, 0x41, 0xF7, 0xA0, 0xC5, 0xF3, 0xE9, 0x67, 0x7C, 0xC6, -0x88, 0xE7, 0x1A, 0x36, 0x65, 0x32, 0xFC, 0x15, 0x15, 0xF5, 0xA4, 0x9F, 0xA5, -0xF0, 0x67, 0xB1, 0xE6, 0x21, 0x4E, 0x9D, 0x29, 0x29, 0x50, 0xEB, 0x68, 0x36, -0x11, 0x9, 0xA5, 0x9C, 0xBD, 0x69, 0x1C, 0xA5, 0xB9, 0x8F, 0x68, 0x96, 0x1F, -0xA1, 0xDA, 0xFD, 0xF4, 0xED, 0xA2, 0xA6, 0xA7, 0xD2, 0x81, 0x9D, 0x91, 0x56, -0x9, 0xF4, 0x29, 0x24, 0x24, 0xA2, 0x8F, 0xC2, 0xB0, 0xEE, 0x2, 0xD9, 0x96, -0x8B, 0x9D, 0x9E, 0x1A, 0x48, 0xA7, 0x7A, 0x2D, 0x1D, 0x5A, 0xBF, 0x21, 0x60, -0x57, 0xB2, 0x28, 0x3, 0xBD, 0x4B, 0xEE, 0xE1, 0x71, 0x71, 0xF8, 0xC7, 0x3B, -0x1F, 0x2F, 0x6C, 0x2C, 0xBF, 0x1C, 0x51, 0x32, 0xFF, 0xF6, 0x3B, 0x53, 0x57, -0xBD, 0xC9, 0x9A, 0x58, 0xB4, 0xEA, 0x6, 0xBC, 0xDB, 0xB2, 0x2E, 0x86, 0x5D, -0xBB, 0x6A, 0x44, 0xF1, 0x8C, 0x4A, 0x6F, 0x4A, 0x8D, 0xEA, 0x93, 0x19, 0x36, -0xAC, 0x41, 0xA9, 0x92, 0x26, 0x4E, 0x8, 0xA5, 0xA5, 0xE9, 0xC6, 0xBD, 0xB6, -0xC2, 0x4F, 0xFF, 0xD1, 0xA5, 0x89, 0x30, 0xBF, 0x82, 
0xE5, 0xEF, 0x1C, 0x47, -0x4B, 0xC, 0x3C, 0xFB, 0x46, 0x9D, 0xDA, 0x30, 0x35, 0xF8, 0x4, 0x9A, 0xD2, -0x60, 0xB7, 0x2C, 0x92, 0x1A, 0xB7, 0xCC, 0xEC, 0x1C, 0x5E, 0xED, 0x41, 0xCA, -0x11, 0xA1, 0x61, 0xDD, 0x6B, 0x4C, 0xA3, 0x1D, 0x95, 0x2A, 0x1A, 0x76, 0xC4, -0x35, 0xE5, 0xA9, 0x75, 0xCD, 0x20, 0x70, 0x91, 0xB0, 0xD3, 0x0, 0x70, 0x9B, -0xE9, 0xDC, 0xB3, 0xC7, 0x72, 0x62, 0xB7, 0xAD, 0x1, 0x4F, 0x6D, 0x23, 0x19, -0x67, 0xD8, 0xE8, 0x78, 0x84, 0x2E, 0xF1, 0xF8, 0x7A, 0x88, 0x13, 0xF2, 0xAA, -0x56, 0x8, 0xE7, 0x69, 0xE5, 0xE4, 0x12, 0x71, 0xBE, 0xFF, 0x9D, 0x94, 0x6D, -0xCA, 0xD2, 0xB5, 0x2A, 0x47, 0xAC, 0xCA, 0x6E, 0x3F, 0x27, 0x47, 0xF8, 0x6C, -0xBA, 0x8E, 0x61, 0x6C, 0xFB, 0x11, 0x50, 0x3D, 0x2E, 0x75, 0x28, 0xFA, 0x3A, -0xAD, 0x5B, 0x4B, 0x7A, 0x21, 0x35, 0x6B, 0x9E, 0xE1, 0xBE, 0xA0, 0xF9, 0x6C, -0x13, 0xE3, 0xC7, 0x84, 0xEB, 0x60, 0x76, 0x8F, 0x33, 0x8C, 0x57, 0xE1, 0x35, -0x2A, 0x1B, 0x5B, 0xD9, 0xA3, 0x77, 0x22, 0x93, 0x48, 0xB1, 0xF2, 0xA5, 0xB1, -0xCA, 0x35, 0x4D, 0x7A, 0x10, 0x0, 0xFB, 0x2E, 0xCD, 0x97, 0x80, 0x23, 0x6C, -0xD8, 0xA5, 0x49, 0x8D, 0xB3, 0x46, 0x5D, 0xEA, 0xE8, 0xF5, 0xFD, 0xDA, 0xE3, -0x9E, 0xDE, 0xF0, 0xB2, 0xF7, 0x5C, 0x82, 0x10, 0x9E, 0xC2, 0x4B, 0x4E, 0xD5, -0x45, 0x54, 0x15, 0xB1, 0xA5, 0xA7, 0xE5, 0xE0, 0xA5, 0xFE, 0x99, 0xB2, 0x6B, -0x30, 0x90, 0x55, 0xE1, 0xAF, 0x4, 0xB2, 0x15, 0x18, 0x60, 0x26, 0x99, 0x98, -0x3E, 0x67, 0xBC, 0x14, 0x45, 0x37, 0x2A, 0xA3, 0x23, 0x58, 0xCA, 0x82, 0x1C, -0x98, 0x7C, 0xC4, 0xB1, 0xE2, 0xED, 0xE5, 0xDF, 0x41, 0xDC, 0x7D, 0x13, 0xDF, -0xC1, 0xC1, 0xA7, 0xE, 0x24, 0x3D, 0xA2, 0x9D, 0x95, 0x44, 0x9, 0x7A, 0x42, -0x2B, 0x0, 0x23, 0x1C, 0x3D, 0xBC, 0x3E, 0x2B, 0x67, 0x6F, 0xB4, 0xC2, 0x49, -0xEB, 0xD, 0xFF, 0x6D, 0x19, 0x34, 0xBF, 0xDE, 0x2A, 0x9, 0x6C, 0x2F, 0x2B, -0x7D, 0xDE, 0x17, 0x54, 0x16, 0xEF, 0x4, 0x86, 0x89, 0xCA, 0x67, 0xA4, 0xE7, -0xBA, 0xF9, 0x7E, 0x8A, 0x42, 0xB2, 0xEB, 0x4F, 0xE8, 0x7B, 0xAD, 0x71, 0xBC, -0x1C, 0xF, 0x1D, 0x40, 0xB1, 0x84, 0xB2, 0x46, 0x46, 0xFB, 0x6A, 0xA7, 0x67, -0x30, 0x9B, 
0xD0, 0x1A, 0x7A, 0xC1, 0xE9, 0xE7, 0x1, 0xA4, 0x1B, 0xC9, 0xE, -0x79, 0x6C, 0xE8, 0x46, 0x47, 0xCF, 0xA, 0x64, 0x42, 0xB1, 0xB1, 0x70, 0xB0, -0xB6, 0x6E, 0xDD, 0x93, 0xBA, 0x56, 0x78, 0xBA, 0x63, 0x87, 0x7F, 0x6E, 0x36, -0xC6, 0xFF, 0x90, 0xF5, 0xFC, 0xEE, 0x76, 0x61, 0x5C, 0x53, 0xD4, 0x4C, 0xE4, -0x9C, 0x59, 0xFF, 0x6B, 0x59, 0x44, 0x8E, 0x60, 0xDF, 0xFA, 0x25, 0x63, 0x4, -0xD0, 0xB6, 0x36, 0xF8, 0xF9, 0xB2, 0xD9, 0xDE, 0xD6, 0x29, 0xCD, 0x15, 0x90, -0x47, 0x8F, 0xCA, 0x5C, 0x1D, 0x42, 0x8D, 0x47, 0xF0, 0x72, 0xD5, 0x9, 0x92, -0x72, 0xE5, 0xB4, 0x2A, 0xAB, 0xD9, 0x6, 0x40, 0xDD, 0x3E, 0x7D, 0x85, 0x8, -0x7E, 0x12, 0x7E, 0x6A, 0xD, 0xB7, 0x9F, 0x98, 0xC7, 0x47, 0x63, 0xBB, 0xC6, -0x3C, 0x7, 0x68, 0x5F, 0xC3, 0x82, 0xAC, 0x6A, 0xD6, 0x4D, 0x29, 0x68, 0xFF, -0xD5, 0x46, 0xD4, 0x87, 0xE6, 0x4A, 0xFF, 0x22, 0x93, 0x2A, 0x4, 0x8, 0xA7, -0x9B, 0xF3, 0xA1, 0x7E, 0x4C, 0x2C, 0xFF, 0xEA, 0x7D, 0x97, 0x4B, 0x5B, 0x8F, -0xDE, 0x6F, 0x0, 0x80, 0xAB, 0x62, 0x96, 0x5E, 0x3A, 0x25, 0x39, 0xD3, 0x65, -0x9B, 0x7, 0x1D, 0x67, 0x80, 0x9A, 0x9B, 0xEF, 0x84, 0xF1, 0x66, 0xCF, 0xEB, -0x83, 0xBE, 0x5F, 0xA3, 0x7E, 0x92, 0x36, 0xAF, 0x80, 0xBE, 0x20, 0x88, 0x23, -0x9A, 0x23, 0x98, 0xB4, 0x90, 0xC7, 0x27, 0x6A, 0xA9, 0xBC, 0xC1, 0x71, 0x4D, -0xFF, 0x1B, 0x60, 0xF8, 0xA5, 0xE1, 0xB0, 0x5A, 0x6A, 0xC7, 0x87, 0xF, 0xB9, -0x3C, 0x99, 0xB0, 0x49, 0x65, 0x37, 0x28, 0xE7, 0x11, 0xC, 0xB8, 0xB9, 0x6B, -0xDC, 0x3C, 0x28, 0xF9, 0xFA, 0x96, 0x1A, 0x84, 0xDF, 0x20, 0x1E, 0xC, 0x8C, -0x5B, 0xA2, 0x22, 0x3E, 0x5B, 0x74, 0x38, 0x72, 0x45, 0x8D, 0xFA, 0x7D, 0x9F, -0xC3, 0x1F, 0x49, 0xA, 0xD9, 0x32, 0x8E, 0x2B, 0xDC, 0x86, 0x91, 0x15, 0xE6, -0xEA, 0xD4, 0x87, 0xE4, 0x6C, 0xE0, 0x31, 0xB4, 0xBF, 0x31, 0xB6, 0xD1, 0x94, -0xF8, 0x4E, 0x4B, 0xF3, 0x22, 0x7F, 0x88, 0x2F, 0xB2, 0x1F, 0x8E, 0xCA, 0x7, -0x6C, 0xCE, 0xAE, 0x25, 0x82, 0xB6, 0xE1, 0x30, 0x91, 0xE8, 0xB3, 0xD2, 0x24, -0x11, 0x31, 0xC6, 0x58, 0xC5, 0xB3, 0xBC, 0x45, 0xA8, 0x41, 0x6, 0x31, 0x89, -0xC9, 0x43, 0x2, 0x63, 0x9F, 0xEA, 0x9B, 0x69, 0x44, 
0x8F, 0xD6, 0x44, 0x70, -0xCB, 0x83, 0x52, 0xDE, 0x39, 0x16, 0x77, 0x79, 0x7F, 0x23, 0xAC, 0x5C, 0x5F, -0x9F, 0x2B, 0xD2, 0x28, 0x73, 0xC0, 0x8D, 0x88, 0x7F, 0xEF, 0xA5, 0x30, 0xE6, -0x8B, 0x35, 0x4C, 0xD1, 0xA5, 0x6E, 0xE7, 0x4F, 0x19, 0x31, 0x78, 0x1, 0x98, -0xC5, 0xA6, 0x3D, 0x1E, 0xE8, 0x78, 0x85, 0x19, 0xDD, 0xAC, 0x8C, 0xBF, 0x1, -0xEE, 0x44, 0xA1, 0xD1, 0xA, 0xAB, 0x13, 0x99, 0x9D, 0x45, 0x73, 0x7, 0xF9, -0xD7, 0x9, 0x97, 0x93, 0x0, 0x94, 0x2, 0x68, 0xF9, 0xE8, 0x88, 0xC4, 0x9E, -0x53, 0xD6, 0x74, 0xF7, 0x9A, 0xAD, 0xC7, 0xE2, 0x1E, 0xBE, 0x57, 0x7B, 0xD, -0x5D, 0xE6, 0x7D, 0x3C, 0xF5, 0xF0, 0xE6, 0x1, 0xE5, 0x95, 0x1E, 0xA8, 0xB0, -0xA4, 0x92, 0xF4, 0xB0, 0x64, 0x7E, 0x63, 0x72, 0x52, 0xE7, 0x75, 0x30, 0x84, -0xE7, 0x9F, 0x51, 0x68, 0xA6, 0xB8, 0xFE, 0x2B, 0xF2, 0x58, 0xA4, 0x9, 0x2F, -0xB9, 0x0, 0xEB, 0xB0, 0x34, 0xD7, 0x5F, 0x3E, 0x3E, 0x76, 0xC1, 0x5D, 0x11, -0xCC, 0xB2, 0x4A, 0xBB, 0x7, 0x27, 0xFC, 0x8B, 0x47, 0xEC, 0x44, 0x4A, 0x8C, -0x6D, 0xE8, 0x42, 0x29, 0xAD, 0xED, 0x45, 0x3F, 0x2C, 0xDA, 0x3F, 0x4F, 0x9A, -0xDE, 0x54, 0xEB, 0x1D, 0xE4, 0x31, 0x54, 0xF7, 0xAF, 0x58, 0x81, 0x72, 0xED, -0xB9, 0xEC, 0x9, 0x2B, 0x38, 0xB1, 0xE5, 0x94, 0xE5, 0xC6, 0xE0, 0x7E, 0x3B, -0x48, 0x56, 0xAE, 0x15, 0x8C, 0xF7, 0xE5, 0x89, 0x23, 0xB0, 0xA9, 0x78, 0xC5, -0x5E, 0x3C, 0xB0, 0x3B, 0x1F, 0x1E, 0xA7, 0x34, 0x2D, 0xB3, 0x6E, 0xCC, 0x1A, -0xAB, 0x8E, 0x80, 0x39, 0xF5, 0x8A, 0x2F, 0x66, 0x4C, 0xF5, 0xDA, 0xCE, 0x2E, -0x6E, 0xCC, 0x12, 0xE4, 0xDB, 0xD5, 0x94, 0xBA, 0x18, 0xC9, 0x1E, 0xB4, 0xD1, -0x18, 0x6A, 0x5E, 0x37, 0x6A, 0x3A, 0x78, 0x70, 0x50, 0x7D, 0xC9, 0x65, 0x4D, -0x31, 0xE8, 0xB0, 0x89, 0xA5, 0xAA, 0x3D, 0x1, 0x46, 0x53, 0x84, 0xBC, 0xEE, -0x78, 0x38, 0x25, 0x99, 0x2D, 0xA7, 0x7B, 0xAA, 0x6, 0xB8, 0x28, 0xE9, 0x1, -0xD2, 0xDE, 0x84, 0x56, 0x2, 0xBA, 0x49, 0xFB, 0xA2, 0xAD, 0x8E, 0xEC, 0x73, -0xA, 0xF4, 0xB8, 0x24, 0xB8, 0xD0, 0x75, 0xC8, 0xB5, 0xCF, 0xF5, 0xE8, 0xC7, -0x4B, 0xDF, 0xEC, 0x43, 0xBC, 0x59, 0xD8, 0xFD, 0xA9, 0xC5, 0x26, 0xD9, 0x65, -0xB7, 0xB8, 0x22, 
0x1E, 0x2E, 0x70, 0xD3, 0x86, 0xF4, 0xF4, 0x84, 0x81, 0x5A, -0x3D, 0x33, 0xCC, 0x82, 0x45, 0x99, 0xC1, 0x1B, 0x47, 0xCD, 0xEF, 0xAE, 0x19, -0xA0, 0x1C, 0xA5, 0x7D, 0x74, 0x1F, 0x7C, 0xA3, 0x4, 0x3D, 0x97, 0x70, 0x8F, -0x2D, 0xCA, 0x6D, 0xAD, 0x2C, 0x9A, 0x53, 0x45, 0x51, 0xA1, 0xE3, 0x47, 0x2C, -0x80, 0x7D, 0x2, 0x7B, 0x8A, 0xD4, 0x7A, 0x8B, 0x58, 0x11, 0x81, 0x60, 0x2A, -0xC4, 0x4D, 0x26, 0xE, 0xAC, 0x41, 0x89, 0x5E, 0x49, 0xC9, 0xC5, 0x39, 0x9B, -0xCA, 0xD3, 0xB3, 0xE3, 0x19, 0xE7, 0xF2, 0xE6, 0x57, 0x1E, 0x2A, 0x5A, 0x29, -0x78, 0x14, 0xAD, 0x97, 0x7A, 0x2, 0xE5, 0xD8, 0x15, 0x8C, 0xEC, 0xA6, 0x3, -0x9A, 0x11, 0xF9, 0x95, 0x31, 0xED, 0xF2, 0x8C, 0xF1, 0xEF, 0x6B, 0xA5, 0x39, -0xAD, 0xF7, 0x8, 0xDA, 0x1D, 0x4D, 0xC6, 0xAF, 0x93, 0x60, 0xE7, 0x57, 0x31, -0xE4, 0x9E, 0x70, 0x66, 0xD5, 0x8A, 0xB4, 0x3C, 0x15, 0x6F, 0x95, 0xAF, 0xA9, -0x6B, 0xD5, 0xE, 0xDE, 0x37, 0x1D, 0x4C, 0xFA, 0x71, 0xCA, 0xAA, 0x96, 0x5, -0x13, 0x38, 0x13, 0x6D, 0xE5, 0xC6, 0x3F, 0xC5, 0x60, 0xFC, 0xFC, 0xCE, 0xA4, -0xDB, 0xC9, 0x91, 0xE3, 0x59, 0x2C, 0x9D, 0xB0, 0x76, 0xB8, 0x9A, 0x7D, 0xF4, -0x96, 0x37, 0x4, 0xEE, 0xCF, 0x8C, 0xE2, 0x5D, 0x36, 0xE8, 0xAA, 0x4E, 0x4B, -0x7B, 0xD0, 0x4D, 0xB4, 0x24, 0xA8, 0x42, 0x12, 0xD, 0xDC, 0xA, 0xAF, 0xBB, -0x52, 0xE6, 0xF2, 0xD1, 0x7, 0xE4, 0x15, 0x16, 0x36, 0xBA, 0x43, 0xD2, 0x3B, -0x17, 0x66, 0xFF, 0x6D, 0x75, 0x7F, 0x1F, 0xC7, 0xE1, 0x5C, 0x27, 0xE6, 0xF3, -0x92, 0x7D, 0x54, 0x96, 0xC6, 0x5C, 0x5A, 0x5D, 0xFB, 0x94, 0xBD, 0x5A, 0x79, -0x7, 0xCF, 0xFC, 0x1E, 0x4F, 0x87, 0x7B, 0x7E, 0xFC, 0x25, 0x90, 0x62, 0x34, -0x94, 0x92, 0xFB, 0x83, 0xB1, 0xCE, 0xA2, 0x5B, 0x6A, 0xAB, 0x98, 0x23, 0x50, -0xD4, 0x14, 0xB3, 0x8, 0xD6, 0x45, 0xAB, 0xCF, 0x7C, 0xB, 0x94, 0xB7, 0x56, -0x63, 0x43, 0x1A, 0x46, 0x3C, 0xF3, 0x3D, 0x7, 0x19, 0x27, 0x9D, 0x3, 0x3E, -0x48, 0x85, 0xF7, 0xF5, 0x1D, 0x5F, 0xD8, 0x14, 0xEE, 0x3A, 0x9D, 0xDD, 0xF6, -0x1D, 0x7B, 0x3, 0x45, 0x30, 0x84, 0x51, 0xE2, 0x54, 0xBB, 0x96, 0x21, 0xD6, -0x93, 0x94, 0x46, 0x8, 0xAF, 0x6C, 0x32, 0x1F, 0x9F, 0x6B, 
0xDF, 0x72, 0x80, -0xFB, 0xA8, 0xF3, 0xCD, 0x32, 0x52, 0x46, 0x4A, 0xAC, 0xB1, 0xA0, 0x25, 0x64, -0x8D, 0x41, 0xA7, 0x9C, 0xD9, 0x2D, 0xAE, 0x83, 0x90, 0xC9, 0xF9, 0x26, 0x91, -0xB2, 0xE3, 0x4, 0x6E, 0xA9, 0x46, 0x96, 0x5E, 0xA1, 0x5E, 0xEB, 0x2, 0xCB, -0x2, 0x1B, 0x21, 0xF7, 0x78, 0xB0, 0x10, 0x8F, 0x29, 0x9C, 0xFB, 0xAC, 0xFE, -0xC8, 0x8A, 0x79, 0x4, 0xC6, 0xED, 0xD, 0x9D, 0x27, 0xE5, 0x11, 0x65, 0x66, -0x14, 0xCD, 0xD, 0xCD, 0x85, 0x1D, 0x51, 0xE1, 0x64, 0xBC, 0x7E, 0x91, 0xD0, -0x54, 0xAB, 0x13, 0xFC, 0xF1, 0x22, 0x7C, 0x86, 0x17, 0xE6, 0x76, 0x76, 0xD6, -0x86, 0x5A, 0x3E, 0x92, 0xE6, 0x5F, 0x2E, 0x2F, 0xFC, 0xF0, 0xA8, 0x24, 0x91, -0xDF, 0xA8, 0x2, 0x72, 0xDC, 0x8A, 0xA6, 0x86, 0x85, 0xBE, 0xC6, 0x78, 0xFC, -0xDD, 0xC, 0xB0, 0x4B, 0x4D, 0xD4, 0xBE, 0x24, 0xB9, 0x3, 0x3, 0x54, 0x9F, -0xAB, 0x6, 0x5, 0x91, 0x4E, 0x41, 0xE9, 0x7E, 0x99, 0x18, 0x3C, 0xB1, 0x96, -0xF0, 0x99, 0x6A, 0xEC, 0xF6, 0x60, 0x7E, 0xE2, 0xD3, 0x6E, 0xED, 0xA8, 0xFC, -0x5F, 0x7, 0x34, 0x65, 0x4A, 0x27, 0x5C, 0x64, 0xD3, 0xF8, 0xA8, 0x6C, 0x92, -0x89, 0x6B, 0x21, 0xAD, 0x7D, 0x35, 0x17, 0xB0, 0x60, 0x93, 0xFA, 0x3E, 0x35, -0x52, 0x9C, 0x8E, 0x38, 0xA1, 0x11, 0xA2, 0x70, 0xB9, 0x8A, 0x8E, 0x3C, 0xCD, -0x57, 0x2, 0x48, 0x1, 0x3D, 0xFC, 0xA1, 0x75, 0x95, 0xF9, 0x90, 0xD, 0x3A, -0xF5, 0x6B, 0xBB, 0xDC, 0xC6, 0x2C, 0x82, 0x2B, 0xE4, 0x4C, 0x2, 0xDC, 0xD0, -0x80, 0x4F, 0x93, 0x22, 0x8D, 0xED, 0xE3, 0x92, 0x26, 0xC7, 0x64, 0x47, 0xDC, -0x85, 0x65, 0x9, 0x3D, 0x5B, 0x82, 0x34, 0x2F, 0x52, 0x93, 0x42, 0xD8, 0x68, -0x35, 0xF8, 0xA9, 0xCC, 0x87, 0x42, 0x9, 0x99, 0xFE, 0x5F, 0x70, 0xBB, 0x16, -0xD5, 0xFC, 0x60, 0x5D, 0x17, 0x92, 0x63, 0xBA, 0x1B, 0x69, 0xD5, 0xDC, 0x62, -0x2A, 0x66, 0x6, 0xD7, 0xD0, 0x46, 0x29, 0xC5, 0x0, 0x1, 0x77, 0x7D, 0xB2, -0x9B, 0x69, 0x7F, 0xCE, 0xBD, 0xFD, 0xC8, 0x11, 0x1C, 0x4E, 0x30, 0x6A, 0x66, -0x5F, 0x17, 0xD7, 0xCB, 0x91, 0x7E, 0x7F, 0xA7, 0x4C, 0xCE, 0xDC, 0xF2, 0x5B, -0x3C, 0x6A, 0xAB, 0x4B, 0x56, 0xD6, 0x4B, 0x9A, 0xA2, 0x88, 0xB, 0xC6, 0x7C, -0x10, 0x8, 0xF5, 0x8E, 0xD5, 
0xF2, 0x38, 0x78, 0x9, 0xBC, 0x7F, 0x23, 0x4E, -0x67, 0xBD, 0x88, 0xDC, 0x91, 0xB3, 0xFE, 0x6B, 0x99, 0x99, 0xE1, 0xF3, 0xB6, -0xC1, 0x6E, 0x44, 0xBA, 0xEF, 0xE0, 0xBF, 0xBD, 0x2F, 0xBA, 0x92, 0xFB, 0xA5, -0x29, 0xB, 0x33, 0x9E, 0xAD, 0x66, 0x85, 0x3F, 0xD0, 0x61, 0x9A, 0x44, 0xA6, -0xDF, 0x96, 0xA, 0x1D, 0x78, 0xC2, 0x8D, 0x64, 0x86, 0xD9, 0xC, 0xBF, 0x21, -0x14, 0xA2, 0x96, 0x2C, 0x5B, 0x13, 0x1B, 0xA6, 0xDB, 0xD5, 0xE6, 0xD7, 0xC4, -0xFE, 0x52, 0xE3, 0x77, 0x8B, 0x37, 0x47, 0x24, 0x57, 0x94, 0x70, 0x55, 0x53, -0xC3, 0x8, 0x8F, 0xDA, 0x20, 0xBF, 0x85, 0x97, 0x74, 0x79, 0xB, 0x0, 0xB, -0x1E, 0xF1, 0x1A, 0x83, 0x40, 0xC7, 0x51, 0xFD, 0xDD, 0x3D, 0xB7, 0xC, 0x92, -0x72, 0x16, 0xCA, 0xFA, 0x8E, 0x43, 0x9E, 0xA3, 0x73, 0xFF, 0x12, 0x47, 0x26, -0x64, 0xA8, 0xC6, 0x36, 0xC4, 0xB0, 0x77, 0x9A, 0x84, 0xEC, 0x1D, 0xCD, 0xF3, -0x91, 0x48, 0x2A, 0xAD, 0x37, 0xEE, 0x47, 0xA4, 0x47, 0xD6, 0x26, 0x64, 0xAA, -0xE0, 0x6B, 0x25, 0xFE, 0xD5, 0xB, 0x7, 0x65, 0x30, 0xAB, 0xFC, 0xC0, 0xB7, -0x90, 0x8F, 0xA9, 0x3F, 0xC8, 0x9, 0x9A, 0xF7, 0x8F, 0x33, 0x8A, 0xB3, 0xEE, -0xFC, 0xA3, 0x6E, 0x50, 0xA, 0x84, 0xAB, 0xF8, 0x1F, 0x89, 0xEB, 0x5D, 0xDE, -0x35, 0x4B, 0x4E, 0x23, 0x8D, 0x52, 0x47, 0x54, 0x3F, 0x9B, 0x9B, 0x4F, 0xBD, -0xEB, 0x36, 0x81, 0x33, 0xB, 0x86, 0x9E, 0x19, 0x14, 0xC0, 0x49, 0xB5, 0x74, -0xEB, 0x79, 0xF7, 0xC2, 0x34, 0xF2, 0xEF, 0x10, 0x3A, 0xB0, 0x17, 0x8D, 0x16, -0x71, 0x2, 0xEE, 0x8A, 0x4C, 0x5B, 0xF1, 0xC7, 0x2F, 0xDE, 0x57, 0x24, 0x5F, -0x5D, 0x1A, 0x1A, 0xC5, 0xBB, 0xFB, 0xD3, 0x5F, 0xB0, 0xB5, 0xCF, 0x1A, 0x1C, -0x68, 0x84, 0x78, 0x23, 0x80, 0x84, 0x47, 0x3, 0xE8, 0x4B, 0x45, 0x9B, 0x5B, -0xD9, 0x9F, 0x3, 0x9B, 0xC9, 0xDF, 0xAF, 0xDD, 0x51, 0xBF, 0xCE, 0x59, 0xD7, -0x79, 0x67, 0x61, 0xCF, 0x55, 0x2A, 0x11, 0xD2, 0x42, 0xB7, 0x4A, 0x62, 0x1D, -0xC4, 0xDC, 0x6D, 0xBB, 0xC4, 0x9A, 0x60, 0xE2, 0x73, 0x40, 0x47, 0x60, 0x3E, -0x5F, 0x53, 0x37, 0xAE, 0x5B, 0x9E, 0x4D, 0xF7, 0xE4, 0x7B, 0x61, 0xA, 0x86, -0xA8, 0xDC, 0x2D, 0x65, 0x75, 0xE2, 0x8A, 0x2D, 0xC8, 0x73, 0xD8, 0x18, 
0xAF, -0xAC, 0xC6, 0x6C, 0xDA, 0x67, 0x28, 0x52, 0xE8, 0xAE, 0xE4, 0x66, 0xF1, 0xD1, -0xC8, 0x1B, 0xD0, 0x9F, 0xA1, 0x42, 0xE, 0xC9, 0x75, 0x1E, 0x39, 0x2E, 0xD2, -0x43, 0x1, 0x76, 0x3B, 0xF7, 0x88, 0xAF, 0xC0, 0x3C, 0x96, 0xD, 0xF3, 0xE, -0x42, 0xFC, 0x80, 0xA, 0xAE, 0xF8, 0x3A, 0x16, 0x87, 0xA0, 0x5F, 0x7D, 0x5A, -0x4C, 0x56, 0x90, 0xCE, 0x2B, 0x82, 0x5A, 0x2B, 0x49, 0xD5, 0x2C, 0x11, 0x83, -0x96, 0xB9, 0xF6, 0xDB, 0xA9, 0x66, 0xD6, 0xAC, 0x9B, 0x9, 0x3C, 0x6C, 0x15, -0xE3, 0x1D, 0xF6, 0xF7, 0xEE, 0x9F, 0xA, 0xC5, 0x91, 0x14, 0x33, 0x4B, 0xDB, -0xC4, 0xEE, 0xC, 0xFB, 0xE4, 0xD1, 0x43, 0xC2, 0x1B, 0xC3, 0x2, 0x9B, 0x6B }; + 0x30, 0x82, 0xF, 0xD4, 0x2, 0x1, 0x0, 0x30, 0xB, 0x6, 0x9, 0x60, + 0x86, 0x48, 0x1, 0x65, 0x3, 0x4, 0x3, 0x12, 0x4, 0x82, 0xF, 0xC0, + 0x9B, 0x77, 0xAB, 0x96, 0x9D, 0x65, 0xA2, 0xC1, 0x55, 0x65, 0x2, 0x9B, + 0xA5, 0xD4, 0xE5, 0x93, 0xA1, 0xAC, 0xE7, 0x3E, 0x8C, 0x61, 0xB7, 0xCB, + 0xA1, 0x3E, 0x74, 0x8A, 0xC9, 0xC0, 0xA0, 0x63, 0x31, 0x99, 0xCE, 0x5B, + 0x64, 0x5C, 0x4, 0xBC, 0xAA, 0x47, 0x73, 0x13, 0x4E, 0x53, 0x9F, 0x83, + 0x81, 0x49, 0x98, 0x80, 0x58, 0xB2, 0xA1, 0xDB, 0xD8, 0xDB, 0xEB, 0xAD, + 0x42, 0xD0, 0xFF, 0xEE, 0x18, 0x1A, 0x15, 0x58, 0x9C, 0x84, 0x7F, 0x2A, + 0x73, 0x57, 0x63, 0x60, 0x82, 0xF7, 0xC6, 0xA3, 0xD1, 0x55, 0xC3, 0x4C, + 0xE3, 0xA0, 0x49, 0xBC, 0x17, 0xB4, 0x31, 0x99, 0xBF, 0x75, 0xCB, 0xF2, + 0xFB, 0x6B, 0x58, 0x52, 0x12, 0xC3, 0xBC, 0xED, 0xDC, 0x32, 0xBE, 0x9, + 0x2C, 0xBB, 0x6A, 0x54, 0x6D, 0x9D, 0x5D, 0x97, 0xD3, 0xCC, 0x20, 0x31, + 0x9C, 0x7E, 0x2B, 0x5C, 0x42, 0x9E, 0x2E, 0xCB, 0x41, 0x38, 0x84, 0x2, + 0x3, 0x24, 0x75, 0x37, 0x23, 0x73, 0x38, 0x85, 0x0, 0x62, 0x42, 0x24, + 0x76, 0x38, 0x88, 0x21, 0x31, 0x76, 0x74, 0x55, 0x51, 0x28, 0x34, 0x8, + 0x41, 0x32, 0x67, 0x40, 0x11, 0x81, 0x62, 0x48, 0x27, 0x51, 0x85, 0x33, + 0x61, 0x12, 0x22, 0x24, 0x30, 0x28, 0x75, 0x20, 0x3, 0x63, 0x11, 0x71, + 0x88, 0x38, 0x88, 0x58, 0x84, 0x16, 0x66, 0x14, 0x22, 0x27, 0x28, 0x11, + 0x44, 0x37, 0x76, 0x15, 0x24, 0x8, 0x56, 0x40, 0x13, 
0x71, 0x74, 0x46, + 0x88, 0x14, 0x37, 0x13, 0x0, 0x1, 0x48, 0x44, 0x4, 0x83, 0x67, 0x88, + 0x16, 0x0, 0x13, 0x17, 0x6, 0x38, 0x18, 0x76, 0x15, 0x14, 0x67, 0x16, + 0x76, 0x57, 0x24, 0x53, 0x86, 0x31, 0x34, 0x16, 0x34, 0x3, 0x8, 0x68, + 0x65, 0x77, 0x36, 0x86, 0x37, 0x30, 0x76, 0x20, 0x51, 0x33, 0x82, 0x28, + 0x72, 0x45, 0x35, 0x83, 0x6, 0x58, 0x58, 0x37, 0x71, 0x86, 0x0, 0x84, + 0x18, 0x11, 0x54, 0x87, 0x12, 0x78, 0x75, 0x23, 0x45, 0x81, 0x17, 0x42, + 0x1, 0x0, 0x34, 0x32, 0x55, 0x38, 0x88, 0x25, 0x52, 0x62, 0x5, 0x41, + 0x86, 0x88, 0x67, 0x24, 0x81, 0x46, 0x74, 0x31, 0x53, 0x53, 0x45, 0x17, + 0x26, 0x48, 0x85, 0x76, 0x24, 0x24, 0x36, 0x18, 0x50, 0x18, 0x18, 0x60, + 0x76, 0x4, 0x87, 0x22, 0x0, 0x66, 0x74, 0x52, 0x18, 0x32, 0x7, 0x61, + 0x27, 0x68, 0x70, 0x65, 0x78, 0x85, 0x66, 0x60, 0x5, 0x14, 0x77, 0x23, + 0x74, 0x70, 0x41, 0x55, 0x12, 0x26, 0x86, 0x35, 0x28, 0x66, 0x30, 0x83, + 0x42, 0x52, 0x26, 0x18, 0x34, 0x16, 0x48, 0x23, 0x35, 0x62, 0x37, 0x67, + 0x82, 0x50, 0x1, 0x78, 0x70, 0x16, 0x11, 0x35, 0x58, 0x58, 0x8, 0x82, + 0x55, 0x61, 0x85, 0x17, 0x46, 0x70, 0x77, 0x77, 0x37, 0x42, 0x35, 0x56, + 0x53, 0x85, 0x7, 0x64, 0x13, 0x34, 0x51, 0x25, 0x78, 0x12, 0x21, 0x14, + 0x74, 0x81, 0x32, 0x41, 0x0, 0x60, 0x78, 0x71, 0x22, 0x22, 0x56, 0x48, + 0x57, 0x24, 0x65, 0x40, 0x36, 0x3, 0x3, 0x17, 0x86, 0x31, 0x44, 0x48, + 0x55, 0x60, 0x55, 0x84, 0x68, 0x76, 0x16, 0x15, 0x40, 0x82, 0x64, 0x88, + 0x47, 0x88, 0x44, 0x58, 0x46, 0x5, 0x2, 0x47, 0x27, 0x64, 0x20, 0x74, + 0x14, 0x74, 0x2, 0x18, 0x21, 0x50, 0x42, 0x43, 0x14, 0x63, 0x5, 0x36, + 0x8, 0x38, 0x80, 0x86, 0x80, 0x61, 0x15, 0x80, 0x56, 0x53, 0x13, 0x70, + 0x64, 0x66, 0x20, 0x17, 0x21, 0x50, 0x68, 0x7, 0x53, 0x34, 0x73, 0x17, + 0x50, 0x68, 0x72, 0x43, 0x2, 0x0, 0x80, 0x7, 0x37, 0x85, 0x72, 0x12, + 0x87, 0x73, 0x46, 0x45, 0x56, 0x66, 0x2, 0x72, 0x70, 0x78, 0x34, 0x51, + 0x65, 0x31, 0x77, 0x75, 0x52, 0x17, 0x82, 0x84, 0x34, 0x26, 0x51, 0x21, + 0x31, 0x18, 0x33, 0x28, 0x84, 0x57, 0x10, 0x30, 0x47, 0x26, 0x27, 0x53, + 0x58, 0x10, 
0x73, 0x42, 0x67, 0x58, 0x27, 0x36, 0x56, 0x77, 0x25, 0x43, + 0x87, 0x75, 0x65, 0x82, 0x51, 0x56, 0x60, 0x65, 0x70, 0x5, 0x7, 0x33, + 0x48, 0x37, 0x82, 0x60, 0x11, 0x23, 0x18, 0x15, 0x22, 0x42, 0x10, 0x46, + 0x81, 0x47, 0x44, 0x22, 0x73, 0x76, 0x28, 0x30, 0x63, 0x10, 0x24, 0x72, + 0x12, 0x17, 0x78, 0x50, 0x1, 0x75, 0x57, 0x42, 0x88, 0x21, 0x22, 0x77, + 0x68, 0x22, 0x43, 0x84, 0x14, 0x51, 0x73, 0x68, 0x54, 0x62, 0x8, 0x83, + 0x75, 0x41, 0x10, 0x15, 0x14, 0x57, 0x73, 0x42, 0x13, 0x20, 0x52, 0x76, + 0x72, 0x34, 0x18, 0x10, 0x0, 0x18, 0x17, 0x55, 0x30, 0x88, 0x47, 0x23, + 0x0, 0x76, 0x44, 0x85, 0x25, 0x4, 0x3, 0x88, 0x0, 0x70, 0x10, 0x70, + 0x1, 0x80, 0x12, 0x4, 0x73, 0x20, 0x72, 0x21, 0x24, 0x37, 0x4, 0x1, + 0x63, 0x76, 0x4, 0x71, 0x30, 0x31, 0x17, 0x20, 0x18, 0x37, 0x23, 0x44, + 0x3, 0x8, 0x77, 0x63, 0x73, 0x61, 0x43, 0x70, 0x11, 0x6, 0x84, 0x73, + 0x26, 0x38, 0x78, 0x23, 0x61, 0x12, 0x45, 0x84, 0x76, 0x31, 0x23, 0x67, + 0x37, 0x7, 0x73, 0x13, 0x46, 0x42, 0x51, 0x13, 0x12, 0x5, 0x15, 0x28, + 0x57, 0x64, 0x62, 0x82, 0x42, 0x6, 0x83, 0x25, 0x12, 0x20, 0x40, 0x48, + 0x21, 0x47, 0x73, 0x38, 0x13, 0x32, 0x10, 0x73, 0x36, 0x57, 0x3, 0x0, + 0x31, 0x54, 0x78, 0x40, 0x23, 0x21, 0x14, 0x35, 0x13, 0x62, 0x83, 0x56, + 0x35, 0x87, 0x44, 0x65, 0x74, 0x5, 0x66, 0x76, 0x26, 0x35, 0x17, 0x18, + 0x67, 0x12, 0x6, 0x0, 0x42, 0x85, 0x71, 0x20, 0x62, 0x81, 0x22, 0x5, + 0x76, 0x32, 0x77, 0x60, 0x65, 0x84, 0x64, 0x14, 0x60, 0x8, 0x55, 0x65, + 0x21, 0x18, 0x8, 0x77, 0x72, 0x37, 0x70, 0x28, 0x24, 0x13, 0x18, 0x60, + 0x83, 0x73, 0x33, 0x71, 0x16, 0x63, 0x72, 0x55, 0x64, 0x24, 0x11, 0x30, + 0x84, 0x54, 0x33, 0x15, 0x33, 0x26, 0x66, 0x32, 0x35, 0x72, 0x52, 0x52, + 0x35, 0x85, 0x85, 0x72, 0x5, 0x81, 0x84, 0x34, 0x78, 0x70, 0x65, 0x34, + 0x10, 0x76, 0x76, 0x20, 0x76, 0x33, 0x33, 0x22, 0x76, 0x75, 0x28, 0x3, + 0x4, 0x21, 0x28, 0x73, 0x3, 0x57, 0x72, 0x3, 0x35, 0x37, 0x66, 0x88, + 0x23, 0x88, 0x27, 0x43, 0x32, 0x26, 0x5, 0x20, 0x36, 0x32, 0x78, 0x54, + 0x83, 0x38, 0x86, 0x81, 0x78, 0x1, 0x63, 0x21, 
0x75, 0x82, 0x1, 0x73, + 0x18, 0x0, 0x42, 0x54, 0x67, 0x26, 0x52, 0x38, 0x18, 0x65, 0x87, 0x36, + 0x86, 0x53, 0x84, 0x20, 0x6, 0x23, 0x62, 0x73, 0x4, 0x14, 0x83, 0x77, + 0x0, 0x57, 0x86, 0x84, 0x70, 0x48, 0x2, 0x71, 0x28, 0x41, 0x42, 0x12, + 0x13, 0x73, 0x43, 0x22, 0x65, 0x60, 0x72, 0x75, 0x28, 0x42, 0x17, 0x24, + 0x67, 0x38, 0x27, 0x86, 0x58, 0x68, 0x25, 0x42, 0x2, 0x56, 0x62, 0x67, + 0x5, 0x34, 0x54, 0x64, 0x68, 0x25, 0x15, 0x55, 0x88, 0x43, 0x58, 0x73, + 0x77, 0x65, 0x46, 0x48, 0x36, 0x6, 0x86, 0x32, 0x80, 0x80, 0x18, 0x72, + 0x2, 0x54, 0x54, 0x72, 0x10, 0x65, 0x70, 0x41, 0x63, 0x47, 0x35, 0x40, + 0x75, 0x2, 0x70, 0x43, 0x18, 0x26, 0x78, 0x51, 0x52, 0x74, 0x43, 0x14, + 0x51, 0x53, 0x77, 0x67, 0x53, 0x24, 0x11, 0x11, 0x57, 0x74, 0x18, 0x12, + 0x27, 0x73, 0x30, 0x6, 0x42, 0x75, 0x16, 0x17, 0x58, 0x4, 0x81, 0x5, + 0x48, 0x54, 0x78, 0x53, 0x71, 0x6, 0x28, 0x41, 0x63, 0x81, 0x67, 0x0, + 0x18, 0x25, 0x24, 0x14, 0x70, 0x85, 0x70, 0x80, 0x72, 0x48, 0x23, 0x21, + 0x47, 0x13, 0x74, 0x72, 0x4, 0x27, 0x20, 0x75, 0x6, 0x80, 0x12, 0x24, + 0x18, 0x57, 0x75, 0x45, 0x33, 0x80, 0x47, 0x28, 0x25, 0x80, 0x86, 0x6, + 0x67, 0x23, 0x51, 0x80, 0x6, 0x72, 0x34, 0x30, 0x16, 0x25, 0x15, 0x52, + 0x16, 0x57, 0x77, 0x45, 0x1, 0x48, 0x83, 0x35, 0x58, 0x68, 0x77, 0x3, + 0x20, 0x34, 0x70, 0x23, 0x66, 0x14, 0x85, 0x0, 0x5, 0x34, 0x32, 0x37, + 0x83, 0x56, 0x45, 0x86, 0x32, 0x41, 0x56, 0x64, 0x83, 0x37, 0x77, 0x26, + 0x80, 0x45, 0x16, 0x86, 0x64, 0x36, 0x85, 0x25, 0x16, 0x44, 0x47, 0x2, + 0x62, 0x75, 0x86, 0x57, 0x82, 0x38, 0x34, 0x85, 0x21, 0x74, 0x15, 0x55, + 0x26, 0x53, 0x16, 0x70, 0x82, 0x87, 0x17, 0x4, 0x63, 0x28, 0x21, 0x41, + 0x61, 0x66, 0x16, 0x78, 0x37, 0x5, 0x81, 0x13, 0x26, 0x16, 0x56, 0x56, + 0x85, 0x4, 0x72, 0x40, 0x64, 0x74, 0x13, 0x85, 0x20, 0x27, 0x14, 0x62, + 0x72, 0x67, 0x70, 0x33, 0x25, 0x78, 0x48, 0x1, 0x17, 0x77, 0x14, 0x33, + 0x41, 0x65, 0x5, 0x8, 0x0, 0x71, 0x44, 0x88, 0x8, 0x48, 0x2, 0x60, + 0x12, 0x88, 0x5, 0x74, 0x56, 0x4, 0x77, 0x4, 0x52, 0x4, 0x31, 0x11, + 0x81, 0x78, 
0x88, 0x21, 0x11, 0x26, 0x51, 0x60, 0x67, 0x20, 0x37, 0x52, + 0x1, 0x63, 0x85, 0x16, 0x68, 0x47, 0x65, 0x25, 0x2, 0x1, 0x18, 0x32, + 0x0, 0x57, 0x33, 0x37, 0x38, 0x25, 0x27, 0x36, 0x21, 0x6, 0x40, 0x3, + 0x74, 0x43, 0x24, 0x35, 0x86, 0x53, 0x88, 0x53, 0x16, 0x16, 0x2, 0x88, + 0x44, 0x22, 0x25, 0x72, 0x63, 0x85, 0x17, 0x81, 0x56, 0x47, 0x16, 0x65, + 0x2, 0x24, 0x5, 0x58, 0x55, 0x86, 0x72, 0x18, 0x21, 0x71, 0x86, 0x65, + 0x61, 0x88, 0x85, 0x84, 0x70, 0x47, 0x27, 0x63, 0x73, 0x1, 0x26, 0x27, + 0x85, 0x54, 0x85, 0x55, 0x45, 0x73, 0x30, 0x36, 0x44, 0x36, 0x45, 0x52, + 0x43, 0x8, 0x14, 0x22, 0x64, 0x77, 0x36, 0x43, 0x14, 0x33, 0x66, 0x10, + 0x56, 0x84, 0x42, 0x18, 0x77, 0x71, 0x27, 0x86, 0x84, 0x21, 0x26, 0x3, + 0x22, 0x14, 0x47, 0x0, 0x51, 0x84, 0x28, 0x52, 0x66, 0x40, 0x66, 0x55, + 0x85, 0x67, 0x2, 0x74, 0x6, 0x15, 0x72, 0x87, 0x40, 0x24, 0x71, 0x43, + 0x74, 0x10, 0x27, 0x53, 0x42, 0x10, 0x3, 0x77, 0x1, 0x84, 0x8, 0x18, + 0x22, 0x86, 0x71, 0x77, 0x48, 0x22, 0x42, 0x50, 0x66, 0x85, 0x34, 0x57, + 0x88, 0x31, 0x81, 0x73, 0x66, 0x68, 0x75, 0x50, 0x10, 0x32, 0x73, 0x87, + 0x57, 0x77, 0x40, 0x4, 0x3, 0x14, 0x87, 0x31, 0x38, 0x22, 0x65, 0x68, + 0x68, 0x88, 0x10, 0x32, 0x71, 0x77, 0x5, 0x51, 0x76, 0x68, 0x40, 0x52, + 0x36, 0x63, 0x2, 0x76, 0x84, 0x50, 0x76, 0x27, 0x6, 0x77, 0x58, 0x52, + 0x52, 0x74, 0x78, 0x77, 0x77, 0x50, 0x30, 0x84, 0x54, 0x28, 0x53, 0x70, + 0x82, 0x7, 0x21, 0x6, 0x64, 0x35, 0x62, 0x80, 0x55, 0x10, 0x71, 0x82, + 0x2, 0x66, 0x81, 0x40, 0x57, 0x61, 0x7, 0x16, 0x2, 0x72, 0x67, 0x6, + 0x24, 0x88, 0x23, 0x88, 0x63, 0x83, 0x81, 0x14, 0x40, 0x7, 0x17, 0x15, + 0x20, 0x63, 0x76, 0x22, 0x75, 0x81, 0x70, 0x43, 0x81, 0x80, 0x43, 0x4, + 0x51, 0x78, 0x40, 0x63, 0x36, 0x0, 0x77, 0x40, 0x24, 0x53, 0x11, 0x44, + 0x65, 0x62, 0x56, 0x77, 0x20, 0x21, 0x25, 0x8, 0x25, 0x63, 0x34, 0x54, + 0x76, 0x53, 0x6, 0x13, 0x1, 0x80, 0x25, 0x77, 0x44, 0x38, 0x17, 0x32, + 0x36, 0x13, 0x32, 0x27, 0x0, 0x37, 0x60, 0x63, 0x74, 0x6, 0x52, 0x5, + 0x72, 0x83, 0x83, 0x84, 0x28, 0x71, 0x15, 0x38, 
0x17, 0x47, 0x8, 0x37, + 0x42, 0x67, 0x86, 0x38, 0x62, 0x65, 0x26, 0x23, 0x84, 0x22, 0x38, 0x66, + 0x6, 0xD9, 0x77, 0xF8, 0x41, 0xCB, 0x87, 0xD3, 0x3F, 0x76, 0xEB, 0x57, + 0x71, 0xFF, 0xBF, 0x14, 0x3B, 0x4C, 0x53, 0x1, 0xA8, 0x24, 0xAC, 0xB4, + 0x71, 0x4A, 0xD8, 0xAF, 0xCB, 0x45, 0x70, 0x6E, 0xF8, 0x89, 0xB6, 0x31, + 0xA7, 0x8B, 0x4A, 0xCF, 0x6C, 0x42, 0x8E, 0x8, 0xCE, 0x55, 0x7D, 0x0, + 0x1B, 0xA3, 0x3B, 0x9D, 0x2D, 0xC0, 0xF9, 0x85, 0x66, 0xA6, 0x3F, 0x5C, + 0x77, 0xC0, 0xE1, 0x12, 0xF3, 0xEE, 0xBD, 0x4F, 0x9C, 0xB1, 0xD5, 0x1, + 0x50, 0x22, 0x9C, 0xDD, 0xBF, 0xE9, 0xB7, 0xF5, 0x59, 0xC4, 0xB0, 0x9C, + 0x2D, 0xB5, 0xA7, 0x4B, 0xB4, 0xD1, 0x2A, 0x91, 0x86, 0xC8, 0x28, 0x31, + 0x73, 0xC0, 0x43, 0x2B, 0xBD, 0xDE, 0xDF, 0xA1, 0x2C, 0xAD, 0x9, 0x59, + 0xB0, 0xF3, 0x95, 0x63, 0xA1, 0x7A, 0x88, 0x85, 0xA3, 0xFB, 0xF4, 0xD7, + 0xF4, 0x1C, 0x68, 0xCD, 0x3F, 0x9C, 0x7A, 0xE5, 0xA9, 0x76, 0xB9, 0xC0, + 0x89, 0xEE, 0x51, 0xD6, 0xB6, 0xF3, 0x4A, 0xF7, 0x5, 0xA1, 0x0, 0x6C, + 0xF, 0x62, 0xC4, 0x65, 0x21, 0xB5, 0x9C, 0xD8, 0x77, 0x64, 0x94, 0x59, + 0xBD, 0xA2, 0x14, 0x97, 0x45, 0x45, 0x58, 0xFF, 0x24, 0xD7, 0x9E, 0x47, + 0x38, 0x32, 0xD6, 0x97, 0x98, 0xB7, 0xD7, 0xEF, 0x25, 0xDD, 0xFD, 0xAE, + 0x91, 0xF7, 0x1E, 0x53, 0x9A, 0x8C, 0x11, 0xDE, 0xF3, 0xB6, 0x1D, 0xE0, + 0x2A, 0xC8, 0x46, 0x47, 0xF8, 0x39, 0x59, 0xC4, 0x62, 0x8B, 0xD2, 0x7E, + 0xDB, 0x23, 0xC5, 0xA3, 0x21, 0xF8, 0x16, 0xAE, 0x24, 0xFB, 0x19, 0x8D, + 0x4D, 0xC3, 0x37, 0x96, 0x95, 0xA8, 0xA5, 0xA2, 0x8F, 0x4D, 0x77, 0xBC, + 0x2E, 0xFB, 0xFE, 0xC8, 0xED, 0x76, 0x42, 0x1C, 0x2A, 0x3B, 0x41, 0xF7, + 0xA0, 0xC5, 0xF3, 0xE9, 0x67, 0x7C, 0xC6, 0x88, 0xE7, 0x1A, 0x36, 0x65, + 0x32, 0xFC, 0x15, 0x15, 0xF5, 0xA4, 0x9F, 0xA5, 0xF0, 0x67, 0xB1, 0xE6, + 0x21, 0x4E, 0x9D, 0x29, 0x29, 0x50, 0xEB, 0x68, 0x36, 0x11, 0x9, 0xA5, + 0x9C, 0xBD, 0x69, 0x1C, 0xA5, 0xB9, 0x8F, 0x68, 0x96, 0x1F, 0xA1, 0xDA, + 0xFD, 0xF4, 0xED, 0xA2, 0xA6, 0xA7, 0xD2, 0x81, 0x9D, 0x91, 0x56, 0x9, + 0xF4, 0x29, 0x24, 0x24, 0xA2, 0x8F, 0xC2, 0xB0, 0xEE, 0x2, 
0xD9, 0x96, + 0x8B, 0x9D, 0x9E, 0x1A, 0x48, 0xA7, 0x7A, 0x2D, 0x1D, 0x5A, 0xBF, 0x21, + 0x60, 0x57, 0xB2, 0x28, 0x3, 0xBD, 0x4B, 0xEE, 0xE1, 0x71, 0x71, 0xF8, + 0xC7, 0x3B, 0x1F, 0x2F, 0x6C, 0x2C, 0xBF, 0x1C, 0x51, 0x32, 0xFF, 0xF6, + 0x3B, 0x53, 0x57, 0xBD, 0xC9, 0x9A, 0x58, 0xB4, 0xEA, 0x6, 0xBC, 0xDB, + 0xB2, 0x2E, 0x86, 0x5D, 0xBB, 0x6A, 0x44, 0xF1, 0x8C, 0x4A, 0x6F, 0x4A, + 0x8D, 0xEA, 0x93, 0x19, 0x36, 0xAC, 0x41, 0xA9, 0x92, 0x26, 0x4E, 0x8, + 0xA5, 0xA5, 0xE9, 0xC6, 0xBD, 0xB6, 0xC2, 0x4F, 0xFF, 0xD1, 0xA5, 0x89, + 0x30, 0xBF, 0x82, 0xE5, 0xEF, 0x1C, 0x47, 0x4B, 0xC, 0x3C, 0xFB, 0x46, + 0x9D, 0xDA, 0x30, 0x35, 0xF8, 0x4, 0x9A, 0xD2, 0x60, 0xB7, 0x2C, 0x92, + 0x1A, 0xB7, 0xCC, 0xEC, 0x1C, 0x5E, 0xED, 0x41, 0xCA, 0x11, 0xA1, 0x61, + 0xDD, 0x6B, 0x4C, 0xA3, 0x1D, 0x95, 0x2A, 0x1A, 0x76, 0xC4, 0x35, 0xE5, + 0xA9, 0x75, 0xCD, 0x20, 0x70, 0x91, 0xB0, 0xD3, 0x0, 0x70, 0x9B, 0xE9, + 0xDC, 0xB3, 0xC7, 0x72, 0x62, 0xB7, 0xAD, 0x1, 0x4F, 0x6D, 0x23, 0x19, + 0x67, 0xD8, 0xE8, 0x78, 0x84, 0x2E, 0xF1, 0xF8, 0x7A, 0x88, 0x13, 0xF2, + 0xAA, 0x56, 0x8, 0xE7, 0x69, 0xE5, 0xE4, 0x12, 0x71, 0xBE, 0xFF, 0x9D, + 0x94, 0x6D, 0xCA, 0xD2, 0xB5, 0x2A, 0x47, 0xAC, 0xCA, 0x6E, 0x3F, 0x27, + 0x47, 0xF8, 0x6C, 0xBA, 0x8E, 0x61, 0x6C, 0xFB, 0x11, 0x50, 0x3D, 0x2E, + 0x75, 0x28, 0xFA, 0x3A, 0xAD, 0x5B, 0x4B, 0x7A, 0x21, 0x35, 0x6B, 0x9E, + 0xE1, 0xBE, 0xA0, 0xF9, 0x6C, 0x13, 0xE3, 0xC7, 0x84, 0xEB, 0x60, 0x76, + 0x8F, 0x33, 0x8C, 0x57, 0xE1, 0x35, 0x2A, 0x1B, 0x5B, 0xD9, 0xA3, 0x77, + 0x22, 0x93, 0x48, 0xB1, 0xF2, 0xA5, 0xB1, 0xCA, 0x35, 0x4D, 0x7A, 0x10, + 0x0, 0xFB, 0x2E, 0xCD, 0x97, 0x80, 0x23, 0x6C, 0xD8, 0xA5, 0x49, 0x8D, + 0xB3, 0x46, 0x5D, 0xEA, 0xE8, 0xF5, 0xFD, 0xDA, 0xE3, 0x9E, 0xDE, 0xF0, + 0xB2, 0xF7, 0x5C, 0x82, 0x10, 0x9E, 0xC2, 0x4B, 0x4E, 0xD5, 0x45, 0x54, + 0x15, 0xB1, 0xA5, 0xA7, 0xE5, 0xE0, 0xA5, 0xFE, 0x99, 0xB2, 0x6B, 0x30, + 0x90, 0x55, 0xE1, 0xAF, 0x4, 0xB2, 0x15, 0x18, 0x60, 0x26, 0x99, 0x98, + 0x3E, 0x67, 0xBC, 0x14, 0x45, 0x37, 0x2A, 0xA3, 0x23, 0x58, 0xCA, 0x82, 
+ 0x1C, 0x98, 0x7C, 0xC4, 0xB1, 0xE2, 0xED, 0xE5, 0xDF, 0x41, 0xDC, 0x7D, + 0x13, 0xDF, 0xC1, 0xC1, 0xA7, 0xE, 0x24, 0x3D, 0xA2, 0x9D, 0x95, 0x44, + 0x9, 0x7A, 0x42, 0x2B, 0x0, 0x23, 0x1C, 0x3D, 0xBC, 0x3E, 0x2B, 0x67, + 0x6F, 0xB4, 0xC2, 0x49, 0xEB, 0xD, 0xFF, 0x6D, 0x19, 0x34, 0xBF, 0xDE, + 0x2A, 0x9, 0x6C, 0x2F, 0x2B, 0x7D, 0xDE, 0x17, 0x54, 0x16, 0xEF, 0x4, + 0x86, 0x89, 0xCA, 0x67, 0xA4, 0xE7, 0xBA, 0xF9, 0x7E, 0x8A, 0x42, 0xB2, + 0xEB, 0x4F, 0xE8, 0x7B, 0xAD, 0x71, 0xBC, 0x1C, 0xF, 0x1D, 0x40, 0xB1, + 0x84, 0xB2, 0x46, 0x46, 0xFB, 0x6A, 0xA7, 0x67, 0x30, 0x9B, 0xD0, 0x1A, + 0x7A, 0xC1, 0xE9, 0xE7, 0x1, 0xA4, 0x1B, 0xC9, 0xE, 0x79, 0x6C, 0xE8, + 0x46, 0x47, 0xCF, 0xA, 0x64, 0x42, 0xB1, 0xB1, 0x70, 0xB0, 0xB6, 0x6E, + 0xDD, 0x93, 0xBA, 0x56, 0x78, 0xBA, 0x63, 0x87, 0x7F, 0x6E, 0x36, 0xC6, + 0xFF, 0x90, 0xF5, 0xFC, 0xEE, 0x76, 0x61, 0x5C, 0x53, 0xD4, 0x4C, 0xE4, + 0x9C, 0x59, 0xFF, 0x6B, 0x59, 0x44, 0x8E, 0x60, 0xDF, 0xFA, 0x25, 0x63, + 0x4, 0xD0, 0xB6, 0x36, 0xF8, 0xF9, 0xB2, 0xD9, 0xDE, 0xD6, 0x29, 0xCD, + 0x15, 0x90, 0x47, 0x8F, 0xCA, 0x5C, 0x1D, 0x42, 0x8D, 0x47, 0xF0, 0x72, + 0xD5, 0x9, 0x92, 0x72, 0xE5, 0xB4, 0x2A, 0xAB, 0xD9, 0x6, 0x40, 0xDD, + 0x3E, 0x7D, 0x85, 0x8, 0x7E, 0x12, 0x7E, 0x6A, 0xD, 0xB7, 0x9F, 0x98, + 0xC7, 0x47, 0x63, 0xBB, 0xC6, 0x3C, 0x7, 0x68, 0x5F, 0xC3, 0x82, 0xAC, + 0x6A, 0xD6, 0x4D, 0x29, 0x68, 0xFF, 0xD5, 0x46, 0xD4, 0x87, 0xE6, 0x4A, + 0xFF, 0x22, 0x93, 0x2A, 0x4, 0x8, 0xA7, 0x9B, 0xF3, 0xA1, 0x7E, 0x4C, + 0x2C, 0xFF, 0xEA, 0x7D, 0x97, 0x4B, 0x5B, 0x8F, 0xDE, 0x6F, 0x0, 0x80, + 0xAB, 0x62, 0x96, 0x5E, 0x3A, 0x25, 0x39, 0xD3, 0x65, 0x9B, 0x7, 0x1D, + 0x67, 0x80, 0x9A, 0x9B, 0xEF, 0x84, 0xF1, 0x66, 0xCF, 0xEB, 0x83, 0xBE, + 0x5F, 0xA3, 0x7E, 0x92, 0x36, 0xAF, 0x80, 0xBE, 0x20, 0x88, 0x23, 0x9A, + 0x23, 0x98, 0xB4, 0x90, 0xC7, 0x27, 0x6A, 0xA9, 0xBC, 0xC1, 0x71, 0x4D, + 0xFF, 0x1B, 0x60, 0xF8, 0xA5, 0xE1, 0xB0, 0x5A, 0x6A, 0xC7, 0x87, 0xF, + 0xB9, 0x3C, 0x99, 0xB0, 0x49, 0x65, 0x37, 0x28, 0xE7, 0x11, 0xC, 0xB8, + 0xB9, 0x6B, 0xDC, 
0x3C, 0x28, 0xF9, 0xFA, 0x96, 0x1A, 0x84, 0xDF, 0x20, + 0x1E, 0xC, 0x8C, 0x5B, 0xA2, 0x22, 0x3E, 0x5B, 0x74, 0x38, 0x72, 0x45, + 0x8D, 0xFA, 0x7D, 0x9F, 0xC3, 0x1F, 0x49, 0xA, 0xD9, 0x32, 0x8E, 0x2B, + 0xDC, 0x86, 0x91, 0x15, 0xE6, 0xEA, 0xD4, 0x87, 0xE4, 0x6C, 0xE0, 0x31, + 0xB4, 0xBF, 0x31, 0xB6, 0xD1, 0x94, 0xF8, 0x4E, 0x4B, 0xF3, 0x22, 0x7F, + 0x88, 0x2F, 0xB2, 0x1F, 0x8E, 0xCA, 0x7, 0x6C, 0xCE, 0xAE, 0x25, 0x82, + 0xB6, 0xE1, 0x30, 0x91, 0xE8, 0xB3, 0xD2, 0x24, 0x11, 0x31, 0xC6, 0x58, + 0xC5, 0xB3, 0xBC, 0x45, 0xA8, 0x41, 0x6, 0x31, 0x89, 0xC9, 0x43, 0x2, + 0x63, 0x9F, 0xEA, 0x9B, 0x69, 0x44, 0x8F, 0xD6, 0x44, 0x70, 0xCB, 0x83, + 0x52, 0xDE, 0x39, 0x16, 0x77, 0x79, 0x7F, 0x23, 0xAC, 0x5C, 0x5F, 0x9F, + 0x2B, 0xD2, 0x28, 0x73, 0xC0, 0x8D, 0x88, 0x7F, 0xEF, 0xA5, 0x30, 0xE6, + 0x8B, 0x35, 0x4C, 0xD1, 0xA5, 0x6E, 0xE7, 0x4F, 0x19, 0x31, 0x78, 0x1, + 0x98, 0xC5, 0xA6, 0x3D, 0x1E, 0xE8, 0x78, 0x85, 0x19, 0xDD, 0xAC, 0x8C, + 0xBF, 0x1, 0xEE, 0x44, 0xA1, 0xD1, 0xA, 0xAB, 0x13, 0x99, 0x9D, 0x45, + 0x73, 0x7, 0xF9, 0xD7, 0x9, 0x97, 0x93, 0x0, 0x94, 0x2, 0x68, 0xF9, + 0xE8, 0x88, 0xC4, 0x9E, 0x53, 0xD6, 0x74, 0xF7, 0x9A, 0xAD, 0xC7, 0xE2, + 0x1E, 0xBE, 0x57, 0x7B, 0xD, 0x5D, 0xE6, 0x7D, 0x3C, 0xF5, 0xF0, 0xE6, + 0x1, 0xE5, 0x95, 0x1E, 0xA8, 0xB0, 0xA4, 0x92, 0xF4, 0xB0, 0x64, 0x7E, + 0x63, 0x72, 0x52, 0xE7, 0x75, 0x30, 0x84, 0xE7, 0x9F, 0x51, 0x68, 0xA6, + 0xB8, 0xFE, 0x2B, 0xF2, 0x58, 0xA4, 0x9, 0x2F, 0xB9, 0x0, 0xEB, 0xB0, + 0x34, 0xD7, 0x5F, 0x3E, 0x3E, 0x76, 0xC1, 0x5D, 0x11, 0xCC, 0xB2, 0x4A, + 0xBB, 0x7, 0x27, 0xFC, 0x8B, 0x47, 0xEC, 0x44, 0x4A, 0x8C, 0x6D, 0xE8, + 0x42, 0x29, 0xAD, 0xED, 0x45, 0x3F, 0x2C, 0xDA, 0x3F, 0x4F, 0x9A, 0xDE, + 0x54, 0xEB, 0x1D, 0xE4, 0x31, 0x54, 0xF7, 0xAF, 0x58, 0x81, 0x72, 0xED, + 0xB9, 0xEC, 0x9, 0x2B, 0x38, 0xB1, 0xE5, 0x94, 0xE5, 0xC6, 0xE0, 0x7E, + 0x3B, 0x48, 0x56, 0xAE, 0x15, 0x8C, 0xF7, 0xE5, 0x89, 0x23, 0xB0, 0xA9, + 0x78, 0xC5, 0x5E, 0x3C, 0xB0, 0x3B, 0x1F, 0x1E, 0xA7, 0x34, 0x2D, 0xB3, + 0x6E, 0xCC, 0x1A, 0xAB, 0x8E, 0x80, 
0x39, 0xF5, 0x8A, 0x2F, 0x66, 0x4C, + 0xF5, 0xDA, 0xCE, 0x2E, 0x6E, 0xCC, 0x12, 0xE4, 0xDB, 0xD5, 0x94, 0xBA, + 0x18, 0xC9, 0x1E, 0xB4, 0xD1, 0x18, 0x6A, 0x5E, 0x37, 0x6A, 0x3A, 0x78, + 0x70, 0x50, 0x7D, 0xC9, 0x65, 0x4D, 0x31, 0xE8, 0xB0, 0x89, 0xA5, 0xAA, + 0x3D, 0x1, 0x46, 0x53, 0x84, 0xBC, 0xEE, 0x78, 0x38, 0x25, 0x99, 0x2D, + 0xA7, 0x7B, 0xAA, 0x6, 0xB8, 0x28, 0xE9, 0x1, 0xD2, 0xDE, 0x84, 0x56, + 0x2, 0xBA, 0x49, 0xFB, 0xA2, 0xAD, 0x8E, 0xEC, 0x73, 0xA, 0xF4, 0xB8, + 0x24, 0xB8, 0xD0, 0x75, 0xC8, 0xB5, 0xCF, 0xF5, 0xE8, 0xC7, 0x4B, 0xDF, + 0xEC, 0x43, 0xBC, 0x59, 0xD8, 0xFD, 0xA9, 0xC5, 0x26, 0xD9, 0x65, 0xB7, + 0xB8, 0x22, 0x1E, 0x2E, 0x70, 0xD3, 0x86, 0xF4, 0xF4, 0x84, 0x81, 0x5A, + 0x3D, 0x33, 0xCC, 0x82, 0x45, 0x99, 0xC1, 0x1B, 0x47, 0xCD, 0xEF, 0xAE, + 0x19, 0xA0, 0x1C, 0xA5, 0x7D, 0x74, 0x1F, 0x7C, 0xA3, 0x4, 0x3D, 0x97, + 0x70, 0x8F, 0x2D, 0xCA, 0x6D, 0xAD, 0x2C, 0x9A, 0x53, 0x45, 0x51, 0xA1, + 0xE3, 0x47, 0x2C, 0x80, 0x7D, 0x2, 0x7B, 0x8A, 0xD4, 0x7A, 0x8B, 0x58, + 0x11, 0x81, 0x60, 0x2A, 0xC4, 0x4D, 0x26, 0xE, 0xAC, 0x41, 0x89, 0x5E, + 0x49, 0xC9, 0xC5, 0x39, 0x9B, 0xCA, 0xD3, 0xB3, 0xE3, 0x19, 0xE7, 0xF2, + 0xE6, 0x57, 0x1E, 0x2A, 0x5A, 0x29, 0x78, 0x14, 0xAD, 0x97, 0x7A, 0x2, + 0xE5, 0xD8, 0x15, 0x8C, 0xEC, 0xA6, 0x3, 0x9A, 0x11, 0xF9, 0x95, 0x31, + 0xED, 0xF2, 0x8C, 0xF1, 0xEF, 0x6B, 0xA5, 0x39, 0xAD, 0xF7, 0x8, 0xDA, + 0x1D, 0x4D, 0xC6, 0xAF, 0x93, 0x60, 0xE7, 0x57, 0x31, 0xE4, 0x9E, 0x70, + 0x66, 0xD5, 0x8A, 0xB4, 0x3C, 0x15, 0x6F, 0x95, 0xAF, 0xA9, 0x6B, 0xD5, + 0xE, 0xDE, 0x37, 0x1D, 0x4C, 0xFA, 0x71, 0xCA, 0xAA, 0x96, 0x5, 0x13, + 0x38, 0x13, 0x6D, 0xE5, 0xC6, 0x3F, 0xC5, 0x60, 0xFC, 0xFC, 0xCE, 0xA4, + 0xDB, 0xC9, 0x91, 0xE3, 0x59, 0x2C, 0x9D, 0xB0, 0x76, 0xB8, 0x9A, 0x7D, + 0xF4, 0x96, 0x37, 0x4, 0xEE, 0xCF, 0x8C, 0xE2, 0x5D, 0x36, 0xE8, 0xAA, + 0x4E, 0x4B, 0x7B, 0xD0, 0x4D, 0xB4, 0x24, 0xA8, 0x42, 0x12, 0xD, 0xDC, + 0xA, 0xAF, 0xBB, 0x52, 0xE6, 0xF2, 0xD1, 0x7, 0xE4, 0x15, 0x16, 0x36, + 0xBA, 0x43, 0xD2, 0x3B, 0x17, 0x66, 0xFF, 0x6D, 0x75, 
0x7F, 0x1F, 0xC7, + 0xE1, 0x5C, 0x27, 0xE6, 0xF3, 0x92, 0x7D, 0x54, 0x96, 0xC6, 0x5C, 0x5A, + 0x5D, 0xFB, 0x94, 0xBD, 0x5A, 0x79, 0x7, 0xCF, 0xFC, 0x1E, 0x4F, 0x87, + 0x7B, 0x7E, 0xFC, 0x25, 0x90, 0x62, 0x34, 0x94, 0x92, 0xFB, 0x83, 0xB1, + 0xCE, 0xA2, 0x5B, 0x6A, 0xAB, 0x98, 0x23, 0x50, 0xD4, 0x14, 0xB3, 0x8, + 0xD6, 0x45, 0xAB, 0xCF, 0x7C, 0xB, 0x94, 0xB7, 0x56, 0x63, 0x43, 0x1A, + 0x46, 0x3C, 0xF3, 0x3D, 0x7, 0x19, 0x27, 0x9D, 0x3, 0x3E, 0x48, 0x85, + 0xF7, 0xF5, 0x1D, 0x5F, 0xD8, 0x14, 0xEE, 0x3A, 0x9D, 0xDD, 0xF6, 0x1D, + 0x7B, 0x3, 0x45, 0x30, 0x84, 0x51, 0xE2, 0x54, 0xBB, 0x96, 0x21, 0xD6, + 0x93, 0x94, 0x46, 0x8, 0xAF, 0x6C, 0x32, 0x1F, 0x9F, 0x6B, 0xDF, 0x72, + 0x80, 0xFB, 0xA8, 0xF3, 0xCD, 0x32, 0x52, 0x46, 0x4A, 0xAC, 0xB1, 0xA0, + 0x25, 0x64, 0x8D, 0x41, 0xA7, 0x9C, 0xD9, 0x2D, 0xAE, 0x83, 0x90, 0xC9, + 0xF9, 0x26, 0x91, 0xB2, 0xE3, 0x4, 0x6E, 0xA9, 0x46, 0x96, 0x5E, 0xA1, + 0x5E, 0xEB, 0x2, 0xCB, 0x2, 0x1B, 0x21, 0xF7, 0x78, 0xB0, 0x10, 0x8F, + 0x29, 0x9C, 0xFB, 0xAC, 0xFE, 0xC8, 0x8A, 0x79, 0x4, 0xC6, 0xED, 0xD, + 0x9D, 0x27, 0xE5, 0x11, 0x65, 0x66, 0x14, 0xCD, 0xD, 0xCD, 0x85, 0x1D, + 0x51, 0xE1, 0x64, 0xBC, 0x7E, 0x91, 0xD0, 0x54, 0xAB, 0x13, 0xFC, 0xF1, + 0x22, 0x7C, 0x86, 0x17, 0xE6, 0x76, 0x76, 0xD6, 0x86, 0x5A, 0x3E, 0x92, + 0xE6, 0x5F, 0x2E, 0x2F, 0xFC, 0xF0, 0xA8, 0x24, 0x91, 0xDF, 0xA8, 0x2, + 0x72, 0xDC, 0x8A, 0xA6, 0x86, 0x85, 0xBE, 0xC6, 0x78, 0xFC, 0xDD, 0xC, + 0xB0, 0x4B, 0x4D, 0xD4, 0xBE, 0x24, 0xB9, 0x3, 0x3, 0x54, 0x9F, 0xAB, + 0x6, 0x5, 0x91, 0x4E, 0x41, 0xE9, 0x7E, 0x99, 0x18, 0x3C, 0xB1, 0x96, + 0xF0, 0x99, 0x6A, 0xEC, 0xF6, 0x60, 0x7E, 0xE2, 0xD3, 0x6E, 0xED, 0xA8, + 0xFC, 0x5F, 0x7, 0x34, 0x65, 0x4A, 0x27, 0x5C, 0x64, 0xD3, 0xF8, 0xA8, + 0x6C, 0x92, 0x89, 0x6B, 0x21, 0xAD, 0x7D, 0x35, 0x17, 0xB0, 0x60, 0x93, + 0xFA, 0x3E, 0x35, 0x52, 0x9C, 0x8E, 0x38, 0xA1, 0x11, 0xA2, 0x70, 0xB9, + 0x8A, 0x8E, 0x3C, 0xCD, 0x57, 0x2, 0x48, 0x1, 0x3D, 0xFC, 0xA1, 0x75, + 0x95, 0xF9, 0x90, 0xD, 0x3A, 0xF5, 0x6B, 0xBB, 0xDC, 0xC6, 0x2C, 0x82, + 
0x2B, 0xE4, 0x4C, 0x2, 0xDC, 0xD0, 0x80, 0x4F, 0x93, 0x22, 0x8D, 0xED, + 0xE3, 0x92, 0x26, 0xC7, 0x64, 0x47, 0xDC, 0x85, 0x65, 0x9, 0x3D, 0x5B, + 0x82, 0x34, 0x2F, 0x52, 0x93, 0x42, 0xD8, 0x68, 0x35, 0xF8, 0xA9, 0xCC, + 0x87, 0x42, 0x9, 0x99, 0xFE, 0x5F, 0x70, 0xBB, 0x16, 0xD5, 0xFC, 0x60, + 0x5D, 0x17, 0x92, 0x63, 0xBA, 0x1B, 0x69, 0xD5, 0xDC, 0x62, 0x2A, 0x66, + 0x6, 0xD7, 0xD0, 0x46, 0x29, 0xC5, 0x0, 0x1, 0x77, 0x7D, 0xB2, 0x9B, + 0x69, 0x7F, 0xCE, 0xBD, 0xFD, 0xC8, 0x11, 0x1C, 0x4E, 0x30, 0x6A, 0x66, + 0x5F, 0x17, 0xD7, 0xCB, 0x91, 0x7E, 0x7F, 0xA7, 0x4C, 0xCE, 0xDC, 0xF2, + 0x5B, 0x3C, 0x6A, 0xAB, 0x4B, 0x56, 0xD6, 0x4B, 0x9A, 0xA2, 0x88, 0xB, + 0xC6, 0x7C, 0x10, 0x8, 0xF5, 0x8E, 0xD5, 0xF2, 0x38, 0x78, 0x9, 0xBC, + 0x7F, 0x23, 0x4E, 0x67, 0xBD, 0x88, 0xDC, 0x91, 0xB3, 0xFE, 0x6B, 0x99, + 0x99, 0xE1, 0xF3, 0xB6, 0xC1, 0x6E, 0x44, 0xBA, 0xEF, 0xE0, 0xBF, 0xBD, + 0x2F, 0xBA, 0x92, 0xFB, 0xA5, 0x29, 0xB, 0x33, 0x9E, 0xAD, 0x66, 0x85, + 0x3F, 0xD0, 0x61, 0x9A, 0x44, 0xA6, 0xDF, 0x96, 0xA, 0x1D, 0x78, 0xC2, + 0x8D, 0x64, 0x86, 0xD9, 0xC, 0xBF, 0x21, 0x14, 0xA2, 0x96, 0x2C, 0x5B, + 0x13, 0x1B, 0xA6, 0xDB, 0xD5, 0xE6, 0xD7, 0xC4, 0xFE, 0x52, 0xE3, 0x77, + 0x8B, 0x37, 0x47, 0x24, 0x57, 0x94, 0x70, 0x55, 0x53, 0xC3, 0x8, 0x8F, + 0xDA, 0x20, 0xBF, 0x85, 0x97, 0x74, 0x79, 0xB, 0x0, 0xB, 0x1E, 0xF1, + 0x1A, 0x83, 0x40, 0xC7, 0x51, 0xFD, 0xDD, 0x3D, 0xB7, 0xC, 0x92, 0x72, + 0x16, 0xCA, 0xFA, 0x8E, 0x43, 0x9E, 0xA3, 0x73, 0xFF, 0x12, 0x47, 0x26, + 0x64, 0xA8, 0xC6, 0x36, 0xC4, 0xB0, 0x77, 0x9A, 0x84, 0xEC, 0x1D, 0xCD, + 0xF3, 0x91, 0x48, 0x2A, 0xAD, 0x37, 0xEE, 0x47, 0xA4, 0x47, 0xD6, 0x26, + 0x64, 0xAA, 0xE0, 0x6B, 0x25, 0xFE, 0xD5, 0xB, 0x7, 0x65, 0x30, 0xAB, + 0xFC, 0xC0, 0xB7, 0x90, 0x8F, 0xA9, 0x3F, 0xC8, 0x9, 0x9A, 0xF7, 0x8F, + 0x33, 0x8A, 0xB3, 0xEE, 0xFC, 0xA3, 0x6E, 0x50, 0xA, 0x84, 0xAB, 0xF8, + 0x1F, 0x89, 0xEB, 0x5D, 0xDE, 0x35, 0x4B, 0x4E, 0x23, 0x8D, 0x52, 0x47, + 0x54, 0x3F, 0x9B, 0x9B, 0x4F, 0xBD, 0xEB, 0x36, 0x81, 0x33, 0xB, 0x86, + 0x9E, 0x19, 0x14, 0xC0, 
0x49, 0xB5, 0x74, 0xEB, 0x79, 0xF7, 0xC2, 0x34,
+ 0xF2, 0xEF, 0x10, 0x3A, 0xB0, 0x17, 0x8D, 0x16, 0x71, 0x2, 0xEE, 0x8A,
+ 0x4C, 0x5B, 0xF1, 0xC7, 0x2F, 0xDE, 0x57, 0x24, 0x5F, 0x5D, 0x1A, 0x1A,
+ 0xC5, 0xBB, 0xFB, 0xD3, 0x5F, 0xB0, 0xB5, 0xCF, 0x1A, 0x1C, 0x68, 0x84,
+ 0x78, 0x23, 0x80, 0x84, 0x47, 0x3, 0xE8, 0x4B, 0x45, 0x9B, 0x5B, 0xD9,
+ 0x9F, 0x3, 0x9B, 0xC9, 0xDF, 0xAF, 0xDD, 0x51, 0xBF, 0xCE, 0x59, 0xD7,
+ 0x79, 0x67, 0x61, 0xCF, 0x55, 0x2A, 0x11, 0xD2, 0x42, 0xB7, 0x4A, 0x62,
+ 0x1D, 0xC4, 0xDC, 0x6D, 0xBB, 0xC4, 0x9A, 0x60, 0xE2, 0x73, 0x40, 0x47,
+ 0x60, 0x3E, 0x5F, 0x53, 0x37, 0xAE, 0x5B, 0x9E, 0x4D, 0xF7, 0xE4, 0x7B,
+ 0x61, 0xA, 0x86, 0xA8, 0xDC, 0x2D, 0x65, 0x75, 0xE2, 0x8A, 0x2D, 0xC8,
+ 0x73, 0xD8, 0x18, 0xAF, 0xAC, 0xC6, 0x6C, 0xDA, 0x67, 0x28, 0x52, 0xE8,
+ 0xAE, 0xE4, 0x66, 0xF1, 0xD1, 0xC8, 0x1B, 0xD0, 0x9F, 0xA1, 0x42, 0xE,
+ 0xC9, 0x75, 0x1E, 0x39, 0x2E, 0xD2, 0x43, 0x1, 0x76, 0x3B, 0xF7, 0x88,
+ 0xAF, 0xC0, 0x3C, 0x96, 0xD, 0xF3, 0xE, 0x42, 0xFC, 0x80, 0xA, 0xAE,
+ 0xF8, 0x3A, 0x16, 0x87, 0xA0, 0x5F, 0x7D, 0x5A, 0x4C, 0x56, 0x90, 0xCE,
+ 0x2B, 0x82, 0x5A, 0x2B, 0x49, 0xD5, 0x2C, 0x11, 0x83, 0x96, 0xB9, 0xF6,
+ 0xDB, 0xA9, 0x66, 0xD6, 0xAC, 0x9B, 0x9, 0x3C, 0x6C, 0x15, 0xE3, 0x1D,
+ 0xF6, 0xF7, 0xEE, 0x9F, 0xA, 0xC5, 0x91, 0x14, 0x33, 0x4B, 0xDB, 0xC4,
+ 0xEE, 0xC, 0xFB, 0xE4, 0xD1, 0x43, 0xC2, 0x1B, 0xC3, 0x2, 0x9B, 0x6B};
 static bssl::UniquePtr LoadExampleRSAKey() {
- bssl::UniquePtr rsa(RSA_private_key_from_bytes(kExampleRSAKeyDER,
- sizeof(kExampleRSAKeyDER)));
+ bssl::UniquePtr rsa(
+ RSA_private_key_from_bytes(kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER)));
 if (!rsa) {
 return nullptr;
 }
@@ -1072,7 +1099,7 @@ TEST(EVPExtraTest, VerifyRecover) {
 ASSERT_TRUE(rsa);
 const uint8_t kDummyHash[32] = {0};
- uint8_t sig[2048/8];
+ uint8_t sig[2048 / 8];
 unsigned sig_len = sizeof(sig);
 ASSERT_TRUE(RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), sig,
 &sig_len, rsa.get()));
@@ -1119,8 +1146,7 @@ TEST(EVPExtraTest, d2i_AutoPrivateKey) {
 TestValidPrivateKey(kExampleRSAPSSKeyPKCS8, sizeof(kExampleRSAPSSKeyPKCS8),
 EVP_PKEY_RSA_PSS);
 TestValidPrivateKey(kExampleRSAPSSKeyNoPSSParams,
- sizeof(kExampleRSAPSSKeyNoPSSParams),
- EVP_PKEY_RSA_PSS);
+ sizeof(kExampleRSAPSSKeyNoPSSParams), EVP_PKEY_RSA_PSS);
 TestValidPrivateKey(kExampleECKeyDER, sizeof(kExampleECKeyDER), EVP_PKEY_EC);
 TestValidPrivateKey(kExampleECKeyPKCS8, sizeof(kExampleECKeyPKCS8),
 EVP_PKEY_EC);
@@ -1829,9 +1855,9 @@ TEST(EVPExtraTest, DHParamgen) {
 bssl::UniquePtr pkey(raw_pkey);
 ASSERT_TRUE(raw_pkey);
- const DH* dh = EVP_PKEY_get0_DH(pkey.get());
+ const DH *dh = EVP_PKEY_get0_DH(pkey.get());
 ASSERT_TRUE(dh);
- const BIGNUM* p = DH_get0_p(dh);
+ const BIGNUM *p = DH_get0_p(dh);
 ASSERT_TRUE(p);
 unsigned p_size = BN_num_bits(p);
 ASSERT_EQ(p_size, (unsigned)prime_len);
@@ -1921,7 +1947,8 @@ TEST(EVPExtraTest, PKEY_CTX_manual) {
 // Generate generic |EC_KEY|.
 pkey.reset(EVP_PKEY_new());
 ASSERT_TRUE(pkey);
- bssl::UniquePtr group(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
+ bssl::UniquePtr group(
+ EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
 bssl::UniquePtr eckey(EC_KEY_new());
 ASSERT_TRUE(eckey);
 ASSERT_TRUE(EC_KEY_set_group(eckey.get(), group.get()));
@@ -2073,8 +2100,8 @@ struct RsassaPssParamsMatchTestInput {
 EVP_sha512_256(), 0},
 // This test expects success when setting |signature_md| and |rsa_mgf1_md|
 // because |kExampleRSAPSSKeyNoPSSParams| has no pss restriction.
- {kExampleRSAPSSKeyNoPSSParams, sizeof(kExampleRSAPSSKeyNoPSSParams), EVP_sha256(),
- EVP_sha256(), 1},
+ {kExampleRSAPSSKeyNoPSSParams, sizeof(kExampleRSAPSSKeyNoPSSParams),
+ EVP_sha256(), EVP_sha256(), 1},
 };
 class EVPRsaPssExtraTest
@@ -2106,7 +2133,8 @@ TEST_P(EVPRsaPssExtraTest, PssParamsMatch) {
 ASSERT_TRUE(EVP_PKEY_sign_init(pkey_ctx));
 EXPECT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING));
 // Compare one way hash func.
- EXPECT_EQ(EVP_PKEY_CTX_set_signature_md(pkey_ctx, signature_md), param.success);
+ EXPECT_EQ(EVP_PKEY_CTX_set_signature_md(pkey_ctx, signature_md),
+ param.success);
 // Compare one way hash func of mask gen.
 EXPECT_EQ(EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, rsa_mgf1_md), param.success);
 EXPECT_TRUE(
@@ -2121,7 +2149,8 @@ struct BadPssKeyTestInput {
 const uint8_t *der;
 size_t der_len;
 } kBadPssKeyTestInputs[] = {
- {badRSAPSSKeyPKCS8_SaltLengthTooLarge, sizeof(badRSAPSSKeyPKCS8_SaltLengthTooLarge)},
+ {badRSAPSSKeyPKCS8_SaltLengthTooLarge,
+ sizeof(badRSAPSSKeyPKCS8_SaltLengthTooLarge)},
 };
 class EVPRsaPssBadKeyTest : public testing::TestWithParam {
@@ -2167,12 +2196,18 @@ struct KnownKEM { }; static const struct KnownKEM kKEMs[] = { - {"Kyber512r3", NID_KYBER512_R3, 800, 1632, 768, 32, 64, 32, "kyber/kat/kyber512r3.txt"}, - {"Kyber768r3", NID_KYBER768_R3, 1184, 2400, 1088, 32, 64, 32, "kyber/kat/kyber768r3.txt"}, - {"Kyber1024r3", NID_KYBER1024_R3, 1568, 3168, 1568, 32, 64, 32, "kyber/kat/kyber1024r3.txt"}, - {"MLKEM512", NID_MLKEM512, 800, 1632, 768, 32, 64, 32, "fipsmodule/ml_kem/kat/mlkem512.txt"}, - {"MLKEM768", NID_MLKEM768, 1184, 2400, 1088, 32, 64, 32, "fipsmodule/ml_kem/kat/mlkem768.txt"}, - {"MLKEM1024", NID_MLKEM1024, 1568, 3168, 1568, 32, 64, 32, "fipsmodule/ml_kem/kat/mlkem1024.txt"}, + {"Kyber512r3", NID_KYBER512_R3, 800, 1632, 768, 32, 64, 32, + "kyber/kat/kyber512r3.txt"}, + {"Kyber768r3", NID_KYBER768_R3, 1184, 2400, 1088, 32, 64, 32, + "kyber/kat/kyber768r3.txt"}, + {"Kyber1024r3", NID_KYBER1024_R3, 1568, 3168, 1568, 32, 64, 32, + "kyber/kat/kyber1024r3.txt"}, + {"MLKEM512", NID_MLKEM512, 800, 1632, 768, 32, 64, 32, + "fipsmodule/ml_kem/kat/mlkem512.txt"}, + {"MLKEM768", NID_MLKEM768, 1184, 2400, 1088, 32, 64, 32, + "fipsmodule/ml_kem/kat/mlkem768.txt"}, + {"MLKEM1024", NID_MLKEM1024, 1568, 3168, 1568, 32, 64, 32, + "fipsmodule/ml_kem/kat/mlkem1024.txt"}, }; class PerKEMTest : public testing::TestWithParam {}; @@ -2182,7 +2217,6 @@ INSTANTIATE_TEST_SUITE_P(All, PerKEMTest, testing::ValuesIn(kKEMs), -> std::string { return params.param.name; }); TEST_P(PerKEMTest, KeyGeneration) { - // ---- 1. Test basic key generation flow ---- // Create context of KEM type. bssl::UniquePtr ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, nullptr)); 
@@ -2250,13 +2284,13 @@ TEST_P(PerKEMTest, KeyGeneration) { EXPECT_EQ(EVP_R_INVALID_OPERATION, ERR_GET_REASON(err)); // kem_nid is not a KEM. - tmp = (void*) ctx.get()->pkey; + tmp = (void *)ctx.get()->pkey; ctx.get()->pkey = nullptr; ASSERT_FALSE(EVP_PKEY_CTX_kem_set_params(ctx.get(), NID_secp521r1)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(EVP_R_UNSUPPORTED_ALGORITHM, ERR_GET_REASON(err)); - ctx.get()->pkey = (EVP_PKEY*) tmp; + ctx.get()->pkey = (EVP_PKEY *)tmp; } // Helper function that: @@ -2266,8 +2300,8 @@ TEST_P(PerKEMTest, KeyGeneration) { // is performed, if a |seed| is provided, deterministic keygen is performed) // 4. creates EVP_PKEY object from the generated key, // 5. creates a new context with the EVP_PKEY object and returns it. -static bssl::UniquePtr setup_ctx_and_generate_key(int kem_nid, const uint8_t * seed, size_t *seed_len) { - +static bssl::UniquePtr setup_ctx_and_generate_key( + int kem_nid, const uint8_t *seed, size_t *seed_len) { // Create context of KEM type. bssl::UniquePtr ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, nullptr)); EXPECT_TRUE(ctx); @@ -2278,11 +2312,11 @@ static bssl::UniquePtr setup_ctx_and_generate_key(int kem_nid, con // Generate a key pair. EVP_PKEY *raw = nullptr; EXPECT_TRUE(EVP_PKEY_keygen_init(ctx.get())); - // If a |seed| is NULL, we use EVP_PKEY_keygen, otherwise we use EVP_PKEY_keygen_deterministic - if (seed == nullptr){ + // If a |seed| is NULL, we use EVP_PKEY_keygen, otherwise we use + // EVP_PKEY_keygen_deterministic + if (seed == nullptr) { EXPECT_TRUE(EVP_PKEY_keygen(ctx.get(), &raw)); - } - else{ + } else { EXPECT_TRUE(EVP_PKEY_keygen_deterministic(ctx.get(), &raw, seed, seed_len)); } @@ -2297,7 +2331,6 @@ static bssl::UniquePtr setup_ctx_and_generate_key(int kem_nid, con } TEST_P(PerKEMTest, Encapsulation) { - // ---- 1. Setup phase: generate a context and a key ---- bssl::UniquePtr ctx; ctx = setup_ctx_and_generate_key(GetParam().nid, nullptr, nullptr); 
@@ -2311,7 +2344,8 @@ TEST_P(PerKEMTest, Encapsulation) { std::vector ss(ss_len); // Encapsulate. - ASSERT_TRUE(EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); + ASSERT_TRUE( + EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); // Check the lengths set by encapsulate are as expected. EXPECT_EQ(ct_len, GetParam().ciphertext_len); @@ -2323,17 +2357,20 @@ TEST_P(PerKEMTest, Encapsulation) { ss_len = 0; // Get the lengths and check them. - ASSERT_TRUE(EVP_PKEY_encapsulate(ctx.get(), nullptr, &ct_len, nullptr, &ss_len)); + ASSERT_TRUE( + EVP_PKEY_encapsulate(ctx.get(), nullptr, &ct_len, nullptr, &ss_len)); EXPECT_EQ(ct_len, GetParam().ciphertext_len); EXPECT_EQ(ss_len, GetParam().shared_secret_len); // When only one of |ct| or |ss| is NULL the function fails. - ASSERT_FALSE(EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, nullptr, &ss_len)); + ASSERT_FALSE( + EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, nullptr, &ss_len)); uint32_t err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(EVP_R_MISSING_PARAMETERS, ERR_GET_REASON(err)); - ASSERT_FALSE(EVP_PKEY_encapsulate(ctx.get(), nullptr, &ct_len, ss.data(), &ss_len)); + ASSERT_FALSE( + EVP_PKEY_encapsulate(ctx.get(), nullptr, &ct_len, ss.data(), &ss_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(EVP_R_MISSING_PARAMETERS, ERR_GET_REASON(err)); @@ -2341,7 +2378,8 @@ TEST_P(PerKEMTest, Encapsulation) { // ---- 4. Test calling encapsulate with different lengths ---- // Set ct length to be less than expected -- should fail. ct_len = GetParam().ciphertext_len - 1; - ASSERT_FALSE(EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); + ASSERT_FALSE( + EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(EVP_R_BUFFER_TOO_SMALL, ERR_GET_REASON(err)); 
@@ -2349,13 +2387,15 @@ TEST_P(PerKEMTest, Encapsulation) { // Set ct length to be greater than expected -- should succeed because // it's ok to provide buffer that's larger than needed. ct_len = GetParam().ciphertext_len + 1; - ASSERT_TRUE(EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); + ASSERT_TRUE( + EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); EXPECT_EQ(ct_len, GetParam().ciphertext_len); // Set ss length to be less than expected -- should fail. ct_len = GetParam().ciphertext_len; ss_len = GetParam().shared_secret_len - 1; - ASSERT_FALSE(EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); + ASSERT_FALSE( + EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(EVP_R_BUFFER_TOO_SMALL, ERR_GET_REASON(err)); 
@@ -2363,23 +2403,26 @@ TEST_P(PerKEMTest, Encapsulation) { // Set ss length to be greater than expected -- should succeed because // it's ok to provide buffer that's larger than needed. ss_len = GetParam().shared_secret_len + 1; - ASSERT_TRUE(EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); + ASSERT_TRUE( + EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); EXPECT_EQ(ss_len, GetParam().shared_secret_len); // ---- 5. Test more failure modes for EVP_PKEY_encapsulate. ---- - ASSERT_FALSE(EVP_PKEY_encapsulate(nullptr, ct.data(), &ct_len, ss.data(), &ss_len)); + ASSERT_FALSE( + EVP_PKEY_encapsulate(nullptr, ct.data(), &ct_len, ss.data(), &ss_len)); - void *tmp = (void*) ctx.get()->pmeth; + void *tmp = (void *)ctx.get()->pmeth; ctx.get()->pmeth = nullptr; - ASSERT_FALSE(EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); + ASSERT_FALSE( + EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); - EXPECT_EQ(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, ERR_GET_REASON(err)); - ctx.get()->pmeth = (EVP_PKEY_METHOD*) tmp; + EXPECT_EQ(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, + ERR_GET_REASON(err)); + ctx.get()->pmeth = (EVP_PKEY_METHOD *)tmp; } TEST_P(PerKEMTest, Decapsulation) { - // ---- 1. Setup phase: generate context and key and encapsulate ---- bssl::UniquePtr ctx; ctx = setup_ctx_and_generate_key(GetParam().nid, nullptr, nullptr); 
@@ -2392,11 +2435,13 @@ TEST_P(PerKEMTest, Decapsulation) { std::vector ss(ss_len); // Encapsulate. - ASSERT_TRUE(EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); + ASSERT_TRUE( + EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); // ---- 2. Test basic decapsulation flow ---- // Decapsulate. - ASSERT_TRUE(EVP_PKEY_decapsulate(ctx.get(), ss.data(), &ss_len, ct.data(), ct_len)); + ASSERT_TRUE( + EVP_PKEY_decapsulate(ctx.get(), ss.data(), &ss_len, ct.data(), ct_len)); // Check the length set by decapsulate is as expected. EXPECT_EQ(ss_len, GetParam().shared_secret_len); @@ -2406,13 +2451,15 @@ TEST_P(PerKEMTest, Decapsulation) { ss_len = 0; // Get the lengths and check them. - ASSERT_TRUE(EVP_PKEY_decapsulate(ctx.get(), nullptr, &ss_len, ct.data(), ct_len)); + ASSERT_TRUE( + EVP_PKEY_decapsulate(ctx.get(), nullptr, &ss_len, ct.data(), ct_len)); EXPECT_EQ(ss_len, GetParam().shared_secret_len); // ---- 4. Test calling encapsulate with different lengths ---- // Set ss length to be less than expected -- should fail. ss_len = GetParam().shared_secret_len - 1; - ASSERT_FALSE(EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); + ASSERT_FALSE( + EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); uint32_t err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(EVP_R_BUFFER_TOO_SMALL, ERR_GET_REASON(err)); 
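Review bot: In section 4 of the Decapsulation test, the "ss length less than expected" case calls `EVP_PKEY_encapsulate`, not `EVP_PKEY_decapsulate`, so the EVP_R_BUFFER_TOO_SMALL path of decapsulation is never exercised here; the reformatted ASSERT_FALSE line should read `ASSERT_FALSE(EVP_PKEY_decapsulate(ctx.get(), ss.data(), &ss_len, ct.data(), ct_len));`. The heading `// ---- 4. Test calling encapsulate with different lengths ----` looks copied from the Encapsulation test and should say decapsulate. The enclosing TEST_P(PerKEMTest, Decapsulation) body starts in the previous hunk.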
@@ -2420,19 +2467,23 @@ TEST_P(PerKEMTest, Decapsulation) { // Set ss length to be greater than expected -- should succeed because // it's ok to provide buffer that's larger than needed. ss_len = GetParam().shared_secret_len + 1; - ASSERT_TRUE(EVP_PKEY_decapsulate(ctx.get(), nullptr, &ss_len, ct.data(), ct_len)); + ASSERT_TRUE( + EVP_PKEY_decapsulate(ctx.get(), nullptr, &ss_len, ct.data(), ct_len)); EXPECT_EQ(ss_len, GetParam().shared_secret_len); // ---- 5. Test more failure modes for EVP_PKEY_encapsulate. ---- - ASSERT_FALSE(EVP_PKEY_decapsulate(nullptr, ss.data(), &ss_len, ct.data(), ct_len)); + ASSERT_FALSE( + EVP_PKEY_decapsulate(nullptr, ss.data(), &ss_len, ct.data(), ct_len)); - void *tmp = (void*) ctx.get()->pmeth; + void *tmp = (void *)ctx.get()->pmeth; ctx.get()->pmeth = nullptr; - ASSERT_FALSE(EVP_PKEY_decapsulate(ctx.get(), ss.data(), &ss_len, ct.data(), ct_len)); + ASSERT_FALSE( + EVP_PKEY_decapsulate(ctx.get(), ss.data(), &ss_len, ct.data(), ct_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); - EXPECT_EQ(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, ERR_GET_REASON(err)); - ctx.get()->pmeth = (EVP_PKEY_METHOD*) tmp; + EXPECT_EQ(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, + ERR_GET_REASON(err)); + ctx.get()->pmeth = (EVP_PKEY_METHOD *)tmp; } TEST_P(PerKEMTest, EndToEnd) { 
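Review bot: The "ss length greater than expected -- should succeed" case passes `nullptr` as the output buffer, which is the length-query form already covered in section 3, so it does not show that a larger-than-needed buffer is accepted by decapsulation; it should pass the real buffer, `ASSERT_TRUE(EVP_PKEY_decapsulate(ctx.get(), ss.data(), &ss_len, ct.data(), ct_len));`. The section heading `// ---- 5. Test more failure modes for EVP_PKEY_encapsulate. ----` also names the wrong function for this test. The test body starts outside this hunk.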
@@ -2460,45 +2511,46 @@ TEST_P(PerKEMTest, EndToEnd) { ASSERT_TRUE(EVP_PKEY_get_raw_public_key(a_pkey, a_pk.data(), &pk_len)); // Bob receives the raw key and creates a PKEY object and context. - bssl::UniquePtr b_pkey(EVP_PKEY_kem_new_raw_public_key( - GetParam().nid, a_pk.data(), pk_len)); + bssl::UniquePtr b_pkey( + EVP_PKEY_kem_new_raw_public_key(GetParam().nid, a_pk.data(), pk_len)); ASSERT_TRUE(b_pkey); bssl::UniquePtr b_ctx(EVP_PKEY_CTX_new(b_pkey.get(), nullptr)); // ---- 3. Bob: encapsulation ---- size_t ct_len = GetParam().ciphertext_len; size_t ss_len = GetParam().shared_secret_len; - std::vector b_ct(ct_len); // Ciphertext to be sent to Alice. - std::vector b_ss(ss_len); // The shared secret. - ASSERT_TRUE(EVP_PKEY_encapsulate(b_ctx.get(), b_ct.data(), &ct_len, b_ss.data(), &ss_len)); + std::vector b_ct(ct_len); // Ciphertext to be sent to Alice. + std::vector b_ss(ss_len); // The shared secret. + ASSERT_TRUE(EVP_PKEY_encapsulate(b_ctx.get(), b_ct.data(), &ct_len, + b_ss.data(), &ss_len)); // ---- 4. Alice/Bob: Bob -- ciphertext --> Alice ---- // Nothing to do here, we simply use |b_ct|. // ---- 5. Alice: decapsulation ---- - std::vector a_ss(ss_len); // The shared secret. - ASSERT_TRUE(EVP_PKEY_decapsulate(a_ctx.get(), a_ss.data(), &ss_len, b_ct.data(), ct_len)); + std::vector a_ss(ss_len); // The shared secret. + ASSERT_TRUE(EVP_PKEY_decapsulate(a_ctx.get(), a_ss.data(), &ss_len, + b_ct.data(), ct_len)); // ---- 6. Alice's and Bob's shared secrets are the same? ---- EXPECT_EQ(Bytes(a_ss), Bytes(b_ss)); } // Helper macros to compare std::vector with raw pointers from pkey. 
-#define CMP_VEC_AND_PTR(vec, ptr, len) \ - { \ - std::vector tmp(len); \ - tmp.assign(ptr, ptr+len); \ - EXPECT_EQ(Bytes(vec), Bytes(tmp)); \ - } +#define CMP_VEC_AND_PTR(vec, ptr, len) \ + { \ + std::vector tmp(len); \ + tmp.assign(ptr, ptr + len); \ + EXPECT_EQ(Bytes(vec), Bytes(tmp)); \ + } #define CMP_VEC_AND_PKEY_PUBLIC(vec, pkey, len) \ - CMP_VEC_AND_PTR(vec, pkey->pkey.kem_key->public_key, len) + CMP_VEC_AND_PTR(vec, pkey->pkey.kem_key->public_key, len) #define CMP_VEC_AND_PKEY_SECRET(vec, pkey, len) \ - CMP_VEC_AND_PTR(vec, pkey->pkey.kem_key->secret_key, len) + CMP_VEC_AND_PTR(vec, pkey->pkey.kem_key->secret_key, len) TEST_P(PerKEMTest, RawKeyOperations) { - // ---- 1. Setup phase: generate a context and a key ---- // Create context of KEM type. bssl::UniquePtr ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, nullptr)); @@ -2542,9 +2594,12 @@ TEST_P(PerKEMTest, RawKeyOperations) { // ---- 4. Test creating new keys from raw data ---- int nid = GetParam().nid; - bssl::UniquePtr pkey_pk_new(EVP_PKEY_kem_new_raw_public_key(nid, pk.data(), pk_len)); - bssl::UniquePtr pkey_sk_new(EVP_PKEY_kem_new_raw_secret_key(nid, sk.data(), sk_len)); - bssl::UniquePtr pkey_new(EVP_PKEY_kem_new_raw_key(nid, pk.data(), pk_len, sk.data(), sk_len)); + bssl::UniquePtr pkey_pk_new( + EVP_PKEY_kem_new_raw_public_key(nid, pk.data(), pk_len)); + bssl::UniquePtr pkey_sk_new( + EVP_PKEY_kem_new_raw_secret_key(nid, sk.data(), sk_len)); + bssl::UniquePtr pkey_new( + EVP_PKEY_kem_new_raw_key(nid, pk.data(), pk_len, sk.data(), sk_len)); ASSERT_TRUE(pkey_pk_new); ASSERT_TRUE(pkey_sk_new); 
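Review bot: In EndToEnd, `b_ctx` is created with `EVP_PKEY_CTX_new(b_pkey.get(), nullptr)` and passed straight to EVP_PKEY_encapsulate without a null check, while RawKeyOperations asserts both contexts; for consistency and a clearer failure add `ASSERT_TRUE(b_ctx);` after the construction. Separately, the `CMP_VEC_AND_PTR` macro body is a bare `{ ... }` block rather than `do { ... } while (0)`, so it cannot be used as a single statement in an `if`/`else` without braces; the assign step can also be folded into the constructor, `std::vector<uint8_t> tmp(ptr, ptr + len);`. The EndToEnd body starts on the previous line of this page.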
@@ -2554,25 +2609,29 @@ TEST_P(PerKEMTest, RawKeyOperations) { // ---- 5. Test encaps/decaps with new keys ---- // Create Alice's context with the new key that has both // the public and the secret part of the key. - bssl::UniquePtr a_ctx(EVP_PKEY_CTX_new(pkey_new.get(), nullptr)); + bssl::UniquePtr a_ctx( + EVP_PKEY_CTX_new(pkey_new.get(), nullptr)); ASSERT_TRUE(a_ctx); // Create Bob's context with the new key that has only the public part. - bssl::UniquePtr b_ctx(EVP_PKEY_CTX_new(pkey_pk_new.get(), nullptr)); + bssl::UniquePtr b_ctx( + EVP_PKEY_CTX_new(pkey_pk_new.get(), nullptr)); ASSERT_TRUE(b_ctx); // Alloc memory for Bob's ciphertext and shared secret. size_t ct_len = GetParam().ciphertext_len; size_t ss_len = GetParam().shared_secret_len; - std::vector b_ct(ct_len); // Ciphertext to be sent to Alice. - std::vector b_ss(ss_len); // The shared secret. + std::vector b_ct(ct_len); // Ciphertext to be sent to Alice. + std::vector b_ss(ss_len); // The shared secret. // Bob encapsulates. - ASSERT_TRUE(EVP_PKEY_encapsulate(b_ctx.get(), b_ct.data(), &ct_len, b_ss.data(), &ss_len)); + ASSERT_TRUE(EVP_PKEY_encapsulate(b_ctx.get(), b_ct.data(), &ct_len, + b_ss.data(), &ss_len)); // Alice decapsulates. - std::vector a_ss(ss_len); // The shared secret. - ASSERT_TRUE(EVP_PKEY_decapsulate(a_ctx.get(), a_ss.data(), &ss_len, b_ct.data(), ct_len)); + std::vector a_ss(ss_len); // The shared secret. + ASSERT_TRUE(EVP_PKEY_decapsulate(a_ctx.get(), a_ss.data(), &ss_len, + b_ct.data(), ct_len)); // Alice's and Bob's shared secrets are the same? EXPECT_EQ(Bytes(a_ss), Bytes(b_ss)); 
@@ -2586,24 +2645,28 @@ TEST_P(PerKEMTest, RawKeyOperations) { ASSERT_FALSE(EVP_PKEY_get_raw_public_key(nullptr, pk.data(), &pk_len)); uint32_t err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); - EXPECT_EQ(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, ERR_GET_REASON(err)); + EXPECT_EQ(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, + ERR_GET_REASON(err)); ASSERT_FALSE(EVP_PKEY_get_raw_private_key(nullptr, sk.data(), &sk_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); - EXPECT_EQ(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, ERR_GET_REASON(err)); + EXPECT_EQ(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, + ERR_GET_REASON(err)); - void *tmp = (void*) pkey.get()->ameth; + void *tmp = (void *)pkey.get()->ameth; pkey.get()->ameth = nullptr; ASSERT_FALSE(EVP_PKEY_get_raw_public_key(pkey.get(), pk.data(), &pk_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); - EXPECT_EQ(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, ERR_GET_REASON(err)); + EXPECT_EQ(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, + ERR_GET_REASON(err)); ASSERT_FALSE(EVP_PKEY_get_raw_private_key(pkey.get(), sk.data(), &sk_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); - EXPECT_EQ(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, ERR_GET_REASON(err)); - pkey.get()->ameth = (const EVP_PKEY_ASN1_METHOD*)(tmp); + EXPECT_EQ(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, + ERR_GET_REASON(err)); + pkey.get()->ameth = (const EVP_PKEY_ASN1_METHOD *)(tmp); // Invalid lengths. pk_len = GetParam().public_key_len - 1; 
@@ -2626,12 +2689,14 @@ TEST_P(PerKEMTest, RawKeyOperations) { ASSERT_TRUE(pkey_pk_new); ASSERT_TRUE(pkey_sk_new); - ASSERT_FALSE(EVP_PKEY_get_raw_private_key(pkey_pk_new.get(), sk.data(), &sk_len)); + ASSERT_FALSE( + EVP_PKEY_get_raw_private_key(pkey_pk_new.get(), sk.data(), &sk_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(EVP_R_NO_KEY_SET, ERR_GET_REASON(err)); - ASSERT_FALSE(EVP_PKEY_get_raw_public_key(pkey_sk_new.get(), pk.data(), &pk_len)); + ASSERT_FALSE( + EVP_PKEY_get_raw_public_key(pkey_sk_new.get(), pk.data(), &pk_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(EVP_R_NO_KEY_SET, ERR_GET_REASON(err)); @@ -2651,7 +2716,8 @@ TEST_P(PerKEMTest, RawKeyOperations) { EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(EVP_R_UNSUPPORTED_ALGORITHM, ERR_GET_REASON(err)); - ASSERT_FALSE(EVP_PKEY_kem_new_raw_key(0, pk.data(), pk_len, sk.data(), sk_len)); + ASSERT_FALSE( + EVP_PKEY_kem_new_raw_key(0, pk.data(), pk_len, sk.data(), sk_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(EVP_R_UNSUPPORTED_ALGORITHM, ERR_GET_REASON(err)); @@ -2667,12 +2733,14 @@ TEST_P(PerKEMTest, RawKeyOperations) { EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, ERR_GET_REASON(err)); - ASSERT_FALSE(EVP_PKEY_kem_new_raw_key(nid, nullptr, pk_len, sk.data(), sk_len)); + ASSERT_FALSE( + EVP_PKEY_kem_new_raw_key(nid, nullptr, pk_len, sk.data(), sk_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, ERR_GET_REASON(err)); - ASSERT_FALSE(EVP_PKEY_kem_new_raw_key(nid, pk.data(), pk_len, nullptr, sk_len)); + ASSERT_FALSE( + EVP_PKEY_kem_new_raw_key(nid, pk.data(), pk_len, nullptr, sk_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, ERR_GET_REASON(err)); 
@@ -2704,14 +2772,16 @@ TEST_P(PerKEMTest, RawKeyOperations) { pk_len = GetParam().public_key_len; sk_len = GetParam().secret_key_len - 1; - ASSERT_FALSE(EVP_PKEY_kem_new_raw_key(nid, pk.data(), pk_len, sk.data(), sk_len)); + ASSERT_FALSE( + EVP_PKEY_kem_new_raw_key(nid, pk.data(), pk_len, sk.data(), sk_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(EVP_R_INVALID_BUFFER_SIZE, ERR_GET_REASON(err)); pk_len = GetParam().public_key_len - 1; sk_len = GetParam().secret_key_len; - ASSERT_FALSE(EVP_PKEY_kem_new_raw_key(nid, pk.data(), pk_len, sk.data(), sk_len)); + ASSERT_FALSE( + EVP_PKEY_kem_new_raw_key(nid, pk.data(), pk_len, sk.data(), sk_len)); err = ERR_get_error(); EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); EXPECT_EQ(EVP_R_INVALID_BUFFER_SIZE, ERR_GET_REASON(err)); @@ -2722,7 +2792,8 @@ TEST_P(PerKEMTest, RawKeyOperations) { // Failures for key validation. pkey_pk_new.reset(EVP_PKEY_kem_new_raw_public_key(nid, pk.data(), pk_len)); pkey_sk_new.reset(EVP_PKEY_kem_new_raw_secret_key(nid, sk.data(), sk_len)); - pkey_new.reset(EVP_PKEY_kem_new_raw_key(nid, pk.data(), pk_len, sk.data(), sk_len)); + pkey_new.reset( + EVP_PKEY_kem_new_raw_key(nid, pk.data(), pk_len, sk.data(), sk_len)); ASSERT_TRUE(pkey_pk_new); ASSERT_TRUE(pkey_sk_new); ASSERT_TRUE(pkey_new); @@ -2751,8 +2822,8 @@ TEST_P(PerKEMTest, KAT) { FileTestGTest(kat_filepath.c_str(), [&](FileTest *t) { std::string count; - std::vector keypair_coins, encap_coins, pk_expected, - sk_expected, ct_expected, ss_expected; + std::vector keypair_coins, encap_coins, pk_expected, sk_expected, + ct_expected, ss_expected; ASSERT_TRUE(t->GetAttribute(&count, "count")); ASSERT_TRUE(t->GetBytes(&keypair_coins, "keypair_coins")); 
@@ -2771,8 +2842,7 @@ TEST_P(PerKEMTest, KAT) { // ---- 1. Setup the context and generate the key ---- bssl::UniquePtr ctx; - ctx = setup_ctx_and_generate_key(GetParam().nid, - keypair_coins.data(), + ctx = setup_ctx_and_generate_key(GetParam().nid, keypair_coins.data(), &keygen_seed_len); ASSERT_TRUE(ctx); @@ -2784,15 +2854,15 @@ TEST_P(PerKEMTest, KAT) { // ---- 2. Encapsulation ---- std::vector ct(ct_len); std::vector ss(ss_len); - ASSERT_TRUE(EVP_PKEY_encapsulate_deterministic(ctx.get(), ct.data(), &ct_len, - ss.data(), &ss_len, - encap_coins.data(), - &encap_seed_len)); + ASSERT_TRUE(EVP_PKEY_encapsulate_deterministic( + ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len, encap_coins.data(), + &encap_seed_len)); EXPECT_EQ(Bytes(ct_expected), Bytes(ct)); EXPECT_EQ(Bytes(ss_expected), Bytes(ss)); // ---- 3. Decapsulation ---- - ASSERT_TRUE(EVP_PKEY_decapsulate(ctx.get(), ss.data(), &ss_len, ct.data(), ct_len)); + ASSERT_TRUE( + EVP_PKEY_decapsulate(ctx.get(), ss.data(), &ss_len, ct.data(), ct_len)); EXPECT_EQ(Bytes(ss_expected), Bytes(ss)); }); } @@ -2810,9 +2880,8 @@ TEST_P(PerKEMTest, KeygenSeedTest) { // ---- 2. Test passing in a context without the KEM parameters set. ---- size_t keygen_seed_len = GetParam().keygen_seed_len; std::vector keygen_seed(keygen_seed_len); - ASSERT_FALSE(EVP_PKEY_keygen_deterministic(ctx.get(), &raw, - keygen_seed.data(), - &keygen_seed_len)); + ASSERT_FALSE(EVP_PKEY_keygen_deterministic( + ctx.get(), &raw, keygen_seed.data(), &keygen_seed_len)); EXPECT_EQ(EVP_R_NO_PARAMETERS_SET, ERR_GET_REASON(ERR_peek_last_error())); // Setup the context with specific KEM parameters. 
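Review bot: In the KAT decapsulation step, `EVP_PKEY_decapsulate` writes into `ss`, the same buffer that encapsulation just filled and that was already asserted equal to `ss_expected`, so the final `EXPECT_EQ(Bytes(ss_expected), Bytes(ss))` would still pass if decapsulation left the buffer untouched. Decapsulate into a fresh buffer instead: `std::vector<uint8_t> ss_dec(ss_len);`, `ASSERT_TRUE(EVP_PKEY_decapsulate(ctx.get(), ss_dec.data(), &ss_len, ct.data(), ct_len));`, `EXPECT_EQ(Bytes(ss_expected), Bytes(ss_dec));`. The enclosing FileTestGTest lambda and KAT test start before this hunk.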
@@ -2826,24 +2895,23 @@ TEST_P(PerKEMTest, KeygenSeedTest) { // ---- 4. Test failure mode on a seed len NULL ---- keygen_seed.resize(keygen_seed_len); - EXPECT_FALSE(EVP_PKEY_keygen_deterministic(ctx.get(), &raw, keygen_seed.data(), - nullptr)); + EXPECT_FALSE(EVP_PKEY_keygen_deterministic(ctx.get(), &raw, + keygen_seed.data(), nullptr)); EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, ERR_GET_REASON(ERR_peek_last_error())); // ---- 5. Test failure mode on a seed len too small ---- keygen_seed_len -= 1; std::vector small_keygen_seed(keygen_seed_len); - EXPECT_FALSE(EVP_PKEY_keygen_deterministic(ctx.get(), &raw, - small_keygen_seed.data(), - &keygen_seed_len)); + EXPECT_FALSE(EVP_PKEY_keygen_deterministic( + ctx.get(), &raw, small_keygen_seed.data(), &keygen_seed_len)); EXPECT_EQ(EVP_R_INVALID_PARAMETERS, ERR_GET_REASON(ERR_peek_last_error())); // ---- 6. Test failure mode on a seed len too large ---- keygen_seed_len += 2; std::vector big_keygen_seed(keygen_seed_len); - EXPECT_FALSE(EVP_PKEY_keygen_deterministic(ctx.get(), &raw, big_keygen_seed.data(), - &keygen_seed_len)); + EXPECT_FALSE(EVP_PKEY_keygen_deterministic( + ctx.get(), &raw, big_keygen_seed.data(), &keygen_seed_len)); EXPECT_EQ(EVP_R_INVALID_PARAMETERS, ERR_GET_REASON(ERR_peek_last_error())); // ---- 7. Test failure mode on a non-NULL out_pkey and NULL seed ---- @@ -2853,7 +2921,6 @@ TEST_P(PerKEMTest, KeygenSeedTest) { } TEST_P(PerKEMTest, EncapsSeedTest) { - // ---- 1. Setup phase: generate a context and a key ---- bssl::UniquePtr ctx; ctx = setup_ctx_and_generate_key(GetParam().nid, nullptr, nullptr); 
@@ -2877,33 +2944,29 @@ TEST_P(PerKEMTest, EncapsSeedTest) { // ---- 3. Test calling encapsulate with different lengths ---- // Set ct length to be less than expected -- should fail. ct_len = GetParam().ciphertext_len - 1; - ASSERT_FALSE(EVP_PKEY_encapsulate_deterministic(ctx.get(), ct.data(), &ct_len, - ss.data(), &ss_len, es.data(), - &es_len)); + ASSERT_FALSE(EVP_PKEY_encapsulate_deterministic( + ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len, es.data(), &es_len)); EXPECT_EQ(EVP_R_BUFFER_TOO_SMALL, ERR_GET_REASON(ERR_peek_last_error())); // Set ct length to be greater than expected -- should succeed because // it's ok to provide buffer that's larger than needed. ct_len = GetParam().ciphertext_len + 1; - ASSERT_TRUE(EVP_PKEY_encapsulate_deterministic(ctx.get(), ct.data(), &ct_len, - ss.data(), &ss_len, es.data(), - &es_len)); + ASSERT_TRUE(EVP_PKEY_encapsulate_deterministic( + ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len, es.data(), &es_len)); EXPECT_EQ(ct_len, GetParam().ciphertext_len); // Set ss length to be less than expected -- should fail. ct_len = GetParam().ciphertext_len; ss_len = GetParam().shared_secret_len - 1; - ASSERT_FALSE(EVP_PKEY_encapsulate_deterministic(ctx.get(), ct.data(), &ct_len, - ss.data(), &ss_len, es.data(), - &es_len)); + ASSERT_FALSE(EVP_PKEY_encapsulate_deterministic( + ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len, es.data(), &es_len)); EXPECT_EQ(EVP_R_BUFFER_TOO_SMALL, ERR_GET_REASON(ERR_peek_last_error())); // Set ss length to be greater than expected -- should succeed because // it's ok to provide buffer that's larger than needed. ss_len = GetParam().shared_secret_len + 1; - ASSERT_TRUE(EVP_PKEY_encapsulate_deterministic(ctx.get(), ct.data(), &ct_len, - ss.data(), &ss_len, es.data(), - &es_len)); + ASSERT_TRUE(EVP_PKEY_encapsulate_deterministic( + ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len, es.data(), &es_len)); EXPECT_EQ(ss_len, GetParam().shared_secret_len); // ---- 4. 
Test failure mode on seed being NULL ---- @@ -2924,9 +2987,12 @@ TEST_P(PerKEMTest, EncapsSeedTest) { } static const struct KnownKEM kMLKEMs[] = { - {"MLKEM512", NID_MLKEM512, 800, 1632, 768, 32, 64, 32, "fipsmodule/ml_kem/kat/mlkem512.txt"}, - {"MLKEM768", NID_MLKEM768, 1184, 2400, 1088, 32, 64, 32, "fipsmodule/ml_kem/kat/mlkem768.txt"}, - {"MLKEM1024", NID_MLKEM1024, 1568, 3168, 1568, 32, 64, 32, "fipsmodule/ml_kem/kat/mlkem1024.txt"}, + {"MLKEM512", NID_MLKEM512, 800, 1632, 768, 32, 64, 32, + "fipsmodule/ml_kem/kat/mlkem512.txt"}, + {"MLKEM768", NID_MLKEM768, 1184, 2400, 1088, 32, 64, 32, + "fipsmodule/ml_kem/kat/mlkem768.txt"}, + {"MLKEM1024", NID_MLKEM1024, 1568, 3168, 1568, 32, 64, 32, + "fipsmodule/ml_kem/kat/mlkem1024.txt"}, }; class PerMLKEMTest : public testing::TestWithParam {}; @@ -2949,7 +3015,8 @@ TEST_P(PerMLKEMTest, InputValidation) { std::vector ss(ss_len); // Encapsulate. - ASSERT_TRUE(EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); + ASSERT_TRUE( + EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); // ---- 3. Test invalid public key ---- // FIPS 203 Section 7.2 Encapsulation key check (Modulus check). 
@@ -2967,17 +3034,21 @@ TEST_P(PerMLKEMTest, InputValidation) { ctx->pkey->pkey.kem_key->public_key[0] = tmp0; ctx->pkey->pkey.kem_key->public_key[1] = tmp1; - std::vector ss_expected(ss_len); // The shared secret. - ASSERT_TRUE(EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); - ASSERT_TRUE(EVP_PKEY_decapsulate(ctx.get(), ss_expected.data(), &ss_len, ct.data(), ct_len)); + std::vector ss_expected(ss_len); // The shared secret. + ASSERT_TRUE( + EVP_PKEY_encapsulate(ctx.get(), ct.data(), &ct_len, ss.data(), &ss_len)); + ASSERT_TRUE(EVP_PKEY_decapsulate(ctx.get(), ss_expected.data(), &ss_len, + ct.data(), ct_len)); EXPECT_EQ(Bytes(ss_expected), Bytes(ss)); // ---- 4. Test invalid secret key ---- // FIPS 203 Section 7.3 Decapsulation key check (Hash check). - // Invalidate the key by changing the hash of the public key within the secret key. - // The 32-byte hash is stored right before the last 32 bytes of the secret key. + // Invalidate the key by changing the hash of the public key within the secret + // key. The 32-byte hash is stored right before the last 32 bytes of the + // secret key. ctx->pkey->pkey.kem_key->secret_key[GetParam().secret_key_len - 64] ^= 1; - ASSERT_FALSE(EVP_PKEY_decapsulate(ctx.get(), ss_expected.data(), &ss_len, ct.data(), ct_len)); + ASSERT_FALSE(EVP_PKEY_decapsulate(ctx.get(), ss_expected.data(), &ss_len, + ct.data(), ct_len)); } struct dummy_cb_app_data { 
@@ -3039,29 +3110,32 @@ TEST(EVPExtraTest, KeygenCallbacks) { } struct ParamgenCBParam { - const char* name; + const char *name; int pkey_type; - const char* setup_command; - const char* setup_arg; + const char *setup_command; + const char *setup_arg; int keygen_info_0; int keygen_into_1; }; static const ParamgenCBParam paramgenCBparams[] = { - // DH_generate_parameters_ex makes a final call to `BN_GENCB_call(cb, 3, 0)` - {"DH", EVP_PKEY_DH, "dh_paramgen_prime_len", "512", 3, 0}, - // dsa_internal_paramgen makes a final call to `BN_GENCB_call(cb, 3, 1))` - {"DSA", EVP_PKEY_DSA, "dsa_paramgen_bits", "512", 3, 1}, + // DH_generate_parameters_ex makes a final call to `BN_GENCB_call(cb, 3, 0)` + {"DH", EVP_PKEY_DH, "dh_paramgen_prime_len", "512", 3, 0}, + // dsa_internal_paramgen makes a final call to `BN_GENCB_call(cb, 3, 1))` + {"DSA", EVP_PKEY_DSA, "dsa_paramgen_bits", "512", 3, 1}, }; class PerParamgenCBTest : public testing::TestWithParam {}; -INSTANTIATE_TEST_SUITE_P(All, PerParamgenCBTest, testing::ValuesIn(paramgenCBparams), - [](const testing::TestParamInfo ¶ms) - -> const char* { return params.param.name; }); +INSTANTIATE_TEST_SUITE_P( + All, PerParamgenCBTest, testing::ValuesIn(paramgenCBparams), + [](const testing::TestParamInfo ¶ms) -> const char * { + return params.param.name; + }); TEST_P(PerParamgenCBTest, ParamgenCallbacks) { - bssl::UniquePtr ctx(EVP_PKEY_CTX_new_id(GetParam().pkey_type, nullptr)); + bssl::UniquePtr ctx( + EVP_PKEY_CTX_new_id(GetParam().pkey_type, nullptr)); ASSERT_TRUE(ctx); // Check the initial values of |ctx->keygen_info|. 
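Review bot: The `ParamgenCBParam` field `int keygen_into_1;` is a misspelling of `keygen_info_1` (its sibling is `keygen_info_0`), and the typo propagates to `GetParam().keygen_into_1` in the PerParamgenCBTest loop further down the diff. Renaming the field and its single use site is a pure style fix with no behavioral effect. The two initializers in `paramgenCBparams` would be clearer with a trailing comment naming which `BN_GENCB_call` argument each of the last two fields corresponds to, since the existing comments only say "makes a final call".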
@@ -3074,7 +3148,8 @@ TEST_P(PerParamgenCBTest, ParamgenCallbacks) { // Generating an DH params will trigger the callback. ASSERT_EQ(EVP_PKEY_paramgen_init(ctx.get()), 1); - ASSERT_TRUE(EVP_PKEY_CTX_ctrl_str(ctx.get(), GetParam().setup_command, GetParam().setup_arg)); + ASSERT_TRUE(EVP_PKEY_CTX_ctrl_str(ctx.get(), GetParam().setup_command, + GetParam().setup_arg)); { EVP_PKEY *pkey = EVP_PKEY_new(); ASSERT_TRUE(pkey); @@ -3107,10 +3182,12 @@ TEST_P(PerParamgenCBTest, ParamgenCallbacks) { EXPECT_TRUE(app_data.state); for (int i = 0; i < keygen_info; i++) { - if(i == 0) { - EXPECT_EQ(EVP_PKEY_CTX_get_keygen_info(ctx.get(), i), GetParam().keygen_info_0); + if (i == 0) { + EXPECT_EQ(EVP_PKEY_CTX_get_keygen_info(ctx.get(), i), + GetParam().keygen_info_0); } else { - EXPECT_EQ(EVP_PKEY_CTX_get_keygen_info(ctx.get(), i), GetParam().keygen_into_1); + EXPECT_EQ(EVP_PKEY_CTX_get_keygen_info(ctx.get(), i), + GetParam().keygen_into_1); } } } @@ -3129,8 +3206,7 @@ static bssl::UniquePtr dsa_paramgen(int nbits, const EVP_MD *md, // Construct a EVP_PKEY_CTX bssl::UniquePtr ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, nullptr)); - if (ctx && maybe_copy(&ctx) && - 1 == EVP_PKEY_paramgen_init(ctx.get()) && + if (ctx && maybe_copy(&ctx) && 1 == EVP_PKEY_paramgen_init(ctx.get()) && 1 == EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx.get(), nbits) && 1 == EVP_PKEY_CTX_set_dsa_paramgen_md(ctx.get(), md) && 1 == EVP_PKEY_paramgen(ctx.get(), &pkey_raw)) { @@ -3152,8 +3228,7 @@ static bssl::UniquePtr dsa_keygen(bssl::UniquePtr ¶ms, }; bssl::UniquePtr ctx(EVP_PKEY_CTX_new(params.get(), nullptr)); - if (ctx && - 1 == EVP_PKEY_keygen_init(ctx.get()) && maybe_copy(&ctx) && + if (ctx && 1 == EVP_PKEY_keygen_init(ctx.get()) && maybe_copy(&ctx) && 1 == EVP_PKEY_keygen(ctx.get(), &pkey_raw)) { pkey.reset(pkey_raw); } 
@@ -3164,8 +3239,7 @@ static bssl::UniquePtr dsa_public_key( bssl::UniquePtr &private_key) { bssl::UniquePtr pkey(nullptr); bssl::UniquePtr bio(BIO_new(BIO_s_mem())); - if (bio && - 1 == PEM_write_bio_PUBKEY(bio.get(), private_key.get())) { + if (bio && 1 == PEM_write_bio_PUBKEY(bio.get(), private_key.get())) { pkey.reset(PEM_read_bio_PUBKEY(bio.get(), nullptr, nullptr, nullptr)); } return pkey; @@ -3177,7 +3251,7 @@ TEST(EVPExtraTest, DSAKeygen) { bssl::UniquePtr params = dsa_paramgen(512, EVP_sha1(), copy); ASSERT_TRUE(params); - const DSA* params_dsa = EVP_PKEY_get0_DSA(params.get()); + const DSA *params_dsa = EVP_PKEY_get0_DSA(params.get()); ASSERT_TRUE(params_dsa); bssl::UniquePtr pkey1 = dsa_keygen(params, copy); ASSERT_TRUE(pkey1); @@ -3212,12 +3286,12 @@ TEST(EVPExtraTest, DSAKeygen) { } TEST(EVPExtraTest, DSAParamgen) { - std::vector> test_data( + std::vector> test_data( {{768, EVP_sha1()}, {2048, EVP_sha224()}, {512, EVP_sha256()}}); - for (std::pair plgen : test_data) { + for (std::pair plgen : test_data) { const int nbits = plgen.first; - const EVP_MD* digest = plgen.second; + const EVP_MD *digest = plgen.second; // Construct a EVP_PKEY_CTX bssl::UniquePtr ctx( EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, nullptr)); @@ -3235,17 +3309,17 @@ TEST(EVPExtraTest, DSAParamgen) { bssl::UniquePtr pkey(raw_pkey); ASSERT_TRUE(pkey); - const DSA* dsa = EVP_PKEY_get0_DSA(pkey.get()); + const DSA *dsa = EVP_PKEY_get0_DSA(pkey.get()); ASSERT_TRUE(dsa); - const BIGNUM* p = DSA_get0_p(dsa); + const BIGNUM *p = DSA_get0_p(dsa); ASSERT_TRUE(p); unsigned p_size = BN_num_bits(p); ASSERT_EQ(p_size, (unsigned)nbits); - const BIGNUM* q = DSA_get0_q(dsa); + const BIGNUM *q = DSA_get0_q(dsa); ASSERT_TRUE(q); unsigned q_size = BN_num_bits(q); - ASSERT_EQ(q_size, 8*(unsigned)EVP_MD_size(digest)); + ASSERT_EQ(q_size, 8 * (unsigned)EVP_MD_size(digest)); } // Test error conditions 
@@ -3272,9 +3346,10 @@ TEST(EVPExtraTest, DSASignDigestVerify) { uint8_t digest[32] = {0}; std::vector sig; size_t siglen = 0; - ASSERT_TRUE(SHA1((uint8_t*)data, data_len, digest)); + ASSERT_TRUE(SHA1((uint8_t *)data, data_len, digest)); { - bssl::UniquePtr ctx(EVP_PKEY_CTX_new(private_key.get(), nullptr)); + bssl::UniquePtr ctx( + EVP_PKEY_CTX_new(private_key.get(), nullptr)); ASSERT_TRUE(ctx); ASSERT_TRUE(EVP_PKEY_sign_init(ctx.get())); ASSERT_EQ(1, EVP_PKEY_sign(ctx.get(), NULL, &siglen, digest, 32)); @@ -3287,11 +3362,11 @@ TEST(EVPExtraTest, DSASignDigestVerify) { bssl::UniquePtr public_key = dsa_public_key(private_key); { bssl::UniquePtr md_ctx(EVP_MD_CTX_new()); - ASSERT_EQ(1, EVP_DigestVerifyInit(md_ctx.get(), nullptr, EVP_sha1(), nullptr, public_key.get())); + ASSERT_EQ(1, EVP_DigestVerifyInit(md_ctx.get(), nullptr, EVP_sha1(), + nullptr, public_key.get())); ASSERT_EQ(1, EVP_DigestVerifyUpdate(md_ctx.get(), data, data_len)); ASSERT_EQ(1, EVP_DigestVerifyFinal(md_ctx.get(), sig.data(), sig.size())); } - } TEST(EVPExtraTest, DSADigestSignFinalVerify) { @@ -3307,14 +3382,16 @@ TEST(EVPExtraTest, DSADigestSignFinalVerify) { size_t siglen = 0; { - EVP_PKEY_CTX* raw_pctx = nullptr; - const EVP_MD* raw_md = nullptr; - + EVP_PKEY_CTX *raw_pctx = nullptr; + const EVP_MD *raw_md = nullptr; + bssl::UniquePtr md_ctx(EVP_MD_CTX_new()); ASSERT_TRUE(md_ctx); - ASSERT_NE(1, EVP_DigestSignInit(md_ctx.get(), &raw_pctx, EVP_md5(), nullptr, private_key.get())); + ASSERT_NE(1, EVP_DigestSignInit(md_ctx.get(), &raw_pctx, EVP_md5(), nullptr, + private_key.get())); // md_ctx takes ownership of raw_pctx - ASSERT_EQ(1, EVP_DigestSignInit(md_ctx.get(), &raw_pctx, EVP_sha256(), nullptr, private_key.get())); + ASSERT_EQ(1, EVP_DigestSignInit(md_ctx.get(), &raw_pctx, EVP_sha256(), + nullptr, private_key.get())); ASSERT_EQ(1, EVP_PKEY_CTX_get_signature_md(raw_pctx, &raw_md)); ASSERT_EQ(EVP_sha256(), raw_md); 
@@ -3327,10 +3404,11 @@ TEST(EVPExtraTest, DSADigestSignFinalVerify) { // This intentionally does not use EVP_DigestVerify to help ensure the // equivalence of using different APIs for the same purpose. uint8_t digest[32] = {0}; - ASSERT_TRUE(SHA256((uint8_t*)data, data_len, digest)); + ASSERT_TRUE(SHA256((uint8_t *)data, data_len, digest)); bssl::UniquePtr public_key = dsa_public_key(private_key); { - bssl::UniquePtr ctx(EVP_PKEY_CTX_new(public_key.get(), nullptr)); + bssl::UniquePtr ctx( + EVP_PKEY_CTX_new(public_key.get(), nullptr)); ASSERT_TRUE(ctx); ASSERT_TRUE(EVP_PKEY_verify_init(ctx.get())); ASSERT_EQ(1, EVP_PKEY_verify(ctx.get(), sig.data(), siglen, digest, 32)); @@ -3352,18 +3430,23 @@ TEST(EVPExtraTest, DSADigestSignVerify) { { bssl::UniquePtr md_ctx(EVP_MD_CTX_new()); ASSERT_TRUE(md_ctx); - ASSERT_EQ(1, EVP_DigestSignInit(md_ctx.get(), nullptr, EVP_sha256(), nullptr, private_key.get())); - ASSERT_EQ(1, EVP_DigestSign(md_ctx.get(), nullptr, &siglen, (const uint8_t*)data, data_len)); + ASSERT_EQ(1, EVP_DigestSignInit(md_ctx.get(), nullptr, EVP_sha256(), + nullptr, private_key.get())); + ASSERT_EQ(1, EVP_DigestSign(md_ctx.get(), nullptr, &siglen, + (const uint8_t *)data, data_len)); sig.resize(siglen); - ASSERT_EQ(1, EVP_DigestSign(md_ctx.get(), sig.data(), &siglen, (const uint8_t*)data, data_len)); + ASSERT_EQ(1, EVP_DigestSign(md_ctx.get(), sig.data(), &siglen, + (const uint8_t *)data, data_len)); } bssl::UniquePtr public_key = dsa_public_key(private_key); { bssl::UniquePtr md_ctx(EVP_MD_CTX_new()); ASSERT_TRUE(md_ctx); - ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx.get(), nullptr, EVP_sha256(), nullptr, public_key.get())); - ASSERT_TRUE(EVP_DigestVerify(md_ctx.get(), sig.data(), sig.size(), (const uint8_t*)data, data_len)); + ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx.get(), nullptr, EVP_sha256(), + nullptr, public_key.get())); + ASSERT_TRUE(EVP_DigestVerify(md_ctx.get(), sig.data(), sig.size(), + (const uint8_t *)data, data_len)); } } 
@@ -3374,4 +3457,3 @@ TEST(EVPExtraTest, RawKeyUnsupported) { EXPECT_FALSE( EVP_PKEY_new_raw_private_key(EVP_PKEY_RSA, nullptr, kKey, sizeof(kKey))); } - diff --git a/crypto/evp_extra/evp_test.cc b/crypto/evp_extra/evp_test.cc index ef8f8bb492..581a930399 100644 --- a/crypto/evp_extra/evp_test.cc +++ b/crypto/evp_extra/evp_test.cc @@ -63,7 +63,7 @@ #include "../fipsmodule/evp/internal.h" OPENSSL_MSVC_PRAGMA(warning(push)) -OPENSSL_MSVC_PRAGMA(warning(disable: 4702)) +OPENSSL_MSVC_PRAGMA(warning(disable : 4702)) #include #include @@ -77,8 +77,8 @@ OPENSSL_MSVC_PRAGMA(warning(pop)) #include #include #include -#include #include +#include #include #include #include @@ -195,16 +195,14 @@ static bool ImportKey(FileTest *t, KeyMap *key_map, bssl::ScopedCBB cbb; uint8_t *der; size_t der_len; - if (!CBB_init(cbb.get(), 0) || - !marshal_func(cbb.get(), pkey.get()) || + if (!CBB_init(cbb.get(), 0) || !marshal_func(cbb.get(), pkey.get()) || !CBB_finish(cbb.get(), &der, &der_len)) { return false; } bssl::UniquePtr free_der(der); std::vector output = input; - if (t->HasAttribute("Output") && - !t->GetBytes(&output, "Output")) { + if (t->HasAttribute("Output") && !t->GetBytes(&output, "Output")) { return false; } EXPECT_EQ(Bytes(output), Bytes(der, der_len)) @@ -386,8 +384,7 @@ static bool SetupContext(FileTest *t, KeyMap *key_map, EVP_PKEY_CTX *ctx) { static bool TestDerive(FileTest *t, KeyMap *key_map, EVP_PKEY *key) { bssl::UniquePtr ctx(EVP_PKEY_CTX_new(key, nullptr)); - if (!ctx || - !EVP_PKEY_derive_init(ctx.get()) || + if (!ctx || !EVP_PKEY_derive_init(ctx.get()) || !SetupContext(t, key_map, ctx.get())) { return false; } 
@@ -450,24 +447,27 @@ static int EVP_marshal_private_key_version_two(CBB *cbb, const EVP_PKEY *key) { } static void VerifyEVPSignOut(std::string key_name, std::vector input, - std::vector actual, std::vector output, - EVP_MD_CTX *ctx, size_t len) { - - // Unless not compatible, verify EVP_DigestSign() with EVP_DigestVerify instead of comparing outputs - // This allows us to test the correctness of non-deterministic outputs (e.g. for ECDSA). + std::vector actual, + std::vector output, EVP_MD_CTX *ctx, + size_t len) { + // Unless not compatible, verify EVP_DigestSign() with EVP_DigestVerify + // instead of comparing outputs This allows us to test the correctness of + // non-deterministic outputs (e.g. for ECDSA). if (key_name.find("Ed25519") != std::string::npos) { EXPECT_EQ(Bytes(output), Bytes(actual)); } else { - EXPECT_TRUE(!EVP_DigestVerify(ctx, actual.data(), len, input.data(), input.size())); + EXPECT_TRUE( + !EVP_DigestVerify(ctx, actual.data(), len, input.data(), input.size())); } } static bool TestEVP(FileTest *t, KeyMap *key_map) { if (t->GetType() == "PrivateKey") { - int (*marshal_func)(CBB * cbb, const EVP_PKEY *key) = + int (*marshal_func)(CBB *cbb, const EVP_PKEY *key) = EVP_marshal_private_key; std::string version; - if (t->HasAttribute("PKCS8VersionOut") && t->GetAttribute(&version, "PKCS8VersionOut")) { + if (t->HasAttribute("PKCS8VersionOut") && + t->GetAttribute(&version, "PKCS8VersionOut")) { if (version == "1") { marshal_func = EVP_marshal_private_key_version_one; } else if (version == "2") { 
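Review bot: The reflowed comment in VerifyEVPSignOut now reads `instead of comparing outputs This allows us to test`, having lost the sentence break; restore it as `// instead of comparing outputs. This allows us to test the correctness of`. Separately, the assertion `EXPECT_TRUE(!EVP_DigestVerify(ctx, actual.data(), len, input.data(), input.size()))` passes only when verification fails, which contradicts the comment's stated intent of verifying the signature; if `ctx` is still the context that was used for signing, EVP_DigestVerify presumably fails regardless of `actual`, and the non-Ed25519 branch would then not check the signature at all. Worth confirming against the caller in TestEVP and either verifying with a freshly initialized verify context or documenting why failure is the expected outcome.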
@@ -498,7 +498,7 @@ static bool TestEVP(FileTest *t, KeyMap *key_map) { int (*key_op_init)(EVP_PKEY_CTX *ctx) = nullptr; int (*key_op)(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len, const uint8_t *in, size_t in_len) = nullptr; - int (*md_op_init)(EVP_MD_CTX * ctx, EVP_PKEY_CTX * *pctx, const EVP_MD *type, + int (*md_op_init)(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey) = nullptr; bool is_verify = false; if (t->GetType() == "Decrypt") { @@ -585,13 +585,12 @@ static bool TestEVP(FileTest *t, KeyMap *key_map) { } actual.resize(len); VerifyEVPSignOut(key_name, std::move(input), std::move(actual), - std::move(output), ctx.get(), len); + std::move(output), ctx.get(), len); return true; } bssl::UniquePtr ctx(EVP_PKEY_CTX_new(key, nullptr)); - if (!ctx || - !key_op_init(ctx.get()) || + if (!ctx || !key_op_init(ctx.get()) || (digest != nullptr && !EVP_PKEY_CTX_set_signature_md(ctx.get(), digest)) || !SetupContext(t, key_map, ctx.get())) { @@ -624,8 +623,7 @@ static bool TestEVP(FileTest *t, KeyMap *key_map) { // Encryption is non-deterministic, so we check by decrypting. size_t plaintext_len; bssl::UniquePtr decrypt_ctx(EVP_PKEY_CTX_new(key, nullptr)); - if (!decrypt_ctx || - !EVP_PKEY_decrypt_init(decrypt_ctx.get()) || + if (!decrypt_ctx || !EVP_PKEY_decrypt_init(decrypt_ctx.get()) || (digest != nullptr && !EVP_PKEY_CTX_set_signature_md(decrypt_ctx.get(), digest)) || !SetupContext(t, key_map, decrypt_ctx.get()) || @@ -644,8 +642,7 @@ static bool TestEVP(FileTest *t, KeyMap *key_map) { } else if (t->HasAttribute("CheckVerify")) { // Some signature schemes are non-deterministic, so we check by verifying. bssl::UniquePtr verify_ctx(EVP_PKEY_CTX_new(key, nullptr)); - if (!verify_ctx || - !EVP_PKEY_verify_init(verify_ctx.get()) || + if (!verify_ctx || !EVP_PKEY_verify_init(verify_ctx.get()) || (digest != nullptr && !EVP_PKEY_CTX_set_signature_md(verify_ctx.get(), digest)) || !SetupContext(t, key_map, verify_ctx.get())) { 
@@ -1032,39 +1029,37 @@ TEST(EVPTest, WycheproofRSAPKCS1Decrypt) { } struct ectlsencodedpoint_test_data { - const uint8_t *public_key; - size_t public_key_size; - const uint8_t *private_key; - size_t private_key_size; - const uint8_t *expected_shared_secret; - size_t expected_shared_secret_size; - int key_type; - int curve_nid; + const uint8_t *public_key; + size_t public_key_size; + const uint8_t *private_key; + size_t private_key_size; + const uint8_t *expected_shared_secret; + size_t expected_shared_secret_size; + int key_type; + int curve_nid; }; -static EVP_PKEY * instantiate_public_key(int key_type, int curve_nid) { - +static EVP_PKEY *instantiate_public_key(int key_type, int curve_nid) { EVP_PKEY *pkey = NULL; if (NID_X25519 == curve_nid) { pkey = EVP_PKEY_new(); EXPECT_TRUE(pkey); EXPECT_TRUE(EVP_PKEY_set_type(pkey, key_type)); - } - else { + } else { EC_KEY *ec_key = EC_KEY_new_by_curve_name(curve_nid); EXPECT_TRUE(ec_key); pkey = EVP_PKEY_new(); EXPECT_TRUE(pkey); - EXPECT_TRUE(EVP_PKEY_assign(pkey, EVP_PKEY_EC, (EC_KEY *) ec_key)); + EXPECT_TRUE(EVP_PKEY_assign(pkey, EVP_PKEY_EC, (EC_KEY *)ec_key)); } return pkey; } -static EVP_PKEY * instantiate_and_set_public_key(const uint8_t *public_key, - size_t public_key_size, int curve_nid) { - +static EVP_PKEY *instantiate_and_set_public_key(const uint8_t *public_key, + size_t public_key_size, + int curve_nid) { EVP_PKEY *pkey = NULL; if (NID_X25519 != curve_nid) { 
@@ -1075,20 +1070,20 @@ static EVP_PKEY * instantiate_and_set_public_key(const uint8_t *public_key, EC_POINT *ec_point = EC_POINT_new(ec_key_group); EXPECT_TRUE(ec_point); EXPECT_TRUE(EC_POINT_oct2point(ec_key_group, ec_point, public_key, - public_key_size, NULL)); + public_key_size, NULL)); EXPECT_TRUE(EC_KEY_set_public_key(ec_key, ec_point)); pkey = EVP_PKEY_new(); EXPECT_TRUE(pkey); - EXPECT_TRUE(EVP_PKEY_assign(pkey, EVP_PKEY_EC, (EC_KEY *) ec_key)); + EXPECT_TRUE(EVP_PKEY_assign(pkey, EVP_PKEY_EC, (EC_KEY *)ec_key)); EC_POINT_free(ec_point); } return pkey; } -static EVP_PKEY * instantiate_and_set_private_key(const uint8_t *private_key, - size_t private_key_size, int key_type, int curve_nid) { - +static EVP_PKEY *instantiate_and_set_private_key(const uint8_t *private_key, + size_t private_key_size, + int key_type, int curve_nid) { EVP_PKEY *pkey = NULL; OPENSSL_BEGIN_ALLOW_DEPRECATED EXPECT_FALSE(EVP_PKEY_get0(pkey)); @@ -1096,10 +1091,9 @@ static EVP_PKEY * instantiate_and_set_private_key(const uint8_t *private_key, if (NID_X25519 == curve_nid) { pkey = EVP_PKEY_new_raw_private_key(curve_nid, nullptr, private_key, - private_key_size); + private_key_size); EXPECT_TRUE(pkey); - } - else { + } else { EC_KEY *ec_key = EC_KEY_new_by_curve_name(curve_nid); EXPECT_TRUE(ec_key); BIGNUM *private_key_bn = BN_bin2bn(private_key, private_key_size, NULL); @@ -1110,7 +1104,7 @@ static EVP_PKEY * instantiate_and_set_private_key(const uint8_t *private_key, EXPECT_TRUE(pkey); OPENSSL_BEGIN_ALLOW_DEPRECATED EXPECT_FALSE(EVP_PKEY_get0(pkey)); - EXPECT_TRUE(EVP_PKEY_assign(pkey, key_type, (EC_KEY *) ec_key)); + EXPECT_TRUE(EVP_PKEY_assign(pkey, key_type, (EC_KEY *)ec_key)); EXPECT_EQ(ec_key, EVP_PKEY_get0(pkey)); OPENSSL_END_ALLOW_DEPRECATED } 
@@ -1119,45 +1113,41 @@ static EVP_PKEY * instantiate_and_set_private_key(const uint8_t *private_key, } TEST(EVPTest, ECTLSEncodedPoint) { - - // TLS wire-encoding format - // (https://tools.ietf.org/html/rfc8422#section-5.4) - // x25519: u-coordinate - // NIST curves: 0x04 || x-coordinate || y-coordinate - - // Taken from https://tools.ietf.org/html/rfc7748#section-5.2 - static const uint8_t kX25519PublicKey[] = { - 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, 0x35, 0x94, 0xc1, 0xa4, - 0x24, 0xb1, 0x5f, 0x7c, 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b, - 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c - }; - static const uint8_t kX25519PrivateKey[] = { - 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d, 0x3b, 0x16, 0x15, 0x4b, - 0x82, 0x46, 0x5e, 0xdd, 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18, - 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0xc4 - }; - static const uint8_t kX25519ExpectedSharedSecret[] = { - 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90, 0x8e, 0x94, 0xea, 0x4d, - 0xf2, 0x8d, 0x08, 0x4f, 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7, - 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 - }; - - struct ectlsencodedpoint_test_data x25519_test_data = { - kX25519PublicKey, // public_key - X25519_PUBLIC_VALUE_LEN, // public_key_size - kX25519PrivateKey, // private_key - X25519_PRIVATE_KEY_LEN, // private_key_size - kX25519ExpectedSharedSecret, // expected_shared_secret - X25519_SHARED_KEY_LEN, // expected_shared_secret_size - EVP_PKEY_X25519, // key_type - NID_X25519 // curve_nid - }; - - // P-{224,256,384,521} test vectors, taken from CAVP - // (CAVP 20.1 - KASValidityTest_ECCStaticUnified_KDFConcat_NOKC) - // https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/key-management - - static const uint8_t kP224PublicKey[] = { + // TLS wire-encoding format + // (https://tools.ietf.org/html/rfc8422#section-5.4) + // x25519: u-coordinate + // NIST curves: 0x04 || x-coordinate || y-coordinate + + // Taken from 
https://tools.ietf.org/html/rfc7748#section-5.2 + static const uint8_t kX25519PublicKey[] = { + 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, 0x35, 0x94, 0xc1, + 0xa4, 0x24, 0xb1, 0x5f, 0x7c, 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, + 0x35, 0x3b, 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c}; + static const uint8_t kX25519PrivateKey[] = { + 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d, 0x3b, 0x16, 0x15, + 0x4b, 0x82, 0x46, 0x5e, 0xdd, 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, + 0x5a, 0x18, 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0xc4}; + static const uint8_t kX25519ExpectedSharedSecret[] = { + 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90, 0x8e, 0x94, 0xea, + 0x4d, 0xf2, 0x8d, 0x08, 0x4f, 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, + 0x71, 0xf7, 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52}; + + struct ectlsencodedpoint_test_data x25519_test_data = { + kX25519PublicKey, // public_key + X25519_PUBLIC_VALUE_LEN, // public_key_size + kX25519PrivateKey, // private_key + X25519_PRIVATE_KEY_LEN, // private_key_size + kX25519ExpectedSharedSecret, // expected_shared_secret + X25519_SHARED_KEY_LEN, // expected_shared_secret_size + EVP_PKEY_X25519, // key_type + NID_X25519 // curve_nid + }; + + // P-{224,256,384,521} test vectors, taken from CAVP + // (CAVP 20.1 - KASValidityTest_ECCStaticUnified_KDFConcat_NOKC) + // https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/key-management + + static const uint8_t kP224PublicKey[] = { /* uncompressed */ 0x04, /* x-coordinate */ 
@@ -1167,31 +1157,28 @@ TEST(EVPTest, ECTLSEncodedPoint) { /* y-coordinate */ 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, - 0xd6, 0x45, 0xa3, 0xea - }; - static const uint8_t kP224PrivateKey[] = { - 0xc7, 0x39, 0x45, 0x68, 0x8b, 0x3d, 0xbb, 0xc6, 0xc2, 0xe7, 0x54, 0x75, - 0xdf, 0x61, 0xd1, 0x44, 0x9d, 0x05, 0xf9, 0x64, 0x49, 0x62, 0x92, 0x67, - 0xf2, 0x19, 0x5d, 0xaf - }; - static const uint8_t kP224ExpectedSharedSecret[] = { - 0x50, 0x28, 0xd8, 0xa1, 0x62, 0xfe, 0xac, 0xbd, 0xfa, 0x5e, 0xca, 0x8c, - 0xdf, 0x50, 0xcc, 0xb9, 0xe0, 0x7c, 0x6b, 0x7f, 0x96, 0xa8, 0xa8, 0x93, - 0x24, 0xdd, 0xed, 0x7a - }; - - struct ectlsencodedpoint_test_data p224_test_data = { - kP224PublicKey, // public_key - (1 + 28 + 28), // public_key_size - kP224PrivateKey, // private_key - 28, // private_key_size - kP224ExpectedSharedSecret, // expected_shared_secret - 28, // expected_shared_secret_size - EVP_PKEY_EC, // key_type - NID_secp224r1 // curve_nid - }; - - static const uint8_t kP256PublicKey[] = { + 0xd6, 0x45, 0xa3, 0xea}; + static const uint8_t kP224PrivateKey[] = { + 0xc7, 0x39, 0x45, 0x68, 0x8b, 0x3d, 0xbb, 0xc6, 0xc2, 0xe7, + 0x54, 0x75, 0xdf, 0x61, 0xd1, 0x44, 0x9d, 0x05, 0xf9, 0x64, + 0x49, 0x62, 0x92, 0x67, 0xf2, 0x19, 0x5d, 0xaf}; + static const uint8_t kP224ExpectedSharedSecret[] = { + 0x50, 0x28, 0xd8, 0xa1, 0x62, 0xfe, 0xac, 0xbd, 0xfa, 0x5e, + 0xca, 0x8c, 0xdf, 0x50, 0xcc, 0xb9, 0xe0, 0x7c, 0x6b, 0x7f, + 0x96, 0xa8, 0xa8, 0x93, 0x24, 0xdd, 0xed, 0x7a}; + + struct ectlsencodedpoint_test_data p224_test_data = { + kP224PublicKey, // public_key + (1 + 28 + 28), // public_key_size + kP224PrivateKey, // private_key + 28, // private_key_size + kP224ExpectedSharedSecret, // expected_shared_secret + 28, // expected_shared_secret_size + EVP_PKEY_EC, // key_type + NID_secp224r1 // curve_nid + }; + + static const uint8_t kP256PublicKey[] = { /* uncompressed */ 0x04, /* x-coordinate */ 
@@ -1201,31 +1188,28 @@ TEST(EVPTest, ECTLSEncodedPoint) { /* y-coordinate */ 0x36, 0xac, 0x98, 0x3e, 0x2d, 0x6f, 0xb9, 0x7a, 0x9e, 0x74, 0x09, 0x0d, 0x26, 0xf4, 0x83, 0x34, 0xce, 0x4f, 0x4b, 0x74, 0x9f, 0x3f, 0xd7, 0xaa, - 0x92, 0xe2, 0xc5, 0x40, 0x23, 0x2c, 0xe1, 0xbd - }; - static const uint8_t kP256PrivateKey[] = { - 0x4c, 0xab, 0xbc, 0x3f, 0xad, 0x44, 0x43, 0xcd, 0xa1, 0x36, 0x46, 0x39, - 0x1e, 0x08, 0xbd, 0xa9, 0xd5, 0x29, 0xe1, 0x03, 0x96, 0xc0, 0xcb, 0xd2, - 0xde, 0x9c, 0x1c, 0x73, 0xaf, 0xaa, 0x32, 0x99 - }; - static const uint8_t kP256ExpectedSharedSecret[] = { - 0x89, 0x00, 0x1b, 0x34, 0x36, 0xf7, 0xe6, 0x6b, 0x00, 0x8d, 0x68, 0xa6, - 0xc4, 0x7e, 0x01, 0x82, 0x49, 0x49, 0x4b, 0x92, 0x33, 0x92, 0x1b, 0x80, - 0x7a, 0x75, 0x49, 0xd3, 0xad, 0xe2, 0x01, 0xa2 - }; - - struct ectlsencodedpoint_test_data p256_test_data = { - kP256PublicKey, // public_key - (1 + 32 + 32), // public_key_size - kP256PrivateKey, // private_key - 32, // private_key_size - kP256ExpectedSharedSecret, // expected_shared_secret - 32, // expected_shared_secret_size - EVP_PKEY_EC, // key_type - NID_X9_62_prime256v1 // curve_nid - }; - - static const uint8_t kP384PublicKey[] = { + 0x92, 0xe2, 0xc5, 0x40, 0x23, 0x2c, 0xe1, 0xbd}; + static const uint8_t kP256PrivateKey[] = { + 0x4c, 0xab, 0xbc, 0x3f, 0xad, 0x44, 0x43, 0xcd, 0xa1, 0x36, 0x46, + 0x39, 0x1e, 0x08, 0xbd, 0xa9, 0xd5, 0x29, 0xe1, 0x03, 0x96, 0xc0, + 0xcb, 0xd2, 0xde, 0x9c, 0x1c, 0x73, 0xaf, 0xaa, 0x32, 0x99}; + static const uint8_t kP256ExpectedSharedSecret[] = { + 0x89, 0x00, 0x1b, 0x34, 0x36, 0xf7, 0xe6, 0x6b, 0x00, 0x8d, 0x68, + 0xa6, 0xc4, 0x7e, 0x01, 0x82, 0x49, 0x49, 0x4b, 0x92, 0x33, 0x92, + 0x1b, 0x80, 0x7a, 0x75, 0x49, 0xd3, 0xad, 0xe2, 0x01, 0xa2}; + + struct ectlsencodedpoint_test_data p256_test_data = { + kP256PublicKey, // public_key + (1 + 32 + 32), // public_key_size + kP256PrivateKey, // private_key + 32, // private_key_size + kP256ExpectedSharedSecret, // expected_shared_secret + 32, // expected_shared_secret_size 
+ EVP_PKEY_EC, // key_type + NID_X9_62_prime256v1 // curve_nid + }; + + static const uint8_t kP384PublicKey[] = { /* uncompressed */ 0x04, /* x-coordinate */ 
@@ -1237,33 +1221,30 @@ TEST(EVPTest, ECTLSEncodedPoint) { 0xf9, 0x62, 0xa2, 0x73, 0x6a, 0xce, 0x52, 0x56, 0x18, 0x15, 0xd5, 0x99, 0x53, 0xa0, 0x19, 0x1b, 0x1f, 0xb1, 0xf2, 0x88, 0xa4, 0x5f, 0x8e, 0x28, 0x3d, 0x40, 0xa5, 0xff, 0x0e, 0x83, 0x3f, 0xf3, 0x0b, 0xd6, 0x05, 0xb1, - 0x0c, 0xf8, 0xc2, 0x6c, 0x57, 0x4d, 0x4c, 0x2f, 0x0d, 0xcd, 0xce, 0x21 - }; - static const uint8_t kP384PrivateKey[] = { + 0x0c, 0xf8, 0xc2, 0x6c, 0x57, 0x4d, 0x4c, 0x2f, 0x0d, 0xcd, 0xce, 0x21}; + static const uint8_t kP384PrivateKey[] = { 0x08, 0x95, 0x0a, 0xc9, 0x2e, 0x16, 0xce, 0x9e, 0x50, 0xed, 0xe3, 0x65, 0x00, 0x3c, 0xb6, 0x2c, 0xea, 0x61, 0x03, 0xcf, 0xe5, 0x35, 0xfa, 0xb3, 0xdc, 0x6f, 0x01, 0x45, 0xf3, 0x8e, 0xf1, 0x1c, 0x10, 0x3e, 0xf1, 0x40, - 0x79, 0x7e, 0x4f, 0x1e, 0x5f, 0x05, 0x3f, 0x8e, 0x83, 0x0c, 0xa7, 0xd9 - }; - static const uint8_t kP384ExpectedSharedSecret[] = { + 0x79, 0x7e, 0x4f, 0x1e, 0x5f, 0x05, 0x3f, 0x8e, 0x83, 0x0c, 0xa7, 0xd9}; + static const uint8_t kP384ExpectedSharedSecret[] = { 0x4b, 0x3c, 0xda, 0x1c, 0xef, 0xb6, 0x8d, 0x0a, 0x2e, 0xf3, 0x53, 0x04, 0xa9, 0xb0, 0xca, 0x1d, 0x8c, 0xda, 0x8b, 0xdf, 0xc8, 0x01, 0x09, 0x8c, 0xf7, 0x3c, 0x21, 0x8e, 0x65, 0x67, 0x22, 0xc3, 0x64, 0x96, 0x9a, 0x2a, - 0x1f, 0x57, 0xd1, 0x93, 0x03, 0x95, 0x98, 0x22, 0x7e, 0xf2, 0xb5, 0x18 - }; - - struct ectlsencodedpoint_test_data p384_test_data = { - kP384PublicKey, // public_key - (1 + 48 + 48), // public_key_size - kP384PrivateKey, // private_key - 48, // private_key_size - kP384ExpectedSharedSecret, // expected_shared_secret - 48, // expected_shared_secret_size - EVP_PKEY_EC, // key_type - NID_secp384r1 // curve_nid - }; - - static const uint8_t kP521PublicKey[] = { + 0x1f, 0x57, 0xd1, 0x93, 0x03, 0x95, 0x98, 0x22, 0x7e, 0xf2, 0xb5, 0x18}; + + struct ectlsencodedpoint_test_data p384_test_data = { + kP384PublicKey, // public_key + (1 + 48 + 48), // public_key_size + kP384PrivateKey, // private_key + 48, // private_key_size + kP384ExpectedSharedSecret, // expected_shared_secret + 48, 
// expected_shared_secret_size + EVP_PKEY_EC, // key_type + NID_secp384r1 // curve_nid + }; + + static const uint8_t kP521PublicKey[] = { /* uncompressed */ 0x04, /* x-coordinate */ 
@@ -1279,195 +1260,216 @@ TEST(EVPTest, ECTLSEncodedPoint) { 0x8d, 0x5d, 0xfa, 0x08, 0xb4, 0x27, 0xd3, 0xae, 0xe4, 0x76, 0x4f, 0x46, 0x47, 0xf9, 0xf2, 0x4e, 0xcf, 0x0f, 0xee, 0x6d, 0x61, 0x9c, 0x79, 0x73, 0xa8, 0x55, 0x4a, 0xd5, 0x51, 0x13, 0x0d, 0x1e, 0x3f, 0x6c, 0x9d, 0x2e, - 0xe3, 0xa2, 0xa8, 0x6f, 0xf5, 0xc3 - }; - static const uint8_t kP521PrivateKey[] = { - 0x01, 0xab, 0x4b, 0x1a, 0x8b, 0x60, 0xbb, 0x40, 0x23, 0xd6, 0x55, 0x05, - 0x0f, 0x0a, 0xd5, 0xd6, 0xe1, 0xbf, 0x5b, 0xc5, 0x23, 0x90, 0x2a, 0x2f, - 0x59, 0x69, 0x3e, 0xd0, 0xb9, 0x4f, 0x3c, 0x61, 0x06, 0xde, 0xb5, 0x92, - 0xe0, 0xf1, 0x74, 0xa7, 0x8b, 0xbd, 0xef, 0x23, 0xec, 0xeb, 0x23, 0xfc, - 0x97, 0x4b, 0x1c, 0xf5, 0x6a, 0x37, 0x73, 0x66, 0x6a, 0xfc, 0x76, 0x6f, - 0x3d, 0xdc, 0xb4, 0xc2, 0x92, 0xd0 - }; - static const uint8_t kP521ExpectedSharedSecret[] = { - 0x01, 0x1e, 0x28, 0x45, 0xc3, 0x2d, 0x1e, 0x49, 0xfc, 0x6a, 0x0e, 0x3c, - 0xc8, 0x05, 0xc0, 0x98, 0x45, 0x11, 0xb0, 0x7f, 0xf6, 0xea, 0x41, 0xe1, - 0xe1, 0x12, 0xee, 0x9c, 0x40, 0x8c, 0x74, 0xc3, 0x53, 0x5c, 0x97, 0xf2, - 0xf1, 0x8d, 0x62, 0xf4, 0x3d, 0x27, 0x21, 0x40, 0x7b, 0x82, 0x13, 0xd0, - 0x0b, 0xd3, 0x58, 0x86, 0x6a, 0x33, 0xc6, 0x0c, 0x67, 0x51, 0xd2, 0xdc, - 0x23, 0x50, 0x06, 0x15, 0xb2, 0xba - }; - - struct ectlsencodedpoint_test_data p521_test_data = { - kP521PublicKey, // public_key - (1 + 66 + 66), // public_key_size - kP521PrivateKey, // private_key - 66, // private_key_size - kP521ExpectedSharedSecret, // expected_shared_secret - 66, // expected_shared_secret_size - EVP_PKEY_EC, // key_type - NID_secp521r1 // curve_nid - }; - - ectlsencodedpoint_test_data test_data_all[] = {x25519_test_data, - p224_test_data, p256_test_data, p384_test_data, p521_test_data}; - - uint8_t *output = nullptr; - size_t output_size = 0; - uint8_t *shared_secret = nullptr; - size_t shared_secret_size = 0; - EVP_PKEY_CTX *pkey_ctx = nullptr; - EVP_PKEY *pkey_public = nullptr; - EVP_PKEY *pkey_private = nullptr; - - for (ectlsencodedpoint_test_data test_data : 
test_data_all) { - - pkey_private = instantiate_and_set_private_key(test_data.private_key, - test_data.private_key_size, test_data.key_type, test_data.curve_nid); - ASSERT_TRUE(pkey_private); - pkey_public = instantiate_public_key(test_data.key_type, + 0xe3, 0xa2, 0xa8, 0x6f, 0xf5, 0xc3}; + static const uint8_t kP521PrivateKey[] = { + 0x01, 0xab, 0x4b, 0x1a, 0x8b, 0x60, 0xbb, 0x40, 0x23, 0xd6, 0x55, + 0x05, 0x0f, 0x0a, 0xd5, 0xd6, 0xe1, 0xbf, 0x5b, 0xc5, 0x23, 0x90, + 0x2a, 0x2f, 0x59, 0x69, 0x3e, 0xd0, 0xb9, 0x4f, 0x3c, 0x61, 0x06, + 0xde, 0xb5, 0x92, 0xe0, 0xf1, 0x74, 0xa7, 0x8b, 0xbd, 0xef, 0x23, + 0xec, 0xeb, 0x23, 0xfc, 0x97, 0x4b, 0x1c, 0xf5, 0x6a, 0x37, 0x73, + 0x66, 0x6a, 0xfc, 0x76, 0x6f, 0x3d, 0xdc, 0xb4, 0xc2, 0x92, 0xd0}; + static const uint8_t kP521ExpectedSharedSecret[] = { + 0x01, 0x1e, 0x28, 0x45, 0xc3, 0x2d, 0x1e, 0x49, 0xfc, 0x6a, 0x0e, + 0x3c, 0xc8, 0x05, 0xc0, 0x98, 0x45, 0x11, 0xb0, 0x7f, 0xf6, 0xea, + 0x41, 0xe1, 0xe1, 0x12, 0xee, 0x9c, 0x40, 0x8c, 0x74, 0xc3, 0x53, + 0x5c, 0x97, 0xf2, 0xf1, 0x8d, 0x62, 0xf4, 0x3d, 0x27, 0x21, 0x40, + 0x7b, 0x82, 0x13, 0xd0, 0x0b, 0xd3, 0x58, 0x86, 0x6a, 0x33, 0xc6, + 0x0c, 0x67, 0x51, 0xd2, 0xdc, 0x23, 0x50, 0x06, 0x15, 0xb2, 0xba}; + + struct ectlsencodedpoint_test_data p521_test_data = { + kP521PublicKey, // public_key + (1 + 66 + 66), // public_key_size + kP521PrivateKey, // private_key + 66, // private_key_size + kP521ExpectedSharedSecret, // expected_shared_secret + 66, // expected_shared_secret_size + EVP_PKEY_EC, // key_type + NID_secp521r1 // curve_nid + }; + + ectlsencodedpoint_test_data test_data_all[] = { + x25519_test_data, p224_test_data, p256_test_data, p384_test_data, + p521_test_data}; + + uint8_t *output = nullptr; + size_t output_size = 0; + uint8_t *shared_secret = nullptr; + size_t shared_secret_size = 0; + EVP_PKEY_CTX *pkey_ctx = nullptr; + EVP_PKEY *pkey_public = nullptr; + EVP_PKEY *pkey_private = nullptr; + + for (ectlsencodedpoint_test_data test_data : test_data_all) { + pkey_private 
= instantiate_and_set_private_key( + test_data.private_key, test_data.private_key_size, test_data.key_type, test_data.curve_nid); - ASSERT_TRUE(pkey_public); - - // Test we can parse EC point into an EVP_PKEY object - ASSERT_TRUE(EVP_PKEY_set1_tls_encodedpoint(pkey_public, - test_data.public_key, test_data.public_key_size)); - - // Test we can successfully perform a ECDH key derivation using the - // parsed public key and a corresponding private key - pkey_ctx = EVP_PKEY_CTX_new(pkey_private, nullptr); - ASSERT_TRUE(pkey_ctx); - ASSERT_TRUE(EVP_PKEY_derive_init(pkey_ctx)); - ASSERT_TRUE(EVP_PKEY_derive_set_peer(pkey_ctx, pkey_public)); - ASSERT_TRUE(EVP_PKEY_derive(pkey_ctx, nullptr, &shared_secret_size)); - EXPECT_EQ(shared_secret_size, test_data.expected_shared_secret_size); - shared_secret = (uint8_t *) OPENSSL_malloc(shared_secret_size); - ASSERT_TRUE(shared_secret); - ASSERT_TRUE(EVP_PKEY_derive(pkey_ctx, shared_secret, - &shared_secret_size)); - EXPECT_EQ(shared_secret_size, test_data.expected_shared_secret_size); - EXPECT_EQ(Bytes(shared_secret, shared_secret_size), - Bytes(test_data.expected_shared_secret, shared_secret_size)); - - // Test we can write EC point from the EVP_PKEY object to wire format - output_size = EVP_PKEY_get1_tls_encodedpoint(pkey_public, &output); - EXPECT_EQ(output_size, test_data.public_key_size); - EXPECT_EQ(Bytes(output, output_size), - Bytes(test_data.public_key, output_size)); - - OPENSSL_free(output); - OPENSSL_free(shared_secret); - EVP_PKEY_CTX_free(pkey_ctx); - EVP_PKEY_free(pkey_public); - EVP_PKEY_free(pkey_private); - output_size = 0; - shared_secret_size = 0; - } + ASSERT_TRUE(pkey_private); + pkey_public = + instantiate_public_key(test_data.key_type, test_data.curve_nid); + ASSERT_TRUE(pkey_public); + + // Test we can parse EC point into an EVP_PKEY object + ASSERT_TRUE(EVP_PKEY_set1_tls_encodedpoint( + pkey_public, test_data.public_key, test_data.public_key_size)); + + // Test we can successfully perform a ECDH key 
derivation using the + // parsed public key and a corresponding private key + pkey_ctx = EVP_PKEY_CTX_new(pkey_private, nullptr); + ASSERT_TRUE(pkey_ctx); + ASSERT_TRUE(EVP_PKEY_derive_init(pkey_ctx)); + ASSERT_TRUE(EVP_PKEY_derive_set_peer(pkey_ctx, pkey_public)); + ASSERT_TRUE(EVP_PKEY_derive(pkey_ctx, nullptr, &shared_secret_size)); + EXPECT_EQ(shared_secret_size, test_data.expected_shared_secret_size); + shared_secret = (uint8_t *)OPENSSL_malloc(shared_secret_size); + ASSERT_TRUE(shared_secret); + ASSERT_TRUE(EVP_PKEY_derive(pkey_ctx, shared_secret, &shared_secret_size)); + EXPECT_EQ(shared_secret_size, test_data.expected_shared_secret_size); + EXPECT_EQ(Bytes(shared_secret, shared_secret_size), + Bytes(test_data.expected_shared_secret, shared_secret_size)); + + // Test we can write EC point from the EVP_PKEY object to wire format + output_size = EVP_PKEY_get1_tls_encodedpoint(pkey_public, &output); + EXPECT_EQ(output_size, test_data.public_key_size); + EXPECT_EQ(Bytes(output, output_size), + Bytes(test_data.public_key, output_size)); + + OPENSSL_free(output); + OPENSSL_free(shared_secret); + EVP_PKEY_CTX_free(pkey_ctx); + EVP_PKEY_free(pkey_public); + EVP_PKEY_free(pkey_private); + output_size = 0; + shared_secret_size = 0; + } - // Above tests explore the happy path. Now test that some invalid - // input parameters are handled gracefully and with no crashes. - for (ectlsencodedpoint_test_data test_data : test_data_all) { + // Above tests explore the happy path. Now test that some invalid + // input parameters are handled gracefully and with no crashes. + for (ectlsencodedpoint_test_data test_data : test_data_all) { + pkey_public = + instantiate_public_key(test_data.key_type, test_data.curve_nid); + ASSERT_TRUE(pkey_public); + + // pkey = NULL should result in |ERR_R_PASSED_NULL_PARAMETER| being passed + // back for both functions. 
+ ASSERT_FALSE(EVP_PKEY_set1_tls_encodedpoint(nullptr, test_data.public_key, + test_data.public_key_size)); + EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, + ERR_GET_REASON(ERR_peek_last_error())); + ERR_clear_error(); + ASSERT_FALSE(EVP_PKEY_get1_tls_encodedpoint(nullptr, &output)); + EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, + ERR_GET_REASON(ERR_peek_last_error())); + ERR_clear_error(); - pkey_public = instantiate_public_key(test_data.key_type, - test_data.curve_nid); - ASSERT_TRUE(pkey_public); - - // pkey = NULL should result in |ERR_R_PASSED_NULL_PARAMETER| being passed - // back for both functions. - ASSERT_FALSE(EVP_PKEY_set1_tls_encodedpoint(nullptr, - test_data.public_key, test_data.public_key_size)); - EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, - ERR_GET_REASON(ERR_peek_last_error())); - ERR_clear_error(); - ASSERT_FALSE(EVP_PKEY_get1_tls_encodedpoint(nullptr, &output)); - EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, - ERR_GET_REASON(ERR_peek_last_error())); - ERR_clear_error(); + // For |EVP_PKEY_get1_tls_encodedpoint| if out_ptr = NULL, we should also + // expect |ERR_R_PASSED_NULL_PARAMETER| being passed back. + ASSERT_FALSE(EVP_PKEY_get1_tls_encodedpoint(pkey_public, nullptr)); + EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, + ERR_GET_REASON(ERR_peek_last_error())); + ERR_clear_error(); - // For |EVP_PKEY_get1_tls_encodedpoint| if out_ptr = NULL, we should also - // expect |ERR_R_PASSED_NULL_PARAMETER| being passed back. - ASSERT_FALSE(EVP_PKEY_get1_tls_encodedpoint(pkey_public, nullptr)); - EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, - ERR_GET_REASON(ERR_peek_last_error())); - ERR_clear_error(); + // For |EVP_PKEY_set1_tls_encodedpoint| if in = NULL or len < 1, we should + // expect |ERR_R_PASSED_NULL_PARAMETER| or |EVP_R_INVALID_PARAMETERS|, + // respectively. 
+ ASSERT_FALSE(EVP_PKEY_set1_tls_encodedpoint(pkey_public, nullptr, + test_data.public_key_size)); + EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, + ERR_GET_REASON(ERR_peek_last_error())); + ERR_clear_error(); + ASSERT_FALSE( + EVP_PKEY_set1_tls_encodedpoint(pkey_public, test_data.public_key, 0)); + EXPECT_EQ(EVP_R_INVALID_PARAMETERS, ERR_GET_REASON(ERR_peek_last_error())); + ERR_clear_error(); - // For |EVP_PKEY_set1_tls_encodedpoint| if in = NULL or len < 1, we should - // expect |ERR_R_PASSED_NULL_PARAMETER| or |EVP_R_INVALID_PARAMETERS|, - // respectively. - ASSERT_FALSE(EVP_PKEY_set1_tls_encodedpoint(pkey_public, - nullptr, test_data.public_key_size)); - EXPECT_EQ(ERR_R_PASSED_NULL_PARAMETER, - ERR_GET_REASON(ERR_peek_last_error())); - ERR_clear_error(); - ASSERT_FALSE(EVP_PKEY_set1_tls_encodedpoint(pkey_public, - test_data.public_key, 0)); - EXPECT_EQ(EVP_R_INVALID_PARAMETERS, - ERR_GET_REASON(ERR_peek_last_error())); - ERR_clear_error(); + EVP_PKEY_free(pkey_public); + } - EVP_PKEY_free(pkey_public); - } + // Test various unsupported key types are rejected + int key_types_not_supported[] = {EVP_PKEY_RSA, EVP_PKEY_DSA, + EVP_PKEY_ED25519}; + const uint8_t not_supported[] = {'n', 'o', 't', ' ', 's', 'u', 'p', + 'p', 'o', 'r', 't', 'e', 'd'}; + size_t not_supported_size = 13; // specific size irrelevant + uint8_t *not_supported_out = nullptr; + bssl::UniquePtr pkey_key_type_not_supported(EVP_PKEY_new()); + + for (int key_type : key_types_not_supported) { + ASSERT_TRUE(pkey_key_type_not_supported.get()); + ASSERT_TRUE(EVP_PKEY_set_type(pkey_key_type_not_supported.get(), key_type)); - // Test various unsupported key types are rejected - int key_types_not_supported[] = {EVP_PKEY_RSA, EVP_PKEY_DSA, - EVP_PKEY_ED25519}; - const uint8_t not_supported[] = {'n','o','t',' ','s','u','p','p','o','r', - 't','e','d'}; - size_t not_supported_size = 13; // specific size irrelevant - uint8_t *not_supported_out = nullptr; - bssl::UniquePtr pkey_key_type_not_supported(EVP_PKEY_new()); 
- - for (int key_type : key_types_not_supported) { - ASSERT_TRUE(pkey_key_type_not_supported.get()); - ASSERT_TRUE(EVP_PKEY_set_type(pkey_key_type_not_supported.get(), - key_type)); - - ASSERT_FALSE(EVP_PKEY_set1_tls_encodedpoint( + ASSERT_FALSE(EVP_PKEY_set1_tls_encodedpoint( pkey_key_type_not_supported.get(), not_supported, not_supported_size)); - EXPECT_EQ(EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE, - ERR_GET_REASON(ERR_peek_last_error())); - ERR_clear_error(); + EXPECT_EQ(EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE, + ERR_GET_REASON(ERR_peek_last_error())); + ERR_clear_error(); - ASSERT_FALSE(EVP_PKEY_get1_tls_encodedpoint( + ASSERT_FALSE(EVP_PKEY_get1_tls_encodedpoint( pkey_key_type_not_supported.get(), ¬_supported_out)); - EXPECT_EQ(EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE, - ERR_GET_REASON(ERR_peek_last_error())); - ERR_clear_error(); - } + EXPECT_EQ(EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE, + ERR_GET_REASON(ERR_peek_last_error())); + ERR_clear_error(); + } - // Test compressed encoded EC point is rejected - static const uint8_t kP256PublicKeyCompressed[] = { + // Test compressed encoded EC point is rejected + static const uint8_t kP256PublicKeyCompressed[] = { /* uncompressed + parity bit */ 0x03, /* x-coordinate */ - 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, - 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, - 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b, - }; - - bssl::UniquePtr pkey_public_compressed(instantiate_public_key( - EVP_PKEY_EC, NID_X9_62_prime256v1)); - ASSERT_TRUE(pkey_public_compressed); - - ASSERT_FALSE(EVP_PKEY_set1_tls_encodedpoint(pkey_public_compressed.get(), - kP256PublicKeyCompressed, 1 + 32)); - EXPECT_EQ(ERR_R_EVP_LIB, - ERR_GET_REASON(ERR_peek_last_error())); - ERR_clear_error(); - - uint8_t *output_compressed = NULL; - bssl::UniquePtr pkey_public_compressed_set( + 0xe1, + 0x5a, + 0x44, + 0x72, + 0x91, + 0xf0, + 0x84, + 0xfe, + 0x88, + 0x7a, + 0x6c, + 0x2c, + 0x03, + 0x22, + 0x9a, + 0xf3, + 0x04, + 0x8a, + 
0x5d, + 0xfe, + 0x84, + 0x73, + 0x70, + 0xc9, + 0x3f, + 0x92, + 0x72, + 0x9b, + 0x31, + 0xc5, + 0x5f, + 0x7b, + }; + + bssl::UniquePtr pkey_public_compressed( + instantiate_public_key(EVP_PKEY_EC, NID_X9_62_prime256v1)); + ASSERT_TRUE(pkey_public_compressed); + + ASSERT_FALSE(EVP_PKEY_set1_tls_encodedpoint( + pkey_public_compressed.get(), kP256PublicKeyCompressed, 1 + 32)); + EXPECT_EQ(ERR_R_EVP_LIB, ERR_GET_REASON(ERR_peek_last_error())); + ERR_clear_error(); + + uint8_t *output_compressed = NULL; + bssl::UniquePtr pkey_public_compressed_set( instantiate_and_set_public_key(kP256PublicKeyCompressed, 1 + 32, - NID_X9_62_prime256v1)); - EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey_public_compressed_set.get()), - POINT_CONVERSION_COMPRESSED); - ASSERT_TRUE(pkey_public_compressed_set.get()); - - ASSERT_FALSE(EVP_PKEY_get1_tls_encodedpoint( - pkey_public_compressed_set.get(), &output_compressed)); - EXPECT_EQ(ERR_R_EVP_LIB, - ERR_GET_REASON(ERR_peek_last_error())); - ERR_clear_error(); + NID_X9_62_prime256v1)); + EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey_public_compressed_set.get()), + POINT_CONVERSION_COMPRESSED); + ASSERT_TRUE(pkey_public_compressed_set.get()); + + ASSERT_FALSE(EVP_PKEY_get1_tls_encodedpoint(pkey_public_compressed_set.get(), + &output_compressed)); + EXPECT_EQ(ERR_R_EVP_LIB, ERR_GET_REASON(ERR_peek_last_error())); + ERR_clear_error(); } TEST(EVPTest, PKEY_asn1_find) { 
@@ -1475,9 +1477,10 @@ TEST(EVPTest, PKEY_asn1_find) { const char *pinfo, *pem_str; /* Test case 1: Find RSA algorithm */ - const EVP_PKEY_ASN1_METHOD* ameth = EVP_PKEY_asn1_find(NULL, EVP_PKEY_RSA); + const EVP_PKEY_ASN1_METHOD *ameth = EVP_PKEY_asn1_find(NULL, EVP_PKEY_RSA); ASSERT_TRUE(ameth); - ASSERT_TRUE(EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, &pinfo, &pem_str, ameth)); + ASSERT_TRUE(EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, + &pinfo, &pem_str, ameth)); ASSERT_EQ(pkey_id, EVP_PKEY_RSA); ASSERT_EQ(pkey_base_id, EVP_PKEY_RSA); ASSERT_EQ(0, pkey_flags); @@ -1487,7 +1490,8 @@ TEST(EVPTest, PKEY_asn1_find) { /* Test case 2: Find EC algorithm */ ameth = EVP_PKEY_asn1_find(NULL, EVP_PKEY_EC); ASSERT_TRUE(ameth); - ASSERT_TRUE(EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, &pinfo, &pem_str, ameth)); + ASSERT_TRUE(EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, + &pinfo, &pem_str, ameth)); ASSERT_EQ(pkey_id, EVP_PKEY_EC); ASSERT_EQ(pkey_base_id, EVP_PKEY_EC); ASSERT_EQ(0, pkey_flags); @@ -1497,7 +1501,8 @@ TEST(EVPTest, PKEY_asn1_find) { /* Test case 3: Find non-existent algorithm */ ameth = EVP_PKEY_asn1_find(NULL, EVP_PKEY_NONE); ASSERT_FALSE(ameth); - ASSERT_FALSE(EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, &pinfo, &pem_str, ameth)); + ASSERT_FALSE(EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, + &pinfo, &pem_str, ameth)); } TEST(EVPTest, PKEY_asn1_find_str) { 
@@ -1505,9 +1510,10 @@ TEST(EVPTest, PKEY_asn1_find_str) { const char *pinfo, *pem_str; /* Test case 1: Find RSA algorithm */ - const EVP_PKEY_ASN1_METHOD* ameth = EVP_PKEY_asn1_find_str(NULL, "RSA", 3); + const EVP_PKEY_ASN1_METHOD *ameth = EVP_PKEY_asn1_find_str(NULL, "RSA", 3); ASSERT_TRUE(ameth); - ASSERT_TRUE(EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, &pinfo, &pem_str, ameth)); + ASSERT_TRUE(EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, + &pinfo, &pem_str, ameth)); ASSERT_EQ(pkey_id, EVP_PKEY_RSA); ASSERT_EQ(pkey_base_id, EVP_PKEY_RSA); ASSERT_EQ(0, pkey_flags); @@ -1517,7 +1523,8 @@ TEST(EVPTest, PKEY_asn1_find_str) { /* Test case 2: Find EC algorithm */ ameth = EVP_PKEY_asn1_find_str(NULL, "EC", 2); ASSERT_TRUE(ameth); - ASSERT_TRUE(EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, &pinfo, &pem_str, ameth)); + ASSERT_TRUE(EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, + &pinfo, &pem_str, ameth)); ASSERT_EQ(pkey_id, EVP_PKEY_EC); ASSERT_EQ(pkey_base_id, EVP_PKEY_EC); ASSERT_EQ(0, pkey_flags); @@ -1527,7 +1534,8 @@ TEST(EVPTest, PKEY_asn1_find_str) { /* Test case 3: Find non-existent algorithm */ ameth = EVP_PKEY_asn1_find_str(NULL, "Nonsense", 8); ASSERT_FALSE(ameth); - ASSERT_FALSE(EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, &pinfo, &pem_str, ameth)); + ASSERT_FALSE(EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, + &pinfo, &pem_str, ameth)); } TEST(EVPTest, ED25519PH) { 
@@ -1576,9 +1584,11 @@ TEST(EVPTest, ED25519PH) { { uint8_t raw_key[ED25519_PRIVATE_KEY_SEED_LEN]; size_t raw_key_len = sizeof(raw_key); - ASSERT_TRUE(EVP_PKEY_get_raw_private_key(pkey.get(), raw_key, &raw_key_len)); + ASSERT_TRUE( + EVP_PKEY_get_raw_private_key(pkey.get(), raw_key, &raw_key_len)); - EVP_PKEY *rk = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519PH, nullptr, raw_key, raw_key_len); + EVP_PKEY *rk = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519PH, nullptr, + raw_key, raw_key_len); ASSERT_TRUE(rk); pkey.reset(rk); ASSERT_EQ(EVP_PKEY_ED25519PH, EVP_PKEY_id(pkey.get())); @@ -1592,8 +1602,9 @@ TEST(EVPTest, ED25519PH) { uint8_t raw_key[ED25519_PUBLIC_KEY_LEN]; size_t raw_key_len = sizeof(raw_key); ASSERT_TRUE(EVP_PKEY_get_raw_public_key(pkey.get(), raw_key, &raw_key_len)); - - EVP_PKEY *rk = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519PH, nullptr, raw_key, raw_key_len); + + EVP_PKEY *rk = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519PH, nullptr, + raw_key, raw_key_len); ASSERT_TRUE(rk); pubkey.reset(rk); ASSERT_EQ(EVP_PKEY_ED25519PH, EVP_PKEY_id(pubkey.get())); @@ -1623,8 +1634,7 @@ TEST(EVPTest, ED25519PH) { ASSERT_TRUE(EVP_DigestSignUpdate(md_ctx.get(), &message[0], 3)); ASSERT_TRUE( EVP_DigestSignUpdate(md_ctx.get(), &message[3], sizeof(message) - 3)); - ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), signature, - &signature_len)); + ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), signature, &signature_len)); ASSERT_EQ(signature_len, (size_t)ED25519_SIGNATURE_LEN); ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx.get(), &pctx, EVP_sha512(), nullptr, 
@@ -1634,8 +1644,7 @@ TEST(EVPTest, ED25519PH) { ASSERT_TRUE(EVP_DigestVerifyUpdate(md_ctx.get(), &message[0], 3)); ASSERT_TRUE( EVP_DigestVerifyUpdate(md_ctx.get(), &message[3], sizeof(message) - 3)); - ASSERT_TRUE(EVP_DigestVerifyFinal(md_ctx.get(), - signature, signature_len)); + ASSERT_TRUE(EVP_DigestVerifyFinal(md_ctx.get(), signature, signature_len)); } // prehash signature gen and verify w/ context using EVP_PKEY_sign and @@ -1646,9 +1655,11 @@ TEST(EVPTest, ED25519PH) { ASSERT_TRUE(EVP_PKEY_sign_init(ctx.get())); ASSERT_TRUE(EVP_PKEY_CTX_set_signature_context(ctx.get(), context, sizeof(context))); - ASSERT_TRUE(EVP_PKEY_sign(ctx.get(), working_signature, &working_signature_len, message_sha512, sizeof(message_sha512))); + ASSERT_TRUE(EVP_PKEY_sign(ctx.get(), working_signature, + &working_signature_len, message_sha512, + sizeof(message_sha512))); ASSERT_EQ(working_signature_len, (size_t)ED25519_SIGNATURE_LEN); - + ctx.reset(EVP_PKEY_CTX_new(pubkey.get(), nullptr)); ASSERT_TRUE(ctx.get()); ASSERT_TRUE(EVP_PKEY_verify_init(ctx.get())); @@ -1692,12 +1703,14 @@ TEST(EVPTest, ED25519PH) { working_signature_len)); } - // Pre-hash signature w/ context should not match Pre-hash signature w/o context + // Pre-hash signature w/ context should not match Pre-hash signature w/o + // context ASSERT_NE(Bytes(signature, signature_len), Bytes(working_signature, working_signature_len)); - // prehash signature gen and verify with EVP_PKEY_sign and EVP_PKEY_verify directly + // prehash signature gen and verify with EVP_PKEY_sign and EVP_PKEY_verify + // directly { OPENSSL_memcpy(signature, working_signature, working_signature_len); signature_len = working_signature_len; 
@@ -1705,19 +1718,23 @@ TEST(EVPTest, ED25519PH) { bssl::UniquePtr ctx(EVP_PKEY_CTX_new(pkey.get(), nullptr)); ASSERT_TRUE(ctx.get()); ASSERT_TRUE(EVP_PKEY_sign_init(ctx.get())); - ASSERT_TRUE(EVP_PKEY_sign(ctx.get(), working_signature, &working_signature_len, message_sha512, sizeof(message_sha512))); + ASSERT_TRUE(EVP_PKEY_sign(ctx.get(), working_signature, + &working_signature_len, message_sha512, + sizeof(message_sha512))); ASSERT_EQ(working_signature_len, (size_t)ED25519_SIGNATURE_LEN); ctx.reset(EVP_PKEY_CTX_new(pubkey.get(), nullptr)); ASSERT_TRUE(ctx.get()); ASSERT_TRUE(EVP_PKEY_verify_init(ctx.get())); - ASSERT_TRUE(EVP_PKEY_verify(ctx.get(), working_signature, working_signature_len, message_sha512, sizeof(message_sha512))); + ASSERT_TRUE(EVP_PKEY_verify(ctx.get(), working_signature, + working_signature_len, message_sha512, + sizeof(message_sha512))); ASSERT_EQ(Bytes(signature, signature_len), Bytes(working_signature, working_signature_len)); } - + { CBS cbs; CBS_init(&cbs, CBB_data(marshalled_private_key.get()), @@ -1744,13 +1761,15 @@ TEST(EVPTest, ED25519PH) { ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), nullptr, nullptr, nullptr, pkey.get())); ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), working_signature, - &working_signature_len, message, sizeof(message))); + &working_signature_len, message, + sizeof(message))); ASSERT_EQ(working_signature_len, (size_t)ED25519_SIGNATURE_LEN); ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx.get(), nullptr, nullptr, nullptr, pubkey.get())); ASSERT_TRUE(EVP_DigestVerify(md_ctx.get(), working_signature, - working_signature_len, message, sizeof(message))); + working_signature_len, message, + sizeof(message))); } // pure signature shouldn't match a pre-hash signature w/o context 
@@ -1759,50 +1778,55 @@ TEST(EVPTest, ED25519PH) { } TEST(EVPTest, Ed25519phTestVectors) { - FileTestGTest("crypto/fipsmodule/curve25519/ed25519ph_tests.txt", [](FileTest *t) { - std::vector seed, q, message, context, expected_signature; - ASSERT_TRUE(t->GetBytes(&seed, "SEED")); - ASSERT_EQ(32u, seed.size()); - ASSERT_TRUE(t->GetBytes(&q, "Q")); - ASSERT_EQ(32u, q.size()); - ASSERT_TRUE(t->GetBytes(&message, "MESSAGE")); - ASSERT_TRUE(t->GetBytes(&expected_signature, "SIGNATURE")); - ASSERT_EQ(64u, expected_signature.size()); - - if (t->HasAttribute("CONTEXT")) { - t->GetBytes(&context, "CONTEXT"); - } else { - context = std::vector(); - } - - bssl::UniquePtr pkey(EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519PH, nullptr, seed.data(), seed.size())); - bssl::UniquePtr pubkey(EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519PH, nullptr, q.data(), q.size())); - ASSERT_TRUE(pkey.get()); - ASSERT_TRUE(pubkey.get()); - ASSERT_EQ(EVP_PKEY_ED25519PH, EVP_PKEY_id(pkey.get())); - ASSERT_EQ(EVP_PKEY_ED25519PH, EVP_PKEY_id(pubkey.get())); - - bssl::UniquePtr md_ctx(EVP_MD_CTX_new()); - EVP_PKEY_CTX *pctx = nullptr; - uint8_t signature[ED25519_SIGNATURE_LEN] = {}; - size_t signature_len = ED25519_SIGNATURE_LEN; - - ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pctx, EVP_sha512(), nullptr, - pkey.get())); - ASSERT_TRUE( - EVP_PKEY_CTX_set_signature_context(pctx, context.data(), context.size())); - ASSERT_TRUE(EVP_DigestSignUpdate(md_ctx.get(), message.data(), message.size())); - ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), signature, - &signature_len)); - ASSERT_EQ(signature_len, (size_t)ED25519_SIGNATURE_LEN); - ASSERT_EQ(Bytes(expected_signature), Bytes(signature, signature_len)); + FileTestGTest( + "crypto/fipsmodule/curve25519/ed25519ph_tests.txt", [](FileTest *t) { + std::vector seed, q, message, context, expected_signature; + ASSERT_TRUE(t->GetBytes(&seed, "SEED")); + ASSERT_EQ(32u, seed.size()); + ASSERT_TRUE(t->GetBytes(&q, "Q")); + ASSERT_EQ(32u, q.size()); + 
ASSERT_TRUE(t->GetBytes(&message, "MESSAGE")); + ASSERT_TRUE(t->GetBytes(&expected_signature, "SIGNATURE")); + ASSERT_EQ(64u, expected_signature.size()); + + if (t->HasAttribute("CONTEXT")) { + t->GetBytes(&context, "CONTEXT"); + } else { + context = std::vector(); + } - ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx.get(), &pctx, EVP_sha512(), nullptr, - pubkey.get())); - ASSERT_TRUE( - EVP_PKEY_CTX_set_signature_context(pctx, context.data(), context.size())); - ASSERT_TRUE(EVP_DigestVerifyUpdate(md_ctx.get(), message.data(), message.size())); - ASSERT_TRUE(EVP_DigestVerifyFinal(md_ctx.get(), signature, - signature_len)); - }); + bssl::UniquePtr pkey(EVP_PKEY_new_raw_private_key( + EVP_PKEY_ED25519PH, nullptr, seed.data(), seed.size())); + bssl::UniquePtr pubkey(EVP_PKEY_new_raw_public_key( + EVP_PKEY_ED25519PH, nullptr, q.data(), q.size())); + ASSERT_TRUE(pkey.get()); + ASSERT_TRUE(pubkey.get()); + ASSERT_EQ(EVP_PKEY_ED25519PH, EVP_PKEY_id(pkey.get())); + ASSERT_EQ(EVP_PKEY_ED25519PH, EVP_PKEY_id(pubkey.get())); + + bssl::UniquePtr md_ctx(EVP_MD_CTX_new()); + EVP_PKEY_CTX *pctx = nullptr; + uint8_t signature[ED25519_SIGNATURE_LEN] = {}; + size_t signature_len = ED25519_SIGNATURE_LEN; + + ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pctx, EVP_sha512(), + nullptr, pkey.get())); + ASSERT_TRUE(EVP_PKEY_CTX_set_signature_context(pctx, context.data(), + context.size())); + ASSERT_TRUE( + EVP_DigestSignUpdate(md_ctx.get(), message.data(), message.size())); + ASSERT_TRUE( + EVP_DigestSignFinal(md_ctx.get(), signature, &signature_len)); + ASSERT_EQ(signature_len, (size_t)ED25519_SIGNATURE_LEN); + ASSERT_EQ(Bytes(expected_signature), Bytes(signature, signature_len)); + + ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx.get(), &pctx, EVP_sha512(), + nullptr, pubkey.get())); + ASSERT_TRUE(EVP_PKEY_CTX_set_signature_context(pctx, context.data(), + context.size())); + ASSERT_TRUE(EVP_DigestVerifyUpdate(md_ctx.get(), message.data(), + message.size())); + ASSERT_TRUE( + 
EVP_DigestVerifyFinal(md_ctx.get(), signature, signature_len)); + }); } diff --git a/crypto/evp_extra/p_dh.c b/crypto/evp_extra/p_dh.c index e0f194023d..d546146a7a 100644 --- a/crypto/evp_extra/p_dh.c +++ b/crypto/evp_extra/p_dh.c @@ -7,8 +7,8 @@ * https://www.openssl.org/source/license.html */ -#include #include +#include #include @@ -123,14 +123,14 @@ static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *_p2) { return 1; case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN: - if(p1 < 256) { + if (p1 < 256) { return -2; } dctx->prime_len = p1; return 1; case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR: - if(p1 < 2) { + if (p1 < 2) { return -2; } dctx->generator = p1; @@ -159,7 +159,8 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { evp_pkey_set_cb_translate(pkey_ctx_cb, ctx); } - ret = DH_generate_parameters_ex(dh, dctx->prime_len, dctx->generator, pkey_ctx_cb); + ret = DH_generate_parameters_ex(dh, dctx->prime_len, dctx->generator, + pkey_ctx_cb); end: if (ret == 1) { EVP_PKEY_assign_DH(pkey, dh); @@ -180,9 +181,9 @@ static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, // * dh_paramgen_subprime_len // * dh_paramgen_type if (strcmp(type, "dh_paramgen_prime_len") == 0) { - char* str_end = NULL; + char *str_end = NULL; long prime_len = strtol(value, &str_end, 10); - if(str_end == value || prime_len < 0 || prime_len > INT_MAX) { + if (str_end == value || prime_len < 0 || prime_len > INT_MAX) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_OPERATION); return 0; } @@ -190,9 +191,9 @@ static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, } if (strcmp(type, "dh_paramgen_generator") == 0) { - char* str_end = NULL; + char *str_end = NULL; long generator = strtol(value, &str_end, 10); - if(str_end == value || generator < 0 || generator > INT_MAX) { + if (str_end == value || generator < 0 || generator > INT_MAX) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_OPERATION); return 0; } 
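Review bot: The `CONTEXT` branch of the reflowed lambda drops the return value of `t->GetBytes(&context, "CONTEXT")`, while every other attribute read in the same lambda is wrapped in ASSERT_TRUE; a malformed CONTEXT attribute in the vector file would then surface as a signature mismatch rather than as a parse failure. Writing `ASSERT_TRUE(t->GetBytes(&context, "CONTEXT"));` keeps the failure mode consistent with the SEED/Q/MESSAGE reads above it. The `else` branch that assigns a fresh empty vector is redundant, since `context` is default-constructed in the declaration a few lines earlier, so the whole `if`/`else` can collapse to the single guarded assert.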
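Review bot: The `strtol` validation in the `dh_paramgen_prime_len` branch only rejects an empty parse (`str_end == value`), so a value with trailing characters such as `2048x` is accepted as 2048, and on targets where `long` is 32 bits an out-of-range string saturates to LONG_MAX and slips past the `> INT_MAX` comparison. The same pattern is in the `dh_paramgen_generator` branch (@@ -190) and the `dh_pad` branch (@@ -201). Adding the end-of-string test — `if (str_end == value || *str_end != '\0' || prime_len < 0 || prime_len > INT_MAX)` — closes the first gap; the second needs `errno = 0` before the call and an `errno == ERANGE` check after it. If lenient parsing is deliberate for OpenSSL compatibility, a one-line comment saying so would stop the next reader from re-raising this. pkey_dh_ctrl_str begins and ends outside these hunks.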
@@ -201,9 +202,9 @@ static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, if (strcmp(type, "dh_pad") == 0) { - char* str_end = NULL; + char *str_end = NULL; long pad = strtol(value, &str_end, 10); - if(str_end == value || pad < 0 || pad > INT_MAX) { + if (str_end == value || pad < 0 || pad > INT_MAX) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_OPERATION); return 0; } @@ -213,17 +214,15 @@ static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, } -const EVP_PKEY_METHOD dh_pkey_meth = { - .pkey_id = EVP_PKEY_DH, - .init = pkey_dh_init, - .copy = pkey_dh_copy, - .cleanup = pkey_dh_cleanup, - .keygen = pkey_dh_keygen, - .derive = pkey_dh_derive, - .paramgen = pkey_dh_paramgen, - .ctrl = pkey_dh_ctrl, - .ctrl_str = pkey_dh_ctrl_str -}; +const EVP_PKEY_METHOD dh_pkey_meth = {.pkey_id = EVP_PKEY_DH, + .init = pkey_dh_init, + .copy = pkey_dh_copy, + .cleanup = pkey_dh_cleanup, + .keygen = pkey_dh_keygen, + .derive = pkey_dh_derive, + .paramgen = pkey_dh_paramgen, + .ctrl = pkey_dh_ctrl, + .ctrl_str = pkey_dh_ctrl_str}; int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad) { return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_DERIVE, @@ -232,9 +231,9 @@ int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad) { int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int pbits) { return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN, pbits, NULL); + EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN, pbits, NULL); } int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen) { return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR, gen, NULL); + EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR, gen, NULL); } diff --git a/crypto/evp_extra/p_dh_asn1.c b/crypto/evp_extra/p_dh_asn1.c index fc8cb1109a..6b8dbb2f09 100644 --- a/crypto/evp_extra/p_dh_asn1.c +++ b/crypto/evp_extra/p_dh_asn1.c 
@@ -144,7 +144,8 @@ const EVP_PKEY_ASN1_METHOD dh_asn1_meth = { // 1.2.840.113549.1.3.1 // ((1)*40 + (2)) = 42 = 0x2a // 840 = 0b_0000110_1001000 => 0b_1000_0110_0100_1000 = 0x86 0x48 - // 113549 = 0b_0000110_1110111_0001101 => 0b_1000_0110_1111_0111_0000_1101 = 0x86 0xF7 0x0D + // 113549 = 0b_0000110_1110111_0001101 => 0b_1000_0110_1111_0111_0000_1101 = + // 0x86 0xF7 0x0D .oid = {0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x03, 0x01}, .oid_len = 9, .pem_str = "DH", diff --git a/crypto/evp_extra/p_dsa.c b/crypto/evp_extra/p_dsa.c index 194916fa27..472ae5b5b0 100644 --- a/crypto/evp_extra/p_dsa.c +++ b/crypto/evp_extra/p_dsa.c @@ -292,9 +292,9 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_OPERATION); return 0; } -OPENSSL_BEGIN_ALLOW_DEPRECATED + OPENSSL_BEGIN_ALLOW_DEPRECATED return EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, (int)nbits); -OPENSSL_END_ALLOW_DEPRECATED + OPENSSL_END_ALLOW_DEPRECATED } if (strcmp(type, "dsa_paramgen_q_bits") == 0) { char *str_end = NULL; @@ -303,9 +303,9 @@ OPENSSL_END_ALLOW_DEPRECATED OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_OPERATION); return 0; } -OPENSSL_BEGIN_ALLOW_DEPRECATED + OPENSSL_BEGIN_ALLOW_DEPRECATED return EVP_PKEY_CTX_set_dsa_paramgen_q_bits(ctx, (int)qbits); -OPENSSL_END_ALLOW_DEPRECATED + OPENSSL_END_ALLOW_DEPRECATED } if (strcmp(type, "dsa_paramgen_md") == 0) { const EVP_MD *md = EVP_get_digestbyname(value); @@ -314,9 +314,9 @@ OPENSSL_END_ALLOW_DEPRECATED OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_TYPE); return 0; } -OPENSSL_BEGIN_ALLOW_DEPRECATED + OPENSSL_BEGIN_ALLOW_DEPRECATED return EVP_PKEY_CTX_set_dsa_paramgen_md(ctx, md); -OPENSSL_END_ALLOW_DEPRECATED + OPENSSL_END_ALLOW_DEPRECATED } return -2; } diff --git a/crypto/evp_extra/p_dsa_asn1.c b/crypto/evp_extra/p_dsa_asn1.c index 470d3bd04e..2c23f40e5d 100644 --- a/crypto/evp_extra/p_dsa_asn1.c +++ b/crypto/evp_extra/p_dsa_asn1.c 
@@ -55,14 +55,14 @@ #include -#include #include #include +#include #include #include -#include "../fipsmodule/evp/internal.h" #include "../dsa/internal.h" +#include "../fipsmodule/evp/internal.h" #include "internal.h" @@ -89,13 +89,12 @@ static int dsa_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) { goto err; } - if (!BN_parse_asn1_unsigned(key, dsa->pub_key) || - CBS_len(key) != 0) { + if (!BN_parse_asn1_unsigned(key, dsa->pub_key) || CBS_len(key) != 0) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); goto err; } - if(1 == EVP_PKEY_assign_DSA(out, dsa)) { + if (1 == EVP_PKEY_assign_DSA(out, dsa)) { return 1; } @@ -114,12 +113,10 @@ static int dsa_pub_encode(CBB *out, const EVP_PKEY *key) { !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) || !CBB_add_bytes(&oid, dsa_asn1_meth.oid, dsa_asn1_meth.oid_len) || - (has_params && - !DSA_marshal_parameters(&algorithm, dsa)) || + (has_params && !DSA_marshal_parameters(&algorithm, dsa)) || !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) || !CBB_add_u8(&key_bitstring, 0 /* padding */) || - !BN_marshal_asn1(&key_bitstring, dsa->pub_key) || - !CBB_flush(out)) { + !BN_marshal_asn1(&key_bitstring, dsa->pub_key) || !CBB_flush(out)) { OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); return 0; } @@ -129,7 +126,7 @@ static int dsa_pub_encode(CBB *out, const EVP_PKEY *key) { static int dsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) { // See PKCS#11, v2.40, section 2.5. - if(pubkey) { + if (pubkey) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return 0; } @@ -146,8 +143,7 @@ static int dsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) { if (dsa->priv_key == NULL) { goto err; } - if (!BN_parse_asn1_unsigned(key, dsa->priv_key) || - CBS_len(key) != 0) { + if (!BN_parse_asn1_unsigned(key, dsa->priv_key) || CBS_len(key) != 0) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); goto err; } 
@@ -169,7 +165,7 @@ static int dsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) { goto err; } - if(1 == EVP_PKEY_assign_DSA(out, dsa)) { + if (1 == EVP_PKEY_assign_DSA(out, dsa)) { BN_CTX_free(ctx); return 1; } @@ -196,8 +192,7 @@ static int dsa_priv_encode(CBB *out, const EVP_PKEY *key) { !CBB_add_bytes(&oid, dsa_asn1_meth.oid, dsa_asn1_meth.oid_len) || !DSA_marshal_parameters(&algorithm, dsa) || !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) || - !BN_marshal_asn1(&private_key, dsa->priv_key) || - !CBB_flush(out)) { + !BN_marshal_asn1(&private_key, dsa->priv_key) || !CBB_flush(out)) { OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); return 0; } @@ -258,34 +253,35 @@ static int dsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { static void int_dsa_free(EVP_PKEY *pkey) { DSA_free(pkey->pkey.dsa); } const EVP_PKEY_ASN1_METHOD dsa_asn1_meth = { - EVP_PKEY_DSA, - // 1.2.840.10040.4.1 - {0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x01}, 7, + EVP_PKEY_DSA, + // 1.2.840.10040.4.1 + {0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x01}, + 7, - "DSA", - "OpenSSL DSA method", + "DSA", + "OpenSSL DSA method", - dsa_pub_decode, - dsa_pub_encode, - dsa_pub_cmp, + dsa_pub_decode, + dsa_pub_encode, + dsa_pub_cmp, - dsa_priv_decode, - dsa_priv_encode, - NULL /* priv_encode_v2 */, + dsa_priv_decode, + dsa_priv_encode, + NULL /* priv_encode_v2 */, - NULL /* set_priv_raw */, - NULL /* set_pub_raw */, - NULL /* get_priv_raw */, - NULL /* get_pub_raw */, + NULL /* set_priv_raw */, + NULL /* set_pub_raw */, + NULL /* get_priv_raw */, + NULL /* get_pub_raw */, - NULL /* pkey_opaque */, + NULL /* pkey_opaque */, - int_dsa_size, - dsa_bits, + int_dsa_size, + dsa_bits, - dsa_missing_parameters, - dsa_copy_parameters, - dsa_cmp_parameters, + dsa_missing_parameters, + dsa_copy_parameters, + dsa_cmp_parameters, - int_dsa_free, + int_dsa_free, }; diff --git a/crypto/evp_extra/p_ec_asn1.c b/crypto/evp_extra/p_ec_asn1.c index de364a6f4f..5f8e083b43 100644 --- a/crypto/evp_extra/p_ec_asn1.c 
+++ b/crypto/evp_extra/p_ec_asn1.c @@ -139,9 +139,10 @@ static int eckey_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { } } -static int eckey_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) { +static int eckey_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, + CBS *pubkey) { // See RFC 5915. - if(pubkey) { + if (pubkey) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return 0; } @@ -249,34 +250,35 @@ static int eckey_opaque(const EVP_PKEY *pkey) { } const EVP_PKEY_ASN1_METHOD ec_asn1_meth = { - EVP_PKEY_EC, - // 1.2.840.10045.2.1 - {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01}, 7, + EVP_PKEY_EC, + // 1.2.840.10045.2.1 + {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01}, + 7, - "EC", - "OpenSSL EC algorithm", + "EC", + "OpenSSL EC algorithm", - eckey_pub_decode, - eckey_pub_encode, - eckey_pub_cmp, + eckey_pub_decode, + eckey_pub_encode, + eckey_pub_cmp, - eckey_priv_decode, - eckey_priv_encode, - NULL /* priv_encode_v2 */, + eckey_priv_decode, + eckey_priv_encode, + NULL /* priv_encode_v2 */, - NULL /* set_priv_raw */, - NULL /* set_pub_raw */, - NULL /* get_priv_raw */, - NULL /* get_pub_raw */, + NULL /* set_priv_raw */, + NULL /* set_pub_raw */, + NULL /* get_priv_raw */, + NULL /* get_pub_raw */, - eckey_opaque, + eckey_opaque, - int_ec_size, - ec_bits, + int_ec_size, + ec_bits, - ec_missing_parameters, - ec_copy_parameters, - ec_cmp_parameters, + ec_missing_parameters, + ec_copy_parameters, + ec_cmp_parameters, - int_ec_free, + int_ec_free, }; diff --git a/crypto/evp_extra/p_ed25519_asn1.c b/crypto/evp_extra/p_ed25519_asn1.c index 488c64452b..28b0932435 100644 --- a/crypto/evp_extra/p_ed25519_asn1.c +++ b/crypto/evp_extra/p_ed25519_asn1.c @@ -37,7 +37,7 @@ static int ed25519_set_priv_raw(EVP_PKEY *pkey, const uint8_t *privkey, return 0; } - if(pubkey && pubkey_len != ED25519_PUBLIC_KEY_LEN) { + if (pubkey && pubkey_len != ED25519_PUBLIC_KEY_LEN) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return 0; } 
@@ -54,7 +54,7 @@ static int ed25519_set_priv_raw(EVP_PKEY *pkey, const uint8_t *privkey, key->has_private = 1; // If a public key was provided, validate that it matches the computed value. - if(pubkey && OPENSSL_memcmp(pubkey_computed, pubkey, pubkey_len) != 0) { + if (pubkey && OPENSSL_memcmp(pubkey_computed, pubkey, pubkey_len) != 0) { OPENSSL_free(key); OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return 0; @@ -76,7 +76,8 @@ static int ed25519_set_pub_raw(EVP_PKEY *pkey, const uint8_t *in, size_t len) { return 0; } - OPENSSL_memcpy(key->key + ED25519_PUBLIC_KEY_OFFSET, in, ED25519_PUBLIC_KEY_LEN); + OPENSSL_memcpy(key->key + ED25519_PUBLIC_KEY_OFFSET, in, + ED25519_PUBLIC_KEY_LEN); key->has_private = 0; ed25519_free(pkey); @@ -121,7 +122,8 @@ static int ed25519_get_pub_raw(const EVP_PKEY *pkey, uint8_t *out, return 0; } - OPENSSL_memcpy(out, key->key + ED25519_PUBLIC_KEY_OFFSET, ED25519_PUBLIC_KEY_LEN); + OPENSSL_memcpy(out, key->key + ED25519_PUBLIC_KEY_OFFSET, + ED25519_PUBLIC_KEY_LEN); *out_len = 32; return 1; } 
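Review bot: `*out_len = 32;` in ed25519_get_pub_raw sits directly beneath a memcpy that uses `ED25519_PUBLIC_KEY_LEN` for the same quantity; `*out_len = ED25519_PUBLIC_KEY_LEN;` keeps the two from drifting apart. The same magic number recurs in later hunks of this file: `CBB_add_bytes(&inner, key->key, 32)` in ed25519_priv_encode (@@ -214), where the comment above it already says it is the seed, and `&key->key[32]` in ed25519_priv_encode_v2 (@@ -245), where the rest of the file spells that offset as `key->key + ED25519_PUBLIC_KEY_OFFSET`. Using `ED25519_PRIVATE_KEY_SEED_LEN` and `key->key + ED25519_PUBLIC_KEY_OFFSET` respectively makes the layout of `key->key` readable from the code alone. Both of those functions extend beyond their hunks.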
@@ -163,23 +165,24 @@ static int ed25519_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { const ED25519_KEY *a_key = a->pkey.ptr; const ED25519_KEY *b_key = b->pkey.ptr; return OPENSSL_memcmp(a_key->key + ED25519_PUBLIC_KEY_OFFSET, - b_key->key + ED25519_PUBLIC_KEY_OFFSET, ED25519_PUBLIC_KEY_LEN) == 0; + b_key->key + ED25519_PUBLIC_KEY_OFFSET, + ED25519_PUBLIC_KEY_LEN) == 0; } -static int ed25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) { +static int ed25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, + CBS *pubkey) { // See RFC 8410, section 7. // Parameters must be empty. The key is a 32-byte value wrapped in an extra // OCTET STRING layer. CBS inner; if (CBS_len(params) != 0 || - !CBS_get_asn1(key, &inner, CBS_ASN1_OCTETSTRING) || - CBS_len(key) != 0) { + !CBS_get_asn1(key, &inner, CBS_ASN1_OCTETSTRING) || CBS_len(key) != 0) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return 0; } - const uint8_t *public= NULL; + const uint8_t *public = NULL; size_t public_len = 0; if (pubkey) { // pubkey is encoded as an ASN.1 BIT STRING, so we handle the padding here @@ -193,7 +196,8 @@ static int ed25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey public_len = CBS_len(pubkey); } - return ed25519_set_priv_raw(out, CBS_data(&inner), CBS_len(&inner), public, public_len); + return ed25519_set_priv_raw(out, CBS_data(&inner), CBS_len(&inner), public, + public_len); } static int ed25519_priv_encode(CBB *out, const EVP_PKEY *pkey) { @@ -214,8 +218,7 @@ static int ed25519_priv_encode(CBB *out, const EVP_PKEY *pkey) { !CBB_add_asn1(&private_key, &inner, CBS_ASN1_OCTETSTRING) || // The PKCS#8 encoding stores only the 32-byte seed which is the first 32 // bytes of the private key. - !CBB_add_bytes(&inner, key->key, 32) || - !CBB_flush(out)) { + !CBB_add_bytes(&inner, key->key, 32) || !CBB_flush(out)) { OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); return 0; } 
@@ -245,7 +248,8 @@ static int ed25519_priv_encode_v2(CBB *out, const EVP_PKEY *pkey) { !CBB_add_asn1(&pkcs8, &public_key, CBS_ASN1_CONTEXT_SPECIFIC | 1) || !CBB_add_u8(&public_key, 0 /*no padding required*/) || // The last 32-bytes of the key is the public key - !CBB_add_bytes(&public_key, &key->key[32], ED25519_PUBLIC_KEY_LEN) || !CBB_flush(out)) { + !CBB_add_bytes(&public_key, &key->key[32], ED25519_PUBLIC_KEY_LEN) || + !CBB_flush(out)) { OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); return 0; } @@ -284,16 +288,16 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = { const EVP_PKEY_ASN1_METHOD ed25519ph_asn1_meth = { EVP_PKEY_ED25519PH, - {0xFF}, /* oid */ - 0, /* oid_len */ - "ED25519ph", /* pem_str */ + {0xFF}, /* oid */ + 0, /* oid_len */ + "ED25519ph", /* pem_str */ "OpenSSL ED25519ph algorithm", /* info */ - NULL, /* pub_decode */ - NULL, /* pub_encode */ - NULL, /* pub_cmp */ - NULL, /* priv_decode */ - NULL, /* priv_encode */ - NULL, /* priv_encode_v2 */ + NULL, /* pub_decode */ + NULL, /* pub_encode */ + NULL, /* pub_cmp */ + NULL, /* priv_decode */ + NULL, /* priv_encode */ + NULL, /* priv_encode_v2 */ ed25519_set_priv_raw, ed25519_set_pub_raw, ed25519_get_priv_raw, diff --git a/crypto/evp_extra/p_ed25519ph.c b/crypto/evp_extra/p_ed25519ph.c index eda1306206..2b243a2487 100644 --- a/crypto/evp_extra/p_ed25519ph.c +++ b/crypto/evp_extra/p_ed25519ph.c @@ -44,7 +44,7 @@ static void pkey_ed25519ph_cleanup(EVP_PKEY_CTX *ctx) { OPENSSL_free(dctx); } -static int pkey_ed25519ph_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { +static int pkey_ed25519ph_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { if (!pkey_ed25519ph_init(dst)) { return 0; } @@ -78,7 +78,7 @@ static int pkey_ed25519ph_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen, return 0; } - if(tbslen < SHA512_DIGEST_LENGTH) { + if (tbslen < SHA512_DIGEST_LENGTH) { OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); return 0; } 
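Review bot: The guard `if (tbslen < SHA512_DIGEST_LENGTH)` in pkey_ed25519ph_sign rejects short inputs but lets a longer buffer through, and the ED25519ph_sign_digest call in the next hunk receives only `tbs` with no length, so any bytes past the first 64 are silently ignored. If that helper consumes exactly one SHA-512 digest, `if (tbslen != SHA512_DIGEST_LENGTH)` is the stricter check; the same `<` comparison appears in pkey_ed25519ph_verify (@@ -102). The reason code `EVP_R_BUFFER_TOO_SMALL` also reads oddly here, since the input is being rejected for not being a digest rather than for a small output buffer — `EVP_R_INVALID_PARAMETERS` may fit better, though which reason callers expect is not visible from this hunk. pkey_ed25519ph_sign starts before this hunk and continues after it.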
@@ -86,7 +86,8 @@ static int pkey_ed25519ph_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen, ED25519PH_PKEY_CTX *dctx = ctx->data; GUARD_PTR(dctx); - if (!ED25519ph_sign_digest(sig, tbs, key->key, dctx->context, dctx->context_len)) { + if (!ED25519ph_sign_digest(sig, tbs, key->key, dctx->context, + dctx->context_len)) { return 0; } @@ -102,8 +103,8 @@ static int pkey_ed25519ph_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, GUARD_PTR(dctx); if (siglen != ED25519_SIGNATURE_LEN || tbslen < SHA512_DIGEST_LENGTH || - !ED25519ph_verify_digest(tbs, sig, - key->key + ED25519_PUBLIC_KEY_OFFSET, dctx->context, dctx->context_len)) { + !ED25519ph_verify_digest(tbs, sig, key->key + ED25519_PUBLIC_KEY_OFFSET, + dctx->context, dctx->context_len)) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_SIGNATURE); return 0; } @@ -139,7 +140,7 @@ static int pkey_ed25519ph_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { if (!params || !dctx) { return 0; } - if(dctx->context_len == 0) { + if (dctx->context_len == 0) { params->context = NULL; params->context_len = 0; } else { @@ -155,12 +156,10 @@ static int pkey_ed25519ph_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { return 1; } -const EVP_PKEY_METHOD ed25519ph_pkey_meth = { - .pkey_id = EVP_PKEY_ED25519PH, - .init = pkey_ed25519ph_init, - .cleanup = pkey_ed25519ph_cleanup, - .copy = pkey_ed25519ph_copy, - .sign = pkey_ed25519ph_sign, - .verify = pkey_ed25519ph_verify, - .ctrl = pkey_ed25519ph_ctrl -}; +const EVP_PKEY_METHOD ed25519ph_pkey_meth = {.pkey_id = EVP_PKEY_ED25519PH, + .init = pkey_ed25519ph_init, + .cleanup = pkey_ed25519ph_cleanup, + .copy = pkey_ed25519ph_copy, + .sign = pkey_ed25519ph_sign, + .verify = pkey_ed25519ph_verify, + .ctrl = pkey_ed25519ph_ctrl}; diff --git a/crypto/evp_extra/p_kem_asn1.c b/crypto/evp_extra/p_kem_asn1.c index 74fb8ffb77..d1d9afff80 100644 --- a/crypto/evp_extra/p_kem_asn1.c +++ b/crypto/evp_extra/p_kem_asn1.c 
@@ -115,29 +115,29 @@ static int kem_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
 }
 
 const EVP_PKEY_ASN1_METHOD kem_asn1_meth = {
- EVP_PKEY_KEM,
- // TODO(awslc): this is a placeholder OID. Do we need OID for KEM at all?
- {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
- 11,
-
- "KEM",
- "AWS-LC KEM method",
-
- NULL, // pub_decode
- NULL, // pub_encode
- kem_pub_cmp,
- NULL, // priv_decode
- NULL, // priv_encode
- NULL, // priv_encode_v2
- NULL, // set_priv_raw
- NULL, // set_pub_raw,
- kem_get_priv_raw,
- kem_get_pub_raw,
- NULL, // pkey_opaque
- NULL, // kem_size
- NULL, // kem_bits
- NULL, // missing_parameters
- NULL, // param_copy
- kem_cmp_parameters,
- kem_free,
+ EVP_PKEY_KEM,
+ // TODO(awslc): this is a placeholder OID. Do we need OID for KEM at all?
+ {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
+ 11,
+
+ "KEM",
+ "AWS-LC KEM method",
+
+ NULL, // pub_decode
+ NULL, // pub_encode
+ kem_pub_cmp,
+ NULL, // priv_decode
+ NULL, // priv_encode
+ NULL, // priv_encode_v2
+ NULL, // set_priv_raw
+ NULL, // set_pub_raw,
+ kem_get_priv_raw,
+ kem_get_pub_raw,
+ NULL, // pkey_opaque
+ NULL, // kem_size
+ NULL, // kem_bits
+ NULL, // missing_parameters
+ NULL, // param_copy
+ kem_cmp_parameters,
+ kem_free,
 };
diff --git a/crypto/evp_extra/p_methods.c b/crypto/evp_extra/p_methods.c
index 19fc43d4ce..8bd8406a76 100644
--- a/crypto/evp_extra/p_methods.c
+++ b/crypto/evp_extra/p_methods.c
@@ -8,33 +8,21 @@
 #include "internal.h"
 
 static const EVP_PKEY_METHOD *const non_fips_pkey_evp_methods[] = {
- &x25519_pkey_meth,
- &dh_pkey_meth,
- &dsa_pkey_meth,
- &ed25519ph_pkey_meth
-};
+ &x25519_pkey_meth, &dh_pkey_meth, &dsa_pkey_meth, &ed25519ph_pkey_meth};
 
 const EVP_PKEY_ASN1_METHOD *const asn1_evp_pkey_methods[] = {
- &rsa_asn1_meth,
- &rsa_pss_asn1_meth,
- &ec_asn1_meth,
- &dsa_asn1_meth,
- &ed25519_asn1_meth,
- &x25519_asn1_meth,
- &pqdsa_asn1_meth,
- &kem_asn1_meth,
- &hmac_asn1_meth,
- &dh_asn1_meth,
- &ed25519ph_asn1_meth
-};
-const size_t asn1_evp_pkey_methods_size = sizeof(asn1_evp_pkey_methods)/sizeof(asn1_evp_pkey_methods[0]);
+ &rsa_asn1_meth, &rsa_pss_asn1_meth, &ec_asn1_meth, &dsa_asn1_meth,
+ &ed25519_asn1_meth, &x25519_asn1_meth, &pqdsa_asn1_meth, &kem_asn1_meth,
+ &hmac_asn1_meth, &dh_asn1_meth, &ed25519ph_asn1_meth};
+const size_t asn1_evp_pkey_methods_size =
+ sizeof(asn1_evp_pkey_methods) / sizeof(asn1_evp_pkey_methods[0]);
 
 OPENSSL_STATIC_ASSERT(
- NON_FIPS_EVP_PKEY_METHODS == OPENSSL_ARRAY_SIZE(non_fips_pkey_evp_methods),
- NON_FIPS_EVP_PKEY_METHODS_does_not_have_the_expected_value)
-OPENSSL_STATIC_ASSERT(
- ASN1_EVP_PKEY_METHODS == OPENSSL_ARRAY_SIZE(asn1_evp_pkey_methods),
- ASN1_EVP_PKEY_METHODS_does_not_have_the_expected_value)
+ NON_FIPS_EVP_PKEY_METHODS == OPENSSL_ARRAY_SIZE(non_fips_pkey_evp_methods),
+ NON_FIPS_EVP_PKEY_METHODS_does_not_have_the_expected_value)
+OPENSSL_STATIC_ASSERT(ASN1_EVP_PKEY_METHODS ==
+ OPENSSL_ARRAY_SIZE(asn1_evp_pkey_methods),
+ ASN1_EVP_PKEY_METHODS_does_not_have_the_expected_value)
 
 const EVP_PKEY_METHOD *const *AWSLC_non_fips_pkey_evp_methods(void) {
 return non_fips_pkey_evp_methods;
diff --git a/crypto/evp_extra/p_pqdsa_asn1.c b/crypto/evp_extra/p_pqdsa_asn1.c
index 539f9e5526..4d29e26448 100644
--- a/crypto/evp_extra/p_pqdsa_asn1.c
+++ b/crypto/evp_extra/p_pqdsa_asn1.c
@@ -19,7 +19,7 @@ static void pqdsa_free(EVP_PKEY *pkey) {
 }
 
 static int pqdsa_get_priv_raw(const EVP_PKEY *pkey, uint8_t *out,
- size_t *out_len) {
+ size_t *out_len) {
 if (pkey->pkey.pqdsa_key == NULL) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_NO_PARAMETERS_SET);
 return 0;
@@ -54,7 +54,7 @@ static int pqdsa_get_priv_raw(const EVP_PKEY *pkey, uint8_t *out,
 }
 
 static int pqdsa_get_pub_raw(const EVP_PKEY *pkey, uint8_t *out,
- size_t *out_len) {
+ size_t *out_len) {
 if (pkey->pkey.pqdsa_key == NULL) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_NO_PARAMETERS_SET);
 return 0;
@@ -89,7 +89,8 @@ static int pqdsa_get_pub_raw(const EVP_PKEY *pkey, uint8_t *out,
 }
 
 static int pqdsa_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- // See https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
+ // See
+ // https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
 // section 4. the only parameter that can be included is the OID which has
 // length 9
 if (CBS_len(params) != 9) {
@@ -112,7 +113,9 @@ static int pqdsa_pub_encode(CBB *out, const EVP_PKEY *pkey) {
 return 0;
 }
 
- // See https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/ section 4.
+ // See
+ // https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
+ // section 4.
 CBB spki, algorithm, oid, key_bitstring;
 if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||
 !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -124,7 +127,7 @@ static int pqdsa_pub_encode(CBB *out, const EVP_PKEY *pkey) {
 !CBB_flush(out)) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);
 return 0;
- }
+ }
 return 1;
 }
 
@@ -133,13 +136,14 @@ static int pqdsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
 PQDSA_KEY *a_key = a->pkey.pqdsa_key;
 PQDSA_KEY *b_key = b->pkey.pqdsa_key;
 
- return OPENSSL_memcmp(a_key->public_key,
- b_key->public_key,
+ return OPENSSL_memcmp(a_key->public_key, b_key->public_key,
 a->pkey.pqdsa_key->pqdsa->public_key_len) == 0;
 }
 
-static int pqdsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) {
- // See https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
+static int pqdsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key,
+ CBS *pubkey) {
+ // See
+ // https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
 // section 6. the only parameter that can be included is the OID which has
 // length 9.
 if (CBS_len(params) != 9) {
@@ -160,11 +164,11 @@ static int pqdsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey)
 return 0;
 }
 
- // See https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
+ // See
+ // https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
 // The caller can either provide the full key of size |private_key_len| or
 // |keygen_seed_len|.
 if (CBS_len(key) == out->pkey.pqdsa_key->pqdsa->private_key_len) {
-
 // Set the private key
 if (!PQDSA_KEY_set_raw_private_key(out->pkey.pqdsa_key, key)) {
 // PQDSA_KEY_set_raw_private_key sets the appropriate error.
@@ -187,7 +191,9 @@ static int pqdsa_priv_encode(CBB *out, const EVP_PKEY *pkey) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);
 return 0;
 }
- // See https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/ section 6.
+ // See
+ // https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
+ // section 6.
 CBB pkcs8, algorithm, oid, private_key;
 if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||
 !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||
@@ -199,7 +205,7 @@ static int pqdsa_priv_encode(CBB *out, const EVP_PKEY *pkey) {
 !CBB_flush(out)) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);
 return 0;
- }
+ }
 return 1;
 }
 
@@ -221,30 +227,30 @@ static int pqdsa_bits(const EVP_PKEY *pkey) {
 }
 
 const EVP_PKEY_ASN1_METHOD pqdsa_asn1_meth = {
- //2.16.840.1.101.3.4.3
- EVP_PKEY_PQDSA,
-
- {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03},
- 8,
-
- "PQ DSA",
- "AWS-LC PQ DSA method",
-
- pqdsa_pub_decode,
- pqdsa_pub_encode,
- pqdsa_pub_cmp,
- pqdsa_priv_decode,
- pqdsa_priv_encode,
- NULL /*priv_encode_v2*/,
- NULL /* pqdsa_set_priv_raw */,
- NULL /*pqdsa_set_pub_raw */ ,
- pqdsa_get_priv_raw,
- pqdsa_get_pub_raw,
- NULL /* pkey_opaque */,
- pqdsa_size,
- pqdsa_bits,
- NULL /* param_missing */,
- NULL /* param_copy */,
- NULL /* param_cmp */,
- pqdsa_free,
+ // 2.16.840.1.101.3.4.3
+ EVP_PKEY_PQDSA,
+
+ {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03},
+ 8,
+
+ "PQ DSA",
+ "AWS-LC PQ DSA method",
+
+ pqdsa_pub_decode,
+ pqdsa_pub_encode,
+ pqdsa_pub_cmp,
+ pqdsa_priv_decode,
+ pqdsa_priv_encode,
+ NULL /*priv_encode_v2*/,
+ NULL /* pqdsa_set_priv_raw */,
+ NULL /*pqdsa_set_pub_raw */,
+ pqdsa_get_priv_raw,
+ pqdsa_get_pub_raw,
+ NULL /* pkey_opaque */,
+ pqdsa_size,
+ pqdsa_bits,
+ NULL /* param_missing */,
+ NULL /* param_copy */,
+ NULL /* param_cmp */,
+ pqdsa_free,
 };
diff --git a/crypto/evp_extra/p_pqdsa_test.cc b/crypto/evp_extra/p_pqdsa_test.cc
index 37c078620d..a26d1917d0 100644
--- a/crypto/evp_extra/p_pqdsa_test.cc
+++ b/crypto/evp_extra/p_pqdsa_test.cc
@@ -13,1097 +13,1172 @@ #include #include "../fipsmodule/evp/internal.h" -#include "../internal.h" #include "../fipsmodule/ml_dsa/ml_dsa.h" #include "../fipsmodule/pqdsa/internal.h" +#include "../internal.h" #include "../test/file_test.h" #include "../test/test_util.h" // mldsa44kPublicKey is an example ML-DSA-44 public key static const uint8_t mldsa44kPublicKey[] = { -0x88, 0x96, 0x9F, 0xBD, 0x4C, 0xC9, 0x27, 0x00, 0x57, 0xA5, 0xBF, 0xB2, 0x28, -0x9B, 0xB8, 0xB6, 0x66, 0x58, 0xB9, 0x65, 0x9A, 0x37, 0xA8, 0x2E, 0x5B, 0x5D, -0xE4, 0x85, 0xA8, 0x7F, 0x98, 0x3B, 0x57, 0x2D, 0xDB, 0xDD, 0x11, 0x7E, 0x74, -0x34, 0xCF, 0xFE, 0x78, 0x3F, 0x04, 0xBB, 0x9E, 0x7C, 0x74, 0x46, 0x00, 0xCF, -0x46, 0xA8, 0x9F, 0x53, 0x11, 0x4C, 0xBB, 0x33, 0x49, 0x50, 0x5A, 0xA5, 0x6D, -0xEA, 0x2A, 0x79, 0xF4, 0x83, 0x0E, 0x19, 0x8A, 0xCB, 0x0B, 0xDA, 0xBC, 0xFE, -0xD3, 0x0D, 0x12, 0x0B, 0x34, 0x35, 0xDB, 0x3D, 0xF7, 0x95, 0x89, 0xBF, 0x87, -0x82, 0x0A, 0x5B, 0x5E, 0x5C, 0xF1, 0x96, 0x7A, 0x46, 0xA3, 0xB5, 0x80, 0x60, -0xB4, 0xB5, 0xD1, 0x72, 0xB7, 0x2C, 0x7A, 0x99, 0x94, 0x48, 0x93, 0x0E, 0xFC, -0xEB, 0x02, 0x2F, 0x15, 0xC3, 0x5C, 0xC5, 0x4A, 0xDE, 0x84, 0xEC, 0x45, 0xBA, -0xEA, 0x1D, 0x8F, 0xD2, 0x01, 0x6F, 0xC0, 0x85, 0xDF, 0x7B, 0xBA, 0x1F, 0x52, -0xEE, 0xD1, 0xB8, 0x50, 0xBE, 0x93, 0x42, 0x87, 0x39, 0x46, 0x1C, 0xCA, 0x63, -0x4D, 0xAD, 0x5F, 0xBD, 0xEF, 0x0C, 0x9D, 0x11, 0x6E, 0xBA, 0xC2, 0x8E, 0xB7, -0x59, 0x4B, 0x1C, 0x22, 0xC0, 0x4D, 0x05, 0x37, 0x93, 0x10, 0xE6, 0xFD, 0x7A, -0xEC, 0x6C, 0x80, 0x32, 0xF9, 0x64, 0x60, 0xC7, 0x35, 0x81, 0x98, 0x42, 0xDD, -0x70, 0x0E, 0xFD, 0x13, 0x2D, 0x36, 0xF7, 0xDA, 0x3D, 0x00, 0x1B, 0x4C, 0x7D, -0xAB, 0x13, 0xAA, 0xED, 0x3B, 0xC2, 0x01, 0xB1, 0x54, 0xA7, 0x99, 0xAB, 0x7D, -0x6F, 0xA9, 0x29, 0xCF, 0xCA, 0x45, 0xBE, 0x0C, 0x2C, 0xFB, 0x04, 0xF9, 0x64, -0x60, 0xF4, 0x3A, 0x60, 0xDC, 0x62, 0x49, 0x9E, 0xBF, 0x0B, 0xE3, 0x73, 0xFC, -0xC4, 0xC2, 0x44, 0xC4, 0x6D, 0xD0, 0x3F, 0xD2, 0xC5, 0x7D, 0x0E, 0x87, 0xE5, -0x68, 0xC9, 0xEF, 0x93, 0x42, 0xCD, 0xA3, 0x2E, 
0x6D, 0xA4, 0x5B, 0xD6, 0x66, -0x7B, 0x94, 0xA0, 0xA7, 0xB8, 0x7E, 0x30, 0xEE, 0x15, 0x3A, 0xB8, 0xB3, 0x68, -0x66, 0x14, 0x09, 0x22, 0xB1, 0x10, 0x52, 0x47, 0x7A, 0xDD, 0x43, 0x29, 0x77, -0x50, 0xDA, 0x60, 0xF9, 0x17, 0x43, 0xA3, 0xA8, 0x6E, 0x73, 0x47, 0x75, 0xCD, -0xEB, 0x00, 0xDC, 0xAB, 0xEE, 0xCD, 0x77, 0x3A, 0xA5, 0x0D, 0xA7, 0xDB, 0xD3, -0xAA, 0xD2, 0x21, 0xB4, 0x8F, 0xC8, 0x6F, 0x56, 0x9C, 0x20, 0xB2, 0xC6, 0x53, -0x28, 0xA6, 0x63, 0x48, 0x45, 0x78, 0x57, 0xB3, 0xF3, 0xCC, 0xED, 0xAD, 0x30, -0x38, 0x45, 0x02, 0x3E, 0xF8, 0x86, 0x29, 0xA9, 0x56, 0xAA, 0x8C, 0x83, 0xC8, -0x7C, 0xF3, 0x04, 0x64, 0x57, 0xE5, 0x62, 0xFB, 0x53, 0x3B, 0x9E, 0xF9, 0x44, -0xB2, 0x47, 0xFF, 0x0A, 0x60, 0x06, 0x34, 0xD4, 0x85, 0x9B, 0xF4, 0x2E, 0x13, -0xB8, 0x99, 0x6F, 0xC6, 0x9A, 0x9B, 0x69, 0x10, 0x46, 0x78, 0xB0, 0x63, 0x26, -0x18, 0x73, 0xEB, 0x0A, 0x64, 0xA8, 0x10, 0x5B, 0xA3, 0xBD, 0x7B, 0x67, 0xF0, -0x8E, 0x49, 0x7E, 0xB5, 0x7D, 0xCF, 0xA8, 0xD3, 0x88, 0xAD, 0x01, 0xC2, 0x12, -0x89, 0x31, 0xCD, 0x9C, 0xC9, 0x57, 0x97, 0x70, 0x79, 0x0E, 0x16, 0x71, 0x85, -0x79, 0x39, 0x41, 0x63, 0xF8, 0x2E, 0x4D, 0x53, 0x88, 0xBE, 0xED, 0xC9, 0x82, -0xBD, 0x0F, 0x81, 0x22, 0x40, 0x14, 0xAF, 0xA4, 0x07, 0x10, 0x7C, 0x07, 0xAA, -0xF3, 0x27, 0x11, 0x19, 0x2F, 0xFF, 0xFE, 0xBB, 0x0A, 0xF5, 0xC1, 0xBF, 0x2C, -0x93, 0x00, 0xCE, 0xF1, 0xF7, 0x7F, 0xEA, 0x68, 0x39, 0x04, 0x48, 0xBF, 0x42, -0x01, 0xBB, 0x51, 0x82, 0x36, 0x3C, 0x93, 0x55, 0x43, 0x7C, 0x2C, 0xFF, 0xE1, -0xD8, 0x51, 0x5B, 0xC3, 0xB4, 0x57, 0x72, 0x24, 0xAB, 0xDD, 0xDA, 0x14, 0x71, -0x0C, 0xC0, 0x9B, 0x73, 0x46, 0xF7, 0xE4, 0x12, 0x15, 0x8B, 0x26, 0x44, 0xD7, -0xD3, 0xF1, 0x86, 0xD5, 0xA4, 0x90, 0xA9, 0x0C, 0x89, 0x26, 0x8A, 0x67, 0xCB, -0xA0, 0xFF, 0x45, 0x8D, 0xB0, 0xF4, 0x5D, 0x78, 0x77, 0x38, 0x34, 0x7E, 0xDE, -0x65, 0x8A, 0x68, 0x69, 0x26, 0xD3, 0x2D, 0xD8, 0x95, 0xD9, 0x3A, 0x88, 0x4E, -0x8E, 0x9B, 0x9C, 0x83, 0x21, 0x18, 0x6B, 0xE1, 0x4A, 0xEC, 0x43, 0x39, 0xF8, -0xD7, 0xC4, 0x77, 0x32, 0xDD, 0x20, 0x51, 0x2B, 0x90, 0x08, 0x5B, 0x51, 
0xF1, -0x3C, 0x73, 0x68, 0x89, 0x18, 0x8E, 0xD2, 0x9C, 0x9A, 0x32, 0xAE, 0x49, 0xA5, -0x19, 0xED, 0xE4, 0x1E, 0x6B, 0x78, 0x7D, 0x4A, 0x92, 0x07, 0x07, 0x75, 0x19, -0x7A, 0x0B, 0xC1, 0x79, 0xFF, 0xB4, 0xCF, 0x26, 0x28, 0x3B, 0xF8, 0xC6, 0xE4, -0x89, 0x8C, 0x92, 0x39, 0xC3, 0x81, 0x63, 0xC4, 0xAA, 0xE3, 0xE2, 0x00, 0x7F, -0xB0, 0x77, 0xE9, 0x07, 0xE4, 0x38, 0xA4, 0xFC, 0x2F, 0x67, 0xD1, 0xED, 0x22, -0xA3, 0xCB, 0x31, 0x79, 0xB9, 0x38, 0xDB, 0x12, 0x50, 0x1A, 0x0F, 0xE6, 0x53, -0x09, 0xD1, 0x06, 0xD1, 0xE4, 0x35, 0x2F, 0x93, 0x5B, 0x5A, 0x6C, 0x27, 0x06, -0xC4, 0x77, 0xED, 0x6F, 0xB5, 0x41, 0x87, 0xF6, 0x26, 0xAA, 0x96, 0xC1, 0x76, -0xE1, 0x1C, 0x0F, 0x13, 0x2D, 0x05, 0xBA, 0x38, 0x52, 0x7B, 0xD2, 0x71, 0xDF, -0xF0, 0xF9, 0x5E, 0x85, 0x45, 0x52, 0xDC, 0x2A, 0x8A, 0x20, 0x05, 0x8F, 0x11, -0xDE, 0x0C, 0x9E, 0x6B, 0xC9, 0x36, 0xDE, 0x05, 0xE9, 0xC9, 0xFD, 0xED, 0x80, -0xA8, 0x63, 0xFC, 0xE5, 0x3B, 0x29, 0x81, 0x4F, 0x25, 0xF3, 0x59, 0xCC, 0x8F, -0x40, 0xA9, 0x6B, 0x67, 0x1E, 0x67, 0x29, 0x19, 0x27, 0x14, 0xF2, 0xDC, 0x2C, -0x9D, 0xFF, 0x73, 0x60, 0x29, 0x22, 0xF6, 0x10, 0x12, 0x39, 0xE8, 0xB8, 0xB9, -0xD0, 0x90, 0xC7, 0xE1, 0x10, 0x0D, 0x30, 0xC5, 0x11, 0x85, 0x7C, 0x0B, 0x0C, -0x29, 0xD9, 0x4A, 0xBA, 0xBB, 0xE9, 0xF6, 0x4E, 0xEC, 0x1B, 0x62, 0x48, 0x0C, -0x7A, 0xFA, 0x9A, 0xF9, 0x12, 0xA5, 0xC3, 0x3E, 0x67, 0x0B, 0x7A, 0x27, 0x2B, -0x20, 0xB2, 0x82, 0x5C, 0x86, 0xEA, 0x31, 0x8A, 0x90, 0xE6, 0xFA, 0x45, 0x36, -0x41, 0x53, 0x78, 0x57, 0x88, 0x76, 0x97, 0x3D, 0xB0, 0x8A, 0x43, 0x2B, 0x67, -0x79, 0x96, 0x35, 0x7D, 0xEF, 0x9C, 0x93, 0xBA, 0xD2, 0x91, 0x86, 0xCF, 0x52, -0xD5, 0x96, 0xAA, 0xD0, 0x45, 0xD8, 0x3C, 0x93, 0xC4, 0xC2, 0xC3, 0x5F, 0x4A, -0x23, 0xD4, 0xC7, 0xE4, 0x1D, 0x3B, 0xD1, 0x8F, 0x91, 0x36, 0xFA, 0x64, 0x15, -0xA8, 0xA8, 0xD1, 0x95, 0xCD, 0x2C, 0x99, 0x8A, 0x34, 0x0A, 0x5E, 0x0E, 0xB0, -0x6A, 0x8E, 0xF2, 0xE8, 0xE9, 0xF9, 0x67, 0xF6, 0xD6, 0x33, 0xBE, 0xD3, 0xB7, -0x94, 0x8B, 0x27, 0xB2, 0x33, 0xE2, 0x41, 0xE3, 0x9E, 0x12, 0xE4, 0x21, 0x35, -0x58, 0xD6, 0xDE, 
0xB5, 0xAC, 0xF2, 0x72, 0xC4, 0x32, 0x72, 0xB8, 0x2E, 0x7D, -0xD0, 0xF3, 0xE3, 0x56, 0x86, 0xFD, 0x5F, 0xD0, 0x66, 0x64, 0xB4, 0x92, 0x27, -0xCA, 0x36, 0xE1, 0x57, 0x9F, 0xC0, 0x0D, 0x0E, 0xBE, 0xA6, 0x42, 0xAD, 0xD9, -0x7D, 0x9A, 0x7D, 0x1F, 0x87, 0x17, 0x46, 0x3B, 0xA5, 0x40, 0x9C, 0xD2, 0x9F, -0xD6, 0x73, 0xC6, 0xFA, 0xD3, 0x03, 0x27, 0x01, 0x59, 0x8D, 0x5F, 0xB8, 0xAF, -0x2D, 0xCE, 0x06, 0xA2, 0x73, 0xE2, 0xE4, 0xC9, 0xE2, 0x14, 0x58, 0xA8, 0x2C, -0xC6, 0xBF, 0x72, 0x8E, 0x87, 0x84, 0x81, 0x7B, 0x62, 0x5A, 0x13, 0x7D, 0xFF, -0x38, 0x9E, 0x97, 0xEF, 0x91, 0x45, 0xB6, 0xC6, 0xCF, 0x0E, 0xC0, 0xBA, 0x2A, -0xAE, 0x41, 0x44, 0x48, 0xE5, 0x52, 0x45, 0x15, 0x01, 0xE0, 0xF7, 0x98, 0xAB, -0x45, 0x26, 0x25, 0xCA, 0x95, 0x6D, 0xB2, 0x04, 0xB7, 0x93, 0x06, 0xE2, 0x8F, -0xF5, 0x59, 0xA7, 0xD6, 0x69, 0x4D, 0x03, 0x07, 0x45, 0xE7, 0xE6, 0xA4, 0x8A, -0x8B, 0xBD, 0xB8, 0x09, 0x9F, 0x33, 0xD5, 0x58, 0x88, 0xC3, 0xD8, 0x55, 0x26, -0xCE, 0x94, 0x21, 0x08, 0x43, 0x36, 0x57, 0xE8, 0x6A, 0x5D, 0x4D, 0x5B, 0x00, -0x4D, 0x58, 0xB3, 0x29, 0xE4, 0x23, 0xF5, 0x3B, 0x78, 0xD4, 0x3D, 0x08, 0xE3, -0xC2, 0x26, 0x16, 0x86, 0x4A, 0xD2, 0x5B, 0x08, 0x3D, 0xE4, 0x31, 0x5A, 0x77, -0x40, 0xFA, 0xC4, 0x4B, 0x78, 0xB1, 0x16, 0xEA, 0x57, 0xA5, 0x63, 0x2A, 0x7C, -0x4C, 0x0D, 0xF5, 0xD4, 0xD4, 0x1C, 0x7A, 0x28, 0x96, 0xAF, 0xEB, 0x23, 0x32, -0x2F, 0x84, 0x68, 0x33, 0x94, 0x60, 0xDD, 0x65, 0xBA, 0x4F, 0x88, 0x25, 0x5F, -0x42, 0x86, 0xD7, 0xF8, 0x3D, 0x6D, 0xDF, 0xA1, 0x08, 0x67, 0xCA, 0xFB, 0xB0, -0x0B, 0x3C, 0x0F, 0xB0, 0x69, 0xD5, 0x44, 0x56, 0x6D, 0xB7, 0xCF, 0x1D, 0xA2, -0x38, 0x3C, 0x72, 0xC7, 0x6C, 0x9D, 0x08, 0xCF, 0xDE, 0x2D, 0x99, 0x85, 0x8A, -0xD3, 0xC9, 0xCE, 0x59, 0x86, 0x63, 0x9A, 0x20, 0xD8, 0x54, 0xA6, 0x30, 0xF7, -0x6D, 0xFC, 0x99, 0xDF, 0xF3, 0x85, 0xD7, 0xCE, 0xEC, 0x83, 0x9B, 0x45, 0x3C, -0xA9, 0x7B, 0x52, 0xBB, 0xB6, 0x31, 0xCF, 0x1F, 0xD2, 0x99, 0x1D, 0x5A, 0x30, -0xB5, 0x63, 0x3E, 0x28, 0x0B, 0xA4, 0x61, 0xD9, 0xE9, 0xBD, 0x04, 0x70, 0x76, -0x83, 0x4C, 0x35, 0x60, 0x7A, 0x0A, 0x55, 
0x6C, 0x9C, 0x9F, 0x6A, 0x42, 0xBE, -0x1F, 0xDD, 0x89, 0x55, 0x87, 0x48, 0xF3, 0xBB, 0x64, 0x17, 0xFA, 0x17, 0x60, -0xC4, 0xDC, 0xB6, 0xBF, 0xB7, 0x56, 0x64, 0x6E, 0x0A, 0xC3, 0x6B, 0x33, 0x8A, -0xAC, 0x6C, 0x97, 0x86, 0xB4, 0x27, 0x0D, 0xB0, 0x36, 0x3F, 0x3C, 0x6D, 0x7C, -0x66, 0x13, 0x94, 0xFB, 0x0E, 0x8E, 0xE8, 0x0E, 0x49, 0xEF, 0xD0, 0x0E}; + 0x88, 0x96, 0x9F, 0xBD, 0x4C, 0xC9, 0x27, 0x00, 0x57, 0xA5, 0xBF, 0xB2, + 0x28, 0x9B, 0xB8, 0xB6, 0x66, 0x58, 0xB9, 0x65, 0x9A, 0x37, 0xA8, 0x2E, + 0x5B, 0x5D, 0xE4, 0x85, 0xA8, 0x7F, 0x98, 0x3B, 0x57, 0x2D, 0xDB, 0xDD, + 0x11, 0x7E, 0x74, 0x34, 0xCF, 0xFE, 0x78, 0x3F, 0x04, 0xBB, 0x9E, 0x7C, + 0x74, 0x46, 0x00, 0xCF, 0x46, 0xA8, 0x9F, 0x53, 0x11, 0x4C, 0xBB, 0x33, + 0x49, 0x50, 0x5A, 0xA5, 0x6D, 0xEA, 0x2A, 0x79, 0xF4, 0x83, 0x0E, 0x19, + 0x8A, 0xCB, 0x0B, 0xDA, 0xBC, 0xFE, 0xD3, 0x0D, 0x12, 0x0B, 0x34, 0x35, + 0xDB, 0x3D, 0xF7, 0x95, 0x89, 0xBF, 0x87, 0x82, 0x0A, 0x5B, 0x5E, 0x5C, + 0xF1, 0x96, 0x7A, 0x46, 0xA3, 0xB5, 0x80, 0x60, 0xB4, 0xB5, 0xD1, 0x72, + 0xB7, 0x2C, 0x7A, 0x99, 0x94, 0x48, 0x93, 0x0E, 0xFC, 0xEB, 0x02, 0x2F, + 0x15, 0xC3, 0x5C, 0xC5, 0x4A, 0xDE, 0x84, 0xEC, 0x45, 0xBA, 0xEA, 0x1D, + 0x8F, 0xD2, 0x01, 0x6F, 0xC0, 0x85, 0xDF, 0x7B, 0xBA, 0x1F, 0x52, 0xEE, + 0xD1, 0xB8, 0x50, 0xBE, 0x93, 0x42, 0x87, 0x39, 0x46, 0x1C, 0xCA, 0x63, + 0x4D, 0xAD, 0x5F, 0xBD, 0xEF, 0x0C, 0x9D, 0x11, 0x6E, 0xBA, 0xC2, 0x8E, + 0xB7, 0x59, 0x4B, 0x1C, 0x22, 0xC0, 0x4D, 0x05, 0x37, 0x93, 0x10, 0xE6, + 0xFD, 0x7A, 0xEC, 0x6C, 0x80, 0x32, 0xF9, 0x64, 0x60, 0xC7, 0x35, 0x81, + 0x98, 0x42, 0xDD, 0x70, 0x0E, 0xFD, 0x13, 0x2D, 0x36, 0xF7, 0xDA, 0x3D, + 0x00, 0x1B, 0x4C, 0x7D, 0xAB, 0x13, 0xAA, 0xED, 0x3B, 0xC2, 0x01, 0xB1, + 0x54, 0xA7, 0x99, 0xAB, 0x7D, 0x6F, 0xA9, 0x29, 0xCF, 0xCA, 0x45, 0xBE, + 0x0C, 0x2C, 0xFB, 0x04, 0xF9, 0x64, 0x60, 0xF4, 0x3A, 0x60, 0xDC, 0x62, + 0x49, 0x9E, 0xBF, 0x0B, 0xE3, 0x73, 0xFC, 0xC4, 0xC2, 0x44, 0xC4, 0x6D, + 0xD0, 0x3F, 0xD2, 0xC5, 0x7D, 0x0E, 0x87, 0xE5, 0x68, 0xC9, 0xEF, 0x93, + 0x42, 0xCD, 0xA3, 
0x2E, 0x6D, 0xA4, 0x5B, 0xD6, 0x66, 0x7B, 0x94, 0xA0, + 0xA7, 0xB8, 0x7E, 0x30, 0xEE, 0x15, 0x3A, 0xB8, 0xB3, 0x68, 0x66, 0x14, + 0x09, 0x22, 0xB1, 0x10, 0x52, 0x47, 0x7A, 0xDD, 0x43, 0x29, 0x77, 0x50, + 0xDA, 0x60, 0xF9, 0x17, 0x43, 0xA3, 0xA8, 0x6E, 0x73, 0x47, 0x75, 0xCD, + 0xEB, 0x00, 0xDC, 0xAB, 0xEE, 0xCD, 0x77, 0x3A, 0xA5, 0x0D, 0xA7, 0xDB, + 0xD3, 0xAA, 0xD2, 0x21, 0xB4, 0x8F, 0xC8, 0x6F, 0x56, 0x9C, 0x20, 0xB2, + 0xC6, 0x53, 0x28, 0xA6, 0x63, 0x48, 0x45, 0x78, 0x57, 0xB3, 0xF3, 0xCC, + 0xED, 0xAD, 0x30, 0x38, 0x45, 0x02, 0x3E, 0xF8, 0x86, 0x29, 0xA9, 0x56, + 0xAA, 0x8C, 0x83, 0xC8, 0x7C, 0xF3, 0x04, 0x64, 0x57, 0xE5, 0x62, 0xFB, + 0x53, 0x3B, 0x9E, 0xF9, 0x44, 0xB2, 0x47, 0xFF, 0x0A, 0x60, 0x06, 0x34, + 0xD4, 0x85, 0x9B, 0xF4, 0x2E, 0x13, 0xB8, 0x99, 0x6F, 0xC6, 0x9A, 0x9B, + 0x69, 0x10, 0x46, 0x78, 0xB0, 0x63, 0x26, 0x18, 0x73, 0xEB, 0x0A, 0x64, + 0xA8, 0x10, 0x5B, 0xA3, 0xBD, 0x7B, 0x67, 0xF0, 0x8E, 0x49, 0x7E, 0xB5, + 0x7D, 0xCF, 0xA8, 0xD3, 0x88, 0xAD, 0x01, 0xC2, 0x12, 0x89, 0x31, 0xCD, + 0x9C, 0xC9, 0x57, 0x97, 0x70, 0x79, 0x0E, 0x16, 0x71, 0x85, 0x79, 0x39, + 0x41, 0x63, 0xF8, 0x2E, 0x4D, 0x53, 0x88, 0xBE, 0xED, 0xC9, 0x82, 0xBD, + 0x0F, 0x81, 0x22, 0x40, 0x14, 0xAF, 0xA4, 0x07, 0x10, 0x7C, 0x07, 0xAA, + 0xF3, 0x27, 0x11, 0x19, 0x2F, 0xFF, 0xFE, 0xBB, 0x0A, 0xF5, 0xC1, 0xBF, + 0x2C, 0x93, 0x00, 0xCE, 0xF1, 0xF7, 0x7F, 0xEA, 0x68, 0x39, 0x04, 0x48, + 0xBF, 0x42, 0x01, 0xBB, 0x51, 0x82, 0x36, 0x3C, 0x93, 0x55, 0x43, 0x7C, + 0x2C, 0xFF, 0xE1, 0xD8, 0x51, 0x5B, 0xC3, 0xB4, 0x57, 0x72, 0x24, 0xAB, + 0xDD, 0xDA, 0x14, 0x71, 0x0C, 0xC0, 0x9B, 0x73, 0x46, 0xF7, 0xE4, 0x12, + 0x15, 0x8B, 0x26, 0x44, 0xD7, 0xD3, 0xF1, 0x86, 0xD5, 0xA4, 0x90, 0xA9, + 0x0C, 0x89, 0x26, 0x8A, 0x67, 0xCB, 0xA0, 0xFF, 0x45, 0x8D, 0xB0, 0xF4, + 0x5D, 0x78, 0x77, 0x38, 0x34, 0x7E, 0xDE, 0x65, 0x8A, 0x68, 0x69, 0x26, + 0xD3, 0x2D, 0xD8, 0x95, 0xD9, 0x3A, 0x88, 0x4E, 0x8E, 0x9B, 0x9C, 0x83, + 0x21, 0x18, 0x6B, 0xE1, 0x4A, 0xEC, 0x43, 0x39, 0xF8, 0xD7, 0xC4, 0x77, + 0x32, 0xDD, 0x20, 
0x51, 0x2B, 0x90, 0x08, 0x5B, 0x51, 0xF1, 0x3C, 0x73, + 0x68, 0x89, 0x18, 0x8E, 0xD2, 0x9C, 0x9A, 0x32, 0xAE, 0x49, 0xA5, 0x19, + 0xED, 0xE4, 0x1E, 0x6B, 0x78, 0x7D, 0x4A, 0x92, 0x07, 0x07, 0x75, 0x19, + 0x7A, 0x0B, 0xC1, 0x79, 0xFF, 0xB4, 0xCF, 0x26, 0x28, 0x3B, 0xF8, 0xC6, + 0xE4, 0x89, 0x8C, 0x92, 0x39, 0xC3, 0x81, 0x63, 0xC4, 0xAA, 0xE3, 0xE2, + 0x00, 0x7F, 0xB0, 0x77, 0xE9, 0x07, 0xE4, 0x38, 0xA4, 0xFC, 0x2F, 0x67, + 0xD1, 0xED, 0x22, 0xA3, 0xCB, 0x31, 0x79, 0xB9, 0x38, 0xDB, 0x12, 0x50, + 0x1A, 0x0F, 0xE6, 0x53, 0x09, 0xD1, 0x06, 0xD1, 0xE4, 0x35, 0x2F, 0x93, + 0x5B, 0x5A, 0x6C, 0x27, 0x06, 0xC4, 0x77, 0xED, 0x6F, 0xB5, 0x41, 0x87, + 0xF6, 0x26, 0xAA, 0x96, 0xC1, 0x76, 0xE1, 0x1C, 0x0F, 0x13, 0x2D, 0x05, + 0xBA, 0x38, 0x52, 0x7B, 0xD2, 0x71, 0xDF, 0xF0, 0xF9, 0x5E, 0x85, 0x45, + 0x52, 0xDC, 0x2A, 0x8A, 0x20, 0x05, 0x8F, 0x11, 0xDE, 0x0C, 0x9E, 0x6B, + 0xC9, 0x36, 0xDE, 0x05, 0xE9, 0xC9, 0xFD, 0xED, 0x80, 0xA8, 0x63, 0xFC, + 0xE5, 0x3B, 0x29, 0x81, 0x4F, 0x25, 0xF3, 0x59, 0xCC, 0x8F, 0x40, 0xA9, + 0x6B, 0x67, 0x1E, 0x67, 0x29, 0x19, 0x27, 0x14, 0xF2, 0xDC, 0x2C, 0x9D, + 0xFF, 0x73, 0x60, 0x29, 0x22, 0xF6, 0x10, 0x12, 0x39, 0xE8, 0xB8, 0xB9, + 0xD0, 0x90, 0xC7, 0xE1, 0x10, 0x0D, 0x30, 0xC5, 0x11, 0x85, 0x7C, 0x0B, + 0x0C, 0x29, 0xD9, 0x4A, 0xBA, 0xBB, 0xE9, 0xF6, 0x4E, 0xEC, 0x1B, 0x62, + 0x48, 0x0C, 0x7A, 0xFA, 0x9A, 0xF9, 0x12, 0xA5, 0xC3, 0x3E, 0x67, 0x0B, + 0x7A, 0x27, 0x2B, 0x20, 0xB2, 0x82, 0x5C, 0x86, 0xEA, 0x31, 0x8A, 0x90, + 0xE6, 0xFA, 0x45, 0x36, 0x41, 0x53, 0x78, 0x57, 0x88, 0x76, 0x97, 0x3D, + 0xB0, 0x8A, 0x43, 0x2B, 0x67, 0x79, 0x96, 0x35, 0x7D, 0xEF, 0x9C, 0x93, + 0xBA, 0xD2, 0x91, 0x86, 0xCF, 0x52, 0xD5, 0x96, 0xAA, 0xD0, 0x45, 0xD8, + 0x3C, 0x93, 0xC4, 0xC2, 0xC3, 0x5F, 0x4A, 0x23, 0xD4, 0xC7, 0xE4, 0x1D, + 0x3B, 0xD1, 0x8F, 0x91, 0x36, 0xFA, 0x64, 0x15, 0xA8, 0xA8, 0xD1, 0x95, + 0xCD, 0x2C, 0x99, 0x8A, 0x34, 0x0A, 0x5E, 0x0E, 0xB0, 0x6A, 0x8E, 0xF2, + 0xE8, 0xE9, 0xF9, 0x67, 0xF6, 0xD6, 0x33, 0xBE, 0xD3, 0xB7, 0x94, 0x8B, + 0x27, 0xB2, 0x33, 
0xE2, 0x41, 0xE3, 0x9E, 0x12, 0xE4, 0x21, 0x35, 0x58, + 0xD6, 0xDE, 0xB5, 0xAC, 0xF2, 0x72, 0xC4, 0x32, 0x72, 0xB8, 0x2E, 0x7D, + 0xD0, 0xF3, 0xE3, 0x56, 0x86, 0xFD, 0x5F, 0xD0, 0x66, 0x64, 0xB4, 0x92, + 0x27, 0xCA, 0x36, 0xE1, 0x57, 0x9F, 0xC0, 0x0D, 0x0E, 0xBE, 0xA6, 0x42, + 0xAD, 0xD9, 0x7D, 0x9A, 0x7D, 0x1F, 0x87, 0x17, 0x46, 0x3B, 0xA5, 0x40, + 0x9C, 0xD2, 0x9F, 0xD6, 0x73, 0xC6, 0xFA, 0xD3, 0x03, 0x27, 0x01, 0x59, + 0x8D, 0x5F, 0xB8, 0xAF, 0x2D, 0xCE, 0x06, 0xA2, 0x73, 0xE2, 0xE4, 0xC9, + 0xE2, 0x14, 0x58, 0xA8, 0x2C, 0xC6, 0xBF, 0x72, 0x8E, 0x87, 0x84, 0x81, + 0x7B, 0x62, 0x5A, 0x13, 0x7D, 0xFF, 0x38, 0x9E, 0x97, 0xEF, 0x91, 0x45, + 0xB6, 0xC6, 0xCF, 0x0E, 0xC0, 0xBA, 0x2A, 0xAE, 0x41, 0x44, 0x48, 0xE5, + 0x52, 0x45, 0x15, 0x01, 0xE0, 0xF7, 0x98, 0xAB, 0x45, 0x26, 0x25, 0xCA, + 0x95, 0x6D, 0xB2, 0x04, 0xB7, 0x93, 0x06, 0xE2, 0x8F, 0xF5, 0x59, 0xA7, + 0xD6, 0x69, 0x4D, 0x03, 0x07, 0x45, 0xE7, 0xE6, 0xA4, 0x8A, 0x8B, 0xBD, + 0xB8, 0x09, 0x9F, 0x33, 0xD5, 0x58, 0x88, 0xC3, 0xD8, 0x55, 0x26, 0xCE, + 0x94, 0x21, 0x08, 0x43, 0x36, 0x57, 0xE8, 0x6A, 0x5D, 0x4D, 0x5B, 0x00, + 0x4D, 0x58, 0xB3, 0x29, 0xE4, 0x23, 0xF5, 0x3B, 0x78, 0xD4, 0x3D, 0x08, + 0xE3, 0xC2, 0x26, 0x16, 0x86, 0x4A, 0xD2, 0x5B, 0x08, 0x3D, 0xE4, 0x31, + 0x5A, 0x77, 0x40, 0xFA, 0xC4, 0x4B, 0x78, 0xB1, 0x16, 0xEA, 0x57, 0xA5, + 0x63, 0x2A, 0x7C, 0x4C, 0x0D, 0xF5, 0xD4, 0xD4, 0x1C, 0x7A, 0x28, 0x96, + 0xAF, 0xEB, 0x23, 0x32, 0x2F, 0x84, 0x68, 0x33, 0x94, 0x60, 0xDD, 0x65, + 0xBA, 0x4F, 0x88, 0x25, 0x5F, 0x42, 0x86, 0xD7, 0xF8, 0x3D, 0x6D, 0xDF, + 0xA1, 0x08, 0x67, 0xCA, 0xFB, 0xB0, 0x0B, 0x3C, 0x0F, 0xB0, 0x69, 0xD5, + 0x44, 0x56, 0x6D, 0xB7, 0xCF, 0x1D, 0xA2, 0x38, 0x3C, 0x72, 0xC7, 0x6C, + 0x9D, 0x08, 0xCF, 0xDE, 0x2D, 0x99, 0x85, 0x8A, 0xD3, 0xC9, 0xCE, 0x59, + 0x86, 0x63, 0x9A, 0x20, 0xD8, 0x54, 0xA6, 0x30, 0xF7, 0x6D, 0xFC, 0x99, + 0xDF, 0xF3, 0x85, 0xD7, 0xCE, 0xEC, 0x83, 0x9B, 0x45, 0x3C, 0xA9, 0x7B, + 0x52, 0xBB, 0xB6, 0x31, 0xCF, 0x1F, 0xD2, 0x99, 0x1D, 0x5A, 0x30, 0xB5, + 0x63, 0x3E, 0x28, 
0x0B, 0xA4, 0x61, 0xD9, 0xE9, 0xBD, 0x04, 0x70, 0x76, + 0x83, 0x4C, 0x35, 0x60, 0x7A, 0x0A, 0x55, 0x6C, 0x9C, 0x9F, 0x6A, 0x42, + 0xBE, 0x1F, 0xDD, 0x89, 0x55, 0x87, 0x48, 0xF3, 0xBB, 0x64, 0x17, 0xFA, + 0x17, 0x60, 0xC4, 0xDC, 0xB6, 0xBF, 0xB7, 0x56, 0x64, 0x6E, 0x0A, 0xC3, + 0x6B, 0x33, 0x8A, 0xAC, 0x6C, 0x97, 0x86, 0xB4, 0x27, 0x0D, 0xB0, 0x36, + 0x3F, 0x3C, 0x6D, 0x7C, 0x66, 0x13, 0x94, 0xFB, 0x0E, 0x8E, 0xE8, 0x0E, + 0x49, 0xEF, 0xD0, 0x0E}; // mldsa44kPublicKeySPKI is the above example ML-DSA-44 public key encoded static const uint8_t mldsa44kPublicKeySPKI[] = { -0x30, 0x82, 0x05, 0x32, 0x30, 0x0B, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, -0x03, 0x04, 0x03, 0x11, 0x03, 0x82, 0x05, 0x21, 0x00, 0x88, 0x96, 0x9F, 0xBD, -0x4C, 0xC9, 0x27, 0x00, 0x57, 0xA5, 0xBF, 0xB2, 0x28, 0x9B, 0xB8, 0xB6, 0x66, -0x58, 0xB9, 0x65, 0x9A, 0x37, 0xA8, 0x2E, 0x5B, 0x5D, 0xE4, 0x85, 0xA8, 0x7F, -0x98, 0x3B, 0x57, 0x2D, 0xDB, 0xDD, 0x11, 0x7E, 0x74, 0x34, 0xCF, 0xFE, 0x78, -0x3F, 0x04, 0xBB, 0x9E, 0x7C, 0x74, 0x46, 0x00, 0xCF, 0x46, 0xA8, 0x9F, 0x53, -0x11, 0x4C, 0xBB, 0x33, 0x49, 0x50, 0x5A, 0xA5, 0x6D, 0xEA, 0x2A, 0x79, 0xF4, -0x83, 0x0E, 0x19, 0x8A, 0xCB, 0x0B, 0xDA, 0xBC, 0xFE, 0xD3, 0x0D, 0x12, 0x0B, -0x34, 0x35, 0xDB, 0x3D, 0xF7, 0x95, 0x89, 0xBF, 0x87, 0x82, 0x0A, 0x5B, 0x5E, -0x5C, 0xF1, 0x96, 0x7A, 0x46, 0xA3, 0xB5, 0x80, 0x60, 0xB4, 0xB5, 0xD1, 0x72, -0xB7, 0x2C, 0x7A, 0x99, 0x94, 0x48, 0x93, 0x0E, 0xFC, 0xEB, 0x02, 0x2F, 0x15, -0xC3, 0x5C, 0xC5, 0x4A, 0xDE, 0x84, 0xEC, 0x45, 0xBA, 0xEA, 0x1D, 0x8F, 0xD2, -0x01, 0x6F, 0xC0, 0x85, 0xDF, 0x7B, 0xBA, 0x1F, 0x52, 0xEE, 0xD1, 0xB8, 0x50, -0xBE, 0x93, 0x42, 0x87, 0x39, 0x46, 0x1C, 0xCA, 0x63, 0x4D, 0xAD, 0x5F, 0xBD, -0xEF, 0x0C, 0x9D, 0x11, 0x6E, 0xBA, 0xC2, 0x8E, 0xB7, 0x59, 0x4B, 0x1C, 0x22, -0xC0, 0x4D, 0x05, 0x37, 0x93, 0x10, 0xE6, 0xFD, 0x7A, 0xEC, 0x6C, 0x80, 0x32, -0xF9, 0x64, 0x60, 0xC7, 0x35, 0x81, 0x98, 0x42, 0xDD, 0x70, 0x0E, 0xFD, 0x13, -0x2D, 0x36, 0xF7, 0xDA, 0x3D, 0x00, 0x1B, 0x4C, 0x7D, 0xAB, 0x13, 0xAA, 0xED, 
-0x3B, 0xC2, 0x01, 0xB1, 0x54, 0xA7, 0x99, 0xAB, 0x7D, 0x6F, 0xA9, 0x29, 0xCF, -0xCA, 0x45, 0xBE, 0x0C, 0x2C, 0xFB, 0x04, 0xF9, 0x64, 0x60, 0xF4, 0x3A, 0x60, -0xDC, 0x62, 0x49, 0x9E, 0xBF, 0x0B, 0xE3, 0x73, 0xFC, 0xC4, 0xC2, 0x44, 0xC4, -0x6D, 0xD0, 0x3F, 0xD2, 0xC5, 0x7D, 0x0E, 0x87, 0xE5, 0x68, 0xC9, 0xEF, 0x93, -0x42, 0xCD, 0xA3, 0x2E, 0x6D, 0xA4, 0x5B, 0xD6, 0x66, 0x7B, 0x94, 0xA0, 0xA7, -0xB8, 0x7E, 0x30, 0xEE, 0x15, 0x3A, 0xB8, 0xB3, 0x68, 0x66, 0x14, 0x09, 0x22, -0xB1, 0x10, 0x52, 0x47, 0x7A, 0xDD, 0x43, 0x29, 0x77, 0x50, 0xDA, 0x60, 0xF9, -0x17, 0x43, 0xA3, 0xA8, 0x6E, 0x73, 0x47, 0x75, 0xCD, 0xEB, 0x00, 0xDC, 0xAB, -0xEE, 0xCD, 0x77, 0x3A, 0xA5, 0x0D, 0xA7, 0xDB, 0xD3, 0xAA, 0xD2, 0x21, 0xB4, -0x8F, 0xC8, 0x6F, 0x56, 0x9C, 0x20, 0xB2, 0xC6, 0x53, 0x28, 0xA6, 0x63, 0x48, -0x45, 0x78, 0x57, 0xB3, 0xF3, 0xCC, 0xED, 0xAD, 0x30, 0x38, 0x45, 0x02, 0x3E, -0xF8, 0x86, 0x29, 0xA9, 0x56, 0xAA, 0x8C, 0x83, 0xC8, 0x7C, 0xF3, 0x04, 0x64, -0x57, 0xE5, 0x62, 0xFB, 0x53, 0x3B, 0x9E, 0xF9, 0x44, 0xB2, 0x47, 0xFF, 0x0A, -0x60, 0x06, 0x34, 0xD4, 0x85, 0x9B, 0xF4, 0x2E, 0x13, 0xB8, 0x99, 0x6F, 0xC6, -0x9A, 0x9B, 0x69, 0x10, 0x46, 0x78, 0xB0, 0x63, 0x26, 0x18, 0x73, 0xEB, 0x0A, -0x64, 0xA8, 0x10, 0x5B, 0xA3, 0xBD, 0x7B, 0x67, 0xF0, 0x8E, 0x49, 0x7E, 0xB5, -0x7D, 0xCF, 0xA8, 0xD3, 0x88, 0xAD, 0x01, 0xC2, 0x12, 0x89, 0x31, 0xCD, 0x9C, -0xC9, 0x57, 0x97, 0x70, 0x79, 0x0E, 0x16, 0x71, 0x85, 0x79, 0x39, 0x41, 0x63, -0xF8, 0x2E, 0x4D, 0x53, 0x88, 0xBE, 0xED, 0xC9, 0x82, 0xBD, 0x0F, 0x81, 0x22, -0x40, 0x14, 0xAF, 0xA4, 0x07, 0x10, 0x7C, 0x07, 0xAA, 0xF3, 0x27, 0x11, 0x19, -0x2F, 0xFF, 0xFE, 0xBB, 0x0A, 0xF5, 0xC1, 0xBF, 0x2C, 0x93, 0x00, 0xCE, 0xF1, -0xF7, 0x7F, 0xEA, 0x68, 0x39, 0x04, 0x48, 0xBF, 0x42, 0x01, 0xBB, 0x51, 0x82, -0x36, 0x3C, 0x93, 0x55, 0x43, 0x7C, 0x2C, 0xFF, 0xE1, 0xD8, 0x51, 0x5B, 0xC3, -0xB4, 0x57, 0x72, 0x24, 0xAB, 0xDD, 0xDA, 0x14, 0x71, 0x0C, 0xC0, 0x9B, 0x73, -0x46, 0xF7, 0xE4, 0x12, 0x15, 0x8B, 0x26, 0x44, 0xD7, 0xD3, 0xF1, 0x86, 0xD5, -0xA4, 0x90, 0xA9, 0x0C, 
0x89, 0x26, 0x8A, 0x67, 0xCB, 0xA0, 0xFF, 0x45, 0x8D, -0xB0, 0xF4, 0x5D, 0x78, 0x77, 0x38, 0x34, 0x7E, 0xDE, 0x65, 0x8A, 0x68, 0x69, -0x26, 0xD3, 0x2D, 0xD8, 0x95, 0xD9, 0x3A, 0x88, 0x4E, 0x8E, 0x9B, 0x9C, 0x83, -0x21, 0x18, 0x6B, 0xE1, 0x4A, 0xEC, 0x43, 0x39, 0xF8, 0xD7, 0xC4, 0x77, 0x32, -0xDD, 0x20, 0x51, 0x2B, 0x90, 0x08, 0x5B, 0x51, 0xF1, 0x3C, 0x73, 0x68, 0x89, -0x18, 0x8E, 0xD2, 0x9C, 0x9A, 0x32, 0xAE, 0x49, 0xA5, 0x19, 0xED, 0xE4, 0x1E, -0x6B, 0x78, 0x7D, 0x4A, 0x92, 0x07, 0x07, 0x75, 0x19, 0x7A, 0x0B, 0xC1, 0x79, -0xFF, 0xB4, 0xCF, 0x26, 0x28, 0x3B, 0xF8, 0xC6, 0xE4, 0x89, 0x8C, 0x92, 0x39, -0xC3, 0x81, 0x63, 0xC4, 0xAA, 0xE3, 0xE2, 0x00, 0x7F, 0xB0, 0x77, 0xE9, 0x07, -0xE4, 0x38, 0xA4, 0xFC, 0x2F, 0x67, 0xD1, 0xED, 0x22, 0xA3, 0xCB, 0x31, 0x79, -0xB9, 0x38, 0xDB, 0x12, 0x50, 0x1A, 0x0F, 0xE6, 0x53, 0x09, 0xD1, 0x06, 0xD1, -0xE4, 0x35, 0x2F, 0x93, 0x5B, 0x5A, 0x6C, 0x27, 0x06, 0xC4, 0x77, 0xED, 0x6F, -0xB5, 0x41, 0x87, 0xF6, 0x26, 0xAA, 0x96, 0xC1, 0x76, 0xE1, 0x1C, 0x0F, 0x13, -0x2D, 0x05, 0xBA, 0x38, 0x52, 0x7B, 0xD2, 0x71, 0xDF, 0xF0, 0xF9, 0x5E, 0x85, -0x45, 0x52, 0xDC, 0x2A, 0x8A, 0x20, 0x05, 0x8F, 0x11, 0xDE, 0x0C, 0x9E, 0x6B, -0xC9, 0x36, 0xDE, 0x05, 0xE9, 0xC9, 0xFD, 0xED, 0x80, 0xA8, 0x63, 0xFC, 0xE5, -0x3B, 0x29, 0x81, 0x4F, 0x25, 0xF3, 0x59, 0xCC, 0x8F, 0x40, 0xA9, 0x6B, 0x67, -0x1E, 0x67, 0x29, 0x19, 0x27, 0x14, 0xF2, 0xDC, 0x2C, 0x9D, 0xFF, 0x73, 0x60, -0x29, 0x22, 0xF6, 0x10, 0x12, 0x39, 0xE8, 0xB8, 0xB9, 0xD0, 0x90, 0xC7, 0xE1, -0x10, 0x0D, 0x30, 0xC5, 0x11, 0x85, 0x7C, 0x0B, 0x0C, 0x29, 0xD9, 0x4A, 0xBA, -0xBB, 0xE9, 0xF6, 0x4E, 0xEC, 0x1B, 0x62, 0x48, 0x0C, 0x7A, 0xFA, 0x9A, 0xF9, -0x12, 0xA5, 0xC3, 0x3E, 0x67, 0x0B, 0x7A, 0x27, 0x2B, 0x20, 0xB2, 0x82, 0x5C, -0x86, 0xEA, 0x31, 0x8A, 0x90, 0xE6, 0xFA, 0x45, 0x36, 0x41, 0x53, 0x78, 0x57, -0x88, 0x76, 0x97, 0x3D, 0xB0, 0x8A, 0x43, 0x2B, 0x67, 0x79, 0x96, 0x35, 0x7D, -0xEF, 0x9C, 0x93, 0xBA, 0xD2, 0x91, 0x86, 0xCF, 0x52, 0xD5, 0x96, 0xAA, 0xD0, -0x45, 0xD8, 0x3C, 0x93, 0xC4, 0xC2, 0xC3, 0x5F, 
0x4A, 0x23, 0xD4, 0xC7, 0xE4, -0x1D, 0x3B, 0xD1, 0x8F, 0x91, 0x36, 0xFA, 0x64, 0x15, 0xA8, 0xA8, 0xD1, 0x95, -0xCD, 0x2C, 0x99, 0x8A, 0x34, 0x0A, 0x5E, 0x0E, 0xB0, 0x6A, 0x8E, 0xF2, 0xE8, -0xE9, 0xF9, 0x67, 0xF6, 0xD6, 0x33, 0xBE, 0xD3, 0xB7, 0x94, 0x8B, 0x27, 0xB2, -0x33, 0xE2, 0x41, 0xE3, 0x9E, 0x12, 0xE4, 0x21, 0x35, 0x58, 0xD6, 0xDE, 0xB5, -0xAC, 0xF2, 0x72, 0xC4, 0x32, 0x72, 0xB8, 0x2E, 0x7D, 0xD0, 0xF3, 0xE3, 0x56, -0x86, 0xFD, 0x5F, 0xD0, 0x66, 0x64, 0xB4, 0x92, 0x27, 0xCA, 0x36, 0xE1, 0x57, -0x9F, 0xC0, 0x0D, 0x0E, 0xBE, 0xA6, 0x42, 0xAD, 0xD9, 0x7D, 0x9A, 0x7D, 0x1F, -0x87, 0x17, 0x46, 0x3B, 0xA5, 0x40, 0x9C, 0xD2, 0x9F, 0xD6, 0x73, 0xC6, 0xFA, -0xD3, 0x03, 0x27, 0x01, 0x59, 0x8D, 0x5F, 0xB8, 0xAF, 0x2D, 0xCE, 0x06, 0xA2, -0x73, 0xE2, 0xE4, 0xC9, 0xE2, 0x14, 0x58, 0xA8, 0x2C, 0xC6, 0xBF, 0x72, 0x8E, -0x87, 0x84, 0x81, 0x7B, 0x62, 0x5A, 0x13, 0x7D, 0xFF, 0x38, 0x9E, 0x97, 0xEF, -0x91, 0x45, 0xB6, 0xC6, 0xCF, 0x0E, 0xC0, 0xBA, 0x2A, 0xAE, 0x41, 0x44, 0x48, -0xE5, 0x52, 0x45, 0x15, 0x01, 0xE0, 0xF7, 0x98, 0xAB, 0x45, 0x26, 0x25, 0xCA, -0x95, 0x6D, 0xB2, 0x04, 0xB7, 0x93, 0x06, 0xE2, 0x8F, 0xF5, 0x59, 0xA7, 0xD6, -0x69, 0x4D, 0x03, 0x07, 0x45, 0xE7, 0xE6, 0xA4, 0x8A, 0x8B, 0xBD, 0xB8, 0x09, -0x9F, 0x33, 0xD5, 0x58, 0x88, 0xC3, 0xD8, 0x55, 0x26, 0xCE, 0x94, 0x21, 0x08, -0x43, 0x36, 0x57, 0xE8, 0x6A, 0x5D, 0x4D, 0x5B, 0x00, 0x4D, 0x58, 0xB3, 0x29, -0xE4, 0x23, 0xF5, 0x3B, 0x78, 0xD4, 0x3D, 0x08, 0xE3, 0xC2, 0x26, 0x16, 0x86, -0x4A, 0xD2, 0x5B, 0x08, 0x3D, 0xE4, 0x31, 0x5A, 0x77, 0x40, 0xFA, 0xC4, 0x4B, -0x78, 0xB1, 0x16, 0xEA, 0x57, 0xA5, 0x63, 0x2A, 0x7C, 0x4C, 0x0D, 0xF5, 0xD4, -0xD4, 0x1C, 0x7A, 0x28, 0x96, 0xAF, 0xEB, 0x23, 0x32, 0x2F, 0x84, 0x68, 0x33, -0x94, 0x60, 0xDD, 0x65, 0xBA, 0x4F, 0x88, 0x25, 0x5F, 0x42, 0x86, 0xD7, 0xF8, -0x3D, 0x6D, 0xDF, 0xA1, 0x08, 0x67, 0xCA, 0xFB, 0xB0, 0x0B, 0x3C, 0x0F, 0xB0, -0x69, 0xD5, 0x44, 0x56, 0x6D, 0xB7, 0xCF, 0x1D, 0xA2, 0x38, 0x3C, 0x72, 0xC7, -0x6C, 0x9D, 0x08, 0xCF, 0xDE, 0x2D, 0x99, 0x85, 0x8A, 0xD3, 0xC9, 0xCE, 
0x59, -0x86, 0x63, 0x9A, 0x20, 0xD8, 0x54, 0xA6, 0x30, 0xF7, 0x6D, 0xFC, 0x99, 0xDF, -0xF3, 0x85, 0xD7, 0xCE, 0xEC, 0x83, 0x9B, 0x45, 0x3C, 0xA9, 0x7B, 0x52, 0xBB, -0xB6, 0x31, 0xCF, 0x1F, 0xD2, 0x99, 0x1D, 0x5A, 0x30, 0xB5, 0x63, 0x3E, 0x28, -0x0B, 0xA4, 0x61, 0xD9, 0xE9, 0xBD, 0x04, 0x70, 0x76, 0x83, 0x4C, 0x35, 0x60, -0x7A, 0x0A, 0x55, 0x6C, 0x9C, 0x9F, 0x6A, 0x42, 0xBE, 0x1F, 0xDD, 0x89, 0x55, -0x87, 0x48, 0xF3, 0xBB, 0x64, 0x17, 0xFA, 0x17, 0x60, 0xC4, 0xDC, 0xB6, 0xBF, -0xB7, 0x56, 0x64, 0x6E, 0x0A, 0xC3, 0x6B, 0x33, 0x8A, 0xAC, 0x6C, 0x97, 0x86, -0xB4, 0x27, 0x0D, 0xB0, 0x36, 0x3F, 0x3C, 0x6D, 0x7C, 0x66, 0x13, 0x94, 0xFB, -0x0E, 0x8E, 0xE8, 0x0E, 0x49, 0xEF, 0xD0, 0x0E}; + 0x30, 0x82, 0x05, 0x32, 0x30, 0x0B, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x03, 0x11, 0x03, 0x82, 0x05, 0x21, 0x00, 0x88, 0x96, + 0x9F, 0xBD, 0x4C, 0xC9, 0x27, 0x00, 0x57, 0xA5, 0xBF, 0xB2, 0x28, 0x9B, + 0xB8, 0xB6, 0x66, 0x58, 0xB9, 0x65, 0x9A, 0x37, 0xA8, 0x2E, 0x5B, 0x5D, + 0xE4, 0x85, 0xA8, 0x7F, 0x98, 0x3B, 0x57, 0x2D, 0xDB, 0xDD, 0x11, 0x7E, + 0x74, 0x34, 0xCF, 0xFE, 0x78, 0x3F, 0x04, 0xBB, 0x9E, 0x7C, 0x74, 0x46, + 0x00, 0xCF, 0x46, 0xA8, 0x9F, 0x53, 0x11, 0x4C, 0xBB, 0x33, 0x49, 0x50, + 0x5A, 0xA5, 0x6D, 0xEA, 0x2A, 0x79, 0xF4, 0x83, 0x0E, 0x19, 0x8A, 0xCB, + 0x0B, 0xDA, 0xBC, 0xFE, 0xD3, 0x0D, 0x12, 0x0B, 0x34, 0x35, 0xDB, 0x3D, + 0xF7, 0x95, 0x89, 0xBF, 0x87, 0x82, 0x0A, 0x5B, 0x5E, 0x5C, 0xF1, 0x96, + 0x7A, 0x46, 0xA3, 0xB5, 0x80, 0x60, 0xB4, 0xB5, 0xD1, 0x72, 0xB7, 0x2C, + 0x7A, 0x99, 0x94, 0x48, 0x93, 0x0E, 0xFC, 0xEB, 0x02, 0x2F, 0x15, 0xC3, + 0x5C, 0xC5, 0x4A, 0xDE, 0x84, 0xEC, 0x45, 0xBA, 0xEA, 0x1D, 0x8F, 0xD2, + 0x01, 0x6F, 0xC0, 0x85, 0xDF, 0x7B, 0xBA, 0x1F, 0x52, 0xEE, 0xD1, 0xB8, + 0x50, 0xBE, 0x93, 0x42, 0x87, 0x39, 0x46, 0x1C, 0xCA, 0x63, 0x4D, 0xAD, + 0x5F, 0xBD, 0xEF, 0x0C, 0x9D, 0x11, 0x6E, 0xBA, 0xC2, 0x8E, 0xB7, 0x59, + 0x4B, 0x1C, 0x22, 0xC0, 0x4D, 0x05, 0x37, 0x93, 0x10, 0xE6, 0xFD, 0x7A, + 0xEC, 0x6C, 0x80, 0x32, 0xF9, 0x64, 0x60, 0xC7, 
0x35, 0x81, 0x98, 0x42, + 0xDD, 0x70, 0x0E, 0xFD, 0x13, 0x2D, 0x36, 0xF7, 0xDA, 0x3D, 0x00, 0x1B, + 0x4C, 0x7D, 0xAB, 0x13, 0xAA, 0xED, 0x3B, 0xC2, 0x01, 0xB1, 0x54, 0xA7, + 0x99, 0xAB, 0x7D, 0x6F, 0xA9, 0x29, 0xCF, 0xCA, 0x45, 0xBE, 0x0C, 0x2C, + 0xFB, 0x04, 0xF9, 0x64, 0x60, 0xF4, 0x3A, 0x60, 0xDC, 0x62, 0x49, 0x9E, + 0xBF, 0x0B, 0xE3, 0x73, 0xFC, 0xC4, 0xC2, 0x44, 0xC4, 0x6D, 0xD0, 0x3F, + 0xD2, 0xC5, 0x7D, 0x0E, 0x87, 0xE5, 0x68, 0xC9, 0xEF, 0x93, 0x42, 0xCD, + 0xA3, 0x2E, 0x6D, 0xA4, 0x5B, 0xD6, 0x66, 0x7B, 0x94, 0xA0, 0xA7, 0xB8, + 0x7E, 0x30, 0xEE, 0x15, 0x3A, 0xB8, 0xB3, 0x68, 0x66, 0x14, 0x09, 0x22, + 0xB1, 0x10, 0x52, 0x47, 0x7A, 0xDD, 0x43, 0x29, 0x77, 0x50, 0xDA, 0x60, + 0xF9, 0x17, 0x43, 0xA3, 0xA8, 0x6E, 0x73, 0x47, 0x75, 0xCD, 0xEB, 0x00, + 0xDC, 0xAB, 0xEE, 0xCD, 0x77, 0x3A, 0xA5, 0x0D, 0xA7, 0xDB, 0xD3, 0xAA, + 0xD2, 0x21, 0xB4, 0x8F, 0xC8, 0x6F, 0x56, 0x9C, 0x20, 0xB2, 0xC6, 0x53, + 0x28, 0xA6, 0x63, 0x48, 0x45, 0x78, 0x57, 0xB3, 0xF3, 0xCC, 0xED, 0xAD, + 0x30, 0x38, 0x45, 0x02, 0x3E, 0xF8, 0x86, 0x29, 0xA9, 0x56, 0xAA, 0x8C, + 0x83, 0xC8, 0x7C, 0xF3, 0x04, 0x64, 0x57, 0xE5, 0x62, 0xFB, 0x53, 0x3B, + 0x9E, 0xF9, 0x44, 0xB2, 0x47, 0xFF, 0x0A, 0x60, 0x06, 0x34, 0xD4, 0x85, + 0x9B, 0xF4, 0x2E, 0x13, 0xB8, 0x99, 0x6F, 0xC6, 0x9A, 0x9B, 0x69, 0x10, + 0x46, 0x78, 0xB0, 0x63, 0x26, 0x18, 0x73, 0xEB, 0x0A, 0x64, 0xA8, 0x10, + 0x5B, 0xA3, 0xBD, 0x7B, 0x67, 0xF0, 0x8E, 0x49, 0x7E, 0xB5, 0x7D, 0xCF, + 0xA8, 0xD3, 0x88, 0xAD, 0x01, 0xC2, 0x12, 0x89, 0x31, 0xCD, 0x9C, 0xC9, + 0x57, 0x97, 0x70, 0x79, 0x0E, 0x16, 0x71, 0x85, 0x79, 0x39, 0x41, 0x63, + 0xF8, 0x2E, 0x4D, 0x53, 0x88, 0xBE, 0xED, 0xC9, 0x82, 0xBD, 0x0F, 0x81, + 0x22, 0x40, 0x14, 0xAF, 0xA4, 0x07, 0x10, 0x7C, 0x07, 0xAA, 0xF3, 0x27, + 0x11, 0x19, 0x2F, 0xFF, 0xFE, 0xBB, 0x0A, 0xF5, 0xC1, 0xBF, 0x2C, 0x93, + 0x00, 0xCE, 0xF1, 0xF7, 0x7F, 0xEA, 0x68, 0x39, 0x04, 0x48, 0xBF, 0x42, + 0x01, 0xBB, 0x51, 0x82, 0x36, 0x3C, 0x93, 0x55, 0x43, 0x7C, 0x2C, 0xFF, + 0xE1, 0xD8, 0x51, 0x5B, 0xC3, 0xB4, 0x57, 0x72, 
0x24, 0xAB, 0xDD, 0xDA, + 0x14, 0x71, 0x0C, 0xC0, 0x9B, 0x73, 0x46, 0xF7, 0xE4, 0x12, 0x15, 0x8B, + 0x26, 0x44, 0xD7, 0xD3, 0xF1, 0x86, 0xD5, 0xA4, 0x90, 0xA9, 0x0C, 0x89, + 0x26, 0x8A, 0x67, 0xCB, 0xA0, 0xFF, 0x45, 0x8D, 0xB0, 0xF4, 0x5D, 0x78, + 0x77, 0x38, 0x34, 0x7E, 0xDE, 0x65, 0x8A, 0x68, 0x69, 0x26, 0xD3, 0x2D, + 0xD8, 0x95, 0xD9, 0x3A, 0x88, 0x4E, 0x8E, 0x9B, 0x9C, 0x83, 0x21, 0x18, + 0x6B, 0xE1, 0x4A, 0xEC, 0x43, 0x39, 0xF8, 0xD7, 0xC4, 0x77, 0x32, 0xDD, + 0x20, 0x51, 0x2B, 0x90, 0x08, 0x5B, 0x51, 0xF1, 0x3C, 0x73, 0x68, 0x89, + 0x18, 0x8E, 0xD2, 0x9C, 0x9A, 0x32, 0xAE, 0x49, 0xA5, 0x19, 0xED, 0xE4, + 0x1E, 0x6B, 0x78, 0x7D, 0x4A, 0x92, 0x07, 0x07, 0x75, 0x19, 0x7A, 0x0B, + 0xC1, 0x79, 0xFF, 0xB4, 0xCF, 0x26, 0x28, 0x3B, 0xF8, 0xC6, 0xE4, 0x89, + 0x8C, 0x92, 0x39, 0xC3, 0x81, 0x63, 0xC4, 0xAA, 0xE3, 0xE2, 0x00, 0x7F, + 0xB0, 0x77, 0xE9, 0x07, 0xE4, 0x38, 0xA4, 0xFC, 0x2F, 0x67, 0xD1, 0xED, + 0x22, 0xA3, 0xCB, 0x31, 0x79, 0xB9, 0x38, 0xDB, 0x12, 0x50, 0x1A, 0x0F, + 0xE6, 0x53, 0x09, 0xD1, 0x06, 0xD1, 0xE4, 0x35, 0x2F, 0x93, 0x5B, 0x5A, + 0x6C, 0x27, 0x06, 0xC4, 0x77, 0xED, 0x6F, 0xB5, 0x41, 0x87, 0xF6, 0x26, + 0xAA, 0x96, 0xC1, 0x76, 0xE1, 0x1C, 0x0F, 0x13, 0x2D, 0x05, 0xBA, 0x38, + 0x52, 0x7B, 0xD2, 0x71, 0xDF, 0xF0, 0xF9, 0x5E, 0x85, 0x45, 0x52, 0xDC, + 0x2A, 0x8A, 0x20, 0x05, 0x8F, 0x11, 0xDE, 0x0C, 0x9E, 0x6B, 0xC9, 0x36, + 0xDE, 0x05, 0xE9, 0xC9, 0xFD, 0xED, 0x80, 0xA8, 0x63, 0xFC, 0xE5, 0x3B, + 0x29, 0x81, 0x4F, 0x25, 0xF3, 0x59, 0xCC, 0x8F, 0x40, 0xA9, 0x6B, 0x67, + 0x1E, 0x67, 0x29, 0x19, 0x27, 0x14, 0xF2, 0xDC, 0x2C, 0x9D, 0xFF, 0x73, + 0x60, 0x29, 0x22, 0xF6, 0x10, 0x12, 0x39, 0xE8, 0xB8, 0xB9, 0xD0, 0x90, + 0xC7, 0xE1, 0x10, 0x0D, 0x30, 0xC5, 0x11, 0x85, 0x7C, 0x0B, 0x0C, 0x29, + 0xD9, 0x4A, 0xBA, 0xBB, 0xE9, 0xF6, 0x4E, 0xEC, 0x1B, 0x62, 0x48, 0x0C, + 0x7A, 0xFA, 0x9A, 0xF9, 0x12, 0xA5, 0xC3, 0x3E, 0x67, 0x0B, 0x7A, 0x27, + 0x2B, 0x20, 0xB2, 0x82, 0x5C, 0x86, 0xEA, 0x31, 0x8A, 0x90, 0xE6, 0xFA, + 0x45, 0x36, 0x41, 0x53, 0x78, 0x57, 0x88, 0x76, 
0x97, 0x3D, 0xB0, 0x8A, + 0x43, 0x2B, 0x67, 0x79, 0x96, 0x35, 0x7D, 0xEF, 0x9C, 0x93, 0xBA, 0xD2, + 0x91, 0x86, 0xCF, 0x52, 0xD5, 0x96, 0xAA, 0xD0, 0x45, 0xD8, 0x3C, 0x93, + 0xC4, 0xC2, 0xC3, 0x5F, 0x4A, 0x23, 0xD4, 0xC7, 0xE4, 0x1D, 0x3B, 0xD1, + 0x8F, 0x91, 0x36, 0xFA, 0x64, 0x15, 0xA8, 0xA8, 0xD1, 0x95, 0xCD, 0x2C, + 0x99, 0x8A, 0x34, 0x0A, 0x5E, 0x0E, 0xB0, 0x6A, 0x8E, 0xF2, 0xE8, 0xE9, + 0xF9, 0x67, 0xF6, 0xD6, 0x33, 0xBE, 0xD3, 0xB7, 0x94, 0x8B, 0x27, 0xB2, + 0x33, 0xE2, 0x41, 0xE3, 0x9E, 0x12, 0xE4, 0x21, 0x35, 0x58, 0xD6, 0xDE, + 0xB5, 0xAC, 0xF2, 0x72, 0xC4, 0x32, 0x72, 0xB8, 0x2E, 0x7D, 0xD0, 0xF3, + 0xE3, 0x56, 0x86, 0xFD, 0x5F, 0xD0, 0x66, 0x64, 0xB4, 0x92, 0x27, 0xCA, + 0x36, 0xE1, 0x57, 0x9F, 0xC0, 0x0D, 0x0E, 0xBE, 0xA6, 0x42, 0xAD, 0xD9, + 0x7D, 0x9A, 0x7D, 0x1F, 0x87, 0x17, 0x46, 0x3B, 0xA5, 0x40, 0x9C, 0xD2, + 0x9F, 0xD6, 0x73, 0xC6, 0xFA, 0xD3, 0x03, 0x27, 0x01, 0x59, 0x8D, 0x5F, + 0xB8, 0xAF, 0x2D, 0xCE, 0x06, 0xA2, 0x73, 0xE2, 0xE4, 0xC9, 0xE2, 0x14, + 0x58, 0xA8, 0x2C, 0xC6, 0xBF, 0x72, 0x8E, 0x87, 0x84, 0x81, 0x7B, 0x62, + 0x5A, 0x13, 0x7D, 0xFF, 0x38, 0x9E, 0x97, 0xEF, 0x91, 0x45, 0xB6, 0xC6, + 0xCF, 0x0E, 0xC0, 0xBA, 0x2A, 0xAE, 0x41, 0x44, 0x48, 0xE5, 0x52, 0x45, + 0x15, 0x01, 0xE0, 0xF7, 0x98, 0xAB, 0x45, 0x26, 0x25, 0xCA, 0x95, 0x6D, + 0xB2, 0x04, 0xB7, 0x93, 0x06, 0xE2, 0x8F, 0xF5, 0x59, 0xA7, 0xD6, 0x69, + 0x4D, 0x03, 0x07, 0x45, 0xE7, 0xE6, 0xA4, 0x8A, 0x8B, 0xBD, 0xB8, 0x09, + 0x9F, 0x33, 0xD5, 0x58, 0x88, 0xC3, 0xD8, 0x55, 0x26, 0xCE, 0x94, 0x21, + 0x08, 0x43, 0x36, 0x57, 0xE8, 0x6A, 0x5D, 0x4D, 0x5B, 0x00, 0x4D, 0x58, + 0xB3, 0x29, 0xE4, 0x23, 0xF5, 0x3B, 0x78, 0xD4, 0x3D, 0x08, 0xE3, 0xC2, + 0x26, 0x16, 0x86, 0x4A, 0xD2, 0x5B, 0x08, 0x3D, 0xE4, 0x31, 0x5A, 0x77, + 0x40, 0xFA, 0xC4, 0x4B, 0x78, 0xB1, 0x16, 0xEA, 0x57, 0xA5, 0x63, 0x2A, + 0x7C, 0x4C, 0x0D, 0xF5, 0xD4, 0xD4, 0x1C, 0x7A, 0x28, 0x96, 0xAF, 0xEB, + 0x23, 0x32, 0x2F, 0x84, 0x68, 0x33, 0x94, 0x60, 0xDD, 0x65, 0xBA, 0x4F, + 0x88, 0x25, 0x5F, 0x42, 0x86, 0xD7, 0xF8, 0x3D, 
0x6D, 0xDF, 0xA1, 0x08, + 0x67, 0xCA, 0xFB, 0xB0, 0x0B, 0x3C, 0x0F, 0xB0, 0x69, 0xD5, 0x44, 0x56, + 0x6D, 0xB7, 0xCF, 0x1D, 0xA2, 0x38, 0x3C, 0x72, 0xC7, 0x6C, 0x9D, 0x08, + 0xCF, 0xDE, 0x2D, 0x99, 0x85, 0x8A, 0xD3, 0xC9, 0xCE, 0x59, 0x86, 0x63, + 0x9A, 0x20, 0xD8, 0x54, 0xA6, 0x30, 0xF7, 0x6D, 0xFC, 0x99, 0xDF, 0xF3, + 0x85, 0xD7, 0xCE, 0xEC, 0x83, 0x9B, 0x45, 0x3C, 0xA9, 0x7B, 0x52, 0xBB, + 0xB6, 0x31, 0xCF, 0x1F, 0xD2, 0x99, 0x1D, 0x5A, 0x30, 0xB5, 0x63, 0x3E, + 0x28, 0x0B, 0xA4, 0x61, 0xD9, 0xE9, 0xBD, 0x04, 0x70, 0x76, 0x83, 0x4C, + 0x35, 0x60, 0x7A, 0x0A, 0x55, 0x6C, 0x9C, 0x9F, 0x6A, 0x42, 0xBE, 0x1F, + 0xDD, 0x89, 0x55, 0x87, 0x48, 0xF3, 0xBB, 0x64, 0x17, 0xFA, 0x17, 0x60, + 0xC4, 0xDC, 0xB6, 0xBF, 0xB7, 0x56, 0x64, 0x6E, 0x0A, 0xC3, 0x6B, 0x33, + 0x8A, 0xAC, 0x6C, 0x97, 0x86, 0xB4, 0x27, 0x0D, 0xB0, 0x36, 0x3F, 0x3C, + 0x6D, 0x7C, 0x66, 0x13, 0x94, 0xFB, 0x0E, 0x8E, 0xE8, 0x0E, 0x49, 0xEF, + 0xD0, 0x0E}; // mldsa65kPublicKey is an example ML-DSA-65 public key static const uint8_t mldsa65kPublicKey[] = { -0x9B, 0x77, 0xAB, 0x96, 0x9D, 0x65, 0xA2, 0xC1, 0x55, 0x65, 0x02, 0x9B, 0xA5, -0xD4, 0xE5, 0x93, 0xA1, 0xAC, 0xE7, 0x3E, 0x8C, 0x61, 0xB7, 0xCB, 0xA1, 0x3E, -0x74, 0x8A, 0xC9, 0xC0, 0xA0, 0x63, 0x4A, 0xF6, 0xF4, 0x1C, 0x72, 0x37, 0xB0, -0x31, 0x9E, 0xB7, 0x51, 0x55, 0xCF, 0x5B, 0x4E, 0x03, 0x46, 0x7C, 0x26, 0xBE, -0x84, 0x73, 0xD8, 0x50, 0xDF, 0x72, 0x87, 0xC0, 0x18, 0xED, 0xE7, 0xE4, 0x12, -0x4F, 0xCA, 0x4E, 0x1A, 0xFA, 0x76, 0x82, 0xD4, 0xA6, 0x3E, 0xDA, 0xEC, 0x74, -0x53, 0xFF, 0xDD, 0x69, 0x5C, 0x9F, 0xFD, 0x69, 0xA3, 0xED, 0x4F, 0xEB, 0xFB, -0xEF, 0xD2, 0x98, 0x8B, 0x45, 0x06, 0xBA, 0xD5, 0xF8, 0x9E, 0x0A, 0x2D, 0xA2, -0xC7, 0x96, 0x4B, 0x79, 0xE9, 0xA9, 0xA6, 0x73, 0x69, 0xF8, 0x8C, 0x01, 0x69, -0xF2, 0x66, 0x05, 0x37, 0x31, 0x65, 0xA9, 0x09, 0x3E, 0x0E, 0x73, 0x95, 0x67, -0xC9, 0x33, 0xA6, 0x57, 0xDF, 0xDD, 0xC0, 0x55, 0x1A, 0x89, 0x6F, 0xC8, 0x30, -0x71, 0x68, 0x3C, 0x2A, 0x7E, 0x61, 0x86, 0xAC, 0x70, 0x6A, 0x27, 0x31, 0x9B, -0x9A, 0xEC, 0x8F, 
0x37, 0x2B, 0x71, 0x91, 0x91, 0x6C, 0x8B, 0x35, 0xED, 0xF1, -0x97, 0x87, 0x58, 0xD1, 0x4F, 0xF2, 0x06, 0x23, 0xE6, 0x1C, 0x44, 0x63, 0x02, -0x9E, 0x09, 0x76, 0x6C, 0x72, 0xBD, 0x0D, 0xB3, 0xE2, 0x1D, 0x92, 0xAA, 0x8D, -0x7B, 0x78, 0xD8, 0xB3, 0xA7, 0x5A, 0xAB, 0xBF, 0x22, 0xBB, 0x30, 0x5B, 0xFB, -0xB4, 0x3C, 0x52, 0xD2, 0xA2, 0xED, 0x3B, 0x99, 0x43, 0xCB, 0x29, 0x66, 0x2A, -0xBD, 0x52, 0x1B, 0x1C, 0xB4, 0xE5, 0xE3, 0x6E, 0xFF, 0xAD, 0xEF, 0x8B, 0xE1, -0xF9, 0xB5, 0x5E, 0xCB, 0xF2, 0x8E, 0xCD, 0x53, 0x39, 0xBE, 0xBE, 0x61, 0x72, -0x86, 0x31, 0x65, 0xA0, 0xFC, 0xC1, 0xFC, 0x31, 0x79, 0x93, 0xDF, 0x76, 0x13, -0x71, 0xE4, 0x61, 0x0F, 0x6B, 0x32, 0x78, 0xD2, 0x24, 0xB7, 0x8C, 0xE8, 0x84, -0xE3, 0xB8, 0xF6, 0x04, 0xF3, 0x30, 0xE9, 0x5B, 0xA5, 0xD8, 0x94, 0xA7, 0xA3, -0xF0, 0xE8, 0xAC, 0x70, 0x32, 0x42, 0xB5, 0x08, 0xEE, 0x2A, 0x77, 0xFA, 0x04, -0x49, 0xE9, 0x7A, 0xB7, 0x0A, 0x95, 0x05, 0x86, 0x33, 0xA5, 0xE4, 0x5A, 0xC6, -0xE1, 0xE7, 0x48, 0xBD, 0xBA, 0x80, 0xE7, 0x21, 0x61, 0x45, 0x24, 0x5E, 0xA9, -0x7F, 0x2D, 0x75, 0x0F, 0xE9, 0xEE, 0x79, 0x88, 0x64, 0xF3, 0xE7, 0x0C, 0xA0, -0xEB, 0x93, 0x2C, 0x6B, 0xD3, 0x51, 0x12, 0xE7, 0x62, 0x8D, 0x71, 0x10, 0x6D, -0x5B, 0x3A, 0x27, 0xF4, 0xEA, 0x80, 0xFC, 0xCD, 0x58, 0x81, 0x43, 0xEB, 0xA0, -0x4E, 0xF5, 0xA1, 0x68, 0x67, 0x74, 0x7C, 0x14, 0x12, 0xA6, 0x78, 0xC2, 0x08, -0x58, 0x3F, 0x20, 0x96, 0x52, 0xD2, 0x61, 0xDA, 0xED, 0x5F, 0x7F, 0xAD, 0x40, -0x93, 0x21, 0xEB, 0xC4, 0x37, 0x5C, 0xD1, 0x72, 0xE6, 0x06, 0x37, 0xD9, 0xF6, -0x09, 0xD4, 0xC9, 0x6D, 0xED, 0x07, 0xF6, 0xD2, 0x15, 0x94, 0xFD, 0xF6, 0xC3, -0x09, 0x60, 0x6D, 0x6A, 0x23, 0x50, 0x8C, 0xDD, 0x61, 0xDD, 0x66, 0x81, 0xB0, -0xAC, 0x7C, 0xE7, 0x7F, 0xED, 0x3C, 0x2F, 0x19, 0xB5, 0xF9, 0xB7, 0x2E, 0x35, -0xF7, 0xF4, 0x98, 0x0E, 0x6A, 0x9E, 0x6D, 0xAC, 0xF1, 0x0F, 0x90, 0x25, 0xED, -0xC5, 0x94, 0x9E, 0x10, 0x29, 0x97, 0x47, 0x05, 0x3D, 0x03, 0x6F, 0x69, 0xAE, -0x84, 0x08, 0x9B, 0x33, 0x0C, 0x1F, 0x26, 0x65, 0xC7, 0x86, 0x25, 0x10, 0x11, -0x97, 0x33, 0x3D, 0x98, 0x43, 0xB5, 0x7F, 
0x9C, 0x19, 0x62, 0xE5, 0x46, 0x6D, -0x3B, 0xA2, 0xDC, 0xD4, 0x17, 0x85, 0x9A, 0xE8, 0x2C, 0xF3, 0x01, 0x5F, 0x39, -0xD1, 0xBC, 0x07, 0x8E, 0xAC, 0xC9, 0x28, 0x0C, 0x7B, 0xD8, 0x02, 0xFE, 0x46, -0x12, 0xA8, 0xBD, 0x0E, 0x6B, 0x23, 0x65, 0x5B, 0xAA, 0xFC, 0x32, 0x20, 0xF7, -0xCC, 0xC7, 0x06, 0x80, 0x09, 0x0A, 0x95, 0xD9, 0x69, 0xED, 0x3C, 0x6C, 0xEB, -0x62, 0x28, 0xE6, 0x4E, 0xF4, 0xFA, 0x9B, 0x5C, 0x36, 0x07, 0xE0, 0x25, 0x20, -0xB8, 0xF4, 0x1F, 0x2E, 0x78, 0x21, 0xEE, 0xFA, 0x9E, 0x80, 0x14, 0xAD, 0xAD, -0x83, 0x39, 0x2E, 0xD0, 0xE9, 0x56, 0xE3, 0x88, 0x0C, 0xC4, 0xD7, 0xBE, 0xB1, -0xE4, 0xD0, 0x42, 0xE6, 0xED, 0xDC, 0x44, 0x65, 0x51, 0x1F, 0x95, 0x9A, 0xAA, -0xBF, 0x83, 0x7B, 0xD7, 0x14, 0x23, 0x18, 0x81, 0x91, 0x0A, 0x07, 0x97, 0x10, -0x6F, 0x3C, 0x16, 0xF2, 0xF0, 0x3E, 0xE1, 0x45, 0x40, 0xB0, 0x39, 0x98, 0x33, -0x55, 0xFF, 0x7E, 0x75, 0x31, 0xE0, 0x10, 0x16, 0x81, 0x36, 0x56, 0x86, 0x34, -0x1C, 0x61, 0x10, 0x25, 0xAE, 0x98, 0x6E, 0xBE, 0xC9, 0x47, 0xCD, 0x14, 0x1C, -0x52, 0x8C, 0x27, 0xEE, 0x28, 0xDA, 0x18, 0x96, 0x4D, 0x16, 0x6D, 0x17, 0x2E, -0x5B, 0x7E, 0x88, 0x70, 0xC8, 0x3D, 0x31, 0x34, 0xE5, 0xEA, 0x08, 0x40, 0x25, -0x7B, 0x03, 0x75, 0x47, 0xAD, 0x19, 0x02, 0x7E, 0xCC, 0xB6, 0x43, 0xD1, 0xC9, -0xB2, 0x95, 0x7F, 0x9F, 0x93, 0xC4, 0xD7, 0x33, 0x5A, 0x7E, 0xA4, 0x51, 0x58, -0xC5, 0xA7, 0x23, 0x25, 0xF8, 0xF4, 0xDE, 0xEF, 0x84, 0x72, 0x0E, 0x8D, 0xE7, -0x9E, 0x1E, 0x40, 0xB3, 0xA6, 0x58, 0x34, 0x4E, 0xB8, 0x56, 0x6B, 0xA1, 0x50, -0x2B, 0x1C, 0xF9, 0xA6, 0x88, 0x21, 0x34, 0x79, 0x99, 0x5F, 0x24, 0xD6, 0x96, -0x67, 0xB5, 0x7E, 0x9C, 0xD2, 0xFB, 0x11, 0x40, 0xA6, 0xE6, 0x20, 0xD2, 0x8C, -0x38, 0x62, 0x9B, 0xC1, 0xD7, 0x57, 0x42, 0xE0, 0xD7, 0x34, 0xF3, 0x90, 0xF9, -0x60, 0xDD, 0xEA, 0x24, 0x67, 0x6A, 0xC0, 0xC7, 0xEF, 0xA7, 0x1B, 0xDC, 0xAD, -0x3D, 0x0D, 0x17, 0x90, 0x66, 0x70, 0xB2, 0x98, 0x24, 0x1B, 0x58, 0x79, 0xAC, -0x3E, 0x61, 0x9C, 0x67, 0xB4, 0xEE, 0x09, 0x06, 0x20, 0xCE, 0x39, 0x03, 0x57, -0xD4, 0xB5, 0x44, 0x3C, 0x35, 0x80, 0xDD, 0xEF, 0xC3, 0xC5, 0xC4, 
0x93, 0x79, -0xF8, 0x84, 0x60, 0x31, 0x27, 0xB7, 0xF8, 0xEB, 0x63, 0xE8, 0x75, 0x74, 0x31, -0x29, 0xF4, 0xE7, 0x06, 0x51, 0x74, 0x72, 0x71, 0x9D, 0xA1, 0x3F, 0x3C, 0x73, -0xCF, 0x07, 0xA9, 0x98, 0x23, 0x1F, 0x62, 0x9C, 0x9E, 0x27, 0xFD, 0x1E, 0xC8, -0x1C, 0xB9, 0xBD, 0x16, 0xB5, 0x4C, 0x1A, 0xC2, 0x8D, 0xCF, 0x4D, 0xB8, 0xC2, -0x4D, 0x94, 0xE6, 0x12, 0x6D, 0x14, 0xFA, 0x2B, 0xF4, 0x4A, 0x2B, 0xD9, 0x7D, -0xEF, 0xF8, 0x81, 0x2C, 0xF7, 0x7B, 0x98, 0x44, 0x12, 0x58, 0xD5, 0x82, 0xAA, -0xED, 0x49, 0x40, 0x87, 0xBA, 0x11, 0x29, 0x7E, 0xFD, 0x04, 0x67, 0x20, 0x5D, -0x2B, 0x79, 0x42, 0x07, 0x03, 0x5C, 0x36, 0xD7, 0xBE, 0x72, 0xCA, 0x13, 0xCF, -0x93, 0x2D, 0xD8, 0xA9, 0xEE, 0x06, 0x0B, 0xCF, 0x5A, 0x46, 0x88, 0x57, 0x9E, -0x18, 0x92, 0x3B, 0x5F, 0x2F, 0x86, 0xCD, 0x3D, 0x49, 0xF6, 0xA3, 0x05, 0xE6, -0xE4, 0x68, 0xA4, 0x79, 0xA6, 0xEE, 0x85, 0xF4, 0x2B, 0xF6, 0x6E, 0x1B, 0x7A, -0xBD, 0x77, 0xEA, 0x6A, 0xC9, 0x31, 0x34, 0x8E, 0x5F, 0xC2, 0xF3, 0x87, 0x3D, -0x8F, 0xD7, 0xB0, 0x16, 0x28, 0x3F, 0x2C, 0x87, 0xA0, 0xA3, 0x56, 0xE8, 0x21, -0x83, 0x53, 0xCB, 0xE9, 0x1D, 0x28, 0x57, 0x93, 0xDB, 0x5B, 0xE9, 0xF0, 0x7B, -0x7F, 0xF4, 0x6A, 0x51, 0x48, 0xFC, 0xAB, 0xF5, 0x3B, 0x44, 0xA7, 0x5E, 0x67, -0x3A, 0x6B, 0x43, 0x9C, 0xD1, 0x03, 0xDF, 0xF8, 0xD5, 0x7F, 0x7B, 0x09, 0x62, -0xBF, 0x28, 0xBD, 0xC6, 0x3E, 0xC3, 0x6C, 0x91, 0x01, 0x45, 0x3F, 0xE2, 0x1F, -0xEF, 0x2A, 0x8F, 0xB2, 0x1B, 0x72, 0x35, 0x4D, 0x18, 0x6F, 0x4D, 0x57, 0xBF, -0x6A, 0x69, 0x02, 0x69, 0x4A, 0xE5, 0x5F, 0x74, 0xF7, 0x69, 0x5B, 0x89, 0x08, -0xCE, 0xCE, 0x15, 0x56, 0x3F, 0x21, 0x1A, 0xB8, 0xEC, 0x4D, 0xB0, 0x7E, 0x0F, -0x89, 0xB0, 0x5C, 0x6D, 0xDB, 0x53, 0x9E, 0xA9, 0x27, 0x28, 0x52, 0xE5, 0x9E, -0x1F, 0xEF, 0x84, 0x1A, 0x9A, 0xAE, 0x86, 0x8B, 0x25, 0x3B, 0xC6, 0x3B, 0x8E, -0x9C, 0x32, 0xD9, 0x89, 0x3B, 0xA2, 0xCB, 0x59, 0x35, 0xC3, 0x71, 0xEE, 0x22, -0x0C, 0x61, 0xEA, 0x59, 0x33, 0x25, 0x39, 0xAF, 0xF0, 0x12, 0x81, 0x55, 0x4A, -0x9D, 0x0C, 0x3E, 0x5E, 0x34, 0x9F, 0xA7, 0xD8, 0xC5, 0xB5, 0x0A, 0xC3, 0xA2, -0x00, 0x3F, 
0x59, 0x3D, 0x07, 0x5F, 0x2B, 0xC1, 0x6F, 0x6A, 0xE3, 0x94, 0x90, -0xAF, 0x81, 0x11, 0x82, 0x89, 0xF4, 0x9D, 0x8B, 0x05, 0xE2, 0x7C, 0x22, 0x02, -0xEC, 0x00, 0x38, 0x39, 0xED, 0x04, 0xB2, 0xC9, 0xD8, 0xA1, 0x1B, 0xED, 0xB9, -0xE1, 0x62, 0x82, 0xC4, 0xCC, 0xA0, 0x61, 0xEE, 0x7A, 0x17, 0xA0, 0x99, 0xAC, -0xAC, 0x85, 0xA7, 0x5F, 0xC9, 0xC3, 0xC5, 0x63, 0x8F, 0x5A, 0xE7, 0x41, 0xAC, -0xB7, 0x89, 0x13, 0x38, 0xD8, 0x58, 0xBF, 0x71, 0xA5, 0x4F, 0x9D, 0x4C, 0x72, -0x57, 0x88, 0x2E, 0xAB, 0xD4, 0x74, 0xDE, 0x46, 0x9F, 0xF4, 0xBA, 0xB1, 0x55, -0x6A, 0x18, 0xF4, 0x87, 0xB9, 0x24, 0xA7, 0xD9, 0xF4, 0x9A, 0x3C, 0xEF, 0xF4, -0xA2, 0x2D, 0x0F, 0xC9, 0xE4, 0x45, 0xC2, 0xC9, 0x6F, 0x2D, 0xB6, 0xDA, 0xE6, -0x89, 0x38, 0x80, 0x2A, 0x89, 0xE2, 0xF5, 0x3D, 0x77, 0x5E, 0x61, 0x6E, 0x9C, -0xF9, 0x87, 0x89, 0xD4, 0x70, 0x23, 0x79, 0x93, 0xDA, 0xCE, 0x62, 0x89, 0xEB, -0x13, 0x77, 0xB0, 0x49, 0xB2, 0xF9, 0xFC, 0x84, 0xD3, 0x06, 0xD2, 0x8D, 0x5A, -0x94, 0x64, 0xC1, 0xA8, 0x9A, 0x60, 0x57, 0x8A, 0x8F, 0x62, 0x4A, 0x78, 0x12, -0x6B, 0x87, 0x6F, 0x6D, 0xC8, 0x32, 0xF3, 0xC6, 0x8D, 0xDB, 0x3A, 0x67, 0x95, -0xCD, 0xAF, 0x48, 0x28, 0x79, 0xC2, 0xB6, 0xDB, 0xD8, 0xFE, 0x82, 0x15, 0xE6, -0xE4, 0xEC, 0x79, 0xE2, 0xB4, 0x21, 0x5C, 0x30, 0x45, 0xD7, 0x3B, 0xA0, 0x1A, -0x3B, 0xAA, 0x3D, 0x6C, 0x1C, 0xC3, 0x1E, 0xDE, 0x4D, 0x75, 0x1D, 0x9A, 0x96, -0x51, 0xF9, 0x4F, 0x10, 0x28, 0x7E, 0x88, 0xEE, 0x3B, 0x93, 0x4A, 0x0B, 0x09, -0x44, 0x9C, 0x20, 0x34, 0xF6, 0xEE, 0x6F, 0x26, 0xB9, 0x4C, 0x76, 0xCC, 0xE1, -0x6F, 0x09, 0x91, 0xAF, 0x48, 0x8C, 0xC4, 0x31, 0xA2, 0xF9, 0x44, 0x77, 0x19, -0xA7, 0x00, 0x33, 0x77, 0x31, 0xF2, 0xF5, 0xF7, 0x30, 0xDF, 0xAB, 0xFE, 0x7E, -0xE6, 0x83, 0xE1, 0xC9, 0x2A, 0xC8, 0xE0, 0xA6, 0xAC, 0x5A, 0x28, 0x7F, 0xC4, -0x0B, 0xEB, 0x55, 0xD9, 0x5D, 0xBD, 0xB5, 0xD2, 0xF6, 0xB4, 0xA9, 0x76, 0x2B, -0x35, 0x10, 0x36, 0x3B, 0xCC, 0x61, 0x6C, 0x79, 0xCE, 0xC3, 0x9A, 0x02, 0x9A, -0x00, 0xBA, 0x43, 0x20, 0x3F, 0x26, 0x36, 0x66, 0x07, 0x11, 0x68, 0x51, 0x47, -0xBE, 0x78, 0xED, 0x4A, 0xFA, 0xBC, 
0xDA, 0xCD, 0xFD, 0x02, 0xDB, 0xD1, 0x8B, -0xE0, 0xBD, 0x13, 0xFE, 0xED, 0x26, 0x77, 0xE4, 0x83, 0xAE, 0xB7, 0xAB, 0xFD, -0x2A, 0x5E, 0xA3, 0x28, 0xFD, 0x90, 0x40, 0x3D, 0x34, 0xF7, 0xF8, 0x35, 0x80, -0xF6, 0x6F, 0xA0, 0xE9, 0xCD, 0x9A, 0x54, 0x6F, 0x41, 0xA5, 0xC7, 0xED, 0xEA, -0xDC, 0x52, 0x23, 0xF1, 0x96, 0x19, 0x8E, 0x2B, 0x94, 0x3F, 0xD9, 0x27, 0x60, -0x1E, 0x27, 0xC1, 0x39, 0x68, 0x78, 0x7B, 0x47, 0x8F, 0xCC, 0xCD, 0xBE, 0xE4, -0xBD, 0x0B, 0x73, 0x03, 0xFB, 0xFE, 0xC0, 0x50, 0x38, 0x70, 0xDF, 0x81, 0x5D, -0x22, 0x4C, 0x5B, 0xCB, 0x27, 0x5D, 0xD2, 0x94, 0x64, 0x0A, 0x88, 0x67, 0x31, -0xE9, 0x08, 0xF0, 0x88, 0x20, 0xF2, 0x86, 0xCA, 0xBD, 0x18, 0x5F, 0x34, 0xD0, -0x96, 0x0D, 0x4A, 0x62, 0x4D, 0xBE, 0xE8, 0xA6, 0x04, 0xA6, 0x69, 0xCE, 0xCD, -0xE9, 0x5A, 0x1D, 0xD2, 0xF8, 0xCF, 0x19, 0x06, 0x17, 0x05, 0x82, 0x6B, 0x60, -0x3E, 0x5E, 0x6B, 0x1D, 0x1E, 0x13, 0x51, 0x5D, 0xFE, 0x95, 0x38, 0x33, 0x62, -0x9B, 0xBF, 0xD5, 0x3E, 0x3B, 0x8B, 0xD2, 0x6F, 0x24, 0x6D, 0x24, 0xC9, 0x0D, -0x2D, 0x52, 0xBF, 0xDA, 0xCE, 0x5E, 0xFE, 0x9D, 0xB8, 0x5D, 0x61, 0x57, 0xBC, -0x8C, 0x7A, 0x17, 0x75, 0x80, 0xEE, 0x52, 0x2F, 0xF5, 0x25, 0x48, 0x3A, 0x9E, -0x27, 0xF4, 0xEB, 0xE1, 0x01, 0xE4, 0xA7, 0x48, 0x93, 0xAA, 0x92, 0x68, 0xC0, -0x3B, 0x1A, 0x5A, 0xC5, 0x6D, 0xD0, 0x91, 0xB9, 0x8D, 0x44, 0xD4, 0xE1, 0x9C, -0x74, 0xEA, 0x14, 0xFA, 0xF6, 0x1E, 0x01, 0xC0, 0x89, 0x24, 0x90, 0x71, 0xAF, -0xF5, 0x2D, 0x6C, 0x35, 0x13, 0xA6, 0x73, 0x14, 0xAC, 0xE5, 0xAE, 0x88, 0x2F, -0x9D, 0x77, 0x3B, 0x8F, 0x61, 0xB1, 0x47, 0x66, 0x72, 0x14, 0x91, 0x40, 0xD7, -0x50, 0xDC, 0xEA, 0xFF, 0x49, 0x9E, 0x17, 0x75, 0x25, 0x49, 0x7C, 0x57, 0x41, -0xA7, 0x8C, 0x4D, 0x3B, 0x94, 0x9D, 0x65, 0x83, 0x62, 0x6F, 0x16, 0xBF, 0x0C, -0x87, 0x03, 0x61, 0xB4, 0x3B, 0x60, 0x6D, 0x07, 0x56, 0xB8, 0x1F, 0x89, 0xAD, -0x00, 0x25, 0x10, 0x4A, 0x34, 0x4C, 0x9A, 0x26, 0xDA, 0x06, 0x25, 0x9C, 0x91, -0xA6, 0xA5, 0xAD, 0x4D, 0x6E, 0xE9, 0x2F, 0x18, 0xC4, 0x1D, 0x09, 0xE1, 0xAA, -0x66, 0x01, 0x31, 0x6D, 0x12, 0x30, 0xED, 0x97, 0x3F, 0x67, 
0xCE, 0x4E, 0x26, -0x0B, 0xF5, 0x5E, 0x81, 0xA7, 0x1F, 0x83, 0x68, 0x91, 0xC3, 0xD0, 0x4C, 0x2E, -0xD4, 0xDE, 0xEF, 0x34, 0xF9, 0x61, 0x83, 0x6F, 0xD6, 0x6E, 0x40, 0x87, 0x48, -0x7E, 0xCF, 0x56, 0x42, 0x21, 0xBA, 0x40, 0x64, 0x17, 0xFA, 0x97, 0xFF, 0x8D, -0xC8, 0x32, 0xFA, 0xB7, 0x45, 0xB0, 0xEC, 0xBD, 0x0E, 0x51, 0x63, 0x90, 0x05, -0x68, 0x7A, 0x45, 0x86, 0x68, 0x2A, 0x0E, 0x81, 0x5F, 0xDD, 0x12, 0xAD, 0x48, -0xF6, 0x87, 0x2E, 0x8D, 0xF6, 0x86, 0xC3, 0x6D, 0x69, 0xD5, 0x4E, 0x52, 0x8A, -0x8E, 0xE8, 0x01, 0x56, 0x11, 0xCC, 0x2E, 0x3F, 0xB5, 0x46, 0x1D, 0xF6, 0x6E, -0x4A, 0xEE, 0x1C, 0x60, 0x15, 0x85, 0xF6, 0x40, 0xFD, 0x56, 0xDC, 0x10, 0x01, -0xC3, 0xBD, 0xAE, 0x5A, 0x13, 0x1F, 0x15, 0x16, 0x10, 0x92, 0xC5, 0x02, 0xC2, -0x81, 0xB5, 0x6A, 0x4D, 0x37, 0x29, 0x40, 0x8B, 0xAA, 0x5F, 0xC9, 0x4C, 0x26, -0x7B, 0x2C, 0x21, 0x9E, 0xE2, 0xF2, 0x5A, 0x20, 0x88, 0x3F, 0x40, 0x30, 0xC5, -0x64, 0x0E}; + 0x9B, 0x77, 0xAB, 0x96, 0x9D, 0x65, 0xA2, 0xC1, 0x55, 0x65, 0x02, 0x9B, + 0xA5, 0xD4, 0xE5, 0x93, 0xA1, 0xAC, 0xE7, 0x3E, 0x8C, 0x61, 0xB7, 0xCB, + 0xA1, 0x3E, 0x74, 0x8A, 0xC9, 0xC0, 0xA0, 0x63, 0x4A, 0xF6, 0xF4, 0x1C, + 0x72, 0x37, 0xB0, 0x31, 0x9E, 0xB7, 0x51, 0x55, 0xCF, 0x5B, 0x4E, 0x03, + 0x46, 0x7C, 0x26, 0xBE, 0x84, 0x73, 0xD8, 0x50, 0xDF, 0x72, 0x87, 0xC0, + 0x18, 0xED, 0xE7, 0xE4, 0x12, 0x4F, 0xCA, 0x4E, 0x1A, 0xFA, 0x76, 0x82, + 0xD4, 0xA6, 0x3E, 0xDA, 0xEC, 0x74, 0x53, 0xFF, 0xDD, 0x69, 0x5C, 0x9F, + 0xFD, 0x69, 0xA3, 0xED, 0x4F, 0xEB, 0xFB, 0xEF, 0xD2, 0x98, 0x8B, 0x45, + 0x06, 0xBA, 0xD5, 0xF8, 0x9E, 0x0A, 0x2D, 0xA2, 0xC7, 0x96, 0x4B, 0x79, + 0xE9, 0xA9, 0xA6, 0x73, 0x69, 0xF8, 0x8C, 0x01, 0x69, 0xF2, 0x66, 0x05, + 0x37, 0x31, 0x65, 0xA9, 0x09, 0x3E, 0x0E, 0x73, 0x95, 0x67, 0xC9, 0x33, + 0xA6, 0x57, 0xDF, 0xDD, 0xC0, 0x55, 0x1A, 0x89, 0x6F, 0xC8, 0x30, 0x71, + 0x68, 0x3C, 0x2A, 0x7E, 0x61, 0x86, 0xAC, 0x70, 0x6A, 0x27, 0x31, 0x9B, + 0x9A, 0xEC, 0x8F, 0x37, 0x2B, 0x71, 0x91, 0x91, 0x6C, 0x8B, 0x35, 0xED, + 0xF1, 0x97, 0x87, 0x58, 0xD1, 0x4F, 0xF2, 0x06, 0x23, 0xE6, 
0x1C, 0x44, + 0x63, 0x02, 0x9E, 0x09, 0x76, 0x6C, 0x72, 0xBD, 0x0D, 0xB3, 0xE2, 0x1D, + 0x92, 0xAA, 0x8D, 0x7B, 0x78, 0xD8, 0xB3, 0xA7, 0x5A, 0xAB, 0xBF, 0x22, + 0xBB, 0x30, 0x5B, 0xFB, 0xB4, 0x3C, 0x52, 0xD2, 0xA2, 0xED, 0x3B, 0x99, + 0x43, 0xCB, 0x29, 0x66, 0x2A, 0xBD, 0x52, 0x1B, 0x1C, 0xB4, 0xE5, 0xE3, + 0x6E, 0xFF, 0xAD, 0xEF, 0x8B, 0xE1, 0xF9, 0xB5, 0x5E, 0xCB, 0xF2, 0x8E, + 0xCD, 0x53, 0x39, 0xBE, 0xBE, 0x61, 0x72, 0x86, 0x31, 0x65, 0xA0, 0xFC, + 0xC1, 0xFC, 0x31, 0x79, 0x93, 0xDF, 0x76, 0x13, 0x71, 0xE4, 0x61, 0x0F, + 0x6B, 0x32, 0x78, 0xD2, 0x24, 0xB7, 0x8C, 0xE8, 0x84, 0xE3, 0xB8, 0xF6, + 0x04, 0xF3, 0x30, 0xE9, 0x5B, 0xA5, 0xD8, 0x94, 0xA7, 0xA3, 0xF0, 0xE8, + 0xAC, 0x70, 0x32, 0x42, 0xB5, 0x08, 0xEE, 0x2A, 0x77, 0xFA, 0x04, 0x49, + 0xE9, 0x7A, 0xB7, 0x0A, 0x95, 0x05, 0x86, 0x33, 0xA5, 0xE4, 0x5A, 0xC6, + 0xE1, 0xE7, 0x48, 0xBD, 0xBA, 0x80, 0xE7, 0x21, 0x61, 0x45, 0x24, 0x5E, + 0xA9, 0x7F, 0x2D, 0x75, 0x0F, 0xE9, 0xEE, 0x79, 0x88, 0x64, 0xF3, 0xE7, + 0x0C, 0xA0, 0xEB, 0x93, 0x2C, 0x6B, 0xD3, 0x51, 0x12, 0xE7, 0x62, 0x8D, + 0x71, 0x10, 0x6D, 0x5B, 0x3A, 0x27, 0xF4, 0xEA, 0x80, 0xFC, 0xCD, 0x58, + 0x81, 0x43, 0xEB, 0xA0, 0x4E, 0xF5, 0xA1, 0x68, 0x67, 0x74, 0x7C, 0x14, + 0x12, 0xA6, 0x78, 0xC2, 0x08, 0x58, 0x3F, 0x20, 0x96, 0x52, 0xD2, 0x61, + 0xDA, 0xED, 0x5F, 0x7F, 0xAD, 0x40, 0x93, 0x21, 0xEB, 0xC4, 0x37, 0x5C, + 0xD1, 0x72, 0xE6, 0x06, 0x37, 0xD9, 0xF6, 0x09, 0xD4, 0xC9, 0x6D, 0xED, + 0x07, 0xF6, 0xD2, 0x15, 0x94, 0xFD, 0xF6, 0xC3, 0x09, 0x60, 0x6D, 0x6A, + 0x23, 0x50, 0x8C, 0xDD, 0x61, 0xDD, 0x66, 0x81, 0xB0, 0xAC, 0x7C, 0xE7, + 0x7F, 0xED, 0x3C, 0x2F, 0x19, 0xB5, 0xF9, 0xB7, 0x2E, 0x35, 0xF7, 0xF4, + 0x98, 0x0E, 0x6A, 0x9E, 0x6D, 0xAC, 0xF1, 0x0F, 0x90, 0x25, 0xED, 0xC5, + 0x94, 0x9E, 0x10, 0x29, 0x97, 0x47, 0x05, 0x3D, 0x03, 0x6F, 0x69, 0xAE, + 0x84, 0x08, 0x9B, 0x33, 0x0C, 0x1F, 0x26, 0x65, 0xC7, 0x86, 0x25, 0x10, + 0x11, 0x97, 0x33, 0x3D, 0x98, 0x43, 0xB5, 0x7F, 0x9C, 0x19, 0x62, 0xE5, + 0x46, 0x6D, 0x3B, 0xA2, 0xDC, 0xD4, 0x17, 0x85, 0x9A, 0xE8, 
0x2C, 0xF3, + 0x01, 0x5F, 0x39, 0xD1, 0xBC, 0x07, 0x8E, 0xAC, 0xC9, 0x28, 0x0C, 0x7B, + 0xD8, 0x02, 0xFE, 0x46, 0x12, 0xA8, 0xBD, 0x0E, 0x6B, 0x23, 0x65, 0x5B, + 0xAA, 0xFC, 0x32, 0x20, 0xF7, 0xCC, 0xC7, 0x06, 0x80, 0x09, 0x0A, 0x95, + 0xD9, 0x69, 0xED, 0x3C, 0x6C, 0xEB, 0x62, 0x28, 0xE6, 0x4E, 0xF4, 0xFA, + 0x9B, 0x5C, 0x36, 0x07, 0xE0, 0x25, 0x20, 0xB8, 0xF4, 0x1F, 0x2E, 0x78, + 0x21, 0xEE, 0xFA, 0x9E, 0x80, 0x14, 0xAD, 0xAD, 0x83, 0x39, 0x2E, 0xD0, + 0xE9, 0x56, 0xE3, 0x88, 0x0C, 0xC4, 0xD7, 0xBE, 0xB1, 0xE4, 0xD0, 0x42, + 0xE6, 0xED, 0xDC, 0x44, 0x65, 0x51, 0x1F, 0x95, 0x9A, 0xAA, 0xBF, 0x83, + 0x7B, 0xD7, 0x14, 0x23, 0x18, 0x81, 0x91, 0x0A, 0x07, 0x97, 0x10, 0x6F, + 0x3C, 0x16, 0xF2, 0xF0, 0x3E, 0xE1, 0x45, 0x40, 0xB0, 0x39, 0x98, 0x33, + 0x55, 0xFF, 0x7E, 0x75, 0x31, 0xE0, 0x10, 0x16, 0x81, 0x36, 0x56, 0x86, + 0x34, 0x1C, 0x61, 0x10, 0x25, 0xAE, 0x98, 0x6E, 0xBE, 0xC9, 0x47, 0xCD, + 0x14, 0x1C, 0x52, 0x8C, 0x27, 0xEE, 0x28, 0xDA, 0x18, 0x96, 0x4D, 0x16, + 0x6D, 0x17, 0x2E, 0x5B, 0x7E, 0x88, 0x70, 0xC8, 0x3D, 0x31, 0x34, 0xE5, + 0xEA, 0x08, 0x40, 0x25, 0x7B, 0x03, 0x75, 0x47, 0xAD, 0x19, 0x02, 0x7E, + 0xCC, 0xB6, 0x43, 0xD1, 0xC9, 0xB2, 0x95, 0x7F, 0x9F, 0x93, 0xC4, 0xD7, + 0x33, 0x5A, 0x7E, 0xA4, 0x51, 0x58, 0xC5, 0xA7, 0x23, 0x25, 0xF8, 0xF4, + 0xDE, 0xEF, 0x84, 0x72, 0x0E, 0x8D, 0xE7, 0x9E, 0x1E, 0x40, 0xB3, 0xA6, + 0x58, 0x34, 0x4E, 0xB8, 0x56, 0x6B, 0xA1, 0x50, 0x2B, 0x1C, 0xF9, 0xA6, + 0x88, 0x21, 0x34, 0x79, 0x99, 0x5F, 0x24, 0xD6, 0x96, 0x67, 0xB5, 0x7E, + 0x9C, 0xD2, 0xFB, 0x11, 0x40, 0xA6, 0xE6, 0x20, 0xD2, 0x8C, 0x38, 0x62, + 0x9B, 0xC1, 0xD7, 0x57, 0x42, 0xE0, 0xD7, 0x34, 0xF3, 0x90, 0xF9, 0x60, + 0xDD, 0xEA, 0x24, 0x67, 0x6A, 0xC0, 0xC7, 0xEF, 0xA7, 0x1B, 0xDC, 0xAD, + 0x3D, 0x0D, 0x17, 0x90, 0x66, 0x70, 0xB2, 0x98, 0x24, 0x1B, 0x58, 0x79, + 0xAC, 0x3E, 0x61, 0x9C, 0x67, 0xB4, 0xEE, 0x09, 0x06, 0x20, 0xCE, 0x39, + 0x03, 0x57, 0xD4, 0xB5, 0x44, 0x3C, 0x35, 0x80, 0xDD, 0xEF, 0xC3, 0xC5, + 0xC4, 0x93, 0x79, 0xF8, 0x84, 0x60, 0x31, 0x27, 0xB7, 0xF8, 
0xEB, 0x63, + 0xE8, 0x75, 0x74, 0x31, 0x29, 0xF4, 0xE7, 0x06, 0x51, 0x74, 0x72, 0x71, + 0x9D, 0xA1, 0x3F, 0x3C, 0x73, 0xCF, 0x07, 0xA9, 0x98, 0x23, 0x1F, 0x62, + 0x9C, 0x9E, 0x27, 0xFD, 0x1E, 0xC8, 0x1C, 0xB9, 0xBD, 0x16, 0xB5, 0x4C, + 0x1A, 0xC2, 0x8D, 0xCF, 0x4D, 0xB8, 0xC2, 0x4D, 0x94, 0xE6, 0x12, 0x6D, + 0x14, 0xFA, 0x2B, 0xF4, 0x4A, 0x2B, 0xD9, 0x7D, 0xEF, 0xF8, 0x81, 0x2C, + 0xF7, 0x7B, 0x98, 0x44, 0x12, 0x58, 0xD5, 0x82, 0xAA, 0xED, 0x49, 0x40, + 0x87, 0xBA, 0x11, 0x29, 0x7E, 0xFD, 0x04, 0x67, 0x20, 0x5D, 0x2B, 0x79, + 0x42, 0x07, 0x03, 0x5C, 0x36, 0xD7, 0xBE, 0x72, 0xCA, 0x13, 0xCF, 0x93, + 0x2D, 0xD8, 0xA9, 0xEE, 0x06, 0x0B, 0xCF, 0x5A, 0x46, 0x88, 0x57, 0x9E, + 0x18, 0x92, 0x3B, 0x5F, 0x2F, 0x86, 0xCD, 0x3D, 0x49, 0xF6, 0xA3, 0x05, + 0xE6, 0xE4, 0x68, 0xA4, 0x79, 0xA6, 0xEE, 0x85, 0xF4, 0x2B, 0xF6, 0x6E, + 0x1B, 0x7A, 0xBD, 0x77, 0xEA, 0x6A, 0xC9, 0x31, 0x34, 0x8E, 0x5F, 0xC2, + 0xF3, 0x87, 0x3D, 0x8F, 0xD7, 0xB0, 0x16, 0x28, 0x3F, 0x2C, 0x87, 0xA0, + 0xA3, 0x56, 0xE8, 0x21, 0x83, 0x53, 0xCB, 0xE9, 0x1D, 0x28, 0x57, 0x93, + 0xDB, 0x5B, 0xE9, 0xF0, 0x7B, 0x7F, 0xF4, 0x6A, 0x51, 0x48, 0xFC, 0xAB, + 0xF5, 0x3B, 0x44, 0xA7, 0x5E, 0x67, 0x3A, 0x6B, 0x43, 0x9C, 0xD1, 0x03, + 0xDF, 0xF8, 0xD5, 0x7F, 0x7B, 0x09, 0x62, 0xBF, 0x28, 0xBD, 0xC6, 0x3E, + 0xC3, 0x6C, 0x91, 0x01, 0x45, 0x3F, 0xE2, 0x1F, 0xEF, 0x2A, 0x8F, 0xB2, + 0x1B, 0x72, 0x35, 0x4D, 0x18, 0x6F, 0x4D, 0x57, 0xBF, 0x6A, 0x69, 0x02, + 0x69, 0x4A, 0xE5, 0x5F, 0x74, 0xF7, 0x69, 0x5B, 0x89, 0x08, 0xCE, 0xCE, + 0x15, 0x56, 0x3F, 0x21, 0x1A, 0xB8, 0xEC, 0x4D, 0xB0, 0x7E, 0x0F, 0x89, + 0xB0, 0x5C, 0x6D, 0xDB, 0x53, 0x9E, 0xA9, 0x27, 0x28, 0x52, 0xE5, 0x9E, + 0x1F, 0xEF, 0x84, 0x1A, 0x9A, 0xAE, 0x86, 0x8B, 0x25, 0x3B, 0xC6, 0x3B, + 0x8E, 0x9C, 0x32, 0xD9, 0x89, 0x3B, 0xA2, 0xCB, 0x59, 0x35, 0xC3, 0x71, + 0xEE, 0x22, 0x0C, 0x61, 0xEA, 0x59, 0x33, 0x25, 0x39, 0xAF, 0xF0, 0x12, + 0x81, 0x55, 0x4A, 0x9D, 0x0C, 0x3E, 0x5E, 0x34, 0x9F, 0xA7, 0xD8, 0xC5, + 0xB5, 0x0A, 0xC3, 0xA2, 0x00, 0x3F, 0x59, 0x3D, 0x07, 0x5F, 
0x2B, 0xC1, + 0x6F, 0x6A, 0xE3, 0x94, 0x90, 0xAF, 0x81, 0x11, 0x82, 0x89, 0xF4, 0x9D, + 0x8B, 0x05, 0xE2, 0x7C, 0x22, 0x02, 0xEC, 0x00, 0x38, 0x39, 0xED, 0x04, + 0xB2, 0xC9, 0xD8, 0xA1, 0x1B, 0xED, 0xB9, 0xE1, 0x62, 0x82, 0xC4, 0xCC, + 0xA0, 0x61, 0xEE, 0x7A, 0x17, 0xA0, 0x99, 0xAC, 0xAC, 0x85, 0xA7, 0x5F, + 0xC9, 0xC3, 0xC5, 0x63, 0x8F, 0x5A, 0xE7, 0x41, 0xAC, 0xB7, 0x89, 0x13, + 0x38, 0xD8, 0x58, 0xBF, 0x71, 0xA5, 0x4F, 0x9D, 0x4C, 0x72, 0x57, 0x88, + 0x2E, 0xAB, 0xD4, 0x74, 0xDE, 0x46, 0x9F, 0xF4, 0xBA, 0xB1, 0x55, 0x6A, + 0x18, 0xF4, 0x87, 0xB9, 0x24, 0xA7, 0xD9, 0xF4, 0x9A, 0x3C, 0xEF, 0xF4, + 0xA2, 0x2D, 0x0F, 0xC9, 0xE4, 0x45, 0xC2, 0xC9, 0x6F, 0x2D, 0xB6, 0xDA, + 0xE6, 0x89, 0x38, 0x80, 0x2A, 0x89, 0xE2, 0xF5, 0x3D, 0x77, 0x5E, 0x61, + 0x6E, 0x9C, 0xF9, 0x87, 0x89, 0xD4, 0x70, 0x23, 0x79, 0x93, 0xDA, 0xCE, + 0x62, 0x89, 0xEB, 0x13, 0x77, 0xB0, 0x49, 0xB2, 0xF9, 0xFC, 0x84, 0xD3, + 0x06, 0xD2, 0x8D, 0x5A, 0x94, 0x64, 0xC1, 0xA8, 0x9A, 0x60, 0x57, 0x8A, + 0x8F, 0x62, 0x4A, 0x78, 0x12, 0x6B, 0x87, 0x6F, 0x6D, 0xC8, 0x32, 0xF3, + 0xC6, 0x8D, 0xDB, 0x3A, 0x67, 0x95, 0xCD, 0xAF, 0x48, 0x28, 0x79, 0xC2, + 0xB6, 0xDB, 0xD8, 0xFE, 0x82, 0x15, 0xE6, 0xE4, 0xEC, 0x79, 0xE2, 0xB4, + 0x21, 0x5C, 0x30, 0x45, 0xD7, 0x3B, 0xA0, 0x1A, 0x3B, 0xAA, 0x3D, 0x6C, + 0x1C, 0xC3, 0x1E, 0xDE, 0x4D, 0x75, 0x1D, 0x9A, 0x96, 0x51, 0xF9, 0x4F, + 0x10, 0x28, 0x7E, 0x88, 0xEE, 0x3B, 0x93, 0x4A, 0x0B, 0x09, 0x44, 0x9C, + 0x20, 0x34, 0xF6, 0xEE, 0x6F, 0x26, 0xB9, 0x4C, 0x76, 0xCC, 0xE1, 0x6F, + 0x09, 0x91, 0xAF, 0x48, 0x8C, 0xC4, 0x31, 0xA2, 0xF9, 0x44, 0x77, 0x19, + 0xA7, 0x00, 0x33, 0x77, 0x31, 0xF2, 0xF5, 0xF7, 0x30, 0xDF, 0xAB, 0xFE, + 0x7E, 0xE6, 0x83, 0xE1, 0xC9, 0x2A, 0xC8, 0xE0, 0xA6, 0xAC, 0x5A, 0x28, + 0x7F, 0xC4, 0x0B, 0xEB, 0x55, 0xD9, 0x5D, 0xBD, 0xB5, 0xD2, 0xF6, 0xB4, + 0xA9, 0x76, 0x2B, 0x35, 0x10, 0x36, 0x3B, 0xCC, 0x61, 0x6C, 0x79, 0xCE, + 0xC3, 0x9A, 0x02, 0x9A, 0x00, 0xBA, 0x43, 0x20, 0x3F, 0x26, 0x36, 0x66, + 0x07, 0x11, 0x68, 0x51, 0x47, 0xBE, 0x78, 0xED, 0x4A, 0xFA, 
0xBC, 0xDA, + 0xCD, 0xFD, 0x02, 0xDB, 0xD1, 0x8B, 0xE0, 0xBD, 0x13, 0xFE, 0xED, 0x26, + 0x77, 0xE4, 0x83, 0xAE, 0xB7, 0xAB, 0xFD, 0x2A, 0x5E, 0xA3, 0x28, 0xFD, + 0x90, 0x40, 0x3D, 0x34, 0xF7, 0xF8, 0x35, 0x80, 0xF6, 0x6F, 0xA0, 0xE9, + 0xCD, 0x9A, 0x54, 0x6F, 0x41, 0xA5, 0xC7, 0xED, 0xEA, 0xDC, 0x52, 0x23, + 0xF1, 0x96, 0x19, 0x8E, 0x2B, 0x94, 0x3F, 0xD9, 0x27, 0x60, 0x1E, 0x27, + 0xC1, 0x39, 0x68, 0x78, 0x7B, 0x47, 0x8F, 0xCC, 0xCD, 0xBE, 0xE4, 0xBD, + 0x0B, 0x73, 0x03, 0xFB, 0xFE, 0xC0, 0x50, 0x38, 0x70, 0xDF, 0x81, 0x5D, + 0x22, 0x4C, 0x5B, 0xCB, 0x27, 0x5D, 0xD2, 0x94, 0x64, 0x0A, 0x88, 0x67, + 0x31, 0xE9, 0x08, 0xF0, 0x88, 0x20, 0xF2, 0x86, 0xCA, 0xBD, 0x18, 0x5F, + 0x34, 0xD0, 0x96, 0x0D, 0x4A, 0x62, 0x4D, 0xBE, 0xE8, 0xA6, 0x04, 0xA6, + 0x69, 0xCE, 0xCD, 0xE9, 0x5A, 0x1D, 0xD2, 0xF8, 0xCF, 0x19, 0x06, 0x17, + 0x05, 0x82, 0x6B, 0x60, 0x3E, 0x5E, 0x6B, 0x1D, 0x1E, 0x13, 0x51, 0x5D, + 0xFE, 0x95, 0x38, 0x33, 0x62, 0x9B, 0xBF, 0xD5, 0x3E, 0x3B, 0x8B, 0xD2, + 0x6F, 0x24, 0x6D, 0x24, 0xC9, 0x0D, 0x2D, 0x52, 0xBF, 0xDA, 0xCE, 0x5E, + 0xFE, 0x9D, 0xB8, 0x5D, 0x61, 0x57, 0xBC, 0x8C, 0x7A, 0x17, 0x75, 0x80, + 0xEE, 0x52, 0x2F, 0xF5, 0x25, 0x48, 0x3A, 0x9E, 0x27, 0xF4, 0xEB, 0xE1, + 0x01, 0xE4, 0xA7, 0x48, 0x93, 0xAA, 0x92, 0x68, 0xC0, 0x3B, 0x1A, 0x5A, + 0xC5, 0x6D, 0xD0, 0x91, 0xB9, 0x8D, 0x44, 0xD4, 0xE1, 0x9C, 0x74, 0xEA, + 0x14, 0xFA, 0xF6, 0x1E, 0x01, 0xC0, 0x89, 0x24, 0x90, 0x71, 0xAF, 0xF5, + 0x2D, 0x6C, 0x35, 0x13, 0xA6, 0x73, 0x14, 0xAC, 0xE5, 0xAE, 0x88, 0x2F, + 0x9D, 0x77, 0x3B, 0x8F, 0x61, 0xB1, 0x47, 0x66, 0x72, 0x14, 0x91, 0x40, + 0xD7, 0x50, 0xDC, 0xEA, 0xFF, 0x49, 0x9E, 0x17, 0x75, 0x25, 0x49, 0x7C, + 0x57, 0x41, 0xA7, 0x8C, 0x4D, 0x3B, 0x94, 0x9D, 0x65, 0x83, 0x62, 0x6F, + 0x16, 0xBF, 0x0C, 0x87, 0x03, 0x61, 0xB4, 0x3B, 0x60, 0x6D, 0x07, 0x56, + 0xB8, 0x1F, 0x89, 0xAD, 0x00, 0x25, 0x10, 0x4A, 0x34, 0x4C, 0x9A, 0x26, + 0xDA, 0x06, 0x25, 0x9C, 0x91, 0xA6, 0xA5, 0xAD, 0x4D, 0x6E, 0xE9, 0x2F, + 0x18, 0xC4, 0x1D, 0x09, 0xE1, 0xAA, 0x66, 0x01, 0x31, 0x6D, 
0x12, 0x30, + 0xED, 0x97, 0x3F, 0x67, 0xCE, 0x4E, 0x26, 0x0B, 0xF5, 0x5E, 0x81, 0xA7, + 0x1F, 0x83, 0x68, 0x91, 0xC3, 0xD0, 0x4C, 0x2E, 0xD4, 0xDE, 0xEF, 0x34, + 0xF9, 0x61, 0x83, 0x6F, 0xD6, 0x6E, 0x40, 0x87, 0x48, 0x7E, 0xCF, 0x56, + 0x42, 0x21, 0xBA, 0x40, 0x64, 0x17, 0xFA, 0x97, 0xFF, 0x8D, 0xC8, 0x32, + 0xFA, 0xB7, 0x45, 0xB0, 0xEC, 0xBD, 0x0E, 0x51, 0x63, 0x90, 0x05, 0x68, + 0x7A, 0x45, 0x86, 0x68, 0x2A, 0x0E, 0x81, 0x5F, 0xDD, 0x12, 0xAD, 0x48, + 0xF6, 0x87, 0x2E, 0x8D, 0xF6, 0x86, 0xC3, 0x6D, 0x69, 0xD5, 0x4E, 0x52, + 0x8A, 0x8E, 0xE8, 0x01, 0x56, 0x11, 0xCC, 0x2E, 0x3F, 0xB5, 0x46, 0x1D, + 0xF6, 0x6E, 0x4A, 0xEE, 0x1C, 0x60, 0x15, 0x85, 0xF6, 0x40, 0xFD, 0x56, + 0xDC, 0x10, 0x01, 0xC3, 0xBD, 0xAE, 0x5A, 0x13, 0x1F, 0x15, 0x16, 0x10, + 0x92, 0xC5, 0x02, 0xC2, 0x81, 0xB5, 0x6A, 0x4D, 0x37, 0x29, 0x40, 0x8B, + 0xAA, 0x5F, 0xC9, 0x4C, 0x26, 0x7B, 0x2C, 0x21, 0x9E, 0xE2, 0xF2, 0x5A, + 0x20, 0x88, 0x3F, 0x40, 0x30, 0xC5, 0x64, 0x0E}; // mldsa65kPublicKeySPKI is the above example ML-DSA-65 public key encoded static const uint8_t mldsa65kPublicKeySPKI[] = { -0x30, 0x82, 0x07, 0xB2, 0x30, 0x0B, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, -0x03, 0x04, 0x03, 0x12, 0x03, 0x82, 0x07, 0xA1, 0x00, 0x9B, 0x77, 0xAB, 0x96, -0x9D, 0x65, 0xA2, 0xC1, 0x55, 0x65, 0x02, 0x9B, 0xA5, 0xD4, 0xE5, 0x93, 0xA1, -0xAC, 0xE7, 0x3E, 0x8C, 0x61, 0xB7, 0xCB, 0xA1, 0x3E, 0x74, 0x8A, 0xC9, 0xC0, -0xA0, 0x63, 0x4A, 0xF6, 0xF4, 0x1C, 0x72, 0x37, 0xB0, 0x31, 0x9E, 0xB7, 0x51, -0x55, 0xCF, 0x5B, 0x4E, 0x03, 0x46, 0x7C, 0x26, 0xBE, 0x84, 0x73, 0xD8, 0x50, -0xDF, 0x72, 0x87, 0xC0, 0x18, 0xED, 0xE7, 0xE4, 0x12, 0x4F, 0xCA, 0x4E, 0x1A, -0xFA, 0x76, 0x82, 0xD4, 0xA6, 0x3E, 0xDA, 0xEC, 0x74, 0x53, 0xFF, 0xDD, 0x69, -0x5C, 0x9F, 0xFD, 0x69, 0xA3, 0xED, 0x4F, 0xEB, 0xFB, 0xEF, 0xD2, 0x98, 0x8B, -0x45, 0x06, 0xBA, 0xD5, 0xF8, 0x9E, 0x0A, 0x2D, 0xA2, 0xC7, 0x96, 0x4B, 0x79, -0xE9, 0xA9, 0xA6, 0x73, 0x69, 0xF8, 0x8C, 0x01, 0x69, 0xF2, 0x66, 0x05, 0x37, -0x31, 0x65, 0xA9, 0x09, 0x3E, 0x0E, 0x73, 0x95, 0x67, 
0xC9, 0x33, 0xA6, 0x57, -0xDF, 0xDD, 0xC0, 0x55, 0x1A, 0x89, 0x6F, 0xC8, 0x30, 0x71, 0x68, 0x3C, 0x2A, -0x7E, 0x61, 0x86, 0xAC, 0x70, 0x6A, 0x27, 0x31, 0x9B, 0x9A, 0xEC, 0x8F, 0x37, -0x2B, 0x71, 0x91, 0x91, 0x6C, 0x8B, 0x35, 0xED, 0xF1, 0x97, 0x87, 0x58, 0xD1, -0x4F, 0xF2, 0x06, 0x23, 0xE6, 0x1C, 0x44, 0x63, 0x02, 0x9E, 0x09, 0x76, 0x6C, -0x72, 0xBD, 0x0D, 0xB3, 0xE2, 0x1D, 0x92, 0xAA, 0x8D, 0x7B, 0x78, 0xD8, 0xB3, -0xA7, 0x5A, 0xAB, 0xBF, 0x22, 0xBB, 0x30, 0x5B, 0xFB, 0xB4, 0x3C, 0x52, 0xD2, -0xA2, 0xED, 0x3B, 0x99, 0x43, 0xCB, 0x29, 0x66, 0x2A, 0xBD, 0x52, 0x1B, 0x1C, -0xB4, 0xE5, 0xE3, 0x6E, 0xFF, 0xAD, 0xEF, 0x8B, 0xE1, 0xF9, 0xB5, 0x5E, 0xCB, -0xF2, 0x8E, 0xCD, 0x53, 0x39, 0xBE, 0xBE, 0x61, 0x72, 0x86, 0x31, 0x65, 0xA0, -0xFC, 0xC1, 0xFC, 0x31, 0x79, 0x93, 0xDF, 0x76, 0x13, 0x71, 0xE4, 0x61, 0x0F, -0x6B, 0x32, 0x78, 0xD2, 0x24, 0xB7, 0x8C, 0xE8, 0x84, 0xE3, 0xB8, 0xF6, 0x04, -0xF3, 0x30, 0xE9, 0x5B, 0xA5, 0xD8, 0x94, 0xA7, 0xA3, 0xF0, 0xE8, 0xAC, 0x70, -0x32, 0x42, 0xB5, 0x08, 0xEE, 0x2A, 0x77, 0xFA, 0x04, 0x49, 0xE9, 0x7A, 0xB7, -0x0A, 0x95, 0x05, 0x86, 0x33, 0xA5, 0xE4, 0x5A, 0xC6, 0xE1, 0xE7, 0x48, 0xBD, -0xBA, 0x80, 0xE7, 0x21, 0x61, 0x45, 0x24, 0x5E, 0xA9, 0x7F, 0x2D, 0x75, 0x0F, -0xE9, 0xEE, 0x79, 0x88, 0x64, 0xF3, 0xE7, 0x0C, 0xA0, 0xEB, 0x93, 0x2C, 0x6B, -0xD3, 0x51, 0x12, 0xE7, 0x62, 0x8D, 0x71, 0x10, 0x6D, 0x5B, 0x3A, 0x27, 0xF4, -0xEA, 0x80, 0xFC, 0xCD, 0x58, 0x81, 0x43, 0xEB, 0xA0, 0x4E, 0xF5, 0xA1, 0x68, -0x67, 0x74, 0x7C, 0x14, 0x12, 0xA6, 0x78, 0xC2, 0x08, 0x58, 0x3F, 0x20, 0x96, -0x52, 0xD2, 0x61, 0xDA, 0xED, 0x5F, 0x7F, 0xAD, 0x40, 0x93, 0x21, 0xEB, 0xC4, -0x37, 0x5C, 0xD1, 0x72, 0xE6, 0x06, 0x37, 0xD9, 0xF6, 0x09, 0xD4, 0xC9, 0x6D, -0xED, 0x07, 0xF6, 0xD2, 0x15, 0x94, 0xFD, 0xF6, 0xC3, 0x09, 0x60, 0x6D, 0x6A, -0x23, 0x50, 0x8C, 0xDD, 0x61, 0xDD, 0x66, 0x81, 0xB0, 0xAC, 0x7C, 0xE7, 0x7F, -0xED, 0x3C, 0x2F, 0x19, 0xB5, 0xF9, 0xB7, 0x2E, 0x35, 0xF7, 0xF4, 0x98, 0x0E, -0x6A, 0x9E, 0x6D, 0xAC, 0xF1, 0x0F, 0x90, 0x25, 0xED, 0xC5, 0x94, 0x9E, 0x10, 
-0x29, 0x97, 0x47, 0x05, 0x3D, 0x03, 0x6F, 0x69, 0xAE, 0x84, 0x08, 0x9B, 0x33, -0x0C, 0x1F, 0x26, 0x65, 0xC7, 0x86, 0x25, 0x10, 0x11, 0x97, 0x33, 0x3D, 0x98, -0x43, 0xB5, 0x7F, 0x9C, 0x19, 0x62, 0xE5, 0x46, 0x6D, 0x3B, 0xA2, 0xDC, 0xD4, -0x17, 0x85, 0x9A, 0xE8, 0x2C, 0xF3, 0x01, 0x5F, 0x39, 0xD1, 0xBC, 0x07, 0x8E, -0xAC, 0xC9, 0x28, 0x0C, 0x7B, 0xD8, 0x02, 0xFE, 0x46, 0x12, 0xA8, 0xBD, 0x0E, -0x6B, 0x23, 0x65, 0x5B, 0xAA, 0xFC, 0x32, 0x20, 0xF7, 0xCC, 0xC7, 0x06, 0x80, -0x09, 0x0A, 0x95, 0xD9, 0x69, 0xED, 0x3C, 0x6C, 0xEB, 0x62, 0x28, 0xE6, 0x4E, -0xF4, 0xFA, 0x9B, 0x5C, 0x36, 0x07, 0xE0, 0x25, 0x20, 0xB8, 0xF4, 0x1F, 0x2E, -0x78, 0x21, 0xEE, 0xFA, 0x9E, 0x80, 0x14, 0xAD, 0xAD, 0x83, 0x39, 0x2E, 0xD0, -0xE9, 0x56, 0xE3, 0x88, 0x0C, 0xC4, 0xD7, 0xBE, 0xB1, 0xE4, 0xD0, 0x42, 0xE6, -0xED, 0xDC, 0x44, 0x65, 0x51, 0x1F, 0x95, 0x9A, 0xAA, 0xBF, 0x83, 0x7B, 0xD7, -0x14, 0x23, 0x18, 0x81, 0x91, 0x0A, 0x07, 0x97, 0x10, 0x6F, 0x3C, 0x16, 0xF2, -0xF0, 0x3E, 0xE1, 0x45, 0x40, 0xB0, 0x39, 0x98, 0x33, 0x55, 0xFF, 0x7E, 0x75, -0x31, 0xE0, 0x10, 0x16, 0x81, 0x36, 0x56, 0x86, 0x34, 0x1C, 0x61, 0x10, 0x25, -0xAE, 0x98, 0x6E, 0xBE, 0xC9, 0x47, 0xCD, 0x14, 0x1C, 0x52, 0x8C, 0x27, 0xEE, -0x28, 0xDA, 0x18, 0x96, 0x4D, 0x16, 0x6D, 0x17, 0x2E, 0x5B, 0x7E, 0x88, 0x70, -0xC8, 0x3D, 0x31, 0x34, 0xE5, 0xEA, 0x08, 0x40, 0x25, 0x7B, 0x03, 0x75, 0x47, -0xAD, 0x19, 0x02, 0x7E, 0xCC, 0xB6, 0x43, 0xD1, 0xC9, 0xB2, 0x95, 0x7F, 0x9F, -0x93, 0xC4, 0xD7, 0x33, 0x5A, 0x7E, 0xA4, 0x51, 0x58, 0xC5, 0xA7, 0x23, 0x25, -0xF8, 0xF4, 0xDE, 0xEF, 0x84, 0x72, 0x0E, 0x8D, 0xE7, 0x9E, 0x1E, 0x40, 0xB3, -0xA6, 0x58, 0x34, 0x4E, 0xB8, 0x56, 0x6B, 0xA1, 0x50, 0x2B, 0x1C, 0xF9, 0xA6, -0x88, 0x21, 0x34, 0x79, 0x99, 0x5F, 0x24, 0xD6, 0x96, 0x67, 0xB5, 0x7E, 0x9C, -0xD2, 0xFB, 0x11, 0x40, 0xA6, 0xE6, 0x20, 0xD2, 0x8C, 0x38, 0x62, 0x9B, 0xC1, -0xD7, 0x57, 0x42, 0xE0, 0xD7, 0x34, 0xF3, 0x90, 0xF9, 0x60, 0xDD, 0xEA, 0x24, -0x67, 0x6A, 0xC0, 0xC7, 0xEF, 0xA7, 0x1B, 0xDC, 0xAD, 0x3D, 0x0D, 0x17, 0x90, -0x66, 0x70, 0xB2, 0x98, 
0x24, 0x1B, 0x58, 0x79, 0xAC, 0x3E, 0x61, 0x9C, 0x67, -0xB4, 0xEE, 0x09, 0x06, 0x20, 0xCE, 0x39, 0x03, 0x57, 0xD4, 0xB5, 0x44, 0x3C, -0x35, 0x80, 0xDD, 0xEF, 0xC3, 0xC5, 0xC4, 0x93, 0x79, 0xF8, 0x84, 0x60, 0x31, -0x27, 0xB7, 0xF8, 0xEB, 0x63, 0xE8, 0x75, 0x74, 0x31, 0x29, 0xF4, 0xE7, 0x06, -0x51, 0x74, 0x72, 0x71, 0x9D, 0xA1, 0x3F, 0x3C, 0x73, 0xCF, 0x07, 0xA9, 0x98, -0x23, 0x1F, 0x62, 0x9C, 0x9E, 0x27, 0xFD, 0x1E, 0xC8, 0x1C, 0xB9, 0xBD, 0x16, -0xB5, 0x4C, 0x1A, 0xC2, 0x8D, 0xCF, 0x4D, 0xB8, 0xC2, 0x4D, 0x94, 0xE6, 0x12, -0x6D, 0x14, 0xFA, 0x2B, 0xF4, 0x4A, 0x2B, 0xD9, 0x7D, 0xEF, 0xF8, 0x81, 0x2C, -0xF7, 0x7B, 0x98, 0x44, 0x12, 0x58, 0xD5, 0x82, 0xAA, 0xED, 0x49, 0x40, 0x87, -0xBA, 0x11, 0x29, 0x7E, 0xFD, 0x04, 0x67, 0x20, 0x5D, 0x2B, 0x79, 0x42, 0x07, -0x03, 0x5C, 0x36, 0xD7, 0xBE, 0x72, 0xCA, 0x13, 0xCF, 0x93, 0x2D, 0xD8, 0xA9, -0xEE, 0x06, 0x0B, 0xCF, 0x5A, 0x46, 0x88, 0x57, 0x9E, 0x18, 0x92, 0x3B, 0x5F, -0x2F, 0x86, 0xCD, 0x3D, 0x49, 0xF6, 0xA3, 0x05, 0xE6, 0xE4, 0x68, 0xA4, 0x79, -0xA6, 0xEE, 0x85, 0xF4, 0x2B, 0xF6, 0x6E, 0x1B, 0x7A, 0xBD, 0x77, 0xEA, 0x6A, -0xC9, 0x31, 0x34, 0x8E, 0x5F, 0xC2, 0xF3, 0x87, 0x3D, 0x8F, 0xD7, 0xB0, 0x16, -0x28, 0x3F, 0x2C, 0x87, 0xA0, 0xA3, 0x56, 0xE8, 0x21, 0x83, 0x53, 0xCB, 0xE9, -0x1D, 0x28, 0x57, 0x93, 0xDB, 0x5B, 0xE9, 0xF0, 0x7B, 0x7F, 0xF4, 0x6A, 0x51, -0x48, 0xFC, 0xAB, 0xF5, 0x3B, 0x44, 0xA7, 0x5E, 0x67, 0x3A, 0x6B, 0x43, 0x9C, -0xD1, 0x03, 0xDF, 0xF8, 0xD5, 0x7F, 0x7B, 0x09, 0x62, 0xBF, 0x28, 0xBD, 0xC6, -0x3E, 0xC3, 0x6C, 0x91, 0x01, 0x45, 0x3F, 0xE2, 0x1F, 0xEF, 0x2A, 0x8F, 0xB2, -0x1B, 0x72, 0x35, 0x4D, 0x18, 0x6F, 0x4D, 0x57, 0xBF, 0x6A, 0x69, 0x02, 0x69, -0x4A, 0xE5, 0x5F, 0x74, 0xF7, 0x69, 0x5B, 0x89, 0x08, 0xCE, 0xCE, 0x15, 0x56, -0x3F, 0x21, 0x1A, 0xB8, 0xEC, 0x4D, 0xB0, 0x7E, 0x0F, 0x89, 0xB0, 0x5C, 0x6D, -0xDB, 0x53, 0x9E, 0xA9, 0x27, 0x28, 0x52, 0xE5, 0x9E, 0x1F, 0xEF, 0x84, 0x1A, -0x9A, 0xAE, 0x86, 0x8B, 0x25, 0x3B, 0xC6, 0x3B, 0x8E, 0x9C, 0x32, 0xD9, 0x89, -0x3B, 0xA2, 0xCB, 0x59, 0x35, 0xC3, 0x71, 0xEE, 
0x22, 0x0C, 0x61, 0xEA, 0x59, -0x33, 0x25, 0x39, 0xAF, 0xF0, 0x12, 0x81, 0x55, 0x4A, 0x9D, 0x0C, 0x3E, 0x5E, -0x34, 0x9F, 0xA7, 0xD8, 0xC5, 0xB5, 0x0A, 0xC3, 0xA2, 0x00, 0x3F, 0x59, 0x3D, -0x07, 0x5F, 0x2B, 0xC1, 0x6F, 0x6A, 0xE3, 0x94, 0x90, 0xAF, 0x81, 0x11, 0x82, -0x89, 0xF4, 0x9D, 0x8B, 0x05, 0xE2, 0x7C, 0x22, 0x02, 0xEC, 0x00, 0x38, 0x39, -0xED, 0x04, 0xB2, 0xC9, 0xD8, 0xA1, 0x1B, 0xED, 0xB9, 0xE1, 0x62, 0x82, 0xC4, -0xCC, 0xA0, 0x61, 0xEE, 0x7A, 0x17, 0xA0, 0x99, 0xAC, 0xAC, 0x85, 0xA7, 0x5F, -0xC9, 0xC3, 0xC5, 0x63, 0x8F, 0x5A, 0xE7, 0x41, 0xAC, 0xB7, 0x89, 0x13, 0x38, -0xD8, 0x58, 0xBF, 0x71, 0xA5, 0x4F, 0x9D, 0x4C, 0x72, 0x57, 0x88, 0x2E, 0xAB, -0xD4, 0x74, 0xDE, 0x46, 0x9F, 0xF4, 0xBA, 0xB1, 0x55, 0x6A, 0x18, 0xF4, 0x87, -0xB9, 0x24, 0xA7, 0xD9, 0xF4, 0x9A, 0x3C, 0xEF, 0xF4, 0xA2, 0x2D, 0x0F, 0xC9, -0xE4, 0x45, 0xC2, 0xC9, 0x6F, 0x2D, 0xB6, 0xDA, 0xE6, 0x89, 0x38, 0x80, 0x2A, -0x89, 0xE2, 0xF5, 0x3D, 0x77, 0x5E, 0x61, 0x6E, 0x9C, 0xF9, 0x87, 0x89, 0xD4, -0x70, 0x23, 0x79, 0x93, 0xDA, 0xCE, 0x62, 0x89, 0xEB, 0x13, 0x77, 0xB0, 0x49, -0xB2, 0xF9, 0xFC, 0x84, 0xD3, 0x06, 0xD2, 0x8D, 0x5A, 0x94, 0x64, 0xC1, 0xA8, -0x9A, 0x60, 0x57, 0x8A, 0x8F, 0x62, 0x4A, 0x78, 0x12, 0x6B, 0x87, 0x6F, 0x6D, -0xC8, 0x32, 0xF3, 0xC6, 0x8D, 0xDB, 0x3A, 0x67, 0x95, 0xCD, 0xAF, 0x48, 0x28, -0x79, 0xC2, 0xB6, 0xDB, 0xD8, 0xFE, 0x82, 0x15, 0xE6, 0xE4, 0xEC, 0x79, 0xE2, -0xB4, 0x21, 0x5C, 0x30, 0x45, 0xD7, 0x3B, 0xA0, 0x1A, 0x3B, 0xAA, 0x3D, 0x6C, -0x1C, 0xC3, 0x1E, 0xDE, 0x4D, 0x75, 0x1D, 0x9A, 0x96, 0x51, 0xF9, 0x4F, 0x10, -0x28, 0x7E, 0x88, 0xEE, 0x3B, 0x93, 0x4A, 0x0B, 0x09, 0x44, 0x9C, 0x20, 0x34, -0xF6, 0xEE, 0x6F, 0x26, 0xB9, 0x4C, 0x76, 0xCC, 0xE1, 0x6F, 0x09, 0x91, 0xAF, -0x48, 0x8C, 0xC4, 0x31, 0xA2, 0xF9, 0x44, 0x77, 0x19, 0xA7, 0x00, 0x33, 0x77, -0x31, 0xF2, 0xF5, 0xF7, 0x30, 0xDF, 0xAB, 0xFE, 0x7E, 0xE6, 0x83, 0xE1, 0xC9, -0x2A, 0xC8, 0xE0, 0xA6, 0xAC, 0x5A, 0x28, 0x7F, 0xC4, 0x0B, 0xEB, 0x55, 0xD9, -0x5D, 0xBD, 0xB5, 0xD2, 0xF6, 0xB4, 0xA9, 0x76, 0x2B, 0x35, 0x10, 0x36, 
0x3B, -0xCC, 0x61, 0x6C, 0x79, 0xCE, 0xC3, 0x9A, 0x02, 0x9A, 0x00, 0xBA, 0x43, 0x20, -0x3F, 0x26, 0x36, 0x66, 0x07, 0x11, 0x68, 0x51, 0x47, 0xBE, 0x78, 0xED, 0x4A, -0xFA, 0xBC, 0xDA, 0xCD, 0xFD, 0x02, 0xDB, 0xD1, 0x8B, 0xE0, 0xBD, 0x13, 0xFE, -0xED, 0x26, 0x77, 0xE4, 0x83, 0xAE, 0xB7, 0xAB, 0xFD, 0x2A, 0x5E, 0xA3, 0x28, -0xFD, 0x90, 0x40, 0x3D, 0x34, 0xF7, 0xF8, 0x35, 0x80, 0xF6, 0x6F, 0xA0, 0xE9, -0xCD, 0x9A, 0x54, 0x6F, 0x41, 0xA5, 0xC7, 0xED, 0xEA, 0xDC, 0x52, 0x23, 0xF1, -0x96, 0x19, 0x8E, 0x2B, 0x94, 0x3F, 0xD9, 0x27, 0x60, 0x1E, 0x27, 0xC1, 0x39, -0x68, 0x78, 0x7B, 0x47, 0x8F, 0xCC, 0xCD, 0xBE, 0xE4, 0xBD, 0x0B, 0x73, 0x03, -0xFB, 0xFE, 0xC0, 0x50, 0x38, 0x70, 0xDF, 0x81, 0x5D, 0x22, 0x4C, 0x5B, 0xCB, -0x27, 0x5D, 0xD2, 0x94, 0x64, 0x0A, 0x88, 0x67, 0x31, 0xE9, 0x08, 0xF0, 0x88, -0x20, 0xF2, 0x86, 0xCA, 0xBD, 0x18, 0x5F, 0x34, 0xD0, 0x96, 0x0D, 0x4A, 0x62, -0x4D, 0xBE, 0xE8, 0xA6, 0x04, 0xA6, 0x69, 0xCE, 0xCD, 0xE9, 0x5A, 0x1D, 0xD2, -0xF8, 0xCF, 0x19, 0x06, 0x17, 0x05, 0x82, 0x6B, 0x60, 0x3E, 0x5E, 0x6B, 0x1D, -0x1E, 0x13, 0x51, 0x5D, 0xFE, 0x95, 0x38, 0x33, 0x62, 0x9B, 0xBF, 0xD5, 0x3E, -0x3B, 0x8B, 0xD2, 0x6F, 0x24, 0x6D, 0x24, 0xC9, 0x0D, 0x2D, 0x52, 0xBF, 0xDA, -0xCE, 0x5E, 0xFE, 0x9D, 0xB8, 0x5D, 0x61, 0x57, 0xBC, 0x8C, 0x7A, 0x17, 0x75, -0x80, 0xEE, 0x52, 0x2F, 0xF5, 0x25, 0x48, 0x3A, 0x9E, 0x27, 0xF4, 0xEB, 0xE1, -0x01, 0xE4, 0xA7, 0x48, 0x93, 0xAA, 0x92, 0x68, 0xC0, 0x3B, 0x1A, 0x5A, 0xC5, -0x6D, 0xD0, 0x91, 0xB9, 0x8D, 0x44, 0xD4, 0xE1, 0x9C, 0x74, 0xEA, 0x14, 0xFA, -0xF6, 0x1E, 0x01, 0xC0, 0x89, 0x24, 0x90, 0x71, 0xAF, 0xF5, 0x2D, 0x6C, 0x35, -0x13, 0xA6, 0x73, 0x14, 0xAC, 0xE5, 0xAE, 0x88, 0x2F, 0x9D, 0x77, 0x3B, 0x8F, -0x61, 0xB1, 0x47, 0x66, 0x72, 0x14, 0x91, 0x40, 0xD7, 0x50, 0xDC, 0xEA, 0xFF, -0x49, 0x9E, 0x17, 0x75, 0x25, 0x49, 0x7C, 0x57, 0x41, 0xA7, 0x8C, 0x4D, 0x3B, -0x94, 0x9D, 0x65, 0x83, 0x62, 0x6F, 0x16, 0xBF, 0x0C, 0x87, 0x03, 0x61, 0xB4, -0x3B, 0x60, 0x6D, 0x07, 0x56, 0xB8, 0x1F, 0x89, 0xAD, 0x00, 0x25, 0x10, 0x4A, -0x34, 0x4C, 0x9A, 
0x26, 0xDA, 0x06, 0x25, 0x9C, 0x91, 0xA6, 0xA5, 0xAD, 0x4D, -0x6E, 0xE9, 0x2F, 0x18, 0xC4, 0x1D, 0x09, 0xE1, 0xAA, 0x66, 0x01, 0x31, 0x6D, -0x12, 0x30, 0xED, 0x97, 0x3F, 0x67, 0xCE, 0x4E, 0x26, 0x0B, 0xF5, 0x5E, 0x81, -0xA7, 0x1F, 0x83, 0x68, 0x91, 0xC3, 0xD0, 0x4C, 0x2E, 0xD4, 0xDE, 0xEF, 0x34, -0xF9, 0x61, 0x83, 0x6F, 0xD6, 0x6E, 0x40, 0x87, 0x48, 0x7E, 0xCF, 0x56, 0x42, -0x21, 0xBA, 0x40, 0x64, 0x17, 0xFA, 0x97, 0xFF, 0x8D, 0xC8, 0x32, 0xFA, 0xB7, -0x45, 0xB0, 0xEC, 0xBD, 0x0E, 0x51, 0x63, 0x90, 0x05, 0x68, 0x7A, 0x45, 0x86, -0x68, 0x2A, 0x0E, 0x81, 0x5F, 0xDD, 0x12, 0xAD, 0x48, 0xF6, 0x87, 0x2E, 0x8D, -0xF6, 0x86, 0xC3, 0x6D, 0x69, 0xD5, 0x4E, 0x52, 0x8A, 0x8E, 0xE8, 0x01, 0x56, -0x11, 0xCC, 0x2E, 0x3F, 0xB5, 0x46, 0x1D, 0xF6, 0x6E, 0x4A, 0xEE, 0x1C, 0x60, -0x15, 0x85, 0xF6, 0x40, 0xFD, 0x56, 0xDC, 0x10, 0x01, 0xC3, 0xBD, 0xAE, 0x5A, -0x13, 0x1F, 0x15, 0x16, 0x10, 0x92, 0xC5, 0x02, 0xC2, 0x81, 0xB5, 0x6A, 0x4D, -0x37, 0x29, 0x40, 0x8B, 0xAA, 0x5F, 0xC9, 0x4C, 0x26, 0x7B, 0x2C, 0x21, 0x9E, -0xE2, 0xF2, 0x5A, 0x20, 0x88, 0x3F, 0x40, 0x30, 0xC5, 0x64, 0x0E }; + 0x30, 0x82, 0x07, 0xB2, 0x30, 0x0B, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x03, 0x12, 0x03, 0x82, 0x07, 0xA1, 0x00, 0x9B, 0x77, + 0xAB, 0x96, 0x9D, 0x65, 0xA2, 0xC1, 0x55, 0x65, 0x02, 0x9B, 0xA5, 0xD4, + 0xE5, 0x93, 0xA1, 0xAC, 0xE7, 0x3E, 0x8C, 0x61, 0xB7, 0xCB, 0xA1, 0x3E, + 0x74, 0x8A, 0xC9, 0xC0, 0xA0, 0x63, 0x4A, 0xF6, 0xF4, 0x1C, 0x72, 0x37, + 0xB0, 0x31, 0x9E, 0xB7, 0x51, 0x55, 0xCF, 0x5B, 0x4E, 0x03, 0x46, 0x7C, + 0x26, 0xBE, 0x84, 0x73, 0xD8, 0x50, 0xDF, 0x72, 0x87, 0xC0, 0x18, 0xED, + 0xE7, 0xE4, 0x12, 0x4F, 0xCA, 0x4E, 0x1A, 0xFA, 0x76, 0x82, 0xD4, 0xA6, + 0x3E, 0xDA, 0xEC, 0x74, 0x53, 0xFF, 0xDD, 0x69, 0x5C, 0x9F, 0xFD, 0x69, + 0xA3, 0xED, 0x4F, 0xEB, 0xFB, 0xEF, 0xD2, 0x98, 0x8B, 0x45, 0x06, 0xBA, + 0xD5, 0xF8, 0x9E, 0x0A, 0x2D, 0xA2, 0xC7, 0x96, 0x4B, 0x79, 0xE9, 0xA9, + 0xA6, 0x73, 0x69, 0xF8, 0x8C, 0x01, 0x69, 0xF2, 0x66, 0x05, 0x37, 0x31, + 0x65, 0xA9, 0x09, 0x3E, 0x0E, 
0x73, 0x95, 0x67, 0xC9, 0x33, 0xA6, 0x57, + 0xDF, 0xDD, 0xC0, 0x55, 0x1A, 0x89, 0x6F, 0xC8, 0x30, 0x71, 0x68, 0x3C, + 0x2A, 0x7E, 0x61, 0x86, 0xAC, 0x70, 0x6A, 0x27, 0x31, 0x9B, 0x9A, 0xEC, + 0x8F, 0x37, 0x2B, 0x71, 0x91, 0x91, 0x6C, 0x8B, 0x35, 0xED, 0xF1, 0x97, + 0x87, 0x58, 0xD1, 0x4F, 0xF2, 0x06, 0x23, 0xE6, 0x1C, 0x44, 0x63, 0x02, + 0x9E, 0x09, 0x76, 0x6C, 0x72, 0xBD, 0x0D, 0xB3, 0xE2, 0x1D, 0x92, 0xAA, + 0x8D, 0x7B, 0x78, 0xD8, 0xB3, 0xA7, 0x5A, 0xAB, 0xBF, 0x22, 0xBB, 0x30, + 0x5B, 0xFB, 0xB4, 0x3C, 0x52, 0xD2, 0xA2, 0xED, 0x3B, 0x99, 0x43, 0xCB, + 0x29, 0x66, 0x2A, 0xBD, 0x52, 0x1B, 0x1C, 0xB4, 0xE5, 0xE3, 0x6E, 0xFF, + 0xAD, 0xEF, 0x8B, 0xE1, 0xF9, 0xB5, 0x5E, 0xCB, 0xF2, 0x8E, 0xCD, 0x53, + 0x39, 0xBE, 0xBE, 0x61, 0x72, 0x86, 0x31, 0x65, 0xA0, 0xFC, 0xC1, 0xFC, + 0x31, 0x79, 0x93, 0xDF, 0x76, 0x13, 0x71, 0xE4, 0x61, 0x0F, 0x6B, 0x32, + 0x78, 0xD2, 0x24, 0xB7, 0x8C, 0xE8, 0x84, 0xE3, 0xB8, 0xF6, 0x04, 0xF3, + 0x30, 0xE9, 0x5B, 0xA5, 0xD8, 0x94, 0xA7, 0xA3, 0xF0, 0xE8, 0xAC, 0x70, + 0x32, 0x42, 0xB5, 0x08, 0xEE, 0x2A, 0x77, 0xFA, 0x04, 0x49, 0xE9, 0x7A, + 0xB7, 0x0A, 0x95, 0x05, 0x86, 0x33, 0xA5, 0xE4, 0x5A, 0xC6, 0xE1, 0xE7, + 0x48, 0xBD, 0xBA, 0x80, 0xE7, 0x21, 0x61, 0x45, 0x24, 0x5E, 0xA9, 0x7F, + 0x2D, 0x75, 0x0F, 0xE9, 0xEE, 0x79, 0x88, 0x64, 0xF3, 0xE7, 0x0C, 0xA0, + 0xEB, 0x93, 0x2C, 0x6B, 0xD3, 0x51, 0x12, 0xE7, 0x62, 0x8D, 0x71, 0x10, + 0x6D, 0x5B, 0x3A, 0x27, 0xF4, 0xEA, 0x80, 0xFC, 0xCD, 0x58, 0x81, 0x43, + 0xEB, 0xA0, 0x4E, 0xF5, 0xA1, 0x68, 0x67, 0x74, 0x7C, 0x14, 0x12, 0xA6, + 0x78, 0xC2, 0x08, 0x58, 0x3F, 0x20, 0x96, 0x52, 0xD2, 0x61, 0xDA, 0xED, + 0x5F, 0x7F, 0xAD, 0x40, 0x93, 0x21, 0xEB, 0xC4, 0x37, 0x5C, 0xD1, 0x72, + 0xE6, 0x06, 0x37, 0xD9, 0xF6, 0x09, 0xD4, 0xC9, 0x6D, 0xED, 0x07, 0xF6, + 0xD2, 0x15, 0x94, 0xFD, 0xF6, 0xC3, 0x09, 0x60, 0x6D, 0x6A, 0x23, 0x50, + 0x8C, 0xDD, 0x61, 0xDD, 0x66, 0x81, 0xB0, 0xAC, 0x7C, 0xE7, 0x7F, 0xED, + 0x3C, 0x2F, 0x19, 0xB5, 0xF9, 0xB7, 0x2E, 0x35, 0xF7, 0xF4, 0x98, 0x0E, + 0x6A, 0x9E, 0x6D, 0xAC, 0xF1, 
0x0F, 0x90, 0x25, 0xED, 0xC5, 0x94, 0x9E, + 0x10, 0x29, 0x97, 0x47, 0x05, 0x3D, 0x03, 0x6F, 0x69, 0xAE, 0x84, 0x08, + 0x9B, 0x33, 0x0C, 0x1F, 0x26, 0x65, 0xC7, 0x86, 0x25, 0x10, 0x11, 0x97, + 0x33, 0x3D, 0x98, 0x43, 0xB5, 0x7F, 0x9C, 0x19, 0x62, 0xE5, 0x46, 0x6D, + 0x3B, 0xA2, 0xDC, 0xD4, 0x17, 0x85, 0x9A, 0xE8, 0x2C, 0xF3, 0x01, 0x5F, + 0x39, 0xD1, 0xBC, 0x07, 0x8E, 0xAC, 0xC9, 0x28, 0x0C, 0x7B, 0xD8, 0x02, + 0xFE, 0x46, 0x12, 0xA8, 0xBD, 0x0E, 0x6B, 0x23, 0x65, 0x5B, 0xAA, 0xFC, + 0x32, 0x20, 0xF7, 0xCC, 0xC7, 0x06, 0x80, 0x09, 0x0A, 0x95, 0xD9, 0x69, + 0xED, 0x3C, 0x6C, 0xEB, 0x62, 0x28, 0xE6, 0x4E, 0xF4, 0xFA, 0x9B, 0x5C, + 0x36, 0x07, 0xE0, 0x25, 0x20, 0xB8, 0xF4, 0x1F, 0x2E, 0x78, 0x21, 0xEE, + 0xFA, 0x9E, 0x80, 0x14, 0xAD, 0xAD, 0x83, 0x39, 0x2E, 0xD0, 0xE9, 0x56, + 0xE3, 0x88, 0x0C, 0xC4, 0xD7, 0xBE, 0xB1, 0xE4, 0xD0, 0x42, 0xE6, 0xED, + 0xDC, 0x44, 0x65, 0x51, 0x1F, 0x95, 0x9A, 0xAA, 0xBF, 0x83, 0x7B, 0xD7, + 0x14, 0x23, 0x18, 0x81, 0x91, 0x0A, 0x07, 0x97, 0x10, 0x6F, 0x3C, 0x16, + 0xF2, 0xF0, 0x3E, 0xE1, 0x45, 0x40, 0xB0, 0x39, 0x98, 0x33, 0x55, 0xFF, + 0x7E, 0x75, 0x31, 0xE0, 0x10, 0x16, 0x81, 0x36, 0x56, 0x86, 0x34, 0x1C, + 0x61, 0x10, 0x25, 0xAE, 0x98, 0x6E, 0xBE, 0xC9, 0x47, 0xCD, 0x14, 0x1C, + 0x52, 0x8C, 0x27, 0xEE, 0x28, 0xDA, 0x18, 0x96, 0x4D, 0x16, 0x6D, 0x17, + 0x2E, 0x5B, 0x7E, 0x88, 0x70, 0xC8, 0x3D, 0x31, 0x34, 0xE5, 0xEA, 0x08, + 0x40, 0x25, 0x7B, 0x03, 0x75, 0x47, 0xAD, 0x19, 0x02, 0x7E, 0xCC, 0xB6, + 0x43, 0xD1, 0xC9, 0xB2, 0x95, 0x7F, 0x9F, 0x93, 0xC4, 0xD7, 0x33, 0x5A, + 0x7E, 0xA4, 0x51, 0x58, 0xC5, 0xA7, 0x23, 0x25, 0xF8, 0xF4, 0xDE, 0xEF, + 0x84, 0x72, 0x0E, 0x8D, 0xE7, 0x9E, 0x1E, 0x40, 0xB3, 0xA6, 0x58, 0x34, + 0x4E, 0xB8, 0x56, 0x6B, 0xA1, 0x50, 0x2B, 0x1C, 0xF9, 0xA6, 0x88, 0x21, + 0x34, 0x79, 0x99, 0x5F, 0x24, 0xD6, 0x96, 0x67, 0xB5, 0x7E, 0x9C, 0xD2, + 0xFB, 0x11, 0x40, 0xA6, 0xE6, 0x20, 0xD2, 0x8C, 0x38, 0x62, 0x9B, 0xC1, + 0xD7, 0x57, 0x42, 0xE0, 0xD7, 0x34, 0xF3, 0x90, 0xF9, 0x60, 0xDD, 0xEA, + 0x24, 0x67, 0x6A, 0xC0, 0xC7, 
0xEF, 0xA7, 0x1B, 0xDC, 0xAD, 0x3D, 0x0D, + 0x17, 0x90, 0x66, 0x70, 0xB2, 0x98, 0x24, 0x1B, 0x58, 0x79, 0xAC, 0x3E, + 0x61, 0x9C, 0x67, 0xB4, 0xEE, 0x09, 0x06, 0x20, 0xCE, 0x39, 0x03, 0x57, + 0xD4, 0xB5, 0x44, 0x3C, 0x35, 0x80, 0xDD, 0xEF, 0xC3, 0xC5, 0xC4, 0x93, + 0x79, 0xF8, 0x84, 0x60, 0x31, 0x27, 0xB7, 0xF8, 0xEB, 0x63, 0xE8, 0x75, + 0x74, 0x31, 0x29, 0xF4, 0xE7, 0x06, 0x51, 0x74, 0x72, 0x71, 0x9D, 0xA1, + 0x3F, 0x3C, 0x73, 0xCF, 0x07, 0xA9, 0x98, 0x23, 0x1F, 0x62, 0x9C, 0x9E, + 0x27, 0xFD, 0x1E, 0xC8, 0x1C, 0xB9, 0xBD, 0x16, 0xB5, 0x4C, 0x1A, 0xC2, + 0x8D, 0xCF, 0x4D, 0xB8, 0xC2, 0x4D, 0x94, 0xE6, 0x12, 0x6D, 0x14, 0xFA, + 0x2B, 0xF4, 0x4A, 0x2B, 0xD9, 0x7D, 0xEF, 0xF8, 0x81, 0x2C, 0xF7, 0x7B, + 0x98, 0x44, 0x12, 0x58, 0xD5, 0x82, 0xAA, 0xED, 0x49, 0x40, 0x87, 0xBA, + 0x11, 0x29, 0x7E, 0xFD, 0x04, 0x67, 0x20, 0x5D, 0x2B, 0x79, 0x42, 0x07, + 0x03, 0x5C, 0x36, 0xD7, 0xBE, 0x72, 0xCA, 0x13, 0xCF, 0x93, 0x2D, 0xD8, + 0xA9, 0xEE, 0x06, 0x0B, 0xCF, 0x5A, 0x46, 0x88, 0x57, 0x9E, 0x18, 0x92, + 0x3B, 0x5F, 0x2F, 0x86, 0xCD, 0x3D, 0x49, 0xF6, 0xA3, 0x05, 0xE6, 0xE4, + 0x68, 0xA4, 0x79, 0xA6, 0xEE, 0x85, 0xF4, 0x2B, 0xF6, 0x6E, 0x1B, 0x7A, + 0xBD, 0x77, 0xEA, 0x6A, 0xC9, 0x31, 0x34, 0x8E, 0x5F, 0xC2, 0xF3, 0x87, + 0x3D, 0x8F, 0xD7, 0xB0, 0x16, 0x28, 0x3F, 0x2C, 0x87, 0xA0, 0xA3, 0x56, + 0xE8, 0x21, 0x83, 0x53, 0xCB, 0xE9, 0x1D, 0x28, 0x57, 0x93, 0xDB, 0x5B, + 0xE9, 0xF0, 0x7B, 0x7F, 0xF4, 0x6A, 0x51, 0x48, 0xFC, 0xAB, 0xF5, 0x3B, + 0x44, 0xA7, 0x5E, 0x67, 0x3A, 0x6B, 0x43, 0x9C, 0xD1, 0x03, 0xDF, 0xF8, + 0xD5, 0x7F, 0x7B, 0x09, 0x62, 0xBF, 0x28, 0xBD, 0xC6, 0x3E, 0xC3, 0x6C, + 0x91, 0x01, 0x45, 0x3F, 0xE2, 0x1F, 0xEF, 0x2A, 0x8F, 0xB2, 0x1B, 0x72, + 0x35, 0x4D, 0x18, 0x6F, 0x4D, 0x57, 0xBF, 0x6A, 0x69, 0x02, 0x69, 0x4A, + 0xE5, 0x5F, 0x74, 0xF7, 0x69, 0x5B, 0x89, 0x08, 0xCE, 0xCE, 0x15, 0x56, + 0x3F, 0x21, 0x1A, 0xB8, 0xEC, 0x4D, 0xB0, 0x7E, 0x0F, 0x89, 0xB0, 0x5C, + 0x6D, 0xDB, 0x53, 0x9E, 0xA9, 0x27, 0x28, 0x52, 0xE5, 0x9E, 0x1F, 0xEF, + 0x84, 0x1A, 0x9A, 0xAE, 0x86, 
0x8B, 0x25, 0x3B, 0xC6, 0x3B, 0x8E, 0x9C, + 0x32, 0xD9, 0x89, 0x3B, 0xA2, 0xCB, 0x59, 0x35, 0xC3, 0x71, 0xEE, 0x22, + 0x0C, 0x61, 0xEA, 0x59, 0x33, 0x25, 0x39, 0xAF, 0xF0, 0x12, 0x81, 0x55, + 0x4A, 0x9D, 0x0C, 0x3E, 0x5E, 0x34, 0x9F, 0xA7, 0xD8, 0xC5, 0xB5, 0x0A, + 0xC3, 0xA2, 0x00, 0x3F, 0x59, 0x3D, 0x07, 0x5F, 0x2B, 0xC1, 0x6F, 0x6A, + 0xE3, 0x94, 0x90, 0xAF, 0x81, 0x11, 0x82, 0x89, 0xF4, 0x9D, 0x8B, 0x05, + 0xE2, 0x7C, 0x22, 0x02, 0xEC, 0x00, 0x38, 0x39, 0xED, 0x04, 0xB2, 0xC9, + 0xD8, 0xA1, 0x1B, 0xED, 0xB9, 0xE1, 0x62, 0x82, 0xC4, 0xCC, 0xA0, 0x61, + 0xEE, 0x7A, 0x17, 0xA0, 0x99, 0xAC, 0xAC, 0x85, 0xA7, 0x5F, 0xC9, 0xC3, + 0xC5, 0x63, 0x8F, 0x5A, 0xE7, 0x41, 0xAC, 0xB7, 0x89, 0x13, 0x38, 0xD8, + 0x58, 0xBF, 0x71, 0xA5, 0x4F, 0x9D, 0x4C, 0x72, 0x57, 0x88, 0x2E, 0xAB, + 0xD4, 0x74, 0xDE, 0x46, 0x9F, 0xF4, 0xBA, 0xB1, 0x55, 0x6A, 0x18, 0xF4, + 0x87, 0xB9, 0x24, 0xA7, 0xD9, 0xF4, 0x9A, 0x3C, 0xEF, 0xF4, 0xA2, 0x2D, + 0x0F, 0xC9, 0xE4, 0x45, 0xC2, 0xC9, 0x6F, 0x2D, 0xB6, 0xDA, 0xE6, 0x89, + 0x38, 0x80, 0x2A, 0x89, 0xE2, 0xF5, 0x3D, 0x77, 0x5E, 0x61, 0x6E, 0x9C, + 0xF9, 0x87, 0x89, 0xD4, 0x70, 0x23, 0x79, 0x93, 0xDA, 0xCE, 0x62, 0x89, + 0xEB, 0x13, 0x77, 0xB0, 0x49, 0xB2, 0xF9, 0xFC, 0x84, 0xD3, 0x06, 0xD2, + 0x8D, 0x5A, 0x94, 0x64, 0xC1, 0xA8, 0x9A, 0x60, 0x57, 0x8A, 0x8F, 0x62, + 0x4A, 0x78, 0x12, 0x6B, 0x87, 0x6F, 0x6D, 0xC8, 0x32, 0xF3, 0xC6, 0x8D, + 0xDB, 0x3A, 0x67, 0x95, 0xCD, 0xAF, 0x48, 0x28, 0x79, 0xC2, 0xB6, 0xDB, + 0xD8, 0xFE, 0x82, 0x15, 0xE6, 0xE4, 0xEC, 0x79, 0xE2, 0xB4, 0x21, 0x5C, + 0x30, 0x45, 0xD7, 0x3B, 0xA0, 0x1A, 0x3B, 0xAA, 0x3D, 0x6C, 0x1C, 0xC3, + 0x1E, 0xDE, 0x4D, 0x75, 0x1D, 0x9A, 0x96, 0x51, 0xF9, 0x4F, 0x10, 0x28, + 0x7E, 0x88, 0xEE, 0x3B, 0x93, 0x4A, 0x0B, 0x09, 0x44, 0x9C, 0x20, 0x34, + 0xF6, 0xEE, 0x6F, 0x26, 0xB9, 0x4C, 0x76, 0xCC, 0xE1, 0x6F, 0x09, 0x91, + 0xAF, 0x48, 0x8C, 0xC4, 0x31, 0xA2, 0xF9, 0x44, 0x77, 0x19, 0xA7, 0x00, + 0x33, 0x77, 0x31, 0xF2, 0xF5, 0xF7, 0x30, 0xDF, 0xAB, 0xFE, 0x7E, 0xE6, + 0x83, 0xE1, 0xC9, 0x2A, 0xC8, 
0xE0, 0xA6, 0xAC, 0x5A, 0x28, 0x7F, 0xC4, + 0x0B, 0xEB, 0x55, 0xD9, 0x5D, 0xBD, 0xB5, 0xD2, 0xF6, 0xB4, 0xA9, 0x76, + 0x2B, 0x35, 0x10, 0x36, 0x3B, 0xCC, 0x61, 0x6C, 0x79, 0xCE, 0xC3, 0x9A, + 0x02, 0x9A, 0x00, 0xBA, 0x43, 0x20, 0x3F, 0x26, 0x36, 0x66, 0x07, 0x11, + 0x68, 0x51, 0x47, 0xBE, 0x78, 0xED, 0x4A, 0xFA, 0xBC, 0xDA, 0xCD, 0xFD, + 0x02, 0xDB, 0xD1, 0x8B, 0xE0, 0xBD, 0x13, 0xFE, 0xED, 0x26, 0x77, 0xE4, + 0x83, 0xAE, 0xB7, 0xAB, 0xFD, 0x2A, 0x5E, 0xA3, 0x28, 0xFD, 0x90, 0x40, + 0x3D, 0x34, 0xF7, 0xF8, 0x35, 0x80, 0xF6, 0x6F, 0xA0, 0xE9, 0xCD, 0x9A, + 0x54, 0x6F, 0x41, 0xA5, 0xC7, 0xED, 0xEA, 0xDC, 0x52, 0x23, 0xF1, 0x96, + 0x19, 0x8E, 0x2B, 0x94, 0x3F, 0xD9, 0x27, 0x60, 0x1E, 0x27, 0xC1, 0x39, + 0x68, 0x78, 0x7B, 0x47, 0x8F, 0xCC, 0xCD, 0xBE, 0xE4, 0xBD, 0x0B, 0x73, + 0x03, 0xFB, 0xFE, 0xC0, 0x50, 0x38, 0x70, 0xDF, 0x81, 0x5D, 0x22, 0x4C, + 0x5B, 0xCB, 0x27, 0x5D, 0xD2, 0x94, 0x64, 0x0A, 0x88, 0x67, 0x31, 0xE9, + 0x08, 0xF0, 0x88, 0x20, 0xF2, 0x86, 0xCA, 0xBD, 0x18, 0x5F, 0x34, 0xD0, + 0x96, 0x0D, 0x4A, 0x62, 0x4D, 0xBE, 0xE8, 0xA6, 0x04, 0xA6, 0x69, 0xCE, + 0xCD, 0xE9, 0x5A, 0x1D, 0xD2, 0xF8, 0xCF, 0x19, 0x06, 0x17, 0x05, 0x82, + 0x6B, 0x60, 0x3E, 0x5E, 0x6B, 0x1D, 0x1E, 0x13, 0x51, 0x5D, 0xFE, 0x95, + 0x38, 0x33, 0x62, 0x9B, 0xBF, 0xD5, 0x3E, 0x3B, 0x8B, 0xD2, 0x6F, 0x24, + 0x6D, 0x24, 0xC9, 0x0D, 0x2D, 0x52, 0xBF, 0xDA, 0xCE, 0x5E, 0xFE, 0x9D, + 0xB8, 0x5D, 0x61, 0x57, 0xBC, 0x8C, 0x7A, 0x17, 0x75, 0x80, 0xEE, 0x52, + 0x2F, 0xF5, 0x25, 0x48, 0x3A, 0x9E, 0x27, 0xF4, 0xEB, 0xE1, 0x01, 0xE4, + 0xA7, 0x48, 0x93, 0xAA, 0x92, 0x68, 0xC0, 0x3B, 0x1A, 0x5A, 0xC5, 0x6D, + 0xD0, 0x91, 0xB9, 0x8D, 0x44, 0xD4, 0xE1, 0x9C, 0x74, 0xEA, 0x14, 0xFA, + 0xF6, 0x1E, 0x01, 0xC0, 0x89, 0x24, 0x90, 0x71, 0xAF, 0xF5, 0x2D, 0x6C, + 0x35, 0x13, 0xA6, 0x73, 0x14, 0xAC, 0xE5, 0xAE, 0x88, 0x2F, 0x9D, 0x77, + 0x3B, 0x8F, 0x61, 0xB1, 0x47, 0x66, 0x72, 0x14, 0x91, 0x40, 0xD7, 0x50, + 0xDC, 0xEA, 0xFF, 0x49, 0x9E, 0x17, 0x75, 0x25, 0x49, 0x7C, 0x57, 0x41, + 0xA7, 0x8C, 0x4D, 0x3B, 0x94, 
0x9D, 0x65, 0x83, 0x62, 0x6F, 0x16, 0xBF, + 0x0C, 0x87, 0x03, 0x61, 0xB4, 0x3B, 0x60, 0x6D, 0x07, 0x56, 0xB8, 0x1F, + 0x89, 0xAD, 0x00, 0x25, 0x10, 0x4A, 0x34, 0x4C, 0x9A, 0x26, 0xDA, 0x06, + 0x25, 0x9C, 0x91, 0xA6, 0xA5, 0xAD, 0x4D, 0x6E, 0xE9, 0x2F, 0x18, 0xC4, + 0x1D, 0x09, 0xE1, 0xAA, 0x66, 0x01, 0x31, 0x6D, 0x12, 0x30, 0xED, 0x97, + 0x3F, 0x67, 0xCE, 0x4E, 0x26, 0x0B, 0xF5, 0x5E, 0x81, 0xA7, 0x1F, 0x83, + 0x68, 0x91, 0xC3, 0xD0, 0x4C, 0x2E, 0xD4, 0xDE, 0xEF, 0x34, 0xF9, 0x61, + 0x83, 0x6F, 0xD6, 0x6E, 0x40, 0x87, 0x48, 0x7E, 0xCF, 0x56, 0x42, 0x21, + 0xBA, 0x40, 0x64, 0x17, 0xFA, 0x97, 0xFF, 0x8D, 0xC8, 0x32, 0xFA, 0xB7, + 0x45, 0xB0, 0xEC, 0xBD, 0x0E, 0x51, 0x63, 0x90, 0x05, 0x68, 0x7A, 0x45, + 0x86, 0x68, 0x2A, 0x0E, 0x81, 0x5F, 0xDD, 0x12, 0xAD, 0x48, 0xF6, 0x87, + 0x2E, 0x8D, 0xF6, 0x86, 0xC3, 0x6D, 0x69, 0xD5, 0x4E, 0x52, 0x8A, 0x8E, + 0xE8, 0x01, 0x56, 0x11, 0xCC, 0x2E, 0x3F, 0xB5, 0x46, 0x1D, 0xF6, 0x6E, + 0x4A, 0xEE, 0x1C, 0x60, 0x15, 0x85, 0xF6, 0x40, 0xFD, 0x56, 0xDC, 0x10, + 0x01, 0xC3, 0xBD, 0xAE, 0x5A, 0x13, 0x1F, 0x15, 0x16, 0x10, 0x92, 0xC5, + 0x02, 0xC2, 0x81, 0xB5, 0x6A, 0x4D, 0x37, 0x29, 0x40, 0x8B, 0xAA, 0x5F, + 0xC9, 0x4C, 0x26, 0x7B, 0x2C, 0x21, 0x9E, 0xE2, 0xF2, 0x5A, 0x20, 0x88, + 0x3F, 0x40, 0x30, 0xC5, 0x64, 0x0E}; // mldsa87kPublicKey is an example ML-DSA-87 public key static const uint8_t mldsa87kPublicKey[] = { -0xE4, 0x36, 0x63, 0x53, 0xA7, 0xE7, 0xDF, 0x51, 0x06, 0x19, 0x34, 0x9F, 0xB5, -0x95, 0x53, 0x9D, 0xC0, 0x59, 0x21, 0x38, 0x0F, 0x8E, 0x2A, 0xEC, 0x43, 0x5C, -0x9B, 0x4B, 0xD0, 0xDC, 0x7E, 0xE1, 0x89, 0x77, 0x51, 0xD4, 0x26, 0x46, 0x8F, -0x25, 0x76, 0xAB, 0x5E, 0x68, 0xFE, 0x45, 0xC6, 0x35, 0xF5, 0xF0, 0xD0, 0x2D, -0xD2, 0x11, 0xCB, 0x2D, 0x3B, 0x6B, 0xF3, 0x2F, 0x68, 0xD1, 0xF2, 0xCC, 0x51, -0x9E, 0xE0, 0xC5, 0x1D, 0xFA, 0x2C, 0x55, 0x02, 0xE5, 0xAB, 0xC6, 0xA2, 0xA9, -0x2C, 0x35, 0xC1, 0x22, 0xDC, 0xFB, 0x9D, 0xDC, 0x9E, 0x17, 0xCB, 0x7C, 0xEC, -0xB4, 0x7D, 0x1C, 0x40, 0xA6, 0x40, 0x3C, 0x2B, 0x1C, 0x5B, 0x85, 0x97, 0x31, 
-0x5D, 0x9E, 0xAD, 0x7C, 0xC9, 0xF1, 0xBC, 0x99, 0x59, 0x2B, 0xE0, 0x10, 0x30, -0x58, 0xC6, 0x63, 0xBD, 0xD7, 0xF1, 0x27, 0x2B, 0x1E, 0xB2, 0xA8, 0x31, 0xD7, -0xD3, 0x2B, 0x85, 0xA7, 0x59, 0xAF, 0x70, 0x15, 0x66, 0x9E, 0xD2, 0x13, 0xB0, -0x50, 0xBF, 0x59, 0x08, 0x92, 0x32, 0x07, 0x9C, 0x81, 0xD7, 0x06, 0x55, 0x76, -0xEE, 0x15, 0x8A, 0xFE, 0xCB, 0x62, 0x58, 0xF7, 0xDF, 0x0F, 0xEB, 0x0A, 0x11, -0x98, 0xF8, 0x93, 0xD8, 0x96, 0xF5, 0x14, 0x87, 0x40, 0x4F, 0xEC, 0x9A, 0x45, -0xE2, 0x7A, 0x54, 0x91, 0x0B, 0xDB, 0x39, 0x90, 0x48, 0x5D, 0x1B, 0xE6, 0x63, -0x2C, 0x47, 0xC2, 0x2C, 0x45, 0x91, 0xDA, 0x52, 0x65, 0x15, 0x54, 0x35, 0x1A, -0xFF, 0x3E, 0xC9, 0x64, 0xED, 0x48, 0xE6, 0x7C, 0xDB, 0x2C, 0x72, 0x7B, 0x14, -0xC0, 0x35, 0x5C, 0x14, 0xE8, 0xBB, 0x92, 0xEA, 0xB6, 0x29, 0x29, 0x8B, 0x8A, -0x4D, 0x95, 0x1F, 0xAE, 0x54, 0x64, 0x07, 0x2D, 0xAD, 0x3D, 0xA4, 0x20, 0x20, -0xA0, 0x7A, 0x7C, 0xAE, 0x9E, 0xFE, 0x5C, 0xE8, 0x88, 0x63, 0x41, 0x2C, 0x3A, -0xCB, 0xF0, 0xA0, 0x33, 0x5B, 0x34, 0xE1, 0xD2, 0x85, 0x31, 0xB7, 0xB9, 0x4A, -0xD3, 0x29, 0x8A, 0x9B, 0x7E, 0x2E, 0x8E, 0x32, 0x72, 0xEB, 0x85, 0x8C, 0xA6, -0x61, 0x86, 0x36, 0x4A, 0x23, 0x22, 0xE2, 0xB4, 0x21, 0xF6, 0xD7, 0xCD, 0x40, -0xDB, 0xE1, 0x6E, 0x37, 0x0B, 0xB7, 0x08, 0x01, 0x17, 0x12, 0xB2, 0x56, 0x9E, -0x6B, 0x17, 0x2C, 0x31, 0x69, 0x14, 0x33, 0x0D, 0x49, 0x96, 0x44, 0x86, 0x42, -0x0B, 0xA7, 0x51, 0x67, 0x53, 0x2C, 0x86, 0x39, 0x49, 0xC2, 0x5F, 0x3C, 0xE9, -0xDF, 0x5F, 0x9C, 0x1F, 0x93, 0xC8, 0x28, 0x5F, 0x41, 0x83, 0xD9, 0x34, 0x80, -0x77, 0xE3, 0x6C, 0xE9, 0x81, 0xBE, 0x16, 0xC2, 0x6F, 0x85, 0x75, 0x93, 0x28, -0x15, 0xDB, 0xE1, 0x67, 0xC1, 0x75, 0xDA, 0x9C, 0x80, 0xE2, 0x8D, 0xA2, 0x29, -0x62, 0x9A, 0xA6, 0x0C, 0x6F, 0xC8, 0xE2, 0xB8, 0x35, 0x26, 0x7F, 0x27, 0x35, -0xCE, 0xEF, 0x21, 0x43, 0xED, 0xF2, 0x8F, 0x34, 0x22, 0x0E, 0x2A, 0x0D, 0x63, -0x2B, 0x01, 0x75, 0xB0, 0x95, 0xD2, 0x74, 0x3F, 0x21, 0x84, 0xE5, 0x23, 0x06, -0x62, 0x47, 0x8E, 0x0B, 0x40, 0xEA, 0xB8, 0x2F, 0x9C, 0x07, 0xF4, 0xCC, 0xA2, -0xA7, 0x8D, 0x78, 0x17, 
0x40, 0x38, 0x0E, 0xA6, 0x1F, 0x81, 0xB1, 0x21, 0xF6, -0x10, 0x18, 0x4A, 0xD3, 0x7B, 0x46, 0x8F, 0x69, 0xE2, 0x78, 0x1B, 0x2E, 0xCF, -0x96, 0xBF, 0x56, 0xA9, 0x17, 0x8D, 0x97, 0xB5, 0x69, 0x1D, 0xFE, 0xD4, 0x7E, -0xB6, 0x0D, 0xC1, 0xEA, 0xAC, 0x12, 0xB3, 0xAD, 0xE0, 0xC6, 0xB5, 0xF2, 0x96, -0xE0, 0x12, 0xD6, 0xF5, 0xB8, 0xF4, 0x86, 0xCC, 0xE4, 0x55, 0xA7, 0x05, 0x6F, -0xF9, 0x88, 0xD5, 0x36, 0x8D, 0xD6, 0x75, 0x18, 0xCA, 0xD5, 0x28, 0x21, 0x64, -0x41, 0x1D, 0xC6, 0x38, 0x56, 0x50, 0x96, 0x8E, 0x1A, 0x32, 0xD8, 0x4A, 0x47, -0x82, 0xFC, 0x67, 0xB2, 0xB5, 0xED, 0xC2, 0x54, 0x46, 0x87, 0xE3, 0x1F, 0xBB, -0x18, 0xCD, 0xB0, 0x59, 0xA0, 0xBE, 0xA6, 0x4D, 0x4E, 0x1E, 0x7A, 0x46, 0xE5, -0x77, 0xB2, 0x59, 0xCE, 0x61, 0xEF, 0xA2, 0x0A, 0xEC, 0x55, 0x8E, 0xB0, 0xD4, -0x3E, 0x1B, 0x25, 0x37, 0x8E, 0xA7, 0xB2, 0x27, 0xED, 0x00, 0x8C, 0x38, 0x26, -0x5E, 0x9D, 0x20, 0x38, 0x6A, 0xAF, 0xD2, 0x24, 0x94, 0x31, 0xF5, 0x6E, 0x66, -0x41, 0x2C, 0xFD, 0x77, 0x9C, 0x2D, 0x73, 0xE5, 0x8E, 0x64, 0xF7, 0x3D, 0xDF, -0x42, 0x37, 0xFE, 0x07, 0xB6, 0xBC, 0x29, 0x02, 0xD4, 0x90, 0xDA, 0x3F, 0x5E, -0x7F, 0xEC, 0x39, 0xC7, 0x4D, 0x11, 0x09, 0xBE, 0xA6, 0xF4, 0xBE, 0x4F, 0x14, -0x2C, 0x59, 0xD5, 0x07, 0xD3, 0x49, 0x81, 0x5D, 0x3B, 0xF9, 0x90, 0xD1, 0x8E, -0xB1, 0x83, 0xE3, 0x39, 0xDF, 0x04, 0x62, 0x56, 0x44, 0x12, 0xA2, 0x36, 0x28, -0xAA, 0xBC, 0x46, 0xDF, 0x78, 0xFF, 0x27, 0xC5, 0x3A, 0x16, 0xA5, 0x59, 0x63, -0xBF, 0x25, 0x0C, 0x31, 0xAD, 0x90, 0xF5, 0xBB, 0xAA, 0x9C, 0x56, 0x7D, 0x4A, -0xA5, 0x8C, 0x25, 0xAA, 0x9D, 0xB3, 0x44, 0xDB, 0x82, 0xCF, 0x46, 0x10, 0x1F, -0x4E, 0x24, 0xC1, 0x85, 0x6B, 0x6E, 0xD0, 0xC0, 0x66, 0x79, 0x58, 0xB1, 0x86, -0x86, 0xD0, 0xEF, 0xDA, 0xE0, 0xE0, 0x40, 0x61, 0x53, 0xFB, 0x02, 0xB4, 0x57, -0xFD, 0x47, 0xC0, 0xE0, 0x01, 0x9F, 0x4B, 0x51, 0xB1, 0x0B, 0x8C, 0x58, 0x7F, -0x92, 0xA9, 0xFA, 0x9D, 0x74, 0x12, 0x1B, 0xCC, 0x23, 0xF1, 0x21, 0xAE, 0x21, -0x16, 0xEF, 0xE1, 0xF9, 0x78, 0x67, 0xED, 0xDD, 0x31, 0xC1, 0xE0, 0xE6, 0x53, -0xD8, 0x55, 0xCE, 0x04, 0x99, 0x50, 0xB9, 0x11, 
0x05, 0xDE, 0xD1, 0xD3, 0x2B, -0x9E, 0xF4, 0xB9, 0x8A, 0x95, 0x20, 0x69, 0x5A, 0x96, 0xD2, 0x82, 0x9C, 0x26, -0x60, 0xE0, 0x51, 0x95, 0xA3, 0x74, 0x4F, 0x22, 0x7F, 0x01, 0xCC, 0x80, 0xAB, -0xD5, 0x92, 0xB3, 0xF0, 0x3F, 0xE8, 0x0F, 0xD8, 0x7C, 0x4D, 0xB0, 0x37, 0x55, -0xE7, 0xE2, 0x9A, 0xDC, 0x09, 0x80, 0x01, 0x43, 0x54, 0xDF, 0x57, 0x6D, 0x92, -0x21, 0x81, 0x92, 0xA4, 0x33, 0xEF, 0xDD, 0x59, 0xC6, 0xD3, 0x17, 0x3A, 0xBD, -0x75, 0x7A, 0x91, 0x50, 0xCF, 0x69, 0x97, 0x07, 0x38, 0xFB, 0x9E, 0xCE, 0x3A, -0x78, 0x25, 0xCF, 0x11, 0x5C, 0xD6, 0xC8, 0x53, 0xCF, 0xA6, 0x0E, 0x06, 0xF5, -0xD5, 0x5C, 0x16, 0x26, 0x4F, 0x0E, 0x12, 0x37, 0xEF, 0xD8, 0x7A, 0xFF, 0xCE, -0xA8, 0x8D, 0x44, 0x05, 0x4F, 0x35, 0xC1, 0x87, 0xBB, 0xF1, 0xF8, 0x91, 0x8B, -0x91, 0xD4, 0x96, 0x70, 0x7C, 0x4B, 0x89, 0xA8, 0x07, 0x66, 0x63, 0x7C, 0xD0, -0x1D, 0xBE, 0x4D, 0x03, 0x41, 0x19, 0x8B, 0x67, 0x66, 0xFD, 0xCE, 0xF5, 0xD8, -0x46, 0x13, 0x45, 0x72, 0xA7, 0x47, 0xF0, 0x67, 0xB4, 0x30, 0x58, 0xCE, 0x5B, -0xEA, 0x02, 0x7C, 0xF3, 0xC2, 0xF7, 0xAE, 0x3A, 0x4C, 0x5C, 0x11, 0xAF, 0xC3, -0xB2, 0xA8, 0x1F, 0x2F, 0xD2, 0x1E, 0x8F, 0xF1, 0x70, 0x1B, 0x9D, 0xF0, 0x61, -0x28, 0xF0, 0xBB, 0x64, 0x9C, 0x07, 0x2E, 0xD6, 0xFB, 0xA0, 0xD3, 0x14, 0x16, -0x7E, 0x73, 0x00, 0xD0, 0x28, 0xF5, 0x96, 0x83, 0x18, 0x2F, 0xBC, 0x7E, 0x4D, -0xE1, 0xA4, 0xC2, 0x91, 0x6C, 0xDA, 0xAB, 0xDD, 0xE0, 0xC1, 0x89, 0xD3, 0xE3, -0x5D, 0x17, 0x64, 0x48, 0x23, 0x4F, 0x8C, 0xB4, 0x17, 0x38, 0x6C, 0x25, 0xCF, -0x89, 0x84, 0x56, 0x3E, 0x92, 0x6F, 0xCA, 0xCB, 0xD7, 0xC0, 0x89, 0x05, 0xB0, -0x39, 0x66, 0x16, 0x98, 0x6C, 0xD5, 0xD2, 0x14, 0x7D, 0x85, 0xF5, 0xD0, 0x3A, -0x02, 0x42, 0x25, 0x6B, 0xDB, 0x40, 0xF3, 0xA5, 0x5C, 0x03, 0x6F, 0xA9, 0x6A, -0x98, 0x4F, 0xC4, 0x77, 0x83, 0xED, 0x40, 0x4E, 0x32, 0xB6, 0xE4, 0x6F, 0x5B, -0x13, 0x88, 0x04, 0x3B, 0x0D, 0x6E, 0xC1, 0x67, 0x20, 0xEA, 0x3B, 0x3C, 0xC4, -0x4A, 0xA9, 0x23, 0xE0, 0x41, 0x8A, 0xA8, 0x13, 0x00, 0xB5, 0x8C, 0x37, 0x71, -0x57, 0xD3, 0xED, 0x9F, 0x9A, 0x6C, 0xB7, 0x6C, 0x5B, 0x46, 0xBD, 0x8A, 
0x98, -0x30, 0xA3, 0x34, 0x1F, 0xCA, 0x19, 0x81, 0xE0, 0xFF, 0x4C, 0x08, 0x09, 0x82, -0xBC, 0x0D, 0xDF, 0xB2, 0x57, 0x68, 0x0B, 0x0A, 0xE7, 0xE2, 0x83, 0xD4, 0xD1, -0xA4, 0x62, 0x8F, 0x88, 0xCF, 0x04, 0xDC, 0x11, 0xE9, 0x9B, 0xCD, 0xEC, 0x0B, -0x88, 0x2B, 0x57, 0x9A, 0xF9, 0x71, 0xB8, 0xC3, 0x05, 0x59, 0x35, 0xF2, 0xA9, -0x80, 0xE0, 0x16, 0x22, 0xCA, 0xE0, 0xAE, 0x1B, 0xB5, 0x54, 0x76, 0xC1, 0xBA, -0x32, 0x9B, 0x67, 0x18, 0x86, 0x7C, 0x15, 0xD6, 0x81, 0x1A, 0xDF, 0x83, 0xD0, -0xDD, 0x6B, 0x2F, 0x98, 0x56, 0xB2, 0xBA, 0xFC, 0xA7, 0xD3, 0xE7, 0xAA, 0xE7, -0x3A, 0xC2, 0x50, 0x74, 0x63, 0xE6, 0x72, 0xC3, 0x40, 0x00, 0xF2, 0xDC, 0x06, -0x86, 0x1F, 0xF5, 0xE2, 0xD5, 0x77, 0xF5, 0xFF, 0x87, 0x32, 0x30, 0x61, 0x94, -0xE7, 0x04, 0x68, 0x0E, 0xC4, 0xF9, 0xDA, 0x54, 0x93, 0x32, 0xCE, 0x7D, 0x82, -0x05, 0x9A, 0x25, 0xF2, 0x88, 0x32, 0x64, 0x1A, 0x71, 0x94, 0x50, 0xBC, 0xD0, -0x31, 0xE2, 0x53, 0x61, 0x4A, 0xFF, 0xD4, 0x2E, 0xCE, 0xE0, 0x5B, 0xC4, 0x24, -0xCA, 0x95, 0xE2, 0x75, 0x54, 0xB6, 0xCF, 0x5C, 0xD6, 0x96, 0x0F, 0x1F, 0x60, -0xA2, 0x20, 0x1F, 0x00, 0x3C, 0x2D, 0x0D, 0x89, 0x90, 0xBD, 0x3A, 0xD3, 0xDC, -0x64, 0xB1, 0x61, 0xFB, 0xAA, 0x67, 0x15, 0xB0, 0xCE, 0x18, 0x1B, 0x09, 0xA2, -0x38, 0x31, 0x95, 0x0F, 0x2C, 0x25, 0x80, 0x4B, 0x13, 0xCB, 0xA0, 0xC7, 0xC7, -0xFA, 0xCC, 0x2C, 0x98, 0x66, 0xBE, 0xDC, 0x7B, 0xBB, 0x53, 0x12, 0x33, 0xDF, -0x92, 0x0C, 0x5F, 0x9E, 0xCC, 0x8E, 0x18, 0x23, 0x03, 0x2D, 0x7A, 0x2B, 0x90, -0x71, 0x07, 0x24, 0x95, 0xFE, 0x50, 0x95, 0x6E, 0x95, 0xFF, 0x29, 0x85, 0x7B, -0x44, 0x1C, 0x0A, 0x86, 0x48, 0x9B, 0x6B, 0xEA, 0xA7, 0xF9, 0xBF, 0xE8, 0x84, -0x10, 0xDC, 0x45, 0xC7, 0xFB, 0x2A, 0x39, 0x99, 0x0D, 0xCF, 0x23, 0x88, 0x35, -0x9C, 0x3D, 0xBA, 0x77, 0x7E, 0x8D, 0x4C, 0xA7, 0xB6, 0x41, 0x25, 0x46, 0x9A, -0x8E, 0xFF, 0x74, 0x5E, 0x9E, 0xDB, 0x8F, 0x20, 0xE9, 0xE3, 0x83, 0x84, 0x28, -0x0E, 0x14, 0xFC, 0x52, 0x1A, 0x69, 0xEC, 0x95, 0x5E, 0xBD, 0xFA, 0x05, 0xE4, -0xE5, 0xC7, 0xEB, 0x5F, 0x90, 0x21, 0x9C, 0xD5, 0x6B, 0xF7, 0x31, 0x35, 0xDA, -0x30, 0x41, 0xB2, 
0x7E, 0xAB, 0x43, 0x36, 0x4E, 0x0B, 0x84, 0xDE, 0x43, 0x62, -0x96, 0x81, 0xF8, 0x9B, 0x81, 0x20, 0x06, 0x3B, 0xCA, 0x8E, 0x09, 0xE7, 0x2A, -0x6B, 0x41, 0x0C, 0x42, 0x02, 0x27, 0x41, 0x95, 0x8C, 0x86, 0x91, 0x40, 0xB1, -0xE8, 0x0C, 0x65, 0x6F, 0x23, 0xA5, 0x4A, 0xA9, 0x14, 0x8F, 0x32, 0x36, 0x3A, -0xDC, 0xAE, 0x54, 0x29, 0x13, 0x6B, 0xC0, 0x0D, 0x76, 0x6F, 0x79, 0xC4, 0x0A, -0x87, 0x89, 0xF2, 0xDD, 0xB0, 0xE3, 0xC0, 0x65, 0xC7, 0xE3, 0xBD, 0x17, 0xC4, -0x66, 0x3F, 0x84, 0x0B, 0x3F, 0x7A, 0x50, 0x08, 0x5F, 0x68, 0xE6, 0xC6, 0x37, -0xA7, 0x73, 0xF4, 0x4F, 0x37, 0x05, 0x28, 0x64, 0x0E, 0x36, 0xF8, 0xC2, 0x2F, -0xEA, 0x1D, 0x98, 0xBB, 0xB2, 0xFB, 0xE5, 0x98, 0xAE, 0x5D, 0xF8, 0xE8, 0xDA, -0xA1, 0xB6, 0x43, 0x0C, 0x6D, 0x1C, 0x39, 0x59, 0xE1, 0xBF, 0xEB, 0xA6, 0x4D, -0xBF, 0x12, 0x0E, 0x6E, 0xC4, 0x93, 0x8B, 0x72, 0x54, 0x47, 0xBE, 0xFC, 0x3A, -0x00, 0x7F, 0xD3, 0x57, 0x32, 0xE7, 0x86, 0xF0, 0x96, 0xCC, 0x06, 0x8F, 0x73, -0x9C, 0xE6, 0x8D, 0xD8, 0xB8, 0x24, 0xF9, 0xC0, 0x51, 0x99, 0xB8, 0x35, 0x98, -0x37, 0x32, 0x35, 0x03, 0x5C, 0xDA, 0x91, 0xC9, 0x6A, 0x50, 0xE5, 0xE1, 0xF0, -0xEF, 0xBB, 0x66, 0x27, 0x91, 0x51, 0x57, 0x09, 0xBB, 0x5B, 0xE9, 0x26, 0x8E, -0xB9, 0x75, 0xD9, 0x2E, 0x80, 0xE2, 0xDD, 0x27, 0xDD, 0x5A, 0x1B, 0x4E, 0xCF, -0x17, 0x11, 0x2B, 0x7B, 0xCB, 0xF9, 0xB3, 0xED, 0x07, 0xF3, 0x5A, 0xEE, 0xBF, -0x4B, 0x07, 0x43, 0x73, 0xF8, 0x24, 0x16, 0x67, 0x41, 0xE9, 0x64, 0xB4, 0xE7, -0x05, 0x72, 0x91, 0xF7, 0xCE, 0x38, 0x7D, 0x38, 0xA5, 0x60, 0x95, 0xC1, 0xC7, -0x64, 0x1B, 0xCC, 0xC4, 0x12, 0x32, 0xC3, 0x49, 0x7E, 0xAB, 0x96, 0x1D, 0x2A, -0x3C, 0x60, 0x51, 0xAA, 0x62, 0x86, 0xF3, 0x9F, 0xC6, 0x7F, 0xAB, 0x0F, 0xBB, -0x15, 0x7B, 0xBA, 0x43, 0x26, 0xAE, 0x37, 0x45, 0x5F, 0x39, 0x70, 0xB7, 0x19, -0x2F, 0x02, 0x33, 0xF1, 0x11, 0x4E, 0x78, 0x7D, 0x17, 0x8F, 0xBF, 0xEB, 0x92, -0xCC, 0x2F, 0xCA, 0x87, 0x01, 0xA8, 0xE3, 0xAD, 0x7B, 0x4A, 0x44, 0x0C, 0x75, -0x5A, 0x31, 0xCA, 0xE1, 0xE6, 0x18, 0xD7, 0xC4, 0xA3, 0xBA, 0x7F, 0xB5, 0xBC, -0xFD, 0xA6, 0x9C, 0xDC, 0x2A, 0xEB, 0x18, 
0xDC, 0x88, 0x08, 0x6E, 0x7D, 0x6A, -0x97, 0xB6, 0xCD, 0x53, 0x41, 0x1D, 0xB4, 0xA8, 0xBD, 0xE3, 0x85, 0x29, 0x5F, -0x12, 0x03, 0xB8, 0x09, 0x13, 0x20, 0x6D, 0x68, 0x4F, 0x80, 0x1E, 0xBB, 0x6C, -0xD6, 0x51, 0x8C, 0x46, 0x19, 0x00, 0xBB, 0x90, 0xF9, 0xEA, 0xB0, 0x33, 0xF4, -0x52, 0xCA, 0x19, 0xD6, 0x68, 0xAE, 0x79, 0xE2, 0xC1, 0x39, 0xA9, 0x18, 0xF2, -0x26, 0x71, 0x69, 0xFF, 0xBA, 0x97, 0x28, 0x34, 0x4D, 0x10, 0x01, 0xFB, 0xD7, -0xBA, 0x37, 0x0F, 0xC8, 0xFC, 0x07, 0x7A, 0xCD, 0x1A, 0xDD, 0x92, 0x0D, 0x45, -0x8A, 0x7B, 0x6F, 0x94, 0x00, 0x53, 0x7E, 0xAF, 0xA5, 0x99, 0xB9, 0x7F, 0x00, -0xCD, 0xC7, 0x7C, 0x35, 0xCE, 0x53, 0x64, 0x15, 0xC2, 0x47, 0x7C, 0xD1, 0x12, -0x40, 0xBD, 0xF9, 0x8B, 0xBA, 0x3B, 0x5A, 0x3D, 0xFF, 0x5C, 0x48, 0x3A, 0x7F, -0xEF, 0x5B, 0xA8, 0xFC, 0xD6, 0xEA, 0xFB, 0x49, 0x0B, 0x29, 0x98, 0x5F, 0xCA, -0xBC, 0xC1, 0xD5, 0xA8, 0x15, 0x5B, 0x09, 0xEF, 0xB3, 0x0E, 0x41, 0xDC, 0x4D, -0x22, 0x30, 0xEE, 0xAA, 0xD9, 0xBA, 0x37, 0x43, 0xDE, 0x34, 0xF8, 0xB9, 0x42, -0xE7, 0x65, 0xEC, 0xE6, 0xA3, 0xE1, 0xED, 0x46, 0x46, 0xB4, 0x9F, 0x1C, 0xA0, -0x61, 0x50, 0x8E, 0x8A, 0x61, 0xBC, 0xF1, 0x3A, 0x55, 0xF8, 0xAB, 0xBA, 0x09, -0x5A, 0x4F, 0xB1, 0x38, 0x99, 0x77, 0x0A, 0xF5, 0x5D, 0xF7, 0xA0, 0x29, 0xA5, -0x00, 0x1D, 0x92, 0xC1, 0xA8, 0x4A, 0x73, 0x13, 0xCB, 0x1F, 0x14, 0xB0, 0xDB, -0x64, 0x53, 0xA8, 0x77, 0xB1, 0x80, 0xDF, 0xA7, 0x20, 0x9A, 0xA3, 0xD1, 0x79, -0x4B, 0x75, 0x45, 0x6D, 0xB0, 0xF5, 0xD8, 0x09, 0xE3, 0xB7, 0x7C, 0xC8, 0x1B, -0x56, 0xA2, 0x04, 0x11, 0xFB, 0xAC, 0x2D, 0x55, 0xF3, 0x95, 0x36, 0xF2, 0xAE, -0x6E, 0x9F, 0x10, 0xFE, 0xC0, 0xD5, 0x62, 0x36, 0xA7, 0xA0, 0xC5, 0x05, 0x2F, -0x55, 0x79, 0x59, 0x1B, 0xF4, 0xF6, 0xC3, 0xD2, 0x77, 0x96, 0x35, 0xBF, 0x89, -0x33, 0x45, 0xE9, 0xAB, 0x0A, 0x4B, 0xE1, 0x42, 0x31, 0xAF, 0x38, 0xA2, 0xA9, -0x45, 0xCF, 0x7D, 0x02, 0x88, 0x77, 0x4B, 0xD0, 0x2D, 0x9B, 0x56, 0x6E, 0xC3, -0xB3, 0x61, 0xA8, 0x1F, 0x8B, 0x9C, 0x3F, 0x63, 0xD4, 0x3C, 0x88, 0xA0, 0x7B, -0x90, 0xDB, 0x02, 0x30, 0xC5, 0xE8, 0x68, 0x82, 0x28, 0x58, 0x40, 
0x31, 0xA3, -0x5C, 0xE9, 0xFB, 0x2A, 0xE6, 0x6E, 0x8F, 0x49, 0x5B, 0xF6, 0xAC, 0xB5, 0xBF, -0x30, 0xA8, 0x68, 0x83, 0x5E, 0xB4, 0x26, 0xBF, 0x6D, 0x1F, 0xEC, 0xEB, 0x00, -0xBD, 0x12, 0x0D, 0xB9, 0x80, 0xF1, 0xE7, 0x13, 0x3B, 0xCA, 0x81, 0x98, 0x5C, -0xE8, 0xA1, 0x98, 0xA1, 0x82, 0x26, 0x5F, 0xDD, 0xE0, 0xAE, 0xF8, 0x0C, 0x63, -0x78, 0xA8, 0xC1, 0xF7, 0x20, 0x62, 0x0B, 0xC8, 0xF9, 0xE5, 0x89, 0x43, 0x44, -0x05, 0x56, 0x98, 0xDE, 0xFD, 0x99, 0x25, 0xC0, 0x33, 0xCA, 0x1C, 0xDD, 0xAE, -0x2F, 0xDF, 0x14, 0x7E, 0xE2, 0x75, 0x75, 0xBC, 0x1C, 0x81, 0xF7, 0x21, 0x07, -0x0E, 0x21, 0x4A, 0x41, 0x4F, 0x33, 0xBD, 0x00, 0x5D, 0xBD, 0xF1, 0x79, 0x0C, -0x15, 0x8C, 0x98, 0x06, 0x72, 0xB8, 0xC2, 0xC1, 0x29, 0xFB, 0x7E, 0xE5, 0xF4, -0x04, 0x49, 0x17, 0xFD, 0x4B, 0xE5, 0xC7, 0x03, 0xFA, 0x88, 0x81, 0xBF, 0xDB, -0x10, 0xE2, 0x37, 0x12, 0x9E, 0x63, 0x7D, 0xFA, 0xBC, 0xF6, 0x98, 0x12, 0x23, -0x99, 0x59, 0xE3, 0x30, 0xD0, 0xA8, 0x21, 0x6D, 0x80, 0x2A, 0xF4, 0xB9, 0x6D, -0x71, 0x62, 0x0B, 0xA7, 0x99, 0xB2, 0xA1, 0x60, 0x34, 0xC5, 0x7F, 0xC3, 0x59, -0x78, 0xED, 0xB4, 0xA6, 0x5E, 0xF8, 0xC8, 0x5E, 0xF6, 0x69, 0xCE, 0xA0, 0x98, -0x87, 0x79, 0xDB, 0xB8, 0xA2, 0x3C, 0x94, 0xAC, 0xD1, 0x4C, 0x6C, 0x72, 0x39, -0x17, 0x32, 0x78, 0xA1, 0xDC, 0x1D, 0x03, 0xB2, 0xA1, 0x57, 0x0D, 0x2F, 0xA7, -0xF4, 0x8D, 0xE8, 0x4C, 0x67, 0x95, 0x19, 0x95, 0x55, 0xB9, 0xDE, 0x38, 0xD0, -0x85, 0xDB, 0x15, 0xB8, 0x8C, 0x0F, 0x6A, 0x69, 0x38, 0xF6, 0x8B, 0x75, 0x81, -0x89, 0x7E, 0xF8, 0x3A, 0xF3, 0x27, 0x08, 0xC0, 0x7B, 0x78, 0x3A, 0x73, 0xA5, -0xCB, 0xB0, 0x67, 0xD7, 0xDF, 0x88, 0x84, 0x4A, 0x52, 0xBD, 0x91, 0x74, 0x2C, -0xD1, 0x16, 0x3A, 0xCB, 0x0D, 0x3D, 0x08, 0x3D, 0x4F, 0x58, 0xE6, 0xCB, 0x32, -0x8A, 0x52, 0x86, 0x82, 0x61, 0x00, 0xDE, 0xCA, 0xF3, 0xDE, 0x05, 0xAB, 0x15, -0xAE, 0x13, 0x35, 0x4A, 0xE2, 0x45, 0xD5, 0xC1, 0xB0, 0x1B, 0xFA, 0xD8, 0xAD, -0xF7, 0xD2, 0x9A, 0x53, 0x06, 0x79, 0x15, 0xA6, 0x95, 0xE0, 0x6C, 0xC7, 0xFA, -0x94, 0x81, 0xB4, 0x91, 0x9D, 0x53, 0x89, 0x2D, 0x59, 0x74, 0x9F, 0x0F, 0xD5, -0x4E, 0xE6, 
0xF6, 0x07, 0x62, 0x3B, 0x2C, 0x59, 0xA0, 0x47, 0x52, 0xDF, 0xF4, -0x10, 0xC2, 0xEB, 0x38, 0x86, 0x2F, 0x42, 0x01, 0xC2, 0x8A, 0xCB, 0x20, 0x7B, -0xFC, 0xB8, 0xEA, 0x20, 0x14, 0x69, 0x8B, 0x63, 0x52, 0xA8, 0x13, 0x1D, 0xD4, -0x60, 0x32, 0xF6, 0xDE, 0x75, 0x4D, 0x41, 0xC2, 0xC7, 0xA2, 0x62, 0x6F, 0x04, -0xAF, 0xF9, 0x9E, 0x3D, 0x1C, 0xCB, 0xBB, 0xEC, 0x7A, 0xFD, 0x9C, 0x97, 0x87, -0x40, 0xF1, 0xE7, 0x91, 0xCD, 0x36, 0xD2, 0x64, 0xB1, 0x2B, 0x43, 0xBA, 0x6E, -0xBD, 0x0E, 0x7D, 0xB1, 0x45, 0xA4, 0x0B, 0x84, 0xEB, 0x18, 0x5C, 0x25, 0x8B, -0x9B, 0x62, 0xB3, 0x8C, 0x95, 0xEF, 0x6F, 0x09, 0xE9, 0xF8, 0xE8, 0x18, 0x1A, -0x8A, 0xE2, 0xCC, 0x48, 0xDC, 0xC6, 0xDC, 0x94, 0xB1, 0x24, 0x55, 0x13, 0xB6, -0xD8, 0x16, 0xAB, 0x5F, 0x20, 0x7F, 0x5E, 0x35, 0x1F, 0x5A, 0x56, 0x2C, 0xFF, -0x02, 0x9C, 0xAF, 0x18, 0xF8, 0xBB, 0x60, 0xE1, 0xD4, 0xEF, 0x5E, 0x03, 0x08, -0x07, 0xCD, 0x29, 0x35, 0x7B, 0x9F, 0xEC, 0x35, 0xDB, 0x1D, 0xE1, 0xFD, 0x85, -0xC3, 0xDB, 0xE0, 0x58, 0x1F, 0x39, 0xE9, 0x38, 0xAE, 0x37, 0x18, 0xAF, 0x9C, -0x11, 0x97, 0x97, 0x6B, 0x67, 0x46, 0xC8, 0x68, 0xB7, 0x65, 0x05, 0x20, 0x02, -0x70, 0xDA, 0x6B, 0xC7, 0x34}; + 0xE4, 0x36, 0x63, 0x53, 0xA7, 0xE7, 0xDF, 0x51, 0x06, 0x19, 0x34, 0x9F, + 0xB5, 0x95, 0x53, 0x9D, 0xC0, 0x59, 0x21, 0x38, 0x0F, 0x8E, 0x2A, 0xEC, + 0x43, 0x5C, 0x9B, 0x4B, 0xD0, 0xDC, 0x7E, 0xE1, 0x89, 0x77, 0x51, 0xD4, + 0x26, 0x46, 0x8F, 0x25, 0x76, 0xAB, 0x5E, 0x68, 0xFE, 0x45, 0xC6, 0x35, + 0xF5, 0xF0, 0xD0, 0x2D, 0xD2, 0x11, 0xCB, 0x2D, 0x3B, 0x6B, 0xF3, 0x2F, + 0x68, 0xD1, 0xF2, 0xCC, 0x51, 0x9E, 0xE0, 0xC5, 0x1D, 0xFA, 0x2C, 0x55, + 0x02, 0xE5, 0xAB, 0xC6, 0xA2, 0xA9, 0x2C, 0x35, 0xC1, 0x22, 0xDC, 0xFB, + 0x9D, 0xDC, 0x9E, 0x17, 0xCB, 0x7C, 0xEC, 0xB4, 0x7D, 0x1C, 0x40, 0xA6, + 0x40, 0x3C, 0x2B, 0x1C, 0x5B, 0x85, 0x97, 0x31, 0x5D, 0x9E, 0xAD, 0x7C, + 0xC9, 0xF1, 0xBC, 0x99, 0x59, 0x2B, 0xE0, 0x10, 0x30, 0x58, 0xC6, 0x63, + 0xBD, 0xD7, 0xF1, 0x27, 0x2B, 0x1E, 0xB2, 0xA8, 0x31, 0xD7, 0xD3, 0x2B, + 0x85, 0xA7, 0x59, 0xAF, 0x70, 0x15, 0x66, 0x9E, 0xD2, 
0x13, 0xB0, 0x50, + 0xBF, 0x59, 0x08, 0x92, 0x32, 0x07, 0x9C, 0x81, 0xD7, 0x06, 0x55, 0x76, + 0xEE, 0x15, 0x8A, 0xFE, 0xCB, 0x62, 0x58, 0xF7, 0xDF, 0x0F, 0xEB, 0x0A, + 0x11, 0x98, 0xF8, 0x93, 0xD8, 0x96, 0xF5, 0x14, 0x87, 0x40, 0x4F, 0xEC, + 0x9A, 0x45, 0xE2, 0x7A, 0x54, 0x91, 0x0B, 0xDB, 0x39, 0x90, 0x48, 0x5D, + 0x1B, 0xE6, 0x63, 0x2C, 0x47, 0xC2, 0x2C, 0x45, 0x91, 0xDA, 0x52, 0x65, + 0x15, 0x54, 0x35, 0x1A, 0xFF, 0x3E, 0xC9, 0x64, 0xED, 0x48, 0xE6, 0x7C, + 0xDB, 0x2C, 0x72, 0x7B, 0x14, 0xC0, 0x35, 0x5C, 0x14, 0xE8, 0xBB, 0x92, + 0xEA, 0xB6, 0x29, 0x29, 0x8B, 0x8A, 0x4D, 0x95, 0x1F, 0xAE, 0x54, 0x64, + 0x07, 0x2D, 0xAD, 0x3D, 0xA4, 0x20, 0x20, 0xA0, 0x7A, 0x7C, 0xAE, 0x9E, + 0xFE, 0x5C, 0xE8, 0x88, 0x63, 0x41, 0x2C, 0x3A, 0xCB, 0xF0, 0xA0, 0x33, + 0x5B, 0x34, 0xE1, 0xD2, 0x85, 0x31, 0xB7, 0xB9, 0x4A, 0xD3, 0x29, 0x8A, + 0x9B, 0x7E, 0x2E, 0x8E, 0x32, 0x72, 0xEB, 0x85, 0x8C, 0xA6, 0x61, 0x86, + 0x36, 0x4A, 0x23, 0x22, 0xE2, 0xB4, 0x21, 0xF6, 0xD7, 0xCD, 0x40, 0xDB, + 0xE1, 0x6E, 0x37, 0x0B, 0xB7, 0x08, 0x01, 0x17, 0x12, 0xB2, 0x56, 0x9E, + 0x6B, 0x17, 0x2C, 0x31, 0x69, 0x14, 0x33, 0x0D, 0x49, 0x96, 0x44, 0x86, + 0x42, 0x0B, 0xA7, 0x51, 0x67, 0x53, 0x2C, 0x86, 0x39, 0x49, 0xC2, 0x5F, + 0x3C, 0xE9, 0xDF, 0x5F, 0x9C, 0x1F, 0x93, 0xC8, 0x28, 0x5F, 0x41, 0x83, + 0xD9, 0x34, 0x80, 0x77, 0xE3, 0x6C, 0xE9, 0x81, 0xBE, 0x16, 0xC2, 0x6F, + 0x85, 0x75, 0x93, 0x28, 0x15, 0xDB, 0xE1, 0x67, 0xC1, 0x75, 0xDA, 0x9C, + 0x80, 0xE2, 0x8D, 0xA2, 0x29, 0x62, 0x9A, 0xA6, 0x0C, 0x6F, 0xC8, 0xE2, + 0xB8, 0x35, 0x26, 0x7F, 0x27, 0x35, 0xCE, 0xEF, 0x21, 0x43, 0xED, 0xF2, + 0x8F, 0x34, 0x22, 0x0E, 0x2A, 0x0D, 0x63, 0x2B, 0x01, 0x75, 0xB0, 0x95, + 0xD2, 0x74, 0x3F, 0x21, 0x84, 0xE5, 0x23, 0x06, 0x62, 0x47, 0x8E, 0x0B, + 0x40, 0xEA, 0xB8, 0x2F, 0x9C, 0x07, 0xF4, 0xCC, 0xA2, 0xA7, 0x8D, 0x78, + 0x17, 0x40, 0x38, 0x0E, 0xA6, 0x1F, 0x81, 0xB1, 0x21, 0xF6, 0x10, 0x18, + 0x4A, 0xD3, 0x7B, 0x46, 0x8F, 0x69, 0xE2, 0x78, 0x1B, 0x2E, 0xCF, 0x96, + 0xBF, 0x56, 0xA9, 0x17, 0x8D, 0x97, 0xB5, 0x69, 0x1D, 
0xFE, 0xD4, 0x7E, + 0xB6, 0x0D, 0xC1, 0xEA, 0xAC, 0x12, 0xB3, 0xAD, 0xE0, 0xC6, 0xB5, 0xF2, + 0x96, 0xE0, 0x12, 0xD6, 0xF5, 0xB8, 0xF4, 0x86, 0xCC, 0xE4, 0x55, 0xA7, + 0x05, 0x6F, 0xF9, 0x88, 0xD5, 0x36, 0x8D, 0xD6, 0x75, 0x18, 0xCA, 0xD5, + 0x28, 0x21, 0x64, 0x41, 0x1D, 0xC6, 0x38, 0x56, 0x50, 0x96, 0x8E, 0x1A, + 0x32, 0xD8, 0x4A, 0x47, 0x82, 0xFC, 0x67, 0xB2, 0xB5, 0xED, 0xC2, 0x54, + 0x46, 0x87, 0xE3, 0x1F, 0xBB, 0x18, 0xCD, 0xB0, 0x59, 0xA0, 0xBE, 0xA6, + 0x4D, 0x4E, 0x1E, 0x7A, 0x46, 0xE5, 0x77, 0xB2, 0x59, 0xCE, 0x61, 0xEF, + 0xA2, 0x0A, 0xEC, 0x55, 0x8E, 0xB0, 0xD4, 0x3E, 0x1B, 0x25, 0x37, 0x8E, + 0xA7, 0xB2, 0x27, 0xED, 0x00, 0x8C, 0x38, 0x26, 0x5E, 0x9D, 0x20, 0x38, + 0x6A, 0xAF, 0xD2, 0x24, 0x94, 0x31, 0xF5, 0x6E, 0x66, 0x41, 0x2C, 0xFD, + 0x77, 0x9C, 0x2D, 0x73, 0xE5, 0x8E, 0x64, 0xF7, 0x3D, 0xDF, 0x42, 0x37, + 0xFE, 0x07, 0xB6, 0xBC, 0x29, 0x02, 0xD4, 0x90, 0xDA, 0x3F, 0x5E, 0x7F, + 0xEC, 0x39, 0xC7, 0x4D, 0x11, 0x09, 0xBE, 0xA6, 0xF4, 0xBE, 0x4F, 0x14, + 0x2C, 0x59, 0xD5, 0x07, 0xD3, 0x49, 0x81, 0x5D, 0x3B, 0xF9, 0x90, 0xD1, + 0x8E, 0xB1, 0x83, 0xE3, 0x39, 0xDF, 0x04, 0x62, 0x56, 0x44, 0x12, 0xA2, + 0x36, 0x28, 0xAA, 0xBC, 0x46, 0xDF, 0x78, 0xFF, 0x27, 0xC5, 0x3A, 0x16, + 0xA5, 0x59, 0x63, 0xBF, 0x25, 0x0C, 0x31, 0xAD, 0x90, 0xF5, 0xBB, 0xAA, + 0x9C, 0x56, 0x7D, 0x4A, 0xA5, 0x8C, 0x25, 0xAA, 0x9D, 0xB3, 0x44, 0xDB, + 0x82, 0xCF, 0x46, 0x10, 0x1F, 0x4E, 0x24, 0xC1, 0x85, 0x6B, 0x6E, 0xD0, + 0xC0, 0x66, 0x79, 0x58, 0xB1, 0x86, 0x86, 0xD0, 0xEF, 0xDA, 0xE0, 0xE0, + 0x40, 0x61, 0x53, 0xFB, 0x02, 0xB4, 0x57, 0xFD, 0x47, 0xC0, 0xE0, 0x01, + 0x9F, 0x4B, 0x51, 0xB1, 0x0B, 0x8C, 0x58, 0x7F, 0x92, 0xA9, 0xFA, 0x9D, + 0x74, 0x12, 0x1B, 0xCC, 0x23, 0xF1, 0x21, 0xAE, 0x21, 0x16, 0xEF, 0xE1, + 0xF9, 0x78, 0x67, 0xED, 0xDD, 0x31, 0xC1, 0xE0, 0xE6, 0x53, 0xD8, 0x55, + 0xCE, 0x04, 0x99, 0x50, 0xB9, 0x11, 0x05, 0xDE, 0xD1, 0xD3, 0x2B, 0x9E, + 0xF4, 0xB9, 0x8A, 0x95, 0x20, 0x69, 0x5A, 0x96, 0xD2, 0x82, 0x9C, 0x26, + 0x60, 0xE0, 0x51, 0x95, 0xA3, 0x74, 0x4F, 0x22, 0x7F, 
0x01, 0xCC, 0x80, + 0xAB, 0xD5, 0x92, 0xB3, 0xF0, 0x3F, 0xE8, 0x0F, 0xD8, 0x7C, 0x4D, 0xB0, + 0x37, 0x55, 0xE7, 0xE2, 0x9A, 0xDC, 0x09, 0x80, 0x01, 0x43, 0x54, 0xDF, + 0x57, 0x6D, 0x92, 0x21, 0x81, 0x92, 0xA4, 0x33, 0xEF, 0xDD, 0x59, 0xC6, + 0xD3, 0x17, 0x3A, 0xBD, 0x75, 0x7A, 0x91, 0x50, 0xCF, 0x69, 0x97, 0x07, + 0x38, 0xFB, 0x9E, 0xCE, 0x3A, 0x78, 0x25, 0xCF, 0x11, 0x5C, 0xD6, 0xC8, + 0x53, 0xCF, 0xA6, 0x0E, 0x06, 0xF5, 0xD5, 0x5C, 0x16, 0x26, 0x4F, 0x0E, + 0x12, 0x37, 0xEF, 0xD8, 0x7A, 0xFF, 0xCE, 0xA8, 0x8D, 0x44, 0x05, 0x4F, + 0x35, 0xC1, 0x87, 0xBB, 0xF1, 0xF8, 0x91, 0x8B, 0x91, 0xD4, 0x96, 0x70, + 0x7C, 0x4B, 0x89, 0xA8, 0x07, 0x66, 0x63, 0x7C, 0xD0, 0x1D, 0xBE, 0x4D, + 0x03, 0x41, 0x19, 0x8B, 0x67, 0x66, 0xFD, 0xCE, 0xF5, 0xD8, 0x46, 0x13, + 0x45, 0x72, 0xA7, 0x47, 0xF0, 0x67, 0xB4, 0x30, 0x58, 0xCE, 0x5B, 0xEA, + 0x02, 0x7C, 0xF3, 0xC2, 0xF7, 0xAE, 0x3A, 0x4C, 0x5C, 0x11, 0xAF, 0xC3, + 0xB2, 0xA8, 0x1F, 0x2F, 0xD2, 0x1E, 0x8F, 0xF1, 0x70, 0x1B, 0x9D, 0xF0, + 0x61, 0x28, 0xF0, 0xBB, 0x64, 0x9C, 0x07, 0x2E, 0xD6, 0xFB, 0xA0, 0xD3, + 0x14, 0x16, 0x7E, 0x73, 0x00, 0xD0, 0x28, 0xF5, 0x96, 0x83, 0x18, 0x2F, + 0xBC, 0x7E, 0x4D, 0xE1, 0xA4, 0xC2, 0x91, 0x6C, 0xDA, 0xAB, 0xDD, 0xE0, + 0xC1, 0x89, 0xD3, 0xE3, 0x5D, 0x17, 0x64, 0x48, 0x23, 0x4F, 0x8C, 0xB4, + 0x17, 0x38, 0x6C, 0x25, 0xCF, 0x89, 0x84, 0x56, 0x3E, 0x92, 0x6F, 0xCA, + 0xCB, 0xD7, 0xC0, 0x89, 0x05, 0xB0, 0x39, 0x66, 0x16, 0x98, 0x6C, 0xD5, + 0xD2, 0x14, 0x7D, 0x85, 0xF5, 0xD0, 0x3A, 0x02, 0x42, 0x25, 0x6B, 0xDB, + 0x40, 0xF3, 0xA5, 0x5C, 0x03, 0x6F, 0xA9, 0x6A, 0x98, 0x4F, 0xC4, 0x77, + 0x83, 0xED, 0x40, 0x4E, 0x32, 0xB6, 0xE4, 0x6F, 0x5B, 0x13, 0x88, 0x04, + 0x3B, 0x0D, 0x6E, 0xC1, 0x67, 0x20, 0xEA, 0x3B, 0x3C, 0xC4, 0x4A, 0xA9, + 0x23, 0xE0, 0x41, 0x8A, 0xA8, 0x13, 0x00, 0xB5, 0x8C, 0x37, 0x71, 0x57, + 0xD3, 0xED, 0x9F, 0x9A, 0x6C, 0xB7, 0x6C, 0x5B, 0x46, 0xBD, 0x8A, 0x98, + 0x30, 0xA3, 0x34, 0x1F, 0xCA, 0x19, 0x81, 0xE0, 0xFF, 0x4C, 0x08, 0x09, + 0x82, 0xBC, 0x0D, 0xDF, 0xB2, 0x57, 0x68, 0x0B, 0x0A, 
0xE7, 0xE2, 0x83, + 0xD4, 0xD1, 0xA4, 0x62, 0x8F, 0x88, 0xCF, 0x04, 0xDC, 0x11, 0xE9, 0x9B, + 0xCD, 0xEC, 0x0B, 0x88, 0x2B, 0x57, 0x9A, 0xF9, 0x71, 0xB8, 0xC3, 0x05, + 0x59, 0x35, 0xF2, 0xA9, 0x80, 0xE0, 0x16, 0x22, 0xCA, 0xE0, 0xAE, 0x1B, + 0xB5, 0x54, 0x76, 0xC1, 0xBA, 0x32, 0x9B, 0x67, 0x18, 0x86, 0x7C, 0x15, + 0xD6, 0x81, 0x1A, 0xDF, 0x83, 0xD0, 0xDD, 0x6B, 0x2F, 0x98, 0x56, 0xB2, + 0xBA, 0xFC, 0xA7, 0xD3, 0xE7, 0xAA, 0xE7, 0x3A, 0xC2, 0x50, 0x74, 0x63, + 0xE6, 0x72, 0xC3, 0x40, 0x00, 0xF2, 0xDC, 0x06, 0x86, 0x1F, 0xF5, 0xE2, + 0xD5, 0x77, 0xF5, 0xFF, 0x87, 0x32, 0x30, 0x61, 0x94, 0xE7, 0x04, 0x68, + 0x0E, 0xC4, 0xF9, 0xDA, 0x54, 0x93, 0x32, 0xCE, 0x7D, 0x82, 0x05, 0x9A, + 0x25, 0xF2, 0x88, 0x32, 0x64, 0x1A, 0x71, 0x94, 0x50, 0xBC, 0xD0, 0x31, + 0xE2, 0x53, 0x61, 0x4A, 0xFF, 0xD4, 0x2E, 0xCE, 0xE0, 0x5B, 0xC4, 0x24, + 0xCA, 0x95, 0xE2, 0x75, 0x54, 0xB6, 0xCF, 0x5C, 0xD6, 0x96, 0x0F, 0x1F, + 0x60, 0xA2, 0x20, 0x1F, 0x00, 0x3C, 0x2D, 0x0D, 0x89, 0x90, 0xBD, 0x3A, + 0xD3, 0xDC, 0x64, 0xB1, 0x61, 0xFB, 0xAA, 0x67, 0x15, 0xB0, 0xCE, 0x18, + 0x1B, 0x09, 0xA2, 0x38, 0x31, 0x95, 0x0F, 0x2C, 0x25, 0x80, 0x4B, 0x13, + 0xCB, 0xA0, 0xC7, 0xC7, 0xFA, 0xCC, 0x2C, 0x98, 0x66, 0xBE, 0xDC, 0x7B, + 0xBB, 0x53, 0x12, 0x33, 0xDF, 0x92, 0x0C, 0x5F, 0x9E, 0xCC, 0x8E, 0x18, + 0x23, 0x03, 0x2D, 0x7A, 0x2B, 0x90, 0x71, 0x07, 0x24, 0x95, 0xFE, 0x50, + 0x95, 0x6E, 0x95, 0xFF, 0x29, 0x85, 0x7B, 0x44, 0x1C, 0x0A, 0x86, 0x48, + 0x9B, 0x6B, 0xEA, 0xA7, 0xF9, 0xBF, 0xE8, 0x84, 0x10, 0xDC, 0x45, 0xC7, + 0xFB, 0x2A, 0x39, 0x99, 0x0D, 0xCF, 0x23, 0x88, 0x35, 0x9C, 0x3D, 0xBA, + 0x77, 0x7E, 0x8D, 0x4C, 0xA7, 0xB6, 0x41, 0x25, 0x46, 0x9A, 0x8E, 0xFF, + 0x74, 0x5E, 0x9E, 0xDB, 0x8F, 0x20, 0xE9, 0xE3, 0x83, 0x84, 0x28, 0x0E, + 0x14, 0xFC, 0x52, 0x1A, 0x69, 0xEC, 0x95, 0x5E, 0xBD, 0xFA, 0x05, 0xE4, + 0xE5, 0xC7, 0xEB, 0x5F, 0x90, 0x21, 0x9C, 0xD5, 0x6B, 0xF7, 0x31, 0x35, + 0xDA, 0x30, 0x41, 0xB2, 0x7E, 0xAB, 0x43, 0x36, 0x4E, 0x0B, 0x84, 0xDE, + 0x43, 0x62, 0x96, 0x81, 0xF8, 0x9B, 0x81, 0x20, 0x06, 
0x3B, 0xCA, 0x8E, + 0x09, 0xE7, 0x2A, 0x6B, 0x41, 0x0C, 0x42, 0x02, 0x27, 0x41, 0x95, 0x8C, + 0x86, 0x91, 0x40, 0xB1, 0xE8, 0x0C, 0x65, 0x6F, 0x23, 0xA5, 0x4A, 0xA9, + 0x14, 0x8F, 0x32, 0x36, 0x3A, 0xDC, 0xAE, 0x54, 0x29, 0x13, 0x6B, 0xC0, + 0x0D, 0x76, 0x6F, 0x79, 0xC4, 0x0A, 0x87, 0x89, 0xF2, 0xDD, 0xB0, 0xE3, + 0xC0, 0x65, 0xC7, 0xE3, 0xBD, 0x17, 0xC4, 0x66, 0x3F, 0x84, 0x0B, 0x3F, + 0x7A, 0x50, 0x08, 0x5F, 0x68, 0xE6, 0xC6, 0x37, 0xA7, 0x73, 0xF4, 0x4F, + 0x37, 0x05, 0x28, 0x64, 0x0E, 0x36, 0xF8, 0xC2, 0x2F, 0xEA, 0x1D, 0x98, + 0xBB, 0xB2, 0xFB, 0xE5, 0x98, 0xAE, 0x5D, 0xF8, 0xE8, 0xDA, 0xA1, 0xB6, + 0x43, 0x0C, 0x6D, 0x1C, 0x39, 0x59, 0xE1, 0xBF, 0xEB, 0xA6, 0x4D, 0xBF, + 0x12, 0x0E, 0x6E, 0xC4, 0x93, 0x8B, 0x72, 0x54, 0x47, 0xBE, 0xFC, 0x3A, + 0x00, 0x7F, 0xD3, 0x57, 0x32, 0xE7, 0x86, 0xF0, 0x96, 0xCC, 0x06, 0x8F, + 0x73, 0x9C, 0xE6, 0x8D, 0xD8, 0xB8, 0x24, 0xF9, 0xC0, 0x51, 0x99, 0xB8, + 0x35, 0x98, 0x37, 0x32, 0x35, 0x03, 0x5C, 0xDA, 0x91, 0xC9, 0x6A, 0x50, + 0xE5, 0xE1, 0xF0, 0xEF, 0xBB, 0x66, 0x27, 0x91, 0x51, 0x57, 0x09, 0xBB, + 0x5B, 0xE9, 0x26, 0x8E, 0xB9, 0x75, 0xD9, 0x2E, 0x80, 0xE2, 0xDD, 0x27, + 0xDD, 0x5A, 0x1B, 0x4E, 0xCF, 0x17, 0x11, 0x2B, 0x7B, 0xCB, 0xF9, 0xB3, + 0xED, 0x07, 0xF3, 0x5A, 0xEE, 0xBF, 0x4B, 0x07, 0x43, 0x73, 0xF8, 0x24, + 0x16, 0x67, 0x41, 0xE9, 0x64, 0xB4, 0xE7, 0x05, 0x72, 0x91, 0xF7, 0xCE, + 0x38, 0x7D, 0x38, 0xA5, 0x60, 0x95, 0xC1, 0xC7, 0x64, 0x1B, 0xCC, 0xC4, + 0x12, 0x32, 0xC3, 0x49, 0x7E, 0xAB, 0x96, 0x1D, 0x2A, 0x3C, 0x60, 0x51, + 0xAA, 0x62, 0x86, 0xF3, 0x9F, 0xC6, 0x7F, 0xAB, 0x0F, 0xBB, 0x15, 0x7B, + 0xBA, 0x43, 0x26, 0xAE, 0x37, 0x45, 0x5F, 0x39, 0x70, 0xB7, 0x19, 0x2F, + 0x02, 0x33, 0xF1, 0x11, 0x4E, 0x78, 0x7D, 0x17, 0x8F, 0xBF, 0xEB, 0x92, + 0xCC, 0x2F, 0xCA, 0x87, 0x01, 0xA8, 0xE3, 0xAD, 0x7B, 0x4A, 0x44, 0x0C, + 0x75, 0x5A, 0x31, 0xCA, 0xE1, 0xE6, 0x18, 0xD7, 0xC4, 0xA3, 0xBA, 0x7F, + 0xB5, 0xBC, 0xFD, 0xA6, 0x9C, 0xDC, 0x2A, 0xEB, 0x18, 0xDC, 0x88, 0x08, + 0x6E, 0x7D, 0x6A, 0x97, 0xB6, 0xCD, 0x53, 0x41, 0x1D, 
0xB4, 0xA8, 0xBD, + 0xE3, 0x85, 0x29, 0x5F, 0x12, 0x03, 0xB8, 0x09, 0x13, 0x20, 0x6D, 0x68, + 0x4F, 0x80, 0x1E, 0xBB, 0x6C, 0xD6, 0x51, 0x8C, 0x46, 0x19, 0x00, 0xBB, + 0x90, 0xF9, 0xEA, 0xB0, 0x33, 0xF4, 0x52, 0xCA, 0x19, 0xD6, 0x68, 0xAE, + 0x79, 0xE2, 0xC1, 0x39, 0xA9, 0x18, 0xF2, 0x26, 0x71, 0x69, 0xFF, 0xBA, + 0x97, 0x28, 0x34, 0x4D, 0x10, 0x01, 0xFB, 0xD7, 0xBA, 0x37, 0x0F, 0xC8, + 0xFC, 0x07, 0x7A, 0xCD, 0x1A, 0xDD, 0x92, 0x0D, 0x45, 0x8A, 0x7B, 0x6F, + 0x94, 0x00, 0x53, 0x7E, 0xAF, 0xA5, 0x99, 0xB9, 0x7F, 0x00, 0xCD, 0xC7, + 0x7C, 0x35, 0xCE, 0x53, 0x64, 0x15, 0xC2, 0x47, 0x7C, 0xD1, 0x12, 0x40, + 0xBD, 0xF9, 0x8B, 0xBA, 0x3B, 0x5A, 0x3D, 0xFF, 0x5C, 0x48, 0x3A, 0x7F, + 0xEF, 0x5B, 0xA8, 0xFC, 0xD6, 0xEA, 0xFB, 0x49, 0x0B, 0x29, 0x98, 0x5F, + 0xCA, 0xBC, 0xC1, 0xD5, 0xA8, 0x15, 0x5B, 0x09, 0xEF, 0xB3, 0x0E, 0x41, + 0xDC, 0x4D, 0x22, 0x30, 0xEE, 0xAA, 0xD9, 0xBA, 0x37, 0x43, 0xDE, 0x34, + 0xF8, 0xB9, 0x42, 0xE7, 0x65, 0xEC, 0xE6, 0xA3, 0xE1, 0xED, 0x46, 0x46, + 0xB4, 0x9F, 0x1C, 0xA0, 0x61, 0x50, 0x8E, 0x8A, 0x61, 0xBC, 0xF1, 0x3A, + 0x55, 0xF8, 0xAB, 0xBA, 0x09, 0x5A, 0x4F, 0xB1, 0x38, 0x99, 0x77, 0x0A, + 0xF5, 0x5D, 0xF7, 0xA0, 0x29, 0xA5, 0x00, 0x1D, 0x92, 0xC1, 0xA8, 0x4A, + 0x73, 0x13, 0xCB, 0x1F, 0x14, 0xB0, 0xDB, 0x64, 0x53, 0xA8, 0x77, 0xB1, + 0x80, 0xDF, 0xA7, 0x20, 0x9A, 0xA3, 0xD1, 0x79, 0x4B, 0x75, 0x45, 0x6D, + 0xB0, 0xF5, 0xD8, 0x09, 0xE3, 0xB7, 0x7C, 0xC8, 0x1B, 0x56, 0xA2, 0x04, + 0x11, 0xFB, 0xAC, 0x2D, 0x55, 0xF3, 0x95, 0x36, 0xF2, 0xAE, 0x6E, 0x9F, + 0x10, 0xFE, 0xC0, 0xD5, 0x62, 0x36, 0xA7, 0xA0, 0xC5, 0x05, 0x2F, 0x55, + 0x79, 0x59, 0x1B, 0xF4, 0xF6, 0xC3, 0xD2, 0x77, 0x96, 0x35, 0xBF, 0x89, + 0x33, 0x45, 0xE9, 0xAB, 0x0A, 0x4B, 0xE1, 0x42, 0x31, 0xAF, 0x38, 0xA2, + 0xA9, 0x45, 0xCF, 0x7D, 0x02, 0x88, 0x77, 0x4B, 0xD0, 0x2D, 0x9B, 0x56, + 0x6E, 0xC3, 0xB3, 0x61, 0xA8, 0x1F, 0x8B, 0x9C, 0x3F, 0x63, 0xD4, 0x3C, + 0x88, 0xA0, 0x7B, 0x90, 0xDB, 0x02, 0x30, 0xC5, 0xE8, 0x68, 0x82, 0x28, + 0x58, 0x40, 0x31, 0xA3, 0x5C, 0xE9, 0xFB, 0x2A, 0xE6, 
0x6E, 0x8F, 0x49, + 0x5B, 0xF6, 0xAC, 0xB5, 0xBF, 0x30, 0xA8, 0x68, 0x83, 0x5E, 0xB4, 0x26, + 0xBF, 0x6D, 0x1F, 0xEC, 0xEB, 0x00, 0xBD, 0x12, 0x0D, 0xB9, 0x80, 0xF1, + 0xE7, 0x13, 0x3B, 0xCA, 0x81, 0x98, 0x5C, 0xE8, 0xA1, 0x98, 0xA1, 0x82, + 0x26, 0x5F, 0xDD, 0xE0, 0xAE, 0xF8, 0x0C, 0x63, 0x78, 0xA8, 0xC1, 0xF7, + 0x20, 0x62, 0x0B, 0xC8, 0xF9, 0xE5, 0x89, 0x43, 0x44, 0x05, 0x56, 0x98, + 0xDE, 0xFD, 0x99, 0x25, 0xC0, 0x33, 0xCA, 0x1C, 0xDD, 0xAE, 0x2F, 0xDF, + 0x14, 0x7E, 0xE2, 0x75, 0x75, 0xBC, 0x1C, 0x81, 0xF7, 0x21, 0x07, 0x0E, + 0x21, 0x4A, 0x41, 0x4F, 0x33, 0xBD, 0x00, 0x5D, 0xBD, 0xF1, 0x79, 0x0C, + 0x15, 0x8C, 0x98, 0x06, 0x72, 0xB8, 0xC2, 0xC1, 0x29, 0xFB, 0x7E, 0xE5, + 0xF4, 0x04, 0x49, 0x17, 0xFD, 0x4B, 0xE5, 0xC7, 0x03, 0xFA, 0x88, 0x81, + 0xBF, 0xDB, 0x10, 0xE2, 0x37, 0x12, 0x9E, 0x63, 0x7D, 0xFA, 0xBC, 0xF6, + 0x98, 0x12, 0x23, 0x99, 0x59, 0xE3, 0x30, 0xD0, 0xA8, 0x21, 0x6D, 0x80, + 0x2A, 0xF4, 0xB9, 0x6D, 0x71, 0x62, 0x0B, 0xA7, 0x99, 0xB2, 0xA1, 0x60, + 0x34, 0xC5, 0x7F, 0xC3, 0x59, 0x78, 0xED, 0xB4, 0xA6, 0x5E, 0xF8, 0xC8, + 0x5E, 0xF6, 0x69, 0xCE, 0xA0, 0x98, 0x87, 0x79, 0xDB, 0xB8, 0xA2, 0x3C, + 0x94, 0xAC, 0xD1, 0x4C, 0x6C, 0x72, 0x39, 0x17, 0x32, 0x78, 0xA1, 0xDC, + 0x1D, 0x03, 0xB2, 0xA1, 0x57, 0x0D, 0x2F, 0xA7, 0xF4, 0x8D, 0xE8, 0x4C, + 0x67, 0x95, 0x19, 0x95, 0x55, 0xB9, 0xDE, 0x38, 0xD0, 0x85, 0xDB, 0x15, + 0xB8, 0x8C, 0x0F, 0x6A, 0x69, 0x38, 0xF6, 0x8B, 0x75, 0x81, 0x89, 0x7E, + 0xF8, 0x3A, 0xF3, 0x27, 0x08, 0xC0, 0x7B, 0x78, 0x3A, 0x73, 0xA5, 0xCB, + 0xB0, 0x67, 0xD7, 0xDF, 0x88, 0x84, 0x4A, 0x52, 0xBD, 0x91, 0x74, 0x2C, + 0xD1, 0x16, 0x3A, 0xCB, 0x0D, 0x3D, 0x08, 0x3D, 0x4F, 0x58, 0xE6, 0xCB, + 0x32, 0x8A, 0x52, 0x86, 0x82, 0x61, 0x00, 0xDE, 0xCA, 0xF3, 0xDE, 0x05, + 0xAB, 0x15, 0xAE, 0x13, 0x35, 0x4A, 0xE2, 0x45, 0xD5, 0xC1, 0xB0, 0x1B, + 0xFA, 0xD8, 0xAD, 0xF7, 0xD2, 0x9A, 0x53, 0x06, 0x79, 0x15, 0xA6, 0x95, + 0xE0, 0x6C, 0xC7, 0xFA, 0x94, 0x81, 0xB4, 0x91, 0x9D, 0x53, 0x89, 0x2D, + 0x59, 0x74, 0x9F, 0x0F, 0xD5, 0x4E, 0xE6, 0xF6, 0x07, 
0x62, 0x3B, 0x2C, + 0x59, 0xA0, 0x47, 0x52, 0xDF, 0xF4, 0x10, 0xC2, 0xEB, 0x38, 0x86, 0x2F, + 0x42, 0x01, 0xC2, 0x8A, 0xCB, 0x20, 0x7B, 0xFC, 0xB8, 0xEA, 0x20, 0x14, + 0x69, 0x8B, 0x63, 0x52, 0xA8, 0x13, 0x1D, 0xD4, 0x60, 0x32, 0xF6, 0xDE, + 0x75, 0x4D, 0x41, 0xC2, 0xC7, 0xA2, 0x62, 0x6F, 0x04, 0xAF, 0xF9, 0x9E, + 0x3D, 0x1C, 0xCB, 0xBB, 0xEC, 0x7A, 0xFD, 0x9C, 0x97, 0x87, 0x40, 0xF1, + 0xE7, 0x91, 0xCD, 0x36, 0xD2, 0x64, 0xB1, 0x2B, 0x43, 0xBA, 0x6E, 0xBD, + 0x0E, 0x7D, 0xB1, 0x45, 0xA4, 0x0B, 0x84, 0xEB, 0x18, 0x5C, 0x25, 0x8B, + 0x9B, 0x62, 0xB3, 0x8C, 0x95, 0xEF, 0x6F, 0x09, 0xE9, 0xF8, 0xE8, 0x18, + 0x1A, 0x8A, 0xE2, 0xCC, 0x48, 0xDC, 0xC6, 0xDC, 0x94, 0xB1, 0x24, 0x55, + 0x13, 0xB6, 0xD8, 0x16, 0xAB, 0x5F, 0x20, 0x7F, 0x5E, 0x35, 0x1F, 0x5A, + 0x56, 0x2C, 0xFF, 0x02, 0x9C, 0xAF, 0x18, 0xF8, 0xBB, 0x60, 0xE1, 0xD4, + 0xEF, 0x5E, 0x03, 0x08, 0x07, 0xCD, 0x29, 0x35, 0x7B, 0x9F, 0xEC, 0x35, + 0xDB, 0x1D, 0xE1, 0xFD, 0x85, 0xC3, 0xDB, 0xE0, 0x58, 0x1F, 0x39, 0xE9, + 0x38, 0xAE, 0x37, 0x18, 0xAF, 0x9C, 0x11, 0x97, 0x97, 0x6B, 0x67, 0x46, + 0xC8, 0x68, 0xB7, 0x65, 0x05, 0x20, 0x02, 0x70, 0xDA, 0x6B, 0xC7, 0x34}; // mldsa87kPublicKeySPKI is the above example ML-DSA-87 public key encoded static const uint8_t mldsa87kPublicKeySPKI[] = { -0x30, 0x82, 0x0A, 0x32, 0x30, 0x0B, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, -0x03, 0x04, 0x03, 0x13, 0x03, 0x82, 0x0A, 0x21, 0x00, 0xE4, 0x36, 0x63, 0x53, -0xA7, 0xE7, 0xDF, 0x51, 0x06, 0x19, 0x34, 0x9F, 0xB5, 0x95, 0x53, 0x9D, 0xC0, -0x59, 0x21, 0x38, 0x0F, 0x8E, 0x2A, 0xEC, 0x43, 0x5C, 0x9B, 0x4B, 0xD0, 0xDC, -0x7E, 0xE1, 0x89, 0x77, 0x51, 0xD4, 0x26, 0x46, 0x8F, 0x25, 0x76, 0xAB, 0x5E, -0x68, 0xFE, 0x45, 0xC6, 0x35, 0xF5, 0xF0, 0xD0, 0x2D, 0xD2, 0x11, 0xCB, 0x2D, -0x3B, 0x6B, 0xF3, 0x2F, 0x68, 0xD1, 0xF2, 0xCC, 0x51, 0x9E, 0xE0, 0xC5, 0x1D, -0xFA, 0x2C, 0x55, 0x02, 0xE5, 0xAB, 0xC6, 0xA2, 0xA9, 0x2C, 0x35, 0xC1, 0x22, -0xDC, 0xFB, 0x9D, 0xDC, 0x9E, 0x17, 0xCB, 0x7C, 0xEC, 0xB4, 0x7D, 0x1C, 0x40, -0xA6, 0x40, 0x3C, 0x2B, 0x1C, 
0x5B, 0x85, 0x97, 0x31, 0x5D, 0x9E, 0xAD, 0x7C, -0xC9, 0xF1, 0xBC, 0x99, 0x59, 0x2B, 0xE0, 0x10, 0x30, 0x58, 0xC6, 0x63, 0xBD, -0xD7, 0xF1, 0x27, 0x2B, 0x1E, 0xB2, 0xA8, 0x31, 0xD7, 0xD3, 0x2B, 0x85, 0xA7, -0x59, 0xAF, 0x70, 0x15, 0x66, 0x9E, 0xD2, 0x13, 0xB0, 0x50, 0xBF, 0x59, 0x08, -0x92, 0x32, 0x07, 0x9C, 0x81, 0xD7, 0x06, 0x55, 0x76, 0xEE, 0x15, 0x8A, 0xFE, -0xCB, 0x62, 0x58, 0xF7, 0xDF, 0x0F, 0xEB, 0x0A, 0x11, 0x98, 0xF8, 0x93, 0xD8, -0x96, 0xF5, 0x14, 0x87, 0x40, 0x4F, 0xEC, 0x9A, 0x45, 0xE2, 0x7A, 0x54, 0x91, -0x0B, 0xDB, 0x39, 0x90, 0x48, 0x5D, 0x1B, 0xE6, 0x63, 0x2C, 0x47, 0xC2, 0x2C, -0x45, 0x91, 0xDA, 0x52, 0x65, 0x15, 0x54, 0x35, 0x1A, 0xFF, 0x3E, 0xC9, 0x64, -0xED, 0x48, 0xE6, 0x7C, 0xDB, 0x2C, 0x72, 0x7B, 0x14, 0xC0, 0x35, 0x5C, 0x14, -0xE8, 0xBB, 0x92, 0xEA, 0xB6, 0x29, 0x29, 0x8B, 0x8A, 0x4D, 0x95, 0x1F, 0xAE, -0x54, 0x64, 0x07, 0x2D, 0xAD, 0x3D, 0xA4, 0x20, 0x20, 0xA0, 0x7A, 0x7C, 0xAE, -0x9E, 0xFE, 0x5C, 0xE8, 0x88, 0x63, 0x41, 0x2C, 0x3A, 0xCB, 0xF0, 0xA0, 0x33, -0x5B, 0x34, 0xE1, 0xD2, 0x85, 0x31, 0xB7, 0xB9, 0x4A, 0xD3, 0x29, 0x8A, 0x9B, -0x7E, 0x2E, 0x8E, 0x32, 0x72, 0xEB, 0x85, 0x8C, 0xA6, 0x61, 0x86, 0x36, 0x4A, -0x23, 0x22, 0xE2, 0xB4, 0x21, 0xF6, 0xD7, 0xCD, 0x40, 0xDB, 0xE1, 0x6E, 0x37, -0x0B, 0xB7, 0x08, 0x01, 0x17, 0x12, 0xB2, 0x56, 0x9E, 0x6B, 0x17, 0x2C, 0x31, -0x69, 0x14, 0x33, 0x0D, 0x49, 0x96, 0x44, 0x86, 0x42, 0x0B, 0xA7, 0x51, 0x67, -0x53, 0x2C, 0x86, 0x39, 0x49, 0xC2, 0x5F, 0x3C, 0xE9, 0xDF, 0x5F, 0x9C, 0x1F, -0x93, 0xC8, 0x28, 0x5F, 0x41, 0x83, 0xD9, 0x34, 0x80, 0x77, 0xE3, 0x6C, 0xE9, -0x81, 0xBE, 0x16, 0xC2, 0x6F, 0x85, 0x75, 0x93, 0x28, 0x15, 0xDB, 0xE1, 0x67, -0xC1, 0x75, 0xDA, 0x9C, 0x80, 0xE2, 0x8D, 0xA2, 0x29, 0x62, 0x9A, 0xA6, 0x0C, -0x6F, 0xC8, 0xE2, 0xB8, 0x35, 0x26, 0x7F, 0x27, 0x35, 0xCE, 0xEF, 0x21, 0x43, -0xED, 0xF2, 0x8F, 0x34, 0x22, 0x0E, 0x2A, 0x0D, 0x63, 0x2B, 0x01, 0x75, 0xB0, -0x95, 0xD2, 0x74, 0x3F, 0x21, 0x84, 0xE5, 0x23, 0x06, 0x62, 0x47, 0x8E, 0x0B, -0x40, 0xEA, 0xB8, 0x2F, 0x9C, 0x07, 0xF4, 0xCC, 0xA2, 
0xA7, 0x8D, 0x78, 0x17, -0x40, 0x38, 0x0E, 0xA6, 0x1F, 0x81, 0xB1, 0x21, 0xF6, 0x10, 0x18, 0x4A, 0xD3, -0x7B, 0x46, 0x8F, 0x69, 0xE2, 0x78, 0x1B, 0x2E, 0xCF, 0x96, 0xBF, 0x56, 0xA9, -0x17, 0x8D, 0x97, 0xB5, 0x69, 0x1D, 0xFE, 0xD4, 0x7E, 0xB6, 0x0D, 0xC1, 0xEA, -0xAC, 0x12, 0xB3, 0xAD, 0xE0, 0xC6, 0xB5, 0xF2, 0x96, 0xE0, 0x12, 0xD6, 0xF5, -0xB8, 0xF4, 0x86, 0xCC, 0xE4, 0x55, 0xA7, 0x05, 0x6F, 0xF9, 0x88, 0xD5, 0x36, -0x8D, 0xD6, 0x75, 0x18, 0xCA, 0xD5, 0x28, 0x21, 0x64, 0x41, 0x1D, 0xC6, 0x38, -0x56, 0x50, 0x96, 0x8E, 0x1A, 0x32, 0xD8, 0x4A, 0x47, 0x82, 0xFC, 0x67, 0xB2, -0xB5, 0xED, 0xC2, 0x54, 0x46, 0x87, 0xE3, 0x1F, 0xBB, 0x18, 0xCD, 0xB0, 0x59, -0xA0, 0xBE, 0xA6, 0x4D, 0x4E, 0x1E, 0x7A, 0x46, 0xE5, 0x77, 0xB2, 0x59, 0xCE, -0x61, 0xEF, 0xA2, 0x0A, 0xEC, 0x55, 0x8E, 0xB0, 0xD4, 0x3E, 0x1B, 0x25, 0x37, -0x8E, 0xA7, 0xB2, 0x27, 0xED, 0x00, 0x8C, 0x38, 0x26, 0x5E, 0x9D, 0x20, 0x38, -0x6A, 0xAF, 0xD2, 0x24, 0x94, 0x31, 0xF5, 0x6E, 0x66, 0x41, 0x2C, 0xFD, 0x77, -0x9C, 0x2D, 0x73, 0xE5, 0x8E, 0x64, 0xF7, 0x3D, 0xDF, 0x42, 0x37, 0xFE, 0x07, -0xB6, 0xBC, 0x29, 0x02, 0xD4, 0x90, 0xDA, 0x3F, 0x5E, 0x7F, 0xEC, 0x39, 0xC7, -0x4D, 0x11, 0x09, 0xBE, 0xA6, 0xF4, 0xBE, 0x4F, 0x14, 0x2C, 0x59, 0xD5, 0x07, -0xD3, 0x49, 0x81, 0x5D, 0x3B, 0xF9, 0x90, 0xD1, 0x8E, 0xB1, 0x83, 0xE3, 0x39, -0xDF, 0x04, 0x62, 0x56, 0x44, 0x12, 0xA2, 0x36, 0x28, 0xAA, 0xBC, 0x46, 0xDF, -0x78, 0xFF, 0x27, 0xC5, 0x3A, 0x16, 0xA5, 0x59, 0x63, 0xBF, 0x25, 0x0C, 0x31, -0xAD, 0x90, 0xF5, 0xBB, 0xAA, 0x9C, 0x56, 0x7D, 0x4A, 0xA5, 0x8C, 0x25, 0xAA, -0x9D, 0xB3, 0x44, 0xDB, 0x82, 0xCF, 0x46, 0x10, 0x1F, 0x4E, 0x24, 0xC1, 0x85, -0x6B, 0x6E, 0xD0, 0xC0, 0x66, 0x79, 0x58, 0xB1, 0x86, 0x86, 0xD0, 0xEF, 0xDA, -0xE0, 0xE0, 0x40, 0x61, 0x53, 0xFB, 0x02, 0xB4, 0x57, 0xFD, 0x47, 0xC0, 0xE0, -0x01, 0x9F, 0x4B, 0x51, 0xB1, 0x0B, 0x8C, 0x58, 0x7F, 0x92, 0xA9, 0xFA, 0x9D, -0x74, 0x12, 0x1B, 0xCC, 0x23, 0xF1, 0x21, 0xAE, 0x21, 0x16, 0xEF, 0xE1, 0xF9, -0x78, 0x67, 0xED, 0xDD, 0x31, 0xC1, 0xE0, 0xE6, 0x53, 0xD8, 0x55, 0xCE, 0x04, 
-0x99, 0x50, 0xB9, 0x11, 0x05, 0xDE, 0xD1, 0xD3, 0x2B, 0x9E, 0xF4, 0xB9, 0x8A, -0x95, 0x20, 0x69, 0x5A, 0x96, 0xD2, 0x82, 0x9C, 0x26, 0x60, 0xE0, 0x51, 0x95, -0xA3, 0x74, 0x4F, 0x22, 0x7F, 0x01, 0xCC, 0x80, 0xAB, 0xD5, 0x92, 0xB3, 0xF0, -0x3F, 0xE8, 0x0F, 0xD8, 0x7C, 0x4D, 0xB0, 0x37, 0x55, 0xE7, 0xE2, 0x9A, 0xDC, -0x09, 0x80, 0x01, 0x43, 0x54, 0xDF, 0x57, 0x6D, 0x92, 0x21, 0x81, 0x92, 0xA4, -0x33, 0xEF, 0xDD, 0x59, 0xC6, 0xD3, 0x17, 0x3A, 0xBD, 0x75, 0x7A, 0x91, 0x50, -0xCF, 0x69, 0x97, 0x07, 0x38, 0xFB, 0x9E, 0xCE, 0x3A, 0x78, 0x25, 0xCF, 0x11, -0x5C, 0xD6, 0xC8, 0x53, 0xCF, 0xA6, 0x0E, 0x06, 0xF5, 0xD5, 0x5C, 0x16, 0x26, -0x4F, 0x0E, 0x12, 0x37, 0xEF, 0xD8, 0x7A, 0xFF, 0xCE, 0xA8, 0x8D, 0x44, 0x05, -0x4F, 0x35, 0xC1, 0x87, 0xBB, 0xF1, 0xF8, 0x91, 0x8B, 0x91, 0xD4, 0x96, 0x70, -0x7C, 0x4B, 0x89, 0xA8, 0x07, 0x66, 0x63, 0x7C, 0xD0, 0x1D, 0xBE, 0x4D, 0x03, -0x41, 0x19, 0x8B, 0x67, 0x66, 0xFD, 0xCE, 0xF5, 0xD8, 0x46, 0x13, 0x45, 0x72, -0xA7, 0x47, 0xF0, 0x67, 0xB4, 0x30, 0x58, 0xCE, 0x5B, 0xEA, 0x02, 0x7C, 0xF3, -0xC2, 0xF7, 0xAE, 0x3A, 0x4C, 0x5C, 0x11, 0xAF, 0xC3, 0xB2, 0xA8, 0x1F, 0x2F, -0xD2, 0x1E, 0x8F, 0xF1, 0x70, 0x1B, 0x9D, 0xF0, 0x61, 0x28, 0xF0, 0xBB, 0x64, -0x9C, 0x07, 0x2E, 0xD6, 0xFB, 0xA0, 0xD3, 0x14, 0x16, 0x7E, 0x73, 0x00, 0xD0, -0x28, 0xF5, 0x96, 0x83, 0x18, 0x2F, 0xBC, 0x7E, 0x4D, 0xE1, 0xA4, 0xC2, 0x91, -0x6C, 0xDA, 0xAB, 0xDD, 0xE0, 0xC1, 0x89, 0xD3, 0xE3, 0x5D, 0x17, 0x64, 0x48, -0x23, 0x4F, 0x8C, 0xB4, 0x17, 0x38, 0x6C, 0x25, 0xCF, 0x89, 0x84, 0x56, 0x3E, -0x92, 0x6F, 0xCA, 0xCB, 0xD7, 0xC0, 0x89, 0x05, 0xB0, 0x39, 0x66, 0x16, 0x98, -0x6C, 0xD5, 0xD2, 0x14, 0x7D, 0x85, 0xF5, 0xD0, 0x3A, 0x02, 0x42, 0x25, 0x6B, -0xDB, 0x40, 0xF3, 0xA5, 0x5C, 0x03, 0x6F, 0xA9, 0x6A, 0x98, 0x4F, 0xC4, 0x77, -0x83, 0xED, 0x40, 0x4E, 0x32, 0xB6, 0xE4, 0x6F, 0x5B, 0x13, 0x88, 0x04, 0x3B, -0x0D, 0x6E, 0xC1, 0x67, 0x20, 0xEA, 0x3B, 0x3C, 0xC4, 0x4A, 0xA9, 0x23, 0xE0, -0x41, 0x8A, 0xA8, 0x13, 0x00, 0xB5, 0x8C, 0x37, 0x71, 0x57, 0xD3, 0xED, 0x9F, -0x9A, 0x6C, 0xB7, 0x6C, 
0x5B, 0x46, 0xBD, 0x8A, 0x98, 0x30, 0xA3, 0x34, 0x1F, -0xCA, 0x19, 0x81, 0xE0, 0xFF, 0x4C, 0x08, 0x09, 0x82, 0xBC, 0x0D, 0xDF, 0xB2, -0x57, 0x68, 0x0B, 0x0A, 0xE7, 0xE2, 0x83, 0xD4, 0xD1, 0xA4, 0x62, 0x8F, 0x88, -0xCF, 0x04, 0xDC, 0x11, 0xE9, 0x9B, 0xCD, 0xEC, 0x0B, 0x88, 0x2B, 0x57, 0x9A, -0xF9, 0x71, 0xB8, 0xC3, 0x05, 0x59, 0x35, 0xF2, 0xA9, 0x80, 0xE0, 0x16, 0x22, -0xCA, 0xE0, 0xAE, 0x1B, 0xB5, 0x54, 0x76, 0xC1, 0xBA, 0x32, 0x9B, 0x67, 0x18, -0x86, 0x7C, 0x15, 0xD6, 0x81, 0x1A, 0xDF, 0x83, 0xD0, 0xDD, 0x6B, 0x2F, 0x98, -0x56, 0xB2, 0xBA, 0xFC, 0xA7, 0xD3, 0xE7, 0xAA, 0xE7, 0x3A, 0xC2, 0x50, 0x74, -0x63, 0xE6, 0x72, 0xC3, 0x40, 0x00, 0xF2, 0xDC, 0x06, 0x86, 0x1F, 0xF5, 0xE2, -0xD5, 0x77, 0xF5, 0xFF, 0x87, 0x32, 0x30, 0x61, 0x94, 0xE7, 0x04, 0x68, 0x0E, -0xC4, 0xF9, 0xDA, 0x54, 0x93, 0x32, 0xCE, 0x7D, 0x82, 0x05, 0x9A, 0x25, 0xF2, -0x88, 0x32, 0x64, 0x1A, 0x71, 0x94, 0x50, 0xBC, 0xD0, 0x31, 0xE2, 0x53, 0x61, -0x4A, 0xFF, 0xD4, 0x2E, 0xCE, 0xE0, 0x5B, 0xC4, 0x24, 0xCA, 0x95, 0xE2, 0x75, -0x54, 0xB6, 0xCF, 0x5C, 0xD6, 0x96, 0x0F, 0x1F, 0x60, 0xA2, 0x20, 0x1F, 0x00, -0x3C, 0x2D, 0x0D, 0x89, 0x90, 0xBD, 0x3A, 0xD3, 0xDC, 0x64, 0xB1, 0x61, 0xFB, -0xAA, 0x67, 0x15, 0xB0, 0xCE, 0x18, 0x1B, 0x09, 0xA2, 0x38, 0x31, 0x95, 0x0F, -0x2C, 0x25, 0x80, 0x4B, 0x13, 0xCB, 0xA0, 0xC7, 0xC7, 0xFA, 0xCC, 0x2C, 0x98, -0x66, 0xBE, 0xDC, 0x7B, 0xBB, 0x53, 0x12, 0x33, 0xDF, 0x92, 0x0C, 0x5F, 0x9E, -0xCC, 0x8E, 0x18, 0x23, 0x03, 0x2D, 0x7A, 0x2B, 0x90, 0x71, 0x07, 0x24, 0x95, -0xFE, 0x50, 0x95, 0x6E, 0x95, 0xFF, 0x29, 0x85, 0x7B, 0x44, 0x1C, 0x0A, 0x86, -0x48, 0x9B, 0x6B, 0xEA, 0xA7, 0xF9, 0xBF, 0xE8, 0x84, 0x10, 0xDC, 0x45, 0xC7, -0xFB, 0x2A, 0x39, 0x99, 0x0D, 0xCF, 0x23, 0x88, 0x35, 0x9C, 0x3D, 0xBA, 0x77, -0x7E, 0x8D, 0x4C, 0xA7, 0xB6, 0x41, 0x25, 0x46, 0x9A, 0x8E, 0xFF, 0x74, 0x5E, -0x9E, 0xDB, 0x8F, 0x20, 0xE9, 0xE3, 0x83, 0x84, 0x28, 0x0E, 0x14, 0xFC, 0x52, -0x1A, 0x69, 0xEC, 0x95, 0x5E, 0xBD, 0xFA, 0x05, 0xE4, 0xE5, 0xC7, 0xEB, 0x5F, -0x90, 0x21, 0x9C, 0xD5, 0x6B, 0xF7, 0x31, 0x35, 
0xDA, 0x30, 0x41, 0xB2, 0x7E, -0xAB, 0x43, 0x36, 0x4E, 0x0B, 0x84, 0xDE, 0x43, 0x62, 0x96, 0x81, 0xF8, 0x9B, -0x81, 0x20, 0x06, 0x3B, 0xCA, 0x8E, 0x09, 0xE7, 0x2A, 0x6B, 0x41, 0x0C, 0x42, -0x02, 0x27, 0x41, 0x95, 0x8C, 0x86, 0x91, 0x40, 0xB1, 0xE8, 0x0C, 0x65, 0x6F, -0x23, 0xA5, 0x4A, 0xA9, 0x14, 0x8F, 0x32, 0x36, 0x3A, 0xDC, 0xAE, 0x54, 0x29, -0x13, 0x6B, 0xC0, 0x0D, 0x76, 0x6F, 0x79, 0xC4, 0x0A, 0x87, 0x89, 0xF2, 0xDD, -0xB0, 0xE3, 0xC0, 0x65, 0xC7, 0xE3, 0xBD, 0x17, 0xC4, 0x66, 0x3F, 0x84, 0x0B, -0x3F, 0x7A, 0x50, 0x08, 0x5F, 0x68, 0xE6, 0xC6, 0x37, 0xA7, 0x73, 0xF4, 0x4F, -0x37, 0x05, 0x28, 0x64, 0x0E, 0x36, 0xF8, 0xC2, 0x2F, 0xEA, 0x1D, 0x98, 0xBB, -0xB2, 0xFB, 0xE5, 0x98, 0xAE, 0x5D, 0xF8, 0xE8, 0xDA, 0xA1, 0xB6, 0x43, 0x0C, -0x6D, 0x1C, 0x39, 0x59, 0xE1, 0xBF, 0xEB, 0xA6, 0x4D, 0xBF, 0x12, 0x0E, 0x6E, -0xC4, 0x93, 0x8B, 0x72, 0x54, 0x47, 0xBE, 0xFC, 0x3A, 0x00, 0x7F, 0xD3, 0x57, -0x32, 0xE7, 0x86, 0xF0, 0x96, 0xCC, 0x06, 0x8F, 0x73, 0x9C, 0xE6, 0x8D, 0xD8, -0xB8, 0x24, 0xF9, 0xC0, 0x51, 0x99, 0xB8, 0x35, 0x98, 0x37, 0x32, 0x35, 0x03, -0x5C, 0xDA, 0x91, 0xC9, 0x6A, 0x50, 0xE5, 0xE1, 0xF0, 0xEF, 0xBB, 0x66, 0x27, -0x91, 0x51, 0x57, 0x09, 0xBB, 0x5B, 0xE9, 0x26, 0x8E, 0xB9, 0x75, 0xD9, 0x2E, -0x80, 0xE2, 0xDD, 0x27, 0xDD, 0x5A, 0x1B, 0x4E, 0xCF, 0x17, 0x11, 0x2B, 0x7B, -0xCB, 0xF9, 0xB3, 0xED, 0x07, 0xF3, 0x5A, 0xEE, 0xBF, 0x4B, 0x07, 0x43, 0x73, -0xF8, 0x24, 0x16, 0x67, 0x41, 0xE9, 0x64, 0xB4, 0xE7, 0x05, 0x72, 0x91, 0xF7, -0xCE, 0x38, 0x7D, 0x38, 0xA5, 0x60, 0x95, 0xC1, 0xC7, 0x64, 0x1B, 0xCC, 0xC4, -0x12, 0x32, 0xC3, 0x49, 0x7E, 0xAB, 0x96, 0x1D, 0x2A, 0x3C, 0x60, 0x51, 0xAA, -0x62, 0x86, 0xF3, 0x9F, 0xC6, 0x7F, 0xAB, 0x0F, 0xBB, 0x15, 0x7B, 0xBA, 0x43, -0x26, 0xAE, 0x37, 0x45, 0x5F, 0x39, 0x70, 0xB7, 0x19, 0x2F, 0x02, 0x33, 0xF1, -0x11, 0x4E, 0x78, 0x7D, 0x17, 0x8F, 0xBF, 0xEB, 0x92, 0xCC, 0x2F, 0xCA, 0x87, -0x01, 0xA8, 0xE3, 0xAD, 0x7B, 0x4A, 0x44, 0x0C, 0x75, 0x5A, 0x31, 0xCA, 0xE1, -0xE6, 0x18, 0xD7, 0xC4, 0xA3, 0xBA, 0x7F, 0xB5, 0xBC, 0xFD, 0xA6, 0x9C, 
0xDC, -0x2A, 0xEB, 0x18, 0xDC, 0x88, 0x08, 0x6E, 0x7D, 0x6A, 0x97, 0xB6, 0xCD, 0x53, -0x41, 0x1D, 0xB4, 0xA8, 0xBD, 0xE3, 0x85, 0x29, 0x5F, 0x12, 0x03, 0xB8, 0x09, -0x13, 0x20, 0x6D, 0x68, 0x4F, 0x80, 0x1E, 0xBB, 0x6C, 0xD6, 0x51, 0x8C, 0x46, -0x19, 0x00, 0xBB, 0x90, 0xF9, 0xEA, 0xB0, 0x33, 0xF4, 0x52, 0xCA, 0x19, 0xD6, -0x68, 0xAE, 0x79, 0xE2, 0xC1, 0x39, 0xA9, 0x18, 0xF2, 0x26, 0x71, 0x69, 0xFF, -0xBA, 0x97, 0x28, 0x34, 0x4D, 0x10, 0x01, 0xFB, 0xD7, 0xBA, 0x37, 0x0F, 0xC8, -0xFC, 0x07, 0x7A, 0xCD, 0x1A, 0xDD, 0x92, 0x0D, 0x45, 0x8A, 0x7B, 0x6F, 0x94, -0x00, 0x53, 0x7E, 0xAF, 0xA5, 0x99, 0xB9, 0x7F, 0x00, 0xCD, 0xC7, 0x7C, 0x35, -0xCE, 0x53, 0x64, 0x15, 0xC2, 0x47, 0x7C, 0xD1, 0x12, 0x40, 0xBD, 0xF9, 0x8B, -0xBA, 0x3B, 0x5A, 0x3D, 0xFF, 0x5C, 0x48, 0x3A, 0x7F, 0xEF, 0x5B, 0xA8, 0xFC, -0xD6, 0xEA, 0xFB, 0x49, 0x0B, 0x29, 0x98, 0x5F, 0xCA, 0xBC, 0xC1, 0xD5, 0xA8, -0x15, 0x5B, 0x09, 0xEF, 0xB3, 0x0E, 0x41, 0xDC, 0x4D, 0x22, 0x30, 0xEE, 0xAA, -0xD9, 0xBA, 0x37, 0x43, 0xDE, 0x34, 0xF8, 0xB9, 0x42, 0xE7, 0x65, 0xEC, 0xE6, -0xA3, 0xE1, 0xED, 0x46, 0x46, 0xB4, 0x9F, 0x1C, 0xA0, 0x61, 0x50, 0x8E, 0x8A, -0x61, 0xBC, 0xF1, 0x3A, 0x55, 0xF8, 0xAB, 0xBA, 0x09, 0x5A, 0x4F, 0xB1, 0x38, -0x99, 0x77, 0x0A, 0xF5, 0x5D, 0xF7, 0xA0, 0x29, 0xA5, 0x00, 0x1D, 0x92, 0xC1, -0xA8, 0x4A, 0x73, 0x13, 0xCB, 0x1F, 0x14, 0xB0, 0xDB, 0x64, 0x53, 0xA8, 0x77, -0xB1, 0x80, 0xDF, 0xA7, 0x20, 0x9A, 0xA3, 0xD1, 0x79, 0x4B, 0x75, 0x45, 0x6D, -0xB0, 0xF5, 0xD8, 0x09, 0xE3, 0xB7, 0x7C, 0xC8, 0x1B, 0x56, 0xA2, 0x04, 0x11, -0xFB, 0xAC, 0x2D, 0x55, 0xF3, 0x95, 0x36, 0xF2, 0xAE, 0x6E, 0x9F, 0x10, 0xFE, -0xC0, 0xD5, 0x62, 0x36, 0xA7, 0xA0, 0xC5, 0x05, 0x2F, 0x55, 0x79, 0x59, 0x1B, -0xF4, 0xF6, 0xC3, 0xD2, 0x77, 0x96, 0x35, 0xBF, 0x89, 0x33, 0x45, 0xE9, 0xAB, -0x0A, 0x4B, 0xE1, 0x42, 0x31, 0xAF, 0x38, 0xA2, 0xA9, 0x45, 0xCF, 0x7D, 0x02, -0x88, 0x77, 0x4B, 0xD0, 0x2D, 0x9B, 0x56, 0x6E, 0xC3, 0xB3, 0x61, 0xA8, 0x1F, -0x8B, 0x9C, 0x3F, 0x63, 0xD4, 0x3C, 0x88, 0xA0, 0x7B, 0x90, 0xDB, 0x02, 0x30, -0xC5, 0xE8, 0x68, 
0x82, 0x28, 0x58, 0x40, 0x31, 0xA3, 0x5C, 0xE9, 0xFB, 0x2A, -0xE6, 0x6E, 0x8F, 0x49, 0x5B, 0xF6, 0xAC, 0xB5, 0xBF, 0x30, 0xA8, 0x68, 0x83, -0x5E, 0xB4, 0x26, 0xBF, 0x6D, 0x1F, 0xEC, 0xEB, 0x00, 0xBD, 0x12, 0x0D, 0xB9, -0x80, 0xF1, 0xE7, 0x13, 0x3B, 0xCA, 0x81, 0x98, 0x5C, 0xE8, 0xA1, 0x98, 0xA1, -0x82, 0x26, 0x5F, 0xDD, 0xE0, 0xAE, 0xF8, 0x0C, 0x63, 0x78, 0xA8, 0xC1, 0xF7, -0x20, 0x62, 0x0B, 0xC8, 0xF9, 0xE5, 0x89, 0x43, 0x44, 0x05, 0x56, 0x98, 0xDE, -0xFD, 0x99, 0x25, 0xC0, 0x33, 0xCA, 0x1C, 0xDD, 0xAE, 0x2F, 0xDF, 0x14, 0x7E, -0xE2, 0x75, 0x75, 0xBC, 0x1C, 0x81, 0xF7, 0x21, 0x07, 0x0E, 0x21, 0x4A, 0x41, -0x4F, 0x33, 0xBD, 0x00, 0x5D, 0xBD, 0xF1, 0x79, 0x0C, 0x15, 0x8C, 0x98, 0x06, -0x72, 0xB8, 0xC2, 0xC1, 0x29, 0xFB, 0x7E, 0xE5, 0xF4, 0x04, 0x49, 0x17, 0xFD, -0x4B, 0xE5, 0xC7, 0x03, 0xFA, 0x88, 0x81, 0xBF, 0xDB, 0x10, 0xE2, 0x37, 0x12, -0x9E, 0x63, 0x7D, 0xFA, 0xBC, 0xF6, 0x98, 0x12, 0x23, 0x99, 0x59, 0xE3, 0x30, -0xD0, 0xA8, 0x21, 0x6D, 0x80, 0x2A, 0xF4, 0xB9, 0x6D, 0x71, 0x62, 0x0B, 0xA7, -0x99, 0xB2, 0xA1, 0x60, 0x34, 0xC5, 0x7F, 0xC3, 0x59, 0x78, 0xED, 0xB4, 0xA6, -0x5E, 0xF8, 0xC8, 0x5E, 0xF6, 0x69, 0xCE, 0xA0, 0x98, 0x87, 0x79, 0xDB, 0xB8, -0xA2, 0x3C, 0x94, 0xAC, 0xD1, 0x4C, 0x6C, 0x72, 0x39, 0x17, 0x32, 0x78, 0xA1, -0xDC, 0x1D, 0x03, 0xB2, 0xA1, 0x57, 0x0D, 0x2F, 0xA7, 0xF4, 0x8D, 0xE8, 0x4C, -0x67, 0x95, 0x19, 0x95, 0x55, 0xB9, 0xDE, 0x38, 0xD0, 0x85, 0xDB, 0x15, 0xB8, -0x8C, 0x0F, 0x6A, 0x69, 0x38, 0xF6, 0x8B, 0x75, 0x81, 0x89, 0x7E, 0xF8, 0x3A, -0xF3, 0x27, 0x08, 0xC0, 0x7B, 0x78, 0x3A, 0x73, 0xA5, 0xCB, 0xB0, 0x67, 0xD7, -0xDF, 0x88, 0x84, 0x4A, 0x52, 0xBD, 0x91, 0x74, 0x2C, 0xD1, 0x16, 0x3A, 0xCB, -0x0D, 0x3D, 0x08, 0x3D, 0x4F, 0x58, 0xE6, 0xCB, 0x32, 0x8A, 0x52, 0x86, 0x82, -0x61, 0x00, 0xDE, 0xCA, 0xF3, 0xDE, 0x05, 0xAB, 0x15, 0xAE, 0x13, 0x35, 0x4A, -0xE2, 0x45, 0xD5, 0xC1, 0xB0, 0x1B, 0xFA, 0xD8, 0xAD, 0xF7, 0xD2, 0x9A, 0x53, -0x06, 0x79, 0x15, 0xA6, 0x95, 0xE0, 0x6C, 0xC7, 0xFA, 0x94, 0x81, 0xB4, 0x91, -0x9D, 0x53, 0x89, 0x2D, 0x59, 0x74, 0x9F, 
0x0F, 0xD5, 0x4E, 0xE6, 0xF6, 0x07, -0x62, 0x3B, 0x2C, 0x59, 0xA0, 0x47, 0x52, 0xDF, 0xF4, 0x10, 0xC2, 0xEB, 0x38, -0x86, 0x2F, 0x42, 0x01, 0xC2, 0x8A, 0xCB, 0x20, 0x7B, 0xFC, 0xB8, 0xEA, 0x20, -0x14, 0x69, 0x8B, 0x63, 0x52, 0xA8, 0x13, 0x1D, 0xD4, 0x60, 0x32, 0xF6, 0xDE, -0x75, 0x4D, 0x41, 0xC2, 0xC7, 0xA2, 0x62, 0x6F, 0x04, 0xAF, 0xF9, 0x9E, 0x3D, -0x1C, 0xCB, 0xBB, 0xEC, 0x7A, 0xFD, 0x9C, 0x97, 0x87, 0x40, 0xF1, 0xE7, 0x91, -0xCD, 0x36, 0xD2, 0x64, 0xB1, 0x2B, 0x43, 0xBA, 0x6E, 0xBD, 0x0E, 0x7D, 0xB1, -0x45, 0xA4, 0x0B, 0x84, 0xEB, 0x18, 0x5C, 0x25, 0x8B, 0x9B, 0x62, 0xB3, 0x8C, -0x95, 0xEF, 0x6F, 0x09, 0xE9, 0xF8, 0xE8, 0x18, 0x1A, 0x8A, 0xE2, 0xCC, 0x48, -0xDC, 0xC6, 0xDC, 0x94, 0xB1, 0x24, 0x55, 0x13, 0xB6, 0xD8, 0x16, 0xAB, 0x5F, -0x20, 0x7F, 0x5E, 0x35, 0x1F, 0x5A, 0x56, 0x2C, 0xFF, 0x02, 0x9C, 0xAF, 0x18, -0xF8, 0xBB, 0x60, 0xE1, 0xD4, 0xEF, 0x5E, 0x03, 0x08, 0x07, 0xCD, 0x29, 0x35, -0x7B, 0x9F, 0xEC, 0x35, 0xDB, 0x1D, 0xE1, 0xFD, 0x85, 0xC3, 0xDB, 0xE0, 0x58, -0x1F, 0x39, 0xE9, 0x38, 0xAE, 0x37, 0x18, 0xAF, 0x9C, 0x11, 0x97, 0x97, 0x6B, -0x67, 0x46, 0xC8, 0x68, 0xB7, 0x65, 0x05, 0x20, 0x02, 0x70, 0xDA, 0x6B, 0xC7, -0x34}; + 0x30, 0x82, 0x0A, 0x32, 0x30, 0x0B, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x03, 0x13, 0x03, 0x82, 0x0A, 0x21, 0x00, 0xE4, 0x36, + 0x63, 0x53, 0xA7, 0xE7, 0xDF, 0x51, 0x06, 0x19, 0x34, 0x9F, 0xB5, 0x95, + 0x53, 0x9D, 0xC0, 0x59, 0x21, 0x38, 0x0F, 0x8E, 0x2A, 0xEC, 0x43, 0x5C, + 0x9B, 0x4B, 0xD0, 0xDC, 0x7E, 0xE1, 0x89, 0x77, 0x51, 0xD4, 0x26, 0x46, + 0x8F, 0x25, 0x76, 0xAB, 0x5E, 0x68, 0xFE, 0x45, 0xC6, 0x35, 0xF5, 0xF0, + 0xD0, 0x2D, 0xD2, 0x11, 0xCB, 0x2D, 0x3B, 0x6B, 0xF3, 0x2F, 0x68, 0xD1, + 0xF2, 0xCC, 0x51, 0x9E, 0xE0, 0xC5, 0x1D, 0xFA, 0x2C, 0x55, 0x02, 0xE5, + 0xAB, 0xC6, 0xA2, 0xA9, 0x2C, 0x35, 0xC1, 0x22, 0xDC, 0xFB, 0x9D, 0xDC, + 0x9E, 0x17, 0xCB, 0x7C, 0xEC, 0xB4, 0x7D, 0x1C, 0x40, 0xA6, 0x40, 0x3C, + 0x2B, 0x1C, 0x5B, 0x85, 0x97, 0x31, 0x5D, 0x9E, 0xAD, 0x7C, 0xC9, 0xF1, + 0xBC, 0x99, 0x59, 0x2B, 0xE0, 
0x10, 0x30, 0x58, 0xC6, 0x63, 0xBD, 0xD7, + 0xF1, 0x27, 0x2B, 0x1E, 0xB2, 0xA8, 0x31, 0xD7, 0xD3, 0x2B, 0x85, 0xA7, + 0x59, 0xAF, 0x70, 0x15, 0x66, 0x9E, 0xD2, 0x13, 0xB0, 0x50, 0xBF, 0x59, + 0x08, 0x92, 0x32, 0x07, 0x9C, 0x81, 0xD7, 0x06, 0x55, 0x76, 0xEE, 0x15, + 0x8A, 0xFE, 0xCB, 0x62, 0x58, 0xF7, 0xDF, 0x0F, 0xEB, 0x0A, 0x11, 0x98, + 0xF8, 0x93, 0xD8, 0x96, 0xF5, 0x14, 0x87, 0x40, 0x4F, 0xEC, 0x9A, 0x45, + 0xE2, 0x7A, 0x54, 0x91, 0x0B, 0xDB, 0x39, 0x90, 0x48, 0x5D, 0x1B, 0xE6, + 0x63, 0x2C, 0x47, 0xC2, 0x2C, 0x45, 0x91, 0xDA, 0x52, 0x65, 0x15, 0x54, + 0x35, 0x1A, 0xFF, 0x3E, 0xC9, 0x64, 0xED, 0x48, 0xE6, 0x7C, 0xDB, 0x2C, + 0x72, 0x7B, 0x14, 0xC0, 0x35, 0x5C, 0x14, 0xE8, 0xBB, 0x92, 0xEA, 0xB6, + 0x29, 0x29, 0x8B, 0x8A, 0x4D, 0x95, 0x1F, 0xAE, 0x54, 0x64, 0x07, 0x2D, + 0xAD, 0x3D, 0xA4, 0x20, 0x20, 0xA0, 0x7A, 0x7C, 0xAE, 0x9E, 0xFE, 0x5C, + 0xE8, 0x88, 0x63, 0x41, 0x2C, 0x3A, 0xCB, 0xF0, 0xA0, 0x33, 0x5B, 0x34, + 0xE1, 0xD2, 0x85, 0x31, 0xB7, 0xB9, 0x4A, 0xD3, 0x29, 0x8A, 0x9B, 0x7E, + 0x2E, 0x8E, 0x32, 0x72, 0xEB, 0x85, 0x8C, 0xA6, 0x61, 0x86, 0x36, 0x4A, + 0x23, 0x22, 0xE2, 0xB4, 0x21, 0xF6, 0xD7, 0xCD, 0x40, 0xDB, 0xE1, 0x6E, + 0x37, 0x0B, 0xB7, 0x08, 0x01, 0x17, 0x12, 0xB2, 0x56, 0x9E, 0x6B, 0x17, + 0x2C, 0x31, 0x69, 0x14, 0x33, 0x0D, 0x49, 0x96, 0x44, 0x86, 0x42, 0x0B, + 0xA7, 0x51, 0x67, 0x53, 0x2C, 0x86, 0x39, 0x49, 0xC2, 0x5F, 0x3C, 0xE9, + 0xDF, 0x5F, 0x9C, 0x1F, 0x93, 0xC8, 0x28, 0x5F, 0x41, 0x83, 0xD9, 0x34, + 0x80, 0x77, 0xE3, 0x6C, 0xE9, 0x81, 0xBE, 0x16, 0xC2, 0x6F, 0x85, 0x75, + 0x93, 0x28, 0x15, 0xDB, 0xE1, 0x67, 0xC1, 0x75, 0xDA, 0x9C, 0x80, 0xE2, + 0x8D, 0xA2, 0x29, 0x62, 0x9A, 0xA6, 0x0C, 0x6F, 0xC8, 0xE2, 0xB8, 0x35, + 0x26, 0x7F, 0x27, 0x35, 0xCE, 0xEF, 0x21, 0x43, 0xED, 0xF2, 0x8F, 0x34, + 0x22, 0x0E, 0x2A, 0x0D, 0x63, 0x2B, 0x01, 0x75, 0xB0, 0x95, 0xD2, 0x74, + 0x3F, 0x21, 0x84, 0xE5, 0x23, 0x06, 0x62, 0x47, 0x8E, 0x0B, 0x40, 0xEA, + 0xB8, 0x2F, 0x9C, 0x07, 0xF4, 0xCC, 0xA2, 0xA7, 0x8D, 0x78, 0x17, 0x40, + 0x38, 0x0E, 0xA6, 0x1F, 0x81, 
0xB1, 0x21, 0xF6, 0x10, 0x18, 0x4A, 0xD3, + 0x7B, 0x46, 0x8F, 0x69, 0xE2, 0x78, 0x1B, 0x2E, 0xCF, 0x96, 0xBF, 0x56, + 0xA9, 0x17, 0x8D, 0x97, 0xB5, 0x69, 0x1D, 0xFE, 0xD4, 0x7E, 0xB6, 0x0D, + 0xC1, 0xEA, 0xAC, 0x12, 0xB3, 0xAD, 0xE0, 0xC6, 0xB5, 0xF2, 0x96, 0xE0, + 0x12, 0xD6, 0xF5, 0xB8, 0xF4, 0x86, 0xCC, 0xE4, 0x55, 0xA7, 0x05, 0x6F, + 0xF9, 0x88, 0xD5, 0x36, 0x8D, 0xD6, 0x75, 0x18, 0xCA, 0xD5, 0x28, 0x21, + 0x64, 0x41, 0x1D, 0xC6, 0x38, 0x56, 0x50, 0x96, 0x8E, 0x1A, 0x32, 0xD8, + 0x4A, 0x47, 0x82, 0xFC, 0x67, 0xB2, 0xB5, 0xED, 0xC2, 0x54, 0x46, 0x87, + 0xE3, 0x1F, 0xBB, 0x18, 0xCD, 0xB0, 0x59, 0xA0, 0xBE, 0xA6, 0x4D, 0x4E, + 0x1E, 0x7A, 0x46, 0xE5, 0x77, 0xB2, 0x59, 0xCE, 0x61, 0xEF, 0xA2, 0x0A, + 0xEC, 0x55, 0x8E, 0xB0, 0xD4, 0x3E, 0x1B, 0x25, 0x37, 0x8E, 0xA7, 0xB2, + 0x27, 0xED, 0x00, 0x8C, 0x38, 0x26, 0x5E, 0x9D, 0x20, 0x38, 0x6A, 0xAF, + 0xD2, 0x24, 0x94, 0x31, 0xF5, 0x6E, 0x66, 0x41, 0x2C, 0xFD, 0x77, 0x9C, + 0x2D, 0x73, 0xE5, 0x8E, 0x64, 0xF7, 0x3D, 0xDF, 0x42, 0x37, 0xFE, 0x07, + 0xB6, 0xBC, 0x29, 0x02, 0xD4, 0x90, 0xDA, 0x3F, 0x5E, 0x7F, 0xEC, 0x39, + 0xC7, 0x4D, 0x11, 0x09, 0xBE, 0xA6, 0xF4, 0xBE, 0x4F, 0x14, 0x2C, 0x59, + 0xD5, 0x07, 0xD3, 0x49, 0x81, 0x5D, 0x3B, 0xF9, 0x90, 0xD1, 0x8E, 0xB1, + 0x83, 0xE3, 0x39, 0xDF, 0x04, 0x62, 0x56, 0x44, 0x12, 0xA2, 0x36, 0x28, + 0xAA, 0xBC, 0x46, 0xDF, 0x78, 0xFF, 0x27, 0xC5, 0x3A, 0x16, 0xA5, 0x59, + 0x63, 0xBF, 0x25, 0x0C, 0x31, 0xAD, 0x90, 0xF5, 0xBB, 0xAA, 0x9C, 0x56, + 0x7D, 0x4A, 0xA5, 0x8C, 0x25, 0xAA, 0x9D, 0xB3, 0x44, 0xDB, 0x82, 0xCF, + 0x46, 0x10, 0x1F, 0x4E, 0x24, 0xC1, 0x85, 0x6B, 0x6E, 0xD0, 0xC0, 0x66, + 0x79, 0x58, 0xB1, 0x86, 0x86, 0xD0, 0xEF, 0xDA, 0xE0, 0xE0, 0x40, 0x61, + 0x53, 0xFB, 0x02, 0xB4, 0x57, 0xFD, 0x47, 0xC0, 0xE0, 0x01, 0x9F, 0x4B, + 0x51, 0xB1, 0x0B, 0x8C, 0x58, 0x7F, 0x92, 0xA9, 0xFA, 0x9D, 0x74, 0x12, + 0x1B, 0xCC, 0x23, 0xF1, 0x21, 0xAE, 0x21, 0x16, 0xEF, 0xE1, 0xF9, 0x78, + 0x67, 0xED, 0xDD, 0x31, 0xC1, 0xE0, 0xE6, 0x53, 0xD8, 0x55, 0xCE, 0x04, + 0x99, 0x50, 0xB9, 0x11, 0x05, 
0xDE, 0xD1, 0xD3, 0x2B, 0x9E, 0xF4, 0xB9, + 0x8A, 0x95, 0x20, 0x69, 0x5A, 0x96, 0xD2, 0x82, 0x9C, 0x26, 0x60, 0xE0, + 0x51, 0x95, 0xA3, 0x74, 0x4F, 0x22, 0x7F, 0x01, 0xCC, 0x80, 0xAB, 0xD5, + 0x92, 0xB3, 0xF0, 0x3F, 0xE8, 0x0F, 0xD8, 0x7C, 0x4D, 0xB0, 0x37, 0x55, + 0xE7, 0xE2, 0x9A, 0xDC, 0x09, 0x80, 0x01, 0x43, 0x54, 0xDF, 0x57, 0x6D, + 0x92, 0x21, 0x81, 0x92, 0xA4, 0x33, 0xEF, 0xDD, 0x59, 0xC6, 0xD3, 0x17, + 0x3A, 0xBD, 0x75, 0x7A, 0x91, 0x50, 0xCF, 0x69, 0x97, 0x07, 0x38, 0xFB, + 0x9E, 0xCE, 0x3A, 0x78, 0x25, 0xCF, 0x11, 0x5C, 0xD6, 0xC8, 0x53, 0xCF, + 0xA6, 0x0E, 0x06, 0xF5, 0xD5, 0x5C, 0x16, 0x26, 0x4F, 0x0E, 0x12, 0x37, + 0xEF, 0xD8, 0x7A, 0xFF, 0xCE, 0xA8, 0x8D, 0x44, 0x05, 0x4F, 0x35, 0xC1, + 0x87, 0xBB, 0xF1, 0xF8, 0x91, 0x8B, 0x91, 0xD4, 0x96, 0x70, 0x7C, 0x4B, + 0x89, 0xA8, 0x07, 0x66, 0x63, 0x7C, 0xD0, 0x1D, 0xBE, 0x4D, 0x03, 0x41, + 0x19, 0x8B, 0x67, 0x66, 0xFD, 0xCE, 0xF5, 0xD8, 0x46, 0x13, 0x45, 0x72, + 0xA7, 0x47, 0xF0, 0x67, 0xB4, 0x30, 0x58, 0xCE, 0x5B, 0xEA, 0x02, 0x7C, + 0xF3, 0xC2, 0xF7, 0xAE, 0x3A, 0x4C, 0x5C, 0x11, 0xAF, 0xC3, 0xB2, 0xA8, + 0x1F, 0x2F, 0xD2, 0x1E, 0x8F, 0xF1, 0x70, 0x1B, 0x9D, 0xF0, 0x61, 0x28, + 0xF0, 0xBB, 0x64, 0x9C, 0x07, 0x2E, 0xD6, 0xFB, 0xA0, 0xD3, 0x14, 0x16, + 0x7E, 0x73, 0x00, 0xD0, 0x28, 0xF5, 0x96, 0x83, 0x18, 0x2F, 0xBC, 0x7E, + 0x4D, 0xE1, 0xA4, 0xC2, 0x91, 0x6C, 0xDA, 0xAB, 0xDD, 0xE0, 0xC1, 0x89, + 0xD3, 0xE3, 0x5D, 0x17, 0x64, 0x48, 0x23, 0x4F, 0x8C, 0xB4, 0x17, 0x38, + 0x6C, 0x25, 0xCF, 0x89, 0x84, 0x56, 0x3E, 0x92, 0x6F, 0xCA, 0xCB, 0xD7, + 0xC0, 0x89, 0x05, 0xB0, 0x39, 0x66, 0x16, 0x98, 0x6C, 0xD5, 0xD2, 0x14, + 0x7D, 0x85, 0xF5, 0xD0, 0x3A, 0x02, 0x42, 0x25, 0x6B, 0xDB, 0x40, 0xF3, + 0xA5, 0x5C, 0x03, 0x6F, 0xA9, 0x6A, 0x98, 0x4F, 0xC4, 0x77, 0x83, 0xED, + 0x40, 0x4E, 0x32, 0xB6, 0xE4, 0x6F, 0x5B, 0x13, 0x88, 0x04, 0x3B, 0x0D, + 0x6E, 0xC1, 0x67, 0x20, 0xEA, 0x3B, 0x3C, 0xC4, 0x4A, 0xA9, 0x23, 0xE0, + 0x41, 0x8A, 0xA8, 0x13, 0x00, 0xB5, 0x8C, 0x37, 0x71, 0x57, 0xD3, 0xED, + 0x9F, 0x9A, 0x6C, 0xB7, 0x6C, 
0x5B, 0x46, 0xBD, 0x8A, 0x98, 0x30, 0xA3, + 0x34, 0x1F, 0xCA, 0x19, 0x81, 0xE0, 0xFF, 0x4C, 0x08, 0x09, 0x82, 0xBC, + 0x0D, 0xDF, 0xB2, 0x57, 0x68, 0x0B, 0x0A, 0xE7, 0xE2, 0x83, 0xD4, 0xD1, + 0xA4, 0x62, 0x8F, 0x88, 0xCF, 0x04, 0xDC, 0x11, 0xE9, 0x9B, 0xCD, 0xEC, + 0x0B, 0x88, 0x2B, 0x57, 0x9A, 0xF9, 0x71, 0xB8, 0xC3, 0x05, 0x59, 0x35, + 0xF2, 0xA9, 0x80, 0xE0, 0x16, 0x22, 0xCA, 0xE0, 0xAE, 0x1B, 0xB5, 0x54, + 0x76, 0xC1, 0xBA, 0x32, 0x9B, 0x67, 0x18, 0x86, 0x7C, 0x15, 0xD6, 0x81, + 0x1A, 0xDF, 0x83, 0xD0, 0xDD, 0x6B, 0x2F, 0x98, 0x56, 0xB2, 0xBA, 0xFC, + 0xA7, 0xD3, 0xE7, 0xAA, 0xE7, 0x3A, 0xC2, 0x50, 0x74, 0x63, 0xE6, 0x72, + 0xC3, 0x40, 0x00, 0xF2, 0xDC, 0x06, 0x86, 0x1F, 0xF5, 0xE2, 0xD5, 0x77, + 0xF5, 0xFF, 0x87, 0x32, 0x30, 0x61, 0x94, 0xE7, 0x04, 0x68, 0x0E, 0xC4, + 0xF9, 0xDA, 0x54, 0x93, 0x32, 0xCE, 0x7D, 0x82, 0x05, 0x9A, 0x25, 0xF2, + 0x88, 0x32, 0x64, 0x1A, 0x71, 0x94, 0x50, 0xBC, 0xD0, 0x31, 0xE2, 0x53, + 0x61, 0x4A, 0xFF, 0xD4, 0x2E, 0xCE, 0xE0, 0x5B, 0xC4, 0x24, 0xCA, 0x95, + 0xE2, 0x75, 0x54, 0xB6, 0xCF, 0x5C, 0xD6, 0x96, 0x0F, 0x1F, 0x60, 0xA2, + 0x20, 0x1F, 0x00, 0x3C, 0x2D, 0x0D, 0x89, 0x90, 0xBD, 0x3A, 0xD3, 0xDC, + 0x64, 0xB1, 0x61, 0xFB, 0xAA, 0x67, 0x15, 0xB0, 0xCE, 0x18, 0x1B, 0x09, + 0xA2, 0x38, 0x31, 0x95, 0x0F, 0x2C, 0x25, 0x80, 0x4B, 0x13, 0xCB, 0xA0, + 0xC7, 0xC7, 0xFA, 0xCC, 0x2C, 0x98, 0x66, 0xBE, 0xDC, 0x7B, 0xBB, 0x53, + 0x12, 0x33, 0xDF, 0x92, 0x0C, 0x5F, 0x9E, 0xCC, 0x8E, 0x18, 0x23, 0x03, + 0x2D, 0x7A, 0x2B, 0x90, 0x71, 0x07, 0x24, 0x95, 0xFE, 0x50, 0x95, 0x6E, + 0x95, 0xFF, 0x29, 0x85, 0x7B, 0x44, 0x1C, 0x0A, 0x86, 0x48, 0x9B, 0x6B, + 0xEA, 0xA7, 0xF9, 0xBF, 0xE8, 0x84, 0x10, 0xDC, 0x45, 0xC7, 0xFB, 0x2A, + 0x39, 0x99, 0x0D, 0xCF, 0x23, 0x88, 0x35, 0x9C, 0x3D, 0xBA, 0x77, 0x7E, + 0x8D, 0x4C, 0xA7, 0xB6, 0x41, 0x25, 0x46, 0x9A, 0x8E, 0xFF, 0x74, 0x5E, + 0x9E, 0xDB, 0x8F, 0x20, 0xE9, 0xE3, 0x83, 0x84, 0x28, 0x0E, 0x14, 0xFC, + 0x52, 0x1A, 0x69, 0xEC, 0x95, 0x5E, 0xBD, 0xFA, 0x05, 0xE4, 0xE5, 0xC7, + 0xEB, 0x5F, 0x90, 0x21, 0x9C, 
0xD5, 0x6B, 0xF7, 0x31, 0x35, 0xDA, 0x30, + 0x41, 0xB2, 0x7E, 0xAB, 0x43, 0x36, 0x4E, 0x0B, 0x84, 0xDE, 0x43, 0x62, + 0x96, 0x81, 0xF8, 0x9B, 0x81, 0x20, 0x06, 0x3B, 0xCA, 0x8E, 0x09, 0xE7, + 0x2A, 0x6B, 0x41, 0x0C, 0x42, 0x02, 0x27, 0x41, 0x95, 0x8C, 0x86, 0x91, + 0x40, 0xB1, 0xE8, 0x0C, 0x65, 0x6F, 0x23, 0xA5, 0x4A, 0xA9, 0x14, 0x8F, + 0x32, 0x36, 0x3A, 0xDC, 0xAE, 0x54, 0x29, 0x13, 0x6B, 0xC0, 0x0D, 0x76, + 0x6F, 0x79, 0xC4, 0x0A, 0x87, 0x89, 0xF2, 0xDD, 0xB0, 0xE3, 0xC0, 0x65, + 0xC7, 0xE3, 0xBD, 0x17, 0xC4, 0x66, 0x3F, 0x84, 0x0B, 0x3F, 0x7A, 0x50, + 0x08, 0x5F, 0x68, 0xE6, 0xC6, 0x37, 0xA7, 0x73, 0xF4, 0x4F, 0x37, 0x05, + 0x28, 0x64, 0x0E, 0x36, 0xF8, 0xC2, 0x2F, 0xEA, 0x1D, 0x98, 0xBB, 0xB2, + 0xFB, 0xE5, 0x98, 0xAE, 0x5D, 0xF8, 0xE8, 0xDA, 0xA1, 0xB6, 0x43, 0x0C, + 0x6D, 0x1C, 0x39, 0x59, 0xE1, 0xBF, 0xEB, 0xA6, 0x4D, 0xBF, 0x12, 0x0E, + 0x6E, 0xC4, 0x93, 0x8B, 0x72, 0x54, 0x47, 0xBE, 0xFC, 0x3A, 0x00, 0x7F, + 0xD3, 0x57, 0x32, 0xE7, 0x86, 0xF0, 0x96, 0xCC, 0x06, 0x8F, 0x73, 0x9C, + 0xE6, 0x8D, 0xD8, 0xB8, 0x24, 0xF9, 0xC0, 0x51, 0x99, 0xB8, 0x35, 0x98, + 0x37, 0x32, 0x35, 0x03, 0x5C, 0xDA, 0x91, 0xC9, 0x6A, 0x50, 0xE5, 0xE1, + 0xF0, 0xEF, 0xBB, 0x66, 0x27, 0x91, 0x51, 0x57, 0x09, 0xBB, 0x5B, 0xE9, + 0x26, 0x8E, 0xB9, 0x75, 0xD9, 0x2E, 0x80, 0xE2, 0xDD, 0x27, 0xDD, 0x5A, + 0x1B, 0x4E, 0xCF, 0x17, 0x11, 0x2B, 0x7B, 0xCB, 0xF9, 0xB3, 0xED, 0x07, + 0xF3, 0x5A, 0xEE, 0xBF, 0x4B, 0x07, 0x43, 0x73, 0xF8, 0x24, 0x16, 0x67, + 0x41, 0xE9, 0x64, 0xB4, 0xE7, 0x05, 0x72, 0x91, 0xF7, 0xCE, 0x38, 0x7D, + 0x38, 0xA5, 0x60, 0x95, 0xC1, 0xC7, 0x64, 0x1B, 0xCC, 0xC4, 0x12, 0x32, + 0xC3, 0x49, 0x7E, 0xAB, 0x96, 0x1D, 0x2A, 0x3C, 0x60, 0x51, 0xAA, 0x62, + 0x86, 0xF3, 0x9F, 0xC6, 0x7F, 0xAB, 0x0F, 0xBB, 0x15, 0x7B, 0xBA, 0x43, + 0x26, 0xAE, 0x37, 0x45, 0x5F, 0x39, 0x70, 0xB7, 0x19, 0x2F, 0x02, 0x33, + 0xF1, 0x11, 0x4E, 0x78, 0x7D, 0x17, 0x8F, 0xBF, 0xEB, 0x92, 0xCC, 0x2F, + 0xCA, 0x87, 0x01, 0xA8, 0xE3, 0xAD, 0x7B, 0x4A, 0x44, 0x0C, 0x75, 0x5A, + 0x31, 0xCA, 0xE1, 0xE6, 0x18, 
0xD7, 0xC4, 0xA3, 0xBA, 0x7F, 0xB5, 0xBC, + 0xFD, 0xA6, 0x9C, 0xDC, 0x2A, 0xEB, 0x18, 0xDC, 0x88, 0x08, 0x6E, 0x7D, + 0x6A, 0x97, 0xB6, 0xCD, 0x53, 0x41, 0x1D, 0xB4, 0xA8, 0xBD, 0xE3, 0x85, + 0x29, 0x5F, 0x12, 0x03, 0xB8, 0x09, 0x13, 0x20, 0x6D, 0x68, 0x4F, 0x80, + 0x1E, 0xBB, 0x6C, 0xD6, 0x51, 0x8C, 0x46, 0x19, 0x00, 0xBB, 0x90, 0xF9, + 0xEA, 0xB0, 0x33, 0xF4, 0x52, 0xCA, 0x19, 0xD6, 0x68, 0xAE, 0x79, 0xE2, + 0xC1, 0x39, 0xA9, 0x18, 0xF2, 0x26, 0x71, 0x69, 0xFF, 0xBA, 0x97, 0x28, + 0x34, 0x4D, 0x10, 0x01, 0xFB, 0xD7, 0xBA, 0x37, 0x0F, 0xC8, 0xFC, 0x07, + 0x7A, 0xCD, 0x1A, 0xDD, 0x92, 0x0D, 0x45, 0x8A, 0x7B, 0x6F, 0x94, 0x00, + 0x53, 0x7E, 0xAF, 0xA5, 0x99, 0xB9, 0x7F, 0x00, 0xCD, 0xC7, 0x7C, 0x35, + 0xCE, 0x53, 0x64, 0x15, 0xC2, 0x47, 0x7C, 0xD1, 0x12, 0x40, 0xBD, 0xF9, + 0x8B, 0xBA, 0x3B, 0x5A, 0x3D, 0xFF, 0x5C, 0x48, 0x3A, 0x7F, 0xEF, 0x5B, + 0xA8, 0xFC, 0xD6, 0xEA, 0xFB, 0x49, 0x0B, 0x29, 0x98, 0x5F, 0xCA, 0xBC, + 0xC1, 0xD5, 0xA8, 0x15, 0x5B, 0x09, 0xEF, 0xB3, 0x0E, 0x41, 0xDC, 0x4D, + 0x22, 0x30, 0xEE, 0xAA, 0xD9, 0xBA, 0x37, 0x43, 0xDE, 0x34, 0xF8, 0xB9, + 0x42, 0xE7, 0x65, 0xEC, 0xE6, 0xA3, 0xE1, 0xED, 0x46, 0x46, 0xB4, 0x9F, + 0x1C, 0xA0, 0x61, 0x50, 0x8E, 0x8A, 0x61, 0xBC, 0xF1, 0x3A, 0x55, 0xF8, + 0xAB, 0xBA, 0x09, 0x5A, 0x4F, 0xB1, 0x38, 0x99, 0x77, 0x0A, 0xF5, 0x5D, + 0xF7, 0xA0, 0x29, 0xA5, 0x00, 0x1D, 0x92, 0xC1, 0xA8, 0x4A, 0x73, 0x13, + 0xCB, 0x1F, 0x14, 0xB0, 0xDB, 0x64, 0x53, 0xA8, 0x77, 0xB1, 0x80, 0xDF, + 0xA7, 0x20, 0x9A, 0xA3, 0xD1, 0x79, 0x4B, 0x75, 0x45, 0x6D, 0xB0, 0xF5, + 0xD8, 0x09, 0xE3, 0xB7, 0x7C, 0xC8, 0x1B, 0x56, 0xA2, 0x04, 0x11, 0xFB, + 0xAC, 0x2D, 0x55, 0xF3, 0x95, 0x36, 0xF2, 0xAE, 0x6E, 0x9F, 0x10, 0xFE, + 0xC0, 0xD5, 0x62, 0x36, 0xA7, 0xA0, 0xC5, 0x05, 0x2F, 0x55, 0x79, 0x59, + 0x1B, 0xF4, 0xF6, 0xC3, 0xD2, 0x77, 0x96, 0x35, 0xBF, 0x89, 0x33, 0x45, + 0xE9, 0xAB, 0x0A, 0x4B, 0xE1, 0x42, 0x31, 0xAF, 0x38, 0xA2, 0xA9, 0x45, + 0xCF, 0x7D, 0x02, 0x88, 0x77, 0x4B, 0xD0, 0x2D, 0x9B, 0x56, 0x6E, 0xC3, + 0xB3, 0x61, 0xA8, 0x1F, 0x8B, 
0x9C, 0x3F, 0x63, 0xD4, 0x3C, 0x88, 0xA0, + 0x7B, 0x90, 0xDB, 0x02, 0x30, 0xC5, 0xE8, 0x68, 0x82, 0x28, 0x58, 0x40, + 0x31, 0xA3, 0x5C, 0xE9, 0xFB, 0x2A, 0xE6, 0x6E, 0x8F, 0x49, 0x5B, 0xF6, + 0xAC, 0xB5, 0xBF, 0x30, 0xA8, 0x68, 0x83, 0x5E, 0xB4, 0x26, 0xBF, 0x6D, + 0x1F, 0xEC, 0xEB, 0x00, 0xBD, 0x12, 0x0D, 0xB9, 0x80, 0xF1, 0xE7, 0x13, + 0x3B, 0xCA, 0x81, 0x98, 0x5C, 0xE8, 0xA1, 0x98, 0xA1, 0x82, 0x26, 0x5F, + 0xDD, 0xE0, 0xAE, 0xF8, 0x0C, 0x63, 0x78, 0xA8, 0xC1, 0xF7, 0x20, 0x62, + 0x0B, 0xC8, 0xF9, 0xE5, 0x89, 0x43, 0x44, 0x05, 0x56, 0x98, 0xDE, 0xFD, + 0x99, 0x25, 0xC0, 0x33, 0xCA, 0x1C, 0xDD, 0xAE, 0x2F, 0xDF, 0x14, 0x7E, + 0xE2, 0x75, 0x75, 0xBC, 0x1C, 0x81, 0xF7, 0x21, 0x07, 0x0E, 0x21, 0x4A, + 0x41, 0x4F, 0x33, 0xBD, 0x00, 0x5D, 0xBD, 0xF1, 0x79, 0x0C, 0x15, 0x8C, + 0x98, 0x06, 0x72, 0xB8, 0xC2, 0xC1, 0x29, 0xFB, 0x7E, 0xE5, 0xF4, 0x04, + 0x49, 0x17, 0xFD, 0x4B, 0xE5, 0xC7, 0x03, 0xFA, 0x88, 0x81, 0xBF, 0xDB, + 0x10, 0xE2, 0x37, 0x12, 0x9E, 0x63, 0x7D, 0xFA, 0xBC, 0xF6, 0x98, 0x12, + 0x23, 0x99, 0x59, 0xE3, 0x30, 0xD0, 0xA8, 0x21, 0x6D, 0x80, 0x2A, 0xF4, + 0xB9, 0x6D, 0x71, 0x62, 0x0B, 0xA7, 0x99, 0xB2, 0xA1, 0x60, 0x34, 0xC5, + 0x7F, 0xC3, 0x59, 0x78, 0xED, 0xB4, 0xA6, 0x5E, 0xF8, 0xC8, 0x5E, 0xF6, + 0x69, 0xCE, 0xA0, 0x98, 0x87, 0x79, 0xDB, 0xB8, 0xA2, 0x3C, 0x94, 0xAC, + 0xD1, 0x4C, 0x6C, 0x72, 0x39, 0x17, 0x32, 0x78, 0xA1, 0xDC, 0x1D, 0x03, + 0xB2, 0xA1, 0x57, 0x0D, 0x2F, 0xA7, 0xF4, 0x8D, 0xE8, 0x4C, 0x67, 0x95, + 0x19, 0x95, 0x55, 0xB9, 0xDE, 0x38, 0xD0, 0x85, 0xDB, 0x15, 0xB8, 0x8C, + 0x0F, 0x6A, 0x69, 0x38, 0xF6, 0x8B, 0x75, 0x81, 0x89, 0x7E, 0xF8, 0x3A, + 0xF3, 0x27, 0x08, 0xC0, 0x7B, 0x78, 0x3A, 0x73, 0xA5, 0xCB, 0xB0, 0x67, + 0xD7, 0xDF, 0x88, 0x84, 0x4A, 0x52, 0xBD, 0x91, 0x74, 0x2C, 0xD1, 0x16, + 0x3A, 0xCB, 0x0D, 0x3D, 0x08, 0x3D, 0x4F, 0x58, 0xE6, 0xCB, 0x32, 0x8A, + 0x52, 0x86, 0x82, 0x61, 0x00, 0xDE, 0xCA, 0xF3, 0xDE, 0x05, 0xAB, 0x15, + 0xAE, 0x13, 0x35, 0x4A, 0xE2, 0x45, 0xD5, 0xC1, 0xB0, 0x1B, 0xFA, 0xD8, + 0xAD, 0xF7, 0xD2, 0x9A, 0x53, 
0x06, 0x79, 0x15, 0xA6, 0x95, 0xE0, 0x6C, + 0xC7, 0xFA, 0x94, 0x81, 0xB4, 0x91, 0x9D, 0x53, 0x89, 0x2D, 0x59, 0x74, + 0x9F, 0x0F, 0xD5, 0x4E, 0xE6, 0xF6, 0x07, 0x62, 0x3B, 0x2C, 0x59, 0xA0, + 0x47, 0x52, 0xDF, 0xF4, 0x10, 0xC2, 0xEB, 0x38, 0x86, 0x2F, 0x42, 0x01, + 0xC2, 0x8A, 0xCB, 0x20, 0x7B, 0xFC, 0xB8, 0xEA, 0x20, 0x14, 0x69, 0x8B, + 0x63, 0x52, 0xA8, 0x13, 0x1D, 0xD4, 0x60, 0x32, 0xF6, 0xDE, 0x75, 0x4D, + 0x41, 0xC2, 0xC7, 0xA2, 0x62, 0x6F, 0x04, 0xAF, 0xF9, 0x9E, 0x3D, 0x1C, + 0xCB, 0xBB, 0xEC, 0x7A, 0xFD, 0x9C, 0x97, 0x87, 0x40, 0xF1, 0xE7, 0x91, + 0xCD, 0x36, 0xD2, 0x64, 0xB1, 0x2B, 0x43, 0xBA, 0x6E, 0xBD, 0x0E, 0x7D, + 0xB1, 0x45, 0xA4, 0x0B, 0x84, 0xEB, 0x18, 0x5C, 0x25, 0x8B, 0x9B, 0x62, + 0xB3, 0x8C, 0x95, 0xEF, 0x6F, 0x09, 0xE9, 0xF8, 0xE8, 0x18, 0x1A, 0x8A, + 0xE2, 0xCC, 0x48, 0xDC, 0xC6, 0xDC, 0x94, 0xB1, 0x24, 0x55, 0x13, 0xB6, + 0xD8, 0x16, 0xAB, 0x5F, 0x20, 0x7F, 0x5E, 0x35, 0x1F, 0x5A, 0x56, 0x2C, + 0xFF, 0x02, 0x9C, 0xAF, 0x18, 0xF8, 0xBB, 0x60, 0xE1, 0xD4, 0xEF, 0x5E, + 0x03, 0x08, 0x07, 0xCD, 0x29, 0x35, 0x7B, 0x9F, 0xEC, 0x35, 0xDB, 0x1D, + 0xE1, 0xFD, 0x85, 0xC3, 0xDB, 0xE0, 0x58, 0x1F, 0x39, 0xE9, 0x38, 0xAE, + 0x37, 0x18, 0xAF, 0x9C, 0x11, 0x97, 0x97, 0x6B, 0x67, 0x46, 0xC8, 0x68, + 0xB7, 0x65, 0x05, 0x20, 0x02, 0x70, 0xDA, 0x6B, 0xC7, 0x34}; // https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/06/ // C.2. 
Example Public Key const char *mldsa_44_pub_pem_str = -"-----BEGIN PUBLIC KEY-----\n" -"MIIFMjALBglghkgBZQMEAxEDggUhANeytHJUquDbReeTDUqY0sl9jxOX0Xidr6Fw\n" -"JLMW6b7JT8mUbULxm3mnQTu6oz5xSctC7VEVaTrAQfrLmIretf4OHYYxGEmVtZLD\n" -"l9IpTi4U+QqkFLo4JomaxD9MzKy8JumoMrlRGNXLQzy++WYLABOOCBf2HnYsonTD\n" -"atVU6yKqwRYuSrAay6HjjE79j4C2WzM9D3LlXf5xzpweu5iJ58VhBsD9c4A6Kuz+\n" -"r97XqjyyztpU0SvYzTanjPl1lDtHq9JeiArEUuV0LtHo0agq+oblkMdYwVrk0oQN\n" -"kryhpQkPQElll/yn2LlRPxob2m6VCqqY3kZ1B9Sk9aTwWZIWWCw1cvYu2okFqzWB\n" -"ZwxKAnd6M+DKcpX9j0/20aCjp2g9ZfX19/xg2gI+gmxfkhRMAvfRuhB1mHVT6pNn\n" -"/NdtmQt/qZzUWv24g21D5Fn1GH3wWEeXCaAepoNZNfpwRgmQzT3BukAbqUurHd5B\n" -"rGerMxncrKBgSNTE7vJ+4TqcF9BTj0MPLWQtwkFWYN54h32NirxyUjl4wELkKF9D\n" -"GYRsRBJiQpdoRMEOVWuiFbWnGeWdDGsqltOYWQcf3MLN51JKe+2uVOhbMY6FTo/i\n" -"svPt+slxkSgnCq/R5QRMOk/a/Z/zH5B4S46ORZYUSg2vWGUR09mWK56pWvGXtOX8\n" -"YPKx7RXeOlvvX4m9x52RBR2bKBbnT6VFMe/cHL501EiFf0drzVjyHAtlOzt2pOB2\n" -"plWaMCcYVVzGP3SFmqurkl8COGHKjND3utsocfZ9VTJtdFETWtRfShumkRj7ssij\n" -"DuyTku8/l3Bmya3VxxDMZHsVFNIX2VjHAXw+kP0gwE5nS5BIbpNwoxoAHTL0c5ee\n" -"SQZ0nn5Hf6C3RQj4pfI3gxK4PCW9OIygsP/3R4uvQrcWZ+2qyXxGsSlkPlhuWwVa\n" -"DCEZRtTzbmdb7Vhg+gQqMV2YJhZNapI3w1pfv0lUkKW9TfJIuVxKrneEtgVnMWas\n" -"QkW1tLCCoJ6TI+YvIHjFt2eDRG3v1zatOjcC1JsImESQCmGDM5e8RBmzDXqXoLOH\n" -"wZEUdMTUG1PjKpd6y28Op122W7OeWecB52lX3vby1EVZwxp3EitSBOO1whnxaIsU\n" -"7QvAuAGz5ugtzUPpwOn0F0TNmBW9G8iCDYuxI/BPrNGxtoXdWisbjbvz7ZM2cPCV\n" -"oYC08ZLQixC4+rvfzCskUY4y7qCl4MkEyoRHgAg/OwzS0Li2r2e8NVuUlAJdx7Cn\n" -"j6gOOi2/61EyiFHWB4GY6Uk2Ua54fsAlH5Irow6fUd9iptcnhM890gU5MXbfoySl\n" -"Er2Ulwo23TSlFKhnkfDrNvAUWwmrZGUbSgMTsplhGiocSIkWJ1mHaKMRQGC6RENI\n" -"bfUVIqHOiLMJhcIW+ObtF43VZ7MEoNTK+6iCooNC8XqaomrljbYwCD0sNY/fVmw/\n" -"XWKkKFZ7yeqM6VyqDzVHSwv6jzOaJQq0388gg76O77wQVeGP4VNw7ssmBWbYP/Br\n" -"IRquxDyim1TM0A+IFaJGXvC0ZRXMfkHzEk8J7/9zkwmrWLKaFFmgC85QOOk4yWeP\n" -"cusOTuX9quZtn4Vz/Jf8QrSVn0v4th14Qz6GsDNdbpGRxNi/SHs5BcEIz9asJLDO\n" -"t9y3z1H4TQ7Wh7lerrHFM8BvDZcCPZKnCCWDe1m6bLfU5WsKh8IDhiro8xW6WSXo\n" 
-"7e+meTaaIgJ2YVHxapZfn4Hs52zAcLVYaeTbl4TPBcgwsyQsgxI=\n" -"-----END PUBLIC KEY-----\n"; + "-----BEGIN PUBLIC KEY-----\n" + "MIIFMjALBglghkgBZQMEAxEDggUhANeytHJUquDbReeTDUqY0sl9jxOX0Xidr6Fw\n" + "JLMW6b7JT8mUbULxm3mnQTu6oz5xSctC7VEVaTrAQfrLmIretf4OHYYxGEmVtZLD\n" + "l9IpTi4U+QqkFLo4JomaxD9MzKy8JumoMrlRGNXLQzy++WYLABOOCBf2HnYsonTD\n" + "atVU6yKqwRYuSrAay6HjjE79j4C2WzM9D3LlXf5xzpweu5iJ58VhBsD9c4A6Kuz+\n" + "r97XqjyyztpU0SvYzTanjPl1lDtHq9JeiArEUuV0LtHo0agq+oblkMdYwVrk0oQN\n" + "kryhpQkPQElll/yn2LlRPxob2m6VCqqY3kZ1B9Sk9aTwWZIWWCw1cvYu2okFqzWB\n" + "ZwxKAnd6M+DKcpX9j0/20aCjp2g9ZfX19/xg2gI+gmxfkhRMAvfRuhB1mHVT6pNn\n" + "/NdtmQt/qZzUWv24g21D5Fn1GH3wWEeXCaAepoNZNfpwRgmQzT3BukAbqUurHd5B\n" + "rGerMxncrKBgSNTE7vJ+4TqcF9BTj0MPLWQtwkFWYN54h32NirxyUjl4wELkKF9D\n" + "GYRsRBJiQpdoRMEOVWuiFbWnGeWdDGsqltOYWQcf3MLN51JKe+2uVOhbMY6FTo/i\n" + "svPt+slxkSgnCq/R5QRMOk/a/Z/zH5B4S46ORZYUSg2vWGUR09mWK56pWvGXtOX8\n" + "YPKx7RXeOlvvX4m9x52RBR2bKBbnT6VFMe/cHL501EiFf0drzVjyHAtlOzt2pOB2\n" + "plWaMCcYVVzGP3SFmqurkl8COGHKjND3utsocfZ9VTJtdFETWtRfShumkRj7ssij\n" + "DuyTku8/l3Bmya3VxxDMZHsVFNIX2VjHAXw+kP0gwE5nS5BIbpNwoxoAHTL0c5ee\n" + "SQZ0nn5Hf6C3RQj4pfI3gxK4PCW9OIygsP/3R4uvQrcWZ+2qyXxGsSlkPlhuWwVa\n" + "DCEZRtTzbmdb7Vhg+gQqMV2YJhZNapI3w1pfv0lUkKW9TfJIuVxKrneEtgVnMWas\n" + "QkW1tLCCoJ6TI+YvIHjFt2eDRG3v1zatOjcC1JsImESQCmGDM5e8RBmzDXqXoLOH\n" + "wZEUdMTUG1PjKpd6y28Op122W7OeWecB52lX3vby1EVZwxp3EitSBOO1whnxaIsU\n" + "7QvAuAGz5ugtzUPpwOn0F0TNmBW9G8iCDYuxI/BPrNGxtoXdWisbjbvz7ZM2cPCV\n" + "oYC08ZLQixC4+rvfzCskUY4y7qCl4MkEyoRHgAg/OwzS0Li2r2e8NVuUlAJdx7Cn\n" + "j6gOOi2/61EyiFHWB4GY6Uk2Ua54fsAlH5Irow6fUd9iptcnhM890gU5MXbfoySl\n" + "Er2Ulwo23TSlFKhnkfDrNvAUWwmrZGUbSgMTsplhGiocSIkWJ1mHaKMRQGC6RENI\n" + "bfUVIqHOiLMJhcIW+ObtF43VZ7MEoNTK+6iCooNC8XqaomrljbYwCD0sNY/fVmw/\n" + "XWKkKFZ7yeqM6VyqDzVHSwv6jzOaJQq0388gg76O77wQVeGP4VNw7ssmBWbYP/Br\n" + "IRquxDyim1TM0A+IFaJGXvC0ZRXMfkHzEk8J7/9zkwmrWLKaFFmgC85QOOk4yWeP\n" + "cusOTuX9quZtn4Vz/Jf8QrSVn0v4th14Qz6GsDNdbpGRxNi/SHs5BcEIz9asJLDO\n" + 
"t9y3z1H4TQ7Wh7lerrHFM8BvDZcCPZKnCCWDe1m6bLfU5WsKh8IDhiro8xW6WSXo\n" + "7e+meTaaIgJ2YVHxapZfn4Hs52zAcLVYaeTbl4TPBcgwsyQsgxI=\n" + "-----END PUBLIC KEY-----\n"; const char *mldsa_65_pub_pem_str = -"-----BEGIN PUBLIC KEY-----\n" -"MIIHsjALBglghkgBZQMEAxIDggehAEhoPZGXjjHrPd24sEc0gtK4il9iWUn9j1il\n" -"YeaWvUwn0Fs427Lt8B5mTv2Bvh6ok2iM5oqi1RxZWPi7xutOie5n0sAyCVTVchLK\n" -"xyKf8dbq8DkovVFRH42I2EdzbH3icw1ZeOVBBxMWCXiGdxG/VTmgv8TDUMK+Vyuv\n" -"DuLi+xbM/qCAKNmaxJrrt1k33c4RHNq2L/886ouiIz0eVvvFxaHnJt5j+t0q8Bax\n" -"GRd/o9lxotkncXP85VtndFrwt8IdWX2+uT5qMvNBxJpai+noJQiNHyqkUVXWyK4V\n" -"Nn5OsAO4/feFEHGUlzn5//CQI+r0UQTSqEpFkG7tRnGkTcKNJ5h7tV32np6FYfYa\n" -"gKcmmVA4Zf7Zt+5yqOF6GcQIFE9LKa/vcDHDpthXFhC0LJ9CEkWojxl+FoErAxFZ\n" -"tluWh+Wz6TTFIlrpinm6c9Kzmdc1EO/60Z5TuEUPC6j84QEv2Y0mCnSqqhP64kmg\n" -"BrHDT1uguILyY3giL7NvIoPCQ/D/618btBSgpw1V49QKVrbLyIrh8Dt7KILZje6i\n" -"jhRcne39jq8c7y7ZSosFD4lk9G0eoNDCpD4N2mGCrb9PbtF1tnQiV4Wb8i86QX7P\n" -"H52JMXteU51YevFrnhMT4EUU/6ZLqLP/K4Mh+IEcs/sCLI9kTnCkuAovv+5gSrtz\n" -"eQkeqObFx038AoNma0DAeThwAoIEoTa/XalWjreY00kDi9sMEeA0ReeEfLUGnHXP\n" -"KKxgHHeZ2VghDdvLIm5Rr++fHeR7Bzhz1tP5dFa+3ghQgudKKYss1I9LMJMVXzZs\n" -"j6YBxq+FjfoywISRsqKYh/kDNZSaXW7apnmIKjqV1r9tlwoiH0udPYy/OEr4GqyV\n" -"4rMpTgR4msg3J6XcBFWflq9B2KBTUW/u7rxSdG62qygZ4JEIcQ2DXwEfpjBlhyrT\n" -"NNXN/7KyMQUH6S/Jk64xfal/TzCc2vD2ftmdkCFVdgg4SflTskbX/ts/22dnmFCl\n" -"rUBOZBR/t89Pau3dBa+0uDSWjR/ogBSWDc5dlCI2Um4SpHjWnl++aXAxCzCMBoRQ\n" -"GM/HsqtDChOmsax7sCzMuz2RGsLxEGhhP74Cm/3OAs9c04lQ7XLIOUTt+8dWFa+H\n" -"+GTAUfPFVFbFQShjpAwG0dq1Yr3/BXG408ORe70wCIC7pemYI5uV+pG31kFtTzmL\n" -"OtvNMJg+01krTZ731CNv0A9Q2YqlOiNaxBcnIPd9lhcmcpgM/o/3pacCeD7cK6Mb\n" -"IlkBWhEvx/RoqcL5RkA5AC0w72eLTLeYvBFiFr96mnwYugO3tY/QdRXTEVBJ02FL\n" -"56B+dEMAdQ3x0sWHUziQWer8PXhczdMcB2SL7cA6XDuK1G0GTVnBPVc3Ryn8TilT\n" -"YuKlGRIEUwQovBUir6KP9f4WVeMEylvIwnrQ4MajndTfKJVsFLOMyTaCzv5AK71e\n" -"gtKcRk5E6103tI/FaN/gzG6OFrrqBeUTVZDxkpTnPoNnsCFtu4FQMLneVZE/CAOc\n" -"QjUcWeVRXdWvjgiaFeYl6Pbe5jk4bEZJfXomMoh3TeWBp96WKbQbRCQUH5ePuDMS\n" 
-"CO/ew8bg3jm8VwY/Pc1sRwNzwIiR6inLx8xtZIO4iJCDrOhqp7UbHCz+birRjZfO\n" -"NvvFbqQvrpfmp6wRSGRHjDZt8eux57EakJhQT9WXW98fSdxwACtjwXOanSY/utQH\n" -"P2qfbCuK9LTDMqEDoM/6Xe6y0GLKPCFf02ACa+fFFk9KRCTvdJSIBNZvRkh3Msgg\n" -"LHlUeGR7TqcdYnwIYCTMo1SkHwh3s48Zs3dK0glcjaU7Bp4hx2ri0gB+FnGe1ACA\n" -"0zT32lLp9aWZBDnK8IOpW4M/Aq0QoIwabQ8mDAByhb1KL0dwOlrvRlKH0lOxisIl\n" -"FDFiEP9WaBSxD4eik9bxmdPDlZmQ0MEmi09Q1fn877vyN70MKLgBgtZll0HxTxC/\n" -"uyG7oSq2IKojlvVsBoa06pAXmQIkIWsv6K12xKkUju+ahqNjWmqne8Hc+2+6Wad9\n" -"/am3Uw3AyoZIyNlzc44Burjwi0kF6EqkZBvWAkEM2XUgJl8vIx8rNeFesvoE0r2U\n" -"1ad6uvHg4WEBCpkAh/W0bqmIsrwFEv2g+pI9rdbEXFMB0JSDZzJltasuEPS6Ug9r\n" -"utVkpcPV4nvbCA99IOEylqMYGVTDnGSclD6+F99cH3quCo/hJsR3WFpdTWSKDQCL\n" -"avXozTG+aakpbU8/0l7YbyIeS5P2X1kplnUzYkuSNXUMMHB1ULWFNtEJpxMcWlu+\n" -"SlcVVnwSU0rsdmB2Huu5+uKJHHdFibgOVmrVV93vc2cZa3In6phw7wnd/seda5MZ\n" -"poebUgXXa/erpazzOvtZ0X/FTmg4PWvloI6bZtpT3N4Ai7KUuFgr0TLNzEmVn9vC\n" -"HlJyGIDIrQNSx58DpDu9hMTN/cbFKQBeHnzZo0mnFoo1Vpul3qgYlo1akUZr1uZO\n" -"IL9iQXGYr8ToHCjdd+1AKCMjmLUvvehryE9HW5AWcQziqrwRoGtNuskB7BbPNlyj\n" -"8tU4E5SKaToPk+ecRspdWm3KPSjKUK0YvRP8pVBZ3ZsYX3n5xHGWpOgbIQS8RgoF\n" -"HgLy6ERP\n" -"-----END PUBLIC KEY-----\n"; + "-----BEGIN PUBLIC KEY-----\n" + "MIIHsjALBglghkgBZQMEAxIDggehAEhoPZGXjjHrPd24sEc0gtK4il9iWUn9j1il\n" + "YeaWvUwn0Fs427Lt8B5mTv2Bvh6ok2iM5oqi1RxZWPi7xutOie5n0sAyCVTVchLK\n" + "xyKf8dbq8DkovVFRH42I2EdzbH3icw1ZeOVBBxMWCXiGdxG/VTmgv8TDUMK+Vyuv\n" + "DuLi+xbM/qCAKNmaxJrrt1k33c4RHNq2L/886ouiIz0eVvvFxaHnJt5j+t0q8Bax\n" + "GRd/o9lxotkncXP85VtndFrwt8IdWX2+uT5qMvNBxJpai+noJQiNHyqkUVXWyK4V\n" + "Nn5OsAO4/feFEHGUlzn5//CQI+r0UQTSqEpFkG7tRnGkTcKNJ5h7tV32np6FYfYa\n" + "gKcmmVA4Zf7Zt+5yqOF6GcQIFE9LKa/vcDHDpthXFhC0LJ9CEkWojxl+FoErAxFZ\n" + "tluWh+Wz6TTFIlrpinm6c9Kzmdc1EO/60Z5TuEUPC6j84QEv2Y0mCnSqqhP64kmg\n" + "BrHDT1uguILyY3giL7NvIoPCQ/D/618btBSgpw1V49QKVrbLyIrh8Dt7KILZje6i\n" + "jhRcne39jq8c7y7ZSosFD4lk9G0eoNDCpD4N2mGCrb9PbtF1tnQiV4Wb8i86QX7P\n" + "H52JMXteU51YevFrnhMT4EUU/6ZLqLP/K4Mh+IEcs/sCLI9kTnCkuAovv+5gSrtz\n" + 
"eQkeqObFx038AoNma0DAeThwAoIEoTa/XalWjreY00kDi9sMEeA0ReeEfLUGnHXP\n" + "KKxgHHeZ2VghDdvLIm5Rr++fHeR7Bzhz1tP5dFa+3ghQgudKKYss1I9LMJMVXzZs\n" + "j6YBxq+FjfoywISRsqKYh/kDNZSaXW7apnmIKjqV1r9tlwoiH0udPYy/OEr4GqyV\n" + "4rMpTgR4msg3J6XcBFWflq9B2KBTUW/u7rxSdG62qygZ4JEIcQ2DXwEfpjBlhyrT\n" + "NNXN/7KyMQUH6S/Jk64xfal/TzCc2vD2ftmdkCFVdgg4SflTskbX/ts/22dnmFCl\n" + "rUBOZBR/t89Pau3dBa+0uDSWjR/ogBSWDc5dlCI2Um4SpHjWnl++aXAxCzCMBoRQ\n" + "GM/HsqtDChOmsax7sCzMuz2RGsLxEGhhP74Cm/3OAs9c04lQ7XLIOUTt+8dWFa+H\n" + "+GTAUfPFVFbFQShjpAwG0dq1Yr3/BXG408ORe70wCIC7pemYI5uV+pG31kFtTzmL\n" + "OtvNMJg+01krTZ731CNv0A9Q2YqlOiNaxBcnIPd9lhcmcpgM/o/3pacCeD7cK6Mb\n" + "IlkBWhEvx/RoqcL5RkA5AC0w72eLTLeYvBFiFr96mnwYugO3tY/QdRXTEVBJ02FL\n" + "56B+dEMAdQ3x0sWHUziQWer8PXhczdMcB2SL7cA6XDuK1G0GTVnBPVc3Ryn8TilT\n" + "YuKlGRIEUwQovBUir6KP9f4WVeMEylvIwnrQ4MajndTfKJVsFLOMyTaCzv5AK71e\n" + "gtKcRk5E6103tI/FaN/gzG6OFrrqBeUTVZDxkpTnPoNnsCFtu4FQMLneVZE/CAOc\n" + "QjUcWeVRXdWvjgiaFeYl6Pbe5jk4bEZJfXomMoh3TeWBp96WKbQbRCQUH5ePuDMS\n" + "CO/ew8bg3jm8VwY/Pc1sRwNzwIiR6inLx8xtZIO4iJCDrOhqp7UbHCz+birRjZfO\n" + "NvvFbqQvrpfmp6wRSGRHjDZt8eux57EakJhQT9WXW98fSdxwACtjwXOanSY/utQH\n" + "P2qfbCuK9LTDMqEDoM/6Xe6y0GLKPCFf02ACa+fFFk9KRCTvdJSIBNZvRkh3Msgg\n" + "LHlUeGR7TqcdYnwIYCTMo1SkHwh3s48Zs3dK0glcjaU7Bp4hx2ri0gB+FnGe1ACA\n" + "0zT32lLp9aWZBDnK8IOpW4M/Aq0QoIwabQ8mDAByhb1KL0dwOlrvRlKH0lOxisIl\n" + "FDFiEP9WaBSxD4eik9bxmdPDlZmQ0MEmi09Q1fn877vyN70MKLgBgtZll0HxTxC/\n" + "uyG7oSq2IKojlvVsBoa06pAXmQIkIWsv6K12xKkUju+ahqNjWmqne8Hc+2+6Wad9\n" + "/am3Uw3AyoZIyNlzc44Burjwi0kF6EqkZBvWAkEM2XUgJl8vIx8rNeFesvoE0r2U\n" + "1ad6uvHg4WEBCpkAh/W0bqmIsrwFEv2g+pI9rdbEXFMB0JSDZzJltasuEPS6Ug9r\n" + "utVkpcPV4nvbCA99IOEylqMYGVTDnGSclD6+F99cH3quCo/hJsR3WFpdTWSKDQCL\n" + "avXozTG+aakpbU8/0l7YbyIeS5P2X1kplnUzYkuSNXUMMHB1ULWFNtEJpxMcWlu+\n" + "SlcVVnwSU0rsdmB2Huu5+uKJHHdFibgOVmrVV93vc2cZa3In6phw7wnd/seda5MZ\n" + "poebUgXXa/erpazzOvtZ0X/FTmg4PWvloI6bZtpT3N4Ai7KUuFgr0TLNzEmVn9vC\n" + "HlJyGIDIrQNSx58DpDu9hMTN/cbFKQBeHnzZo0mnFoo1Vpul3qgYlo1akUZr1uZO\n" + 
"IL9iQXGYr8ToHCjdd+1AKCMjmLUvvehryE9HW5AWcQziqrwRoGtNuskB7BbPNlyj\n" + "8tU4E5SKaToPk+ecRspdWm3KPSjKUK0YvRP8pVBZ3ZsYX3n5xHGWpOgbIQS8RgoF\n" + "HgLy6ERP\n" + "-----END PUBLIC KEY-----\n"; const char *mldsa_87_pub_pem_str = -"-----BEGIN PUBLIC KEY-----\n" -"MIIKMjALBglghkgBZQMEAxMDggohAJeSvOwvJDBoaoL8zzwvX/Zl53HXq0G5AljP\n" -"p+kOyXEkpzsyO5uiGrZNdnxDP1pSHv/hj4bkahiJUsRGfgSLcp5/xNEV5+SNoYlt\n" -"X+EZsQ3N3vYssweVQHS0IzblKDbeYdqUH4036misgQb6vhkHBnmvYAhTcSD3B5O4\n" -"6pzA5ue3tMmlx0IcYPJEUboekz2xou4Wx5VZ8hs9G4MFhQqkKvuxPx9NW59INfnY\n" -"ffzrFi0O9Kf9xMuhdDzRyHu0ln2hbMh2S2Vp347lvcv/6aTgV0jm/fIlr55O63dz\n" -"ti6Phfm1a1SJRVUYRPvYmAakrDab7S0lYQD2iKatXgpwmCbcREnpHiPFUG5kI2Hv\n" -"WjE3EvebxLMYaGHKhaS6sX5/lD0bijM6o6584WtEDWAY+eBNr1clx/GpP60aWie2\n" -"eJW9JJqpFoXeIK8yyLfiaMf5aHfQyFABE1pPCo8bgmT6br5aNJ2K7K0aFimczy/Z\n" -"x7hbrOLO06oSdrph7njtflyltnzdRYqTVAMOaru6v1agojFv7J26g7UdQv0xZ/Hg\n" -"+QhV1cZlCbIQJl3B5U7ES0O6fPmu8Ri0TYCRLOdRZqZlHhFs6+SSKacGLAmTH3Gr\n" -"0ik/dvfvwyFbqXgAA35Y5HC9u7Q8GwQ56vecVNk7RKrJ7+n74VGHTPsqZMvuKMxM\n" -"D+d3Xl2HDxwC5bLjxQBMmV8kybd5y3U6J30Ocf1CXra8LKVs4SnbUfcHQPMeY5dr\n" -"UMcxLpeX14xbGsJKX6NHzJFuCoP1w7Z1zTC4Hj+hC5NETgc5dXHM6Yso2lHbkFa8\n" -"coxbCxGB4vvTh7THmrGl/v7ONxZ693LdrRTrTDmC2lpZ0OnrFz7GMVCRFwAno6te\n" -"9qoSnLhYVye5NYooUB1xOnLz8dsxcUKG+bZAgBOvBgRddVkvwLfdR8c+2cdbEenX\n" -"xp98rfwygKkGLFJzxDvhw0+HRIhkzqe1yX1tMvWb1fJThGU7tcT6pFvqi4lAKEPm\n" -"Rba5Jp4r2YjdrLAzMo/7BgRQ998IAFPmlpslHodezsMs/FkoQNaatpp14Gs3nFNd\n" -"lSZrCC9PCckxYrM7DZ9zB6TqqlIQRDf+1m+O4+q71F1nslqBM/SWRotSuv/b+tk+\n" -"7xqYGLXkLscieIo9jTUp/Hd9K6VwgB364B7IgwKDfB+54DVXJ2Re4QRsP5Ffaugt\n" -"rU+2sDVqRlGP/INBVcO0/m2vpsyKXM9TxzoISdjUT33PcnVOcOG337RHu070nRpx\n" -"j2Fxu84gCVDgzpJhBrFRo+hx1c5JcxvWZQqbDKly2hxfE21Egg6mODwI87OEzyM4\n" -"54nFE/YYzFaUpvDO4QRRHh7XxfI6Hr/YoNuEJFUyQBVtv2IoMbDGQ9HFUbbz96mN\n" -"KbhcLeBaZfphXu4WSVvZBzdnIRW1PpHF2QAozz8ak5U6FT3lO0QITpzP9rc2aTkm\n" -"2u/rstd6pa1om5LzFoZmnfFtFxXMWPeiz7ct0aUekvglmTp0Aivn6etgVGVEVwlN\n" 
-"FJKPICFeeyIqxWtRrb7I2L22mDl5p+OiG0S10VGMqX0LUZX1HtaiQ1DIl0fh7epR\n" -"tEjj6RRwVM6SeHPJDbOU2GiI4H3/F3WT1veeFSMCIErrA74jhq8+JAeL0CixaJ9e\n" -"FHyfRSyM6wLsWcydtjoDV2zur+mCOQI4l9oCNmMKU8Def0NaGYaXkvqzbnueY1dg\n" -"8JBp5kMucAA1rCoCh5//Ch4b7FIgRxk9lOtd8e/VPuoRRMp4lAhS9eyXJ5BLNm7e\n" -"T14tMx+tX8KC6ixH6SMUJ3HD3XWoc1dIfe+Z5fGOnZ7WI8F10CiIxR+CwHqA1UcW\n" -"s8PCvb4unwqbuq6+tNUpNodkBvXADo5LvQpewFeX5iB8WrbIjxpohCG9BaEU9Nfe\n" -"KsJB+g6L7f9H92Ldy+qpEAT40x6FCVyBBUmUrTgm40S6lgQIEPwLKtHeSM+t4ALG\n" -"LlpJoHMas4NEvBY23xa/YH1WhV5W1oQAPHGOS62eWgmZefzd7rHEp3ds03o0F8sO\n" -"GE4p75vA6HR1umY74J4Aq1Yut8D3Fl+WmptCQUGYzPG/8qLI1omkFOznZiknZlaJ\n" -"6U25YeuuxWFcvBp4lcaFGslhQy/xEY1GB9Mu+dxzLVEzO+S00OMN3qeE7Ki+R+dB\n" -"vpwZYx3EcKUu9NwTpPNjP9Q014fBcJd7QX31mOHQ3eUGu3HW8LwX7HDjsDzcGWXL\n" -"Npk/YzsEcuUNCSOsbGb98dPmRZzBIfD1+U0J6dvPXWkOIyM4OKC6y3xjjRsmUKQw\n" -"jNFxtoVRJtHaZypu2FqNeMKG+1b0qz0hSXUoBFxjJiyKQq8vmALFO3u4vijnj+C1\n" -"zkX7t6GvGjsoqNlLeJDjyILjm8mOnwrXYCW/DdLwApjnFBoiaz187kFPYE0eC6VN\n" -"EdX+WLzOpq13rS6MHKrPMkWQFLe5EAGx76itFypSP7jjZbV3Ehv5/Yiixgwh6CHX\n" -"tqy0elqZXkDKztXCI7j+beXhjp0uWJOu/rt6rn/xoUYmDi8RDpOVKCE6ACWjjsea\n" -"q8hhsl68UJpGdMEyqqy34BRvFO/RHPyvTKpPd1pxbOMl4KQ1pNNJ1yC88TdFCvxF\n" -"BG/Bofg6nTKXd6cITkqtrnEizpcAWTBSjrPH9/ESmzcoh6NxFVo7ogGiXL8dy2Tn\n" -"ze4JLDFB+1VQ/j0N2C6HDleLK0ZQCBgRO49laXc8Z3OFtppCt33Lp6z/2V/URS4j\n" -"qqHTfh2iFR6mWNQKNZayesn4Ep3GzwZDdyYktZ9PRhIw30ccomCHw5QtXGaH32CC\n" -"g1k1o/h8t2Kww7HQ3aSmUzllvvG3uCkuJUwBTQkP7YV8RMGDnGlMCmTj+tkKEfU0\n" -"citu4VdPLhSdVddE3kiHAk4IURQxwGJ1DhbHSrnzJC8ts/+xKo1hB/qiKdb2NzsH\n" -"8205MrO9sEwZ3WTq3X+Tw8Vkw1ihyB3PHJwx5bBlaPl1RMF9wVaYxcs4mDqa/EJ4\n" -"P6p3OlLJ2CYGkL6eMVaqW8FQneo/aVh2lc1v8XK6g+am2KfWu+u7zaNnJzGYP4m8\n" -"WDHcN8PzxcVvrMaX88sgvV2629cC5UhErC9iaQH+FZ25Pf1Hc9j+c1YrhGwfyFbR\n" -"gCdihA68cteYi951y8pw0xnTLODMAlO7KtRVcj7gx/RzbObmZlxayjKkgcU4Obwl\n" -"kWewE9BCM5Xuuaqu4yBhSafVUNZ/xf3+SopcNdJRC2ZDeauPcoVaKvR6vOKmMgSO\n" -"r4nly0qI3rxTpZUQOszk8c/xis/wev4etXFqoeQLYxNMOjrpV5+of1Fb4JPC0p22\n" 
-"1rZck2YeAGNrWScE0JPMZxbCNC6xhT1IyFxjrIooVEYse3fn470erFvKKP+qALXT\n" -"SfilR62HW5aowrKRDJMBMJo/kTilaTER9Vs8AJypR8Od/ILZjrHKpKnL6IX3hvqG\n" -"5VvgYiIvi6kKl0BzMmsxISrs4KNKYA==\n" -"-----END PUBLIC KEY-----\n"; + "-----BEGIN PUBLIC KEY-----\n" + "MIIKMjALBglghkgBZQMEAxMDggohAJeSvOwvJDBoaoL8zzwvX/Zl53HXq0G5AljP\n" + "p+kOyXEkpzsyO5uiGrZNdnxDP1pSHv/hj4bkahiJUsRGfgSLcp5/xNEV5+SNoYlt\n" + "X+EZsQ3N3vYssweVQHS0IzblKDbeYdqUH4036misgQb6vhkHBnmvYAhTcSD3B5O4\n" + "6pzA5ue3tMmlx0IcYPJEUboekz2xou4Wx5VZ8hs9G4MFhQqkKvuxPx9NW59INfnY\n" + "ffzrFi0O9Kf9xMuhdDzRyHu0ln2hbMh2S2Vp347lvcv/6aTgV0jm/fIlr55O63dz\n" + "ti6Phfm1a1SJRVUYRPvYmAakrDab7S0lYQD2iKatXgpwmCbcREnpHiPFUG5kI2Hv\n" + "WjE3EvebxLMYaGHKhaS6sX5/lD0bijM6o6584WtEDWAY+eBNr1clx/GpP60aWie2\n" + "eJW9JJqpFoXeIK8yyLfiaMf5aHfQyFABE1pPCo8bgmT6br5aNJ2K7K0aFimczy/Z\n" + "x7hbrOLO06oSdrph7njtflyltnzdRYqTVAMOaru6v1agojFv7J26g7UdQv0xZ/Hg\n" + "+QhV1cZlCbIQJl3B5U7ES0O6fPmu8Ri0TYCRLOdRZqZlHhFs6+SSKacGLAmTH3Gr\n" + "0ik/dvfvwyFbqXgAA35Y5HC9u7Q8GwQ56vecVNk7RKrJ7+n74VGHTPsqZMvuKMxM\n" + "D+d3Xl2HDxwC5bLjxQBMmV8kybd5y3U6J30Ocf1CXra8LKVs4SnbUfcHQPMeY5dr\n" + "UMcxLpeX14xbGsJKX6NHzJFuCoP1w7Z1zTC4Hj+hC5NETgc5dXHM6Yso2lHbkFa8\n" + "coxbCxGB4vvTh7THmrGl/v7ONxZ693LdrRTrTDmC2lpZ0OnrFz7GMVCRFwAno6te\n" + "9qoSnLhYVye5NYooUB1xOnLz8dsxcUKG+bZAgBOvBgRddVkvwLfdR8c+2cdbEenX\n" + "xp98rfwygKkGLFJzxDvhw0+HRIhkzqe1yX1tMvWb1fJThGU7tcT6pFvqi4lAKEPm\n" + "Rba5Jp4r2YjdrLAzMo/7BgRQ998IAFPmlpslHodezsMs/FkoQNaatpp14Gs3nFNd\n" + "lSZrCC9PCckxYrM7DZ9zB6TqqlIQRDf+1m+O4+q71F1nslqBM/SWRotSuv/b+tk+\n" + "7xqYGLXkLscieIo9jTUp/Hd9K6VwgB364B7IgwKDfB+54DVXJ2Re4QRsP5Ffaugt\n" + "rU+2sDVqRlGP/INBVcO0/m2vpsyKXM9TxzoISdjUT33PcnVOcOG337RHu070nRpx\n" + "j2Fxu84gCVDgzpJhBrFRo+hx1c5JcxvWZQqbDKly2hxfE21Egg6mODwI87OEzyM4\n" + "54nFE/YYzFaUpvDO4QRRHh7XxfI6Hr/YoNuEJFUyQBVtv2IoMbDGQ9HFUbbz96mN\n" + "KbhcLeBaZfphXu4WSVvZBzdnIRW1PpHF2QAozz8ak5U6FT3lO0QITpzP9rc2aTkm\n" + "2u/rstd6pa1om5LzFoZmnfFtFxXMWPeiz7ct0aUekvglmTp0Aivn6etgVGVEVwlN\n" + 
"FJKPICFeeyIqxWtRrb7I2L22mDl5p+OiG0S10VGMqX0LUZX1HtaiQ1DIl0fh7epR\n" + "tEjj6RRwVM6SeHPJDbOU2GiI4H3/F3WT1veeFSMCIErrA74jhq8+JAeL0CixaJ9e\n" + "FHyfRSyM6wLsWcydtjoDV2zur+mCOQI4l9oCNmMKU8Def0NaGYaXkvqzbnueY1dg\n" + "8JBp5kMucAA1rCoCh5//Ch4b7FIgRxk9lOtd8e/VPuoRRMp4lAhS9eyXJ5BLNm7e\n" + "T14tMx+tX8KC6ixH6SMUJ3HD3XWoc1dIfe+Z5fGOnZ7WI8F10CiIxR+CwHqA1UcW\n" + "s8PCvb4unwqbuq6+tNUpNodkBvXADo5LvQpewFeX5iB8WrbIjxpohCG9BaEU9Nfe\n" + "KsJB+g6L7f9H92Ldy+qpEAT40x6FCVyBBUmUrTgm40S6lgQIEPwLKtHeSM+t4ALG\n" + "LlpJoHMas4NEvBY23xa/YH1WhV5W1oQAPHGOS62eWgmZefzd7rHEp3ds03o0F8sO\n" + "GE4p75vA6HR1umY74J4Aq1Yut8D3Fl+WmptCQUGYzPG/8qLI1omkFOznZiknZlaJ\n" + "6U25YeuuxWFcvBp4lcaFGslhQy/xEY1GB9Mu+dxzLVEzO+S00OMN3qeE7Ki+R+dB\n" + "vpwZYx3EcKUu9NwTpPNjP9Q014fBcJd7QX31mOHQ3eUGu3HW8LwX7HDjsDzcGWXL\n" + "Npk/YzsEcuUNCSOsbGb98dPmRZzBIfD1+U0J6dvPXWkOIyM4OKC6y3xjjRsmUKQw\n" + "jNFxtoVRJtHaZypu2FqNeMKG+1b0qz0hSXUoBFxjJiyKQq8vmALFO3u4vijnj+C1\n" + "zkX7t6GvGjsoqNlLeJDjyILjm8mOnwrXYCW/DdLwApjnFBoiaz187kFPYE0eC6VN\n" + "EdX+WLzOpq13rS6MHKrPMkWQFLe5EAGx76itFypSP7jjZbV3Ehv5/Yiixgwh6CHX\n" + "tqy0elqZXkDKztXCI7j+beXhjp0uWJOu/rt6rn/xoUYmDi8RDpOVKCE6ACWjjsea\n" + "q8hhsl68UJpGdMEyqqy34BRvFO/RHPyvTKpPd1pxbOMl4KQ1pNNJ1yC88TdFCvxF\n" + "BG/Bofg6nTKXd6cITkqtrnEizpcAWTBSjrPH9/ESmzcoh6NxFVo7ogGiXL8dy2Tn\n" + "ze4JLDFB+1VQ/j0N2C6HDleLK0ZQCBgRO49laXc8Z3OFtppCt33Lp6z/2V/URS4j\n" + "qqHTfh2iFR6mWNQKNZayesn4Ep3GzwZDdyYktZ9PRhIw30ccomCHw5QtXGaH32CC\n" + "g1k1o/h8t2Kww7HQ3aSmUzllvvG3uCkuJUwBTQkP7YV8RMGDnGlMCmTj+tkKEfU0\n" + "citu4VdPLhSdVddE3kiHAk4IURQxwGJ1DhbHSrnzJC8ts/+xKo1hB/qiKdb2NzsH\n" + "8205MrO9sEwZ3WTq3X+Tw8Vkw1ihyB3PHJwx5bBlaPl1RMF9wVaYxcs4mDqa/EJ4\n" + "P6p3OlLJ2CYGkL6eMVaqW8FQneo/aVh2lc1v8XK6g+am2KfWu+u7zaNnJzGYP4m8\n" + "WDHcN8PzxcVvrMaX88sgvV2629cC5UhErC9iaQH+FZ25Pf1Hc9j+c1YrhGwfyFbR\n" + "gCdihA68cteYi951y8pw0xnTLODMAlO7KtRVcj7gx/RzbObmZlxayjKkgcU4Obwl\n" + "kWewE9BCM5Xuuaqu4yBhSafVUNZ/xf3+SopcNdJRC2ZDeauPcoVaKvR6vOKmMgSO\n" + "r4nly0qI3rxTpZUQOszk8c/xis/wev4etXFqoeQLYxNMOjrpV5+of1Fb4JPC0p22\n" + 
"1rZck2YeAGNrWScE0JPMZxbCNC6xhT1IyFxjrIooVEYse3fn470erFvKKP+qALXT\n" + "SfilR62HW5aowrKRDJMBMJo/kTilaTER9Vs8AJypR8Od/ILZjrHKpKnL6IX3hvqG\n" + "5VvgYiIvi6kKl0BzMmsxISrs4KNKYA==\n" + "-----END PUBLIC KEY-----\n"; // https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/06/ // C.1. Example Private Key const char *mldsa_44_priv_pem_str = -"-----BEGIN PRIVATE KEY-----\n" -"MDICAQAwCwYJYIZIAWUDBAMRBCAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRob\n" -"HB0eHw==\n" -"-----END PRIVATE KEY-----\n"; + "-----BEGIN PRIVATE KEY-----\n" + "MDICAQAwCwYJYIZIAWUDBAMRBCAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRob\n" + "HB0eHw==\n" + "-----END PRIVATE KEY-----\n"; const char *mldsa_65_priv_pem_str = -"-----BEGIN PRIVATE KEY-----\n" -"MDICAQAwCwYJYIZIAWUDBAMSBCAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRob\n" -"HB0eHw==\n" -"-----END PRIVATE KEY-----\n"; + "-----BEGIN PRIVATE KEY-----\n" + "MDICAQAwCwYJYIZIAWUDBAMSBCAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRob\n" + "HB0eHw==\n" + "-----END PRIVATE KEY-----\n"; const char *mldsa_87_priv_pem_str = -"-----BEGIN PRIVATE KEY-----\n" -"MDICAQAwCwYJYIZIAWUDBAMTBCAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRob\n" -"HB0eHw==\n" -"-----END PRIVATE KEY-----\n"; + "-----BEGIN PRIVATE KEY-----\n" + "MDICAQAwCwYJYIZIAWUDBAMTBCAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRob\n" + "HB0eHw==\n" + "-----END PRIVATE KEY-----\n"; struct PQDSATestVector { const char name[20]; 
@@ -1120,101 +1195,76 @@ struct PQDSATestVector { int (*keygen)(uint8_t *public_key, uint8_t *private_key, const uint8_t *seed); - int (*sign)(const uint8_t *private_key, - uint8_t *sig, size_t *sig_len, - const uint8_t *message, size_t message_len, - const uint8_t *pre, size_t pre_len, - const uint8_t *rnd); + int (*sign)(const uint8_t *private_key, uint8_t *sig, size_t *sig_len, + const uint8_t *message, size_t message_len, const uint8_t *pre, + size_t pre_len, const uint8_t *rnd); - int (*verify)(const uint8_t *public_key, - const uint8_t *sig, size_t sig_len, - const uint8_t *message, size_t message_len, - const uint8_t *pre, size_t pre_len); + int (*verify)(const uint8_t *public_key, const uint8_t *sig, size_t sig_len, + const uint8_t *message, size_t message_len, const uint8_t *pre, + size_t pre_len); int (*pack_key)(uint8_t *public_key, const uint8_t *private_key); }; -#define CMP_VEC_AND_PTR(vec, ptr, len) \ - { \ - std::vector tmp(len); \ - tmp.assign(ptr, ptr + len); \ - EXPECT_EQ(Bytes(vec), Bytes(tmp)); \ - } +#define CMP_VEC_AND_PTR(vec, ptr, len) \ + { \ + std::vector tmp(len); \ + tmp.assign(ptr, ptr + len); \ + EXPECT_EQ(Bytes(vec), Bytes(tmp)); \ + } #define CMP_VEC_AND_PKEY_PUBLIC(vec, pkey, len) \ -CMP_VEC_AND_PTR(vec, pkey->pkey.pqdsa_key->public_key, len) + CMP_VEC_AND_PTR(vec, pkey->pkey.pqdsa_key->public_key, len) #define CMP_VEC_AND_PKEY_SECRET(vec, pkey, len) \ -CMP_VEC_AND_PTR(vec, pkey->pkey.pqdsa_key->private_key, len) + CMP_VEC_AND_PTR(vec, pkey->pkey.pqdsa_key->private_key, len) -#define GET_ERR_AND_CHECK_REASON(reason) \ - { \ - uint32_t err = ERR_get_error(); \ - EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); \ - EXPECT_EQ(reason, ERR_GET_REASON(err)); \ - } +#define GET_ERR_AND_CHECK_REASON(reason) \ + { \ + uint32_t err = ERR_get_error(); \ + EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err)); \ + EXPECT_EQ(reason, ERR_GET_REASON(err)); \ + } static const struct PQDSATestVector parameterSet[] = { - { - "MLDSA44", - NID_MLDSA44, - 1312, - 2560, - 
2420, - "ml_dsa/kat/MLDSA_44_hedged_pure.txt", - mldsa44kPublicKey, - mldsa44kPublicKeySPKI, - 1334, - mldsa_44_pub_pem_str, - mldsa_44_priv_pem_str, - ml_dsa_44_keypair_internal, - ml_dsa_44_sign_internal, - ml_dsa_44_verify_internal, - ml_dsa_44_pack_pk_from_sk, - }, - { - "MLDSA65", - NID_MLDSA65, - 1952, - 4032, - 3309, - "ml_dsa/kat/MLDSA_65_hedged_pure.txt", - mldsa65kPublicKey, - mldsa65kPublicKeySPKI, - 1974, - mldsa_65_pub_pem_str, - mldsa_65_priv_pem_str, - ml_dsa_65_keypair_internal, - ml_dsa_65_sign_internal, - ml_dsa_65_verify_internal, - ml_dsa_65_pack_pk_from_sk - }, - { - "MLDSA87", - NID_MLDSA87, - 2592, - 4896, - 4627, - "ml_dsa/kat/MLDSA_87_hedged_pure.txt", - mldsa87kPublicKey, - mldsa87kPublicKeySPKI, - 2614, - mldsa_87_pub_pem_str, - mldsa_87_priv_pem_str, - ml_dsa_87_keypair_internal, - ml_dsa_87_sign_internal, - ml_dsa_87_verify_internal, - ml_dsa_87_pack_pk_from_sk - }, + { + "MLDSA44", + NID_MLDSA44, + 1312, + 2560, + 2420, + "ml_dsa/kat/MLDSA_44_hedged_pure.txt", + mldsa44kPublicKey, + mldsa44kPublicKeySPKI, + 1334, + mldsa_44_pub_pem_str, + mldsa_44_priv_pem_str, + ml_dsa_44_keypair_internal, + ml_dsa_44_sign_internal, + ml_dsa_44_verify_internal, + ml_dsa_44_pack_pk_from_sk, + }, + {"MLDSA65", NID_MLDSA65, 1952, 4032, 3309, + "ml_dsa/kat/MLDSA_65_hedged_pure.txt", mldsa65kPublicKey, + mldsa65kPublicKeySPKI, 1974, mldsa_65_pub_pem_str, mldsa_65_priv_pem_str, + ml_dsa_65_keypair_internal, ml_dsa_65_sign_internal, + ml_dsa_65_verify_internal, ml_dsa_65_pack_pk_from_sk}, + {"MLDSA87", NID_MLDSA87, 2592, 4896, 4627, + "ml_dsa/kat/MLDSA_87_hedged_pure.txt", mldsa87kPublicKey, + mldsa87kPublicKeySPKI, 2614, mldsa_87_pub_pem_str, mldsa_87_priv_pem_str, + ml_dsa_87_keypair_internal, ml_dsa_87_sign_internal, + ml_dsa_87_verify_internal, ml_dsa_87_pack_pk_from_sk}, }; class PQDSAParameterTest : public testing::TestWithParam {}; -INSTANTIATE_TEST_SUITE_P(All, PQDSAParameterTest, testing::ValuesIn(parameterSet), - [](const testing::TestParamInfo 
¶ms) - -> std::string { return params.param.name; }); +INSTANTIATE_TEST_SUITE_P( + All, PQDSAParameterTest, testing::ValuesIn(parameterSet), + [](const testing::TestParamInfo ¶ms) -> std::string { + return params.param.name; + }); TEST_P(PQDSAParameterTest, KAT) { std::string kat_filepath = "crypto/fipsmodule/"; @@ -1266,35 +1316,32 @@ TEST_P(PQDSAParameterTest, KAT) { m_prime[0] = 0; m_prime[1] = ctxstr.size(); ASSERT_TRUE(ctxstr.size() <= 255); - OPENSSL_memcpy(m_prime + 2 , ctxstr.data(), ctxstr.size()); + OPENSSL_memcpy(m_prime + 2, ctxstr.data(), ctxstr.size()); // Generate signature by signing |msg|. - ASSERT_TRUE(GetParam().sign(priv.data(), - signature.data(), &sig_len, - msg.data(), mlen_int, - m_prime, m_prime_len, + ASSERT_TRUE(GetParam().sign(priv.data(), signature.data(), &sig_len, + msg.data(), mlen_int, m_prime, m_prime_len, rng.data())); // Assert that signature is equal to expected signature ASSERT_EQ(Bytes(signature), Bytes(sm)); // Assert that the signature verifies correctly. - ASSERT_TRUE(GetParam().verify(pub.data(), - signature.data(), sig_len, - msg.data(), mlen_int, - m_prime, m_prime_len)); + ASSERT_TRUE(GetParam().verify(pub.data(), signature.data(), sig_len, + msg.data(), mlen_int, m_prime, m_prime_len)); }); } TEST_P(PQDSAParameterTest, KeyGen) { // ---- 1. Test basic key generation flow ---- // Create context of PQDSA type and a key pair - bssl::UniquePtr ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_PQDSA, nullptr)); + bssl::UniquePtr ctx( + EVP_PKEY_CTX_new_id(EVP_PKEY_PQDSA, nullptr)); ASSERT_TRUE(ctx); // Setup the context with specific PQDSA parameters. int nid = GetParam().nid; - ASSERT_TRUE(EVP_PKEY_CTX_pqdsa_set_params(ctx.get(),nid)); + ASSERT_TRUE(EVP_PKEY_CTX_pqdsa_set_params(ctx.get(), nid)); // Generate a key pair. EVP_PKEY *raw = nullptr; 
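Review bot: The `parameterSet` initializer now mixes two layouts: the `MLDSA44` entry keeps one field per line because it ends with a trailing comma, while `MLDSA65` and `MLDSA87` have none and were packed by clang-format. Adding the trailing comma after `ml_dsa_65_pack_pk_from_sk` and `ml_dsa_87_pack_pk_from_sk` keeps all three entries in the column layout, which matters for a 15-field positional initializer where swapped `public_key_len`/`private_key_len` values would compile silently; the `kMLDSAs` table in the later hunk at -1797 has the same packed form for all six entries. Separately, `CMP_VEC_AND_PTR` and `GET_ERR_AND_CHECK_REASON` expand to a bare `{ ... }` block, so the usual `do { ... } while (0)` wrapper would let the trailing `;` at each use site and any `if`/`else` around them stay well-formed. The `struct PQDSATestVector` that opens this hunk starts outside it.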
@@ -1348,11 +1395,11 @@ TEST_P(PQDSAParameterTest, KeyGen) { GET_ERR_AND_CHECK_REASON(EVP_R_INVALID_OPERATION); // nid is not a PQDSA. - tmp = (void*) ctx.get()->pkey; + tmp = (void *)ctx.get()->pkey; ctx.get()->pkey = nullptr; ASSERT_FALSE(EVP_PKEY_CTX_pqdsa_set_params(ctx.get(), NID_MLKEM768)); GET_ERR_AND_CHECK_REASON(EVP_R_UNSUPPORTED_ALGORITHM); - ctx.get()->pkey = (EVP_PKEY*) tmp; + ctx.get()->pkey = (EVP_PKEY *)tmp; } // Helper function that: @@ -1362,7 +1409,6 @@ TEST_P(PQDSAParameterTest, KeyGen) { // 4. Creates an EVP_PKEY object from the generated key (as a bssl::UniquePtr). // 5. returns the PKEY. static bssl::UniquePtr generate_key_pair(int pqdsa_nid) { - EVP_PKEY_CTX *ctx = nullptr; EVP_PKEY *raw = nullptr; @@ -1405,7 +1451,7 @@ TEST_P(PQDSAParameterTest, KeySize) { bssl::UniquePtr pkey(generate_key_pair(nid)); EXPECT_EQ(sig_len, EVP_PKEY_size(pkey.get())); - EXPECT_EQ(8*(pk_len), EVP_PKEY_bits(pkey.get())); + EXPECT_EQ(8 * (pk_len), EVP_PKEY_bits(pkey.get())); } TEST_P(PQDSAParameterTest, RawFunctions) { @@ -1446,12 +1492,13 @@ TEST_P(PQDSAParameterTest, RawFunctions) { EXPECT_EQ(sk_len, GetParam().private_key_len); // ---- 4. Test creating PKEYs from raw data ---- - bssl::UniquePtrpublic_pkey( - EVP_PKEY_pqdsa_new_raw_public_key(nid, pkey->pkey.pqdsa_key->public_key, pk_len)); - bssl::UniquePtr private_pkey( - EVP_PKEY_pqdsa_new_raw_private_key(nid, pkey->pkey.pqdsa_key->private_key, sk_len)); + bssl::UniquePtr public_pkey(EVP_PKEY_pqdsa_new_raw_public_key( + nid, pkey->pkey.pqdsa_key->public_key, pk_len)); + bssl::UniquePtr private_pkey(EVP_PKEY_pqdsa_new_raw_private_key( + nid, pkey->pkey.pqdsa_key->private_key, sk_len)); - // check that public key is present and private key is not present in public_key + // check that public key is present and private key is not present in + // public_key ASSERT_NE(public_pkey, nullptr); EXPECT_NE(public_pkey->pkey.pqdsa_key->public_key, nullptr); EXPECT_EQ(public_pkey->pkey.pqdsa_key->private_key, nullptr); 
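Review bot: The saved-and-restored `pkey` pointer in the KeyGen hunk at -1348 goes through `void *tmp` with a C-style cast each way, `tmp = (void *)ctx.get()->pkey;` and `ctx.get()->pkey = (EVP_PKEY *)tmp;`; a typed local, `EVP_PKEY *saved_pkey = ctx.get()->pkey;` restored with `ctx.get()->pkey = saved_pkey;`, needs no casts and lets the compiler check the restore. The RawFunctions hunk at -1478 does the same with `ameth`, where the `void *` detour also discards the `const` on `EVP_PKEY_ASN1_METHOD` and reinstates it by hand; `const EVP_PKEY_ASN1_METHOD *saved_ameth = pkey.get()->ameth;` avoids both. In the KeyGen hunk `tmp` is declared outside the visible lines, so its `void *` type is inferred from the casts.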
@@ -1478,14 +1525,14 @@ TEST_P(PQDSAParameterTest, RawFunctions) { GET_ERR_AND_CHECK_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); // Invalid PKEY (missing ameth) must fail correctly. - void *tmp = (void*) pkey.get()->ameth; + void *tmp = (void *)pkey.get()->ameth; pkey.get()->ameth = nullptr; ASSERT_FALSE(EVP_PKEY_get_raw_public_key(pkey.get(), pk.data(), &pk_len)); GET_ERR_AND_CHECK_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); ASSERT_FALSE(EVP_PKEY_get_raw_private_key(pkey.get(), sk.data(), &sk_len)); GET_ERR_AND_CHECK_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); - pkey.get()->ameth = (const EVP_PKEY_ASN1_METHOD*)(tmp); + pkey.get()->ameth = (const EVP_PKEY_ASN1_METHOD *)(tmp); // Invalid lengths pk_len = GetParam().public_key_len - 1; 
@@ -1562,18 +1609,21 @@ TEST_P(PQDSAParameterTest, MarshalParse) { CBS_init(&cbs, der, der_len); bssl::UniquePtr priv_pkey_from_der(EVP_parse_private_key(&cbs)); ASSERT_TRUE(priv_pkey_from_der); - EXPECT_EQ(Bytes(priv_pkey_from_der->pkey.pqdsa_key->private_key, GetParam().private_key_len), - Bytes(pkey->pkey.pqdsa_key->private_key, GetParam().private_key_len)); + EXPECT_EQ( + Bytes(priv_pkey_from_der->pkey.pqdsa_key->private_key, + GetParam().private_key_len), + Bytes(pkey->pkey.pqdsa_key->private_key, GetParam().private_key_len)); // When importing a PQDSA private key, the public key will be calculated and // used to populate the public key. To test the calculated key is correct, - // we first check that the public key has been populated, then test for equality - // with the expected public key: + // we first check that the public key has been populated, then test for + // equality with the expected public key: ASSERT_NE(priv_pkey_from_der, nullptr); EXPECT_NE(priv_pkey_from_der->pkey.pqdsa_key->public_key, nullptr); EXPECT_NE(priv_pkey_from_der->pkey.pqdsa_key->private_key, nullptr); - EXPECT_EQ(Bytes(priv_pkey_from_der->pkey.pqdsa_key->public_key, GetParam().public_key_len), + EXPECT_EQ(Bytes(priv_pkey_from_der->pkey.pqdsa_key->public_key, + GetParam().public_key_len), Bytes(pkey->pkey.pqdsa_key->public_key, GetParam().public_key_len)); } 
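Review bot: In the MarshalParse hunk the first `EXPECT_EQ` dereferences `priv_pkey_from_der->pkey.pqdsa_key->private_key` through `Bytes(...)` before the `EXPECT_NE(..., private_key, nullptr)` that follows it, so a null private key would crash inside the comparison instead of producing a clean failure, and the `ASSERT_NE(priv_pkey_from_der, nullptr)` after it repeats the `ASSERT_TRUE(priv_pkey_from_der)` already at the top of the hunk. Moving the two `EXPECT_NE(..., nullptr)` lines above the first `EXPECT_EQ` (as `ASSERT_NE`, since the comparisons cannot proceed without them) and dropping the duplicate `ASSERT_NE` makes the test fail for the right reason. The comment in the hunk already describes that order ("first check that the public key has been populated, then test for equality"), so only the statements need to move.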
@@ -1582,40 +1632,47 @@ TEST_P(PQDSAParameterTest, SIGOperations) { bssl::UniquePtr pkey(generate_key_pair(GetParam().nid)); bssl::ScopedEVP_MD_CTX md_ctx, md_ctx_verify; - // msg2 differs from msg1 by one byte - std::vector msg1 = { - 0x4a, 0x41, 0x4b, 0x45, 0x20, 0x4d, 0x41, 0x53, 0x53, 0x49, - 0x4d, 0x4f, 0x20, 0x41, 0x57, 0x53, 0x32, 0x30, 0x32, 0x32, 0x2e}; - std::vector msg2 = { - 0x4a, 0x41, 0x4b, 0x45, 0x20, 0x4d, 0x41, 0x53, 0x53, 0x49, - 0x4d, 0x4f, 0x20, 0x41, 0x57, 0x53, 0x32, 0x30, 0x32, 0x31, 0x2e}; + // msg2 differs from msg1 by one byte + std::vector msg1 = {0x4a, 0x41, 0x4b, 0x45, 0x20, 0x4d, 0x41, + 0x53, 0x53, 0x49, 0x4d, 0x4f, 0x20, 0x41, + 0x57, 0x53, 0x32, 0x30, 0x32, 0x32, 0x2e}; + std::vector msg2 = {0x4a, 0x41, 0x4b, 0x45, 0x20, 0x4d, 0x41, + 0x53, 0x53, 0x49, 0x4d, 0x4f, 0x20, 0x41, + 0x57, 0x53, 0x32, 0x30, 0x32, 0x31, 0x2e}; // ---- 2. Test signature round trip (sign + verify) ---- // Initalize the signing context |md_ctx| with the |pkey| we generated - ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), nullptr, nullptr, nullptr, pkey.get())); + ASSERT_TRUE( + EVP_DigestSignInit(md_ctx.get(), nullptr, nullptr, nullptr, pkey.get())); // To sign, we first need to allocate memory for the signature. We call - // EVP_DigestSign with sig = nullptr to indicate that we are doing a size check - // on the signature size. The variable |sig_len| will be returned with the - // correct signature size, so we can allocate memory. + // EVP_DigestSign with sig = nullptr to indicate that we are doing a size + // check on the signature size. The variable |sig_len| will be returned with + // the correct signature size, so we can allocate memory. 
size_t sig_len = 0; - ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), nullptr, &sig_len, msg1.data(), msg1.size())); + ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), nullptr, &sig_len, msg1.data(), + msg1.size())); // Verify that the returned signature size is as expected ASSERT_EQ(sig_len, GetParam().signature_len); // Allocate memory for the signature and sign first message; msg1 std::vector sig1(sig_len); - ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), sig1.data(), &sig_len, msg1.data(), msg1.size())); + ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), sig1.data(), &sig_len, msg1.data(), + msg1.size())); // Verify the correct signed message - ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx_verify.get(), nullptr, nullptr, nullptr, pkey.get())); - ASSERT_TRUE(EVP_DigestVerify(md_ctx_verify.get(), sig1.data(), sig_len, msg1.data(), msg1.size())); + ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx_verify.get(), nullptr, nullptr, + nullptr, pkey.get())); + ASSERT_TRUE(EVP_DigestVerify(md_ctx_verify.get(), sig1.data(), sig_len, + msg1.data(), msg1.size())); // ---- 3. Test signature failure modes: incompatible messages/signatures ---- - // Check that the verification of signature1 fails for a different message; msg2 - ASSERT_FALSE(EVP_DigestVerify(md_ctx_verify.get(), sig1.data(), sig_len, msg2.data(), msg2.size())); + // Check that the verification of signature1 fails for a different message; + // msg2 + ASSERT_FALSE(EVP_DigestVerify(md_ctx_verify.get(), sig1.data(), sig_len, + msg2.data(), msg2.size())); GET_ERR_AND_CHECK_REASON(EVP_R_INVALID_SIGNATURE); // reset the contexts between tests 
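Review bot: The comment line `// Initalize the signing context |md_ctx| with the |pkey| we generated` in the SIGOperations hunk misspells "Initialize"; since the neighbouring comment lines were reflowed here, it is worth fixing as `// Initialize the signing context |md_ctx| with the |pkey| we generated`. SIGOperations begins before this hunk.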
@@ -1624,22 +1681,28 @@ TEST_P(PQDSAParameterTest, SIGOperations) { // PQDSA signature schemes can be either in randomized (every signature on a // fixed message is different) or in deterministic mode (every signature is - // the same). We currently support randomized signatures (as they are preferable), - // thus, signing the same message twice should result in unique signatures. + // the same). We currently support randomized signatures (as they are + // preferable), thus, signing the same message twice should result in unique + // signatures. std::vector sig3(sig_len); - ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), nullptr, nullptr, nullptr, pkey.get())); - ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), sig3.data(), &sig_len, msg1.data(), msg1.size())); + ASSERT_TRUE( + EVP_DigestSignInit(md_ctx.get(), nullptr, nullptr, nullptr, pkey.get())); + ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), sig3.data(), &sig_len, msg1.data(), + msg1.size())); EXPECT_NE(0, OPENSSL_memcmp(sig1.data(), sig3.data(), sig_len)); // Sign a different message, msg2 and verify that the signature for // msg1 is not the same as the signature for msg2. std::vector sig2(sig_len); - ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), nullptr, nullptr, nullptr, pkey.get())); - ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), sig2.data(), &sig_len, msg2.data(), msg2.size())); + ASSERT_TRUE( + EVP_DigestSignInit(md_ctx.get(), nullptr, nullptr, nullptr, pkey.get())); + ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), sig2.data(), &sig_len, msg2.data(), + msg2.size())); EXPECT_NE(0, OPENSSL_memcmp(sig1.data(), sig2.data(), sig_len)); // Check that the signature for msg2 fails to verify with msg1 - ASSERT_FALSE(EVP_DigestVerify(md_ctx.get(), sig2.data(), sig_len, msg1.data(), msg1.size())); + ASSERT_FALSE(EVP_DigestVerify(md_ctx.get(), sig2.data(), sig_len, msg1.data(), + msg1.size())); GET_ERR_AND_CHECK_REASON(EVP_R_INVALID_SIGNATURE); md_ctx.Reset(); 
@@ -1649,17 +1712,21 @@ TEST_P(PQDSAParameterTest, SIGOperations) { // Check that verification fails upon providing a different public key // than the one that was used to sign. bssl::UniquePtr new_pkey(generate_key_pair(GetParam().nid)); - ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx_verify.get(), nullptr, nullptr, nullptr, new_pkey.get())); - ASSERT_FALSE(EVP_DigestVerify(md_ctx_verify.get(), sig1.data(), sig_len, msg1.data(), msg1.size())); + ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx_verify.get(), nullptr, nullptr, + nullptr, new_pkey.get())); + ASSERT_FALSE(EVP_DigestVerify(md_ctx_verify.get(), sig1.data(), sig_len, + msg1.data(), msg1.size())); GET_ERR_AND_CHECK_REASON(EVP_R_INVALID_SIGNATURE); // Check that verification fails upon providing a signature of invalid length sig_len = GetParam().signature_len - 1; - ASSERT_FALSE(EVP_DigestVerify(md_ctx_verify.get(), sig1.data(), sig_len, msg1.data(), msg1.size())); + ASSERT_FALSE(EVP_DigestVerify(md_ctx_verify.get(), sig1.data(), sig_len, + msg1.data(), msg1.size())); GET_ERR_AND_CHECK_REASON(EVP_R_INVALID_SIGNATURE); sig_len = GetParam().signature_len + 1; - ASSERT_FALSE(EVP_DigestVerify(md_ctx_verify.get(), sig1.data(), sig_len, msg1.data(), msg1.size())); + ASSERT_FALSE(EVP_DigestVerify(md_ctx_verify.get(), sig1.data(), sig_len, + msg1.data(), msg1.size())); GET_ERR_AND_CHECK_REASON(EVP_R_INVALID_SIGNATURE); md_ctx.Reset(); 
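Review bot: After `sig_len = GetParam().signature_len + 1;` the verify call still passes `sig1.data()`, whose vector holds exactly `signature_len` bytes, so the test hands the API a length one byte past the buffer and relies on the verifier rejecting the length before touching the data. That is the behaviour being tested, but it makes the test itself the thing a sanitizer would flag if the implementation ever read first; a copy with one extra byte appended (`auto sig_long = sig1; sig_long.push_back(0);`) verified as `sig_long.data(), sig_long.size()` exercises the same rejection without the out-of-bounds contract. The ExternalMu hunk at -1955 has the same `signature_len + 1` pattern with `EVP_PKEY_verify`. SIGOperations begins outside this hunk.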
@@ -1673,11 +1740,12 @@ TEST_P(PQDSAParameterTest, ParsePublicKey) { // ---- 1. Setup phase: generate PQDSA key from raw ---- int nid = GetParam().nid; size_t pk_len = GetParam().public_key_len; - const uint8_t * kPublicKey = GetParam().kPublicKey; - const uint8_t * kPublicKeySPKI = GetParam().kPublicKeySPKI; + const uint8_t *kPublicKey = GetParam().kPublicKey; + const uint8_t *kPublicKeySPKI = GetParam().kPublicKeySPKI; size_t kPublicKeySPKI_len = GetParam().kPublicKeySPKI_len; - bssl::UniquePtr pkey_pk_new(EVP_PKEY_pqdsa_new_raw_public_key(nid, kPublicKey, pk_len)); + bssl::UniquePtr pkey_pk_new( + EVP_PKEY_pqdsa_new_raw_public_key(nid, kPublicKey, pk_len)); ASSERT_TRUE(pkey_pk_new); // ---- 2. Encode the public key as DER ---- @@ -1704,7 +1772,8 @@ TEST_P(PQDSAParameterTest, ParsePublicKey) { // 2. Reads the provided |pem_string| into bio // 3. Reads the PEM into DER encoding // 4. Returns the DER data and length -static bool PEM_to_DER(const char* pem_str, uint8_t** out_der, long* out_der_len) { +static bool PEM_to_DER(const char *pem_str, uint8_t **out_der, + long *out_der_len) { char *name = nullptr; char *header = nullptr; @@ -1761,9 +1830,9 @@ TEST_P(PQDSAParameterTest, ParsePrivateKey) { TEST_P(PQDSAParameterTest, KeyConsistencyTest) { // This test: generates a random PQDSA key pair extracts the private key, and - // runs the public key calculator function to populate the coresponding public key. - // The test is sucessful when the calculated public key is equal to the original - // public key generated. + // runs the public key calculator function to populate the coresponding public + // key. The test is sucessful when the calculated public key is equal to the + // original public key generated. // ---- 1. Setup phase: generate a key and key buffers ---- int nid = GetParam().nid; 
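Review bot: The reflowed comment in the KeyConsistencyTest hunk at -1761 still carries the typos `coresponding` and `sucessful`; since clang-format already rewrote these lines, this is the moment to fix them as `// runs the public key calculator function to populate the corresponding public` and `// key. The test is successful when the calculated public key is equal to the`. The sentence on the context line above also reads better with a comma: `generates a random PQDSA key pair, extracts the private key, and`. KeyConsistencyTest continues past the end of this hunk.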
@@ -1784,7 +1853,8 @@ TEST_P(PQDSAParameterTest, KeyConsistencyTest) { CMP_VEC_AND_PKEY_PUBLIC(pk, pkey, pk_len); } -// ML-DSA specific test framework to test pre-hash modes only applicable to ML-DSA +// ML-DSA specific test framework to test pre-hash modes only applicable to +// ML-DSA struct KnownMLDSA { const char name[20]; const int nid; 
@@ -1797,97 +1867,46 @@ struct KnownMLDSA { int (*keygen)(uint8_t *public_key, uint8_t *private_key, const uint8_t *seed); - int (*sign)(const uint8_t *private_key, - uint8_t *sig, size_t *sig_len, - const uint8_t *message, size_t message_len, - const uint8_t *pre, size_t pre_len, - const uint8_t *rnd); + int (*sign)(const uint8_t *private_key, uint8_t *sig, size_t *sig_len, + const uint8_t *message, size_t message_len, const uint8_t *pre, + size_t pre_len, const uint8_t *rnd); - int (*verify)(const uint8_t *public_key, - const uint8_t *sig, size_t sig_len, - const uint8_t *message, size_t message_len, - const uint8_t *pre, size_t pre_len); + int (*verify)(const uint8_t *public_key, const uint8_t *sig, size_t sig_len, + const uint8_t *message, size_t message_len, const uint8_t *pre, + size_t pre_len); }; static const struct KnownMLDSA kMLDSAs[] = { - { - "MLDSA44", - NID_MLDSA44, - 1312, - 2560, - 2420, - "ml_dsa/kat/MLDSA_44_ACVP_keyGen.txt", - "ml_dsa/kat/MLDSA_44_ACVP_sigGen.txt", - "ml_dsa/kat/MLDSA_44_ACVP_sigVer.txt", - ml_dsa_44_keypair_internal, - ml_dsa_44_sign_internal, - ml_dsa_44_verify_internal - }, - { - "MLDSA65", - NID_MLDSA65, - 1952, - 4032, - 3309, - "ml_dsa/kat/MLDSA_65_ACVP_keyGen.txt", - "ml_dsa/kat/MLDSA_65_ACVP_sigGen.txt", - "ml_dsa/kat/MLDSA_65_ACVP_sigVer.txt", - ml_dsa_65_keypair_internal, - ml_dsa_65_sign_internal, - ml_dsa_65_verify_internal - }, - { - "MLDSA87", - NID_MLDSA87, - 2592, - 4896, - 4627, - "ml_dsa/kat/MLDSA_87_ACVP_keyGen.txt", - "ml_dsa/kat/MLDSA_87_ACVP_sigGen.txt", - "ml_dsa/kat/MLDSA_87_ACVP_sigVer.txt", - ml_dsa_87_keypair_internal, - ml_dsa_87_sign_internal, - ml_dsa_87_verify_internal - }, - { - "MLDSAEXTMU44", - NID_MLDSA44, - 1312, - 2560, - 2420, - "ml_dsa/kat/MLDSA_44_ACVP_keyGen.txt", - "ml_dsa/kat/MLDSA_EXTMU_44_ACVP_sigGen.txt", - "ml_dsa/kat/MLDSA_EXTMU_44_ACVP_sigVer.txt", - ml_dsa_44_keypair_internal, - ml_dsa_extmu_44_sign_internal, - ml_dsa_extmu_44_verify_internal - }, - { - "MLDSAEXTMU65", - 
NID_MLDSA65, - 1952, - 4032, - 3309, - "ml_dsa/kat/MLDSA_65_ACVP_keyGen.txt", - "ml_dsa/kat/MLDSA_EXTMU_65_ACVP_sigGen.txt", - "ml_dsa/kat/MLDSA_EXTMU_65_ACVP_sigVer.txt", - ml_dsa_65_keypair_internal, - ml_dsa_extmu_65_sign_internal, - ml_dsa_extmu_65_verify_internal - }, - { - "MLDSAEXTMU87", - NID_MLDSA87, - 2592, - 4896, - 4627, - "ml_dsa/kat/MLDSA_87_ACVP_keyGen.txt", - "ml_dsa/kat/MLDSA_EXTMU_87_ACVP_sigGen.txt", - "ml_dsa/kat/MLDSA_EXTMU_87_ACVP_sigVer.txt", - ml_dsa_87_keypair_internal, - ml_dsa_extmu_87_sign_internal, - ml_dsa_extmu_87_verify_internal - }, + {"MLDSA44", NID_MLDSA44, 1312, 2560, 2420, + "ml_dsa/kat/MLDSA_44_ACVP_keyGen.txt", + "ml_dsa/kat/MLDSA_44_ACVP_sigGen.txt", + "ml_dsa/kat/MLDSA_44_ACVP_sigVer.txt", ml_dsa_44_keypair_internal, + ml_dsa_44_sign_internal, ml_dsa_44_verify_internal}, + {"MLDSA65", NID_MLDSA65, 1952, 4032, 3309, + "ml_dsa/kat/MLDSA_65_ACVP_keyGen.txt", + "ml_dsa/kat/MLDSA_65_ACVP_sigGen.txt", + "ml_dsa/kat/MLDSA_65_ACVP_sigVer.txt", ml_dsa_65_keypair_internal, + ml_dsa_65_sign_internal, ml_dsa_65_verify_internal}, + {"MLDSA87", NID_MLDSA87, 2592, 4896, 4627, + "ml_dsa/kat/MLDSA_87_ACVP_keyGen.txt", + "ml_dsa/kat/MLDSA_87_ACVP_sigGen.txt", + "ml_dsa/kat/MLDSA_87_ACVP_sigVer.txt", ml_dsa_87_keypair_internal, + ml_dsa_87_sign_internal, ml_dsa_87_verify_internal}, + {"MLDSAEXTMU44", NID_MLDSA44, 1312, 2560, 2420, + "ml_dsa/kat/MLDSA_44_ACVP_keyGen.txt", + "ml_dsa/kat/MLDSA_EXTMU_44_ACVP_sigGen.txt", + "ml_dsa/kat/MLDSA_EXTMU_44_ACVP_sigVer.txt", ml_dsa_44_keypair_internal, + ml_dsa_extmu_44_sign_internal, ml_dsa_extmu_44_verify_internal}, + {"MLDSAEXTMU65", NID_MLDSA65, 1952, 4032, 3309, + "ml_dsa/kat/MLDSA_65_ACVP_keyGen.txt", + "ml_dsa/kat/MLDSA_EXTMU_65_ACVP_sigGen.txt", + "ml_dsa/kat/MLDSA_EXTMU_65_ACVP_sigVer.txt", ml_dsa_65_keypair_internal, + ml_dsa_extmu_65_sign_internal, ml_dsa_extmu_65_verify_internal}, + {"MLDSAEXTMU87", NID_MLDSA87, 2592, 4896, 4627, + "ml_dsa/kat/MLDSA_87_ACVP_keyGen.txt", + 
"ml_dsa/kat/MLDSA_EXTMU_87_ACVP_sigGen.txt", + "ml_dsa/kat/MLDSA_EXTMU_87_ACVP_sigVer.txt", ml_dsa_87_keypair_internal, + ml_dsa_extmu_87_sign_internal, ml_dsa_extmu_87_verify_internal}, }; class PerMLDSATest : public testing::TestWithParam {}; @@ -1900,12 +1919,13 @@ TEST_P(PerMLDSATest, ExternalMu) { // ---- 1. Setup phase: generate PQDSA EVP KEY and sign/verify contexts ---- bssl::UniquePtr pkey(generate_key_pair(GetParam().nid)); bssl::UniquePtr ctx(EVP_PKEY_CTX_new(pkey.get(), nullptr)); - bssl::UniquePtr md_ctx_mu(EVP_MD_CTX_new()), md_ctx_pk(EVP_MD_CTX_new()); + bssl::UniquePtr md_ctx_mu(EVP_MD_CTX_new()), + md_ctx_pk(EVP_MD_CTX_new()); bssl::ScopedEVP_MD_CTX md_ctx_verify; - std::vector msg1 = { - 0x4a, 0x41, 0x4b, 0x45, 0x20, 0x4d, 0x41, 0x53, 0x53, 0x49, - 0x4d, 0x4f, 0x20, 0x41, 0x57, 0x53, 0x32, 0x30, 0x32, 0x32, 0x2e}; + std::vector msg1 = {0x4a, 0x41, 0x4b, 0x45, 0x20, 0x4d, 0x41, + 0x53, 0x53, 0x49, 0x4d, 0x4f, 0x20, 0x41, + 0x57, 0x53, 0x32, 0x30, 0x32, 0x32, 0x2e}; // ---- 2. Pre-hash setup phase: compute tr, mu ---- size_t TRBYTES = 64; @@ -1920,7 +1940,7 @@ TEST_P(PerMLDSATest, ExternalMu) { pre[0] = 0; pre[1] = 0; - //get public key and hash it + // get public key and hash it ASSERT_TRUE(EVP_PKEY_get_raw_public_key(pkey.get(), pk.data(), &pk_len)); ASSERT_TRUE(EVP_DigestInit_ex(md_ctx_pk.get(), EVP_shake256(), nullptr)); ASSERT_TRUE(EVP_DigestUpdate(md_ctx_pk.get(), pk.data(), pk_len)); 
@@ -1939,15 +1959,19 @@ TEST_P(PerMLDSATest, ExternalMu) { // ---- 3. Sign mu ---- ASSERT_TRUE(EVP_PKEY_sign_init(ctx.get())); - ASSERT_TRUE(EVP_PKEY_sign(ctx.get(), sig1.data(), &sig_len, mu.data(), mu.size())); + ASSERT_TRUE( + EVP_PKEY_sign(ctx.get(), sig1.data(), &sig_len, mu.data(), mu.size())); // ---- 4. Verify mu (pre-hash) ---- ASSERT_TRUE(EVP_PKEY_verify_init(ctx.get())); - ASSERT_TRUE(EVP_PKEY_verify(ctx.get(), sig1.data(), sig_len, mu.data(), mu.size())); + ASSERT_TRUE( + EVP_PKEY_verify(ctx.get(), sig1.data(), sig_len, mu.data(), mu.size())); // ---- 5. Bonus: Verify raw message with digest verify (no pre-hash) ---- - ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx_verify.get(), nullptr, nullptr, nullptr, pkey.get())); - ASSERT_TRUE(EVP_DigestVerify(md_ctx_verify.get(), sig1.data(), sig_len, msg1.data(), msg1.size())); + ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx_verify.get(), nullptr, nullptr, + nullptr, pkey.get())); + ASSERT_TRUE(EVP_DigestVerify(md_ctx_verify.get(), sig1.data(), sig_len, + msg1.data(), msg1.size())); // reset the contexts between tests md_ctx_verify.Reset(); 
@@ -1955,20 +1979,24 @@ TEST_P(PerMLDSATest, ExternalMu) { // ---- 6. Test signature failure modes: invalid keys and signatures ---- // Check that verification fails upon providing a signature of invalid length sig_len = GetParam().signature_len - 1; - ASSERT_FALSE(EVP_PKEY_verify(ctx.get(), sig1.data(), sig_len, mu.data(), mu.size())); + ASSERT_FALSE( + EVP_PKEY_verify(ctx.get(), sig1.data(), sig_len, mu.data(), mu.size())); GET_ERR_AND_CHECK_REASON(EVP_R_INVALID_SIGNATURE); sig_len = GetParam().signature_len + 1; - ASSERT_FALSE(EVP_PKEY_verify(ctx.get(), sig1.data(), sig_len, mu.data(), mu.size())); + ASSERT_FALSE( + EVP_PKEY_verify(ctx.get(), sig1.data(), sig_len, mu.data(), mu.size())); GET_ERR_AND_CHECK_REASON(EVP_R_INVALID_SIGNATURE); // Check that verification fails upon providing a different public key // than the one that was used to sign. bssl::UniquePtr new_pkey(generate_key_pair(GetParam().nid)); - bssl::UniquePtr new_ctx(EVP_PKEY_CTX_new(new_pkey.get(), nullptr)); + bssl::UniquePtr new_ctx( + EVP_PKEY_CTX_new(new_pkey.get(), nullptr)); ASSERT_TRUE(EVP_PKEY_verify_init(new_ctx.get())); - ASSERT_FALSE(EVP_PKEY_verify(new_ctx.get(), sig1.data(), sig_len, mu.data(), mu.size())); + ASSERT_FALSE(EVP_PKEY_verify(new_ctx.get(), sig1.data(), sig_len, mu.data(), + mu.size())); GET_ERR_AND_CHECK_REASON(EVP_R_INVALID_SIGNATURE); md_ctx_verify.Reset(); } @@ -1991,8 +2019,9 @@ TEST_P(PerMLDSATest, ACVPKeyGen) { std::vector generated_pk(pk_len); std::vector generated_sk(sk_len); - //generate key pair from provided seed - ASSERT_TRUE(GetParam().keygen(generated_pk.data(), generated_sk.data(), seed.data())); + // generate key pair from provided seed + ASSERT_TRUE(GetParam().keygen(generated_pk.data(), generated_sk.data(), + seed.data())); // Assert that key pair is as expected ASSERT_EQ(Bytes(pk), Bytes(generated_pk)); 
@@ -2027,20 +2056,16 @@ TEST_P(PerMLDSATest, ACVPSigGen) { std::vector signature(sig_len); // Generate signature by signing |data|. - ASSERT_TRUE(GetParam().sign(sk.data(), - signature.data(), &sig_len, - data.data(), data.size(), - nullptr, 0, + ASSERT_TRUE(GetParam().sign(sk.data(), signature.data(), &sig_len, + data.data(), data.size(), nullptr, 0, rnd.data())); // Assert that signature is equal to expected signature ASSERT_EQ(Bytes(signature), Bytes(sig)); // Assert that the signature verifies correctly. - ASSERT_TRUE(GetParam().verify(pk.data(), - signature.data(), sig_len, - data.data(), data.size(), - nullptr, 0)); + ASSERT_TRUE(GetParam().verify(pk.data(), signature.data(), sig_len, + data.data(), data.size(), nullptr, 0)); }); } @@ -2066,17 +2091,14 @@ TEST_P(PerMLDSATest, ACVPSigVer) { data = mu; } - int res = GetParam().verify(pk.data(), - sig.data(), sig.size(), - data.data(), data.size(), - nullptr, 0); + int res = GetParam().verify(pk.data(), sig.data(), sig.size(), data.data(), + data.size(), nullptr, 0); // ACVP test both positive and negative results we read the intended result // from the KAT and attest that the same result is in |res|. - if(!res) { + if (!res) { ASSERT_TRUE(strcmp(result.data(), "False") == 0); - } - else { + } else { ASSERT_TRUE(strcmp(result.data(), "True") == 0); } }); diff --git a/crypto/evp_extra/p_rsa_asn1.c b/crypto/evp_extra/p_rsa_asn1.c index 05f5881112..3bc03e8194 100644 --- a/crypto/evp_extra/p_rsa_asn1.c +++ b/crypto/evp_extra/p_rsa_asn1.c @@ -61,9 +61,9 @@ #include #include -#include "../rsa_extra/internal.h" #include "../fipsmodule/evp/internal.h" #include "../fipsmodule/rsa/internal.h" +#include "../rsa_extra/internal.h" #include "internal.h" static int rsa_pub_encode(CBB *out, const EVP_PKEY *key) { 
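Review bot: `strcmp(result.data(), "False") == 0` in `ACVPSigVer` assumes `result` is NUL-terminated; that holds for a `std::string`, but if it was read with `GetBytes` into a `std::vector` then `.data()` carries no terminator and `strcmp` reads past the end. `result` is declared outside the hunk, so please confirm its type. A form that does not depend on it, and that prints actual vs expected on failure, is `ASSERT_EQ(res != 0, std::string(result.begin(), result.end()) == "True");` in place of the if/else.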
@@ -119,8 +119,7 @@ static int rsa_pss_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) { RSASSA_PSS_PARAMS_free(pss); return 0; } - if (rsa == NULL || - CBS_len(key) != 0 || + if (rsa == NULL || CBS_len(key) != 0 || !EVP_PKEY_assign(out, EVP_PKEY_RSA_PSS, rsa)) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); RSA_free(rsa); @@ -153,15 +152,14 @@ static int rsa_priv_encode(CBB *out, const EVP_PKEY *key) { } static int rsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) { - if(pubkey) { + if (pubkey) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return 0; } // Per RFC 3447, A.1, the parameters have type NULL. CBS null; - if (!CBS_get_asn1(params, &null, CBS_ASN1_NULL) || - CBS_len(&null) != 0 || + if (!CBS_get_asn1(params, &null, CBS_ASN1_NULL) || CBS_len(&null) != 0 || CBS_len(params) != 0) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return 0; @@ -178,7 +176,8 @@ static int rsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) { return 1; } -static int rsa_pss_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) { +static int rsa_pss_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, + CBS *pubkey) { RSASSA_PSS_PARAMS *pss = NULL; if (!RSASSA_PSS_parse_params(params, &pss)) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); @@ -192,8 +191,7 @@ static int rsa_pss_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey RSASSA_PSS_PARAMS_free(pss); return 0; } - if (rsa == NULL || - CBS_len(key) != 0 || + if (rsa == NULL || CBS_len(key) != 0 || !EVP_PKEY_assign(out, EVP_PKEY_RSA_PSS, rsa)) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); RSA_free(rsa); 
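Review bot: The `if (pubkey)` rejection at the top of `rsa_priv_decode` has no comment explaining why a PKCS#8 private key that also carries a public key is treated as a decode error rather than ignored, while the NULL-parameters check right below it cites RFC 3447. Add a line above it such as `// A PKCS#8 v2 publicKey field is not supported for RSA; reject it rather than silently dropping it.` (I am inferring the v2 origin of |pubkey| from the parameter name and from the X25519 decoder in this patch, which reads it as a padded BIT STRING; confirm against the caller). `rsa_pss_priv_decode` takes the same `pubkey` parameter but its body continues outside the hunk, so I cannot see whether it applies the same check; if it does not, the two decoders disagree on this input.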
@@ -210,70 +208,74 @@ static int int_rsa_size(const EVP_PKEY *pkey) { return RSA_size(pkey->pkey.rsa); } -static int rsa_bits(const EVP_PKEY *pkey) { - return RSA_bits(pkey->pkey.rsa); -} +static int rsa_bits(const EVP_PKEY *pkey) { return RSA_bits(pkey->pkey.rsa); } static void int_rsa_free(EVP_PKEY *pkey) { RSA_free(pkey->pkey.rsa); } const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = { - EVP_PKEY_RSA, - // 1.2.840.113549.1.1.1 - {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01}, 9, + EVP_PKEY_RSA, + // 1.2.840.113549.1.1.1 + {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01}, + 9, - "RSA", - "OpenSSL RSA method", + "RSA", + "OpenSSL RSA method", - rsa_pub_decode, - rsa_pub_encode, - rsa_pub_cmp, + rsa_pub_decode, + rsa_pub_encode, + rsa_pub_cmp, - rsa_priv_decode, - rsa_priv_encode, - NULL /* priv_encode_v2 */, + rsa_priv_decode, + rsa_priv_encode, + NULL /* priv_encode_v2 */, - NULL /* set_priv_raw */, - NULL /* set_pub_raw */, - NULL /* get_priv_raw */, - NULL /* get_pub_raw */, + NULL /* set_priv_raw */, + NULL /* set_pub_raw */, + NULL /* get_priv_raw */, + NULL /* get_pub_raw */, - rsa_opaque, + rsa_opaque, - int_rsa_size, - rsa_bits, + int_rsa_size, + rsa_bits, - 0,0,0, + 0, + 0, + 0, - int_rsa_free, + int_rsa_free, }; const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = { - EVP_PKEY_RSA_PSS, - // 1.2.840.113549.1.1.10 - {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0a}, 9, + EVP_PKEY_RSA_PSS, + // 1.2.840.113549.1.1.10 + {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0a}, + 9, - "RSA-PSS", - "OpenSSL RSA-PSS method", + "RSA-PSS", + "OpenSSL RSA-PSS method", - rsa_pss_pub_decode, - NULL /* pub_encode */, - rsa_pub_cmp, + rsa_pss_pub_decode, + NULL /* pub_encode */, + rsa_pub_cmp, - rsa_pss_priv_decode, - NULL /* priv_encode */, - NULL /* priv_encode_v2 */, + rsa_pss_priv_decode, + NULL /* priv_encode */, + NULL /* priv_encode_v2 */, - NULL /* set_priv_raw */, - NULL /* set_pub_raw */, - NULL /* get_priv_raw */, - NULL /* get_pub_raw */, + NULL /* 
set_priv_raw */, + NULL /* set_pub_raw */, + NULL /* get_priv_raw */, + NULL /* get_pub_raw */, - rsa_opaque, + rsa_opaque, - int_rsa_size, - rsa_bits, + int_rsa_size, + rsa_bits, - 0,0,0, + 0, + 0, + 0, - int_rsa_free, + int_rsa_free, }; diff --git a/crypto/evp_extra/p_x25519_asn1.c b/crypto/evp_extra/p_x25519_asn1.c index b6963a8228..47ef591487 100644 --- a/crypto/evp_extra/p_x25519_asn1.c +++ b/crypto/evp_extra/p_x25519_asn1.c @@ -29,7 +29,9 @@ static void x25519_free(EVP_PKEY *pkey) { pkey->pkey.ptr = NULL; } -static int x25519_set_priv_raw(EVP_PKEY *pkey, const uint8_t *privkey, size_t privkey_len, const uint8_t* pubkey, size_t pubkey_len) { +static int x25519_set_priv_raw(EVP_PKEY *pkey, const uint8_t *privkey, + size_t privkey_len, const uint8_t *pubkey, + size_t pubkey_len) { if (privkey_len != X25519_PRIVATE_KEY_LEN) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return 0; @@ -50,7 +52,7 @@ static int x25519_set_priv_raw(EVP_PKEY *pkey, const uint8_t *privkey, size_t pr key->has_private = 1; // If a public key was provided, validate that it matches the computed value. - if(pubkey && OPENSSL_memcmp(key->pub, pubkey, pubkey_len) != 0) { + if (pubkey && OPENSSL_memcmp(key->pub, pubkey, pubkey_len) != 0) { OPENSSL_free(key); OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return 0; @@ -81,7 +83,7 @@ static int x25519_set_pub_raw(EVP_PKEY *pkey, const uint8_t *in, size_t len) { } static int x25519_get_priv_raw(const EVP_PKEY *pkey, uint8_t *out, - size_t *out_len) { + size_t *out_len) { const X25519_KEY *key = pkey->pkey.ptr; if (!key->has_private) { OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY); @@ -104,7 +106,7 @@ static int x25519_get_priv_raw(const EVP_PKEY *pkey, uint8_t *out, } static int x25519_get_pub_raw(const EVP_PKEY *pkey, uint8_t *out, - size_t *out_len) { + size_t *out_len) { const X25519_KEY *key = pkey->pkey.ptr; if (out == NULL) { *out_len = 32; 
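Review bot: In both `rsa_asn1_meth` and `rsa_pss_asn1_meth` the formatter now puts the three trailing `0,` entries on lines of their own with no name, while every other unused slot in the same initializer is written as `NULL /* set_priv_raw */` and so on. Label them the same way using the corresponding `EVP_PKEY_ASN1_METHOD` field names (the struct definition is not visible here, so take them from the header), or convert both tables to designated initializers so positional order stops mattering. The hunk covers both tables in full.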
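Review bot: `OPENSSL_memcmp(key->pub, pubkey, pubkey_len)` in `x25519_set_priv_raw` compares a caller-supplied number of bytes against the fixed 32-byte `key->pub`: a short `pubkey_len` accepts a public key that only matches a prefix, and a long one over-reads `key->pub`. The visible part of the function validates only `privkey_len` against `X25519_PRIVATE_KEY_LEN`; if the lines between the two hunks do not already reject `pubkey_len != 32`, tighten the check to `if (pubkey && (pubkey_len != 32 || OPENSSL_memcmp(key->pub, pubkey, 32) != 0)) {`. `x25519_priv_decode` later in this patch passes `CBS_len(pubkey)` straight through, so the check belongs here rather than in each caller. The middle of the function is outside the hunks.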
@@ -144,8 +146,7 @@ static int x25519_pub_encode(CBB *out, const EVP_PKEY *pkey) { !CBB_add_bytes(&oid, x25519_asn1_meth.oid, x25519_asn1_meth.oid_len) || !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) || !CBB_add_u8(&key_bitstring, 0 /* padding */) || - !CBB_add_bytes(&key_bitstring, key->pub, 32) || - !CBB_flush(out)) { + !CBB_add_bytes(&key_bitstring, key->pub, 32) || !CBB_flush(out)) { OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); return 0; } @@ -159,20 +160,20 @@ static int x25519_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { return OPENSSL_memcmp(a_key->pub, b_key->pub, 32) == 0; } -static int x25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) { +static int x25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, + CBS *pubkey) { // See RFC 8410, section 7. // Parameters must be empty. The key is a 32-byte value wrapped in an extra // OCTET STRING layer. CBS inner; if (CBS_len(params) != 0 || - !CBS_get_asn1(key, &inner, CBS_ASN1_OCTETSTRING) || - CBS_len(key) != 0) { + !CBS_get_asn1(key, &inner, CBS_ASN1_OCTETSTRING) || CBS_len(key) != 0) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return 0; } - const uint8_t *public= NULL; + const uint8_t *public = NULL; size_t public_len = 0; if (pubkey) { uint8_t padding; @@ -184,7 +185,8 @@ static int x25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey) public_len = CBS_len(pubkey); } - return x25519_set_priv_raw(out, CBS_data(&inner), CBS_len(&inner), public, public_len); + return x25519_set_priv_raw(out, CBS_data(&inner), CBS_len(&inner), public, + public_len); } static int x25519_priv_encode(CBB *out, const EVP_PKEY *pkey) { 
@@ -205,8 +207,7 @@ static int x25519_priv_encode(CBB *out, const EVP_PKEY *pkey) { !CBB_add_asn1(&private_key, &inner, CBS_ASN1_OCTETSTRING) || // The PKCS#8 encoding stores only the 32-byte seed which is the first 32 // bytes of the private key. - !CBB_add_bytes(&inner, key->priv, 32) || - !CBB_flush(out)) { + !CBB_add_bytes(&inner, key->priv, 32) || !CBB_flush(out)) { OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); return 0; } @@ -233,10 +234,9 @@ static int x25519_priv_encode_v2(CBB *out, const EVP_PKEY *pkey) { // The PKCS#8 encoding stores only the 32-byte seed which is the first 32 // bytes of the private key. !CBB_add_bytes(&inner, key->priv, 32) || - !CBB_add_asn1(&pkcs8, &public_key, CBS_ASN1_CONTEXT_SPECIFIC|1) || + !CBB_add_asn1(&pkcs8, &public_key, CBS_ASN1_CONTEXT_SPECIFIC | 1) || !CBB_add_u8(&public_key, 0 /*no padding required*/) || - !CBB_add_bytes(&public_key, key->pub, 32) || - !CBB_flush(out)) { + !CBB_add_bytes(&public_key, key->pub, 32) || !CBB_flush(out)) { OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); return 0; } diff --git a/crypto/evp_extra/print.c b/crypto/evp_extra/print.c index 01f244f06c..6a4b1655a2 100644 --- a/crypto/evp_extra/print.c +++ b/crypto/evp_extra/print.c @@ -60,12 +60,12 @@ #include #include -#include "internal.h" -#include "../internal.h" #include "../fipsmodule/evp/internal.h" -#include "../fipsmodule/rsa/internal.h" #include "../fipsmodule/ml_dsa/ml_dsa.h" #include "../fipsmodule/pqdsa/internal.h" +#include "../fipsmodule/rsa/internal.h" +#include "../internal.h" +#include "internal.h" static int print_hex(BIO *bp, const uint8_t *data, size_t len, int off) { for (size_t i = 0; i < len; i++) { @@ -108,7 +108,7 @@ static int bn_print(BIO *bp, const char *name, const BIGNUM *num, int off) { } if (BIO_printf(bp, "%s%s", name, - (BN_is_negative(num)) ? " (Negative)" : "") <= 0) { + (BN_is_negative(num)) ? " (Negative)" : "") <= 0) { return 0; } 
@@ -163,8 +163,7 @@ static int do_rsa_print(BIO *out, const RSA *rsa, int off, str = "Modulus:"; s = "Exponent:"; } - if (!bn_print(out, str, rsa->n, off) || - !bn_print(out, s, rsa->e, off)) { + if (!bn_print(out, str, rsa->n, off) || !bn_print(out, s, rsa->e, off)) { return 0; } @@ -310,7 +309,8 @@ static int eckey_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent) { // MLDSA keys. -static int do_mldsa_65_print(BIO *bp, const EVP_PKEY *pkey, int off, int ptype) { +static int do_mldsa_65_print(BIO *bp, const EVP_PKEY *pkey, int off, + int ptype) { if (pkey == NULL) { OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER); return 0; diff --git a/crypto/evp_extra/scrypt.c b/crypto/evp_extra/scrypt.c index 04fb5341fe..c1ab9dc610 100644 --- a/crypto/evp_extra/scrypt.c +++ b/crypto/evp_extra/scrypt.c @@ -29,7 +29,9 @@ // A block_t is a Salsa20 block. #define SCRYPT_BLOCK_WORD_CNT 16 -typedef struct { uint32_t words[SCRYPT_BLOCK_WORD_CNT]; } block_t; +typedef struct { + uint32_t words[SCRYPT_BLOCK_WORD_CNT]; +} block_t; OPENSSL_STATIC_ASSERT(sizeof(block_t) == 64, block_t_has_padding) @@ -113,7 +115,7 @@ static void scryptROMix(block_t *B, uint64_t r, uint64_t N, block_t *T, block_t *V) { // Steps 1 and 2. #ifdef OPENSSL_BIG_ENDIAN - for(size_t i = 0; i < (2 * r * SCRYPT_BLOCK_WORD_CNT); i++) { + for (size_t i = 0; i < (2 * r * SCRYPT_BLOCK_WORD_CNT); i++) { CRYPTO_store_u32_le(&V->words[i], B->words[i]); } #else @@ -135,7 +137,7 @@ static void scryptROMix(block_t *B, uint64_t r, uint64_t N, block_t *T, scryptBlockMix(B, T, r); } #ifdef OPENSSL_BIG_ENDIAN - for(size_t i = 0; i < (2 * r * SCRYPT_BLOCK_WORD_CNT); i++) { + for (size_t i = 0; i < (2 * r * SCRYPT_BLOCK_WORD_CNT); i++) { CRYPTO_store_u32_le(&B->words[i], B->words[i]); } #endif 
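Review bot: The big-endian loops in `scryptROMix` index `V->words[i]` and `B->words[i]` for `i` up to `2 * r * SCRYPT_BLOCK_WORD_CNT - 1`, which walks past the 16-element `words` array of the first `block_t` into the following blocks; the storage is contiguous, but indexing beyond an array member is undefined behaviour that sanitizers and newer compilers flag. Stepping by block keeps the intent and stays in bounds, e.g. `for (size_t j = 0; j < 2 * r; j++) { for (size_t i = 0; i < SCRYPT_BLOCK_WORD_CNT; i++) { CRYPTO_store_u32_le(&V[j].words[i], B[j].words[i]); } }` and likewise for the in-place loop at the end. Both loops only compile under `OPENSSL_BIG_ENDIAN`, so this path is unlikely to be exercised by the usual CI; the rest of `scryptROMix` is outside the hunks.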
@@ -175,8 +177,7 @@ int EVP_PBE_scrypt(const char *password, size_t password_len, } size_t max_scrypt_blocks = max_mem / (2 * r * sizeof(block_t)); - if (max_scrypt_blocks < p + 1 || - max_scrypt_blocks - p - 1 < N) { + if (max_scrypt_blocks < p + 1 || max_scrypt_blocks - p - 1 < N) { OPENSSL_PUT_ERROR(EVP, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; } @@ -188,7 +189,8 @@ int EVP_PBE_scrypt(const char *password, size_t password_len, size_t B_bytes = B_blocks * sizeof(block_t); size_t T_blocks = 2 * r; size_t V_blocks = N * 2 * r; - block_t *B = OPENSSL_calloc((B_blocks + T_blocks + V_blocks), sizeof(block_t)); + block_t *B = + OPENSSL_calloc((B_blocks + T_blocks + V_blocks), sizeof(block_t)); if (B == NULL) { return 0; } diff --git a/crypto/evp_extra/scrypt_test.cc b/crypto/evp_extra/scrypt_test.cc index f56a523a28..f3007b77ad 100644 --- a/crypto/evp_extra/scrypt_test.cc +++ b/crypto/evp_extra/scrypt_test.cc @@ -90,7 +90,7 @@ TEST(ScryptTest, InvalidParameters) { EXPECT_FALSE(EVP_PBE_scrypt(nullptr, 0, nullptr, 0, 1023 /* N */, 8 /* r */, 1 /* p */, 0 /* max_mem */, key, sizeof(key))); EXPECT_TRUE(EVP_PBE_scrypt(nullptr, 0, nullptr, 0, 1024 /* N */, 8 /* r */, - 1 /* p */, 0 /* max_mem */, key, sizeof(key))); + 1 /* p */, 0 /* max_mem */, key, sizeof(key))); EXPECT_FALSE(EVP_PBE_scrypt(nullptr, 0, nullptr, 0, 1025 /* N */, 8 /* r */, 1 /* p */, 0 /* max_mem */, key, sizeof(key))); diff --git a/crypto/evp_extra/sign.c b/crypto/evp_extra/sign.c index 837c2b5bfa..2adf961182 100644 --- a/crypto/evp_extra/sign.c +++ b/crypto/evp_extra/sign.c @@ -142,8 +142,7 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len, EVP_MD_CTX_cleanup(&tmp_ctx); pkctx = EVP_PKEY_CTX_new(pkey, NULL); - if (!pkctx || - !EVP_PKEY_verify_init(pkctx) || + if (!pkctx || !EVP_PKEY_verify_init(pkctx) || !EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest)) { goto out; } diff --git a/crypto/ex_data.c b/crypto/ex_data.c index 867ced3c94..9f5dc9163f 100644 --- a/crypto/ex_data.c 
+++ b/crypto/ex_data.c @@ -156,7 +156,7 @@ int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, int *out_index, // The index must fit in |int|. if (sk_CRYPTO_EX_DATA_FUNCS_num(ex_data_class->meth) > - (size_t)(INT_MAX - ex_data_class->num_reserved)) { + (size_t)(INT_MAX - ex_data_class->num_reserved)) { OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW); goto err; } @@ -236,9 +236,7 @@ static int get_func_pointers(STACK_OF(CRYPTO_EX_DATA_FUNCS) **out, return 1; } -void CRYPTO_new_ex_data(CRYPTO_EX_DATA *ad) { - ad->sk = NULL; -} +void CRYPTO_new_ex_data(CRYPTO_EX_DATA *ad) { ad->sk = NULL; } void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, void *obj, CRYPTO_EX_DATA *ad) { diff --git a/crypto/fipsmodule/aes/aes.c b/crypto/fipsmodule/aes/aes.c index d78fd094ce..ca53bfa93e 100644 --- a/crypto/fipsmodule/aes/aes.c +++ b/crypto/fipsmodule/aes/aes.c @@ -50,8 +50,8 @@ #include -#include "internal.h" #include "../modes/internal.h" +#include "internal.h" // Be aware that different sets of AES functions use incompatible key diff --git a/crypto/fipsmodule/aes/aes_test.cc b/crypto/fipsmodule/aes/aes_test.cc index a90ffb7b4e..35808f9239 100644 --- a/crypto/fipsmodule/aes/aes_test.cc +++ b/crypto/fipsmodule/aes/aes_test.cc 
@@ -238,157 +238,163 @@ TEST(AESTest, TestVectors) { } TEST(AESTest, WycheproofKeyWrap) { - FileTestGTest("third_party/wycheproof_testvectors/kw_test.txt", - [](FileTest *t) { - std::string key_size; - ASSERT_TRUE(t->GetInstruction(&key_size, "keySize")); - std::vector ct, key, msg; - ASSERT_TRUE(t->GetBytes(&ct, "ct")); - ASSERT_TRUE(t->GetBytes(&key, "key")); - ASSERT_TRUE(t->GetBytes(&msg, "msg")); - ASSERT_EQ(static_cast(atoi(key_size.c_str())), key.size() * 8); - WycheproofResult result; - ASSERT_TRUE(GetWycheproofResult(t, &result)); - - if (result.IsValid()) { - ASSERT_GE(ct.size(), 8u); - - AES_KEY aes; - ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes)); - std::vector out(ct.size() - 8); - int len = AES_unwrap_key(&aes, nullptr, out.data(), ct.data(), ct.size()); - ASSERT_EQ(static_cast(out.size()), len); - EXPECT_EQ(Bytes(msg), Bytes(out)); - - out.resize(msg.size() + 8); - ASSERT_EQ(0, AES_set_encrypt_key(key.data(), 8 * key.size(), &aes)); - len = AES_wrap_key(&aes, nullptr, out.data(), msg.data(), msg.size()); - ASSERT_EQ(static_cast(out.size()), len); - EXPECT_EQ(Bytes(ct), Bytes(out)); - } else { - AES_KEY aes; - ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes)); - std::vector out(ct.size() < 8 ? 
0 : ct.size() - 8); - int len = AES_unwrap_key(&aes, nullptr, out.data(), ct.data(), ct.size()); - EXPECT_EQ(-1, len); - } - }); + FileTestGTest( + "third_party/wycheproof_testvectors/kw_test.txt", [](FileTest *t) { + std::string key_size; + ASSERT_TRUE(t->GetInstruction(&key_size, "keySize")); + std::vector ct, key, msg; + ASSERT_TRUE(t->GetBytes(&ct, "ct")); + ASSERT_TRUE(t->GetBytes(&key, "key")); + ASSERT_TRUE(t->GetBytes(&msg, "msg")); + ASSERT_EQ(static_cast(atoi(key_size.c_str())), + key.size() * 8); + WycheproofResult result; + ASSERT_TRUE(GetWycheproofResult(t, &result)); + + if (result.IsValid()) { + ASSERT_GE(ct.size(), 8u); + + AES_KEY aes; + ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes)); + std::vector out(ct.size() - 8); + int len = + AES_unwrap_key(&aes, nullptr, out.data(), ct.data(), ct.size()); + ASSERT_EQ(static_cast(out.size()), len); + EXPECT_EQ(Bytes(msg), Bytes(out)); + + out.resize(msg.size() + 8); + ASSERT_EQ(0, AES_set_encrypt_key(key.data(), 8 * key.size(), &aes)); + len = AES_wrap_key(&aes, nullptr, out.data(), msg.data(), msg.size()); + ASSERT_EQ(static_cast(out.size()), len); + EXPECT_EQ(Bytes(ct), Bytes(out)); + } else { + AES_KEY aes; + ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes)); + std::vector out(ct.size() < 8 ? 
0 : ct.size() - 8); + int len = + AES_unwrap_key(&aes, nullptr, out.data(), ct.data(), ct.size()); + EXPECT_EQ(-1, len); + } + }); } TEST(AESTest, WycheproofEVPKeyWrap) { - FileTestGTest("third_party/wycheproof_testvectors/kw_test.txt", - [](FileTest *t) { - std::string key_size; - ASSERT_TRUE(t->GetInstruction(&key_size, "keySize")); - std::vector ct, key, msg; - ASSERT_TRUE(t->GetBytes(&ct, "ct")); - ASSERT_TRUE(t->GetBytes(&key, "key")); - ASSERT_TRUE(t->GetBytes(&msg, "msg")); - ASSERT_EQ(static_cast(atoi(key_size.c_str())), key.size() * 8); - WycheproofResult result; - ASSERT_TRUE(GetWycheproofResult(t, &result)); - - // Only 256 bit keys are supported for key wrap from EVP_CIPHER at the - // moment. - if (key.size() != 32) { - return; - } + FileTestGTest( + "third_party/wycheproof_testvectors/kw_test.txt", [](FileTest *t) { + std::string key_size; + ASSERT_TRUE(t->GetInstruction(&key_size, "keySize")); + std::vector ct, key, msg; + ASSERT_TRUE(t->GetBytes(&ct, "ct")); + ASSERT_TRUE(t->GetBytes(&key, "key")); + ASSERT_TRUE(t->GetBytes(&msg, "msg")); + ASSERT_EQ(static_cast(atoi(key_size.c_str())), + key.size() * 8); + WycheproofResult result; + ASSERT_TRUE(GetWycheproofResult(t, &result)); + + // Only 256 bit keys are supported for key wrap from EVP_CIPHER at the + // moment. 
+ if (key.size() != 32) { + return; + } - const EVP_CIPHER *cipher = EVP_aes_256_wrap(); - - if (result.IsValid()) { - ASSERT_GE(ct.size(), 8u); - - bssl::ScopedEVP_CIPHER_CTX ctx; - std::vector out(ct.size() - 8); - int len; - ASSERT_TRUE( - EVP_DecryptInit_ex(ctx.get(), cipher, nullptr, key.data(), nullptr)); - ASSERT_TRUE(EVP_DecryptUpdate(ctx.get(), out.data(), &len, ct.data(), - ct.size())); - ASSERT_EQ(static_cast(out.size()), len); - ASSERT_TRUE(EVP_EncryptFinal(ctx.get(), out.data(), &len)); - EXPECT_EQ(Bytes(msg), Bytes(out)); - - ctx.Reset(); - out.resize(msg.size() + 8); - ASSERT_TRUE( - EVP_EncryptInit_ex(ctx.get(), cipher, nullptr, key.data(), nullptr)); - ASSERT_TRUE(EVP_EncryptUpdate(ctx.get(), out.data(), &len, msg.data(), - msg.size())); - ASSERT_EQ(static_cast(out.size()), len); - ASSERT_TRUE(EVP_EncryptFinal(ctx.get(), out.data(), &len)); - EXPECT_EQ(Bytes(ct), Bytes(out)); - } else { - bssl::ScopedEVP_CIPHER_CTX ctx; - std::vector out(ct.size() < 8 ? 0 : ct.size() - 8); - int len; - ASSERT_TRUE( - EVP_DecryptInit_ex(ctx.get(), cipher, nullptr, key.data(), nullptr)); - if (!ct.empty()) { - EXPECT_FALSE(EVP_DecryptUpdate(ctx.get(), out.data(), &len, ct.data(), - ct.size())); - // There is no "Final" function for |EVP_aes_256_wrap|, so this will - // always return 1. - EXPECT_TRUE(EVP_EncryptFinal(ctx.get(), out.data(), &len)); - } else { - // The EVP version of AES-KEY Wrap will return 1 if the ciphertext is - // NULL. This is consistent with OpenSSL behaviour. 
- EXPECT_EQ(EVP_DecryptUpdate(ctx.get(), out.data(), &len, ct.data(), - ct.size()), 1); - EXPECT_TRUE(EVP_EncryptFinal(ctx.get(), out.data(), &len)); - } - } - }); + const EVP_CIPHER *cipher = EVP_aes_256_wrap(); + + if (result.IsValid()) { + ASSERT_GE(ct.size(), 8u); + + bssl::ScopedEVP_CIPHER_CTX ctx; + std::vector out(ct.size() - 8); + int len; + ASSERT_TRUE(EVP_DecryptInit_ex(ctx.get(), cipher, nullptr, key.data(), + nullptr)); + ASSERT_TRUE(EVP_DecryptUpdate(ctx.get(), out.data(), &len, ct.data(), + ct.size())); + ASSERT_EQ(static_cast(out.size()), len); + ASSERT_TRUE(EVP_EncryptFinal(ctx.get(), out.data(), &len)); + EXPECT_EQ(Bytes(msg), Bytes(out)); + + ctx.Reset(); + out.resize(msg.size() + 8); + ASSERT_TRUE(EVP_EncryptInit_ex(ctx.get(), cipher, nullptr, key.data(), + nullptr)); + ASSERT_TRUE(EVP_EncryptUpdate(ctx.get(), out.data(), &len, msg.data(), + msg.size())); + ASSERT_EQ(static_cast(out.size()), len); + ASSERT_TRUE(EVP_EncryptFinal(ctx.get(), out.data(), &len)); + EXPECT_EQ(Bytes(ct), Bytes(out)); + } else { + bssl::ScopedEVP_CIPHER_CTX ctx; + std::vector out(ct.size() < 8 ? 0 : ct.size() - 8); + int len; + ASSERT_TRUE(EVP_DecryptInit_ex(ctx.get(), cipher, nullptr, key.data(), + nullptr)); + if (!ct.empty()) { + EXPECT_FALSE(EVP_DecryptUpdate(ctx.get(), out.data(), &len, + ct.data(), ct.size())); + // There is no "Final" function for |EVP_aes_256_wrap|, so this will + // always return 1. + EXPECT_TRUE(EVP_EncryptFinal(ctx.get(), out.data(), &len)); + } else { + // The EVP version of AES-KEY Wrap will return 1 if the ciphertext + // is NULL. This is consistent with OpenSSL behaviour. 
+ EXPECT_EQ(EVP_DecryptUpdate(ctx.get(), out.data(), &len, ct.data(), + ct.size()), + 1); + EXPECT_TRUE(EVP_EncryptFinal(ctx.get(), out.data(), &len)); + } + } + }); } TEST(AESTest, WycheproofKeyWrapWithPadding) { - FileTestGTest("third_party/wycheproof_testvectors/kwp_test.txt", - [](FileTest *t) { - std::string key_size; - ASSERT_TRUE(t->GetInstruction(&key_size, "keySize")); - std::vector ct, key, msg; - ASSERT_TRUE(t->GetBytes(&ct, "ct")); - ASSERT_TRUE(t->GetBytes(&key, "key")); - ASSERT_TRUE(t->GetBytes(&msg, "msg")); - ASSERT_EQ(static_cast(atoi(key_size.c_str())), key.size() * 8); - WycheproofResult result; - ASSERT_TRUE(GetWycheproofResult(t, &result)); - - // Wycheproof contains test vectors with empty messages that it believes - // should pass. However, both RFC 5649 and SP 800-38F section 5.3.1 say that - // the minimum length is one. Therefore we consider test cases with an empty - // message to be invalid. - // - // Wycheproof marks various weak parameters as acceptable. We do not enforce - // policy in the library, so we map those flags to valid. 
- if (result.IsValid({"SmallKey", "WeakWrapping"}) && !msg.empty()) { - AES_KEY aes; - ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes)); - std::vector out(ct.size() - 8); - size_t len; - ASSERT_TRUE(AES_unwrap_key_padded(&aes, out.data(), &len, ct.size() - 8, - ct.data(), ct.size())); - EXPECT_EQ(Bytes(msg), Bytes(out.data(), len)); - - out.resize(msg.size() + 15); - ASSERT_EQ(0, AES_set_encrypt_key(key.data(), 8 * key.size(), &aes)); - ASSERT_TRUE(AES_wrap_key_padded(&aes, out.data(), &len, msg.size() + 15, - msg.data(), msg.size())); - EXPECT_EQ(Bytes(ct), Bytes(out.data(), len)); - } else { - AES_KEY aes; - ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes)); - std::vector out(ct.size()); - size_t len; - ASSERT_FALSE(AES_unwrap_key_padded(&aes, out.data(), &len, ct.size(), - ct.data(), ct.size())); - } - }); + FileTestGTest( + "third_party/wycheproof_testvectors/kwp_test.txt", [](FileTest *t) { + std::string key_size; + ASSERT_TRUE(t->GetInstruction(&key_size, "keySize")); + std::vector ct, key, msg; + ASSERT_TRUE(t->GetBytes(&ct, "ct")); + ASSERT_TRUE(t->GetBytes(&key, "key")); + ASSERT_TRUE(t->GetBytes(&msg, "msg")); + ASSERT_EQ(static_cast(atoi(key_size.c_str())), + key.size() * 8); + WycheproofResult result; + ASSERT_TRUE(GetWycheproofResult(t, &result)); + + // Wycheproof contains test vectors with empty messages that it believes + // should pass. However, both RFC 5649 and SP 800-38F section 5.3.1 say + // that the minimum length is one. Therefore we consider test cases with + // an empty message to be invalid. + // + // Wycheproof marks various weak parameters as acceptable. We do not + // enforce policy in the library, so we map those flags to valid. 
+ if (result.IsValid({"SmallKey", "WeakWrapping"}) && !msg.empty()) { + AES_KEY aes; + ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes)); + std::vector out(ct.size() - 8); + size_t len; + ASSERT_TRUE(AES_unwrap_key_padded( + &aes, out.data(), &len, ct.size() - 8, ct.data(), ct.size())); + EXPECT_EQ(Bytes(msg), Bytes(out.data(), len)); + + out.resize(msg.size() + 15); + ASSERT_EQ(0, AES_set_encrypt_key(key.data(), 8 * key.size(), &aes)); + ASSERT_TRUE(AES_wrap_key_padded( + &aes, out.data(), &len, msg.size() + 15, msg.data(), msg.size())); + EXPECT_EQ(Bytes(ct), Bytes(out.data(), len)); + } else { + AES_KEY aes; + ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes)); + std::vector out(ct.size()); + size_t len; + ASSERT_FALSE(AES_unwrap_key_padded(&aes, out.data(), &len, ct.size(), + ct.data(), ct.size())); + } + }); } TEST(AESTest, WrapBadLengths) { - uint8_t key[128/8] = {0}; + uint8_t key[128 / 8] = {0}; AES_KEY aes; ASSERT_EQ(0, AES_set_encrypt_key(key, 128, &aes)); @@ -415,7 +421,7 @@ TEST(AESTest, InvalidKeySize) { TEST(AESTest, ABI) { for (int bits : {128, 192, 256}) { SCOPED_TRACE(bits); - const uint8_t kKey[256/8] = {0}; + const uint8_t kKey[256 / 8] = {0}; AES_KEY key; uint8_t block[AES_BLOCK_SIZE]; uint8_t buf[AES_BLOCK_SIZE * 64] = {0}; @@ -485,9 +491,9 @@ TEST(AESTest, ABI) { for (size_t i = 0; i < 64; i++) { buf[i] = i; } - std::string buf_before = testing::PrintToString(Bytes(buf,64)); + std::string buf_before = testing::PrintToString(Bytes(buf, 64)); CHECK_ABI(aes_hw_ctr32_encrypt_blocks, buf, buf, blocks, &key, block); - EXPECT_EQ(buf_before, testing::PrintToString(Bytes(buf,64))); + EXPECT_EQ(buf_before, testing::PrintToString(Bytes(buf, 64))); } CHECK_ABI(aes_hw_ctr32_encrypt_blocks, buf, buf, blocks, &key, block); diff --git a/crypto/fipsmodule/aes/internal.h b/crypto/fipsmodule/aes/internal.h index 97d260f9bf..feba0ac6b7 100644 --- a/crypto/fipsmodule/aes/internal.h +++ b/crypto/fipsmodule/aes/internal.h 
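Review bot: In `WycheproofEVPKeyWrap` the decrypt path ends with `ASSERT_TRUE(EVP_EncryptFinal(ctx.get(), out.data(), &len));` right after `EVP_DecryptInit_ex`/`EVP_DecryptUpdate`, and the invalid-vector branch does the same in both of its arms. The comment says the wrap cipher has no Final step so the call is a no-op today, but pairing an encrypt-final with a decrypt context reads as a copy-paste slip and would not catch a future Final hook that distinguishes the two; use `EVP_DecryptFinal` on the three calls that follow a `DecryptUpdate`, leaving the one after `EVP_EncryptUpdate` as is. The test lambdas are complete within the hunk.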
@@ -18,9 +18,9 @@ #include #include -#include "../service_indicator/internal.h" -#include "../cpucap/internal.h" #include "../../internal.h" +#include "../cpucap/internal.h" +#include "../service_indicator/internal.h" #if defined(__cplusplus) extern "C" { @@ -31,10 +31,8 @@ extern "C" { #if defined(OPENSSL_X86_64) OPENSSL_INLINE int avx512_xts_available(void) { - return (CRYPTO_is_VAES_capable() && - CRYPTO_is_VBMI2_capable() && - CRYPTO_is_AVX512_capable() && - CRYPTO_is_VPCLMULQDQ_capable()); + return (CRYPTO_is_VAES_capable() && CRYPTO_is_VBMI2_capable() && + CRYPTO_is_AVX512_capable() && CRYPTO_is_VPCLMULQDQ_capable()); } #endif @@ -152,16 +150,18 @@ void aes_hw_ecb_encrypt(const uint8_t *in, uint8_t *out, size_t length, #if defined(HWAES_XTS) void aes_hw_xts_encrypt(const uint8_t *in, uint8_t *out, size_t length, - const AES_KEY *key1, const AES_KEY *key2, - const uint8_t iv[16]); + const AES_KEY *key1, const AES_KEY *key2, + const uint8_t iv[16]); void aes_hw_xts_decrypt(const uint8_t *in, uint8_t *out, size_t length, - const AES_KEY *key1, const AES_KEY *key2, - const uint8_t iv[16]); -OPENSSL_EXPORT int aes_hw_xts_cipher(const uint8_t *in, uint8_t *out, size_t length, - const AES_KEY *key1, const AES_KEY *key2, - const uint8_t iv[16], int enc); - -#if defined(OPENSSL_X86_64) && !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX) && !defined(OPENSSL_WINDOWS) + const AES_KEY *key1, const AES_KEY *key2, + const uint8_t iv[16]); +OPENSSL_EXPORT int aes_hw_xts_cipher(const uint8_t *in, uint8_t *out, + size_t length, const AES_KEY *key1, + const AES_KEY *key2, const uint8_t iv[16], + int enc); + +#if defined(OPENSSL_X86_64) && !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX) && \ + !defined(OPENSSL_WINDOWS) #define AES_XTS_X86_64_AVX512 void aes_hw_xts_encrypt_avx512(const uint8_t *in, uint8_t *out, size_t length, const AES_KEY *key1, const AES_KEY *key2, 
@@ -171,24 +171,27 @@ void aes_hw_xts_decrypt_avx512(const uint8_t *in, uint8_t *out, size_t length, const uint8_t iv[16]); int crypto_xts_avx512_enabled(void); -#endif //AES_XTS_X86_64_AVX512 +#endif // AES_XTS_X86_64_AVX512 #else OPENSSL_INLINE int hwaes_xts_available(void) { return 0; } -OPENSSL_INLINE void aes_hw_xts_encrypt(const uint8_t *in, uint8_t *out, size_t length, - const AES_KEY *key1, const AES_KEY *key2, +OPENSSL_INLINE void aes_hw_xts_encrypt(const uint8_t *in, uint8_t *out, + size_t length, const AES_KEY *key1, + const AES_KEY *key2, const uint8_t iv[16]) { abort(); } -OPENSSL_INLINE void aes_hw_xts_decrypt(const uint8_t *in, uint8_t *out, size_t length, - const AES_KEY *key1, const AES_KEY *key2, - const uint8_t iv[16]) { +OPENSSL_INLINE void aes_hw_xts_decrypt(const uint8_t *in, uint8_t *out, + size_t length, const AES_KEY *key1, + const AES_KEY *key2, + const uint8_t iv[16]) { abort(); } -OPENSSL_INLINE int aes_hw_xts_cipher(const uint8_t *in, uint8_t *out, size_t length, - const AES_KEY *key1, const AES_KEY *key2, - const uint8_t iv[16], int enc) { +OPENSSL_INLINE int aes_hw_xts_cipher(const uint8_t *in, uint8_t *out, + size_t length, const AES_KEY *key1, + const AES_KEY *key2, const uint8_t iv[16], + int enc) { abort(); } #endif // HWAES_XTS diff --git a/crypto/fipsmodule/aes/key_wrap.c b/crypto/fipsmodule/aes/key_wrap.c index c39f529cab..558bd8c2ba 100644 --- a/crypto/fipsmodule/aes/key_wrap.c +++ b/crypto/fipsmodule/aes/key_wrap.c @@ -206,7 +206,7 @@ int AES_wrap_key_padded(const AES_KEY *key, uint8_t *out, size_t *out_len, end: FIPS_service_indicator_unlock_state(); - if(ret) { + if (ret) { FIPS_service_indicator_update_state(); } return ret; @@ -244,7 +244,7 @@ int AES_unwrap_key_padded(const AES_KEY *key, uint8_t *out, size_t *out_len, *out_len = constant_time_select_w(ok, claimed_len, 0); const int ret = ok & 1; - if(ret) { + if (ret) { FIPS_service_indicator_update_state(); } return ret; 
diff --git a/crypto/fipsmodule/aes/mode_wrappers.c b/crypto/fipsmodule/aes/mode_wrappers.c index ced71adac6..f6c7541742 100644 --- a/crypto/fipsmodule/aes/mode_wrappers.c +++ b/crypto/fipsmodule/aes/mode_wrappers.c @@ -51,8 +51,8 @@ #include #include "../aes/internal.h" -#include "../modes/internal.h" #include "../cipher/internal.h" +#include "../modes/internal.h" void AES_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len, const AES_KEY *key, uint8_t ivec[AES_BLOCK_SIZE], @@ -115,24 +115,21 @@ void AES_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t length, } void AES_cfb1_encrypt(const uint8_t *in, uint8_t *out, size_t bits, - const AES_KEY *key, uint8_t *ivec, int *num, - int enc) { + const AES_KEY *key, uint8_t *ivec, int *num, int enc) { unsigned num_u = (unsigned)(*num); CRYPTO_cfb128_1_encrypt(in, out, bits, key, ivec, &num_u, enc, AES_encrypt); *num = (int)num_u; } void AES_cfb8_encrypt(const uint8_t *in, uint8_t *out, size_t length, - const AES_KEY *key, uint8_t *ivec, int *num, - int enc) { + const AES_KEY *key, uint8_t *ivec, int *num, int enc) { unsigned num_u = (unsigned)(*num); CRYPTO_cfb128_8_encrypt(in, out, length, key, ivec, &num_u, enc, AES_encrypt); *num = (int)num_u; } void AES_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t length, - const AES_KEY *key, uint8_t *ivec, int *num, - int enc) { + const AES_KEY *key, uint8_t *ivec, int *num, int enc) { unsigned num_u = (unsigned)(*num); CRYPTO_cfb128_encrypt(in, out, length, key, ivec, &num_u, enc, AES_encrypt); *num = (int)num_u; 
@@ -140,12 +137,13 @@ void AES_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t length,
 #if defined(HWAES_XTS)
 int aes_hw_xts_cipher(const uint8_t *in, uint8_t *out, size_t length,
- const AES_KEY *key1, const AES_KEY *key2,
- const uint8_t iv[16], int enc) {
+ const AES_KEY *key1, const AES_KEY *key2,
+ const uint8_t iv[16], int enc) {
 // The assembly functions abort on the following condition.
 // They can be modified to return 0/1 instead of void, but
 // this is the easy way out for now.
- if (length < 16) return 0;
+ if (length < 16)
+ return 0;
 if (enc) {
 #if defined(AES_XTS_X86_64_AVX512)
@@ -167,4 +165,4 @@ int aes_hw_xts_cipher(const uint8_t *in, uint8_t *out, size_t length,
 return 1;
 }
-#endif // HWAES_XTS
+#endif // HWAES_XTS
diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c
index 5be601c0d9..338b3d1366 100644
--- a/crypto/fipsmodule/bcm.c
+++ b/crypto/fipsmodule/bcm.c
@@ -24,9 +24,9 @@
 #include
 #endif
-// On Windows place the bcm code in a specific section that uses Grouped Sections
-// to control the order. $b section will place bcm in between the start/end markers
-// which are in $a and $z.
+// On Windows place the bcm code in a specific section that uses Grouped
+// Sections to control the order. $b section will place bcm in between the
+// start/end markers which are in $a and $z.
 #if defined(BORINGSSL_FIPS) && defined(OPENSSL_WINDOWS)
 #pragma code_seg(".fipstx$b")
 #pragma data_seg(".fipsda$b")
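Review bot: The reformatted guard in aes_hw_xts_cipher is now a two-line unbraced conditional, `if (length < 16)` followed by `return 0;` on its own line, which is the shape where a later one-line insertion silently falls outside the check that the comment above it says the assembly depends on. Add braces so the formatter keeps the body attached: `if (length < 16) {` / `return 0;` / `}`. The function's body continues past the hunk (the `#if defined(AES_XTS_X86_64_AVX512)` dispatch is cut off), so the remainder was not reviewed here.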
@@ -71,18 +71,18 @@
 #include "cipher/e_aes.c"
 #include "cipher/e_aesccm.c"
-#include "cpucap/internal.h"
 #include "cpucap/cpu_aarch64.c"
-#include "cpucap/cpu_aarch64_sysreg.c"
 #include "cpucap/cpu_aarch64_apple.c"
 #include "cpucap/cpu_aarch64_freebsd.c"
 #include "cpucap/cpu_aarch64_linux.c"
 #include "cpucap/cpu_aarch64_openbsd.c"
+#include "cpucap/cpu_aarch64_sysreg.c"
 #include "cpucap/cpu_aarch64_win.c"
 #include "cpucap/cpu_arm_freebsd.c"
 #include "cpucap/cpu_arm_linux.c"
 #include "cpucap/cpu_intel.c"
 #include "cpucap/cpu_ppc64le.c"
+#include "cpucap/internal.h"
 #include "cmac/cmac.c"
 #include "curve25519/curve25519.c"
@@ -92,8 +92,6 @@
 #include "dh/dh.c"
 #include "digest/digest.c"
 #include "digest/digests.c"
-#include "ecdh/ecdh.c"
-#include "ecdsa/ecdsa.c"
 #include "ec/ec.c"
 #include "ec/ec_key.c"
 #include "ec/ec_montgomery.c"
@@ -101,8 +99,8 @@
 #include "ec/felem.c"
 #include "ec/oct.c"
 #include "ec/p224-64.c"
-#include "ec/p256.c"
 #include "ec/p256-nistz.c"
+#include "ec/p256.c"
 #include "ec/p384.c"
 #include "ec/p521.c"
 #include "ec/scalar.c"
@@ -110,6 +108,8 @@
 #include "ec/simple_mul.c"
 #include "ec/util.c"
 #include "ec/wnaf.c"
+#include "ecdh/ecdh.c"
+#include "ecdsa/ecdsa.c"
 #include "evp/digestsign.c"
 #include "evp/evp.c"
 #include "evp/evp_ctx.c"
@@ -135,8 +135,8 @@
 #include "modes/gcm.c"
 #include "modes/gcm_nohw.c"
 #include "modes/ofb.c"
-#include "modes/xts.c"
 #include "modes/polyval.c"
+#include "modes/xts.c"
 #include "pbkdf/pbkdf.c"
 #include "pqdsa/pqdsa.c"
 #include "rand/ctrdrbg.c"
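Review bot: In the `@@ -71,18 +71,18 @@` hunk the formatter's include sorting moves `cpucap/internal.h` from before the `cpucap/cpu_*.c` units to after all of them, and the later hunks in this file likewise reorder `ecdh/ecdh.c`, `ecdsa/ecdsa.c`, `ec/p256.c` and `modes/xts.c`. bcm.c is a unity build that textually concatenates `.c` files, so include order here is semantic rather than cosmetic: it decides which declarations, macros and static helpers precede each unit, and a header that used to come first now comes last. Presumably the build still compiles, but I would either confirm that every `cpu_*.c` pulls in `cpucap/internal.h` on its own or bracket this list with `// clang-format off` / `// clang-format on` so a future formatting run cannot silently reorder the FIPS module's contents.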
@@ -164,13 +164,13 @@
 #if !defined(OPENSSL_ASAN)
-static const void* function_entry_ptr(const void* func_sym) {
+static const void *function_entry_ptr(const void *func_sym) {
 #if defined(OPENSSL_PPC64BE)
 // Function pointers on ppc64 point to a function descriptor.
 // https://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#FUNC-ADDRESS
- return (const void*)(((uint64_t *)func_sym)[0]);
+ return (const void *)(((uint64_t *)func_sym)[0]);
 #else
- return (const void*)func_sym;
+ return (const void *)func_sym;
 #endif
 }
@@ -187,18 +187,22 @@ extern const uint8_t BORINGSSL_bcm_rodata_end[];
 #define STRING_POINTER_LENGTH 18
 #define MAX_FUNCTION_NAME 32
-#define ASSERT_WITHIN_MSG "FIPS module doesn't span expected symbol (%s). Expected %p <= %p < %p\n"
-#define MAX_WITHIN_MSG_LEN sizeof(ASSERT_WITHIN_MSG) + (3 * STRING_POINTER_LENGTH) + MAX_FUNCTION_NAME
-#define ASSERT_OUTSIDE_MSG "FIPS module spans unexpected symbol (%s), expected %p < %p || %p > %p\n"
-#define MAX_OUTSIDE_MSG_LEN sizeof(ASSERT_OUTSIDE_MSG) + (4 * STRING_POINTER_LENGTH) + MAX_FUNCTION_NAME
+#define ASSERT_WITHIN_MSG \
+ "FIPS module doesn't span expected symbol (%s). Expected %p <= %p < %p\n"
+#define MAX_WITHIN_MSG_LEN \
+ sizeof(ASSERT_WITHIN_MSG) + (3 * STRING_POINTER_LENGTH) + MAX_FUNCTION_NAME
+#define ASSERT_OUTSIDE_MSG \
+ "FIPS module spans unexpected symbol (%s), expected %p < %p || %p > %p\n"
+#define MAX_OUTSIDE_MSG_LEN \
+ sizeof(ASSERT_OUTSIDE_MSG) + (4 * STRING_POINTER_LENGTH) + MAX_FUNCTION_NAME
 // assert_within is used to sanity check that certain symbols are within the
 // bounds of the integrity check. It checks that start <= symbol < end and
 // aborts otherwise.
 static void assert_within(const void *start, const void *symbol,
 const char *symbol_name, const void *end) {
- const uintptr_t start_val = (uintptr_t) start;
- const uintptr_t symbol_val = (uintptr_t) symbol;
- const uintptr_t end_val = (uintptr_t) end;
+ const uintptr_t start_val = (uintptr_t)start;
+ const uintptr_t symbol_val = (uintptr_t)symbol;
+ const uintptr_t end_val = (uintptr_t)end;
 if (start_val <= symbol_val && symbol_val < end_val) {
 return;
@@ -206,15 +210,16 @@ static void assert_within(const void *start, const void *symbol,
 assert(sizeof(symbol_name) < MAX_FUNCTION_NAME);
 char message[MAX_WITHIN_MSG_LEN] = {0};
- snprintf(message, sizeof(message), ASSERT_WITHIN_MSG, symbol_name, start, symbol, end);
+ snprintf(message, sizeof(message), ASSERT_WITHIN_MSG, symbol_name, start,
+ symbol, end);
 AWS_LC_FIPS_failure(message);
 }
 static void assert_not_within(const void *start, const void *symbol,
- const char *symbol_name, const void *end) {
- const uintptr_t start_val = (uintptr_t) start;
- const uintptr_t symbol_val = (uintptr_t) symbol;
- const uintptr_t end_val = (uintptr_t) end;
+ const char *symbol_name, const void *end) {
+ const uintptr_t start_val = (uintptr_t)start;
+ const uintptr_t symbol_val = (uintptr_t)symbol;
+ const uintptr_t end_val = (uintptr_t)end;
 if (start_val >= symbol_val || symbol_val > end_val) {
 return;
@@ -222,11 +227,13 @@ static void assert_not_within(const void *start, const void *symbol,
 assert(sizeof(symbol_name) < MAX_FUNCTION_NAME);
 char message[MAX_WITHIN_MSG_LEN] = {0};
- snprintf(message, sizeof(message), ASSERT_OUTSIDE_MSG, symbol_name, symbol, start, symbol, end);
+ snprintf(message, sizeof(message), ASSERT_OUTSIDE_MSG, symbol_name, symbol,
+ start, symbol, end);
 AWS_LC_FIPS_failure(message);
 }
-// TODO: Re-enable once all data has been moved out of .text segments CryptoAlg-2360
+// TODO: Re-enable once all data has been moved out of .text segments
+// CryptoAlg-2360
 #if 0 //#if defined(OPENSSL_ANDROID) && defined(OPENSSL_AARCH64)
 static void BORINGSSL_maybe_set_module_text_permissions(int permission) {
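Review bot: In the `@@ -222,11 +227,13 @@` hunk, assert_not_within formats ASSERT_OUTSIDE_MSG, which carries four `%p` conversions, into `char message[MAX_WITHIN_MSG_LEN]`, a buffer sized for the three-pointer ASSERT_WITHIN_MSG; MAX_OUTSIDE_MSG_LEN is defined in the preceding hunk but never used. snprintf is bounded by `sizeof(message)`, so the result is a truncated diagnostic rather than an overflow, but that message is the only thing an operator sees before AWS_LC_FIPS_failure halts the process, so change the declaration to `char message[MAX_OUTSIDE_MSG_LEN] = {0};`. Separately, in both this hunk and the `@@ -206,15 +210,16 @@` one, `assert(sizeof(symbol_name) < MAX_FUNCTION_NAME)` compares the size of a `const char *` rather than the name's length, so it can never fire; `assert(strlen(symbol_name) < MAX_FUNCTION_NAME)` is what the MAX_FUNCTION_NAME budget in the MSG_LEN macros presumes. The head of assert_within lies in the previous hunk and the rest of the `#if 0` block is outside this one.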
@@ -254,16 +261,17 @@ static void BORINGSSL_maybe_set_module_text_permissions(int _permission) {}
 #if defined(_MSC_VER)
 #pragma section(".CRT$XCU", read)
 static void BORINGSSL_bcm_power_on_self_test(void);
-__declspec(allocate(".CRT$XCU")) void(*fips_library_init_constructor)(void) =
+__declspec(allocate(".CRT$XCU")) void (*fips_library_init_constructor)(void) =
 BORINGSSL_bcm_power_on_self_test;
 #else
-static void BORINGSSL_bcm_power_on_self_test(void) __attribute__ ((constructor));
+static void BORINGSSL_bcm_power_on_self_test(void) __attribute__((constructor));
 #endif
 static void BORINGSSL_bcm_power_on_self_test(void) {
-// TODO: remove !defined(OPENSSL_PPC64BE) from the check below when starting to support
-// PPC64BE that has VCRYPTO capability. In that case, add `|| defined(OPENSSL_PPC64BE)`
-// to `#if defined(OPENSSL_PPC64LE)` wherever it occurs.
+// TODO: remove !defined(OPENSSL_PPC64BE) from the check below when starting to
+// support PPC64BE that has VCRYPTO capability. In that case, add `||
+// defined(OPENSSL_PPC64BE)` to `#if defined(OPENSSL_PPC64LE)` wherever it
+// occurs.
 #if defined(HAS_OPENSSL_CPUID_SETUP) && !defined(OPENSSL_NO_ASM)
 OPENSSL_cpuid_setup();
 #endif
@@ -297,10 +305,14 @@ int BORINGSSL_integrity_test(void) {
 assert_within(start, function_entry_ptr(RAND_bytes), "RAND_bytes", end);
 assert_within(start, function_entry_ptr(EC_GROUP_cmp), "EC_GROUP_cmp", end);
 assert_within(start, function_entry_ptr(SHA256_Update), "SHA256_Update", end);
- assert_within(start, function_entry_ptr(ECDSA_do_verify), "ECDSA_do_verify", end);
- assert_within(start, function_entry_ptr(EVP_AEAD_CTX_seal), "EVP_AEAD_CTX_seal", end);
- assert_not_within(start, function_entry_ptr(OPENSSL_cleanse), "OPENSSL_cleanse", end);
- assert_not_within(start, function_entry_ptr(CRYPTO_chacha_20), "CRYPTO_chacha_20", end);
+ assert_within(start, function_entry_ptr(ECDSA_do_verify), "ECDSA_do_verify",
+ end);
+ assert_within(start, function_entry_ptr(EVP_AEAD_CTX_seal),
+ "EVP_AEAD_CTX_seal", end);
+ assert_not_within(start, function_entry_ptr(OPENSSL_cleanse),
+ "OPENSSL_cleanse", end);
+ assert_not_within(start, function_entry_ptr(CRYPTO_chacha_20),
+ "CRYPTO_chacha_20", end);
 #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
 assert_not_within(start, OPENSSL_ia32cap_P, "OPENSSL_ia32cap_P", end);
 #elif defined(OPENSSL_AARCH64)
@@ -318,11 +330,14 @@ int BORINGSSL_integrity_test(void) {
 assert_within(rodata_start, kPrimes, "kPrimes", rodata_end);
 assert_within(rodata_start, kP256Field, "kP256Field", rodata_end);
- assert_within(rodata_start, kPKCS1SigPrefixes, "kPKCS1SigPrefixes", rodata_end);
+ assert_within(rodata_start, kPKCS1SigPrefixes, "kPKCS1SigPrefixes",
+ rodata_end);
 #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
- assert_not_within(rodata_start, OPENSSL_ia32cap_P, "OPENSSL_ia32cap_P", rodata_end);
+ assert_not_within(rodata_start, OPENSSL_ia32cap_P, "OPENSSL_ia32cap_P",
+ rodata_end);
 #elif defined(OPENSSL_AARCH64)
- assert_not_within(rodata_start, &OPENSSL_armcap_P, "OPENSSL_armcap_P", rodata_end);
+ assert_not_within(rodata_start, &OPENSSL_armcap_P, "OPENSSL_armcap_P",
+ rodata_end);
 #endif
 // Per FIPS 140-3 we have to perform the CAST of the HMAC used for integrity
@@ -332,8 +347,7 @@ int BORINGSSL_integrity_test(void) {
 uint8_t result[SHA256_DIGEST_LENGTH];
 const EVP_MD *const kHashFunction = EVP_sha256();
- if (!boringssl_self_test_sha256() ||
- !boringssl_self_test_hmac_sha256()) {
+ if (!boringssl_self_test_sha256() || !boringssl_self_test_hmac_sha256()) {
 return 0;
 }
@@ -372,25 +386,27 @@ int BORINGSSL_integrity_test(void) {
 fprintf(stderr, "HMAC failed.\n");
 return 0;
 }
- HMAC_CTX_cleanse(&hmac_ctx); // FIPS 140-3, AS05.10.
+ HMAC_CTX_cleanse(&hmac_ctx); // FIPS 140-3, AS05.10.
 const uint8_t *expected = BORINGSSL_bcm_text_hash;
 #if defined(BORINGSSL_FIPS_BREAK_TESTS)
 // Check the integrity but don't call AWS_LC_FIPS_failure or return 0
- check_test_optional_abort(expected, result, sizeof(result), "FIPS integrity test", false);
+ check_test_optional_abort(expected, result, sizeof(result),
+ "FIPS integrity test", false);
 #else
- // Check the integrity, call AWS_LC_FIPS_failure if it doesn't match which will
- // result in an abort
- check_test_optional_abort(expected, result, sizeof(result), "FIPS integrity test", true);
+ // Check the integrity, call AWS_LC_FIPS_failure if it doesn't match which
+ // will result in an abort
+ check_test_optional_abort(expected, result, sizeof(result),
+ "FIPS integrity test", true);
 #endif
- OPENSSL_cleanse(result, sizeof(result)); // FIPS 140-3, AS05.10.
+ OPENSSL_cleanse(result, sizeof(result)); // FIPS 140-3, AS05.10.
 return 1;
 }
 #endif // OPENSSL_ASAN
-void AWS_LC_FIPS_failure(const char* message) {
+void AWS_LC_FIPS_failure(const char *message) {
 fprintf(stderr, "AWS-LC FIPS failure caused by:\n%s\n", message);
 fflush(stderr);
 for (;;) {
@@ -399,8 +415,8 @@ void AWS_LC_FIPS_failure(const char* message) {
 }
 }
-#else // BORINGSSL_FIPS
-void AWS_LC_FIPS_failure(const char* message) {
+#else // BORINGSSL_FIPS
+void AWS_LC_FIPS_failure(const char *message) {
 fprintf(stderr, "AWS-LC FIPS failure caused by:\n%s\n", message);
 fflush(stderr);
 }
@@ -428,7 +444,5 @@ void AWS_LC_FIPS_failure(const char* message) {
 // don't expect to happen with significant probability. In case it happens, the
 // application would have to call the |CRYPTO_library_init| function itself to
 // ensure the initialization is done.
-void dummy_func_for_constructor(void) {
- CRYPTO_library_init();
-}
+void dummy_func_for_constructor(void) { CRYPTO_library_init(); }
 #endif
diff --git a/crypto/fipsmodule/bn/asm/x86_64-gcc.c b/crypto/fipsmodule/bn/asm/x86_64-gcc.c
index 30fff21777..32380a6412 100644
--- a/crypto/fipsmodule/bn/asm/x86_64-gcc.c
+++ b/crypto/fipsmodule/bn/asm/x86_64-gcc.c
@@ -194,7 +194,7 @@ BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
 return 0;
 }
- __asm__ volatile (
+ __asm__ volatile(
 " subq %0,%0 \n" // clear carry
 " jmp 1f \n"
 ".p2align 4 \n"
@@ -222,7 +222,7 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
 return 0;
 }
- __asm__ volatile (
+ __asm__ volatile(
 " subq %0,%0 \n" // clear borrow
 " jmp 1f \n"
 ".p2align 4 \n"
diff --git a/crypto/fipsmodule/bn/bn.c b/crypto/fipsmodule/bn/bn.c
index ff78bb cdef..3cf145d4b2 100644
--- a/crypto/fipsmodule/bn/bn.c
+++ b/crypto/fipsmodule/bn/bn.c
@@ -62,8 +62,8 @@
 #include
 #include
-#include "internal.h"
 #include "../delocate.h"
+#include "internal.h"
 // BN_MAX_WORDS is the maximum number of words allowed in a |BIGNUM|. It is
@@ -85,9 +85,7 @@ BIGNUM *BN_new(void) {
 BIGNUM *BN_secure_new(void) { return BN_new(); }
-void BN_init(BIGNUM *bn) {
- OPENSSL_memset(bn, 0, sizeof(BIGNUM));
-}
+void BN_init(BIGNUM *bn) { OPENSSL_memset(bn, 0, sizeof(BIGNUM)); }
 void BN_free(BIGNUM *bn) {
 if (bn == NULL) {
@@ -105,9 +103,7 @@ void BN_free(BIGNUM *bn) {
 }
 }
-void BN_clear_free(BIGNUM *bn) {
- BN_free(bn);
-}
+void BN_clear_free(BIGNUM *bn) { BN_free(bn); }
 BIGNUM *BN_dup(const BIGNUM *src) {
 BIGNUM *copy;
@@ -155,8 +151,8 @@ void BN_clear(BIGNUM *bn) {
 }
 DEFINE_METHOD_FUNCTION(BIGNUM, BN_value_one) {
- static const BN_ULONG kOneLimbs[1] = { 1 };
- out->d = (BN_ULONG*) kOneLimbs;
+ static const BN_ULONG kOneLimbs[1] = {1};
+ out->d = (BN_ULONG *)kOneLimbs;
 out->width = 1;
 out->dmax = 1;
 out->neg = 0;
@@ -227,17 +223,11 @@ unsigned BN_num_bits(const BIGNUM *bn) {
 return (width - 1) * BN_BITS2 + BN_num_bits_word(bn->d[width - 1]);
 }
-unsigned BN_num_bytes(const BIGNUM *bn) {
- return (BN_num_bits(bn) + 7) / 8;
-}
+unsigned BN_num_bytes(const BIGNUM *bn) { return (BN_num_bits(bn) + 7) / 8; }
-void BN_zero(BIGNUM *bn) {
- bn->width = bn->neg = 0;
-}
+void BN_zero(BIGNUM *bn) { bn->width = bn->neg = 0; }
-int BN_one(BIGNUM *bn) {
- return BN_set_word(bn, 1);
-}
+int BN_one(BIGNUM *bn) { return BN_set_word(bn, 1); }
 int BN_set_word(BIGNUM *bn, BN_ULONG value) {
 if (value == 0) {
@@ -330,9 +320,7 @@ int bn_copy_words(BN_ULONG *out, size_t num, const BIGNUM *bn) {
 return 1;
 }
-int BN_is_negative(const BIGNUM *bn) {
- return bn->neg != 0;
-}
+int BN_is_negative(const BIGNUM *bn) { return bn->neg != 0; }
 void BN_set_negative(BIGNUM *bn, int sign) {
 if (sign && !BN_is_zero(bn)) {
@@ -378,7 +366,7 @@ int bn_expand(BIGNUM *bn, size_t bits) {
 OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
 return 0;
 }
- return bn_wexpand(bn, (bits+BN_BITS2-1)/BN_BITS2);
+ return bn_wexpand(bn, (bits + BN_BITS2 - 1) / BN_BITS2);
 }
 int bn_resize_words(BIGNUM *bn, size_t words) {
@@ -442,8 +430,6 @@ void bn_set_minimal_width(BIGNUM *bn) {
 }
 }
-int BN_get_flags(const BIGNUM *bn, int flags) {
- return bn->flags & flags;
-}
+int BN_get_flags(const BIGNUM *bn, int flags) { return bn->flags & flags; }
-void BN_set_flags(BIGNUM *b, int n) { }
+void BN_set_flags(BIGNUM *b, int n) {}
diff --git a/crypto/fipsmodule/bn/bn_test.cc b/crypto/fipsmodule/bn/bn_test.cc
index 8e747722e2..b4f74f2c92 100644
--- a/crypto/fipsmodule/bn/bn_test.cc
+++ b/crypto/fipsmodule/bn/bn_test.cc
@@ -87,13 +87,13 @@
 #include
 #include
-#include "./internal.h"
-#include "./rsaz_exp.h"
 #include "../../internal.h"
 #include "../../test/abi_test.h"
 #include "../../test/file_test.h"
 #include "../../test/test_util.h"
 #include "../../test/wycheproof_util.h"
+#include "./internal.h"
+#include "./rsaz_exp.h"
 static int HexToBIGNUM(bssl::UniquePtr *out, const char *in) {
@@ -160,10 +160,12 @@ class BIGNUMFileTest {
 unsigned num_bignums_;
 };
-static testing::AssertionResult AssertBIGNUMSEqual(
- const char *operation_expr, const char *expected_expr,
- const char *actual_expr, const char *operation, const BIGNUM *expected,
- const BIGNUM *actual) {
+static testing::AssertionResult AssertBIGNUMSEqual(const char *operation_expr,
+ const char *expected_expr,
+ const char *actual_expr,
+ const char *operation,
+ const BIGNUM *expected,
+ const BIGNUM *actual) {
 if (BN_cmp(expected, actual) == 0) {
 return testing::AssertionSuccess();
 }
@@ -649,8 +651,7 @@ static void TestModMul(BIGNUMFileTest *t, BN_CTX *ctx) {
 ASSERT_TRUE(mont);
 // Sanity-check that the constant-time version computes the same n0 and RR.
- bssl::UniquePtr mont2(
- BN_MONT_CTX_new_consttime(m.get(), ctx));
+ bssl::UniquePtr mont2(BN_MONT_CTX_new_consttime(m.get(), ctx));
 ASSERT_TRUE(mont2);
 EXPECT_BIGNUMS_EQUAL("RR (mod M) (constant-time)", &mont->RR, &mont2->RR);
 EXPECT_EQ(mont->n0[0], mont2->n0[0]);
@@ -699,8 +700,8 @@ static void TestModMul(BIGNUMFileTest *t, BN_CTX *ctx) {
 bn_from_montgomery_small(r_words.get(), m_width, r_words.get(), m_width,
 mont.get());
 ASSERT_TRUE(bn_set_words(ret.get(), r_words.get(), m_width));
- EXPECT_BIGNUMS_EQUAL("A * B (mod M) (Montgomery, words)",
- mod_mul.get(), ret.get());
+ EXPECT_BIGNUMS_EQUAL("A * B (mod M) (Montgomery, words)", mod_mul.get(),
+ ret.get());
 }
 #endif
 }
@@ -867,14 +868,14 @@ static void TestModExp2(BIGNUMFileTest *t, BN_CTX *ctx) {
 ASSERT_TRUE(mont2 = BN_MONT_CTX_new());
 ASSERT_TRUE(BN_MONT_CTX_set(mont2, m2.get(), ctx));
- ASSERT_TRUE(BN_mod_exp_mont_consttime_x2(ret1.get(), a1.get(), e1.get(), m1.get(), mont1,
- ret2.get(), a2.get(), e2.get(), m2.get(), mont2,
- ctx));
+ ASSERT_TRUE(BN_mod_exp_mont_consttime_x2(
+ ret1.get(), a1.get(), e1.get(), m1.get(), mont1, ret2.get(), a2.get(),
+ e2.get(), m2.get(), mont2, ctx));
 EXPECT_BIGNUMS_EQUAL("A1 ^ E1 (mod M1) (constant-time)", mod_exp1.get(),
- ret1.get());
+ ret1.get());
 EXPECT_BIGNUMS_EQUAL("A2 ^ E2 (mod M2) (constant-time)", mod_exp2.get(),
- ret2.get());
+ ret2.get());
 BN_MONT_CTX_free(mont1);
 BN_MONT_CTX_free(mont2);
@@ -1056,7 +1057,7 @@ static void RunBNFileTest(FileTest *t, BN_CTX *ctx) {
 {"ModInv", TestModInv},
 {"GCD", TestGCD},
 };
- void (*func)(BIGNUMFileTest * t, BN_CTX * ctx) = nullptr;
+ void (*func)(BIGNUMFileTest *t, BN_CTX *ctx) = nullptr;
 for (const auto &test : kTests) {
 if (t->GetType() == test.name) {
 func = test.func;
@@ -1357,12 +1358,12 @@ struct MPITest {
 };
 static const MPITest kMPITests[] = {
- { "0", "\x00\x00\x00\x00", 4 },
- { "1", "\x00\x00\x00\x01\x01", 5 },
- { "-1", "\x00\x00\x00\x01\x81", 5 },
- { "128", "\x00\x00\x00\x02\x00\x80", 6 },
- { "256", "\x00\x00\x00\x02\x01\x00", 6 },
- { "-256", "\x00\x00\x00\x02\x81\x00", 6 },
+ {"0", "\x00\x00\x00\x00", 4},
+ {"1", "\x00\x00\x00\x01\x01", 5},
+ {"-1", "\x00\x00\x00\x01\x81", 5},
+ {"128", "\x00\x00\x00\x02\x00\x80", 6},
+ {"256", "\x00\x00\x00\x02\x01\x00", 6},
+ {"-256", "\x00\x00\x00\x02\x81\x00", 6},
 };
 TEST_F(BNTest, MPI) {
@@ -1469,9 +1470,7 @@ TEST_F(BNTest, RandRange) {
 ASSERT_TRUE(BN_rand_range_ex(bn.get(), 1, six.get()));
 BN_ULONG word = BN_get_word(bn.get());
- if (BN_is_negative(bn.get()) ||
- word < 1 ||
- word >= 6) {
+ if (BN_is_negative(bn.get()) || word < 1 || word >= 6) {
 FAIL() << "BN_rand_range_ex generated invalid value: " << word;
 }
@@ -1500,10 +1499,8 @@ static const ASN1Test kASN1Tests[] = {
 {"127", "\x02\x01\x7f", 3},
 {"128", "\x02\x02\x00\x80", 4},
 {"0xdeadbeef", "\x02\x05\x00\xde\xad\xbe\xef", 7},
- {"0x0102030405060708",
- "\x02\x08\x01\x02\x03\x04\x05\x06\x07\x08", 10},
- {"0xffffffffffffffff",
- "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff", 11},
+ {"0x0102030405060708", "\x02\x08\x01\x02\x03\x04\x05\x06\x07\x08", 10},
+ {"0xffffffffffffffff", "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff", 11},
 };
 struct ASN1InvalidTest {
@@ -1533,7 +1530,7 @@ TEST_F(BNTest, ASN1) {
 bssl::UniquePtr bn2(BN_new());
 ASSERT_TRUE(bn2);
 CBS cbs;
- CBS_init(&cbs, reinterpret_cast(test.der), test.der_len);
+ CBS_init(&cbs, reinterpret_cast(test.der), test.der_len);
 ASSERT_TRUE(BN_parse_asn1_unsigned(&cbs, bn2.get()));
 EXPECT_EQ(0u, CBS_len(&cbs));
 EXPECT_BIGNUMS_EQUAL("decode ASN.1", bn.get(), bn2.get());
@@ -1550,7 +1547,8 @@ TEST_F(BNTest, ASN1) {
 }
 for (const ASN1InvalidTest &test : kASN1InvalidTests) {
- SCOPED_TRACE(Bytes(test.der, test.der_len));;
+ SCOPED_TRACE(Bytes(test.der, test.der_len));
+ ;
 bssl::UniquePtr bn(BN_new());
 ASSERT_TRUE(bn);
 CBS cbs;
@@ -1740,7 +1738,7 @@ TEST_F(BNTest, SmallPrime) {
 bssl::UniquePtr r(BN_new());
 ASSERT_TRUE(r);
 ASSERT_TRUE(BN_generate_prime_ex(r.get(), static_cast(kBits), 0, NULL,
- NULL, NULL));
+ NULL, NULL));
 EXPECT_EQ(kBits, BN_num_bits(r.get()));
 }
@@ -1823,7 +1821,7 @@ TEST_F(BNTest, SetGetU64) {
 {"ffffffffffffffff", UINT64_C(0xffffffffffffffff)},
 };
- for (const auto& test : kU64Tests) {
+ for (const auto &test : kU64Tests) {
 SCOPED_TRACE(test.hex);
 bssl::UniquePtr bn(BN_new()), expected;
 ASSERT_TRUE(bn);
@@ -2120,7 +2118,7 @@ TEST_F(BNTest, PrimeChecking) {
 int is_probably_prime_1 = 0, is_probably_prime_2 = 0;
 enum bn_primality_result_t result_3;
- const int max_prime = kPrimes[OPENSSL_ARRAY_SIZE(kPrimes)-1];
+ const int max_prime = kPrimes[OPENSSL_ARRAY_SIZE(kPrimes) - 1];
 size_t next_prime_index = 0;
 for (int i = 0; i <= max_prime; i++) {
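Review bot: The `@@ -1550,7 +1547,8 @@` hunk turns the doubled semicolon after `SCOPED_TRACE(Bytes(test.der, test.der_len));` into an empty statement on its own line (`+ ;`), which preserves the typo and now reads as a deliberate null statement. Drop the stray `;` so the line is just `SCOPED_TRACE(Bytes(test.der, test.der_len));`. The enclosing TEST_F(BNTest, ASN1) body begins and ends outside the hunk.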
@@ -2732,16 +2730,14 @@ TEST_F(BNTest, NonMinimal) {
 bssl::UniquePtr mont(
 BN_MONT_CTX_new_for_modulus(p.get(), ctx()));
 ASSERT_TRUE(mont);
- bssl::UniquePtr mont2(
- BN_MONT_CTX_new_consttime(p.get(), ctx()));
+ bssl::UniquePtr mont2(BN_MONT_CTX_new_consttime(p.get(), ctx()));
 ASSERT_TRUE(mont2);
 ASSERT_TRUE(bn_resize_words(p.get(), 32));
 bssl::UniquePtr mont3(
 BN_MONT_CTX_new_for_modulus(p.get(), ctx()));
 ASSERT_TRUE(mont3);
- bssl::UniquePtr mont4(
- BN_MONT_CTX_new_consttime(p.get(), ctx()));
+ bssl::UniquePtr mont4(BN_MONT_CTX_new_consttime(p.get(), ctx()));
 ASSERT_TRUE(mont4);
 EXPECT_EQ(mont->N.width, mont2->N.width);
@@ -2904,7 +2900,7 @@ TEST_F(BNTest, BNMulMontABI) {
 CHECK_ABI(bn_mulx4x_mont, r.data(), a.data(), a.data(), mont->N.d, mont->n0,
 words);
 }
-#endif // !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)
+#endif // !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)
 if (bn_mul4x_mont_capable(words)) {
 CHECK_ABI(bn_mul4x_mont, r.data(), a.data(), b.data(), mont->N.d, mont->n0,
 words);
@@ -2920,7 +2916,7 @@ TEST_F(BNTest, BNMulMontABI) {
 CHECK_ABI(bn_sqr8x_mont, r.data(), a.data(), bn_mulx_adx_capable(),
 mont->N.d, mont->n0, words);
 }
-#endif // !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)
+#endif // !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)
 #elif defined(OPENSSL_ARM)
 if (bn_mul8x_mont_neon_capable(words)) {
 CHECK_ABI(bn_mul8x_mont_neon, r.data(), a.data(), b.data(), mont->N.d,
@@ -2940,7 +2936,7 @@ TEST_F(BNTest, BNMulMontABI) {
 #endif
 }
 }
-#endif // OPENSSL_BN_ASM_MONT && SUPPORTS_ABI_TEST
+#endif // OPENSSL_BN_ASM_MONT && SUPPORTS_ABI_TEST
 #if defined(OPENSSL_BN_ASM_MONT5) && defined(SUPPORTS_ABI_TEST)
 TEST_F(BNTest, BNMulMont5ABI) {
@@ -2988,17 +2984,17 @@ TEST_F(BNTest, RSAZABI) {
 return;
 }
- stack_align_type buffer_table[64 + (sizeof(BN_ULONG) * (32*18))] = {0};
+ stack_align_type buffer_table[64 + (sizeof(BN_ULONG) * (32 * 18))] = {0};
 stack_align_type buffer_rsaz1[64 + (sizeof(BN_ULONG) * 40)];
 stack_align_type buffer_rsaz2[64 + (sizeof(BN_ULONG) * 40)];
 stack_align_type buffer_rsaz3[64 + (sizeof(BN_ULONG) * 40)];
 stack_align_type buffer_n_rsaz[64 + (sizeof(BN_ULONG) * 40)];
- BN_ULONG *aligned_table = (BN_ULONG *) align_pointer(buffer_table, 64);
- BN_ULONG *aligned_rsaz1 = (BN_ULONG *) align_pointer(buffer_rsaz1, 64);
- BN_ULONG *aligned_rsaz2 = (BN_ULONG *) align_pointer(buffer_rsaz2, 64);
- BN_ULONG *aligned_rsaz3 = (BN_ULONG *) align_pointer(buffer_rsaz3, 64);
- BN_ULONG *aligned_n_rsaz = (BN_ULONG *) align_pointer(buffer_n_rsaz, 64);
+ BN_ULONG *aligned_table = (BN_ULONG *)align_pointer(buffer_table, 64);
+ BN_ULONG *aligned_rsaz1 = (BN_ULONG *)align_pointer(buffer_rsaz1, 64);
+ BN_ULONG *aligned_rsaz2 = (BN_ULONG *)align_pointer(buffer_rsaz2, 64);
+ BN_ULONG *aligned_rsaz3 = (BN_ULONG *)align_pointer(buffer_rsaz3, 64);
+ BN_ULONG *aligned_n_rsaz = (BN_ULONG *)align_pointer(buffer_n_rsaz, 64);
 BN_ULONG norm[16], n_norm[16];
@@ -3015,37 +3011,37 @@ TEST_F(BNTest, RSAZABI) {
 CHECK_ABI(rsaz_1024_norm2red_avx2, aligned_rsaz1, norm);
 CHECK_ABI(rsaz_1024_norm2red_avx2, aligned_n_rsaz, n_norm);
- CHECK_ABI(rsaz_1024_sqr_avx2, aligned_rsaz2, aligned_rsaz1, aligned_n_rsaz, k, 1);
- CHECK_ABI(rsaz_1024_sqr_avx2, aligned_rsaz3, aligned_rsaz2, aligned_n_rsaz, k, 4);
- CHECK_ABI(rsaz_1024_mul_avx2, aligned_rsaz3, aligned_rsaz1, aligned_rsaz2, aligned_n_rsaz, k);
+ CHECK_ABI(rsaz_1024_sqr_avx2, aligned_rsaz2, aligned_rsaz1, aligned_n_rsaz, k,
+ 1);
+ CHECK_ABI(rsaz_1024_sqr_avx2, aligned_rsaz3, aligned_rsaz2, aligned_n_rsaz, k,
+ 4);
+ CHECK_ABI(rsaz_1024_mul_avx2, aligned_rsaz3, aligned_rsaz1, aligned_rsaz2,
+ aligned_n_rsaz, k);
 CHECK_ABI(rsaz_1024_scatter5_avx2, aligned_table, aligned_rsaz3, 7);
 CHECK_ABI(rsaz_1024_gather5_avx2, aligned_rsaz1, aligned_table, 7);
 CHECK_ABI(rsaz_1024_red2norm_avx2, norm, aligned_rsaz1);
 #ifdef RSAZ_512_ENABLED
 if (CRYPTO_is_AVX512IFMA_capable()) {
-
 #define TWOK (40 * 2)
-#define TWOK_TABLE (2 * 20 * (1<<5))
+#define TWOK_TABLE (2 * 20 * (1 << 5))
 #define THREEK (64 * 2)
-#define THREEK_TABLE (2 * 32 * (1<<5))
+#define THREEK_TABLE (2 * 32 * (1 << 5))
 #define FOURK (80 * 2)
-#define FOURK_TABLE (2 * 40 * (1<<5))
+#define FOURK_TABLE (2 * 40 * (1 << 5))
- int storage_bytes =
- ((TWOK * 2) + // res2 / red_y2
- TWOK_TABLE + // red_table2k
- (THREEK * 2) + // res3 / red_y3
- THREEK_TABLE + // red_table3k
- (FOURK * 2) + // res4 / red_y4
- FOURK_TABLE) * // red_table4k
- sizeof(uint64_t);
+ int storage_bytes = ((TWOK * 2) + // res2 / red_y2
+ TWOK_TABLE + // red_table2k
+ (THREEK * 2) + // res3 / red_y3
+ THREEK_TABLE + // red_table3k
+ (FOURK * 2) + // res4 / red_y4
+ FOURK_TABLE) * // red_table4k
+ sizeof(uint64_t);
- uint64_t *storage = (uint64_t*)OPENSSL_malloc(storage_bytes);
+ uint64_t *storage = (uint64_t *)OPENSSL_malloc(storage_bytes);
- uint64_t *res2, *res3, *res4,
- *red_y2, *red_y3, *red_y4,
- *red_table2k, *red_table3k, *red_table4k;
+ uint64_t *res2, *res3, *res4, *red_y2, *red_y3, *red_y4, *red_table2k,
+ *red_table3k, *red_table4k;
 res2 = storage;
 red_y2 = storage + TWOK;
@@ -3079,6 +3075,6 @@ TEST_F(BNTest, RSAZABI) {
 OPENSSL_free(storage);
 }
-#endif // RSAZ_512_ENABLED
+#endif // RSAZ_512_ENABLED
 }
-#endif // RSAZ_ENABLED && SUPPORTS_ABI_TEST
+#endif // RSAZ_ENABLED && SUPPORTS_ABI_TEST
diff --git a/crypto/fipsmodule/bn/bytes.c b/crypto/fipsmodule/bn/bytes.c
index c8b3a15fe6..47417e1c88 100644
--- a/crypto/fipsmodule/bn/bytes.c
+++ b/crypto/fipsmodule/bn/bytes.c
@@ -150,16 +150,17 @@ BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
 return ret;
 }
-void bn_little_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, const size_t in_len) {
+void bn_little_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in,
+ const size_t in_len) {
 assert(out_len > 0);
 #ifdef OPENSSL_BIG_ENDIAN
 size_t in_index = 0;
 for (size_t i = 0; i < out_len; i++) {
- if ((in_len-in_index) < sizeof(BN_ULONG)) {
+ if ((in_len - in_index) < sizeof(BN_ULONG)) {
 // Load the last partial word.
 BN_ULONG word = 0;
 // size_t is unsigned, so j >= 0 is always true.
- for (size_t j = in_len-1; j >= in_index && j < in_len; j--) {
+ for (size_t j = in_len - 1; j >= in_index && j < in_len; j--) {
 word = (word << 8) | in[j];
 }
 in_index = in_len;
@@ -179,7 +180,8 @@ void bn_little_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in,
 #else
 OPENSSL_memcpy(out, in, in_len);
 // Fill the remainder with zeros.
- OPENSSL_memset( ((uint8_t*)out) + in_len, 0, sizeof(BN_ULONG)*out_len - in_len);
+ OPENSSL_memset(((uint8_t *)out) + in_len, 0,
+ sizeof(BN_ULONG) * out_len - in_len);
 #endif
 }
@@ -194,7 +196,7 @@ static int fits_in_bytes(const BN_ULONG *words, size_t num_words,
 for (size_t j = 0; j < BN_BYTES; j++) {
 if ((i * BN_BYTES) + j < num_bytes) {
 // For the first word we don't need to check any bytes shorter than len
- continue ;
+ continue;
 } else {
 mask |= (word >> (j * 8)) & 0xff;
 }
@@ -211,7 +213,8 @@ static int fits_in_bytes(const BN_ULONG *words, size_t num_words,
 }
 // Asserts that the BIGNUM can be represented within |num| bytes.
-// The logic is consistent with `fits_in_bytes` but assertions will fail when false.
+// The logic is consistent with `fits_in_bytes` but assertions will fail when
+// false.
 void bn_assert_fits_in_bytes(const BIGNUM *bn, size_t num) {
 const uint8_t *bytes = (const uint8_t *)bn->d;
 size_t tot_bytes = bn->width * sizeof(BN_ULONG);
@@ -225,7 +228,8 @@ void bn_assert_fits_in_bytes(const BIGNUM *bn, size_t num) {
 BN_ULONG word = bn->d[i];
 for (size_t j = 0; j < BN_BYTES; j++) {
 if ((i * BN_BYTES) + j < num) {
- // For the first word we don't need to check any bytes shorter than len
+ // For the first word we don't need to check any bytes shorter than
+ // len
 continue;
 } else {
 uint8_t byte = (word >> (j * 8)) & 0xff;
@@ -273,7 +277,8 @@ size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) {
 return n;
 }
-void bn_words_to_little_endian(uint8_t *out, size_t out_len, const BN_ULONG *in, const size_t in_len) {
+void bn_words_to_little_endian(uint8_t *out, size_t out_len, const BN_ULONG *in,
+ const size_t in_len) {
 // The caller should have selected an output length without truncation.
 assert(fits_in_bytes(in, in_len, out_len));
 size_t num_bytes = in_len * sizeof(BN_ULONG);
@@ -284,7 +289,7 @@ void bn_words_to_little_endian(uint8_t *out, size_t out_len, const BN_ULONG *in,
 size_t byte_idx = 0;
 for (size_t word_idx = 0; word_idx < in_len; word_idx++) {
 BN_ULONG l = in[word_idx];
- for(size_t j = 0; j < BN_BYTES && byte_idx < num_bytes; j++) {
+ for (size_t j = 0; j < BN_BYTES && byte_idx < num_bytes; j++) {
 out[byte_idx] = (uint8_t)(l & 0xff);
 l >>= 8;
 byte_idx++;
@@ -336,7 +341,7 @@ int BN_get_u64(const BIGNUM *bn, uint64_t *out) {
 return 1;
 #if defined(OPENSSL_32_BIT)
 case 2:
- *out = (uint64_t) bn->d[0] | (((uint64_t) bn->d[1]) << 32);
+ *out = (uint64_t)bn->d[0] | (((uint64_t)bn->d[1]) << 32);
 return 1;
 #endif
 default:
diff --git a/crypto/fipsmodule/bn/cmp.c b/crypto/fipsmodule/bn/cmp.c
index 1ba6f1821e..8334657fa6 100644
--- a/crypto/fipsmodule/bn/cmp.c
+++ b/crypto/fipsmodule/bn/cmp.c
@@ -59,8 +59,8 @@
 #include
 #include
-#include "internal.h"
 #include "../../internal.h"
+#include "internal.h"
 static int bn_cmp_words_consttime(const BN_ULONG *a, size_t a_len,
@@ -149,9 +149,7 @@ int BN_cmp_word(const BIGNUM *a, BN_ULONG b) {
 return BN_cmp(a, &b_bn);
 }
-int BN_is_zero(const BIGNUM *bn) {
- return bn_fits_in_words(bn, 0);
-}
+int BN_is_zero(const BIGNUM *bn) { return bn_fits_in_words(bn, 0); }
 int BN_is_one(const BIGNUM *bn) {
 return bn->neg == 0 && BN_abs_is_word(bn, 1);
@@ -161,9 +159,7 @@ int BN_is_word(const BIGNUM *bn, BN_ULONG w) {
 return BN_abs_is_word(bn, w) && (w == 0 || bn->neg == 0);
 }
-int BN_is_odd(const BIGNUM *bn) {
- return bn->width > 0 && (bn->d[0] & 1) == 1;
-}
+int BN_is_odd(const BIGNUM *bn) { return bn->width > 0 && (bn->d[0] & 1) == 1; }
 int BN_is_pow2(const BIGNUM *bn) {
 int width = bn_minimal_width(bn);
@@ -177,7 +173,7 @@ int BN_is_pow2(const BIGNUM *bn) {
 }
 }
- return 0 == (bn->d[width-1] & (bn->d[width-1] - 1));
+ return 0 == (bn->d[width - 1] & (bn->d[width - 1] - 1));
 }
 int BN_equal_consttime(const BIGNUM *a, const BIGNUM *b) {
diff --git a/crypto/fipsmodule/bn/ctx.c b/crypto/fipsmodule/bn/ctx.c
index 1ec1c0f2fb..5dcf8f95d8 100644
--- a/crypto/fipsmodule/bn/ctx.c
+++ b/crypto/fipsmodule/bn/ctx.c
@@ -7,7 +7,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in
@@ -199,9 +199,7 @@ static void BN_STACK_init(BN_STACK *st) { st->depth = st->size = 0; } -static void BN_STACK_cleanup(BN_STACK *st) { - OPENSSL_free(st->indexes); -} +static void BN_STACK_cleanup(BN_STACK *st) { OPENSSL_free(st->indexes); } static int BN_STACK_push(BN_STACK *st, size_t idx) { if (st->depth == st->size) { diff --git a/crypto/fipsmodule/bn/div.c b/crypto/fipsmodule/bn/div.c index f524f8939a..f5a4043e0e 100644 --- a/crypto/fipsmodule/bn/div.c +++ b/crypto/fipsmodule/bn/div.c @@ -335,12 +335,11 @@ int BN_div(BIGNUM *quotient, BIGNUM *rem, const BIGNUM *numerator, } t2 -= d1; } -#else // !BN_ULLONG +#else // !BN_ULLONG BN_ULONG t2l, t2h; BN_UMULT_LOHI(t2l, t2h, d1, q); for (;;) { - if (t2h < rm || - (t2h == rm && t2l <= wnump[-2])) { + if (t2h < rm || (t2h == rm && t2l <= wnump[-2])) { break; } q--; @@ -481,8 +480,7 @@ int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder, } BIGNUM *tmp = BN_CTX_get(ctx); if (q == NULL || r == NULL || tmp == NULL || - !bn_wexpand(q, numerator->width) || - !bn_wexpand(r, divisor->width) || + !bn_wexpand(q, numerator->width) || !bn_wexpand(r, divisor->width) || !bn_wexpand(tmp, divisor->width)) { goto err; } @@ -547,8 +545,7 @@ int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder, static BIGNUM *bn_scratch_space_from_ctx(size_t width, BN_CTX *ctx) { BIGNUM *ret = BN_CTX_get(ctx); - if (ret == NULL || - !bn_wexpand(ret, width)) { + if (ret == NULL || !bn_wexpand(ret, width)) { return NULL; } ret->neg = 0; @@ -569,9 +566,7 @@ static const BIGNUM *bn_resized_from_ctx(const BIGNUM *bn, size_t width, return bn; } BIGNUM *ret = bn_scratch_space_from_ctx(width, ctx); - if (ret == NULL || - !BN_copy(ret, bn) || - !bn_resize_words(ret, width)) { + if (ret == NULL || !BN_copy(ret, bn) || !bn_resize_words(ret, width)) { return NULL; } return ret; 
@@ -588,8 +583,7 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m) { BN_CTX *ctx = BN_CTX_new(); - int ok = ctx != NULL && - bn_mod_add_consttime(r, a, b, m, ctx); + int ok = ctx != NULL && bn_mod_add_consttime(r, a, b, m, ctx); BN_CTX_free(ctx); return ok; } @@ -600,8 +594,7 @@ int bn_mod_add_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, a = bn_resized_from_ctx(a, m->width, ctx); b = bn_resized_from_ctx(b, m->width, ctx); BIGNUM *tmp = bn_scratch_space_from_ctx(m->width, ctx); - int ok = a != NULL && b != NULL && tmp != NULL && - bn_wexpand(r, m->width); + int ok = a != NULL && b != NULL && tmp != NULL && bn_wexpand(r, m->width); if (ok) { bn_mod_add_words(r->d, a->d, b->d, m->d, tmp->d, m->width); r->width = m->width; @@ -625,8 +618,7 @@ int bn_mod_sub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, a = bn_resized_from_ctx(a, m->width, ctx); b = bn_resized_from_ctx(b, m->width, ctx); BIGNUM *tmp = bn_scratch_space_from_ctx(m->width, ctx); - int ok = a != NULL && b != NULL && tmp != NULL && - bn_wexpand(r, m->width); + int ok = a != NULL && b != NULL && tmp != NULL && bn_wexpand(r, m->width); if (ok) { bn_mod_sub_words(r->d, a->d, b->d, m->d, tmp->d, m->width); r->width = m->width; @@ -639,8 +631,7 @@ int bn_mod_sub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m) { BN_CTX *ctx = BN_CTX_new(); - int ok = ctx != NULL && - bn_mod_sub_consttime(r, a, b, m, ctx); + int ok = ctx != NULL && bn_mod_sub_consttime(r, a, b, m, ctx); BN_CTX_free(ctx); return ok; } 
@@ -711,8 +702,7 @@ int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, int bn_mod_lshift_consttime(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx) { - if (!BN_copy(r, a) || - !bn_resize_words(r, m->width)) { + if (!BN_copy(r, a) || !bn_resize_words(r, m->width)) { return 0; } @@ -731,8 +721,7 @@ int bn_mod_lshift_consttime(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m) { BN_CTX *ctx = BN_CTX_new(); - int ok = ctx != NULL && - bn_mod_lshift_consttime(r, a, n, m, ctx); + int ok = ctx != NULL && bn_mod_lshift_consttime(r, a, n, m, ctx); BN_CTX_free(ctx); return ok; } @@ -752,8 +741,7 @@ int bn_mod_lshift1_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m) { BN_CTX *ctx = BN_CTX_new(); - int ok = ctx != NULL && - bn_mod_lshift1_consttime(r, a, m, ctx); + int ok = ctx != NULL && bn_mod_lshift1_consttime(r, a, m, ctx); BN_CTX_free(ctx); return ok; } @@ -764,7 +752,7 @@ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w) { if (!w) { // actually this an error (division by zero) - return (BN_ULONG) - 1; + return (BN_ULONG)-1; } if (a->width == 0) { @@ -775,7 +763,7 @@ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w) { j = BN_BITS2 - BN_num_bits_word(w); w <<= j; if (!BN_lshift(a, a, j)) { - return (BN_ULONG) - 1; + return (BN_ULONG)-1; } for (i = a->width - 1; i >= 0; i--) { @@ -801,7 +789,7 @@ BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w) { int i; if (w == 0) { - return (BN_ULONG) -1; + return (BN_ULONG)-1; } #ifndef BN_CAN_DIVIDE_ULLONG @@ -838,7 +826,7 @@ int BN_mod_pow2(BIGNUM *r, const BIGNUM *a, size_t e) { size_t num_words = 1 + ((e - 1) / BN_BITS2); // If |a| definitely has less than |e| bits, just BN_copy. - if ((size_t) a->width < num_words) { + if ((size_t)a->width < num_words) { return BN_copy(r, a) != NULL; } 
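Review bot: The comment on the division-by-zero branch of BN_div_word, directly above the reformatted `return (BN_ULONG)-1;`, reads "actually this an error (division by zero)" and is missing its verb; since the line below it was touched here anyway, the wording could be fixed in the same pass. I would write `// Division by zero: signal it with the in-band sentinel (BN_ULONG)-1, which` / `// can never be a valid result because a remainder is strictly less than |w|.`. The same sentinel is returned on the BN_lshift failure path in the next hunk and neither path records a reason in the error queue, so the comment could also say that callers cannot tell the two failures apart. BN_div_word's body continues outside both hunks.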
@@ -854,12 +842,12 @@ int BN_mod_pow2(BIGNUM *r, const BIGNUM *a, size_t e) { // If |e| isn't word-aligned, we have to mask off some of our bits. size_t top_word_exponent = e % (sizeof(BN_ULONG) * 8); if (top_word_exponent != 0) { - r->d[num_words - 1] &= (((BN_ULONG) 1) << top_word_exponent) - 1; + r->d[num_words - 1] &= (((BN_ULONG)1) << top_word_exponent) - 1; } // Fill in the remaining fields of |r|. r->neg = a->neg; - r->width = (int) num_words; + r->width = (int)num_words; bn_set_minimal_width(r); return 1; } @@ -886,7 +874,7 @@ int BN_nnmod_pow2(BIGNUM *r, const BIGNUM *a, size_t e) { // Set parameters of |r|. r->neg = 0; - r->width = (int) num_words; + r->width = (int)num_words; // Now, invert every word. The idea here is that we want to compute 2^e-|x|, // which is actually equivalent to the twos-complement representation of |x| @@ -898,7 +886,7 @@ int BN_nnmod_pow2(BIGNUM *r, const BIGNUM *a, size_t e) { // If our exponent doesn't span the top word, we have to mask the rest. size_t top_word_exponent = e % BN_BITS2; if (top_word_exponent != 0) { - r->d[r->width - 1] &= (((BN_ULONG) 1) << top_word_exponent) - 1; + r->d[r->width - 1] &= (((BN_ULONG)1) << top_word_exponent) - 1; } // Keep the minimal-width invariant for |BIGNUM|. diff --git a/crypto/fipsmodule/bn/div_extra.c b/crypto/fipsmodule/bn/div_extra.c index f75c9146c2..bdfc47f518 100644 --- a/crypto/fipsmodule/bn/div_extra.c +++ b/crypto/fipsmodule/bn/div_extra.c @@ -20,7 +20,8 @@ // The following functions use a Barrett reduction variant to avoid leaking the -// numerator. See http://ridiculousfish.com/blog/posts/labor-of-division-episode-i.html +// numerator. See +// http://ridiculousfish.com/blog/posts/labor-of-division-episode-i.html // // We use 32-bit numerator and 16-bit divisor for simplicity. This allows // computing |m| and |q| without architecture-specific code. diff --git a/crypto/fipsmodule/bn/exponentiation.c b/crypto/fipsmodule/bn/exponentiation.c index a35658223b..6b17bb56c8 100644 
--- a/crypto/fipsmodule/bn/exponentiation.c +++ b/crypto/fipsmodule/bn/exponentiation.c @@ -119,9 +119,9 @@ #include "internal.h" #include "rsaz_exp.h" -#if !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE) || \ - defined(OPENSSL_OPENBSD) || defined(OPENSSL_FREEBSD)) && \ +#if !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE) || \ + defined(OPENSSL_OPENBSD) || defined(OPENSSL_FREEBSD)) && \ defined(OPENSSL_AARCH64) #include "../../../third_party/s2n-bignum/include/s2n-bignum_aws-lc.h" @@ -136,10 +136,10 @@ OPENSSL_INLINE int exponentiation_use_s2n_bignum(void) { return 0; } #endif -static void exponentiation_s2n_bignum_copy_from_prebuf(BN_ULONG *dest, int width, - const BN_ULONG *table, int rowidx, - int window) { - +static void exponentiation_s2n_bignum_copy_from_prebuf(BN_ULONG *dest, + int width, + const BN_ULONG *table, + int rowidx, int window) { #if defined(BN_EXPONENTIATION_S2N_BIGNUM_CAPABLE) int table_height = 1 << window; @@ -537,9 +537,9 @@ static int mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, } } - start = 1; // This is used to avoid multiplication etc - // when there is only the value '1' in the - // buffer. + start = 1; // This is used to avoid multiplication etc + // when there is only the value '1' in the + // buffer. wstart = bits - 1; // The top bit of the window if (!BN_one(r)) { @@ -548,7 +548,7 @@ static int mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, for (;;) { int wvalue; // The 'value' of the window - int wend; // The bottom bit of the window + int wend; // The bottom bit of the window if (!BN_is_bit_set(p, wstart)) { if (!start) { 
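Review bot: The three-line trailing comment on `start = 1;` in mod_exp_recp is what forced the realignment in this hunk, and it will be realigned again whenever the statement or the formatter's alignment rules change. Placing it above the statement keeps it stable under clang-format: `// |start| is set while the accumulator still holds only the value 1, so the` / `// multiplications in the window loop below can be skipped until then.` followed by `start = 1;`. The same applies to the `wend` comment in the second hunk of this function, which only moved to line up with the `wvalue` comment. mod_exp_recp starts and ends outside these hunks.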
@@ -687,8 +687,7 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } if (window > 1) { BIGNUM *d = BN_CTX_get(ctx); - if (d == NULL || - !BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) { + if (d == NULL || !BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) { goto err; } for (int i = 1; i < 1 << (window - 1); i++) { @@ -1011,8 +1010,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, assert((size_t)top <= BN_MONTGOMERY_MAX_WORDS); OPENSSL_STATIC_ASSERT( BN_MONTGOMERY_MAX_WORDS <= - INT_MAX / sizeof(BN_ULONG) / ((1 << - BN_window_bits_for_ctime_exponent_size) + 3), + INT_MAX / sizeof(BN_ULONG) / + ((1 << BN_window_bits_for_ctime_exponent_size) + 3), powerbuf_len_may_overflow); #if defined(OPENSSL_BN_ASM_MONT5) @@ -1051,16 +1050,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, tmp.neg = am.neg = 0; tmp.flags = am.flags = BN_FLG_STATIC_DATA; - if (!bn_one_to_montgomery(&tmp, mont, ctx) || - !bn_resize_words(&tmp, top)) { + if (!bn_one_to_montgomery(&tmp, mont, ctx) || !bn_resize_words(&tmp, top)) { goto err; } // Prepare a^1 in the Montgomery domain. assert(!a->neg); declassify_assert(BN_ucmp(a, m) < 0); - if (!BN_to_montgomery(&am, a, mont, ctx) || - !bn_resize_words(&am, top)) { + if (!BN_to_montgomery(&am, a, mont, ctx) || !bn_resize_words(&am, top)) { goto err; } 
@@ -1274,39 +1271,38 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, // // The width of each base, exponent, and modulus must match and the // contexts are expected to be initialized. -int BN_mod_exp_mont_consttime_x2(BIGNUM *rr1, const BIGNUM *a1, const BIGNUM *p1, - const BIGNUM *m1, const BN_MONT_CTX *in_mont1, - BIGNUM *rr2, const BIGNUM *a2, const BIGNUM *p2, +int BN_mod_exp_mont_consttime_x2(BIGNUM *rr1, const BIGNUM *a1, + const BIGNUM *p1, const BIGNUM *m1, + const BN_MONT_CTX *in_mont1, BIGNUM *rr2, + const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m2, const BN_MONT_CTX *in_mont2, - BN_CTX *ctx) -{ + BN_CTX *ctx) { int ret = 0; #ifdef RSAZ_512_ENABLED if (CRYPTO_is_AVX512IFMA_capable() && - (((a1->width == 16) && (p1->width == 16) && (BN_num_bits(m1) == 1024) && - (a2->width == 16) && (p2->width == 16) && (BN_num_bits(m2) == 1024)) || - ((a1->width == 24) && (p1->width == 24) && (BN_num_bits(m1) == 1536) && - (a2->width == 24) && (p2->width == 24) && (BN_num_bits(m2) == 1536)) || - ((a1->width == 32) && (p1->width == 32) && (BN_num_bits(m1) == 2048) && - (a2->width == 32) && (p2->width == 32) && (BN_num_bits(m2) == 2048)))) { - + (((a1->width == 16) && (p1->width == 16) && (BN_num_bits(m1) == 1024) && + (a2->width == 16) && (p2->width == 16) && (BN_num_bits(m2) == 1024)) || + ((a1->width == 24) && (p1->width == 24) && (BN_num_bits(m1) == 1536) && + (a2->width == 24) && (p2->width == 24) && (BN_num_bits(m2) == 1536)) || + ((a1->width == 32) && (p1->width == 32) && (BN_num_bits(m1) == 2048) && + (a2->width == 32) && (p2->width == 32) && (BN_num_bits(m2) == 2048)))) { int widthn = a1->width; if (!bn_wexpand(rr1, widthn)) { - return ret; + return ret; } if (!bn_wexpand(rr2, widthn)) { - return ret; + return ret; } - + /* Ensure that montgomery contexts are initialized */ if (in_mont1 == NULL) { - return ret; + return ret; } if (in_mont2 == NULL) { - return ret; + return ret; } 
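Review bot: The four early exits in the reformatted RSAZ block of BN_mod_exp_mont_consttime_x2 (`return ret;` after each failed bn_wexpand and after each NULL mont context) return `ret` while it still holds its initial 0, whereas the failure paths in the next hunk of the same function write `return 0;`; using the literal consistently makes clear that these are plain failures and that `ret` only ever carries the RSAZ_mod_exp_avx512_x2 result. The two NULL-context exits also fail without recording a reason, unlike the BN_R_INPUT_NOT_REDUCED path later in the function; if a NULL context is a caller error, `OPENSSL_PUT_ERROR(BN, ERR_R_PASSED_NULL_PARAMETER);` before the return would make it diagnosable, though the hunk does not show whether any caller passes NULL here. The function body continues past the end of this hunk.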
@@ -1319,17 +1315,15 @@ int BN_mod_exp_mont_consttime_x2(BIGNUM *rr1, const BIGNUM *a1, const BIGNUM *p1 return 0; } if ((a1->neg || BN_ucmp(a1, m1) >= 0) || - (a2->neg || BN_ucmp(a2, m2) >= 0)) { + (a2->neg || BN_ucmp(a2, m2) >= 0)) { OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED); return 0; } int mod_bits = BN_num_bits(m1); - ret = RSAZ_mod_exp_avx512_x2(rr1->d, a1->d, p1->d, m1->d, - in_mont1->RR.d, in_mont1->n0[0], - rr2->d, a2->d, p2->d, m2->d, - in_mont2->RR.d, in_mont2->n0[0], - mod_bits); + ret = RSAZ_mod_exp_avx512_x2(rr1->d, a1->d, p1->d, m1->d, in_mont1->RR.d, + in_mont1->n0[0], rr2->d, a2->d, p2->d, m2->d, + in_mont2->RR.d, in_mont2->n0[0], mod_bits); rr1->width = widthn; rr1->neg = 0; diff --git a/crypto/fipsmodule/bn/gcd.c b/crypto/fipsmodule/bn/gcd.c index 7aa004335e..f884b6643c 100644 --- a/crypto/fipsmodule/bn/gcd.c +++ b/crypto/fipsmodule/bn/gcd.c @@ -376,8 +376,7 @@ int bn_mod_inverse_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx, const BN_MONT_CTX *mont_p) { BN_CTX_start(ctx); BIGNUM *p_minus_2 = BN_CTX_get(ctx); - int ok = p_minus_2 != NULL && - BN_copy(p_minus_2, p) && + int ok = p_minus_2 != NULL && BN_copy(p_minus_2, p) && BN_sub_word(p_minus_2, 2) && BN_mod_exp_mont(out, a, p_minus_2, p, ctx, mont_p); BN_CTX_end(ctx); @@ -388,8 +387,7 @@ int bn_mod_inverse_secret_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx, const BN_MONT_CTX *mont_p) { BN_CTX_start(ctx); BIGNUM *p_minus_2 = BN_CTX_get(ctx); - int ok = p_minus_2 != NULL && - BN_copy(p_minus_2, p) && + int ok = p_minus_2 != NULL && BN_copy(p_minus_2, p) && BN_sub_word(p_minus_2, 2) && BN_mod_exp_mont_consttime(out, a, p_minus_2, p, ctx, mont_p); BN_CTX_end(ctx); diff --git a/crypto/fipsmodule/bn/gcd_extra.c b/crypto/fipsmodule/bn/gcd_extra.c index 531ff59f39..0c6bacae5d 100644 --- a/crypto/fipsmodule/bn/gcd_extra.c +++ b/crypto/fipsmodule/bn/gcd_extra.c 
@@ -35,7 +35,7 @@ static void maybe_rshift1_words_carry(BN_ULONG *a, BN_ULONG carry, maybe_rshift1_words(a, mask, tmp, num); if (num != 0) { carry &= mask; - a[num - 1] |= carry << (BN_BITS2-1); + a[num - 1] |= carry << (BN_BITS2 - 1); } } @@ -61,12 +61,9 @@ static int bn_gcd_consttime(BIGNUM *r, unsigned *out_shift, const BIGNUM *x, BIGNUM *u = BN_CTX_get(ctx); BIGNUM *v = BN_CTX_get(ctx); BIGNUM *tmp = BN_CTX_get(ctx); - if (u == NULL || v == NULL || tmp == NULL || - !BN_copy(u, x) || - !BN_copy(v, y) || - !bn_resize_words(u, width) || - !bn_resize_words(v, width) || - !bn_resize_words(tmp, width)) { + if (u == NULL || v == NULL || tmp == NULL || !BN_copy(u, x) || + !BN_copy(v, y) || !bn_resize_words(u, width) || + !bn_resize_words(v, width) || !bn_resize_words(tmp, width)) { goto err; } @@ -121,8 +118,7 @@ static int bn_gcd_consttime(BIGNUM *r, unsigned *out_shift, const BIGNUM *x, int BN_gcd(BIGNUM *r, const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) { unsigned shift; - return bn_gcd_consttime(r, &shift, x, y, ctx) && - BN_lshift(r, r, shift); + return bn_gcd_consttime(r, &shift, x, y, ctx) && BN_lshift(r, r, shift); } int bn_is_relatively_prime(int *out_relatively_prime, const BIGNUM *x, @@ -131,8 +127,7 @@ int bn_is_relatively_prime(int *out_relatively_prime, const BIGNUM *x, BN_CTX_start(ctx); unsigned shift; BIGNUM *gcd = BN_CTX_get(ctx); - if (gcd == NULL || - !bn_gcd_consttime(gcd, &shift, x, y, ctx)) { + if (gcd == NULL || !bn_gcd_consttime(gcd, &shift, x, y, ctx)) { goto err; } 
@@ -218,23 +213,16 @@ int bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, const BIGNUM *a, BIGNUM *tmp = BN_CTX_get(ctx); BIGNUM *tmp2 = BN_CTX_get(ctx); if (u == NULL || v == NULL || A == NULL || B == NULL || C == NULL || - D == NULL || tmp == NULL || tmp2 == NULL || - !BN_copy(u, a) || - !BN_copy(v, n) || - !BN_one(A) || - !BN_one(D) || + D == NULL || tmp == NULL || tmp2 == NULL || !BN_copy(u, a) || + !BN_copy(v, n) || !BN_one(A) || !BN_one(D) || // For convenience, size |u| and |v| equivalently. - !bn_resize_words(u, n_width) || - !bn_resize_words(v, n_width) || + !bn_resize_words(u, n_width) || !bn_resize_words(v, n_width) || // |A| and |C| are bounded by |m|. - !bn_resize_words(A, n_width) || - !bn_resize_words(C, n_width) || + !bn_resize_words(A, n_width) || !bn_resize_words(C, n_width) || // |B| and |D| are bounded by |a|. - !bn_resize_words(B, a_width) || - !bn_resize_words(D, a_width) || + !bn_resize_words(B, a_width) || !bn_resize_words(D, a_width) || // |tmp| and |tmp2| may be used at either size. - !bn_resize_words(tmp, n_width) || - !bn_resize_words(tmp2, n_width)) { + !bn_resize_words(tmp, n_width) || !bn_resize_words(tmp2, n_width)) { goto err; } diff --git a/crypto/fipsmodule/bn/internal.h b/crypto/fipsmodule/bn/internal.h index c5ae9364f2..7d77029348 100644 --- a/crypto/fipsmodule/bn/internal.h +++ b/crypto/fipsmodule/bn/internal.h 
@@ -429,16 +429,16 @@ OPENSSL_INLINE int bn_sqr8x_mont_capable(size_t num) { } int bn_sqr8x_mont(BN_ULONG *rp, const BN_ULONG *ap, BN_ULONG mulx_adx_capable, const BN_ULONG *np, const BN_ULONG *n0, size_t num); -#endif // !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX) +#endif // !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX) #elif defined(OPENSSL_ARM) - OPENSSL_INLINE int bn_mul8x_mont_neon_capable(size_t num) { - return (num & 7) == 0 && CRYPTO_is_NEON_capable(); - } - int bn_mul8x_mont_neon(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, size_t num); - int bn_mul_mont_nohw(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, +OPENSSL_INLINE int bn_mul8x_mont_neon_capable(size_t num) { + return (num & 7) == 0 && CRYPTO_is_NEON_capable(); +} +int bn_mul8x_mont_neon(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, size_t num); -#endif // defined(OPENSSL_X86_64) +int bn_mul_mont_nohw(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); +#endif // defined(OPENSSL_X86_64) #endif @@ -747,7 +747,7 @@ int BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_MUTEX *lock, // bn_mul_small sets |r| to |a|*|b|. |num_r| must be |num_a| + |num_b|. |r| may // not alias with |a| or |b|. void bn_mul_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a, size_t num_a, - const BN_ULONG *b, size_t num_b); + const BN_ULONG *b, size_t num_b); // bn_sqr_small sets |r| to |a|^2. |num_a| must be at most |BN_SMALL_MAX_WORDS|. // |num_r| must be |num_a|*2. |r| and |a| may not alias. 
@@ -807,10 +807,10 @@ void bn_mod_inverse0_prime_mont_small(BN_ULONG *r, const BN_ULONG *a, // Word-based byte conversion functions. // bn_big_endian_to_words interprets |in_len| bytes from |in| as a big-endian, -// unsigned integer and writes the result to |out_len| words in |out|. The output -// is in little-endian word order with |out[0]| being the least-significant word. -// |out_len| must be large enough to represent any |in_len|-byte value. That is, -// |in_len| must be at most |BN_BYTES * out_len|. +// unsigned integer and writes the result to |out_len| words in |out|. The +// output is in little-endian word order with |out[0]| being the +// least-significant word. |out_len| must be large enough to represent any +// |in_len|-byte value. That is, |in_len| must be at most |BN_BYTES * out_len|. void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, size_t in_len); 
@@ -824,21 +824,23 @@ void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, void bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in, size_t in_len); -// bn_little_endian_to_words interprets |in_len| bytes from |in| as a little-endian, -// unsigned integer and writes the result to |out_len| words in |out|. The output -// is in little-endian word order with |out[0]| being the least-significant word. -// |out_len| must be large enough to represent any |in_len|-byte value. That is, -// |out_len| must be at least |BN_BYTES * in_len|. -void bn_little_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, const size_t in_len); - -// bn_words_to_little_endian represents |in_len| words from |in| (in little-endian -// word order) as a little-endian, unsigned integer in |out_len| bytes. It -// writes the result to |out|. |out_len| must be large enough to represent |in| -// without truncation. +// bn_little_endian_to_words interprets |in_len| bytes from |in| as a +// little-endian, unsigned integer and writes the result to |out_len| words in +// |out|. The output is in little-endian word order with |out[0]| being the +// least-significant word. |out_len| must be large enough to represent any +// |in_len|-byte value. That is, |out_len| must be at least |BN_BYTES * in_len|. +void bn_little_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, + const size_t in_len); + +// bn_words_to_little_endian represents |in_len| words from |in| (in +// little-endian word order) as a little-endian, unsigned integer in |out_len| +// bytes. It writes the result to |out|. |out_len| must be large enough to +// represent |in| without truncation. // // Note |out_len| may be less than |BN_BYTES * in_len| if |in| is known to have // leading zeros. 
-void bn_words_to_little_endian(uint8_t *out, size_t out_len, const BN_ULONG *in, const size_t in_len); +void bn_words_to_little_endian(uint8_t *out, size_t out_len, const BN_ULONG *in, + const size_t in_len); #if defined(__cplusplus) } // extern C diff --git a/crypto/fipsmodule/bn/jacobi.c b/crypto/fipsmodule/bn/jacobi.c index d1a9d506a5..4e8af45ad5 100644 --- a/crypto/fipsmodule/bn/jacobi.c +++ b/crypto/fipsmodule/bn/jacobi.c @@ -58,7 +58,7 @@ // least significant word -#define BN_lsw(n) (((n)->width == 0) ? (BN_ULONG) 0 : (n)->d[0]) +#define BN_lsw(n) (((n)->width == 0) ? (BN_ULONG)0 : (n)->d[0]) int bn_jacobi(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { // In 'tab', only odd-indexed entries are relevant: @@ -88,8 +88,7 @@ int bn_jacobi(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { goto end; } - if (!BN_copy(A, a) || - !BN_copy(B, b)) { + if (!BN_copy(A, a) || !BN_copy(B, b)) { goto end; } diff --git a/crypto/fipsmodule/bn/montgomery.c b/crypto/fipsmodule/bn/montgomery.c index 38a651b9bb..b6ff8152b0 100644 --- a/crypto/fipsmodule/bn/montgomery.c +++ b/crypto/fipsmodule/bn/montgomery.c @@ -118,13 +118,13 @@ #include #include -#include "internal.h" -#include "../cpucap/internal.h" #include "../../internal.h" +#include "../cpucap/internal.h" +#include "internal.h" -#if !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE) || \ - defined(OPENSSL_OPENBSD) || defined(OPENSSL_FREEBSD)) && \ +#if !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE) || \ + defined(OPENSSL_OPENBSD) || defined(OPENSSL_FREEBSD)) && \ defined(OPENSSL_AARCH64) && defined(OPENSSL_BN_ASM_MONT) #include "../../../third_party/s2n-bignum/include/s2n-bignum_aws-lc.h" @@ -146,9 +146,7 @@ OPENSSL_INLINE int montgomery_use_s2n_bignum(unsigned int num) { #else -OPENSSL_INLINE int montgomery_use_s2n_bignum(unsigned int num) { - return 0; -} +OPENSSL_INLINE int montgomery_use_s2n_bignum(unsigned int num) { return 0; } #endif 
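Review bot: The reformatted `BN_lsw(n)` macro in jacobi.c expands `(n)` twice, so an argument with side effects would be evaluated twice; a `static inline` function gives the same value with type checking and single evaluation: `static inline BN_ULONG BN_lsw(const BIGNUM *n) {` / `  return n->width == 0 ? 0 : n->d[0];` / `}`. No call site is visible in the hunk, so this is raised as a point of style rather than a live bug. The bn_jacobi body that uses the macro lies outside the hunk.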
@@ -187,8 +185,7 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, const BN_MONT_CTX *from) { return to; } - if (!BN_copy(&to->RR, &from->RR) || - !BN_copy(&to->N, &from->N)) { + if (!BN_copy(&to->RR, &from->RR) || !BN_copy(&to->N, &from->N)) { return NULL; } to->n0[0] = from->n0[0]; @@ -275,8 +272,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) { BN_MONT_CTX *BN_MONT_CTX_new_for_modulus(const BIGNUM *mod, BN_CTX *ctx) { BN_MONT_CTX *mont = BN_MONT_CTX_new(); - if (mont == NULL || - !BN_MONT_CTX_set(mont, mod, ctx)) { + if (mont == NULL || !BN_MONT_CTX_set(mont, mod, ctx)) { BN_MONT_CTX_free(mont); return NULL; } @@ -285,8 +281,7 @@ BN_MONT_CTX *BN_MONT_CTX_new_for_modulus(const BIGNUM *mod, BN_CTX *ctx) { BN_MONT_CTX *BN_MONT_CTX_new_consttime(const BIGNUM *mod, BN_CTX *ctx) { BN_MONT_CTX *mont = BN_MONT_CTX_new(); - if (mont == NULL || - !bn_mont_ctx_set_N_and_n0(mont, mod) || + if (mont == NULL || !bn_mont_ctx_set_N_and_n0(mont, mod) || !bn_mont_ctx_set_RR_consttime(mont, ctx)) { BN_MONT_CTX_free(mont); return NULL; @@ -363,8 +358,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, } int max = 2 * n->width; // carry is stored separately - if (!bn_resize_words(r, max) || - !bn_wexpand(ret, n->width)) { + if (!bn_resize_words(r, max) || !bn_wexpand(ret, n->width)) { return 0; } @@ -380,8 +374,7 @@ int BN_from_montgomery(BIGNUM *r, const BIGNUM *a, const BN_MONT_CTX *mont, BN_CTX_start(ctx); t = BN_CTX_get(ctx); - if (t == NULL || - !BN_copy(t, a)) { + if (t == NULL || !BN_copy(t, a)) { goto err; } @@ -462,7 +455,6 @@ static void montgomery_s2n_bignum_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, size_t num) { - #if defined(BN_MONTGOMERY_S2N_BIGNUM_CAPABLE) // t is a temporary buffer used by Karatsuba multiplication. 
@@ -516,12 +508,13 @@ static void montgomery_s2n_bignum_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, // 2. Optionally subtract the result if the (result of step 1) >= m. // The comparison is true if either A or B holds: // A. The result of step 1 >= 2^(64*num), meaning that bignum_emontredc_8n - // returned 1. Since m is less than 2^(64*num), (result of step 1) >= m holds. + // returned 1. Since m is less than 2^(64*num), (result of step 1) >= m + // holds. // B. The result of step 1 fits in 2^(64*num), and the result >= m. - uint64_t c = CRYPTO_is_NEON_capable() ? - bignum_emontredc_8n_neon(num, mulres, np, w) : - bignum_emontredc_8n(num, mulres, np, w); // c: case A - c |= bignum_ge(num, mulres + num, num, np); // c: case B + uint64_t c = CRYPTO_is_NEON_capable() + ? bignum_emontredc_8n_neon(num, mulres, np, w) + : bignum_emontredc_8n(num, mulres, np, w); // c: case A + c |= bignum_ge(num, mulres + num, num, np); // c: case B // Optionally subtract and store the result at rp bignum_optsub(num, rp, mulres + num, c, np); @@ -546,9 +539,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, #if defined(OPENSSL_BN_ASM_MONT) // |bn_mul_mont| requires at least 128 bits of limbs, at least for x86. int num = mont->N.width; - if (num >= (128 / BN_BITS2) && - a->width == num && - b->width == num) { + if (num >= (128 / BN_BITS2) && a->width == num && b->width == num) { if (!bn_wexpand(r, num)) { return 0; } @@ -578,8 +569,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, } int bn_less_than_montgomery_R(const BIGNUM *bn, const BN_MONT_CTX *mont) { - return !BN_is_negative(bn) && - bn_fits_in_words(bn, mont->N.width); + return !BN_is_negative(bn) && bn_fits_in_words(bn, mont->N.width); } void bn_to_montgomery_small(BN_ULONG *r, const BN_ULONG *a, size_t num, 
@@ -635,8 +625,7 @@ void bn_mod_mul_montgomery_small(BN_ULONG *r, const BN_ULONG *a, #if defined(OPENSSL_BN_ASM_MONT) && defined(OPENSSL_X86_64) int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, size_t num) -{ + const BN_ULONG *np, const BN_ULONG *n0, size_t num) { #if !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX) if (ap == bp && bn_sqr8x_mont_capable(num)) { return bn_sqr8x_mont(rp, ap, bn_mulx_adx_capable(), np, n0, num); @@ -644,7 +633,7 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, if (bn_mulx4x_mont_capable(num)) { return bn_mulx4x_mont(rp, ap, bp, np, n0, num); } -#endif // !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX) +#endif // !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX) if (bn_mul4x_mont_capable(num)) { return bn_mul4x_mont(rp, ap, bp, np, n0, num); } diff --git a/crypto/fipsmodule/bn/montgomery_inv.c b/crypto/fipsmodule/bn/montgomery_inv.c index 98089f84c8..5f15643ba0 100644 --- a/crypto/fipsmodule/bn/montgomery_inv.c +++ b/crypto/fipsmodule/bn/montgomery_inv.c @@ -16,8 +16,8 @@ #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" static uint64_t bn_neg_inv_mod_r_u64(uint64_t n); @@ -205,8 +205,8 @@ int bn_mont_ctx_set_RR_consttime(BN_MONT_CTX *mont, BN_CTX *ctx) { // first n_bits - 1 doubles can be skipped because we don't need to reduce. if (!BN_set_bit(&mont->RR, n_bits - 1) || !bn_mod_lshift_consttime(&mont->RR, &mont->RR, - threshold + (lgBigR - (n_bits - 1)), - &mont->N, ctx)) { + threshold + (lgBigR - (n_bits - 1)), &mont->N, + ctx)) { return 0; } diff --git a/crypto/fipsmodule/bn/mul.c b/crypto/fipsmodule/bn/mul.c index 09d92380c4..a8e116c544 100644 --- a/crypto/fipsmodule/bn/mul.c +++ b/crypto/fipsmodule/bn/mul.c @@ -64,8 +64,8 @@ #include #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" #define BN_MUL_RECURSIVE_SIZE_NORMAL 16 
@@ -182,9 +182,7 @@ int bn_abs_sub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, int r_len = a->width < b->width ? b->width : a->width; BN_CTX_start(ctx); BIGNUM *tmp = BN_CTX_get(ctx); - int ok = tmp != NULL && - bn_wexpand(r, r_len) && - bn_wexpand(tmp, r_len); + int ok = tmp != NULL && bn_wexpand(r, r_len) && bn_wexpand(tmp, r_len); if (ok) { bn_abs_sub_part_words(r->d, a->d, b->d, cl, dl, tmp->d); r->width = r_len; @@ -209,8 +207,8 @@ static void bn_mul_recursive(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, // |n2| is a power of two. assert(n2 != 0 && (n2 & (n2 - 1)) == 0); // Check |dna| and |dnb| are in range. - assert(-BN_MUL_RECURSIVE_SIZE_NORMAL/2 <= dna && dna <= 0); - assert(-BN_MUL_RECURSIVE_SIZE_NORMAL/2 <= dnb && dnb <= 0); + assert(-BN_MUL_RECURSIVE_SIZE_NORMAL / 2 <= dna && dna <= 0); + assert(-BN_MUL_RECURSIVE_SIZE_NORMAL / 2 <= dnb && dnb <= 0); // Only call bn_mul_comba 8 if n2 == 8 and the // two arrays are complete [steve] @@ -472,8 +470,7 @@ static int bn_mul_impl(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, // algorithms. Is this optimization necessary? See notes in // https://boringssl-review.googlesource.com/q/I0bd604e2cd6a75c266f64476c23a730ca1721ea6 assert(al >= j && bl >= j); - if (!bn_wexpand(t, j * 8) || - !bn_wexpand(rr, j * 4)) { + if (!bn_wexpand(t, j * 8) || !bn_wexpand(rr, j * 4)) { goto err; } bn_mul_part_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d); @@ -481,8 +478,7 @@ static int bn_mul_impl(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, // al <= j && bl <= j. Additionally, we know j <= al or j <= bl, so one // of al - j or bl - j is zero. The other, by the bound on |i| above, is // zero or -1. Thus, we can use |bn_mul_recursive|. - if (!bn_wexpand(t, j * 4) || - !bn_wexpand(rr, j * 2)) { + if (!bn_wexpand(t, j * 4) || !bn_wexpand(rr, j * 2)) { goto err; } bn_mul_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d); 
diff --git a/crypto/fipsmodule/bn/prime.c b/crypto/fipsmodule/bn/prime.c index 3704414973..dbf4e0ee31 100644 --- a/crypto/fipsmodule/bn/prime.c +++ b/crypto/fipsmodule/bn/prime.c @@ -111,8 +111,8 @@ #include #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" // kPrimes contains the first 1024 primes. @@ -364,15 +364,14 @@ BN_GENCB *BN_GENCB_new(void) { return OPENSSL_zalloc(sizeof(BN_GENCB)); } void BN_GENCB_free(BN_GENCB *callback) { OPENSSL_free(callback); } void BN_GENCB_set(BN_GENCB *callback, - int (*f)(int event, int n, struct bn_gencb_st *), - void *arg) { + int (*f)(int event, int n, struct bn_gencb_st *), void *arg) { callback->type = BN_GENCB_NEW_STYLE; callback->callback.new_style = f; callback->arg = arg; } -void BN_GENCB_set_old(BN_GENCB *callback, - void (*f)(int, int, void *), void *arg) { +void BN_GENCB_set_old(BN_GENCB *callback, void (*f)(int, int, void *), + void *arg) { callback->type = BN_GENCB_OLD_STYLE; callback->callback.old_style = f; callback->arg = arg; @@ -528,10 +527,8 @@ int bn_miller_rabin_init(BN_MILLER_RABIN *miller_rabin, const BN_MONT_CTX *mont, miller_rabin->m = BN_CTX_get(ctx); miller_rabin->one_mont = BN_CTX_get(ctx); miller_rabin->w1_mont = BN_CTX_get(ctx); - if (miller_rabin->w1 == NULL || - miller_rabin->m == NULL || - miller_rabin->one_mont == NULL || - miller_rabin->w1_mont == NULL) { + if (miller_rabin->w1 == NULL || miller_rabin->m == NULL || + miller_rabin->one_mont == NULL || miller_rabin->w1_mont == NULL) { return 0; } @@ -764,7 +761,7 @@ int BN_primality_test(int *out_is_probably_prime, const BIGNUM *w, int checks, // Step 4.1-4.2 int is_uniform; if (!bn_rand_secret_range(b, &is_uniform, 2, miller_rabin.w1)) { - goto err; + goto err; } uniform_iterations += is_uniform; 
@@ -833,9 +830,7 @@ int BN_enhanced_miller_rabin_primality_test( BN_CTX_start(ctx); BIGNUM *w1 = BN_CTX_get(ctx); - if (w1 == NULL || - !BN_copy(w1, w) || - !BN_sub_word(w1, 1)) { + if (w1 == NULL || !BN_copy(w1, w) || !BN_sub_word(w1, 1)) { goto err; } @@ -845,8 +840,7 @@ int BN_enhanced_miller_rabin_primality_test( a++; } BIGNUM *m = BN_CTX_get(ctx); - if (m == NULL || - !BN_rshift(m, w1, a)) { + if (m == NULL || !BN_rshift(m, w1, a)) { goto err; } @@ -855,11 +849,7 @@ int BN_enhanced_miller_rabin_primality_test( BIGNUM *z = BN_CTX_get(ctx); BIGNUM *x = BN_CTX_get(ctx); BIGNUM *x1 = BN_CTX_get(ctx); - if (b == NULL || - g == NULL || - z == NULL || - x == NULL || - x1 == NULL) { + if (b == NULL || g == NULL || z == NULL || x == NULL || x1 == NULL) { goto err; } @@ -920,11 +910,9 @@ int BN_enhanced_miller_rabin_primality_test( goto err; } - composite: + composite: // Step 4.12-4.14 - if (!BN_copy(x1, x) || - !BN_sub_word(x1, 1) || - !BN_gcd(g, x1, w, ctx)) { + if (!BN_copy(x1, x) || !BN_sub_word(x1, 1) || !BN_gcd(g, x1, w, ctx)) { goto err; } if (BN_cmp_word(g, 1) > 0) { @@ -936,7 +924,7 @@ int BN_enhanced_miller_rabin_primality_test( ret = 1; goto err; - loop: + loop: // Step 4.15 if (!BN_GENCB_call(cb, BN_GENCB_PRIME_TEST, i - 1)) { goto err; diff --git a/crypto/fipsmodule/bn/random.c b/crypto/fipsmodule/bn/random.c index 04e737900d..f777fc9f9d 100644 --- a/crypto/fipsmodule/bn/random.c +++ b/crypto/fipsmodule/bn/random.c @@ -115,9 +115,9 @@ #include #include -#include "internal.h" #include "../../internal.h" #include "../rand/internal.h" +#include "internal.h" int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) { 
@@ -226,8 +226,7 @@ static int bn_range_to_mask(size_t *out_words, BN_ULONG *out_mask, while (words > 0 && max_exclusive[words - 1] == 0) { words--; } - if (words == 0 || - (words == 1 && max_exclusive[0] <= min_inclusive)) { + if (words == 0 || (words == 1 && max_exclusive[0] <= min_inclusive)) { OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE); return 0; } diff --git a/crypto/fipsmodule/bn/rsaz_exp.c b/crypto/fipsmodule/bn/rsaz_exp.c index 4df5470473..1b29d5dbed 100644 --- a/crypto/fipsmodule/bn/rsaz_exp.c +++ b/crypto/fipsmodule/bn/rsaz_exp.c @@ -18,16 +18,16 @@ #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" // rsaz_one is 1 in RSAZ's representation. alignas(64) static const BN_ULONG rsaz_one[40] = { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; -// rsaz_two80 is 2^80 in RSAZ's representation. Note RSAZ uses base 2^29, so this is -// 2^(29*2 + 22) = 2^80, not 2^(64*2 + 22). +// rsaz_two80 is 2^80 in RSAZ's representation. Note RSAZ uses base 2^29, so +// this is 2^(29*2 + 22) = 2^80, not 2^(64*2 + 22). alignas(64) static const BN_ULONG rsaz_two80[40] = { 0, 0, 1 << 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; diff --git a/crypto/fipsmodule/bn/rsaz_exp.h b/crypto/fipsmodule/bn/rsaz_exp.h index 72e39e5572..ecc310e5f8 100644 --- a/crypto/fipsmodule/bn/rsaz_exp.h +++ b/crypto/fipsmodule/bn/rsaz_exp.h @@ -17,9 +17,9 @@ #include -#include "internal.h" #include "../../internal.h" #include "../cpucap/internal.h" +#include "internal.h" #if defined(__cplusplus) extern "C" { 
@@ -41,9 +41,7 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16], const BN_ULONG base_norm[16], BN_ULONG k0, BN_ULONG storage_words[MOD_EXP_CTIME_STORAGE_LEN]); -OPENSSL_INLINE int rsaz_avx2_capable(void) { - return CRYPTO_is_AVX2_capable(); -} +OPENSSL_INLINE int rsaz_avx2_capable(void) { return CRYPTO_is_AVX2_capable(); } OPENSSL_INLINE int rsaz_avx2_preferred(void) { if (CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() && @@ -136,19 +134,12 @@ void rsaz_1024_red2norm_avx2(BN_ULONG norm[16], const BN_ULONG red[40]); // NB: This function does not do any checks on its arguments, its // caller, `BN_mod_exp_mont_consttime_x2`, checks args. It should be // the function used directly. -int RSAZ_mod_exp_avx512_x2(uint64_t *res1, - const uint64_t *base1, - const uint64_t *exponent1, - const uint64_t *m1, - const uint64_t *RR1, - uint64_t k0_1, - uint64_t *res2, - const uint64_t *base2, - const uint64_t *exponent2, - const uint64_t *m2, - const uint64_t *RR2, - uint64_t k0_2, - int modlen); +int RSAZ_mod_exp_avx512_x2(uint64_t *res1, const uint64_t *base1, + const uint64_t *exponent1, const uint64_t *m1, + const uint64_t *RR1, uint64_t k0_1, uint64_t *res2, + const uint64_t *base2, const uint64_t *exponent2, + const uint64_t *m2, const uint64_t *RR2, + uint64_t k0_2, int modlen); // Naming convention for the following functions: // @@ -207,8 +198,7 @@ void rsaz_amm52x20_x2_ifma256(uint64_t *out, const uint64_t *a, // Extracted value (output) is 2 20 digit numbers in 2^52 radix. // // EXP_WIN_SIZE = 5 -void extract_multiplier_2x20_win5(uint64_t *red_Y, - const uint64_t *red_table, +void extract_multiplier_2x20_win5(uint64_t *red_Y, const uint64_t *red_table, int red_table_idx1, int red_table_idx2); // Almost Montgomery Multiplication (AMM) for 30-digit number in radix 
@@ -264,8 +254,7 @@ void rsaz_amm52x30_x2_ifma256(uint64_t *out, const uint64_t *a, // radix. (2 high QW is zero padding) // // EXP_WIN_SIZE = 5 -void extract_multiplier_2x30_win5(uint64_t *red_Y, - const uint64_t *red_table, +void extract_multiplier_2x30_win5(uint64_t *red_Y, const uint64_t *red_table, int red_table_idx1, int red_table_idx2); // Almost Montgomery Multiplication (AMM) for 40-digit number in radix @@ -309,16 +298,16 @@ void rsaz_amm52x40_x2_ifma256(uint64_t *out, const uint64_t *a, // Constant time extraction from the precomputed table of powers base^i, where // i = 0..2^EXP_WIN_SIZE-1 // -// The input |red_table| contains precomputations for two independent base values. -// |red_table_idx1| and |red_table_idx2| are corresponding power indexes. +// The input |red_table| contains precomputations for two independent base +// values. |red_table_idx1| and |red_table_idx2| are corresponding power +// indexes. // // Extracted value (output) is 2 40 digits numbers in 2^52 radix. // // EXP_WIN_SIZE = 5 -void extract_multiplier_2x40_win5(uint64_t *red_Y, - const uint64_t *red_table, +void extract_multiplier_2x40_win5(uint64_t *red_Y, const uint64_t *red_table, int red_table_idx1, int red_table_idx2); -#endif // !MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX +#endif // !MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX #endif // !OPENSSL_NO_ASM && OPENSSL_X86_64 diff --git a/crypto/fipsmodule/bn/rsaz_exp_x2.c b/crypto/fipsmodule/bn/rsaz_exp_x2.c index a967671f64..fc6c6e53af 100644 --- a/crypto/fipsmodule/bn/rsaz_exp_x2.c +++ b/crypto/fipsmodule/bn/rsaz_exp_x2.c 
@@ -13,23 +13,23 @@ // Intel Corporation #ifdef RSAZ_512_ENABLED -#include #include +#include #include "../../internal.h" #include "rsaz_exp.h" // Internal radix -# define DIGIT_SIZE (52) +#define DIGIT_SIZE (52) // 52-bit mask -# define DIGIT_MASK ((uint64_t)0xFFFFFFFFFFFFF) +#define DIGIT_MASK ((uint64_t)0xFFFFFFFFFFFFF) -# define BITS2WORD8_SIZE(x) (((x) + 7) >> 3) -# define BITS2WORD64_SIZE(x) (((x) + 63) >> 6) +#define BITS2WORD8_SIZE(x) (((x) + 7) >> 3) +#define BITS2WORD64_SIZE(x) (((x) + 63) >> 6) // Number of registers required to hold |digits_num| amount of qword // digits -# define NUMBER_OF_REGISTERS(digits_num, register_size) \ - (((digits_num) * 64 + (register_size) - 1) / (register_size)) +#define NUMBER_OF_REGISTERS(digits_num, register_size) \ + (((digits_num)*64 + (register_size)-1) / (register_size)) OPENSSL_INLINE uint64_t get_digit(const uint8_t *in, int in_len); OPENSSL_INLINE void put_digit(uint8_t *out, int out_len, uint64_t digit); @@ -39,9 +39,8 @@ static void from_words52(uint64_t *bn_out, int out_bitsize, const uint64_t *in); OPENSSL_INLINE void set_bit(uint64_t *a, int idx); // Number of |digit_size|-bit digits in |bitsize|-bit value -OPENSSL_INLINE int number_of_digits(int bitsize, int digit_size) -{ - return (bitsize + digit_size - 1) / digit_size; +OPENSSL_INLINE int number_of_digits(int bitsize, int digit_size) { + return (bitsize + digit_size - 1) / digit_size; } @@ -54,7 +53,8 @@ OPENSSL_INLINE int number_of_digits(int bitsize, int digit_size) // [out] res - result of modular exponentiation: 2x{20,30,40} qword // values in 2^52 radix. // [in] base - base (2x{20,30,40} qword values in 2^52 radix) -// [in] exp - array of 2 pointers to {16,24,32} qword values in 2^64 radix. +// [in] exp - array of 2 pointers to {16,24,32} qword values in 2^64 +// radix. // Exponent is not converted to redundant representation. // [in] m - moduli (2x{20,30,40} qword values in 2^52 radix) // [in] rr - Montgomery parameter for 2 moduli: 
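Review bot: The reformatted `NUMBER_OF_REGISTERS` macro now reads `(((digits_num)*64 + (register_size)-1) / (register_size))`, where the formatter has treated `(digits_num)*` and `(register_size)-` as a pointer declarator and a cast rather than as multiplication and subtraction; the value is unchanged, but the spacing misstates the arithmetic to a reader. Since this file already expresses the sibling helper as a function (`number_of_digits` in the next hunk uses `OPENSSL_INLINE`), the cleaner fix is to give this one the same form, which also type-checks its arguments and formats correctly: `OPENSSL_INLINE int number_of_registers(int digits_num, int register_size) {` / `  return (digits_num * 64 + register_size - 1) / register_size;` / `}`. The macro's single use (`NUMBER_OF_REGISTERS(red_digits, 256)` in `RSAZ_mod_exp_avx512_x2`) sits in the large hunk that follows, so the call site would need to change with it.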
@@ -73,547 +73,533 @@ static int rsaz_mod_exp_x2_ifma256(uint64_t *res, const uint64_t *base, // NB: This function does not do any checks on its arguments, its // caller `BN_mod_exp_mont_consttime_x2`, checks args. It should be // the function used directly. -int RSAZ_mod_exp_avx512_x2(uint64_t *res1, - const uint64_t *base1, - const uint64_t *exp1, - const uint64_t *m1, - const uint64_t *rr1, - uint64_t k0_1, - uint64_t *res2, - const uint64_t *base2, - const uint64_t *exp2, - const uint64_t *m2, - const uint64_t *rr2, - uint64_t k0_2, - int modlen) -{ +int RSAZ_mod_exp_avx512_x2(uint64_t *res1, const uint64_t *base1, + const uint64_t *exp1, const uint64_t *m1, + const uint64_t *rr1, uint64_t k0_1, uint64_t *res2, + const uint64_t *base2, const uint64_t *exp2, + const uint64_t *m2, const uint64_t *rr2, + uint64_t k0_2, int modlen) { #ifdef BORINGSSL_DISPATCH_TEST - BORINGSSL_function_hit[8] = 1; + BORINGSSL_function_hit[8] = 1; #endif - typedef void (*AMM)(uint64_t *res, const uint64_t *a, - const uint64_t *b, const uint64_t *m, uint64_t k0); - int ret = 0; - - // Number of word-size (uint64_t) digits to store values in - // redundant representation. - int red_digits = number_of_digits(modlen + 2, DIGIT_SIZE); - - // n = modlen, d = DIGIT_SIZE, s = d * ceil((n+2)/d) > n - // k = 4 * (s - n) = bitlen_diff - // - // Given the Montgomery domain conversion value RR = R^2 mod m[i] - // = 2^2n mod m[i] and that for the larger representation in s - // bits, RR' = R'^2 mod m[i] = 2^2s mod m[i], bitlen_diff is - // needed to convert from RR to RR' as explained below in its - // calculation. 
- int bitlen_diff = 4 * (DIGIT_SIZE * red_digits - modlen); - - // Number of YMM registers required to store a value - int num_ymm_regs = NUMBER_OF_REGISTERS(red_digits, 256); - // Capacity of the register set (in qwords = 64-bits) to store a - // value - int regs_capacity = num_ymm_regs * 4; - - // The following 7 values are in redundant representation and are - // to be stored contiguously in storage_aligned as needed by the - // function rsaz_mod_exp_x2_ifma256. - uint64_t *base1_red, *m1_red, *rr1_red; - uint64_t *base2_red, *m2_red, *rr2_red; - uint64_t *coeff_red; - - uint64_t *storage = NULL; - uint64_t *storage_aligned = NULL; - int storage_len_bytes = 7 * regs_capacity * sizeof(uint64_t) - + 64; // alignment - - const uint64_t *exp[2] = {0}; - uint64_t k0[2] = {0}; - // AMM = Almost Montgomery Multiplication - AMM amm = NULL; - - switch (modlen) { + typedef void (*AMM)(uint64_t *res, const uint64_t *a, const uint64_t *b, + const uint64_t *m, uint64_t k0); + int ret = 0; + + // Number of word-size (uint64_t) digits to store values in + // redundant representation. + int red_digits = number_of_digits(modlen + 2, DIGIT_SIZE); + + // n = modlen, d = DIGIT_SIZE, s = d * ceil((n+2)/d) > n + // k = 4 * (s - n) = bitlen_diff + // + // Given the Montgomery domain conversion value RR = R^2 mod m[i] + // = 2^2n mod m[i] and that for the larger representation in s + // bits, RR' = R'^2 mod m[i] = 2^2s mod m[i], bitlen_diff is + // needed to convert from RR to RR' as explained below in its + // calculation. + int bitlen_diff = 4 * (DIGIT_SIZE * red_digits - modlen); + + // Number of YMM registers required to store a value + int num_ymm_regs = NUMBER_OF_REGISTERS(red_digits, 256); + // Capacity of the register set (in qwords = 64-bits) to store a + // value + int regs_capacity = num_ymm_regs * 4; + + // The following 7 values are in redundant representation and are + // to be stored contiguously in storage_aligned as needed by the + // function rsaz_mod_exp_x2_ifma256. 
+ uint64_t *base1_red, *m1_red, *rr1_red; + uint64_t *base2_red, *m2_red, *rr2_red; + uint64_t *coeff_red; + + uint64_t *storage = NULL; + uint64_t *storage_aligned = NULL; + int storage_len_bytes = + 7 * regs_capacity * sizeof(uint64_t) + 64; // alignment + + const uint64_t *exp[2] = {0}; + uint64_t k0[2] = {0}; + // AMM = Almost Montgomery Multiplication + AMM amm = NULL; + + switch (modlen) { case 1024: - amm = rsaz_amm52x20_x1_ifma256; - break; + amm = rsaz_amm52x20_x1_ifma256; + break; case 1536: - amm = rsaz_amm52x30_x1_ifma256; - break; + amm = rsaz_amm52x30_x1_ifma256; + break; case 2048: - amm = rsaz_amm52x40_x1_ifma256; - break; + amm = rsaz_amm52x40_x1_ifma256; + break; default: - goto err; - } - - storage = (uint64_t *)OPENSSL_malloc(storage_len_bytes); - if (storage == NULL) - goto err; - storage_aligned = (uint64_t *)align_pointer(storage, 64); - - // Memory layout for red(undant) representations - base1_red = storage_aligned; - base2_red = storage_aligned + 1 * regs_capacity; - m1_red = storage_aligned + 2 * regs_capacity; - m2_red = storage_aligned + 3 * regs_capacity; - rr1_red = storage_aligned + 4 * regs_capacity; - rr2_red = storage_aligned + 5 * regs_capacity; - coeff_red = storage_aligned + 6 * regs_capacity; - - // Convert base_i, m_i, rr_i, from regular to 52-bit radix - to_words52(base1_red, regs_capacity, base1, modlen); - to_words52(base2_red, regs_capacity, base2, modlen); - to_words52(m1_red, regs_capacity, m1, modlen); - to_words52(m2_red, regs_capacity, m2, modlen); - to_words52(rr1_red, regs_capacity, rr1, modlen); - to_words52(rr2_red, regs_capacity, rr2, modlen); - - // Based on the definition of n and s above, we have - // R = 2^n mod m; RR = R^2 mod m - // R' = 2^s mod m; RR' = R'^2 mod m - // To obtain R'^2 from R^2: - // - Let t = AMM(RR, RR) = R^4 / R' mod m -- (1) - // - Note that R'4 = R^4 * 2^{4*(s-n)} mod m - // - Let k = 4 * (s - n) - // - We have AMM(t, 2^k) = R^4 * 2^{4*(s-n)} / R'^2 mod m -- (2) - // = R'^4 / R'^2 mod 
m - // = R'^2 mod m - // For example, for n = 1024, s = 1040, k = 64, - // RR = 2^2048 mod m, RR' = 2^2080 mod m - - OPENSSL_memset(coeff_red, 0, red_digits * sizeof(uint64_t)); - // coeff_red = 2^k = 1 << bitlen_diff taking into account the - // redundant representation in digits of DIGIT_SIZE bits - set_bit(coeff_red, 64 * (int)(bitlen_diff / DIGIT_SIZE) + bitlen_diff % DIGIT_SIZE); - - amm(rr1_red, rr1_red, rr1_red, m1_red, k0_1); // (1) for m1 - amm(rr1_red, rr1_red, coeff_red, m1_red, k0_1); // (2) for m1 - - amm(rr2_red, rr2_red, rr2_red, m2_red, k0_2); // (1) for m2 - amm(rr2_red, rr2_red, coeff_red, m2_red, k0_2); // (2) for m2 - - exp[0] = exp1; - exp[1] = exp2; - - k0[0] = k0_1; - k0[1] = k0_2; - - // Compute res|i| = base|i| ^ exp|i| mod m|i| in parallel in - // their contiguous form. - ret = rsaz_mod_exp_x2_ifma256(rr1_red, base1_red, exp, m1_red, rr1_red, - k0, modlen); - if (!ret) - goto err; - - // Convert rr_i back to regular radix - from_words52(res1, modlen, rr1_red); - from_words52(res2, modlen, rr2_red); - - // bn_reduce_once_in_place expects number of uint64_t, not bit - // size - modlen /= sizeof(uint64_t) * 8; - - bn_reduce_once_in_place(res1, 0, m1, storage, modlen); - bn_reduce_once_in_place(res2, 0, m2, storage, modlen); + goto err; + } + + storage = (uint64_t *)OPENSSL_malloc(storage_len_bytes); + if (storage == NULL) + goto err; + storage_aligned = (uint64_t *)align_pointer(storage, 64); + + // Memory layout for red(undant) representations + base1_red = storage_aligned; + base2_red = storage_aligned + 1 * regs_capacity; + m1_red = storage_aligned + 2 * regs_capacity; + m2_red = storage_aligned + 3 * regs_capacity; + rr1_red = storage_aligned + 4 * regs_capacity; + rr2_red = storage_aligned + 5 * regs_capacity; + coeff_red = storage_aligned + 6 * regs_capacity; + + // Convert base_i, m_i, rr_i, from regular to 52-bit radix + to_words52(base1_red, regs_capacity, base1, modlen); + to_words52(base2_red, regs_capacity, base2, modlen); + 
to_words52(m1_red, regs_capacity, m1, modlen); + to_words52(m2_red, regs_capacity, m2, modlen); + to_words52(rr1_red, regs_capacity, rr1, modlen); + to_words52(rr2_red, regs_capacity, rr2, modlen); + + // Based on the definition of n and s above, we have + // R = 2^n mod m; RR = R^2 mod m + // R' = 2^s mod m; RR' = R'^2 mod m + // To obtain R'^2 from R^2: + // - Let t = AMM(RR, RR) = R^4 / R' mod m -- (1) + // - Note that R'4 = R^4 * 2^{4*(s-n)} mod m + // - Let k = 4 * (s - n) + // - We have AMM(t, 2^k) = R^4 * 2^{4*(s-n)} / R'^2 mod m -- (2) + // = R'^4 / R'^2 mod m + // = R'^2 mod m + // For example, for n = 1024, s = 1040, k = 64, + // RR = 2^2048 mod m, RR' = 2^2080 mod m + + OPENSSL_memset(coeff_red, 0, red_digits * sizeof(uint64_t)); + // coeff_red = 2^k = 1 << bitlen_diff taking into account the + // redundant representation in digits of DIGIT_SIZE bits + set_bit(coeff_red, + 64 * (int)(bitlen_diff / DIGIT_SIZE) + bitlen_diff % DIGIT_SIZE); + + amm(rr1_red, rr1_red, rr1_red, m1_red, k0_1); // (1) for m1 + amm(rr1_red, rr1_red, coeff_red, m1_red, k0_1); // (2) for m1 + + amm(rr2_red, rr2_red, rr2_red, m2_red, k0_2); // (1) for m2 + amm(rr2_red, rr2_red, coeff_red, m2_red, k0_2); // (2) for m2 + + exp[0] = exp1; + exp[1] = exp2; + + k0[0] = k0_1; + k0[1] = k0_2; + + // Compute res|i| = base|i| ^ exp|i| mod m|i| in parallel in + // their contiguous form. 
+ ret = rsaz_mod_exp_x2_ifma256(rr1_red, base1_red, exp, m1_red, rr1_red, k0, + modlen); + if (!ret) + goto err; + + // Convert rr_i back to regular radix + from_words52(res1, modlen, rr1_red); + from_words52(res2, modlen, rr2_red); + + // bn_reduce_once_in_place expects number of uint64_t, not bit + // size + modlen /= sizeof(uint64_t) * 8; + + bn_reduce_once_in_place(res1, 0, m1, storage, modlen); + bn_reduce_once_in_place(res2, 0, m2, storage, modlen); err: - if (storage != NULL) { - OPENSSL_cleanse(storage, storage_len_bytes); - OPENSSL_free(storage); - } - return ret; + if (storage != NULL) { + OPENSSL_cleanse(storage, storage_len_bytes); + OPENSSL_free(storage); + } + return ret; } -int rsaz_mod_exp_x2_ifma256(uint64_t *out, - const uint64_t *base, - const uint64_t *exp[2], - const uint64_t *m, - const uint64_t *rr, - const uint64_t k0[2], - int modlen) -{ - - typedef void (*DAMM)(uint64_t *res, const uint64_t *a, - const uint64_t *b, const uint64_t *m, - const uint64_t k0[2]); - typedef void (*DEXTRACT)(uint64_t *res, const uint64_t *red_table, - int red_table_idx, int tbl_idx); - - int ret = 0; - int idx; - - // Exponent window size - int exp_win_size = 5; - int two_to_exp_win_size = 1U << exp_win_size; - int exp_win_mask = two_to_exp_win_size - 1; - - // Number of digits (64-bit words) in redundant representation to - // handle modulus bits - int red_digits = 0; - // Number of digits (64-bit words) to store the two exponents, - // found in `exp`. 
- int exp_digits = 0; - - uint64_t *storage = NULL; - uint64_t *storage_aligned = NULL; - int storage_len_bytes = 0; - - // Red(undant) result Y and multiplier X - uint64_t *red_Y = NULL; // [2][red_digits] - uint64_t *red_X = NULL; // [2][red_digits] - /* Pre-computed table of base powers */ - uint64_t *red_table = NULL; // [two_to_exp_win_size][2][red_digits] - // Expanded exponent - uint64_t *expz = NULL; // [2][exp_digits + 1] - - // Dual AMM - DAMM damm = NULL; - // Extractor from red_table - DEXTRACT extract = NULL; +int rsaz_mod_exp_x2_ifma256(uint64_t *out, const uint64_t *base, + const uint64_t *exp[2], const uint64_t *m, + const uint64_t *rr, const uint64_t k0[2], + int modlen) { + typedef void (*DAMM)(uint64_t *res, const uint64_t *a, const uint64_t *b, + const uint64_t *m, const uint64_t k0[2]); + typedef void (*DEXTRACT)(uint64_t *res, const uint64_t *red_table, + int red_table_idx, int tbl_idx); + + int ret = 0; + int idx; + + // Exponent window size + int exp_win_size = 5; + int two_to_exp_win_size = 1U << exp_win_size; + int exp_win_mask = two_to_exp_win_size - 1; + + // Number of digits (64-bit words) in redundant representation to + // handle modulus bits + int red_digits = 0; + // Number of digits (64-bit words) to store the two exponents, + // found in `exp`. + int exp_digits = 0; + + uint64_t *storage = NULL; + uint64_t *storage_aligned = NULL; + int storage_len_bytes = 0; + + // Red(undant) result Y and multiplier X + uint64_t *red_Y = NULL; // [2][red_digits] + uint64_t *red_X = NULL; // [2][red_digits] + /* Pre-computed table of base powers */ + uint64_t *red_table = NULL; // [two_to_exp_win_size][2][red_digits] + // Expanded exponent + uint64_t *expz = NULL; // [2][exp_digits + 1] + + // Dual AMM + DAMM damm = NULL; + // Extractor from red_table + DEXTRACT extract = NULL; // Squaring is done using multiplication now. That can be a subject of // optimization in future. 
-# define DAMS(r,a,m,k0) damm((r),(a),(a),(m),(k0)) +#define DAMS(r, a, m, k0) damm((r), (a), (a), (m), (k0)) - switch (modlen) { + switch (modlen) { case 1024: - red_digits = 20; - exp_digits = 16; - damm = rsaz_amm52x20_x2_ifma256; - extract = extract_multiplier_2x20_win5; - break; + red_digits = 20; + exp_digits = 16; + damm = rsaz_amm52x20_x2_ifma256; + extract = extract_multiplier_2x20_win5; + break; case 1536: - // Extended with 2 digits padding to avoid mask ops in high YMM register - red_digits = 30 + 2; - exp_digits = 24; - damm = rsaz_amm52x30_x2_ifma256; - extract = extract_multiplier_2x30_win5; - break; + // Extended with 2 digits padding to avoid mask ops in high YMM register + red_digits = 30 + 2; + exp_digits = 24; + damm = rsaz_amm52x30_x2_ifma256; + extract = extract_multiplier_2x30_win5; + break; case 2048: - red_digits = 40; - exp_digits = 32; - damm = rsaz_amm52x40_x2_ifma256; - extract = extract_multiplier_2x40_win5; - break; + red_digits = 40; + exp_digits = 32; + damm = rsaz_amm52x40_x2_ifma256; + extract = extract_multiplier_2x40_win5; + break; default: - goto err; - } - - // allocate space for 2x num digits, aligned because the data in - // the vectors need to be 64-bit aligned. - storage_len_bytes = (2 * red_digits // red_Y - + 2 * red_digits // red_X - + 2 * red_digits * two_to_exp_win_size // red_table - + 2 * (exp_digits + 1)) // expz - * sizeof(uint64_t) - + 64; // alignment - - storage = (uint64_t *)OPENSSL_malloc(storage_len_bytes); - if (storage == NULL) - goto err; - OPENSSL_cleanse(storage, storage_len_bytes); - storage_aligned = (uint64_t *)align_pointer(storage, 64); - - red_Y = storage_aligned; - red_X = red_Y + 2 * red_digits; - red_table = red_X + 2 * red_digits; - expz = red_table + 2 * red_digits * two_to_exp_win_size; - - // Compute table of powers base^i mod m, - // i = 0, ..., (2^EXP_WIN_SIZE) - 1 - // using the dual multiplication. Each table entry contains - // base1^i mod m1, then base2^i mod m2. 
- - red_X[0 * red_digits] = 1; - red_X[1 * red_digits] = 1; - damm(&red_table[0 * 2 * red_digits], (const uint64_t*)red_X, rr, m, k0); - damm(&red_table[1 * 2 * red_digits], base, rr, m, k0); - - for (idx = 1; idx < (int)(two_to_exp_win_size / 2); idx++) { - DAMS(&red_table[(2 * idx + 0) * 2 * red_digits], - &red_table[(1 * idx) * 2 * red_digits], m, k0); - damm(&red_table[(2 * idx + 1) * 2 * red_digits], - &red_table[(2 * idx) * 2 * red_digits], - &red_table[1 * 2 * red_digits], m, k0); - } - - // Copy and expand exponents - memcpy(&expz[0 * (exp_digits + 1)], exp[0], exp_digits * sizeof(uint64_t)); - expz[1 * (exp_digits + 1) - 1] = 0; - memcpy(&expz[1 * (exp_digits + 1)], exp[1], exp_digits * sizeof(uint64_t)); - expz[2 * (exp_digits + 1) - 1] = 0; + goto err; + } + + // allocate space for 2x num digits, aligned because the data in + // the vectors need to be 64-bit aligned. + storage_len_bytes = (2 * red_digits // red_Y + + 2 * red_digits // red_X + + 2 * red_digits * two_to_exp_win_size // red_table + + 2 * (exp_digits + 1)) // expz + * sizeof(uint64_t) + + 64; // alignment + + storage = (uint64_t *)OPENSSL_malloc(storage_len_bytes); + if (storage == NULL) + goto err; + OPENSSL_cleanse(storage, storage_len_bytes); + storage_aligned = (uint64_t *)align_pointer(storage, 64); + + red_Y = storage_aligned; + red_X = red_Y + 2 * red_digits; + red_table = red_X + 2 * red_digits; + expz = red_table + 2 * red_digits * two_to_exp_win_size; + + // Compute table of powers base^i mod m, + // i = 0, ..., (2^EXP_WIN_SIZE) - 1 + // using the dual multiplication. Each table entry contains + // base1^i mod m1, then base2^i mod m2. 
+ + red_X[0 * red_digits] = 1; + red_X[1 * red_digits] = 1; + damm(&red_table[0 * 2 * red_digits], (const uint64_t *)red_X, rr, m, k0); + damm(&red_table[1 * 2 * red_digits], base, rr, m, k0); + + for (idx = 1; idx < (int)(two_to_exp_win_size / 2); idx++) { + DAMS(&red_table[(2 * idx + 0) * 2 * red_digits], + &red_table[(1 * idx) * 2 * red_digits], m, k0); + damm(&red_table[(2 * idx + 1) * 2 * red_digits], + &red_table[(2 * idx) * 2 * red_digits], &red_table[1 * 2 * red_digits], + m, k0); + } + + // Copy and expand exponents + memcpy(&expz[0 * (exp_digits + 1)], exp[0], exp_digits * sizeof(uint64_t)); + expz[1 * (exp_digits + 1) - 1] = 0; + memcpy(&expz[1 * (exp_digits + 1)], exp[1], exp_digits * sizeof(uint64_t)); + expz[2 * (exp_digits + 1) - 1] = 0; + + + // Exponentiation + // + // This is Algorithm 3 in iacr 2011-239 which is cited below as + // well. + // + // Rather than compute base^{exp} in one shot, the powers of + // base^i for i = [0..2^{exp_win_size}) are precomputed and stored + // in `red_table`. Each window of the exponent is then used as an + // index to look up the power in the table, and then that result + // goes through a "series of squaring", which repositions it with + // respect to where it appears in the complete exponent. That + // result is then multiplied by the previous result. + // + // The `extract` routine does the lookup, `DAMS` wraps the `damm` + // routine to set up squaring, while `damm` is the AMM + // routine. That is what you find happening in each iteration of + // this loop—the stepping through the exponent one + // `win_exp_size`-bit window at a time. + { + const int rem = modlen % exp_win_size; + const uint64_t table_idx_mask = exp_win_mask; + + int exp_bit_no = modlen - rem; + int exp_chunk_no = exp_bit_no / 64; + int exp_chunk_shift = exp_bit_no % 64; + + uint64_t red_table_idx_1, red_table_idx_2; + + // `rem` is { 1024, 1536, 2048 } % 5 which is { 4, 1, 3 } + // respectively. 
+ // + // If this assertion ever fails then we should set this easy + // fix exp_bit_no = modlen - exp_win_size + assert(rem == 4 || rem == 1 || rem == 3); - // Exponentiation - // - // This is Algorithm 3 in iacr 2011-239 which is cited below as - // well. - // - // Rather than compute base^{exp} in one shot, the powers of - // base^i for i = [0..2^{exp_win_size}) are precomputed and stored - // in `red_table`. Each window of the exponent is then used as an - // index to look up the power in the table, and then that result - // goes through a "series of squaring", which repositions it with - // respect to where it appears in the complete exponent. That - // result is then multiplied by the previous result. - // - // The `extract` routine does the lookup, `DAMS` wraps the `damm` - // routine to set up squaring, while `damm` is the AMM - // routine. That is what you find happening in each iteration of - // this loop—the stepping through the exponent one - // `win_exp_size`-bit window at a time. - { - const int rem = modlen % exp_win_size; - const uint64_t table_idx_mask = exp_win_mask; - - int exp_bit_no = modlen - rem; - int exp_chunk_no = exp_bit_no / 64; - int exp_chunk_shift = exp_bit_no % 64; - - uint64_t red_table_idx_1, red_table_idx_2; - - // `rem` is { 1024, 1536, 2048 } % 5 which is { 4, 1, 3 } - // respectively. - // - // If this assertion ever fails then we should set this easy - // fix exp_bit_no = modlen - exp_win_size - assert(rem == 4 || rem == 1 || rem == 3); - - - // Find the location of the 5-bit window in the exponent which - // is stored in 64-bit digits. Left pad it with 0s to form a - // 64-bit digit to become an index in the precomputed table. - // The window location in the exponent is identified by its - // least significant bit `exp_bit_no`. + // Find the location of the 5-bit window in the exponent which + // is stored in 64-bit digits. Left pad it with 0s to form a + // 64-bit digit to become an index in the precomputed table. 
+ // The window location in the exponent is identified by its + // least significant bit `exp_bit_no`. #define EXP_CHUNK(i) (exp_chunk_no) + ((i) * (exp_digits + 1)) #define EXP_CHUNK1(i) (exp_chunk_no) + 1 + ((i) * (exp_digits + 1)) - // Process 1-st exp window - just init result - red_table_idx_1 = expz[EXP_CHUNK(0)]; - red_table_idx_2 = expz[EXP_CHUNK(1)]; - - // The function operates with fixed moduli sizes divisible by - // 64, thus table index here is always in supported range [0, - // EXP_WIN_SIZE). - red_table_idx_1 >>= exp_chunk_shift; - red_table_idx_2 >>= exp_chunk_shift; - - extract(&red_Y[0 * red_digits], (const uint64_t*)red_table, - (int)red_table_idx_1, (int)red_table_idx_2); - - // Process other exp windows - for (exp_bit_no -= exp_win_size; exp_bit_no >= 0; exp_bit_no -= exp_win_size) { - // Extract pre-computed multiplier from the table - { - uint64_t T; - - exp_chunk_no = exp_bit_no / 64; - exp_chunk_shift = exp_bit_no % 64; - { - red_table_idx_1 = expz[EXP_CHUNK(0)]; - T = expz[EXP_CHUNK1(0)]; - - red_table_idx_1 >>= exp_chunk_shift; - // Get additional bits from then next quadword - // when 64-bit boundaries are crossed. - if (exp_chunk_shift > 64 - exp_win_size) { - T <<= (64 - exp_chunk_shift); - red_table_idx_1 ^= T; - } - red_table_idx_1 &= table_idx_mask; - } - { - red_table_idx_2 = expz[EXP_CHUNK(1)]; - T = expz[EXP_CHUNK1(1)]; - - red_table_idx_2 >>= exp_chunk_shift; - // Get additional bits from then next quadword - // when 64-bit boundaries are crossed. - if (exp_chunk_shift > 64 - exp_win_size) { - T <<= (64 - exp_chunk_shift); - red_table_idx_2 ^= T; - } - red_table_idx_2 &= table_idx_mask; - } - - extract(&red_X[0 * red_digits], (const uint64_t*)red_table, - (int)red_table_idx_1, (int)red_table_idx_2); - } - - // The number of squarings is equal to the window size. 
- DAMS((uint64_t*)red_Y, (const uint64_t*)red_Y, m, k0); - DAMS((uint64_t*)red_Y, (const uint64_t*)red_Y, m, k0); - DAMS((uint64_t*)red_Y, (const uint64_t*)red_Y, m, k0); - DAMS((uint64_t*)red_Y, (const uint64_t*)red_Y, m, k0); - DAMS((uint64_t*)red_Y, (const uint64_t*)red_Y, m, k0); - - damm((uint64_t*)red_Y, (const uint64_t*)red_Y, (const uint64_t*)red_X, m, k0); + // Process 1-st exp window - just init result + red_table_idx_1 = expz[EXP_CHUNK(0)]; + red_table_idx_2 = expz[EXP_CHUNK(1)]; + + // The function operates with fixed moduli sizes divisible by + // 64, thus table index here is always in supported range [0, + // EXP_WIN_SIZE). + red_table_idx_1 >>= exp_chunk_shift; + red_table_idx_2 >>= exp_chunk_shift; + + extract(&red_Y[0 * red_digits], (const uint64_t *)red_table, + (int)red_table_idx_1, (int)red_table_idx_2); + + // Process other exp windows + for (exp_bit_no -= exp_win_size; exp_bit_no >= 0; + exp_bit_no -= exp_win_size) { + // Extract pre-computed multiplier from the table + { + uint64_t T; + + exp_chunk_no = exp_bit_no / 64; + exp_chunk_shift = exp_bit_no % 64; + { + red_table_idx_1 = expz[EXP_CHUNK(0)]; + T = expz[EXP_CHUNK1(0)]; + + red_table_idx_1 >>= exp_chunk_shift; + // Get additional bits from then next quadword + // when 64-bit boundaries are crossed. + if (exp_chunk_shift > 64 - exp_win_size) { + T <<= (64 - exp_chunk_shift); + red_table_idx_1 ^= T; + } + red_table_idx_1 &= table_idx_mask; + } + { + red_table_idx_2 = expz[EXP_CHUNK(1)]; + T = expz[EXP_CHUNK1(1)]; + + red_table_idx_2 >>= exp_chunk_shift; + // Get additional bits from then next quadword + // when 64-bit boundaries are crossed. 
+ if (exp_chunk_shift > 64 - exp_win_size) { + T <<= (64 - exp_chunk_shift); + red_table_idx_2 ^= T; + } + red_table_idx_2 &= table_idx_mask; } - } - // NB: After the last AMM of exponentiation in Montgomery domain, the result - // may be (modlen + 1), but the conversion out of Montgomery domain - // performs an AMM(x,1) which guarantees that the final result is less than - // |m|, so no conditional subtraction is needed here. See [1] for details. - // - // [1] Gueron, S. Efficient software implementations of modular exponentiation. - // DOI: 10.1007/s13389-012-0031-5 + extract(&red_X[0 * red_digits], (const uint64_t *)red_table, + (int)red_table_idx_1, (int)red_table_idx_2); + } - // Convert exponentiation result out of Montgomery form but still - // in the redundant DIGIT_SIZE-bit representation. - memset(red_X, 0, 2 * red_digits * sizeof(uint64_t)); - red_X[0 * red_digits] = 1; - red_X[1 * red_digits] = 1; - damm(out, (const uint64_t*)red_Y, (const uint64_t*)red_X, m, k0); + // The number of squarings is equal to the window size. + DAMS((uint64_t *)red_Y, (const uint64_t *)red_Y, m, k0); + DAMS((uint64_t *)red_Y, (const uint64_t *)red_Y, m, k0); + DAMS((uint64_t *)red_Y, (const uint64_t *)red_Y, m, k0); + DAMS((uint64_t *)red_Y, (const uint64_t *)red_Y, m, k0); + DAMS((uint64_t *)red_Y, (const uint64_t *)red_Y, m, k0); - ret = 1; + damm((uint64_t *)red_Y, (const uint64_t *)red_Y, (const uint64_t *)red_X, + m, k0); + } + } + + // NB: After the last AMM of exponentiation in Montgomery domain, the result + // may be (modlen + 1), but the conversion out of Montgomery domain + // performs an AMM(x,1) which guarantees that the final result is less than + // |m|, so no conditional subtraction is needed here. See [1] for details. + // + // [1] Gueron, S. Efficient software implementations of modular + // exponentiation. 
+ // DOI: 10.1007/s13389-012-0031-5 + + // Convert exponentiation result out of Montgomery form but still + // in the redundant DIGIT_SIZE-bit representation. + memset(red_X, 0, 2 * red_digits * sizeof(uint64_t)); + red_X[0 * red_digits] = 1; + red_X[1 * red_digits] = 1; + damm(out, (const uint64_t *)red_Y, (const uint64_t *)red_X, m, k0); + + ret = 1; err: - if (storage != NULL) { - // Clear whole storage - OPENSSL_cleanse(storage, storage_len_bytes); - OPENSSL_free(storage); - } + if (storage != NULL) { + // Clear whole storage + OPENSSL_cleanse(storage, storage_len_bytes); + OPENSSL_free(storage); + } #undef DAMS - return ret; + return ret; } // Compute the digit represented by the bytes given in |in|. -OPENSSL_INLINE uint64_t get_digit(const uint8_t *in, int in_len) -{ - uint64_t digit = 0; +OPENSSL_INLINE uint64_t get_digit(const uint8_t *in, int in_len) { + uint64_t digit = 0; - assert(in != NULL); - assert(in_len <= 8); + assert(in != NULL); + assert(in_len <= 8); - for (; in_len > 0; in_len--) { - digit <<= 8; - digit += (uint64_t)(in[in_len - 1]); - } - return digit; + for (; in_len > 0; in_len--) { + digit <<= 8; + digit += (uint64_t)(in[in_len - 1]); + } + return digit; } // Convert array of words in regular (base=2^64) representation to // array of words in redundant (base=2^52) one. This is because the // multiply/add instruction uses 52-bit representations to leave room // for carries. 
-static void to_words52(uint64_t *out, int out_len, - const uint64_t *in, int in_bitsize) -{ - uint8_t *in_str = NULL; - - assert(out != NULL); - assert(in != NULL); - // Check destination buffer capacity - assert(out_len >= number_of_digits(in_bitsize, DIGIT_SIZE)); - - in_str = (uint8_t *)in; - - for (; in_bitsize >= (2 * DIGIT_SIZE); in_bitsize -= (2 * DIGIT_SIZE), out += 2) { - uint64_t digit; - - memcpy(&digit, in_str, sizeof(digit)); - out[0] = digit & DIGIT_MASK; - in_str += 6; - memcpy(&digit, in_str, sizeof(digit)); - out[1] = (digit >> 4) & DIGIT_MASK; - in_str += 7; - out_len -= 2; - } - - if (in_bitsize > DIGIT_SIZE) { - uint64_t digit = get_digit(in_str, 7); - - out[0] = digit & DIGIT_MASK; - in_str += 6; - in_bitsize -= DIGIT_SIZE; - digit = get_digit(in_str, BITS2WORD8_SIZE(in_bitsize)); - out[1] = digit >> 4; - out += 2; - out_len -= 2; - } else if (in_bitsize > 0) { - out[0] = get_digit(in_str, BITS2WORD8_SIZE(in_bitsize)); - out++; - out_len--; - } - - while (out_len > 0) { - *out = 0; - out_len--; - out++; - } +static void to_words52(uint64_t *out, int out_len, const uint64_t *in, + int in_bitsize) { + uint8_t *in_str = NULL; + + assert(out != NULL); + assert(in != NULL); + // Check destination buffer capacity + assert(out_len >= number_of_digits(in_bitsize, DIGIT_SIZE)); + + in_str = (uint8_t *)in; + + for (; in_bitsize >= (2 * DIGIT_SIZE); + in_bitsize -= (2 * DIGIT_SIZE), out += 2) { + uint64_t digit; + + memcpy(&digit, in_str, sizeof(digit)); + out[0] = digit & DIGIT_MASK; + in_str += 6; + memcpy(&digit, in_str, sizeof(digit)); + out[1] = (digit >> 4) & DIGIT_MASK; + in_str += 7; + out_len -= 2; + } + + if (in_bitsize > DIGIT_SIZE) { + uint64_t digit = get_digit(in_str, 7); + + out[0] = digit & DIGIT_MASK; + in_str += 6; + in_bitsize -= DIGIT_SIZE; + digit = get_digit(in_str, BITS2WORD8_SIZE(in_bitsize)); + out[1] = digit >> 4; + out += 2; + out_len -= 2; + } else if (in_bitsize > 0) { + out[0] = get_digit(in_str, 
BITS2WORD8_SIZE(in_bitsize)); + out++; + out_len--; + } + + while (out_len > 0) { + *out = 0; + out_len--; + out++; + } } // Convert a 64-bit unsigned integer into a byte array, |out|, which // is in little-endian order. -OPENSSL_INLINE void put_digit(uint8_t *out, int out_len, uint64_t digit) -{ - assert(out != NULL); - assert(out_len <= 8); - - for (; out_len > 0; out_len--) { - *out++ = (uint8_t)(digit & 0xFF); - digit >>= 8; - } +OPENSSL_INLINE void put_digit(uint8_t *out, int out_len, uint64_t digit) { + assert(out != NULL); + assert(out_len <= 8); + + for (; out_len > 0; out_len--) { + *out++ = (uint8_t)(digit & 0xFF); + digit >>= 8; + } } // Convert array of words in redundant (base=2^52) representation to // array of words in regular (base=2^64) one. This is because the // multiply/add instruction uses 52-bit representations to leave room // for carries. -static void from_words52(uint64_t *out, int out_bitsize, const uint64_t *in) -{ - int i; - int out_len = BITS2WORD64_SIZE(out_bitsize); - - assert(out != NULL); - assert(in != NULL); - - for (i = 0; i < out_len; i++) - out[i] = 0; - - { - uint8_t *out_str = (uint8_t *)out; - - for (; out_bitsize >= (2 * DIGIT_SIZE); - out_bitsize -= (2 * DIGIT_SIZE), in += 2) { - uint64_t digit; - - digit = in[0]; - memcpy(out_str, &digit, sizeof(digit)); - out_str += 6; - digit = digit >> 48 | in[1] << 4; - memcpy(out_str, &digit, sizeof(digit)); - out_str += 7; - } +static void from_words52(uint64_t *out, int out_bitsize, const uint64_t *in) { + int i; + int out_len = BITS2WORD64_SIZE(out_bitsize); - if (out_bitsize > DIGIT_SIZE) { - put_digit(out_str, 7, in[0]); - out_str += 6; - out_bitsize -= DIGIT_SIZE; - put_digit(out_str, BITS2WORD8_SIZE(out_bitsize), - (in[1] << 4 | in[0] >> 48)); - } else if (out_bitsize) { - put_digit(out_str, BITS2WORD8_SIZE(out_bitsize), in[0]); - } + assert(out != NULL); + assert(in != NULL); + + for (i = 0; i < out_len; i++) + out[i] = 0; + + { + uint8_t *out_str = (uint8_t *)out; + + for (; 
out_bitsize >= (2 * DIGIT_SIZE); + out_bitsize -= (2 * DIGIT_SIZE), in += 2) { + uint64_t digit; + + digit = in[0]; + memcpy(out_str, &digit, sizeof(digit)); + out_str += 6; + digit = digit >> 48 | in[1] << 4; + memcpy(out_str, &digit, sizeof(digit)); + out_str += 7; } + + if (out_bitsize > DIGIT_SIZE) { + put_digit(out_str, 7, in[0]); + out_str += 6; + out_bitsize -= DIGIT_SIZE; + put_digit(out_str, BITS2WORD8_SIZE(out_bitsize), + (in[1] << 4 | in[0] >> 48)); + } else if (out_bitsize) { + put_digit(out_str, BITS2WORD8_SIZE(out_bitsize), in[0]); + } + } } // Set bit at index |idx| in the words array |a|. It does not do any // boundaries checks, make sure the index is valid before calling the // function. -OPENSSL_INLINE void set_bit(uint64_t *a, int idx) -{ - assert(a != NULL); +OPENSSL_INLINE void set_bit(uint64_t *a, int idx) { + assert(a != NULL); - { - int i, j; + { + int i, j; - i = idx / BN_BITS2; - j = idx % BN_BITS2; - a[i] |= (((uint64_t)1) << j); - } + i = idx / BN_BITS2; + j = idx % BN_BITS2; + a[i] |= (((uint64_t)1) << j); + } } #endif diff --git a/crypto/fipsmodule/bn/shift.c b/crypto/fipsmodule/bn/shift.c index 85a62784dd..72f11cfdf1 100644 --- a/crypto/fipsmodule/bn/shift.c +++ b/crypto/fipsmodule/bn/shift.c @@ -174,9 +174,7 @@ int bn_rshift_secret_shift(BIGNUM *r, const BIGNUM *a, unsigned n, int ret = 0; BN_CTX_start(ctx); BIGNUM *tmp = BN_CTX_get(ctx); - if (tmp == NULL || - !BN_copy(r, a) || - !bn_wexpand(tmp, r->width)) { + if (tmp == NULL || !BN_copy(r, a) || !bn_wexpand(tmp, r->width)) { goto err; } diff --git a/crypto/fipsmodule/bn/sqrt.c b/crypto/fipsmodule/bn/sqrt.c index 4f636f6550..f113162f74 100644 --- a/crypto/fipsmodule/bn/sqrt.c +++ b/crypto/fipsmodule/bn/sqrt.c 
@@ -76,8 +76,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { if (ret == NULL) { ret = BN_new(); } - if (ret == NULL || - !BN_set_word(ret, BN_is_bit_set(a, 0))) { + if (ret == NULL || !BN_set_word(ret, BN_is_bit_set(a, 0))) { if (ret != in) { BN_free(ret); } @@ -94,8 +93,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { if (ret == NULL) { ret = BN_new(); } - if (ret == NULL || - !BN_set_word(ret, BN_is_one(a))) { + if (ret == NULL || !BN_set_word(ret, BN_is_one(a))) { if (ret != in) { BN_free(ret); } @@ -145,8 +143,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { goto end; } q->neg = 0; - if (!BN_add_word(q, 1) || - !BN_mod_exp_mont(ret, A, q, p, ctx, NULL)) { + if (!BN_add_word(q, 1) || !BN_mod_exp_mont(ret, A, q, p, ctx, NULL)) { goto end; } err = 0; @@ -177,7 +174,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { // // (This is due to A.O.L. Atkin, // , + // http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>, // November 1992.) // t := 2*a @@ -200,14 +197,12 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { } // t := (2*a)*b^2 - 1 - if (!BN_mod_mul(t, t, y, p, ctx) || - !BN_sub_word(t, 1)) { + if (!BN_mod_mul(t, t, y, p, ctx) || !BN_sub_word(t, 1)) { goto end; } // x = a*b*t - if (!BN_mod_mul(x, A, b, p, ctx) || - !BN_mod_mul(x, x, t, p, ctx)) { + if (!BN_mod_mul(x, A, b, p, ctx) || !BN_mod_mul(x, x, t, p, ctx)) { goto end; } @@ -332,8 +327,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { } // b := a*x^2 (= a^q) - if (!BN_mod_sqr(b, x, p, ctx) || - !BN_mod_mul(b, b, A, p, ctx)) { + if (!BN_mod_sqr(b, x, p, ctx) || !BN_mod_mul(b, b, A, p, ctx)) { goto end; } 
@@ -388,8 +382,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { goto end; } } - if (!BN_mod_mul(y, t, t, p, ctx) || - !BN_mod_mul(x, x, t, p, ctx) || + if (!BN_mod_mul(y, t, t, p, ctx) || !BN_mod_mul(x, x, t, p, ctx) || !BN_mod_mul(b, b, y, p, ctx)) { goto end; } @@ -450,7 +443,7 @@ int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx) { } // We estimate that the square root of an n-bit number is 2^{n/2}. - if (!BN_lshift(estimate, BN_value_one(), BN_num_bits(in)/2)) { + if (!BN_lshift(estimate, BN_value_one(), BN_num_bits(in) / 2)) { goto err; } @@ -458,8 +451,7 @@ int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx) { // |in| = 0. for (;;) { // |estimate| = 1/2 * (|estimate| + |in|/|estimate|) - if (!BN_div(tmp, NULL, in, estimate, ctx) || - !BN_add(tmp, tmp, estimate) || + if (!BN_div(tmp, NULL, in, estimate, ctx) || !BN_add(tmp, tmp, estimate) || !BN_rshift1(estimate, tmp) || // |tmp| = |estimate|^2 !BN_sqr(tmp, estimate, ctx) || diff --git a/crypto/fipsmodule/cipher/aead.c b/crypto/fipsmodule/cipher/aead.c index 8ae39706a1..704d5f782d 100644 --- a/crypto/fipsmodule/cipher/aead.c +++ b/crypto/fipsmodule/cipher/aead.c @@ -45,7 +45,7 @@ EVP_AEAD_CTX *EVP_AEAD_CTX_new(const EVP_AEAD *aead, const uint8_t *key, return NULL; } // NO-OP: struct already zeroed - //EVP_AEAD_CTX_zero(ctx); + // EVP_AEAD_CTX_zero(ctx); if (EVP_AEAD_CTX_init(ctx, aead, key, key_len, tag_len, NULL)) { return ctx; @@ -164,7 +164,7 @@ int EVP_AEAD_CTX_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t in_len, const uint8_t *extra_in, size_t extra_in_len, const uint8_t *ad, size_t ad_len) { - SET_DIT_AUTO_RESET; //check that it was preserved + SET_DIT_AUTO_RESET; // check that it was preserved // |in| and |out| may alias exactly, |out_tag| may not alias. if (!check_alias(in, in_len, out, in_len) || buffers_alias(out, in_len, out_tag, max_out_tag_len) || 
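Review bot: The new line `// EVP_AEAD_CTX_zero(ctx);` in EVP_AEAD_CTX_new is commented-out code that the formatter has now normalised rather than removed; the `// NO-OP: struct already zeroed` line above it already explains why the call is unnecessary, so the dead call adds nothing and invites someone to "restore" it. Drop the commented-out call and keep only the explanatory comment, e.g. `// No EVP_AEAD_CTX_zero() call needed: OPENSSL_zalloc already zeroed ctx.` The same pattern appears in the CMAC_CTX_new hunk of crypto/fipsmodule/cmac/cmac.c (`// CMAC_CTX_init(ctx);`) further down this page. EVP_AEAD_CTX_new's body continues outside the hunk.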
diff --git a/crypto/fipsmodule/cipher/cipher.c b/crypto/fipsmodule/cipher/cipher.c index 8a10429dd6..2ac9ca7f4e 100644 --- a/crypto/fipsmodule/cipher/cipher.c +++ b/crypto/fipsmodule/cipher/cipher.c @@ -65,8 +65,8 @@ #include #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) { @@ -598,9 +598,7 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) { return ctx->cipher; } -int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx) { - return ctx->cipher->nid; -} +int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx) { return ctx->cipher->nid; } int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx) { return ctx->encrypt; @@ -762,8 +760,6 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { return EVP_DecryptFinal_ex(ctx, out, out_len); } -int EVP_add_cipher_alias(const char *a, const char *b) { - return 1; -} +int EVP_add_cipher_alias(const char *a, const char *b) { return 1; } void EVP_CIPHER_CTX_set_flags(const EVP_CIPHER_CTX *ctx, uint32_t flags) {} diff --git a/crypto/fipsmodule/cipher/e_aes.c b/crypto/fipsmodule/cipher/e_aes.c index 60921abaa0..5b33f5e1bf 100644 --- a/crypto/fipsmodule/cipher/e_aes.c +++ b/crypto/fipsmodule/cipher/e_aes.c @@ -143,7 +143,7 @@ typedef struct { double align; AES_KEY ks; } ks; - const uint8_t *iv; // Indicates if an IV has been set. + const uint8_t *iv; // Indicates if an IV has been set. } EVP_AES_WRAP_CTX; static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, @@ -711,7 +711,7 @@ static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { } static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, - const uint8_t *iv, int enc) { + const uint8_t *iv, int enc) { EVP_AES_WRAP_CTX *wctx = ctx->cipher_data; if (iv == NULL && key == NULL) { return 1; diff --git a/crypto/fipsmodule/cipher/e_aesccm.c b/crypto/fipsmodule/cipher/e_aesccm.c index 4c0cd4a328..8b1f1bfef9 100644 
--- a/crypto/fipsmodule/cipher/e_aesccm.c +++ b/crypto/fipsmodule/cipher/e_aesccm.c @@ -78,7 +78,7 @@ typedef struct cipher_aes_ccm_ctx { union { uint64_t align; AES_KEY ks; - } ks; // AES key schedule to use + } ks; // AES key schedule to use CCM128_CTX ccm; CCM128_STATE ccm_state; @@ -91,8 +91,8 @@ typedef struct cipher_aes_ccm_ctx { uint8_t ccm_set; // L and M parameters from RFC3610 - uint32_t L; // Number of octets in length field - uint32_t M; // Number of octets in authentication field + uint32_t L; // Number of octets in length field + uint32_t M; // Number of octets in authentication field size_t message_len; uint8_t tag[EVP_AEAD_AES_CCM_MAX_TAG_LEN]; @@ -109,8 +109,8 @@ typedef struct cipher_aes_ccm_ctx { static int CRYPTO_ccm128_init(struct ccm128_context *ctx, block128_f block, ctr128_f ctr, unsigned M, unsigned L) { - if (M < EVP_AEAD_AES_CCM_MIN_TAG_LEN || M > EVP_AEAD_AES_CCM_MAX_TAG_LEN - || (M & 1) != 0 || L < 2 || L > 8) { + if (M < EVP_AEAD_AES_CCM_MIN_TAG_LEN || M > EVP_AEAD_AES_CCM_MAX_TAG_LEN || + (M & 1) != 0 || L < 2 || L > 8) { return 0; } if (block) { @@ -209,7 +209,7 @@ static int ccm128_init_state(const struct ccm128_context *ctx, size_t remaining_blocks = 2 * ((plaintext_len + 15) / 16) + 1; if (plaintext_len + 15 < plaintext_len || remaining_blocks + blocks < blocks || - (uint64_t) remaining_blocks + blocks > UINT64_C(1) << 61) { + (uint64_t)remaining_blocks + blocks > UINT64_C(1) << 61) { return 0; } 
@@ -521,24 +521,24 @@ static CIPHER_AES_CCM_CTX *aes_ccm_from_cipher_ctx(EVP_CIPHER_CTX *ctx) { } static int cipher_aes_ccm_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, - const uint8_t *iv, int enc) { + const uint8_t *iv, int enc) { CIPHER_AES_CCM_CTX *cipher_ctx = aes_ccm_from_cipher_ctx(ctx); if (!iv && !key) { return 1; } if (key) { block128_f block; - ctr128_f ctr = aes_ctr_set_key(&cipher_ctx->ks.ks, NULL, &block, key, - ctx->key_len); + ctr128_f ctr = + aes_ctr_set_key(&cipher_ctx->ks.ks, NULL, &block, key, ctx->key_len); if (!CRYPTO_ccm128_init(&cipher_ctx->ccm, block, ctr, cipher_ctx->M, - cipher_ctx->L)) { + cipher_ctx->L)) { return 0; } cipher_ctx->key_set = 1; } if (iv) { if (!CRYPTO_ccm128_init(&cipher_ctx->ccm, NULL, NULL, cipher_ctx->M, - cipher_ctx->L)) { + cipher_ctx->L)) { return 0; } OPENSSL_memcpy(cipher_ctx->nonce, iv, CCM_L_TO_NONCE_LEN(cipher_ctx->L)); @@ -577,8 +577,8 @@ static int cipher_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, return -1; } // We now have everything we need to initialize the CBC-MAC state - if (ccm128_init_state(ccm_ctx, ccm_state, - &cipher_ctx->ks.ks, cipher_ctx->nonce, + if (ccm128_init_state(ccm_ctx, ccm_state, &cipher_ctx->ks.ks, + cipher_ctx->nonce, CCM_L_TO_NONCE_LEN(cipher_ctx->L), in, len, cipher_ctx->message_len)) { cipher_ctx->ccm_set = 1; @@ -638,7 +638,7 @@ static int cipher_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, cipher_ctx->len_set = 0; cipher_ctx->ccm_set = 0; } - return (int) len; + return (int)len; } static int cipher_aes_ccm_ctrl_set_L(CIPHER_AES_CCM_CTX *ctx, int L) { @@ -675,8 +675,8 @@ static int cipher_aes_ccm_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, return cipher_aes_ccm_ctrl_set_L(cipher_ctx, arg); case EVP_CTRL_AEAD_SET_TAG: // |arg| is the tag length in bytes. - if ((arg & 1) || arg < EVP_AEAD_AES_CCM_MIN_TAG_LEN - || arg > EVP_AEAD_AES_CCM_MAX_TAG_LEN) { + if ((arg & 1) || arg < EVP_AEAD_AES_CCM_MIN_TAG_LEN || + arg > EVP_AEAD_AES_CCM_MAX_TAG_LEN) { return 0; } 
@@ -698,7 +698,7 @@ static int cipher_aes_ccm_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, if (!ctx->encrypt || !cipher_ctx->tag_set) { return 0; } - if ((size_t) arg != cipher_ctx->M) { + if ((size_t)arg != cipher_ctx->M) { return 0; } OPENSSL_memcpy(ptr, cipher_ctx->tag, cipher_ctx->M); @@ -726,7 +726,7 @@ static int cipher_aes_ccm_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_ccm) { memset(out, 0, sizeof(EVP_CIPHER)); out->nid = NID_aes_128_ccm; - out->block_size = 1; // stream cipher + out->block_size = 1; // stream cipher out->key_len = 16; out->iv_len = 13; out->ctx_size = sizeof(CIPHER_AES_CCM_CTX) + CIPHER_AES_CCM_CTX_PADDING; @@ -742,7 +742,7 @@ DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_ccm) { DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_ccm) { memset(out, 0, sizeof(EVP_CIPHER)); out->nid = NID_aes_128_ccm; - out->block_size = 1; // stream cipher + out->block_size = 1; // stream cipher out->key_len = 24; out->iv_len = 13; out->ctx_size = sizeof(CIPHER_AES_CCM_CTX) + CIPHER_AES_CCM_CTX_PADDING; @@ -758,7 +758,7 @@ DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_ccm) { DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_ccm) { memset(out, 0, sizeof(EVP_CIPHER)); out->nid = NID_aes_128_ccm; - out->block_size = 1; // stream cipher + out->block_size = 1; // stream cipher out->key_len = 32; out->iv_len = 13; out->ctx_size = sizeof(CIPHER_AES_CCM_CTX) + CIPHER_AES_CCM_CTX_PADDING; diff --git a/crypto/fipsmodule/cmac/cmac.c b/crypto/fipsmodule/cmac/cmac.c index a42ca02bbf..66cd36d174 100644 --- a/crypto/fipsmodule/cmac/cmac.c +++ b/crypto/fipsmodule/cmac/cmac.c @@ -99,7 +99,7 @@ int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len, // We have to verify that all the CMAC services actually succeed before // updating the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); - + size_t scratch_out_len; CMAC_CTX ctx; CMAC_CTX_init(&ctx); 
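Review bot: The context lines of the EVP_aes_192_ccm and EVP_aes_256_ccm hunks both show `out->nid = NID_aes_128_ccm;`, identical to EVP_aes_128_ccm, while their `out->key_len` lines (24 and 32) show they are the 192- and 256-bit variants; any caller that keys on EVP_CIPHER_nid() will therefore report the larger-key CCM ciphers as AES-128-CCM. This predates the formatting change, but it is a one-token fix per function: `out->nid = NID_aes_192_ccm;` and `out->nid = NID_aes_256_ccm;`, assuming those constants exist in the project's nid.h as they do in the upstream OpenSSL object table. Each DEFINE_METHOD_FUNCTION body continues outside its hunk.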
@@ -109,7 +109,7 @@ int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len, CMAC_Final(&ctx, out, &scratch_out_len); FIPS_service_indicator_unlock_state(); - if(ok) { + if (ok) { AES_CMAC_verify_service_indicator(&ctx); } CMAC_CTX_cleanup(&ctx); @@ -120,7 +120,7 @@ CMAC_CTX *CMAC_CTX_new(void) { CMAC_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx != NULL) { // NO-OP: struct already zeroed - //CMAC_CTX_init(ctx); + // CMAC_CTX_init(ctx); } return ctx; } @@ -154,7 +154,7 @@ static void binary_field_mul_x_128(uint8_t out[16], const uint8_t in[16]) { // Shift |in| to left, including carry. for (i = 0; i < 15; i++) { - out[i] = (in[i] << 1) | (in[i+1] >> 7); + out[i] = (in[i] << 1) | (in[i + 1] >> 7); } // If MSB set fixup with R. @@ -171,7 +171,7 @@ static void binary_field_mul_x_64(uint8_t out[8], const uint8_t in[8]) { // Shift |in| to left, including carry. for (i = 0; i < 7; i++) { - out[i] = (in[i] << 1) | (in[i+1] >> 7); + out[i] = (in[i] << 1) | (in[i + 1] >> 7); } // If MSB set fixup with R. @@ -269,7 +269,7 @@ int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) { OPENSSL_memcpy(ctx->block, in, in_len); // |in_len| is bounded by |block_size|, which fits in |unsigned|. OPENSSL_STATIC_ASSERT(EVP_MAX_BLOCK_LENGTH < UINT_MAX, - EVP_MAX_BLOCK_LENGTH_is_too_large); + EVP_MAX_BLOCK_LENGTH_is_too_large); ctx->block_used = (unsigned)in_len; ret = 1; @@ -311,7 +311,7 @@ int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) { end: FIPS_service_indicator_unlock_state(); - if(ret) { + if (ret) { AES_CMAC_verify_service_indicator(ctx); } return ret; diff --git a/crypto/fipsmodule/cmac/cmac_test.cc b/crypto/fipsmodule/cmac/cmac_test.cc index e7cd9166d9..a01677bb7f 100644 --- a/crypto/fipsmodule/cmac/cmac_test.cc +++ b/crypto/fipsmodule/cmac/cmac_test.cc 
@@ -89,25 +89,22 @@ TEST(CMACTest, RFC4493TestVectors) { 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c, }; static const uint8_t kMsg3[] = { - 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, - 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, - 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, - 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, - 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, + 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, + 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d, 0x8a, 0x57, + 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, + 0x8e, 0x51, 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, }; static const uint8_t kOut3[16] = { 0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30, 0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27, }; static const uint8_t kMsg4[] = { - 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, - 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, - 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, - 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, - 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, - 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, - 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, - 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10, + 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, + 0x11, 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, + 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 0x30, + 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, + 0x1a, 0x0a, 0x52, 0xef, 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, + 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10, }; static const uint8_t kOut4[16] = { 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92, 
@@ -121,67 +118,68 @@ TEST(CMACTest, RFC4493TestVectors) { } TEST(CMACTest, Wycheproof) { - FileTestGTest("third_party/wycheproof_testvectors/aes_cmac_test.txt", - [](FileTest *t) { - std::string key_size, tag_size; - ASSERT_TRUE(t->GetInstruction(&key_size, "keySize")); - ASSERT_TRUE(t->GetInstruction(&tag_size, "tagSize")); - WycheproofResult result; - ASSERT_TRUE(GetWycheproofResult(t, &result)); - std::vector key, msg, tag; - ASSERT_TRUE(t->GetBytes(&key, "key")); - ASSERT_TRUE(t->GetBytes(&msg, "msg")); - ASSERT_TRUE(t->GetBytes(&tag, "tag")); - - const EVP_CIPHER *cipher; - switch (atoi(key_size.c_str())) { - case 128: - cipher = EVP_aes_128_cbc(); - break; - case 192: - cipher = EVP_aes_192_cbc(); - break; - case 256: - cipher = EVP_aes_256_cbc(); - break; - default: - // Some test vectors intentionally give the wrong key size. Our API - // requires the caller pick the sized CBC primitive, so these tests - // aren't useful for us. - EXPECT_FALSE(result.IsValid()); - return; - } - - size_t tag_len = static_cast(atoi(tag_size.c_str())) / 8; - - uint8_t out[16]; - bssl::UniquePtr ctx(CMAC_CTX_new()); - ASSERT_TRUE(ctx); - ASSERT_TRUE(CMAC_Init(ctx.get(), key.data(), key.size(), cipher, NULL)); - ASSERT_TRUE(CMAC_Update(ctx.get(), msg.data(), msg.size())); - size_t out_len; - ASSERT_TRUE(CMAC_Final(ctx.get(), out, &out_len)); - // Truncate the tag, if requested. - out_len = std::min(out_len, tag_len); - - if (result.IsValid()) { - EXPECT_EQ(Bytes(tag), Bytes(out, out_len)); - - // Test the streaming API as well. - ASSERT_TRUE(CMAC_Reset(ctx.get())); - for (uint8_t b : msg) { - ASSERT_TRUE(CMAC_Update(ctx.get(), &b, 1)); - } - ASSERT_TRUE(CMAC_Final(ctx.get(), out, &out_len)); - out_len = std::min(out_len, tag_len); - EXPECT_EQ(Bytes(tag), Bytes(out, out_len)); - } else { - // Wycheproof's invalid tests assume the implementation internally does - // the comparison, whereas our API only computes the tag. 
Check that - // they're not equal, but these tests are mostly not useful for us. - EXPECT_NE(Bytes(tag), Bytes(out, out_len)); - } - }); + FileTestGTest( + "third_party/wycheproof_testvectors/aes_cmac_test.txt", [](FileTest *t) { + std::string key_size, tag_size; + ASSERT_TRUE(t->GetInstruction(&key_size, "keySize")); + ASSERT_TRUE(t->GetInstruction(&tag_size, "tagSize")); + WycheproofResult result; + ASSERT_TRUE(GetWycheproofResult(t, &result)); + std::vector key, msg, tag; + ASSERT_TRUE(t->GetBytes(&key, "key")); + ASSERT_TRUE(t->GetBytes(&msg, "msg")); + ASSERT_TRUE(t->GetBytes(&tag, "tag")); + + const EVP_CIPHER *cipher; + switch (atoi(key_size.c_str())) { + case 128: + cipher = EVP_aes_128_cbc(); + break; + case 192: + cipher = EVP_aes_192_cbc(); + break; + case 256: + cipher = EVP_aes_256_cbc(); + break; + default: + // Some test vectors intentionally give the wrong key size. Our API + // requires the caller pick the sized CBC primitive, so these tests + // aren't useful for us. + EXPECT_FALSE(result.IsValid()); + return; + } + + size_t tag_len = static_cast(atoi(tag_size.c_str())) / 8; + + uint8_t out[16]; + bssl::UniquePtr ctx(CMAC_CTX_new()); + ASSERT_TRUE(ctx); + ASSERT_TRUE(CMAC_Init(ctx.get(), key.data(), key.size(), cipher, NULL)); + ASSERT_TRUE(CMAC_Update(ctx.get(), msg.data(), msg.size())); + size_t out_len; + ASSERT_TRUE(CMAC_Final(ctx.get(), out, &out_len)); + // Truncate the tag, if requested. + out_len = std::min(out_len, tag_len); + + if (result.IsValid()) { + EXPECT_EQ(Bytes(tag), Bytes(out, out_len)); + + // Test the streaming API as well. + ASSERT_TRUE(CMAC_Reset(ctx.get())); + for (uint8_t b : msg) { + ASSERT_TRUE(CMAC_Update(ctx.get(), &b, 1)); + } + ASSERT_TRUE(CMAC_Final(ctx.get(), out, &out_len)); + out_len = std::min(out_len, tag_len); + EXPECT_EQ(Bytes(tag), Bytes(out, out_len)); + } else { + // Wycheproof's invalid tests assume the implementation internally + // does the comparison, whereas our API only computes the tag. 
Check + // that they're not equal, but these tests are mostly not useful for + // us. + EXPECT_NE(Bytes(tag), Bytes(out, out_len)); + } + }); } static void RunCAVPTest(const char *path, const EVP_CIPHER *cipher, @@ -248,20 +246,21 @@ static void RunCAVPTest(const char *path, const EVP_CIPHER *cipher, } TEST(CMACTest, CAVPAES128) { - RunCAVPTest("crypto/fipsmodule/cmac/cavp_aes128_cmac_tests.txt", EVP_aes_128_cbc(), - false); + RunCAVPTest("crypto/fipsmodule/cmac/cavp_aes128_cmac_tests.txt", + EVP_aes_128_cbc(), false); } TEST(CMACTest, CAVPAES192) { - RunCAVPTest("crypto/fipsmodule/cmac/cavp_aes192_cmac_tests.txt", EVP_aes_192_cbc(), - false); + RunCAVPTest("crypto/fipsmodule/cmac/cavp_aes192_cmac_tests.txt", + EVP_aes_192_cbc(), false); } TEST(CMACTest, CAVPAES256) { - RunCAVPTest("crypto/fipsmodule/cmac/cavp_aes256_cmac_tests.txt", EVP_aes_256_cbc(), - false); + RunCAVPTest("crypto/fipsmodule/cmac/cavp_aes256_cmac_tests.txt", + EVP_aes_256_cbc(), false); } TEST(CMACTest, CAVP3DES) { - RunCAVPTest("crypto/fipsmodule/cmac/cavp_3des_cmac_tests.txt", EVP_des_ede3_cbc(), true); + RunCAVPTest("crypto/fipsmodule/cmac/cavp_3des_cmac_tests.txt", + EVP_des_ede3_cbc(), true); } diff --git a/crypto/fipsmodule/cpucap/cpu_aarch64.c b/crypto/fipsmodule/cpucap/cpu_aarch64.c index f6dfc91ebc..a582fb336a 100644 --- a/crypto/fipsmodule/cpucap/cpu_aarch64.c +++ b/crypto/fipsmodule/cpucap/cpu_aarch64.c @@ -8,8 +8,8 @@ void handle_cpu_env(uint32_t *out, const char *in) { const int invert = in[0] == '~'; const int or = in[0] == '|'; - const int skip_first_byte = invert || or; - const int hex = in[skip_first_byte] == '0' && in[skip_first_byte+1] == 'x'; + const int skip_first_byte = invert || or ; + const int hex = in[skip_first_byte] == '0' && in[skip_first_byte + 1] == 'x'; uint32_t armcap = out[0]; int sscanf_result; 
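Review bot: The formatter's output `const int skip_first_byte = invert || or ;` in handle_cpu_env shows that clang-format is tokenising the local `or` as the alternative spelling of `||`, which is why it inserted a space before the semicolon; `or` is also a macro in C's <iso646.h>, so this line stops compiling the moment that header is reachable, and the odd spacing will reappear on every future format run. Renaming the local removes both problems, e.g. `const int or_flag = in[0] == '|';` and `const int skip_first_byte = invert || or_flag;`. handle_cpu_env's body continues outside the hunk.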
@@ -32,10 +32,10 @@ void handle_cpu_env(uint32_t *out, const char *in) { // abort instead of crashing later. // The case of invert cannot enable an unexisting capability; // it can only disable an existing one. - if (!invert && armcap && (~armcap & v)) - { + if (!invert && armcap && (~armcap & v)) { fprintf(stderr, - "Fatal Error: HW capability found: 0x%02X, but HW capability requested: 0x%02X.\n", + "Fatal Error: HW capability found: 0x%02X, but HW capability " + "requested: 0x%02X.\n", armcap, v); abort(); } @@ -59,22 +59,22 @@ DEFINE_STATIC_MUTEX(OPENSSL_armcap_P_lock) uint64_t armv8_get_dit(void) { if (CRYPTO_is_ARMv8_DIT_capable()) { uint64_t val = 0; - __asm__ volatile("mrs %0, s3_3_c4_c2_5" : "=r" (val)); + __asm__ volatile("mrs %0, s3_3_c4_c2_5" : "=r"(val)); return (val >> 24) & 1; } else { return 0; } } -// See https://github.com/torvalds/linux/blob/53eaeb7fbe2702520125ae7d72742362c071a1f2/arch/arm64/include/asm/sysreg.h#L82 +// See +// https://github.com/torvalds/linux/blob/53eaeb7fbe2702520125ae7d72742362c071a1f2/arch/arm64/include/asm/sysreg.h#L82 // As per Arm ARM for v8-A, Section "C.5.1.3 op0 == 0b00, architectural hints, // barriers and CLREX, and PSTATE access", ARM DDI 0487 J.a, system instructions // for accessing PSTATE fields have the following encoding // and C5.2.4 DIT, Data Independent Timing: // Op0 = 0, CRn = 4 -// Op1 (3 for DIT) , Op2 (5 for DIT) encodes the PSTATE field modified and defines the constraints. -// CRm = Imm4 (#0 or #1 below) -// Rt = 0x1f +// Op1 (3 for DIT) , Op2 (5 for DIT) encodes the PSTATE field modified and +// defines the constraints. CRm = Imm4 (#0 or #1 below) Rt = 0x1f uint64_t armv8_set_dit(void) { if (CRYPTO_is_ARMv8_DIT_capable()) { uint64_t original_dit = armv8_get_dit(); @@ -111,4 +111,4 @@ int CRYPTO_is_ARMv8_DIT_capable_for_testing(void) { #endif // AARCH64_DIT_SUPPORTED -#endif // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP +#endif // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP 
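Review bot: In the hunk above armv8_set_dit, the reflowed comment now reads `// Op1 (3 for DIT) , Op2 (5 for DIT) encodes the PSTATE field modified and` / `// defines the constraints. CRm = Imm4 (#0 or #1 below) Rt = 0x1f`, which folds what were three separate encoding-field lines (Op1/Op2, CRm, Rt) into one sentence and makes the register-encoding description harder to check against the Arm ARM text it cites. The formatter only joins lines while reflowing an over-long one, so keeping the first line under 80 columns preserves the list shape: `// Op1 (3 for DIT), Op2 (5 for DIT): PSTATE field modified and constraints.` followed by `// CRm = Imm4 (#0 or #1 below)` and `// Rt = 0x1f` on their own lines.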
diff --git a/crypto/fipsmodule/cpucap/cpu_aarch64.h b/crypto/fipsmodule/cpucap/cpu_aarch64.h index 0999d58c53..b1a2fe6a66 100644 --- a/crypto/fipsmodule/cpucap/cpu_aarch64.h +++ b/crypto/fipsmodule/cpucap/cpu_aarch64.h @@ -16,16 +16,17 @@ extern "C" { #if defined(OPENSSL_AARCH64) && !defined(OPENSSL_STATIC_ARMCAP) -// cpu_aarch64 contains common functions used across multiple cpu_aarch64_* files +// cpu_aarch64 contains common functions used across multiple cpu_aarch64_* +// files // handle_cpu_env applies the value from |in| to the CPUID values in |out[0]|. // See the comment in |OPENSSL_cpuid_setup| about this. void handle_cpu_env(uint32_t *out, const char *in); -#endif // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP +#endif // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP #if defined(__cplusplus) } #endif -#endif // OPENSSL_HEADER_CPUCAP_CPU_AARCH64_H +#endif // OPENSSL_HEADER_CPUCAP_CPU_AARCH64_H diff --git a/crypto/fipsmodule/cpucap/cpu_aarch64_dit_test.cc b/crypto/fipsmodule/cpucap/cpu_aarch64_dit_test.cc index bbc184e716..67c1457043 100644 --- a/crypto/fipsmodule/cpucap/cpu_aarch64_dit_test.cc +++ b/crypto/fipsmodule/cpucap/cpu_aarch64_dit_test.cc @@ -1,8 +1,8 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC -#include #include +#include #include "internal.h" @@ -19,13 +19,13 @@ static void NestedMacroInvocation(uint64_t one) { uint64_t current_dit = armv8_get_dit(); EXPECT_EQ(current_dit, one); } -#endif // ENABLE_AUTO_SET_RESET_DIT +#endif // ENABLE_AUTO_SET_RESET_DIT TEST(DITTest, SetReset) { - uint64_t one = CRYPTO_is_ARMv8_DIT_capable_for_testing()? (uint64_t)1 : (uint64_t)0; + uint64_t one = + CRYPTO_is_ARMv8_DIT_capable_for_testing() ? (uint64_t)1 : (uint64_t)0; - uint64_t original_dit = 0, original_dit_2 = 0, - current_dit = 0; + uint64_t original_dit = 0, original_dit_2 = 0, current_dit = 0; original_dit = armv8_set_dit(); EXPECT_EQ(original_dit, (uint64_t)0); 
@@ -41,7 +41,7 @@ TEST(DITTest, SetReset) { EXPECT_EQ(current_dit, (uint64_t)0); #if defined(ENABLE_AUTO_SET_RESET_DIT) - { // invoke the macro within a scope + { // invoke the macro within a scope // to test that it restores the CPU DIT flag at the end SET_DIT_AUTO_RESET; current_dit = armv8_get_dit(); @@ -53,13 +53,14 @@ TEST(DITTest, SetReset) { } current_dit = armv8_get_dit(); EXPECT_EQ(current_dit, (uint64_t)0); -#endif // ENABLE_AUTO_SET_RESET_DIT +#endif // ENABLE_AUTO_SET_RESET_DIT } #if defined(OPENSSL_THREADS) TEST(DITTest, Threads) { - uint64_t one = CRYPTO_is_ARMv8_DIT_capable_for_testing()? (uint64_t)1 : (uint64_t)0; + uint64_t one = + CRYPTO_is_ARMv8_DIT_capable_for_testing() ? (uint64_t)1 : (uint64_t)0; { // Test that the CPU DIT flag (bit in PSTATE register) is @@ -121,7 +122,7 @@ TEST(DITTest, Threads) { current_dit = armv8_get_dit(); EXPECT_EQ(current_dit, (uint64_t)0); - armv8_disable_dit(); // disable DIT capability at run-time + armv8_disable_dit(); // disable DIT capability at run-time }); thread1.join(); @@ -141,7 +142,6 @@ TEST(DITTest, Threads) { armv8_restore_dit(&original_dit); current_dit = armv8_get_dit(); EXPECT_EQ(current_dit, (uint64_t)0); - }); thread2.join(); @@ -168,9 +168,8 @@ TEST(DITTest, Threads) { }); thread4.join(); - } } -#endif // OPENSSL_THREADS +#endif // OPENSSL_THREADS #endif // AARCH64_DIT_SUPPORTED && !OPENSSL_STATIC_ARMCAP diff --git a/crypto/fipsmodule/cpucap/cpu_aarch64_linux.c b/crypto/fipsmodule/cpucap/cpu_aarch64_linux.c index c681a2e0a0..deb4083edd 100644 --- a/crypto/fipsmodule/cpucap/cpu_aarch64_linux.c +++ b/crypto/fipsmodule/cpucap/cpu_aarch64_linux.c @@ -29,7 +29,7 @@ static uint64_t armv8_cpuid_probe(void) { uint64_t val; - __asm__ volatile("mrs %0, MIDR_EL1" : "=r" (val)); + __asm__ volatile("mrs %0, MIDR_EL1" : "=r"(val)); return val; } diff --git a/crypto/fipsmodule/cpucap/cpu_aarch64_openbsd.c b/crypto/fipsmodule/cpucap/cpu_aarch64_openbsd.c index 6ceb636430..dd182a582e 100644 
--- a/crypto/fipsmodule/cpucap/cpu_aarch64_openbsd.c +++ b/crypto/fipsmodule/cpucap/cpu_aarch64_openbsd.c @@ -17,10 +17,10 @@ #if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && \ !defined(OPENSSL_STATIC_ARMCAP) -#include -#include #include +#include #include +#include #include @@ -30,7 +30,7 @@ void OPENSSL_cpuid_setup(void) { // CTL_MACHDEP from sys/sysctl.h // CPU_ID_AA64ISAR0 from machine/cpu.h - int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 }; + int isar0_mib[] = {CTL_MACHDEP, CPU_ID_AA64ISAR0}; size_t len = sizeof(uint64_t); uint64_t cpu_id = 0; diff --git a/crypto/fipsmodule/cpucap/cpu_arm_linux.h b/crypto/fipsmodule/cpucap/cpu_arm_linux.h index 47fcc4b907..07839b1492 100644 --- a/crypto/fipsmodule/cpucap/cpu_arm_linux.h +++ b/crypto/fipsmodule/cpucap/cpu_arm_linux.h 
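Review bot: In the `@@ -30,7` hunk of cpu_aarch64_openbsd.c, `size_t len = sizeof(uint64_t);` sizes the sysctl output length from the type rather than from the variable it presumably fills; `size_t len = sizeof(cpu_id);` ties the length to `cpu_id` so the two cannot drift apart if the variable's type changes. The sysctl call itself is outside the hunk, so this assumes `&cpu_id` is the buffer passed there.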
@@ -29,35 +29,35 @@ extern "C" { // cross-platform fuzzers without adding code to those platforms normally. #if defined(HWCAP_NEON) && HWCAP_NEON != (1 << 12) - #error "HWCAP_NEON is defined but has wrong value (expected (1 << 12))" +#error "HWCAP_NEON is defined but has wrong value (expected (1 << 12))" #elif !defined(HWCAP_NEON) - #define HWCAP_NEON (1 << 12) +#define HWCAP_NEON (1 << 12) #endif // See /usr/include/asm/hwcap.h on an ARM installation for the source of // these values. #if defined(HWCAP2_AES) && HWCAP2_AES != (1 << 0) - #error "HWCAP2_AES is defined but has wrong value (expected (1 << 0))" +#error "HWCAP2_AES is defined but has wrong value (expected (1 << 0))" #elif !defined(HWCAP2_AES) - #define HWCAP2_AES (1 << 0) +#define HWCAP2_AES (1 << 0) #endif #if defined(HWCAP2_PMULL) && HWCAP2_PMULL != (1 << 1) - #error "HWCAP2_PMULL is defined but has wrong value (expected (1 << 1))" +#error "HWCAP2_PMULL is defined but has wrong value (expected (1 << 1))" #elif !defined(HWCAP2_PMULL) - #define HWCAP2_PMULL (1 << 1) +#define HWCAP2_PMULL (1 << 1) #endif #if defined(HWCAP2_SHA1) && HWCAP2_SHA1 != (1 << 2) - #error "HWCAP2_SHA1 is defined but has wrong value (expected (1 << 2))" +#error "HWCAP2_SHA1 is defined but has wrong value (expected (1 << 2))" #elif !defined(HWCAP2_SHA1) - #define HWCAP2_SHA1 (1 << 2) +#define HWCAP2_SHA1 (1 << 2) #endif #if defined(HWCAP2_SHA2) && HWCAP2_SHA2 != (1 << 3) - #error "HWCAP2_SHA2 is defined but has wrong value (expected (1 << 3))" +#error "HWCAP2_SHA2 is defined but has wrong value (expected (1 << 3))" #elif !defined(HWCAP2_SHA2) - #define HWCAP2_SHA2 (1 << 3) +#define HWCAP2_SHA2 (1 << 3) #endif typedef struct { 
@@ -92,7 +92,8 @@ static int STRING_PIECE_split(STRING_PIECE *out_left, STRING_PIECE *out_right, // to |out| and updating |s| to point beyond it. It returns one on success and // zero if |s| is empty. If |s| is has no copies of |sep| and is non-empty, it // reads the entire string to |out|. -static int STRING_PIECE_get_delimited(STRING_PIECE *s, STRING_PIECE *out, char sep) { +static int STRING_PIECE_get_delimited(STRING_PIECE *s, STRING_PIECE *out, + char sep) { if (s->len == 0) { return 0; } diff --git a/crypto/fipsmodule/cpucap/cpu_intel.c b/crypto/fipsmodule/cpucap/cpu_intel.c index bbf8543c86..eabcc0456e 100644 --- a/crypto/fipsmodule/cpucap/cpu_intel.c +++ b/crypto/fipsmodule/cpucap/cpu_intel.c @@ -57,7 +57,8 @@ #include #include "internal.h" -#if !defined(OPENSSL_NO_ASM) && (defined(OPENSSL_X86) || defined(OPENSSL_X86_64)) +#if !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_X86) || defined(OPENSSL_X86_64)) #ifndef __STDC_FORMAT_MACROS #define __STDC_FORMAT_MACROS @@ -90,21 +91,19 @@ static void OPENSSL_cpuid(uint32_t *out_eax, uint32_t *out_ebx, #elif defined(__pic__) && defined(OPENSSL_32_BIT) // Inline assembly may not clobber the PIC register. For 32-bit, this is EBX. // See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=47602. - __asm__ volatile ( - "xor %%ecx, %%ecx\n" - "mov %%ebx, %%edi\n" - "cpuid\n" - "xchg %%edi, %%ebx\n" - : "=a"(*out_eax), "=D"(*out_ebx), "=c"(*out_ecx), "=d"(*out_edx) - : "a"(leaf) - ); + __asm__ volatile( + "xor %%ecx, %%ecx\n" + "mov %%ebx, %%edi\n" + "cpuid\n" + "xchg %%edi, %%ebx\n" + : "=a"(*out_eax), "=D"(*out_ebx), "=c"(*out_ecx), "=d"(*out_edx) + : "a"(leaf)); #else - __asm__ volatile ( - "xor %%ecx, %%ecx\n" - "cpuid\n" - : "=a"(*out_eax), "=b"(*out_ebx), "=c"(*out_ecx), "=d"(*out_edx) - : "a"(leaf) - ); + __asm__ volatile( + "xor %%ecx, %%ecx\n" + "cpuid\n" + : "=a"(*out_eax), "=b"(*out_ebx), "=c"(*out_ecx), "=d"(*out_edx) + : "a"(leaf)); #endif } 
@@ -118,9 +117,9 @@ static uint64_t OPENSSL_xgetbv(uint32_t xcr) { #if defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX) // Some old assemblers don't support the xgetbv instruction so we emit // the opcode of xgetbv directly. - __asm__ volatile (".byte 0x0f, 0x01, 0xd0" : "=a"(eax), "=d"(edx) : "c"(xcr)); + __asm__ volatile(".byte 0x0f, 0x01, 0xd0" : "=a"(eax), "=d"(edx) : "c"(xcr)); #else - __asm__ volatile ("xgetbv" : "=a"(eax), "=d"(edx) : "c"(xcr)); + __asm__ volatile("xgetbv" : "=a"(eax), "=d"(edx) : "c"(xcr)); #endif return (((uint64_t)edx) << 32) | eax; #endif @@ -131,8 +130,8 @@ static uint64_t OPENSSL_xgetbv(uint32_t xcr) { static void handle_cpu_env(uint32_t *out, const char *in) { const int invert = in[0] == '~'; const int or = in[0] == '|'; - const int skip_first_byte = invert || or; - const int hex = in[skip_first_byte] == '0' && in[skip_first_byte+1] == 'x'; + const int skip_first_byte = invert || or ; + const int hex = in[skip_first_byte] == '0' && in[skip_first_byte + 1] == 'x'; uint32_t intelcap0 = out[0]; uint32_t intelcap1 = out[1]; @@ -157,9 +156,10 @@ static void handle_cpu_env(uint32_t *out, const char *in) { // it can only disable an existing one. if (!invert && (intelcap0 || intelcap1)) { // Allow Intel indicator bit to be set for testing - if((~(1u << 30 | intelcap0) & reqcap0) || (~intelcap1 & reqcap1)) { + if ((~(1u << 30 | intelcap0) & reqcap0) || (~intelcap1 & reqcap1)) { fprintf(stderr, - "Fatal Error: HW capability found: 0x%02X 0x%02X, but HW capability requested: 0x%02X 0x%02X.\n", + "Fatal Error: HW capability found: 0x%02X 0x%02X, but HW " + "capability requested: 0x%02X 0x%02X.\n", intelcap0, intelcap1, reqcap0, reqcap1); abort(); } 
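Review bot: `const int skip_first_byte = invert || or ;` in the `@@ -131,8` hunk of cpu_intel.c shows the formatter treating the local `or` as the C++ alternative token for `||`, which is why it now emits a stray space before the semicolon. Renaming the local removes the odd output and the clash with `<iso646.h>` and C++ builds, where `or` is not a valid identifier: `const int or_op = in[0] == '|';` and `const int skip_first_byte = invert || or_op;`, along with any later uses in the function body, which continues outside the hunk. cpu_ppc64le.c's handle_cpu_env declares the same `or` local and should get the same rename.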
@@ -186,11 +186,9 @@ void OPENSSL_cpuid_setup(void) { uint32_t num_ids = eax; - int is_intel = ebx == 0x756e6547 /* Genu */ && - edx == 0x49656e69 /* ineI */ && + int is_intel = ebx == 0x756e6547 /* Genu */ && edx == 0x49656e69 /* ineI */ && ecx == 0x6c65746e /* ntel */; - int is_amd = ebx == 0x68747541 /* Auth */ && - edx == 0x69746e65 /* enti */ && + int is_amd = ebx == 0x68747541 /* Auth */ && edx == 0x69746e65 /* enti */ && ecx == 0x444d4163 /* cAMD */; uint32_t extended_features[2] = {0}; diff --git a/crypto/fipsmodule/cpucap/cpu_ppc64le.c b/crypto/fipsmodule/cpucap/cpu_ppc64le.c index db420dcc72..8df944ab08 100644 --- a/crypto/fipsmodule/cpucap/cpu_ppc64le.c +++ b/crypto/fipsmodule/cpucap/cpu_ppc64le.c @@ -25,12 +25,13 @@ #endif static void handle_cpu_env(unsigned long *out, const char *in) { - OPENSSL_STATIC_ASSERT(sizeof(unsigned long) == 8, PPC64LE_UNSIGNED_LONG_NOT_8_BYTES); + OPENSSL_STATIC_ASSERT(sizeof(unsigned long) == 8, + PPC64LE_UNSIGNED_LONG_NOT_8_BYTES); const int invert = in[0] == '~'; const int or = in[0] == '|'; const int skip_first_byte = (invert || or) ? 1 : 0; - const int hex = in[skip_first_byte] == '0' && in[skip_first_byte+1] == 'x'; + const int hex = in[skip_first_byte] == '0' && in[skip_first_byte + 1] == 'x'; unsigned long ppccap = *out; int sscanf_result; @@ -51,7 +52,8 @@ static void handle_cpu_env(unsigned long *out, const char *in) { // it can only disable an existing one. if (!invert && ppccap && (~ppccap & reqcap)) { fprintf(stderr, - "Fatal Error: HW capability found: 0x%02lX, but HW capability requested: 0x%02lX.\n", + "Fatal Error: HW capability found: 0x%02lX, but HW capability " + "requested: 0x%02lX.\n", ppccap, reqcap); abort(); } @@ -89,7 +91,6 @@ void OPENSSL_cpuid_setup(void) { if (env != NULL) { handle_cpu_env(&OPENSSL_ppc64le_hwcap2, env); } - } int CRYPTO_is_PPC64LE_vcrypto_capable(void) { diff --git a/crypto/fipsmodule/cpucap/cpucap.c b/crypto/fipsmodule/cpucap/cpucap.c index 8082b081fe..6deadd9dbc 100644 
--- a/crypto/fipsmodule/cpucap/cpucap.c +++ b/crypto/fipsmodule/cpucap/cpucap.c @@ -72,10 +72,12 @@ HIDDEN uint32_t OPENSSL_armcap_P = #if defined(OPENSSL_STATIC_ARMCAP_SHA3) || defined(__ARM_FEATURE_SHA3) ARMV8_SHA3 | #endif -#if defined(OPENSSL_STATIC_ARMCAP_NEOVERSE_V1) || defined(__ARM_FEATURE_NEOVERSE_V1) +#if defined(OPENSSL_STATIC_ARMCAP_NEOVERSE_V1) || \ + defined(__ARM_FEATURE_NEOVERSE_V1) ARMV8_NEOVERSE_V1 | #endif -#if defined(OPENSSL_STATIC_ARMCAP_NEOVERSE_V2) || defined(__ARM_FEATURE_NEOVERSE_V2) +#if defined(OPENSSL_STATIC_ARMCAP_NEOVERSE_V2) || \ + defined(__ARM_FEATURE_NEOVERSE_V2) ARMV8_NEOVERSE_V2 | #endif 0; @@ -89,7 +91,7 @@ HIDDEN uint32_t OPENSSL_armcap_P = 0; #if defined(BORINGSSL_DISPATCH_TEST) // This value must be explicitly initialized to zero. See similar comment above. HIDDEN uint8_t BORINGSSL_function_hit[9] = {0}; -#endif // BORINGSSL_DISPATCH_TEST +#endif // BORINGSSL_DISPATCH_TEST // This variable is used only for testing purposes to ensure that the library // constructor is executed and the capability variable is initialized. diff --git a/crypto/fipsmodule/cpucap/internal.h b/crypto/fipsmodule/cpucap/internal.h index 21aa351635..dfa925f8a5 100644 --- a/crypto/fipsmodule/cpucap/internal.h +++ b/crypto/fipsmodule/cpucap/internal.h @@ -125,7 +125,8 @@ OPENSSL_INLINE int CRYPTO_is_SHAEXT_capable(void) { // 1100_0000_0000_0011_0000_0000_0000_0000 #define CPU_CAP_AVX512_BITFLAGS 0xC0030000 OPENSSL_INLINE int CRYPTO_is_AVX512_capable(void) { - return (OPENSSL_ia32cap_get()[2] & CPU_CAP_AVX512_BITFLAGS) == CPU_CAP_AVX512_BITFLAGS; + return (OPENSSL_ia32cap_get()[2] & CPU_CAP_AVX512_BITFLAGS) == + CPU_CAP_AVX512_BITFLAGS; } OPENSSL_INLINE int CRYPTO_is_VAES_capable(void) { 
@@ -241,13 +242,13 @@ OPENSSL_INLINE int CRYPTO_is_ARMv8_GCM_8x_capable(void) { OPENSSL_INLINE int CRYPTO_is_ARMv8_wide_multiplier_capable(void) { return (OPENSSL_armcap_P & ARMV8_NEOVERSE_V1) != 0 || - (OPENSSL_armcap_P & ARMV8_NEOVERSE_V2) != 0 || - (OPENSSL_armcap_P & ARMV8_APPLE_M) != 0; + (OPENSSL_armcap_P & ARMV8_NEOVERSE_V2) != 0 || + (OPENSSL_armcap_P & ARMV8_APPLE_M) != 0; } OPENSSL_INLINE int CRYPTO_is_ARMv8_DIT_capable(void) { return (OPENSSL_armcap_P & (ARMV8_DIT | ARMV8_DIT_ALLOWED)) == - (ARMV8_DIT | ARMV8_DIT_ALLOWED); + (ARMV8_DIT | ARMV8_DIT_ALLOWED); } // This function is used only for testing; hence, not inlined @@ -278,10 +279,10 @@ OPENSSL_EXPORT void armv8_restore_dit(volatile uint64_t *original_dit); // Instead of the macro, the functions above can be used. // An example of their usage is present in the benchmarking function // `Speed()` in `tool/speed.cc` when the option `-dit` is passed in. -#define SET_DIT_AUTO_RESET \ - volatile uint64_t _dit_restore_orig \ - __attribute__((cleanup(armv8_restore_dit))) \ - OPENSSL_UNUSED = armv8_set_dit(); +#define SET_DIT_AUTO_RESET \ + volatile uint64_t _dit_restore_orig \ + __attribute__((cleanup(armv8_restore_dit))) OPENSSL_UNUSED = \ + armv8_set_dit(); #else #define SET_DIT_AUTO_RESET @@ -305,4 +306,4 @@ extern unsigned long OPENSSL_ppc64le_hwcap2; } #endif -#endif // OPENSSL_HEADER_CPUCAP_INTERNAL_H +#endif // OPENSSL_HEADER_CPUCAP_INTERNAL_H diff --git a/crypto/fipsmodule/curve25519/curve25519.c b/crypto/fipsmodule/curve25519/curve25519.c index 841de4b41e..526c1f6434 100644 --- a/crypto/fipsmodule/curve25519/curve25519.c +++ b/crypto/fipsmodule/curve25519/curve25519.c 
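Review bot: `SET_DIT_AUTO_RESET` in the `@@ -278,10` hunk of internal.h expands to a declaration of a fixed name, `_dit_restore_orig`, so it can only appear where a declaration is legal and at most once per scope; the usage comment above the macro (partly outside the hunk) does not say so. Add `// Expands to a variable declaration; use at most once per scope, where a declaration is valid.` next to the existing usage note, and mention that the `#else` branch expands to nothing, so callers cannot rely on the macro emitting a statement on builds without DIT support.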
@@ -79,8 +79,8 @@ void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH], const void *input1, // Public interface functions void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], - uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN], - const uint8_t seed[ED25519_SEED_LEN]) { + uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t seed[ED25519_SEED_LEN]) { // ED25519_keypair already ensures this with the same check, and is also the // function that is approved for FIPS (sets the indicator). Ensuring it here // for brevity. @@ -92,9 +92,9 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], SHA512(seed, ED25519_SEED_LEN, az); // Step: rfc8032 5.1.5.2 - az[0] &= 248; // 11111000_2 - az[31] &= 127; // 01111111_2 - az[31] |= 64; // 01000000_2 + az[0] &= 248; // 11111000_2 + az[31] &= 127; // 01111111_2 + az[31] |= 64; // 01000000_2 // Step: rfc8032 5.1.5.[3,4] // Compute [az]B and encode public key to a 32 byte octet. 
@@ -106,20 +106,22 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], // Encoded public key is a suffix in the private key. Avoids having to // generate the public key from the private key when signing. - OPENSSL_STATIC_ASSERT(ED25519_PRIVATE_KEY_LEN == (ED25519_SEED_LEN + ED25519_PUBLIC_KEY_LEN), ed25519_parameter_length_mismatch) + OPENSSL_STATIC_ASSERT( + ED25519_PRIVATE_KEY_LEN == (ED25519_SEED_LEN + ED25519_PUBLIC_KEY_LEN), + ed25519_parameter_length_mismatch) OPENSSL_memcpy(out_private_key, seed, ED25519_SEED_LEN); OPENSSL_memcpy(out_private_key + ED25519_SEED_LEN, out_public_key, - ED25519_PUBLIC_KEY_LEN); + ED25519_PUBLIC_KEY_LEN); } static void ed25519_keypair_pct(uint8_t public_key[ED25519_PUBLIC_KEY_LEN], - uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) { + uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) { #if defined(AWSLC_FIPS) uint8_t msg[16] = {16}; uint8_t out_sig[ED25519_SIGNATURE_LEN]; if (ED25519_sign_no_self_test(out_sig, msg, 16, private_key) != 1) { - // This should never happen and static analysis will say that ED25519_sign_no_self_test - // always returns 1 + // This should never happen and static analysis will say that + // ED25519_sign_no_self_test always returns 1 AWS_LC_FIPS_failure("Ed25519 keygen PCT failed"); } if (boringssl_fips_break_test("EDDSA_PWCT")) { @@ -132,7 +134,7 @@ static void ed25519_keypair_pct(uint8_t public_key[ED25519_PUBLIC_KEY_LEN], } void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], - uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]) { + uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]) { // We have to avoid the self tests and digest function in ed25519_keypair_pct // from updating the service indicator. FIPS_service_indicator_lock_state(); 
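Review bot: The `OPENSSL_STATIC_ASSERT(ED25519_PRIVATE_KEY_LEN == ..., ed25519_parameter_length_mismatch)` at the top of the `@@ -106,20` hunk in curve25519.c carries no trailing semicolon, while cpu_ppc64le.c's `OPENSSL_STATIC_ASSERT(sizeof(unsigned long) == 8, PPC64LE_UNSIGNED_LONG_NOT_8_BYTES);` in the same commit does. Whichever the macro's definition (not visible here) expects, the mismatch means one call site is relying on an expansion detail, either a `;` inside the macro or tolerance of an empty statement; pick one form and use it at every call site. ED25519_keypair_from_seed's body starts outside the hunk.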
@@ -155,8 +157,8 @@ void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], FIPS_service_indicator_update_state(); } -int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN], - const uint8_t *message, size_t message_len, +int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message, + size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]) { FIPS_service_indicator_lock_state(); boringssl_ensure_eddsa_self_test(); @@ -222,12 +224,11 @@ static int dom2(ed25519_algorithm_t alg, uint8_t buffer[MAX_DOM2_SIZE], return 1; } -int ed25519_sign_internal( - ed25519_algorithm_t alg, - uint8_t out_sig[ED25519_SIGNATURE_LEN], - const uint8_t *message, size_t message_len, - const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], - const uint8_t *ctx, size_t ctx_len) { +int ed25519_sign_internal(ed25519_algorithm_t alg, + uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t *message, size_t message_len, + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *ctx, size_t ctx_len) { // NOTE: The documentation on this function says that it returns zero on // allocation failure. While that can't happen with the current // implementation, we want to reserve the ability to allocate in this @@ -245,9 +246,9 @@ int ed25519_sign_internal( SHA512(private_key, ED25519_PRIVATE_KEY_SEED_LEN, az); // s = az[0:31] // prefix = az[32:61] - az[0] &= 248; // 11111000_2 - az[31] &= 63; // 00111111_2 - az[31] |= 64; // 01000000_2 + az[0] &= 248; // 11111000_2 + az[31] &= 63; // 00111111_2 + az[31] |= 64; // 01000000_2 uint8_t r[SHA512_DIGEST_LENGTH]; uint8_t dom2_buffer[MAX_DOM2_SIZE] = {0}; @@ -295,7 +296,7 @@ int ED25519_verify(const uint8_t *message, size_t message_len, int res = ED25519_verify_no_self_test(message, message_len, signature, public_key); FIPS_service_indicator_unlock_state(); - if(res) { + if (res) { FIPS_service_indicator_update_state(); } return res; 
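Review bot: The scalar clamp in the `@@ -245,9` hunk of ed25519_sign_internal uses `az[31] &= 63` where ED25519_keypair_from_seed earlier in this file uses `az[31] &= 127` before the same `az[31] |= 64`; the results are identical (bit 7 cleared, bit 6 set, bits 0-5 kept), but a reader comparing the two paths cannot tell that without working it out. Add `// &= 63 then |= 64 equals the &= 127 / |= 64 clamp in ED25519_keypair_from_seed: bit 7 cleared, bit 6 set.` on that line, or use the same constant in both places. ed25519_sign_internal continues outside the hunk.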
@@ -309,12 +310,11 @@ int ED25519_verify_no_self_test( public_key, NULL, 0); } -int ed25519_verify_internal( - ed25519_algorithm_t alg, - const uint8_t *message, size_t message_len, - const uint8_t signature[ED25519_SIGNATURE_LEN], - const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], - const uint8_t *ctx, size_t ctx_len) { +int ed25519_verify_internal(ed25519_algorithm_t alg, const uint8_t *message, + size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *ctx, size_t ctx_len) { // Ed25519 verify: rfc8032 5.1.7 // Step: rfc8032 5.1.7.1 (up to decoding the public key) @@ -336,10 +336,10 @@ int ed25519_verify_internal( // S must be in the range [0, order) in order to prevent signature // malleability. kOrder is the order of curve25519 in little-endian form. static const uint64_t kOrder[4] = { - UINT64_C(0x5812631a5cf5d3ed), - UINT64_C(0x14def9dea2f79cd6), - 0, - UINT64_C(0x1000000000000000), + UINT64_C(0x5812631a5cf5d3ed), + UINT64_C(0x14def9dea2f79cd6), + 0, + UINT64_C(0x1000000000000000), }; for (size_t i = 3;; i--) { uint64_t word = CRYPTO_load_u64_le(S + i * 8); @@ -360,7 +360,8 @@ int ed25519_verify_internal( } // Step: rfc8032 5.1.7.[1,2,3] - // Verification works by computing [S]B - [k]A' and comparing against R_expected. + // Verification works by computing [S]B - [k]A' and comparing against + // R_expected. int res = 0; uint8_t R_computed_encoded[32]; #if defined(CURVE25519_S2N_BIGNUM_CAPABLE) @@ -386,8 +387,8 @@ int ED25519_check_public_key(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) { } void X25519_public_from_private( - uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], - const uint8_t private_key[X25519_PRIVATE_KEY_LEN]) { + uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], + const uint8_t private_key[X25519_PRIVATE_KEY_LEN]) { SET_DIT_AUTO_RESET; #if defined(CURVE25519_S2N_BIGNUM_CAPABLE) 
@@ -395,12 +396,12 @@ void X25519_public_from_private( #else x25519_public_from_private_nohw(out_public_value, private_key); #endif - // The public key is derived from the private key, but it is public. + // The public key is derived from the private key, but it is public. CONSTTIME_DECLASSIFY(out_public_value, X25519_PUBLIC_VALUE_LEN); } void X25519_keypair(uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], - uint8_t out_private_key[X25519_PRIVATE_KEY_LEN]) { + uint8_t out_private_key[X25519_PRIVATE_KEY_LEN]) { SET_DIT_AUTO_RESET; RAND_bytes(out_private_key, X25519_PRIVATE_KEY_LEN); @@ -426,16 +427,17 @@ void X25519_keypair(uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], } int X25519(uint8_t out_shared_key[X25519_SHARED_KEY_LEN], - const uint8_t private_key[X25519_PRIVATE_KEY_LEN], - const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]) { - + const uint8_t private_key[X25519_PRIVATE_KEY_LEN], + const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]) { SET_DIT_AUTO_RESET; static const uint8_t kZeros[X25519_SHARED_KEY_LEN] = {0}; #if defined(CURVE25519_S2N_BIGNUM_CAPABLE) - x25519_scalar_mult_generic_s2n_bignum(out_shared_key, private_key, peer_public_value); + x25519_scalar_mult_generic_s2n_bignum(out_shared_key, private_key, + peer_public_value); #else - x25519_scalar_mult_generic_nohw(out_shared_key, private_key, peer_public_value); + x25519_scalar_mult_generic_nohw(out_shared_key, private_key, + peer_public_value); #endif // The all-zero output results when the input is a point of small order. diff --git a/crypto/fipsmodule/curve25519/curve25519_nohw.c b/crypto/fipsmodule/curve25519/curve25519_nohw.c index 04200bc40b..b061409587 100644 --- a/crypto/fipsmodule/curve25519/curve25519_nohw.c +++ b/crypto/fipsmodule/curve25519/curve25519_nohw.c @@ -24,8 +24,8 @@ #include #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" // Various pre-computed constants. #include "./curve25519_tables.h" 
@@ -164,13 +164,9 @@ static void fe_tobytes(uint8_t s[32], const fe *f) { } // h = 0 -static void fe_0(fe *h) { - OPENSSL_memset(h, 0, sizeof(fe)); -} +static void fe_0(fe *h) { OPENSSL_memset(h, 0, sizeof(fe)); } -static void fe_loose_0(fe_loose *h) { - OPENSSL_memset(h, 0, sizeof(fe_loose)); -} +static void fe_loose_0(fe_loose *h) { OPENSSL_memset(h, 0, sizeof(fe_loose)); } // h = 1 static void fe_1(fe *h) { @@ -201,7 +197,7 @@ static void fe_sub(fe_loose *h, const fe *f, const fe *g) { assert_fe_loose(h->v); } -static void fe_carry(fe *h, const fe_loose* f) { +static void fe_carry(fe *h, const fe_loose *f) { assert_fe_loose(f->v); fiat_25519_carry(h->v, f->v); assert_fe(h->v); @@ -257,7 +253,7 @@ static void fe_sq_tt(fe *h, const fe *f) { // // Preconditions: b in {0,1}. static void fe_cswap(fe *f, fe *g, fe_limb_t b) { - b = 0-b; + b = 0 - b; for (unsigned i = 0; i < FE_NUM_LIMBS; i++) { fe_limb_t x = f->v[i] ^ g->v[i]; x &= b; @@ -291,7 +287,7 @@ static void fe_cmov(fe_loose *f, const fe_loose *g, fe_limb_t b) { // different one. (void)fiat_25519_selectznz; - b = 0-b; + b = 0 - b; for (unsigned i = 0; i < FE_NUM_LIMBS; i++) { fe_limb_t x = f->v[i] ^ g->v[i]; x &= b; @@ -300,9 +296,7 @@ static void fe_cmov(fe_loose *f, const fe_loose *g, fe_limb_t b) { } // h = f -static void fe_copy(fe *h, const fe *f) { - OPENSSL_memmove(h, f, sizeof(fe)); -} +static void fe_copy(fe *h, const fe *f) { OPENSSL_memmove(h, f, sizeof(fe)); } static void fe_copy_lt(fe_loose *h, const fe *f) { OPENSSL_STATIC_ASSERT(sizeof(fe_loose) == sizeof(fe), @@ -313,7 +307,7 @@ static void fe_copy_lt(fe_loose *h, const fe *f) { static void fe_copy_ll(fe_loose *h, const fe_loose *f) { OPENSSL_memmove(h, f, sizeof(fe_loose)); } -#endif // !defined(OPENSSL_SMALL) +#endif // !defined(OPENSSL_SMALL) static void fe_loose_invert(fe *out, const fe_loose *z) { fe t0; 
@@ -508,8 +502,8 @@ int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]) { fe_carry(&u, &v); fe_add(&v, &vxx, &h->Z); // v = dy^2+1 - fe_mul_ttl(&w, &u, &v); // w = u*v - fe_pow22523(&h->X, &w); // x = w^((q-5)/8) + fe_mul_ttl(&w, &u, &v); // w = u*v + fe_pow22523(&h->X, &w); // x = w^((q-5)/8) fe_mul_ttt(&h->X, &h->X, &u); // x = u*w^((q-5)/8) fe_sq_tt(&vxx, &h->X); @@ -718,7 +712,7 @@ void x25519_ge_scalarmult_small_precomp( for (i = 0; i < 15; i++) { // The precomputed table is assumed to already clear the top bit, so // |fe_frombytes_strict| may be used directly. - const uint8_t *bytes = &precomp_table[i*(2 * 32)]; + const uint8_t *bytes = &precomp_table[i * (2 * 32)]; fe x, y; fe_frombytes_strict(&x, bytes); fe_frombytes_strict(&y, bytes + 32); @@ -748,7 +742,7 @@ void x25519_ge_scalarmult_small_precomp( ge_precomp_0(&e); for (j = 1; j < 16; j++) { - cmov(&e, &multiples[j-1], equal(index, j)); + cmov(&e, &multiples[j - 1], equal(index, j)); } ge_cached cached; @@ -902,7 +896,7 @@ void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) { ge_p2_dbl(&t, r); x25519_ge_p1p1_to_p3(&u, &t); - uint8_t index = scalar[31 - i/8]; + uint8_t index = scalar[31 - i / 8]; index >>= 4 - (i & 4); index &= 0xf; @@ -1864,10 +1858,9 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, } void x25519_scalar_mult_generic_nohw( - uint8_t out_shared_key[X25519_SHARED_KEY_LEN], - const uint8_t private_key[X25519_PRIVATE_KEY_LEN], - const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]) { - + uint8_t out_shared_key[X25519_SHARED_KEY_LEN], + const uint8_t private_key[X25519_PRIVATE_KEY_LEN], + const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]) { fe x1, x2, z2, x3, z3, tmp0, tmp1; fe_loose x2l, z2l, x3l, tmp0l, tmp1l; 
@@ -1917,8 +1910,10 @@ void x25519_scalar_mult_generic_nohw( // Coq transcription of ladderstep formula (called from transcribed loop): // // - // x1 != 0 - // x1 = 0 + // x1 != 0 + // + // x1 = 0 + // fe_sub(&tmp0l, &x3, &z3); fe_sub(&tmp1l, &x2, &z2); fe_add(&x2l, &x2, &z2); @@ -1948,9 +1943,8 @@ void x25519_scalar_mult_generic_nohw( } void x25519_public_from_private_nohw( - uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], - const uint8_t private_key[X25519_PRIVATE_KEY_LEN]) { - + uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], + const uint8_t private_key[X25519_PRIVATE_KEY_LEN]) { uint8_t e[X25519_PRIVATE_KEY_LEN]; OPENSSL_memcpy(e, private_key, X25519_PRIVATE_KEY_LEN); e[0] &= 248; @@ -1973,18 +1967,18 @@ void x25519_public_from_private_nohw( } void ed25519_public_key_from_hashed_seed_nohw( - uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], - uint8_t az[SHA512_DIGEST_LENGTH]) { - + uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], + uint8_t az[SHA512_DIGEST_LENGTH]) { ge_p3 A; x25519_ge_scalarmult_base(&A, az); ge_p3_tobytes(out_public_key, &A); } void ed25519_sign_nohw(uint8_t out_sig[ED25519_SIGNATURE_LEN], - uint8_t r[SHA512_DIGEST_LENGTH], const uint8_t *s, const uint8_t *A, - const void *message, size_t message_len, const uint8_t* dom2, size_t dom2_len) { - + uint8_t r[SHA512_DIGEST_LENGTH], const uint8_t *s, + const uint8_t *A, const void *message, + size_t message_len, const uint8_t *dom2, + size_t dom2_len) { // Reduce r modulo the order of the base-point B. x25519_sc_reduce(r); ge_p3 R; 
@@ -1996,8 +1990,8 @@ void ed25519_sign_nohw(uint8_t out_sig[ED25519_SIGNATURE_LEN], uint8_t k[SHA512_DIGEST_LENGTH]; if (dom2_len > 0) { // Compute k = SHA512(dom2(phflag, context) || R || A || message) - ed25519_sha512(k, dom2, dom2_len, out_sig, 32, A, ED25519_PUBLIC_KEY_LEN, message, - message_len); + ed25519_sha512(k, dom2, dom2_len, out_sig, 32, A, ED25519_PUBLIC_KEY_LEN, + message, message_len); } else { // Compute k = SHA512(R || A || message) ed25519_sha512(k, out_sig, 32, A, ED25519_PUBLIC_KEY_LEN, message, @@ -2012,9 +2006,10 @@ void ed25519_sign_nohw(uint8_t out_sig[ED25519_SIGNATURE_LEN], } int ed25519_verify_nohw(uint8_t R_computed_encoded[32], - const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], uint8_t R_expected[32], - uint8_t S[32], const uint8_t *message, size_t message_len, const uint8_t *dom2, size_t dom2_len) { - + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + uint8_t R_expected[32], uint8_t S[32], + const uint8_t *message, size_t message_len, + const uint8_t *dom2, size_t dom2_len) { // Decode public key as A'. ge_p3 A; if (!x25519_ge_frombytes_vartime(&A, public_key)) { @@ -2023,8 +2018,9 @@ int ed25519_verify_nohw(uint8_t R_computed_encoded[32], // Step: rfc8032 5.1.7.2 uint8_t k[SHA512_DIGEST_LENGTH]; - if(dom2_len > 0) { - // Compute k = SHA512(dom2(phflag, context) || R_expected || public_key || message). + if (dom2_len > 0) { + // Compute k = SHA512(dom2(phflag, context) || R_expected || public_key || + // message). ed25519_sha512(k, dom2, dom2_len, R_expected, 32, public_key, ED25519_PUBLIC_KEY_LEN, message, message_len); } else { @@ -2057,7 +2053,8 @@ int ed25519_verify_nohw(uint8_t R_computed_encoded[32], return 1; } -int ed25519_check_public_key_nohw(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) { +int ed25519_check_public_key_nohw( + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) { ge_p3 A; if (!x25519_ge_frombytes_vartime(&A, public_key)) { return 0; 
diff --git a/crypto/fipsmodule/curve25519/curve25519_s2n_bignum_asm.c b/crypto/fipsmodule/curve25519/curve25519_s2n_bignum_asm.c
index af225f6784..d5cc761aa8 100644
--- a/crypto/fipsmodule/curve25519/curve25519_s2n_bignum_asm.c
+++ b/crypto/fipsmodule/curve25519/curve25519_s2n_bignum_asm.c
@@ -1,45 +1,44 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC -#include "internal.h" #include "../cpucap/internal.h" +#include "internal.h" #if defined(CURVE25519_S2N_BIGNUM_CAPABLE) #include "../../../third_party/s2n-bignum/include/s2n-bignum_aws-lc.h" void x25519_scalar_mult_generic_s2n_bignum( - uint8_t out_shared_key[X25519_SHARED_KEY_LEN], - const uint8_t private_key[X25519_PRIVATE_KEY_LEN], - const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]) { - + uint8_t out_shared_key[X25519_SHARED_KEY_LEN], + const uint8_t private_key[X25519_PRIVATE_KEY_LEN], + const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]) { uint8_t private_key_internal_demask[X25519_PRIVATE_KEY_LEN]; - OPENSSL_memcpy(private_key_internal_demask, private_key, X25519_PRIVATE_KEY_LEN); + OPENSSL_memcpy(private_key_internal_demask, private_key, + X25519_PRIVATE_KEY_LEN); private_key_internal_demask[0] &= 248; private_key_internal_demask[31] &= 127; private_key_internal_demask[31] |= 64; - curve25519_x25519_byte_selector(out_shared_key, - private_key_internal_demask, + curve25519_x25519_byte_selector(out_shared_key, private_key_internal_demask, peer_public_value); } void x25519_public_from_private_s2n_bignum( - uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], - const uint8_t private_key[X25519_PRIVATE_KEY_LEN]) { - + uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], + const uint8_t private_key[X25519_PRIVATE_KEY_LEN]) { uint8_t private_key_internal_demask[X25519_PRIVATE_KEY_LEN]; - OPENSSL_memcpy(private_key_internal_demask, private_key, X25519_PRIVATE_KEY_LEN); + OPENSSL_memcpy(private_key_internal_demask, private_key, + X25519_PRIVATE_KEY_LEN); private_key_internal_demask[0] &= 248; private_key_internal_demask[31] &= 127; private_key_internal_demask[31] |= 64; - curve25519_x25519base_byte_selector(out_public_value, private_key_internal_demask); + curve25519_x25519base_byte_selector(out_public_value, + 
private_key_internal_demask); } void ed25519_public_key_from_hashed_seed_s2n_bignum( - uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], - uint8_t az[SHA512_DIGEST_LENGTH]) { - + uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], + uint8_t az[SHA512_DIGEST_LENGTH]) { uint64_t uint64_point[8] = {0}; uint64_t uint64_hashed_seed[4] = {0}; OPENSSL_memcpy(uint64_hashed_seed, az, 32); @@ -50,9 +49,10 @@ void ed25519_public_key_from_hashed_seed_s2n_bignum( } void ed25519_sign_s2n_bignum(uint8_t out_sig[ED25519_SIGNATURE_LEN], - uint8_t r[SHA512_DIGEST_LENGTH], const uint8_t *s, const uint8_t *A, - const void *message, size_t message_len, const uint8_t *dom2, size_t dom2_len) { - + uint8_t r[SHA512_DIGEST_LENGTH], const uint8_t *s, + const uint8_t *A, const void *message, + size_t message_len, const uint8_t *dom2, + size_t dom2_len) { uint8_t k[SHA512_DIGEST_LENGTH] = {0}; uint64_t R[8] = {0}; uint64_t S[4] = {0}; @@ -72,8 +72,8 @@ void ed25519_sign_s2n_bignum(uint8_t out_sig[ED25519_SIGNATURE_LEN], // R is of length 32 octets if (dom2_len > 0) { // Compute k = SHA512(dom2(phflag, context) || R || A || message) - ed25519_sha512(k, dom2, dom2_len, out_sig, 32, A, ED25519_PUBLIC_KEY_LEN, message, - message_len); + ed25519_sha512(k, dom2, dom2_len, out_sig, 32, A, ED25519_PUBLIC_KEY_LEN, + message, message_len); } else { // Compute k = SHA512(R || A || message) ed25519_sha512(k, out_sig, 32, A, ED25519_PUBLIC_KEY_LEN, message, 
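Review bot: Both x25519_scalar_mult_generic_s2n_bignum and x25519_public_from_private_s2n_bignum in the `@@ -1,45` hunk leave the clamped copy of the private key, `private_key_internal_demask`, on the stack when they return; nothing in either function wipes it, and both bodies are fully visible here. Add `OPENSSL_cleanse(private_key_internal_demask, sizeof(private_key_internal_demask));` after each selector call so the secret does not outlive the call. The same consideration applies to `uint64_hashed_seed` in ed25519_public_key_from_hashed_seed_s2n_bignum and to the `e` copy in curve25519_nohw.c's x25519_public_from_private_nohw, though both of those bodies continue outside their hunks and may already handle it there.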
@@ -89,9 +89,10 @@ void ed25519_sign_s2n_bignum(uint8_t out_sig[ED25519_SIGNATURE_LEN], } int ed25519_verify_s2n_bignum(uint8_t R_computed_encoded[32], - const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], uint8_t R_expected[32], - uint8_t S[32], const uint8_t *message, size_t message_len, const uint8_t *dom2, size_t dom2_len) { - + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + uint8_t R_expected[32], uint8_t S[32], + const uint8_t *message, size_t message_len, + const uint8_t *dom2, size_t dom2_len) { uint8_t k[SHA512_DIGEST_LENGTH] = {0}; uint64_t uint64_k[8] = {0}; uint64_t uint64_R[8] = {0}; @@ -104,8 +105,9 @@ int ed25519_verify_s2n_bignum(uint8_t R_computed_encoded[32], } // Step: rfc8032 5.1.7.2 - if(dom2_len > 0) { - // Compute k = SHA512(dom2(phflag, context) || R_expected || public_key || message). + if (dom2_len > 0) { + // Compute k = SHA512(dom2(phflag, context) || R_expected || public_key || + // message). ed25519_sha512(k, dom2, dom2_len, R_expected, 32, public_key, ED25519_PUBLIC_KEY_LEN, message, message_len); } else { @@ -132,7 +134,8 @@ int ed25519_verify_s2n_bignum(uint8_t R_computed_encoded[32], return 1; } -int ed25519_check_public_key_s2n_bignum(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) { +int ed25519_check_public_key_s2n_bignum( + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) { uint64_t A[8] = {0}; if (edwards25519_decode_selector(A, public_key) != 0) { return 0; diff --git a/crypto/fipsmodule/curve25519/ed25519_test.cc b/crypto/fipsmodule/curve25519/ed25519_test.cc index 932f96bfe4..4a3a0c2129 100644 --- a/crypto/fipsmodule/curve25519/ed25519_test.cc +++ b/crypto/fipsmodule/curve25519/ed25519_test.cc 
@@ -25,29 +25,31 @@ TEST(Ed25519Test, TestVectors) { - FileTestGTest("crypto/fipsmodule/curve25519/ed25519_tests.txt", [](FileTest *t) { - std::vector private_key, public_key, message, expected_signature; - ASSERT_TRUE(t->GetBytes(&private_key, "PRIV")); - ASSERT_EQ(64u, private_key.size()); - ASSERT_TRUE(t->GetBytes(&public_key, "PUB")); - ASSERT_EQ(32u, public_key.size()); - ASSERT_TRUE(t->GetBytes(&message, "MESSAGE")); - ASSERT_TRUE(t->GetBytes(&expected_signature, "SIG")); - ASSERT_EQ(64u, expected_signature.size()); - - // Signing should not leak the private key or the message. - CONSTTIME_SECRET(private_key.data(), private_key.size()); - CONSTTIME_SECRET(message.data(), message.size()); - uint8_t signature[64]; - ASSERT_TRUE(ED25519_sign(signature, message.data(), message.size(), - private_key.data())); - CONSTTIME_DECLASSIFY(signature, sizeof(signature)); - CONSTTIME_DECLASSIFY(message.data(), message.size()); - - EXPECT_EQ(Bytes(expected_signature), Bytes(signature)); - EXPECT_TRUE(ED25519_verify(message.data(), message.size(), signature, - public_key.data())); - }); + FileTestGTest("crypto/fipsmodule/curve25519/ed25519_tests.txt", + [](FileTest *t) { + std::vector private_key, public_key, message, + expected_signature; + ASSERT_TRUE(t->GetBytes(&private_key, "PRIV")); + ASSERT_EQ(64u, private_key.size()); + ASSERT_TRUE(t->GetBytes(&public_key, "PUB")); + ASSERT_EQ(32u, public_key.size()); + ASSERT_TRUE(t->GetBytes(&message, "MESSAGE")); + ASSERT_TRUE(t->GetBytes(&expected_signature, "SIG")); + ASSERT_EQ(64u, expected_signature.size()); + + // Signing should not leak the private key or the message. 
+ CONSTTIME_SECRET(private_key.data(), private_key.size()); + CONSTTIME_SECRET(message.data(), message.size()); + uint8_t signature[64]; + ASSERT_TRUE(ED25519_sign(signature, message.data(), + message.size(), private_key.data())); + CONSTTIME_DECLASSIFY(signature, sizeof(signature)); + CONSTTIME_DECLASSIFY(message.data(), message.size()); + + EXPECT_EQ(Bytes(expected_signature), Bytes(signature)); + EXPECT_TRUE(ED25519_verify(message.data(), message.size(), + signature, public_key.data())); + }); } TEST(Ed25519Test, Malleability) { 
@@ -132,83 +134,89 @@ TEST(Ed25519Test, KeypairFromSeed) { } TEST(Ed25519phTest, TestVectors) { - FileTestGTest("crypto/fipsmodule/curve25519/ed25519ph_tests.txt", [](FileTest *t) { - std::vector seed, q, message, context, expected_signature; - ASSERT_TRUE(t->GetBytes(&seed, "SEED")); - ASSERT_EQ(32u, seed.size()); - ASSERT_TRUE(t->GetBytes(&q, "Q")); - ASSERT_EQ(32u, q.size()); - ASSERT_TRUE(t->GetBytes(&message, "MESSAGE")); - ASSERT_TRUE(t->GetBytes(&expected_signature, "SIGNATURE")); - ASSERT_EQ(64u, expected_signature.size()); - - if (t->HasAttribute("CONTEXT")) { - t->GetBytes(&context, "CONTEXT"); - } else { - context = std::vector(); - } - - uint8_t private_key[ED25519_PRIVATE_KEY_LEN] = {0}; - uint8_t public_key[ED25519_PUBLIC_KEY_LEN] = {0}; - - ED25519_keypair_from_seed(public_key, private_key, seed.data()); - ASSERT_EQ(Bytes(q), Bytes(public_key)); - - // Signing should not leak the private key or the message. - CONSTTIME_SECRET(&private_key[0], sizeof(private_key)); - CONSTTIME_SECRET(message.data(), message.size()); - CONSTTIME_SECRET(context.data(), context.size()); - uint8_t signature[64]; - ASSERT_TRUE(ED25519ph_sign(signature, message.data(), message.size(), - private_key, context.data(), context.size())); - CONSTTIME_DECLASSIFY(signature, sizeof(signature)); - CONSTTIME_DECLASSIFY(message.data(), message.size()); - CONSTTIME_DECLASSIFY(context.data(), context.size()); - - EXPECT_EQ(Bytes(expected_signature), Bytes(signature)); - EXPECT_TRUE(ED25519ph_verify(message.data(), message.size(), signature, - public_key, context.data(), context.size())); - }); + FileTestGTest( + "crypto/fipsmodule/curve25519/ed25519ph_tests.txt", [](FileTest *t) { + std::vector seed, q, message, context, expected_signature; + ASSERT_TRUE(t->GetBytes(&seed, "SEED")); + ASSERT_EQ(32u, seed.size()); + ASSERT_TRUE(t->GetBytes(&q, "Q")); + ASSERT_EQ(32u, q.size()); + ASSERT_TRUE(t->GetBytes(&message, "MESSAGE")); + ASSERT_TRUE(t->GetBytes(&expected_signature, "SIGNATURE")); + 
ASSERT_EQ(64u, expected_signature.size()); + + if (t->HasAttribute("CONTEXT")) { + t->GetBytes(&context, "CONTEXT"); + } else { + context = std::vector(); + } + + uint8_t private_key[ED25519_PRIVATE_KEY_LEN] = {0}; + uint8_t public_key[ED25519_PUBLIC_KEY_LEN] = {0}; + + ED25519_keypair_from_seed(public_key, private_key, seed.data()); + ASSERT_EQ(Bytes(q), Bytes(public_key)); + + // Signing should not leak the private key or the message. + CONSTTIME_SECRET(&private_key[0], sizeof(private_key)); + CONSTTIME_SECRET(message.data(), message.size()); + CONSTTIME_SECRET(context.data(), context.size()); + uint8_t signature[64]; + ASSERT_TRUE(ED25519ph_sign(signature, message.data(), message.size(), + private_key, context.data(), + context.size())); + CONSTTIME_DECLASSIFY(signature, sizeof(signature)); + CONSTTIME_DECLASSIFY(message.data(), message.size()); + CONSTTIME_DECLASSIFY(context.data(), context.size()); + + EXPECT_EQ(Bytes(expected_signature), Bytes(signature)); + EXPECT_TRUE(ED25519ph_verify(message.data(), message.size(), signature, + public_key, context.data(), + context.size())); + }); } TEST(Ed25519ctxTest, TestVectors) { - FileTestGTest("crypto/fipsmodule/curve25519/ed25519ctx_tests.txt", [](FileTest *t) { - std::vector seed, q, message, context, expected_signature; - ASSERT_TRUE(t->GetBytes(&seed, "SEED")); - ASSERT_EQ(32u, seed.size()); - ASSERT_TRUE(t->GetBytes(&q, "Q")); - ASSERT_EQ(32u, q.size()); - ASSERT_TRUE(t->GetBytes(&message, "MESSAGE")); - ASSERT_TRUE(t->GetBytes(&expected_signature, "SIGNATURE")); - ASSERT_EQ(64u, expected_signature.size()); - - if (t->HasAttribute("CONTEXT")) { - t->GetBytes(&context, "CONTEXT"); - } else { - context = std::vector(); - } - - uint8_t private_key[ED25519_PRIVATE_KEY_LEN] = {0}; - uint8_t public_key[ED25519_PUBLIC_KEY_LEN] = {0}; - - ED25519_keypair_from_seed(public_key, private_key, seed.data()); - ASSERT_EQ(Bytes(q), Bytes(public_key)); - - // Signing should not leak the private key or the message. 
- CONSTTIME_SECRET(&private_key[0], sizeof(private_key)); - CONSTTIME_SECRET(message.data(), message.size()); - CONSTTIME_SECRET(context.data(), context.size()); - uint8_t signature[64]; - ASSERT_TRUE(ED25519ctx_sign(signature, message.data(), message.size(), - private_key, context.data(), context.size())); - CONSTTIME_DECLASSIFY(signature, sizeof(signature)); - CONSTTIME_DECLASSIFY(message.data(), message.size()); - CONSTTIME_DECLASSIFY(context.data(), context.size()); - - EXPECT_EQ(Bytes(expected_signature), Bytes(signature)); - EXPECT_TRUE(ED25519ctx_verify(message.data(), message.size(), signature, - public_key, context.data(), context.size())); - }); + FileTestGTest( + "crypto/fipsmodule/curve25519/ed25519ctx_tests.txt", [](FileTest *t) { + std::vector seed, q, message, context, expected_signature; + ASSERT_TRUE(t->GetBytes(&seed, "SEED")); + ASSERT_EQ(32u, seed.size()); + ASSERT_TRUE(t->GetBytes(&q, "Q")); + ASSERT_EQ(32u, q.size()); + ASSERT_TRUE(t->GetBytes(&message, "MESSAGE")); + ASSERT_TRUE(t->GetBytes(&expected_signature, "SIGNATURE")); + ASSERT_EQ(64u, expected_signature.size()); + + if (t->HasAttribute("CONTEXT")) { + t->GetBytes(&context, "CONTEXT"); + } else { + context = std::vector(); + } + + uint8_t private_key[ED25519_PRIVATE_KEY_LEN] = {0}; + uint8_t public_key[ED25519_PUBLIC_KEY_LEN] = {0}; + + ED25519_keypair_from_seed(public_key, private_key, seed.data()); + ASSERT_EQ(Bytes(q), Bytes(public_key)); + + // Signing should not leak the private key or the message. 
+ CONSTTIME_SECRET(&private_key[0], sizeof(private_key)); + CONSTTIME_SECRET(message.data(), message.size()); + CONSTTIME_SECRET(context.data(), context.size()); + uint8_t signature[64]; + ASSERT_TRUE(ED25519ctx_sign(signature, message.data(), message.size(), + private_key, context.data(), + context.size())); + CONSTTIME_DECLASSIFY(signature, sizeof(signature)); + CONSTTIME_DECLASSIFY(message.data(), message.size()); + CONSTTIME_DECLASSIFY(context.data(), context.size()); + + EXPECT_EQ(Bytes(expected_signature), Bytes(signature)); + EXPECT_TRUE(ED25519ctx_verify(message.data(), message.size(), signature, + public_key, context.data(), + context.size())); + }); } TEST(Ed25519ctxTest, EmptyContext) { @@ -219,7 +227,8 @@ TEST(Ed25519ctxTest, EmptyContext) { ED25519_keypair(public_key, private_key); - EXPECT_FALSE(ED25519ctx_sign(signature, message, sizeof(message), private_key, NULL, 0)); - EXPECT_FALSE(ED25519ctx_verify(message, sizeof(message), signature, public_key, NULL, 0)); + EXPECT_FALSE(ED25519ctx_sign(signature, message, sizeof(message), private_key, + NULL, 0)); + EXPECT_FALSE(ED25519ctx_verify(message, sizeof(message), signature, + public_key, NULL, 0)); } - diff --git a/crypto/fipsmodule/curve25519/internal.h b/crypto/fipsmodule/curve25519/internal.h index 42e68d82c9..e80820fc15 100644 --- a/crypto/fipsmodule/curve25519/internal.h +++ b/crypto/fipsmodule/curve25519/internal.h 
@@ -40,24 +40,21 @@ typedef enum { #define MAX_DOM2_SIZE \ (DOM2_PREFIX_SIZE + DOM2_F_SIZE + DOM2_C_SIZE + MAX_DOM2_CONTEXT_SIZE) -int ed25519_sign_internal( - ed25519_algorithm_t alg, - uint8_t out_sig[ED25519_SIGNATURE_LEN], - const uint8_t *message, size_t message_len, - const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], - const uint8_t *ctx, size_t ctx_len); - -int ed25519_verify_internal( - ed25519_algorithm_t alg, - const uint8_t *message, size_t message_len, - const uint8_t signature[ED25519_SIGNATURE_LEN], - const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], - const uint8_t *ctx, size_t ctx_len); +int ed25519_sign_internal(ed25519_algorithm_t alg, + uint8_t out_sig[ED25519_SIGNATURE_LEN], + const uint8_t *message, size_t message_len, + const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], + const uint8_t *ctx, size_t ctx_len); + +int ed25519_verify_internal(ed25519_algorithm_t alg, const uint8_t *message, + size_t message_len, + const uint8_t signature[ED25519_SIGNATURE_LEN], + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], + const uint8_t *ctx, size_t ctx_len); int ED25519_sign_no_self_test( - uint8_t out_sig[ED25519_SIGNATURE_LEN], - const uint8_t *message, size_t message_len, - const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]); + uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message, + size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]); int ED25519_verify_no_self_test( const uint8_t *message, size_t message_len, 
@@ -66,10 +63,11 @@ int ED25519_verify_no_self_test( // If (1) x86_64 or aarch64, (2) linux or apple, and (3) OPENSSL_NO_ASM is not // set, s2n-bignum path is capable. -#if ((defined(OPENSSL_X86_64) && !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)) || \ - defined(OPENSSL_AARCH64)) && \ - (defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE) || \ - defined(OPENSSL_OPENBSD) || defined(OPENSSL_FREEBSD)) && \ +#if ((defined(OPENSSL_X86_64) && \ + !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)) || \ + defined(OPENSSL_AARCH64)) && \ + (defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE) || \ + defined(OPENSSL_OPENBSD) || defined(OPENSSL_FREEBSD)) && \ !defined(OPENSSL_NO_ASM) #define CURVE25519_S2N_BIGNUM_CAPABLE #endif 
@@ -84,22 +82,31 @@ int ED25519_verify_no_self_test( // t[3]+2^204 t[4]. // fe limbs are bounded by 1.125*2^51. // Multiplication and carrying produce fe from fe_loose. -typedef struct fe { uint64_t v[5]; } fe; +typedef struct fe { + uint64_t v[5]; +} fe; // fe_loose limbs are bounded by 3.375*2^51. // Addition and subtraction produce fe_loose from (fe, fe). -typedef struct fe_loose { uint64_t v[5]; } fe_loose; +typedef struct fe_loose { + uint64_t v[5]; +} fe_loose; #else // fe means field element. Here the field is \Z/(2^255-19). An element t, // entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77 // t[3]+2^102 t[4]+...+2^230 t[9]. // fe limbs are bounded by 1.125*2^26,1.125*2^25,1.125*2^26,1.125*2^25,etc. // Multiplication and carrying produce fe from fe_loose. -typedef struct fe { uint32_t v[10]; } fe; - -// fe_loose limbs are bounded by 3.375*2^26,3.375*2^25,3.375*2^26,3.375*2^25,etc. -// Addition and subtraction produce fe_loose from (fe, fe). -typedef struct fe_loose { uint32_t v[10]; } fe_loose; +typedef struct fe { + uint32_t v[10]; +} fe; + +// fe_loose limbs are bounded +// by 3.375*2^26,3.375*2^25,3.375*2^26,3.375*2^25,etc. Addition and subtraction +// produce fe_loose from (fe, fe). +typedef struct fe_loose { + uint32_t v[10]; +} fe_loose; #endif // ge means group element. 
@@ -165,34 +172,34 @@ void x25519_sc_reduce(uint8_t s[64]); // |peer_public_value| and the scalar is |private_key|. The resulting shared key // is returned in |out_shared_key|. void x25519_scalar_mult_generic_s2n_bignum( - uint8_t out_shared_key[X25519_SHARED_KEY_LEN], - const uint8_t private_key[X25519_PRIVATE_KEY_LEN], - const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]); + uint8_t out_shared_key[X25519_SHARED_KEY_LEN], + const uint8_t private_key[X25519_PRIVATE_KEY_LEN], + const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]); void x25519_scalar_mult_generic_nohw( - uint8_t out_shared_key[X25519_SHARED_KEY_LEN], - const uint8_t private_key[X25519_PRIVATE_KEY_LEN], - const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]); + uint8_t out_shared_key[X25519_SHARED_KEY_LEN], + const uint8_t private_key[X25519_PRIVATE_KEY_LEN], + const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]); // x25519_public_from_private_[s2n_bignum,nohw] computes the x25519 function // from rfc7748 6.1 using the base-coordinate 9 and scalar |private_key|. The // resulting (encoded) public key coordinate (either K_A or K_B) is returned in // |out_public_value|. void x25519_public_from_private_s2n_bignum( - uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], - const uint8_t private_key[X25519_PRIVATE_KEY_LEN]); + uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], + const uint8_t private_key[X25519_PRIVATE_KEY_LEN]); void x25519_public_from_private_nohw( - uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], - const uint8_t private_key[X25519_PRIVATE_KEY_LEN]); + uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], + const uint8_t private_key[X25519_PRIVATE_KEY_LEN]); // ed25519_public_key_from_hashed_seed_[s2n_bignum,nohw] handles steps // rfc8032 5.1.5.[3,4]. Computes [az]B and encodes the public key to a 32-byte // octet string returning it in |out_public_key|. 
void ed25519_public_key_from_hashed_seed_s2n_bignum( - uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], - uint8_t az[SHA512_DIGEST_LENGTH]); + uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], + uint8_t az[SHA512_DIGEST_LENGTH]); void ed25519_public_key_from_hashed_seed_nohw( - uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], - uint8_t az[SHA512_DIGEST_LENGTH]); + uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], + uint8_t az[SHA512_DIGEST_LENGTH]); // ed25519_sign_[s2n_bignum,nohw] handles steps rfc8032 5.1.6.[3,5,6,7]. // Computes the signature S = r + k * s modulo the order of the base-point B. @@ -201,14 +208,14 @@ void ed25519_public_key_from_hashed_seed_nohw( // |ED25519_PUBLIC_KEY_LEN|. void ed25519_sign_s2n_bignum(uint8_t out_sig[ED25519_SIGNATURE_LEN], uint8_t r[SHA512_DIGEST_LENGTH], const uint8_t *s, - const uint8_t *A, - const void *message, size_t message_len, - const uint8_t *dom2, size_t dom2_len); + const uint8_t *A, const void *message, + size_t message_len, const uint8_t *dom2, + size_t dom2_len); void ed25519_sign_nohw(uint8_t out_sig[ED25519_SIGNATURE_LEN], uint8_t r[SHA512_DIGEST_LENGTH], const uint8_t *s, - const uint8_t *A, - const void *message, size_t message_len, - const uint8_t *dom2, size_t dom2_len); + const uint8_t *A, const void *message, + size_t message_len, const uint8_t *dom2, + size_t dom2_len); // ed25519_verify_[s2n_bignum,nohw] handles steps rfc8032 5.1.7.[1,2,3]. // Computes [S]B - [k]A' and returns the result in |R_computed_encoded|. Returns 
@@ -230,14 +237,18 @@ int ed25519_verify_nohw(uint8_t R_computed_encoded[32], // hash is computed over the concatenation: |input1| || |input2| || |input3| || // |input4|. The final two pairs may have |len3| == 0 or |len4| == 0, meaning // those input values will be ignored. The result is written to |out|. -void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH], - const void *input1, size_t len1, const void *input2, size_t len2, - const void *input3, size_t len3, const void *input4, size_t len4); +void ed25519_sha512(uint8_t out[SHA512_DIGEST_LENGTH], const void *input1, + size_t len1, const void *input2, size_t len2, + const void *input3, size_t len3, const void *input4, + size_t len4); -int ed25519_check_public_key_s2n_bignum(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]); -int ed25519_check_public_key_nohw(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]); -OPENSSL_EXPORT int ED25519_check_public_key(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]); +int ed25519_check_public_key_s2n_bignum( + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]); +int ed25519_check_public_key_nohw( + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]); +OPENSSL_EXPORT int ED25519_check_public_key( + const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]); #if defined(__cplusplus) } // extern C diff --git a/crypto/fipsmodule/curve25519/x25519_test.cc b/crypto/fipsmodule/curve25519/x25519_test.cc index adac333b58..95c7aebfd5 100644 --- a/crypto/fipsmodule/curve25519/x25519_test.cc +++ b/crypto/fipsmodule/curve25519/x25519_test.cc 
@@ -198,25 +198,25 @@ TEST(X25519Test, DISABLED_IteratedLarge) { } TEST(X25519Test, Wycheproof) { - FileTestGTest("third_party/wycheproof_testvectors/x25519_test.txt", - [](FileTest *t) { - t->IgnoreInstruction("curve"); - t->IgnoreAttribute("curve"); - - WycheproofResult result; - ASSERT_TRUE(GetWycheproofResult(t, &result)); - std::vector priv, pub, shared; - ASSERT_TRUE(t->GetBytes(&priv, "private")); - ASSERT_TRUE(t->GetBytes(&pub, "public")); - ASSERT_TRUE(t->GetBytes(&shared, "shared")); - ASSERT_EQ(32u, priv.size()); - ASSERT_EQ(32u, pub.size()); - - uint8_t secret[32]; - int ret = ctwrapX25519(secret, priv.data(), pub.data()); - EXPECT_EQ(ret, result.IsValid({"NonCanonicalPublic", "Twist"}) ? 1 : 0); - EXPECT_EQ(Bytes(secret), Bytes(shared)); - }); + FileTestGTest( + "third_party/wycheproof_testvectors/x25519_test.txt", [](FileTest *t) { + t->IgnoreInstruction("curve"); + t->IgnoreAttribute("curve"); + + WycheproofResult result; + ASSERT_TRUE(GetWycheproofResult(t, &result)); + std::vector priv, pub, shared; + ASSERT_TRUE(t->GetBytes(&priv, "private")); + ASSERT_TRUE(t->GetBytes(&pub, "public")); + ASSERT_TRUE(t->GetBytes(&shared, "shared")); + ASSERT_EQ(32u, priv.size()); + ASSERT_EQ(32u, pub.size()); + + uint8_t secret[32]; + int ret = ctwrapX25519(secret, priv.data(), pub.data()); + EXPECT_EQ(ret, result.IsValid({"NonCanonicalPublic", "Twist"}) ? 1 : 0); + EXPECT_EQ(Bytes(secret), Bytes(shared)); + }); } #if defined(BORINGSSL_X25519_NEON) && defined(SUPPORTS_ABI_TEST) diff --git a/crypto/fipsmodule/dh/check.c b/crypto/fipsmodule/dh/check.c index e0df54d940..bc015f37e4 100644 --- a/crypto/fipsmodule/dh/check.c +++ b/crypto/fipsmodule/dh/check.c 
@@ -106,9 +106,7 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) { // Check |pub_key| is less than |dh->p| - 1. BIGNUM *tmp = BN_CTX_get(ctx); - if (tmp == NULL || - !BN_copy(tmp, dh->p) || - !BN_sub_word(tmp, 1)) { + if (tmp == NULL || !BN_copy(tmp, dh->p) || !BN_sub_word(tmp, 1)) { goto err; } if (BN_cmp(pub_key, tmp) >= 0) { diff --git a/crypto/fipsmodule/dh/dh.c b/crypto/fipsmodule/dh/dh.c index 3d0f4543e8..9e2b26fa6f 100644 --- a/crypto/fipsmodule/dh/dh.c +++ b/crypto/fipsmodule/dh/dh.c @@ -59,14 +59,14 @@ #include #include -#include #include +#include #include #include -#include "internal.h" #include "../../internal.h" #include "../bn/internal.h" +#include "internal.h" DH *DH_new(void) { @@ -124,7 +124,8 @@ unsigned DH_bits(const DH *dh) { const BIGNUM *DH_get0_pub_key(const DH *dh) { SET_DIT_AUTO_RESET; - return dh->pub_key;; + return dh->pub_key; + ; } const BIGNUM *DH_get0_priv_key(const DH *dh) { @@ -160,8 +161,8 @@ void DH_get0_key(const DH *dh, const BIGNUM **out_pub_key, void DH_clear_flags(DH *dh, int flags) { SET_DIT_AUTO_RESET; - (void) dh; - (void) flags; + (void)dh; + (void)flags; } int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) { @@ -195,8 +196,7 @@ void DH_get0_pqg(const DH *dh, const BIGNUM **out_p, const BIGNUM **out_q, int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { SET_DIT_AUTO_RESET; - if ((dh->p == NULL && p == NULL) || - (dh->g == NULL && g == NULL)) { + if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) { return 0; } @@ -368,8 +368,7 @@ static int dh_compute_key(DH *dh, BIGNUM *out_shared_key, if (!BN_mod_exp_mont_consttime(out_shared_key, peers_key, dh->priv_key, dh->p, ctx, dh->method_mont_p) || - !BN_copy(p_minus_1, dh->p) || - !BN_sub_word(p_minus_1, 1)) { + !BN_copy(p_minus_1, dh->p) || !BN_sub_word(p_minus_1, 1)) { OPENSSL_PUT_ERROR(DH, ERR_R_BN_LIB); goto err; } 
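Review bot: The stray second semicolon in `DH_get0_pub_key` survives the reformat as a bare `;` on its own line after `return dh->pub_key;`, so the new side still carries an empty statement, now sitting after the return. Dropping it so the body reads `SET_DIT_AUTO_RESET; return dh->pub_key;` would be the tidy fix; clang-format only relocated it. The function is fully within the `@@ -124,7 +124,8 @@` hunk of dh.c.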
@@ -383,7 +382,7 @@ static int dh_compute_key(DH *dh, BIGNUM *out_shared_key, ret = 1; - err: +err: BN_CTX_end(ctx); return ret; } @@ -399,8 +398,7 @@ int dh_compute_key_padded_no_self_test(unsigned char *out, int dh_size = DH_size(dh); int ret = -1; BIGNUM *shared_key = BN_CTX_get(ctx); - if (shared_key && - dh_compute_key(dh, shared_key, peers_key, ctx) && + if (shared_key && dh_compute_key(dh, shared_key, peers_key, ctx) && BN_bn2bin_padded(out, dh_size, shared_key)) { ret = dh_size; } @@ -451,8 +449,8 @@ int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len, return 0; } - // We have to avoid the underlying |EVP_Digest| services updating the indicator - // state, so we lock the state here. + // We have to avoid the underlying |EVP_Digest| services updating the + // indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); int ret = 0; @@ -475,7 +473,7 @@ int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len, *out_len = digest_len; ret = 1; - err: +err: FIPS_service_indicator_unlock_state(); OPENSSL_free(shared_bytes); return ret; @@ -512,8 +510,7 @@ static DH *calculate_rfc7919_DH_from_p(const BN_ULONG data[], size_t data_len) { bn_set_static_words(ffdhe_p, data, data_len); - if (!BN_rshift1(ffdhe_q, ffdhe_p) || - !BN_set_word(ffdhe_g, 2) || + if (!BN_rshift1(ffdhe_q, ffdhe_p) || !BN_set_word(ffdhe_g, 2) || !DH_set0_pqg(dh, ffdhe_p, ffdhe_q, ffdhe_g)) { goto err; } @@ -526,7 +523,6 @@ static DH *calculate_rfc7919_DH_from_p(const BN_ULONG data[], size_t data_len) { BN_free(ffdhe_g); DH_free(dh); return NULL; - } DH *DH_get_rfc7919_2048(void) { 
@@ -551,81 +547,82 @@ DH *DH_get_rfc7919_2048(void) { TOBN(0xadf85458, 0xa2bb4a9a), TOBN(0xffffffff, 0xffffffff), }; - return calculate_rfc7919_DH_from_p(kFFDHE2048Data, OPENSSL_ARRAY_SIZE(kFFDHE2048Data)); + return calculate_rfc7919_DH_from_p(kFFDHE2048Data, + OPENSSL_ARRAY_SIZE(kFFDHE2048Data)); } DH *DH_get_rfc7919_3072(void) { // This is the prime from https://tools.ietf.org/html/rfc7919#appendix-A.2, // which is specifically approved for FIPS in appendix D of SP 800-56Ar3. static const BN_ULONG kFFDHE3072Data[] = { - TOBN(0xffffffff, 0xffffffff), TOBN(0x25e41d2b, 0x66c62e37), - TOBN(0x3c1b20ee, 0x3fd59d7c), TOBN(0x0abcd06b, 0xfa53ddef), - TOBN(0x1dbf9a42, 0xd5c4484e), TOBN(0xabc52197, 0x9b0deada), - TOBN(0xe86d2bc5, 0x22363a0d), TOBN(0x5cae82ab, 0x9c9df69e), - TOBN(0x64f2e21e, 0x71f54bff), TOBN(0xf4fd4452, 0xe2d74dd3), - TOBN(0xb4130c93, 0xbc437944), TOBN(0xaefe1309, 0x85139270), - TOBN(0x598cb0fa, 0xc186d91c), TOBN(0x7ad91d26, 0x91f7f7ee), - TOBN(0x61b46fc9, 0xd6e6c907), TOBN(0xbc34f4de, 0xf99c0238), - TOBN(0xde355b3b, 0x6519035b), TOBN(0x886b4238, 0x611fcfdc), - TOBN(0xc6f34a26, 0xc1b2effa), TOBN(0xc58ef183, 0x7d1683b2), - TOBN(0x3bb5fcbc, 0x2ec22005), TOBN(0xc3fe3b1b, 0x4c6fad73), - TOBN(0x8e4f1232, 0xeef28183), TOBN(0x9172fe9c, 0xe98583ff), - TOBN(0xc03404cd, 0x28342f61), TOBN(0x9e02fce1, 0xcdf7e2ec), - TOBN(0x0b07a7c8, 0xee0a6d70), TOBN(0xae56ede7, 0x6372bb19), - TOBN(0x1d4f42a3, 0xde394df4), TOBN(0xb96adab7, 0x60d7f468), - TOBN(0xd108a94b, 0xb2c8e3fb), TOBN(0xbc0ab182, 0xb324fb61), - TOBN(0x30acca4f, 0x483a797a), TOBN(0x1df158a1, 0x36ade735), - TOBN(0xe2a689da, 0xf3efe872), TOBN(0x984f0c70, 0xe0e68b77), - TOBN(0xb557135e, 0x7f57c935), TOBN(0x85636555, 0x3ded1af3), - TOBN(0x2433f51f, 0x5f066ed0), TOBN(0xd3df1ed5, 0xd5fd6561), - TOBN(0xf681b202, 0xaec4617a), TOBN(0x7d2fe363, 0x630c75d8), - TOBN(0xcc939dce, 0x249b3ef9), TOBN(0xa9e13641, 0x146433fb), - TOBN(0xd8b9c583, 0xce2d3695), TOBN(0xafdc5620, 0x273d3cf1), - TOBN(0xadf85458, 0xa2bb4a9a), 
TOBN(0xffffffff, 0xffffffff)}; + TOBN(0xffffffff, 0xffffffff), TOBN(0x25e41d2b, 0x66c62e37), + TOBN(0x3c1b20ee, 0x3fd59d7c), TOBN(0x0abcd06b, 0xfa53ddef), + TOBN(0x1dbf9a42, 0xd5c4484e), TOBN(0xabc52197, 0x9b0deada), + TOBN(0xe86d2bc5, 0x22363a0d), TOBN(0x5cae82ab, 0x9c9df69e), + TOBN(0x64f2e21e, 0x71f54bff), TOBN(0xf4fd4452, 0xe2d74dd3), + TOBN(0xb4130c93, 0xbc437944), TOBN(0xaefe1309, 0x85139270), + TOBN(0x598cb0fa, 0xc186d91c), TOBN(0x7ad91d26, 0x91f7f7ee), + TOBN(0x61b46fc9, 0xd6e6c907), TOBN(0xbc34f4de, 0xf99c0238), + TOBN(0xde355b3b, 0x6519035b), TOBN(0x886b4238, 0x611fcfdc), + TOBN(0xc6f34a26, 0xc1b2effa), TOBN(0xc58ef183, 0x7d1683b2), + TOBN(0x3bb5fcbc, 0x2ec22005), TOBN(0xc3fe3b1b, 0x4c6fad73), + TOBN(0x8e4f1232, 0xeef28183), TOBN(0x9172fe9c, 0xe98583ff), + TOBN(0xc03404cd, 0x28342f61), TOBN(0x9e02fce1, 0xcdf7e2ec), + TOBN(0x0b07a7c8, 0xee0a6d70), TOBN(0xae56ede7, 0x6372bb19), + TOBN(0x1d4f42a3, 0xde394df4), TOBN(0xb96adab7, 0x60d7f468), + TOBN(0xd108a94b, 0xb2c8e3fb), TOBN(0xbc0ab182, 0xb324fb61), + TOBN(0x30acca4f, 0x483a797a), TOBN(0x1df158a1, 0x36ade735), + TOBN(0xe2a689da, 0xf3efe872), TOBN(0x984f0c70, 0xe0e68b77), + TOBN(0xb557135e, 0x7f57c935), TOBN(0x85636555, 0x3ded1af3), + TOBN(0x2433f51f, 0x5f066ed0), TOBN(0xd3df1ed5, 0xd5fd6561), + TOBN(0xf681b202, 0xaec4617a), TOBN(0x7d2fe363, 0x630c75d8), + TOBN(0xcc939dce, 0x249b3ef9), TOBN(0xa9e13641, 0x146433fb), + TOBN(0xd8b9c583, 0xce2d3695), TOBN(0xafdc5620, 0x273d3cf1), + TOBN(0xadf85458, 0xa2bb4a9a), TOBN(0xffffffff, 0xffffffff)}; return calculate_rfc7919_DH_from_p(kFFDHE3072Data, OPENSSL_ARRAY_SIZE(kFFDHE3072Data)); } DH *DH_get_rfc7919_4096(void) { - // This is the prime from https://tools.ietf.org/html/rfc7919#appendix-A.3, - // which is specifically approved for FIPS in appendix D of SP 800-56Ar3. 
- static const BN_ULONG kFFDHE4096Data[] = { - TOBN(0xFFFFFFFF, 0xFFFFFFFF),TOBN(0xC68A007E, 0x5E655F6A), - TOBN(0x4DB5A851, 0xF44182E1),TOBN(0x8EC9B55A, 0x7F88A46B), - TOBN(0x0A8291CD, 0xCEC97DCF),TOBN(0x2A4ECEA9, 0xF98D0ACC), - TOBN(0x1A1DB93D, 0x7140003C),TOBN(0x092999A3, 0x33CB8B7A), - TOBN(0x6DC778F9, 0x71AD0038),TOBN(0xA907600A, 0x918130C4), - TOBN(0xED6A1E01, 0x2D9E6832),TOBN(0x7135C886, 0xEFB4318A), - TOBN(0x87F55BA5, 0x7E31CC7A),TOBN(0x7763CF1D, 0x55034004), - TOBN(0xAC7D5F42, 0xD69F6D18),TOBN(0x7930E9E4, 0xE58857B6), - TOBN(0x6E6F52C3, 0x164DF4FB),TOBN(0x25E41D2B, 0x669E1EF1), - TOBN(0x3C1B20EE, 0x3FD59D7C),TOBN(0x0ABCD06B, 0xFA53DDEF), - TOBN(0x1DBF9A42, 0xD5C4484E),TOBN(0xABC52197, 0x9B0DEADA), - TOBN(0xE86D2BC5, 0x22363A0D),TOBN(0x5CAE82AB, 0x9C9DF69E), - TOBN(0x64F2E21E, 0x71F54BFF),TOBN(0xF4FD4452, 0xE2D74DD3), - TOBN(0xB4130C93, 0xBC437944),TOBN(0xAEFE1309, 0x85139270), - TOBN(0x598CB0FA, 0xC186D91C),TOBN(0x7AD91D26, 0x91F7F7EE), - TOBN(0x61B46FC9, 0xD6E6C907),TOBN(0xBC34F4DE, 0xF99C0238), - TOBN(0xDE355B3B, 0x6519035B),TOBN(0x886B4238, 0x611FCFDC), - TOBN(0xC6F34A26, 0xC1B2EFFA),TOBN(0xC58EF183, 0x7D1683B2), - TOBN(0x3BB5FCBC, 0x2EC22005),TOBN(0xC3FE3B1B, 0x4C6FAD73), - TOBN(0x8E4F1232, 0xEEF28183),TOBN(0x9172FE9C, 0xE98583FF), - TOBN(0xC03404CD, 0x28342F61),TOBN(0x9E02FCE1, 0xCDF7E2EC), - TOBN(0x0B07A7C8, 0xEE0A6D70),TOBN(0xAE56EDE7, 0x6372BB19), - TOBN(0x1D4F42A3, 0xDE394DF4),TOBN(0xB96ADAB7, 0x60D7F468), - TOBN(0xD108A94B, 0xB2C8E3FB),TOBN(0xBC0AB182, 0xB324FB61), - TOBN(0x30ACCA4F, 0x483A797A),TOBN(0x1DF158A1, 0x36ADE735), - TOBN(0xE2A689DA, 0xF3EFE872),TOBN(0x984F0C70, 0xE0E68B77), - TOBN(0xB557135E, 0x7F57C935),TOBN(0x85636555, 0x3DED1AF3), - TOBN(0x2433F51F, 0x5F066ED0),TOBN(0xD3DF1ED5, 0xD5FD6561), - TOBN(0xF681B202, 0xAEC4617A),TOBN(0x7D2FE363, 0x630C75D8), - TOBN(0xCC939DCE, 0x249B3EF9),TOBN(0xA9E13641, 0x146433FB), - TOBN(0xD8B9C583, 0xCE2D3695),TOBN(0xAFDC5620, 0x273D3CF1), - TOBN(0xADF85458, 0xA2BB4A9A),TOBN(0xFFFFFFFF, 0xFFFFFFFF) - 
}; - - return calculate_rfc7919_DH_from_p(kFFDHE4096Data, OPENSSL_ARRAY_SIZE(kFFDHE4096Data)); + // This is the prime from https://tools.ietf.org/html/rfc7919#appendix-A.3, + // which is specifically approved for FIPS in appendix D of SP 800-56Ar3. + static const BN_ULONG kFFDHE4096Data[] = { + TOBN(0xFFFFFFFF, 0xFFFFFFFF), TOBN(0xC68A007E, 0x5E655F6A), + TOBN(0x4DB5A851, 0xF44182E1), TOBN(0x8EC9B55A, 0x7F88A46B), + TOBN(0x0A8291CD, 0xCEC97DCF), TOBN(0x2A4ECEA9, 0xF98D0ACC), + TOBN(0x1A1DB93D, 0x7140003C), TOBN(0x092999A3, 0x33CB8B7A), + TOBN(0x6DC778F9, 0x71AD0038), TOBN(0xA907600A, 0x918130C4), + TOBN(0xED6A1E01, 0x2D9E6832), TOBN(0x7135C886, 0xEFB4318A), + TOBN(0x87F55BA5, 0x7E31CC7A), TOBN(0x7763CF1D, 0x55034004), + TOBN(0xAC7D5F42, 0xD69F6D18), TOBN(0x7930E9E4, 0xE58857B6), + TOBN(0x6E6F52C3, 0x164DF4FB), TOBN(0x25E41D2B, 0x669E1EF1), + TOBN(0x3C1B20EE, 0x3FD59D7C), TOBN(0x0ABCD06B, 0xFA53DDEF), + TOBN(0x1DBF9A42, 0xD5C4484E), TOBN(0xABC52197, 0x9B0DEADA), + TOBN(0xE86D2BC5, 0x22363A0D), TOBN(0x5CAE82AB, 0x9C9DF69E), + TOBN(0x64F2E21E, 0x71F54BFF), TOBN(0xF4FD4452, 0xE2D74DD3), + TOBN(0xB4130C93, 0xBC437944), TOBN(0xAEFE1309, 0x85139270), + TOBN(0x598CB0FA, 0xC186D91C), TOBN(0x7AD91D26, 0x91F7F7EE), + TOBN(0x61B46FC9, 0xD6E6C907), TOBN(0xBC34F4DE, 0xF99C0238), + TOBN(0xDE355B3B, 0x6519035B), TOBN(0x886B4238, 0x611FCFDC), + TOBN(0xC6F34A26, 0xC1B2EFFA), TOBN(0xC58EF183, 0x7D1683B2), + TOBN(0x3BB5FCBC, 0x2EC22005), TOBN(0xC3FE3B1B, 0x4C6FAD73), + TOBN(0x8E4F1232, 0xEEF28183), TOBN(0x9172FE9C, 0xE98583FF), + TOBN(0xC03404CD, 0x28342F61), TOBN(0x9E02FCE1, 0xCDF7E2EC), + TOBN(0x0B07A7C8, 0xEE0A6D70), TOBN(0xAE56EDE7, 0x6372BB19), + TOBN(0x1D4F42A3, 0xDE394DF4), TOBN(0xB96ADAB7, 0x60D7F468), + TOBN(0xD108A94B, 0xB2C8E3FB), TOBN(0xBC0AB182, 0xB324FB61), + TOBN(0x30ACCA4F, 0x483A797A), TOBN(0x1DF158A1, 0x36ADE735), + TOBN(0xE2A689DA, 0xF3EFE872), TOBN(0x984F0C70, 0xE0E68B77), + TOBN(0xB557135E, 0x7F57C935), TOBN(0x85636555, 0x3DED1AF3), + TOBN(0x2433F51F, 0x5F066ED0), 
TOBN(0xD3DF1ED5, 0xD5FD6561), + TOBN(0xF681B202, 0xAEC4617A), TOBN(0x7D2FE363, 0x630C75D8), + TOBN(0xCC939DCE, 0x249B3EF9), TOBN(0xA9E13641, 0x146433FB), + TOBN(0xD8B9C583, 0xCE2D3695), TOBN(0xAFDC5620, 0x273D3CF1), + TOBN(0xADF85458, 0xA2BB4A9A), TOBN(0xFFFFFFFF, 0xFFFFFFFF)}; + + return calculate_rfc7919_DH_from_p(kFFDHE4096Data, + OPENSSL_ARRAY_SIZE(kFFDHE4096Data)); } DH *DH_get_rfc7919_8192(void) { diff --git a/crypto/fipsmodule/digest/digest.c b/crypto/fipsmodule/digest/digest.c index 8e279ca58f..19d0ecf729 100644 --- a/crypto/fipsmodule/digest/digest.c +++ b/crypto/fipsmodule/digest/digest.c @@ -89,7 +89,7 @@ EVP_MD_CTX *EVP_MD_CTX_new(void) { if (ctx) { // NO-OP: struct already zeroed - //EVP_MD_CTX_init(ctx); + // EVP_MD_CTX_init(ctx); } return ctx; @@ -106,7 +106,8 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) { assert(ctx->pctx == NULL || ctx->pctx_ops != NULL); // |pctx| should be freed by the user of |EVP_MD_CTX| if - // |EVP_MD_CTX_FLAG_KEEP_PKEY_CTX| is set. Everything other than the external |pctx| that |ctx->pctx| was pointing to is cleaned up when the flag is set. + // |EVP_MD_CTX_FLAG_KEEP_PKEY_CTX| is set. Everything other than the external + // |pctx| that |ctx->pctx| was pointing to is cleaned up when the flag is set. if (ctx->pctx_ops && !(ctx->flags & EVP_MD_CTX_FLAG_KEEP_PKEY_CTX)) { ctx->pctx_ops->free(ctx->pctx); } diff --git a/crypto/fipsmodule/digest/digests.c b/crypto/fipsmodule/digest/digests.c index d869723685..0bbebe02a6 100644 --- a/crypto/fipsmodule/digest/digests.c +++ b/crypto/fipsmodule/digest/digests.c @@ -70,15 +70,13 @@ #include "internal.h" #if defined(NDEBUG) -#define CHECK(x) (void) (x) +#define CHECK(x) (void)(x) #else #define CHECK(x) assert(x) #endif -static void md4_init(EVP_MD_CTX *ctx) { - CHECK(MD4_Init(ctx->md_data)); -} +static void md4_init(EVP_MD_CTX *ctx) { CHECK(MD4_Init(ctx->md_data)); } static void md4_update(EVP_MD_CTX *ctx, const void *data, size_t count) { CHECK(MD4_Update(ctx->md_data, data, count)); 
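Review bot: The commented-out `// EVP_MD_CTX_init(ctx);` in `EVP_MD_CTX_new` (digest.c, `@@ -89,7 +89,7 @@`) is disabled code that the formatter only re-spaced; the intent is already carried by the `NO-OP: struct already zeroed` line above it. Replacing both lines with a single comment such as `// No EVP_MD_CTX_init(ctx) needed: the allocation above returns a zeroed struct.` keeps the why without leaving a dead call in the body. The allocation itself is outside the hunk, so the zeroing claim here comes from the existing comment rather than from visible code.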
@@ -101,9 +99,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_md4) {
 }
-static void md5_init(EVP_MD_CTX *ctx) {
- CHECK(MD5_Init(ctx->md_data));
-}
+static void md5_init(EVP_MD_CTX *ctx) { CHECK(MD5_Init(ctx->md_data)); }
 static void md5_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
 CHECK(MD5_Update(ctx->md_data, data, count));
@@ -151,9 +147,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_ripemd160) {
 }
-static void sha1_init(EVP_MD_CTX *ctx) {
- CHECK(SHA1_Init(ctx->md_data));
-}
+static void sha1_init(EVP_MD_CTX *ctx) { CHECK(SHA1_Init(ctx->md_data)); }
 static void sha1_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
 CHECK(SHA1_Update(ctx->md_data, data, count));
@@ -176,9 +170,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha1) {
 }
-static void sha224_init(EVP_MD_CTX *ctx) {
- CHECK(SHA224_Init(ctx->md_data));
-}
+static void sha224_init(EVP_MD_CTX *ctx) { CHECK(SHA224_Init(ctx->md_data)); }
 static void sha224_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
 CHECK(SHA224_Update(ctx->md_data, data, count));
@@ -201,9 +193,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha224) {
 }
-static void sha256_init(EVP_MD_CTX *ctx) {
- CHECK(SHA256_Init(ctx->md_data));
-}
+static void sha256_init(EVP_MD_CTX *ctx) { CHECK(SHA256_Init(ctx->md_data)); }
 static void sha256_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
 CHECK(SHA256_Update(ctx->md_data, data, count));
@@ -226,9 +216,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha256) {
 }
-static void sha384_init(EVP_MD_CTX *ctx) {
- CHECK(SHA384_Init(ctx->md_data));
-}
+static void sha384_init(EVP_MD_CTX *ctx) { CHECK(SHA384_Init(ctx->md_data)); }
 static void sha384_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
 CHECK(SHA384_Update(ctx->md_data, data, count));
@@ -251,9 +239,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha384) {
 }
-static void sha512_init(EVP_MD_CTX *ctx) {
- CHECK(SHA512_Init(ctx->md_data));
-}
+static void sha512_init(EVP_MD_CTX *ctx) { CHECK(SHA512_Init(ctx->md_data)); }
 static void sha512_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
 CHECK(SHA512_Update(ctx->md_data, data, count));
diff --git a/crypto/fipsmodule/digest/internal.h b/crypto/fipsmodule/digest/internal.h
index 148e467077..5688bdb47b 100644
--- a/crypto/fipsmodule/digest/internal.h
+++ b/crypto/fipsmodule/digest/internal.h
@@ -90,8 +90,8 @@ struct env_md_st {
 // ctx_size contains the size, in bytes, of the state of the hash function.
 unsigned ctx_size;
- // finalXOF completes the hash and writes |len| bytes of digest extended output
- // to |out|.
+ // finalXOF completes the hash and writes |len| bytes of digest extended
+ // output to |out|.
 void (*finalXOF)(EVP_MD_CTX *ctx, uint8_t *out, size_t len);
 };
@@ -101,11 +101,11 @@ struct env_md_st {
 struct evp_md_pctx_ops {
 // free is called when an |EVP_MD_CTX| is being freed and the |pctx| also
 // needs to be freed.
- void (*free) (EVP_PKEY_CTX *pctx);
+ void (*free)(EVP_PKEY_CTX *pctx);
 // dup is called when an |EVP_MD_CTX| is copied and so the |pctx| also needs
 // to be copied.
- EVP_PKEY_CTX* (*dup) (EVP_PKEY_CTX *pctx);
+ EVP_PKEY_CTX *(*dup)(EVP_PKEY_CTX *pctx);
 };
diff --git a/crypto/fipsmodule/ec/builtin_curves.h b/crypto/fipsmodule/ec/builtin_curves.h
index e05c774e6d..e15a8b0c9b 100644
--- a/crypto/fipsmodule/ec/builtin_curves.h
+++ b/crypto/fipsmodule/ec/builtin_curves.h
@@ -53,38 +53,38 @@ OPENSSL_UNUSED static const uint64_t kP224MontGY[] = {
 0x00000000614786f1};
 #elif defined(OPENSSL_32_BIT)
 OPENSSL_UNUSED static const uint32_t kP224Field[] = {
- 0x00000001, 0x00000000, 0x00000000, 0xffffffff, 0xffffffff, 0xffffffff,
- 0xffffffff};
+ 0x00000001, 0x00000000, 0x00000000, 0xffffffff,
+ 0xffffffff, 0xffffffff, 0xffffffff};
 OPENSSL_UNUSED static const uint32_t kP224Order[] = {
- 0x5c5c2a3d, 0x13dd2945, 0xe0b8f03e, 0xffff16a2, 0xffffffff, 0xffffffff,
- 0xffffffff};
+ 0x5c5c2a3d, 0x13dd2945, 0xe0b8f03e, 0xffff16a2,
+ 0xffffffff, 0xffffffff, 0xffffffff};
 OPENSSL_UNUSED static const uint32_t kP224B[] = {
- 0x2355ffb4, 0x270b3943, 0xd7bfd8ba, 0x5044b0b7, 0xf5413256, 0x0c04b3ab,
- 0xb4050a85};
+ 0x2355ffb4, 0x270b3943, 0xd7bfd8ba, 0x5044b0b7,
+ 0xf5413256, 0x0c04b3ab, 0xb4050a85};
 OPENSSL_UNUSED static const uint32_t kP224GX[] = {
- 0x115c1d21, 0x343280d6, 0x56c21122, 0x4a03c1d3, 0x321390b9, 0x6bb4bf7f,
- 0xb70e0cbd};
+ 0x115c1d21, 0x343280d6, 0x56c21122, 0x4a03c1d3,
+ 0x321390b9, 0x6bb4bf7f, 0xb70e0cbd};
 OPENSSL_UNUSED static const uint32_t kP224GY[] = {
- 0x85007e34, 0x44d58199, 0x5a074764, 0xcd4375a0, 0x4c22dfe6, 0xb5f723fb,
- 0xbd376388};
+ 0x85007e34, 0x44d58199, 0x5a074764, 0xcd4375a0,
+ 0x4c22dfe6, 0xb5f723fb, 0xbd376388};
 OPENSSL_UNUSED static const uint32_t kP224FieldR[] = {
- 0xffffffff, 0xffffffff, 0xffffffff, 0x00000000, 0x00000000, 0x00000000,
- 0x00000000};
+ 0xffffffff, 0xffffffff, 0xffffffff, 0x00000000,
+ 0x00000000, 0x00000000, 0x00000000};
 OPENSSL_UNUSED static const uint32_t kP224FieldRR[] = {
- 0x00000001, 0x00000000, 0x00000000, 0xfffffffe, 0xffffffff, 0xffffffff,
- 0x00000000};
+ 0x00000001, 0x00000000, 0x00000000, 0xfffffffe,
+ 0xffffffff, 0xffffffff, 0x00000000};
 OPENSSL_UNUSED static const uint32_t kP224OrderRR[] = {
- 0x3ad01289, 0x6bdaae6c, 0x97a54552, 0x6ad09d91, 0xb1e97961, 0x1822bc47,
- 0xd4baa4cf};
+ 0x3ad01289, 0x6bdaae6c, 0x97a54552, 0x6ad09d91,
+ 0xb1e97961, 0x1822bc47, 0xd4baa4cf};
 OPENSSL_UNUSED static
const uint32_t kP224MontB[] = {
- 0xe768cdf7, 0xccf01310, 0x743b1cc0, 0xc8528150, 0x3dceba98, 0x7fc02f93,
- 0x9c3fa633};
+ 0xe768cdf7, 0xccf01310, 0x743b1cc0, 0xc8528150,
+ 0x3dceba98, 0x7fc02f93, 0x9c3fa633};
 OPENSSL_UNUSED static const uint32_t kP224MontGX[] = {
- 0xbc905227, 0x6018bfaa, 0xf22fe220, 0xf96bec04, 0x6dd3af9b, 0xa21b5e60,
- 0x92f5b516};
+ 0xbc905227, 0x6018bfaa, 0xf22fe220, 0xf96bec04,
+ 0x6dd3af9b, 0xa21b5e60, 0x92f5b516};
 OPENSSL_UNUSED static const uint32_t kP224MontGY[] = {
- 0x2edca1e6, 0x05335a6b, 0xe8c15513, 0x03dfe878, 0xaea9c5ae, 0x614786f1,
- 0x100c1218};
+ 0x2edca1e6, 0x05335a6b, 0xe8c15513, 0x03dfe878,
+ 0xaea9c5ae, 0x614786f1, 0x100c1218};
 #else
 #error "unknown word size"
 #endif
@@ -119,29 +119,29 @@ OPENSSL_UNUSED static const uint64_t kP256MontGY[] = {
 0x8571ff1825885d85};
 #elif defined(OPENSSL_32_BIT)
 OPENSSL_UNUSED static const uint32_t kP256Field[] = {
- 0xffffffff, 0xffffffff, 0xffffffff, 0x00000000, 0x00000000, 0x00000000,
- 0x00000001, 0xffffffff};
+ 0xffffffff, 0xffffffff, 0xffffffff, 0x00000000,
+ 0x00000000, 0x00000000, 0x00000001, 0xffffffff};
 OPENSSL_UNUSED static const uint32_t kP256Order[] = {
- 0xfc632551, 0xf3b9cac2, 0xa7179e84, 0xbce6faad, 0xffffffff, 0xffffffff,
- 0x00000000, 0xffffffff};
+ 0xfc632551, 0xf3b9cac2, 0xa7179e84, 0xbce6faad,
+ 0xffffffff, 0xffffffff, 0x00000000, 0xffffffff};
 OPENSSL_UNUSED static const uint32_t kP256FieldR[] = {
- 0x00000001, 0x00000000, 0x00000000, 0xffffffff, 0xffffffff, 0xffffffff,
- 0xfffffffe, 0x00000000};
+ 0x00000001, 0x00000000, 0x00000000, 0xffffffff,
+ 0xffffffff, 0xffffffff, 0xfffffffe, 0x00000000};
 OPENSSL_UNUSED static const uint32_t kP256FieldRR[] = {
- 0x00000003, 0x00000000, 0xffffffff, 0xfffffffb, 0xfffffffe, 0xffffffff,
- 0xfffffffd, 0x00000004};
+ 0x00000003, 0x00000000, 0xffffffff, 0xfffffffb,
+ 0xfffffffe, 0xffffffff, 0xfffffffd, 0x00000004};
 OPENSSL_UNUSED static const uint32_t kP256OrderRR[] = {
- 0xbe79eea2, 0x83244c95, 0x49bd6fa6, 0x4699799c, 0x2b6bec59, 0x2845b239,
- 0xf3d95620, 0x66e12d94};
+ 0xbe79eea2, 0x83244c95, 0x49bd6fa6, 0x4699799c,
+ 0x2b6bec59, 0x2845b239, 0xf3d95620, 0x66e12d94};
 OPENSSL_UNUSED static const uint32_t kP256MontB[] = {
- 0x29c4bddf, 0xd89cdf62, 0x78843090, 0xacf005cd, 0xf7212ed6, 0xe5a220ab,
- 0x04874834, 0xdc30061d};
+ 0x29c4bddf, 0xd89cdf62, 0x78843090, 0xacf005cd,
+ 0xf7212ed6, 0xe5a220ab, 0x04874834, 0xdc30061d};
 OPENSSL_UNUSED static const uint32_t kP256MontGX[] = {
- 0x18a9143c, 0x79e730d4, 0x5fedb601, 0x75ba95fc, 0x77622510, 0x79fb732b,
- 0xa53755c6, 0x18905f76};
+ 0x18a9143c, 0x79e730d4, 0x5fedb601, 0x75ba95fc,
+ 0x77622510, 0x79fb732b, 0xa53755c6, 0x18905f76};
 OPENSSL_UNUSED static const uint32_t kP256MontGY[] = {
- 0xce95560a,
0xddf25357, 0xba19e45c, 0x8b4ab8e4, 0xdd21f325, 0xd2e88688,
- 0x25885d85, 0x8571ff18};
+ 0xce95560a, 0xddf25357, 0xba19e45c, 0x8b4ab8e4,
+ 0xdd21f325, 0xd2e88688, 0x25885d85, 0x8571ff18};
 #else
 #error "unknown word size"
 #endif
@@ -330,29 +330,29 @@ OPENSSL_UNUSED static const uint64_t ksecp256k1MontGY[] = {
 0xcf3f851fd4a582d6};
 #elif defined(OPENSSL_32_BIT)
 OPENSSL_UNUSED static const uint32_t ksecp256k1Field[] = {
- 0xfffffc2f, 0xfffffffe, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff,
- 0xffffffff, 0xffffffff};
+ 0xfffffc2f, 0xfffffffe, 0xffffffff, 0xffffffff,
+ 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff};
 OPENSSL_UNUSED static const uint32_t ksecp256k1Order[] = {
- 0xd0364141, 0xbfd25e8c, 0xaf48a03b, 0xbaaedce6, 0xfffffffe, 0xffffffff,
- 0xffffffff, 0xffffffff};
+ 0xd0364141, 0xbfd25e8c, 0xaf48a03b, 0xbaaedce6,
+ 0xfffffffe, 0xffffffff, 0xffffffff, 0xffffffff};
 OPENSSL_UNUSED static const uint32_t ksecp256k1FieldR[] = {
- 0x000003d1, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
- 0x00000000, 0x00000000};
+ 0x000003d1, 0x00000001, 0x00000000, 0x00000000,
+ 0x00000000, 0x00000000, 0x00000000, 0x00000000};
 OPENSSL_UNUSED static const uint32_t ksecp256k1FieldRR[] = {
- 0x000e90a1, 0x000007a2, 0x00000001, 0x00000000, 0x00000000, 0x00000000,
- 0x00000000, 0x00000000};
+ 0x000e90a1, 0x000007a2, 0x00000001, 0x00000000,
+ 0x00000000, 0x00000000, 0x00000000, 0x00000000};
 OPENSSL_UNUSED static const uint32_t ksecp256k1OrderRR[] = {
- 0x67d7d140, 0x896cf214, 0x0e7cf878, 0x741496c2, 0x5bcd07c6, 0xe697f5e4,
- 0x81c69bc5, 0x9d671cd5};
+ 0x67d7d140, 0x896cf214, 0x0e7cf878, 0x741496c2,
+ 0x5bcd07c6, 0xe697f5e4, 0x81c69bc5, 0x9d671cd5};
 OPENSSL_UNUSED static const uint32_t ksecp256k1MontB[] = {
- 0x00001ab7, 0x00000007, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
- 0x00000000, 0x00000000};
+ 0x00001ab7, 0x00000007, 0x00000000, 0x00000000,
+ 0x00000000, 0x00000000, 0x00000000, 0x00000000};
 OPENSSL_UNUSED static const uint32_t ksecp256k1MontGX[] = {
- 0x487e2097, 0xd7362e5a, 0x29bc66db, 0x231e2953, 0x33fd129c, 0x979f48c0,
- 0xe9089f48, 0x9981e643};
+ 0x487e2097, 0xd7362e5a, 0x29bc66db, 0x231e2953,
+ 0x33fd129c, 0x979f48c0, 0xe9089f48, 0x9981e643};
 OPENSSL_UNUSED static const
uint32_t ksecp256k1MontGY[] = {
- 0xd3dbabe2, 0xb15ea6d2, 0x1f1dc64d, 0x8dfc5d5d, 0xac19c136, 0x70b6b59a,
- 0xd4a582d6, 0xcf3f851f};
+ 0xd3dbabe2, 0xb15ea6d2, 0x1f1dc64d, 0x8dfc5d5d,
+ 0xac19c136, 0x70b6b59a, 0xd4a582d6, 0xcf3f851f};
 #else
 #error "unknown word size"
 #endif
diff --git a/crypto/fipsmodule/ec/ec.c b/crypto/fipsmodule/ec/ec.c
index 7acfbc1e26..4ef83d40ad 100644
--- a/crypto/fipsmodule/ec/ec.c
+++ b/crypto/fipsmodule/ec/ec.c
@@ -75,10 +75,10 @@
 #include
 #include
-#include "internal.h"
 #include "../../internal.h"
 #include "../bn/internal.h"
 #include "../delocate.h"
+#include "internal.h"
 #include "builtin_curves.h"
@@ -259,16 +259,21 @@ DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_secp256k1) {
 out->oid_len = sizeof(kOIDP256K1);
 ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(ksecp256k1Field),
- ksecp256k1Field, ksecp256k1FieldRR, ksecp256k1FieldN0);
+ ksecp256k1Field, ksecp256k1FieldRR,
+ ksecp256k1FieldN0);
 ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(ksecp256k1Order),
- ksecp256k1Order, ksecp256k1OrderRR, ksecp256k1OrderN0);
+ ksecp256k1Order, ksecp256k1OrderRR,
+ ksecp256k1OrderN0);
 out->meth = EC_GFp_mont_method();
 out->generator.group = out;
- OPENSSL_memcpy(out->generator.raw.X.words, ksecp256k1MontGX, sizeof(ksecp256k1MontGX));
- OPENSSL_memcpy(out->generator.raw.Y.words, ksecp256k1MontGY, sizeof(ksecp256k1MontGY));
- OPENSSL_memcpy(out->generator.raw.Z.words, ksecp256k1FieldR, sizeof(ksecp256k1FieldR));
+ OPENSSL_memcpy(out->generator.raw.X.words, ksecp256k1MontGX,
+ sizeof(ksecp256k1MontGX));
+ OPENSSL_memcpy(out->generator.raw.Y.words, ksecp256k1MontGY,
+ sizeof(ksecp256k1MontGY));
+ OPENSSL_memcpy(out->generator.raw.Z.words, ksecp256k1FieldR,
+ sizeof(ksecp256k1FieldR));
 OPENSSL_memcpy(out->b.words, ksecp256k1MontB, sizeof(ksecp256k1MontB));
 ec_group_set_a_zero(out);
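Review bot: The include reorder in ec.c moves `#include "internal.h"` from the first position in its group to the last, so the file no longer includes its own module header before the others; including the own header first is what catches a header that silently depends on something included before it, and the same reorder is made in ec_key.c in the later hunk. If the sorted order is what the project wants, the `IncludeCategories` in the .clang-format file is the place to encode a rule that keeps `"internal.h"` first; otherwise the block can be protected with `// clang-format off` / `// clang-format on` around the includes. The change is behaviour-neutral only if `internal.h` is self-contained, which this hunk does not show.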
@@ -300,8 +305,7 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
 BIGNUM *a_reduced = BN_CTX_get(ctx);
 BIGNUM *b_reduced = BN_CTX_get(ctx);
 if (a_reduced == NULL || b_reduced == NULL ||
- !BN_nnmod(a_reduced, a, p, ctx) ||
- !BN_nnmod(b_reduced, b, p, ctx)) {
+ !BN_nnmod(a_reduced, a, p, ctx) || !BN_nnmod(b_reduced, b, p, ctx)) {
 goto err;
 }
@@ -356,8 +360,7 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
 // the ECDSA implementation.
 int ret = 0;
 BIGNUM *tmp = BN_new();
- if (tmp == NULL ||
- !BN_lshift1(tmp, order)) {
+ if (tmp == NULL || !BN_lshift1(tmp, order)) {
 goto err;
 }
 if (BN_cmp(tmp, &group->field.N) <= 0) {
@@ -394,7 +397,7 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid) {
 case NID_secp521r1:
 return (EC_GROUP *)EC_group_p521();
 case NID_secp256k1:
- return (EC_GROUP *)EC_group_secp256k1();
+ return (EC_GROUP *)EC_group_secp256k1();
 default:
 OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);
 return NULL;
@@ -831,8 +834,7 @@ static int arbitrary_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
 // This is an unusual input, so we do not guarantee constant-time processing.
 BN_CTX_start(ctx);
 BIGNUM *tmp = BN_CTX_get(ctx);
- int ok = tmp != NULL &&
- BN_nnmod(tmp, in, EC_GROUP_get0_order(group), ctx) &&
+ int ok = tmp != NULL && BN_nnmod(tmp, in, EC_GROUP_get0_order(group), ctx) &&
 ec_bignum_to_scalar(group, out, tmp);
 BN_CTX_end(ctx);
 return ok;
@@ -845,7 +847,7 @@ int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r,
 // nothing to multiply. But, nobody should be calling this function with
 // nothing to multiply in the first place.
 if ((g_scalar == NULL && p_scalar == NULL) ||
- (p == NULL) != (p_scalar == NULL)) {
+ (p == NULL) != (p_scalar == NULL)) {
 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
 return 0;
 }
@@ -989,8 +991,7 @@ int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r,
 int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r,
 const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,
 const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,
- const EC_JACOBIAN *p2,
- const EC_SCALAR *scalar2) {
+ const EC_JACOBIAN *p2, const EC_SCALAR *scalar2) {
 if (group->meth->mul_batch == NULL) {
 OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
@@ -1041,7 +1042,7 @@ int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r,
 }
 void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask,
- const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
+ const EC_JACOBIAN *a, const EC_JACOBIAN *b) {
 ec_felem_select(group, &out->X, mask, &a->X, &b->X);
 ec_felem_select(group, &out->Y, mask, &a->Y, &b->Y);
 ec_felem_select(group, &out->Z, mask, &a->Z, &b->Z);
diff --git a/crypto/fipsmodule/ec/ec_key.c b/crypto/fipsmodule/ec/ec_key.c
index d7aea95f1f..486a19f0ad 100644
--- a/crypto/fipsmodule/ec/ec_key.c
+++ b/crypto/fipsmodule/ec/ec_key.c
@@ -78,9 +78,9 @@
 #include
 #include
-#include "internal.h"
-#include "../delocate.h"
 #include "../../internal.h"
+#include "../delocate.h"
+#include "internal.h"
 DEFINE_STATIC_EX_DATA_CLASS(g_ec_ex_data_class)
@@ -112,10 +112,10 @@ EC_KEY *EC_KEY_new_method(const ENGINE *engine) {
 if (engine) {
 // Cast away const
- ret->eckey_method = (EC_KEY_METHOD *) ENGINE_get_EC(engine);
+ ret->eckey_method = (EC_KEY_METHOD *)ENGINE_get_EC(engine);
 }
- if(ret->eckey_method == NULL) {
+ if (ret->eckey_method == NULL) {
 ret->eckey_method = EC_KEY_get_default_method();
 }
@@ -124,7 +124,8 @@ EC_KEY *EC_KEY_new_method(const ENGINE *engine) {
 CRYPTO_new_ex_data(&ret->ex_data);
- if (ret->eckey_method && ret->eckey_method->init && !ret->eckey_method->init(ret)) {
+ if (ret->eckey_method && ret->eckey_method->init &&
+ !ret->eckey_method->init(ret)) {
 CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), ret, &ret->ex_data);
 OPENSSL_free(ret);
 return NULL;
@@ -179,10 +180,8 @@ EC_KEY *EC_KEY_dup(const EC_KEY *src) {
 return NULL;
 }
- if ((src->group != NULL &&
- !EC_KEY_set_group(ret, src->group)) ||
- (src->pub_key != NULL &&
- !EC_KEY_set_public_key(ret, src->pub_key)) ||
+ if ((src->group != NULL && !EC_KEY_set_group(ret, src->group)) ||
+ (src->pub_key != NULL && !EC_KEY_set_public_key(ret, src->pub_key)) ||
 (src->priv_key != NULL &&
 !EC_KEY_set_private_key(ret, EC_KEY_get0_private_key(src)))) {
 EC_KEY_free(ret);
@@ -336,21 +335,19 @@ static int EVP_EC_KEY_check_fips(EC_KEY *key) {
 uint8_t msg[16] = {0};
 size_t msg_len = 16;
 int ret = 0;
- uint8_t* sig_der = NULL;
+ uint8_t *sig_der = NULL;
 EVP_PKEY *evp_pkey = EVP_PKEY_new();
 EVP_MD_CTX ctx;
 EVP_MD_CTX_init(&ctx);
 const EVP_MD *hash = EVP_sha256();
 size_t sign_len;
- if (!evp_pkey ||
- !EVP_PKEY_set1_EC_KEY(evp_pkey, key) ||
+ if (!evp_pkey || !EVP_PKEY_set1_EC_KEY(evp_pkey, key) ||
 !EVP_DigestSignInit(&ctx, NULL, hash, NULL, evp_pkey) ||
 !EVP_DigestSign(&ctx, NULL, &sign_len, msg, msg_len)) {
 goto err;
 }
 sig_der = OPENSSL_malloc(sign_len);
- if (!sig_der ||
- !EVP_DigestSign(&ctx, sig_der, &sign_len, msg, msg_len)) {
+ if (!sig_der || !EVP_DigestSign(&ctx, sig_der, &sign_len, msg, msg_len)) {
 goto err;
 }
 if (boringssl_fips_break_test("ECDSA_PWCT")) {
@@ -392,7 +389,7 @@ int EC_KEY_check_fips(const EC_KEY *key) {
 // ec_felem_to_bignum() calls BN_bin2bn() which sets the `neg` flag to 0.
 EC_POINT *pub_key = key->pub_key;
 EC_GROUP *group = key->pub_key->group;
- if(ec_felem_equal(group, ec_felem_one(group), &pub_key->raw.Z)) {
+ if (ec_felem_equal(group, ec_felem_one(group), &pub_key->raw.Z)) {
 BIGNUM *x = BN_new();
 BIGNUM *y = BN_new();
 int check_ret = 1;
@@ -417,7 +414,7 @@ int EC_KEY_check_fips(const EC_KEY *key) {
 }
 if (key->priv_key) {
- if (!EVP_EC_KEY_check_fips((EC_KEY*)key)) {
+ if (!EVP_EC_KEY_check_fips((EC_KEY *)key)) {
 OPENSSL_PUT_ERROR(EC, EC_R_PUBLIC_KEY_VALIDATION_FAILED);
 goto end;
 }
@@ -426,8 +423,8 @@ int EC_KEY_check_fips(const EC_KEY *key) {
 ret = 1;
 end:
 FIPS_service_indicator_unlock_state();
- if(ret){
- EC_KEY_keygen_verify_service_indicator((EC_KEY*)key);
+ if (ret) {
+ EC_KEY_keygen_verify_service_indicator((EC_KEY *)key);
 }
 return ret;
 }
@@ -445,8 +442,7 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, const BIGNUM *x,
 point = EC_POINT_new(key->group);
 if (point == NULL ||
 !EC_POINT_set_affine_coordinates_GFp(key->group, point, x, y, NULL) ||
- !EC_KEY_set_public_key(key, point) ||
- !EC_KEY_check_key(key)) {
+ !EC_KEY_set_public_key(key, point) || !EC_KEY_check_key(key)) {
 goto err;
 }
@@ -587,24 +583,24 @@ EC_KEY_METHOD *EC_KEY_METHOD_new(const EC_KEY_METHOD *eckey_meth) {
 EC_KEY_METHOD *ret;
 ret = OPENSSL_zalloc(sizeof(EC_KEY_METHOD));
- if(ret == NULL) {
+ if (ret == NULL) {
 return NULL;
 }
- if(eckey_meth) {
+ if (eckey_meth) {
 *ret = *eckey_meth;
 }
 return ret;
 }
 void EC_KEY_METHOD_free(EC_KEY_METHOD *eckey_meth) {
- if(eckey_meth != NULL) {
+ if (eckey_meth != NULL) {
 OPENSSL_free(eckey_meth);
 }
 }
 int EC_KEY_set_method(EC_KEY *ec, const EC_KEY_METHOD *meth) {
- if(ec == NULL || meth == NULL) {
+ if (ec == NULL || meth == NULL) {
 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
 return 0;
 }
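Review bot: `EC_KEY_METHOD_free` wraps `OPENSSL_free(eckey_meth)` in `if (eckey_meth != NULL)`, a guard the formatting pass keeps; if `OPENSSL_free` follows the `free(NULL)`-is-a-no-op contract (as the BoringSSL-derived allocator does), the guard is redundant and the body can be the single line `OPENSSL_free(eckey_meth);`. Not a correctness issue, only a style point, and it applies to the new side of this hunk alone.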
@@ -614,7 +610,7 @@ int EC_KEY_set_method(EC_KEY *ec, const EC_KEY_METHOD *meth) {
 }
 const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *ec) {
- if(ec == NULL) {
+ if (ec == NULL) {
 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
 return NULL;
 }
@@ -624,7 +620,7 @@ const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *ec) {
 void EC_KEY_METHOD_set_init_awslc(EC_KEY_METHOD *meth, int (*init)(EC_KEY *key),
 void (*finish)(EC_KEY *key)) {
- if(meth == NULL) {
+ if (meth == NULL) {
 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
 return;
 }
@@ -633,17 +629,15 @@ void EC_KEY_METHOD_set_init_awslc(EC_KEY_METHOD *meth, int (*init)(EC_KEY *key),
 meth->finish = finish;
 }
-void EC_KEY_METHOD_set_sign_awslc(EC_KEY_METHOD *meth,
- int (*sign)(int type, const uint8_t *digest,
- int digest_len, uint8_t *sig,
- unsigned int *siglen, const BIGNUM *k_inv,
- const BIGNUM *r, EC_KEY *eckey),
- ECDSA_SIG *(*sign_sig)(const uint8_t *digest,
- int digest_len,
- const BIGNUM *in_kinv, const BIGNUM *in_r,
- EC_KEY *eckey)) {
-
- if(meth == NULL) {
+void EC_KEY_METHOD_set_sign_awslc(
+ EC_KEY_METHOD *meth,
+ int (*sign)(int type, const uint8_t *digest, int digest_len, uint8_t *sig,
+ unsigned int *siglen, const BIGNUM *k_inv, const BIGNUM *r,
+ EC_KEY *eckey),
+ ECDSA_SIG *(*sign_sig)(const uint8_t *digest, int digest_len,
+ const BIGNUM *in_kinv, const BIGNUM *in_r,
+ EC_KEY *eckey)) {
+ if (meth == NULL) {
 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
 return;
 }
@@ -653,7 +647,7 @@ void EC_KEY_METHOD_set_sign_awslc(EC_KEY_METHOD *meth,
 }
 int EC_KEY_METHOD_set_flags(EC_KEY_METHOD *meth, int flags) {
- if(!meth || flags != ECDSA_FLAG_OPAQUE) {
+ if (!meth || flags != ECDSA_FLAG_OPAQUE) {
 return 0;
 }
diff --git a/crypto/fipsmodule/ec/ec_montgomery.c b/crypto/fipsmodule/ec/ec_montgomery.c
index 896382b8e6..d3ec3be199 100644
--- a/crypto/fipsmodule/ec/ec_montgomery.c
+++ b/crypto/fipsmodule/ec/ec_montgomery.c
@@ -340,7 +340,7 @@ void ec_GFp_mont_dbl(const EC_GROUP *group, EC_JACOBIAN *r,
 // https://github.com/aws/aws-lc/issues/1185
 EC_FELEM delta = {{0}}, gamma = {{0}}, beta = {{0}}, ftmp = {{0}};
 EC_FELEM ftmp2 = {{0}}, tmptmp = {{0}}, alpha = {{0}}, fourbeta = {{0}};
-
+
 // delta = z^2
 ec_GFp_mont_felem_sqr(group, &delta, &a->Z);
 // gamma = y^2
diff --git a/crypto/fipsmodule/ec/ec_nistp.c b/crypto/fipsmodule/ec/ec_nistp.c
index 1ba7a246c2..098581c440 100644
--- a/crypto/fipsmodule/ec/ec_nistp.c
+++ b/crypto/fipsmodule/ec/ec_nistp.c
@@ -12,7 +12,7 @@
 // 5. scalar multiplication of a base and an arbitrary point.
 //
 // Matrix of what has been done so far:
-//
+//
 // | op | P-521 | P-384 | P-256 |
 // |----------------------------|
 // | 1. | x | x | x* |
@@ -20,7 +20,7 @@
 // | 3. | x | x | x* |
 // | 4. | x | x | x* |
 // | 5. | x | x | x* |
-// * For P-256, only the Fiat-crypto implementation in p256.c is replaced.
+// * For P-256, only the Fiat-crypto implementation in p256.c is replaced.
 #include "ec_nistp.h"
@@ -37,10 +37,8 @@ typedef ec_nistp_felem_limb ec_nistp_felem[FELEM_MAX_NUM_OF_LIMBS];
 // Conditional copy in constant-time (out = t == 0 ? z : nz).
-static void cmovznz(ec_nistp_felem_limb *out,
- size_t num_limbs,
- ec_nistp_felem_limb t,
- const ec_nistp_felem_limb *z,
+static void cmovznz(ec_nistp_felem_limb *out, size_t num_limbs,
+ ec_nistp_felem_limb t, const ec_nistp_felem_limb *z,
 const ec_nistp_felem_limb *nz) {
 ec_nistp_felem_limb mask = constant_time_is_zero_w(t);
 for (size_t i = 0; i < num_limbs; i++) {
@@ -70,8 +68,7 @@ static void cmovznz(ec_nistp_felem_limb *out,
 //
 // Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed;
 // while x_out == y_in is not (maybe this works, but it's not tested).
-void ec_nistp_point_double(const ec_nistp_meth *ctx,
- ec_nistp_felem_limb *x_out,
+void ec_nistp_point_double(const ec_nistp_meth *ctx, ec_nistp_felem_limb *x_out,
 ec_nistp_felem_limb *y_out,
 ec_nistp_felem_limb *z_out,
 const ec_nistp_felem_limb *x_in,
@@ -137,14 +134,11 @@ void ec_nistp_point_double(const ec_nistp_meth *ctx,
 // are equal, (while not equal to the point at infinity). This case should
 // never happen during single point multiplication, so there is no timing leak
 // for ECDH and ECDSA.
-void ec_nistp_point_add(const ec_nistp_meth *ctx,
- ec_nistp_felem_limb *x3,
- ec_nistp_felem_limb *y3,
- ec_nistp_felem_limb *z3,
+void ec_nistp_point_add(const ec_nistp_meth *ctx, ec_nistp_felem_limb *x3,
+ ec_nistp_felem_limb *y3, ec_nistp_felem_limb *z3,
 const ec_nistp_felem_limb *x1,
 const ec_nistp_felem_limb *y1,
- const ec_nistp_felem_limb *z1,
- const int mixed,
+ const ec_nistp_felem_limb *z1, const int mixed,
 const ec_nistp_felem_limb *x2,
 const ec_nistp_felem_limb *y2,
 const ec_nistp_felem_limb *z2) {
@@ -216,9 +210,8 @@ void ec_nistp_point_add(const ec_nistp_meth *ctx,
 // This case will never occur in the constant-time |ec_GFp_mont_mul|.
 ec_nistp_felem_limb is_nontrivial_double =
- constant_time_is_zero_w(xneq | yneq) &
- ~constant_time_is_zero_w(z1nz) &
- ~constant_time_is_zero_w(z2nz);
+ constant_time_is_zero_w(xneq | yneq) & ~constant_time_is_zero_w(z1nz) &
+ ~constant_time_is_zero_w(z2nz);
 if (constant_time_declassify_w(is_nontrivial_double)) {
 ec_nistp_point_double(ctx, x3, y3, z3, x1, y1, z1);
 return;
@@ -260,7 +253,7 @@ void ec_nistp_point_add(const ec_nistp_meth *ctx,
 }
 // Returns i-th bit of the scalar (zero or one).
-// The caller is responsible for making sure i is within bounds of the scalar.
+// The caller is responsible for making sure i is within bounds of the scalar.
 static int16_t get_bit(const EC_SCALAR *in, size_t i) {
 // |in->words| is an array of BN_ULONGs which can be either 8 or 4 bytes long.
 #if defined(OPENSSL_64_BIT)
@@ -315,7 +308,7 @@ static void scalar_rwnaf(int16_t *out, size_t window_size,
 // Each point in the table has 3 coordinates that are field elements,
 // and each field element has a defined maximum number of limbs.
 #define SCALAR_MUL_TABLE_MAX_NUM_FELEM_LIMBS \
- (SCALAR_MUL_TABLE_NUM_POINTS * 3 * FELEM_MAX_NUM_OF_LIMBS)
+ (SCALAR_MUL_TABLE_NUM_POINTS * 3 * FELEM_MAX_NUM_OF_LIMBS)
 // The maximum number of bits for a scalar.
 #define SCALAR_MUL_MAX_SCALAR_BITS (521)
@@ -323,16 +316,14 @@ static void scalar_rwnaf(int16_t *out, size_t window_size,
 // Maximum number of windows (digits) for a scalar encoding which is
 // determined by the maximum scalar bit size -- 521 bits in our case.
 #define SCALAR_MUL_MAX_NUM_WINDOWS \
- DIV_AND_CEIL(SCALAR_MUL_MAX_SCALAR_BITS, SCALAR_MUL_WINDOW_SIZE)
+ DIV_AND_CEIL(SCALAR_MUL_MAX_SCALAR_BITS, SCALAR_MUL_WINDOW_SIZE)
 // Generate table of multiples of the input point P = (x_in, y_in, z_in):
 // table <-- [2i + 1]P for i in [0, SCALAR_MUL_TABLE_NUM_POINTS - 1].
-static void generate_table(const ec_nistp_meth *ctx,
- ec_nistp_felem_limb *table,
+static void generate_table(const ec_nistp_meth *ctx, ec_nistp_felem_limb *table,
 const ec_nistp_felem_limb *x_in,
 const ec_nistp_felem_limb *y_in,
- const ec_nistp_felem_limb *z_in)
-{
+ const ec_nistp_felem_limb *z_in) {
 const size_t felem_num_limbs = ctx->felem_num_limbs;
 const size_t felem_num_bytes = felem_num_limbs * sizeof(ec_nistp_felem_limb);
@@ -348,8 +339,8 @@ static void generate_table(const ec_nistp_meth *ctx,
 // Compute 2P.
 ec_nistp_felem x_in_dbl, y_in_dbl, z_in_dbl;
- ctx->point_dbl(x_in_dbl, y_in_dbl, z_in_dbl,
- &table[x_idx], &table[y_idx], &table[z_idx]);
+ ctx->point_dbl(x_in_dbl, y_in_dbl, z_in_dbl, &table[x_idx], &table[y_idx],
+ &table[z_idx]);
 // Compute the rest of the table.
 for (size_t i = 1; i < SCALAR_MUL_TABLE_NUM_POINTS; i++) {
@@ -359,8 +350,8 @@ static void generate_table(const ec_nistp_meth *ctx,
 // table[i] <-- table[i - 1] + 2P
 ctx->point_add(&point_i[x_idx], &point_i[y_idx], &point_i[z_idx],
- &point_im1[x_idx], &point_im1[y_idx], &point_im1[z_idx],
- 0, x_in_dbl, y_in_dbl, z_in_dbl);
+ &point_im1[x_idx], &point_im1[y_idx], &point_im1[z_idx], 0,
+ x_in_dbl, y_in_dbl, z_in_dbl);
 }
 }
@@ -378,12 +369,14 @@ static inline void select_point_from_table(const ec_nistp_meth *ctx,
 // would be best for simplicity, but unfortunatelly, on x86 systems it is
 // significantly slower than constant_..._table_w.
 #if defined(EC_NISTP_USE_64BIT_LIMB) && defined(OPENSSL_64_BIT)
- constant_time_select_entry_from_table_w(out, (crypto_word_t*) table, idx,
- SCALAR_MUL_TABLE_NUM_POINTS, point_num_limbs);
+ constant_time_select_entry_from_table_w(out, (crypto_word_t *)table, idx,
+ SCALAR_MUL_TABLE_NUM_POINTS,
+ point_num_limbs);
 #else
 size_t entry_size = point_num_limbs * sizeof(ec_nistp_felem_limb);
- constant_time_select_entry_from_table_8((uint8_t*)out, (uint8_t*)table,
- idx, SCALAR_MUL_TABLE_NUM_POINTS, entry_size);
+ constant_time_select_entry_from_table_8((uint8_t *)out, (uint8_t *)table, idx,
+ SCALAR_MUL_TABLE_NUM_POINTS,
+ entry_size);
 #endif
 }
@@ -416,10 +409,8 @@ static inline void select_point_from_table(const ec_nistp_meth *ctx,
 // 5. Subtract P from the result if the scalar is even.
 //
 // Note: this function is constant-time.
-void ec_nistp_scalar_mul(const ec_nistp_meth *ctx,
- ec_nistp_felem_limb *x_out,
- ec_nistp_felem_limb *y_out,
- ec_nistp_felem_limb *z_out,
+void ec_nistp_scalar_mul(const ec_nistp_meth *ctx, ec_nistp_felem_limb *x_out,
+ ec_nistp_felem_limb *y_out, ec_nistp_felem_limb *z_out,
 const ec_nistp_felem_limb *x_in,
 const ec_nistp_felem_limb *y_in,
 const ec_nistp_felem_limb *z_in,
@@ -451,7 +442,8 @@ void ec_nistp_scalar_mul(const ec_nistp_meth *ctx,
 // The actual number of windows (digits) of the scalar (denoted by m in the
 // description above the function).
- const size_t num_windows = DIV_AND_CEIL(ctx->felem_num_bits, SCALAR_MUL_WINDOW_SIZE);
+ const size_t num_windows =
+ DIV_AND_CEIL(ctx->felem_num_bits, SCALAR_MUL_WINDOW_SIZE);
 // Step 1. Initialize the accmulator (res) with the input point multiplied by
 // the most significant digit of the scalar s_{m-1} (note that this digit
@@ -469,8 +461,8 @@ void ec_nistp_scalar_mul(const ec_nistp_meth *ctx,
 // Step 4a. Compute abs(s_i).
 int16_t d = rwnaf[i];
- int16_t is_neg = (d >> 15) & 1; // is_neg = (d < 0) ? 1 : 0
- d = (d ^ -is_neg) + is_neg; // d = abs(d)
+ int16_t is_neg = (d >> 15) & 1; // is_neg = (d < 0) ? 1 : 0
+ d = (d ^ -is_neg) + is_neg; // d = abs(d)
 // Step 4b. Select from table the point corresponding to abs(s_i).
 idx = d >> 1;
@@ -483,7 +475,8 @@ void ec_nistp_scalar_mul(const ec_nistp_meth *ctx,
 cmovznz(y_tmp, ctx->felem_num_limbs, is_neg, y_tmp, ftmp);
 // Step 4d. Add the point to the accumulator.
- ctx->point_add(x_res, y_res, z_res, x_res, y_res, z_res, 0, x_tmp, y_tmp, z_tmp);
+ ctx->point_add(x_res, y_res, z_res, x_res, y_res, z_res, 0, x_tmp, y_tmp,
+ z_tmp);
 }
 // Step 5a. Negate the input point P (we negate it in-place since we already
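Review bot: `int16_t is_neg = (d >> 15) & 1;` in the Step 4a hunk of `ec_nistp_scalar_mul` relies on right-shifting a negative value, which C11 (6.5.7p5) leaves implementation-defined even though mainstream compilers do an arithmetic shift; the identical idiom recurs in `ec_nistp_scalar_mul_base` in the next hunk. A spelling that is fully defined and still branch-free is `int16_t is_neg = (int16_t)(((uint16_t)d) >> 15);`, which reads the sign bit through the unsigned view, and the following `d = (d ^ -is_neg) + is_neg;` is unchanged by it. The comment `// is_neg = (d < 0) ? 1 : 0` still documents the intent correctly. The loop containing Step 4a starts outside this hunk.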
@@ -570,7 +563,8 @@ void ec_nistp_scalar_mul_base(const ec_nistp_meth *ctx,
 // Regular-wNAF encoding of the scalar.
 int16_t rwnaf[SCALAR_MUL_MAX_NUM_WINDOWS];
 scalar_rwnaf(rwnaf, SCALAR_MUL_WINDOW_SIZE, scalar, ctx->felem_num_bits);
- size_t num_windows = DIV_AND_CEIL(ctx->felem_num_bits, SCALAR_MUL_WINDOW_SIZE);
+ size_t num_windows =
+ DIV_AND_CEIL(ctx->felem_num_bits, SCALAR_MUL_WINDOW_SIZE);
 // We need two point accumulators, so we define them of maximum size
 // to avoid allocation, and just take pointers to individual coordinates.
@@ -601,8 +595,8 @@ void ec_nistp_scalar_mul_base(const ec_nistp_meth *ctx,
 // from the table and add it to |res|. If |d| is negative, negate
 // the point before adding it to |res|.
 int16_t d = rwnaf[j];
- int16_t is_neg = (d >> 15) & 1; // is_neg = (d < 0) ? 1 : 0
- d = (d ^ -is_neg) + is_neg; // d = abs(d)
+ int16_t is_neg = (d >> 15) & 1; // is_neg = (d < 0) ? 1 : 0
+ d = (d ^ -is_neg) + is_neg; // d = abs(d)
 int16_t idx = d >> 1;
@@ -620,19 +614,21 @@ void ec_nistp_scalar_mul_base(const ec_nistp_meth *ctx,
 cmovznz(y_tmp, ctx->felem_num_limbs, is_neg, y_tmp, ftmp);
 // Add the point to the accumulator |res|.
- ctx->point_add(x_res, y_res, z_res, x_res, y_res, z_res, 1,
- x_tmp, y_tmp, ctx->felem_one);
+ ctx->point_add(x_res, y_res, z_res, x_res, y_res, z_res, 1, x_tmp, y_tmp,
+ ctx->felem_one);
 }
 }
 // Conditionally subtract G if the scalar is even, in constant-time.
 const ec_nistp_felem_limb *x_mp = &ctx->scalar_mul_base_table[0];
- const ec_nistp_felem_limb *y_mp = &ctx->scalar_mul_base_table[ctx->felem_num_limbs];
+ const ec_nistp_felem_limb *y_mp =
+ &ctx->scalar_mul_base_table[ctx->felem_num_limbs];
 ec_nistp_felem ftmp;
 ctx->felem_neg(ftmp, y_mp);
 // Subtract P from the accumulator.
- ctx->point_add(x_tmp, y_tmp, z_tmp, x_res, y_res, z_res, 1, x_mp, ftmp, ctx->felem_one);
+ ctx->point_add(x_tmp, y_tmp, z_tmp, x_res, y_res, z_res, 1, x_mp, ftmp,
+ ctx->felem_one);
 // Select |res| or |res - P| based on parity of the scalar.
 ec_nistp_felem_limb t = scalar->words[0] & 1;
@@ -671,32 +667,31 @@ void ec_nistp_scalar_mul_base(const ec_nistp_meth *ctx,
 // g_scalar, negate it if the digit is negative, and add it to the
 // accumulator.
 // Note: this function is NOT constant-time.
-void ec_nistp_scalar_mul_public(const ec_nistp_meth *ctx,
- ec_nistp_felem_limb *x_out,
- ec_nistp_felem_limb *y_out,
- ec_nistp_felem_limb *z_out,
- const EC_SCALAR *g_scalar,
- const ec_nistp_felem_limb *x_p,
- const ec_nistp_felem_limb *y_p,
- const ec_nistp_felem_limb *z_p,
- const EC_SCALAR *p_scalar) {
-
- const size_t felem_num_bytes = ctx->felem_num_limbs * sizeof(ec_nistp_felem_limb);
+void ec_nistp_scalar_mul_public(
+ const ec_nistp_meth *ctx, ec_nistp_felem_limb *x_out,
+ ec_nistp_felem_limb *y_out, ec_nistp_felem_limb *z_out,
+ const EC_SCALAR *g_scalar, const ec_nistp_felem_limb *x_p,
+ const ec_nistp_felem_limb *y_p, const ec_nistp_felem_limb *z_p,
+ const EC_SCALAR *p_scalar) {
+ const size_t felem_num_bytes =
+ ctx->felem_num_limbs * sizeof(ec_nistp_felem_limb);
 // Table of multiples of P.
 ec_nistp_felem_limb p_table[SCALAR_MUL_TABLE_MAX_NUM_FELEM_LIMBS];
 generate_table(ctx, p_table, x_p, y_p, z_p);
- const size_t p_point_num_limbs = 3 * ctx->felem_num_limbs; // Projective.
+ const size_t p_point_num_limbs = 3 * ctx->felem_num_limbs; // Projective.
 // Table of multiples of G.
 const ec_nistp_felem_limb *g_table = ctx->scalar_mul_base_table;
- const size_t g_point_num_limbs = 2 * ctx->felem_num_limbs; // Affine.
+ const size_t g_point_num_limbs = 2 * ctx->felem_num_limbs; // Affine.
 // Recode the scalars.
 int8_t p_wnaf[SCALAR_MUL_MAX_SCALAR_BITS + 1] = {0};
 int8_t g_wnaf[SCALAR_MUL_MAX_SCALAR_BITS + 1] = {0};
- ec_compute_wNAF(p_wnaf, p_scalar, ctx->felem_num_bits, SCALAR_MUL_WINDOW_SIZE);
- ec_compute_wNAF(g_wnaf, g_scalar, ctx->felem_num_bits, SCALAR_MUL_WINDOW_SIZE);
+ ec_compute_wNAF(p_wnaf, p_scalar, ctx->felem_num_bits,
+ SCALAR_MUL_WINDOW_SIZE);
+ ec_compute_wNAF(g_wnaf, g_scalar, ctx->felem_num_bits,
+ SCALAR_MUL_WINDOW_SIZE);
 // In the beginning res is set to point-at-infinity, so we set the flag.
 int16_t res_is_inf = 1;
@@ -704,7 +699,6 @@ void ec_nistp_scalar_mul_public(const ec_nistp_meth *ctx,
 ec_nistp_felem ftmp;
 for (int i = ctx->felem_num_bits; i >= 0; i--) {
-
 // If |res| is point-at-infinity there is no point in doubling so skip it.
 if (!res_is_inf) {
 ctx->point_dbl(x_out, y_out, z_out, x_out, y_out, z_out);
@@ -721,8 +715,10 @@ void ec_nistp_scalar_mul_public(const ec_nistp_meth *ctx,
 // we can simply copy it.
 const size_t table_idx = idx * p_point_num_limbs;
 OPENSSL_memcpy(x_out, &p_table[table_idx], felem_num_bytes);
- OPENSSL_memcpy(y_out, &p_table[table_idx + ctx->felem_num_limbs], felem_num_bytes);
- OPENSSL_memcpy(z_out, &p_table[table_idx + ctx->felem_num_limbs * 2], felem_num_bytes);
+ OPENSSL_memcpy(y_out, &p_table[table_idx + ctx->felem_num_limbs],
+ felem_num_bytes);
+ OPENSSL_memcpy(z_out, &p_table[table_idx + ctx->felem_num_limbs * 2],
+ felem_num_bytes);
 res_is_inf = 0;
 } else {
 // Otherwise, add to the accumulator either the point at position idx
@@ -733,10 +729,10 @@ void ec_nistp_scalar_mul_public(const ec_nistp_meth *ctx,
 ctx->felem_neg(ftmp, y_tmp);
 y_tmp = ftmp;
 }
- ctx->point_add(x_out, y_out, z_out, x_out, y_out, z_out, 0,
- &p_table[idx * p_point_num_limbs],
- y_tmp,
- &p_table[idx * p_point_num_limbs + ctx->felem_num_limbs * 2]);
+ ctx->point_add(
+ x_out, y_out, z_out, x_out, y_out, z_out, 0,
+ &p_table[idx * p_point_num_limbs], y_tmp,
+ &p_table[idx * p_point_num_limbs + ctx->felem_num_limbs * 2]);
 }
 }
@@ -751,20 +747,23 @@ void ec_nistp_scalar_mul_public(const ec_nistp_meth *ctx,
 // we can simply copy it.
 const size_t table_idx = idx * g_point_num_limbs;
 OPENSSL_memcpy(x_out, &g_table[table_idx], felem_num_bytes);
- OPENSSL_memcpy(y_out, &g_table[table_idx + ctx->felem_num_limbs], felem_num_bytes);
+ OPENSSL_memcpy(y_out, &g_table[table_idx + ctx->felem_num_limbs],
+ felem_num_bytes);
 OPENSSL_memcpy(z_out, ctx->felem_one, felem_num_bytes);
 res_is_inf = 0;
 } else {
 // Otherwise, add to the accumulator either the point at position idx
 // in the table or its negation.
- const ec_nistp_felem_limb *y_tmp ;
+ const ec_nistp_felem_limb *y_tmp;
 y_tmp = &g_table[idx * g_point_num_limbs + ctx->felem_num_limbs];
 if (is_neg) {
- ctx->felem_neg(ftmp, &g_table[idx * g_point_num_limbs + ctx->felem_num_limbs]);
+ ctx->felem_neg(
+ ftmp, &g_table[idx * g_point_num_limbs + ctx->felem_num_limbs]);
 y_tmp = ftmp;
 }
 ctx->point_add(x_out, y_out, z_out, x_out, y_out, z_out, 1,
- &g_table[idx * g_point_num_limbs], y_tmp, ctx->felem_one);
+ &g_table[idx * g_point_num_limbs], y_tmp,
+ ctx->felem_one);
 }
 }
 }
@@ -775,7 +774,8 @@ void ec_nistp_point_to_coordinates(ec_nistp_felem_limb *x_out,
 ec_nistp_felem_limb *z_out,
 const ec_nistp_felem_limb *xyz_in,
 size_t num_limbs_per_coord) {
- size_t num_bytes_per_coord = num_limbs_per_coord * sizeof(ec_nistp_felem_limb);
+ size_t num_bytes_per_coord =
+ num_limbs_per_coord * sizeof(ec_nistp_felem_limb);
 OPENSSL_memcpy(x_out, xyz_in, num_bytes_per_coord);
 OPENSSL_memcpy(y_out, &xyz_in[num_limbs_per_coord], num_bytes_per_coord);
 OPENSSL_memcpy(z_out, &xyz_in[num_limbs_per_coord * 2], num_bytes_per_coord);
@@ -786,7 +786,8 @@ void ec_nistp_coordinates_to_point(ec_nistp_felem_limb *xyz_out,
 const ec_nistp_felem_limb *y_in,
 const ec_nistp_felem_limb *z_in,
 size_t num_limbs_per_coord) {
- size_t num_bytes_per_coord = num_limbs_per_coord * sizeof(ec_nistp_felem_limb);
+ size_t num_bytes_per_coord =
+ num_limbs_per_coord * sizeof(ec_nistp_felem_limb);
 OPENSSL_memcpy(xyz_out, x_in, num_bytes_per_coord);
 OPENSSL_memcpy(&xyz_out[num_limbs_per_coord], y_in, num_bytes_per_coord);
 OPENSSL_memcpy(&xyz_out[num_limbs_per_coord * 2], z_in, num_bytes_per_coord);
diff --git a/crypto/fipsmodule/ec/ec_nistp.h b/crypto/fipsmodule/ec/ec_nistp.h
index 503bf2ee65..105166047a 100644
--- a/crypto/fipsmodule/ec/ec_nistp.h
+++ b/crypto/fipsmodule/ec/ec_nistp.h
@@ -15,17 +15,18 @@
 // implements the operations in assembly for x86_64 and aarch64 platforms.
 // If (1) x86_64 or aarch64, (2) linux or apple, and (3) OPENSSL_NO_ASM is not
 // set, s2n-bignum path is capable.
-#if !defined(OPENSSL_NO_ASM) && \
- (defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE)) && \
- ((defined(OPENSSL_X86_64) && !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)) || \
+#if !defined(OPENSSL_NO_ASM) && \
+ (defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE)) && \
+ ((defined(OPENSSL_X86_64) && \
+ !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)) || \
 defined(OPENSSL_AARCH64))
-# define EC_NISTP_USE_S2N_BIGNUM
-# define EC_NISTP_USE_64BIT_LIMB
+#define EC_NISTP_USE_S2N_BIGNUM
+#define EC_NISTP_USE_64BIT_LIMB
 #else
 // Fiat-crypto has both 64-bit and 32-bit implementation.
-# if defined(BORINGSSL_HAS_UINT128)
-# define EC_NISTP_USE_64BIT_LIMB
-# endif
+#if defined(BORINGSSL_HAS_UINT128)
+#define EC_NISTP_USE_64BIT_LIMB
+#endif
 #endif
 #if defined(EC_NISTP_USE_64BIT_LIMB)
@@ -48,27 +49,25 @@ typedef uint32_t ec_nistp_felem_limb;
 typedef struct {
 size_t felem_num_limbs;
 size_t felem_num_bits;
- void (*felem_add)(ec_nistp_felem_limb *c, const ec_nistp_felem_limb *a, const ec_nistp_felem_limb *b);
- void (*felem_sub)(ec_nistp_felem_limb *c, const ec_nistp_felem_limb *a, const ec_nistp_felem_limb *b);
- void (*felem_mul)(ec_nistp_felem_limb *c, const ec_nistp_felem_limb *a, const ec_nistp_felem_limb *b);
+ void (*felem_add)(ec_nistp_felem_limb *c, const ec_nistp_felem_limb *a,
+ const ec_nistp_felem_limb *b);
+ void (*felem_sub)(ec_nistp_felem_limb *c, const ec_nistp_felem_limb *a,
+ const ec_nistp_felem_limb *b);
+ void (*felem_mul)(ec_nistp_felem_limb *c, const ec_nistp_felem_limb *a,
+ const ec_nistp_felem_limb *b);
 void (*felem_sqr)(ec_nistp_felem_limb *c, const ec_nistp_felem_limb *a);
 void (*felem_neg)(ec_nistp_felem_limb *c, const ec_nistp_felem_limb *a);
 ec_nistp_felem_limb (*felem_nz)(const ec_nistp_felem_limb *a);
 const ec_nistp_felem_limb *felem_one;
- void (*point_dbl)(ec_nistp_felem_limb *x_out,
- ec_nistp_felem_limb *y_out,
- ec_nistp_felem_limb *z_out,
- const ec_nistp_felem_limb *x_in,
+ void (*point_dbl)(ec_nistp_felem_limb *x_out, ec_nistp_felem_limb *y_out,
+ ec_nistp_felem_limb *z_out, const ec_nistp_felem_limb *x_in,
 const ec_nistp_felem_limb *y_in,
 const ec_nistp_felem_limb *z_in);
- void (*point_add)(ec_nistp_felem_limb *x3,
- ec_nistp_felem_limb *y3,
- ec_nistp_felem_limb *z3,
- const ec_nistp_felem_limb *x1,
+ void (*point_add)(ec_nistp_felem_limb *x3, ec_nistp_felem_limb *y3,
+ ec_nistp_felem_limb *z3, const ec_nistp_felem_limb *x1,
 const ec_nistp_felem_limb *y1,
- const ec_nistp_felem_limb *z1,
- const int mixed,
+ const ec_nistp_felem_limb *z1, const int mixed,
 const ec_nistp_felem_limb *x2,
 const ec_nistp_felem_limb *y2,
 const ec_nistp_felem_limb *z2);
@@ -80,30 +79,24 @@ const ec_nistp_meth *p256_methods(void);
 const ec_nistp_meth *p384_methods(void);
 const ec_nistp_meth *p521_methods(void);
-void ec_nistp_point_double(const ec_nistp_meth *ctx,
- ec_nistp_felem_limb *x_out,
+void ec_nistp_point_double(const ec_nistp_meth *ctx, ec_nistp_felem_limb *x_out,
 ec_nistp_felem_limb *y_out,
 ec_nistp_felem_limb *z_out,
 const ec_nistp_felem_limb *x_in,
 const ec_nistp_felem_limb *y_in,
 const ec_nistp_felem_limb *z_in);
-void ec_nistp_point_add(const ec_nistp_meth *ctx,
- ec_nistp_felem_limb *x3,
- ec_nistp_felem_limb *y3,
- ec_nistp_felem_limb *z3,
+void ec_nistp_point_add(const ec_nistp_meth *ctx, ec_nistp_felem_limb *x3,
+ ec_nistp_felem_limb *y3, ec_nistp_felem_limb *z3,
 const ec_nistp_felem_limb *x1,
 const ec_nistp_felem_limb *y1,
- const ec_nistp_felem_limb *z1,
- const int mixed,
+ const ec_nistp_felem_limb *z1, const int mixed,
 const ec_nistp_felem_limb *x2,
 const ec_nistp_felem_limb *y2,
 const ec_nistp_felem_limb *z2);
-void ec_nistp_scalar_mul(const ec_nistp_meth *ctx,
- ec_nistp_felem_limb *x_out,
- ec_nistp_felem_limb *y_out,
- ec_nistp_felem_limb *z_out,
+void ec_nistp_scalar_mul(const ec_nistp_meth *ctx, ec_nistp_felem_limb *x_out,
+ ec_nistp_felem_limb *y_out, ec_nistp_felem_limb *z_out,
 const ec_nistp_felem_limb *x_in,
 const ec_nistp_felem_limb *y_in,
 const ec_nistp_felem_limb *z_in,
@@ -115,15 +108,12 @@ void ec_nistp_scalar_mul_base(const ec_nistp_meth *ctx,
 ec_nistp_felem_limb *z_out,
 const EC_SCALAR *scalar);
-void ec_nistp_scalar_mul_public(const ec_nistp_meth *ctx,
- ec_nistp_felem_limb *x_out,
- ec_nistp_felem_limb *y_out,
- ec_nistp_felem_limb *z_out,
- const EC_SCALAR *g_scalar,
- const ec_nistp_felem_limb *x_p,
- const ec_nistp_felem_limb *y_p,
- const ec_nistp_felem_limb *z_p,
- const EC_SCALAR *p_scalar);
+void ec_nistp_scalar_mul_public(
+ const ec_nistp_meth *ctx, ec_nistp_felem_limb *x_out,
+ ec_nistp_felem_limb *y_out, ec_nistp_felem_limb *z_out,
+ const EC_SCALAR *g_scalar, const ec_nistp_felem_limb *x_p,
+ const ec_nistp_felem_limb *y_p, const ec_nistp_felem_limb *z_p,
+ const EC_SCALAR *p_scalar);
 void ec_nistp_point_to_coordinates(ec_nistp_felem_limb *x_out,
 ec_nistp_felem_limb *y_out,
@@ -136,5 +126,4 @@ void ec_nistp_coordinates_to_point(ec_nistp_felem_limb *xyz_out,
 const ec_nistp_felem_limb *y_in,
 const ec_nistp_felem_limb *z_in,
 size_t num_limbs_per_coord);
-#endif // EC_NISTP_H
-
+#endif // EC_NISTP_H
diff --git a/crypto/fipsmodule/ec/ec_test.cc b/crypto/fipsmodule/ec/ec_test.cc
index d5c5ad9b91..a60c56c378 100644
--- a/crypto/fipsmodule/ec/ec_test.cc
+++ b/crypto/fipsmodule/ec/ec_test.cc
@@ -26,12 +26,12 @@
 #include
 #include
 #include
-#include
-#include
 #include
+#include
 #include
 #include
 #include
+#include
 #include
 #include "../../ec_extra/internal.h"
@@ -44,10 +44,11 @@
 // kECKeyWithoutPublic is an ECPrivateKey with the optional publicKey field
 // omitted.
 static const uint8_t kECKeyWithoutPublic[] = {
- 0x30, 0x31, 0x02, 0x01, 0x01, 0x04, 0x20, 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0,
- 0x76, 0x61, 0xf8, 0x14, 0x2c, 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e,
- 0xfe, 0x46, 0xc0, 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
- 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
+ 0x30, 0x31, 0x02, 0x01, 0x01, 0x04, 0x20, 0xc6, 0xc1, 0xaa, 0xda,
+ 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c, 0x6c, 0xaf, 0x0f, 0xdb,
+ 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0, 0x93, 0x8b, 0x74, 0xf2,
+ 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77, 0xa0, 0x0a, 0x06, 0x08, 0x2a,
+ 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
 };
 // kECKeySpecifiedCurve is the above key with P-256's parameters explicitly
@@ -84,29 +85,31 @@ static const uint8_t kECKeySpecifiedCurve[] = {
 // the private key is one. The private key is incorrectly encoded without zero
 // padding.
 static const uint8_t kECKeyMissingZeros[] = {
- 0x30, 0x58, 0x02, 0x01, 0x01, 0x04, 0x01, 0x01, 0xa0, 0x0a, 0x06, 0x08, 0x2a,
- 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04,
- 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5, 0x63,
- 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1,
- 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f,
- 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,
- 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
+ 0x30, 0x58, 0x02, 0x01, 0x01, 0x04, 0x01, 0x01, 0xa0, 0x0a, 0x06, 0x08,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42,
+ 0x00, 0x04, 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc,
+ 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb,
+ 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3,
+ 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f,
+ 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6,
+ 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
 };
 // kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where
 // the private key is one. The private key is encoded with the required zero
 // padding.
 static const uint8_t kECKeyWithZeros[] = {
- 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
- 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1,
- 0x44, 0x03, 0x42, 0x00, 0x04, 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47,
- 0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d,
- 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3,
- 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e,
- 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68,
- 0x37, 0xbf, 0x51, 0xf5,
+ 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xa0, 0x0a, 0x06, 0x08, 0x2a,
+ 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42,
+ 0x00, 0x04, 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8,
+ 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81,
+ 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2,
+ 0x96, 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7,
+ 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b,
+ 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
 };
 // DecodeECPrivateKey decodes |in| as an ECPrivateKey structure and returns the
@@ -191,358 +194,330 @@ TEST(ECTest, Encoding) { // https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/key-management static const uint8_t kP224PublicKey_uncompressed_0x02[] = { - /* uncompressed */ - 0x04, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x85, - /* y-coordinate */ - 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, - 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, - 0xd6, 0x45, 0xa3, 0xea -}; + /* uncompressed */ + 0x04, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x85, + /* y-coordinate */ + 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, + 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, + 0xd6, 0x45, 0xa3, 0xea}; static const uint8_t kP224PublicKey_compressed_0x02[] = { - 0x02, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x85 -}; + 0x02, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x85}; static const uint8_t kP224PublicKey_hybrid_0x02[] = { - /* uncompressed */ - 0x06, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x85, - /* y-coordinate */ - 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, - 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, - 0xd6, 0x45, 0xa3, 0xea -}; + /* 
uncompressed */ + 0x06, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x85, + /* y-coordinate */ + 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, + 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, + 0xd6, 0x45, 0xa3, 0xea}; static const uint8_t kP224PublicKey_uncompressed_0x03[] = { - /* uncompressed */ - 0x04, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x85, - /* y-coordinate */ - 0x1f, 0xbc, 0x51, 0x84, 0x51, 0x5c, 0x88, 0xd7, 0x9f, 0xc6, 0x3f, 0x83, - 0xfb, 0xe4, 0x85, 0xc3, 0xa2, 0x89, 0x69, 0x25, 0x22, 0x58, 0xfa, 0xe5, - 0x29, 0xba, 0x5c, 0x17 -}; + /* uncompressed */ + 0x04, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x85, + /* y-coordinate */ + 0x1f, 0xbc, 0x51, 0x84, 0x51, 0x5c, 0x88, 0xd7, 0x9f, 0xc6, 0x3f, 0x83, + 0xfb, 0xe4, 0x85, 0xc3, 0xa2, 0x89, 0x69, 0x25, 0x22, 0x58, 0xfa, 0xe5, + 0x29, 0xba, 0x5c, 0x17}; static const uint8_t kP224PublicKey_compressed_0x03[] = { - 0x03, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x85 -}; + 0x03, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x85}; static const uint8_t kP224PublicKey_hybrid_0x03[] = { - /* uncompressed */ - 0x07, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 
0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x85, - /* y-coordinate */ - 0x1f, 0xbc, 0x51, 0x84, 0x51, 0x5c, 0x88, 0xd7, 0x9f, 0xc6, 0x3f, 0x83, - 0xfb, 0xe4, 0x85, 0xc3, 0xa2, 0x89, 0x69, 0x25, 0x22, 0x58, 0xfa, 0xe5, - 0x29, 0xba, 0x5c, 0x17 -}; + /* uncompressed */ + 0x07, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x85, + /* y-coordinate */ + 0x1f, 0xbc, 0x51, 0x84, 0x51, 0x5c, 0x88, 0xd7, 0x9f, 0xc6, 0x3f, 0x83, + 0xfb, 0xe4, 0x85, 0xc3, 0xa2, 0x89, 0x69, 0x25, 0x22, 0x58, 0xfa, 0xe5, + 0x29, 0xba, 0x5c, 0x17}; static const uint8_t kP256PublicKey_uncompressed_0x02[] = { - /* uncompressed */ - 0x04, - /* x-coordinate */ - 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, - 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, - 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b, - /* y-coordinate */ - 0xc9, 0x53, 0x67, 0xc0, 0xd2, 0x90, 0x46, 0x86, 0x61, 0x8b, 0xf6, 0xf2, - 0xd9, 0x0b, 0x7c, 0xcb, 0x31, 0xb0, 0xb4, 0x8c, 0x60, 0xc0, 0x28, 0x55, - 0x6d, 0x1d, 0x3a, 0xbf, 0xdc, 0xd3, 0x1e, 0x42 -}; + /* uncompressed */ + 0x04, + /* x-coordinate */ + 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, + 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, + 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b, + /* y-coordinate */ + 0xc9, 0x53, 0x67, 0xc0, 0xd2, 0x90, 0x46, 0x86, 0x61, 0x8b, 0xf6, 0xf2, + 0xd9, 0x0b, 0x7c, 0xcb, 0x31, 0xb0, 0xb4, 0x8c, 0x60, 0xc0, 0x28, 0x55, + 0x6d, 0x1d, 0x3a, 0xbf, 0xdc, 0xd3, 0x1e, 0x42}; static const uint8_t kP256PublicKey_compressed_0x02[] = { - 0x02, - /* x-coordinate */ - 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, - 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, - 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b -}; + 0x02, + /* x-coordinate 
*/ + 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, + 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, + 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b}; static const uint8_t kP256PublicKey_hybrid_0x02[] = { - /* uncompressed */ - 0x06, - /* x-coordinate */ - 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, - 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, - 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b, - /* y-coordinate */ - 0xc9, 0x53, 0x67, 0xc0, 0xd2, 0x90, 0x46, 0x86, 0x61, 0x8b, 0xf6, 0xf2, - 0xd9, 0x0b, 0x7c, 0xcb, 0x31, 0xb0, 0xb4, 0x8c, 0x60, 0xc0, 0x28, 0x55, - 0x6d, 0x1d, 0x3a, 0xbf, 0xdc, 0xd3, 0x1e, 0x42 -}; + /* uncompressed */ + 0x06, + /* x-coordinate */ + 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, + 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, + 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b, + /* y-coordinate */ + 0xc9, 0x53, 0x67, 0xc0, 0xd2, 0x90, 0x46, 0x86, 0x61, 0x8b, 0xf6, 0xf2, + 0xd9, 0x0b, 0x7c, 0xcb, 0x31, 0xb0, 0xb4, 0x8c, 0x60, 0xc0, 0x28, 0x55, + 0x6d, 0x1d, 0x3a, 0xbf, 0xdc, 0xd3, 0x1e, 0x42}; static const uint8_t kP256PublicKey_uncompressed_0x03[] = { - /* uncompressed */ - 0x04, - /* x-coordinate */ - 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, - 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, - 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b, - /* y-coordinate */ - 0x36, 0xac, 0x98, 0x3e, 0x2d, 0x6f, 0xb9, 0x7a, 0x9e, 0x74, 0x09, 0x0d, - 0x26, 0xf4, 0x83, 0x34, 0xce, 0x4f, 0x4b, 0x74, 0x9f, 0x3f, 0xd7, 0xaa, - 0x92, 0xe2, 0xc5, 0x40, 0x23, 0x2c, 0xe1, 0xbd -}; + /* uncompressed */ + 0x04, + /* x-coordinate */ + 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, + 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, + 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b, + /* y-coordinate */ + 
0x36, 0xac, 0x98, 0x3e, 0x2d, 0x6f, 0xb9, 0x7a, 0x9e, 0x74, 0x09, 0x0d, + 0x26, 0xf4, 0x83, 0x34, 0xce, 0x4f, 0x4b, 0x74, 0x9f, 0x3f, 0xd7, 0xaa, + 0x92, 0xe2, 0xc5, 0x40, 0x23, 0x2c, 0xe1, 0xbd}; static const uint8_t kP256PublicKey_compressed_0x03[] = { - 0x03, - /* x-coordinate */ - 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, - 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, - 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b -}; + 0x03, + /* x-coordinate */ + 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, + 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, + 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b}; static const uint8_t kP256PublicKey_hybrid_0x03[] = { - /* uncompressed */ - 0x07, - /* x-coordinate */ - 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, - 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, - 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b, - /* y-coordinate */ - 0x36, 0xac, 0x98, 0x3e, 0x2d, 0x6f, 0xb9, 0x7a, 0x9e, 0x74, 0x09, 0x0d, - 0x26, 0xf4, 0x83, 0x34, 0xce, 0x4f, 0x4b, 0x74, 0x9f, 0x3f, 0xd7, 0xaa, - 0x92, 0xe2, 0xc5, 0x40, 0x23, 0x2c, 0xe1, 0xbd -}; + /* uncompressed */ + 0x07, + /* x-coordinate */ + 0xe1, 0x5a, 0x44, 0x72, 0x91, 0xf0, 0x84, 0xfe, 0x88, 0x7a, 0x6c, 0x2c, + 0x03, 0x22, 0x9a, 0xf3, 0x04, 0x8a, 0x5d, 0xfe, 0x84, 0x73, 0x70, 0xc9, + 0x3f, 0x92, 0x72, 0x9b, 0x31, 0xc5, 0x5f, 0x7b, + /* y-coordinate */ + 0x36, 0xac, 0x98, 0x3e, 0x2d, 0x6f, 0xb9, 0x7a, 0x9e, 0x74, 0x09, 0x0d, + 0x26, 0xf4, 0x83, 0x34, 0xce, 0x4f, 0x4b, 0x74, 0x9f, 0x3f, 0xd7, 0xaa, + 0x92, 0xe2, 0xc5, 0x40, 0x23, 0x2c, 0xe1, 0xbd}; static const uint8_t kP384PublicKey_uncompressed_0x02[] = { - /* uncompressed */ - 0x04, - /* x-coordinate */ - 0xe4, 0xe7, 0x0e, 0x43, 0xc6, 0xd0, 0x43, 0x46, 0xdd, 0xd7, 0x62, 0xa6, - 0x14, 0x17, 0x6d, 0x22, 0x78, 0xb0, 0x47, 0xc5, 0xec, 0x28, 0x64, 0x84, - 0x65, 0xf2, 0xa3, 0x90, 0xf6, 
0xdd, 0x6b, 0xba, 0x54, 0xb9, 0x0b, 0x1e, - 0x62, 0xb3, 0x91, 0x85, 0xf8, 0xf3, 0x95, 0xf6, 0x65, 0x73, 0x6d, 0x1d, - /* y-coordinate */ - 0x06, 0x9d, 0x5d, 0x8c, 0x95, 0x31, 0xad, 0xa9, 0xe7, 0xea, 0x2a, 0x66, - 0xac, 0x5f, 0xe6, 0xe4, 0xe0, 0x4e, 0x0d, 0x77, 0x5b, 0xa0, 0x71, 0xd7, - 0xc2, 0xbf, 0x5a, 0x00, 0xf1, 0x7c, 0xc0, 0x0b, 0xf4, 0x29, 0xfa, 0x4d, - 0xf3, 0x07, 0x3d, 0x93, 0xa8, 0xb2, 0xb3, 0xd1, 0xf2, 0x32, 0x31, 0xde -}; + /* uncompressed */ + 0x04, + /* x-coordinate */ + 0xe4, 0xe7, 0x0e, 0x43, 0xc6, 0xd0, 0x43, 0x46, 0xdd, 0xd7, 0x62, 0xa6, + 0x14, 0x17, 0x6d, 0x22, 0x78, 0xb0, 0x47, 0xc5, 0xec, 0x28, 0x64, 0x84, + 0x65, 0xf2, 0xa3, 0x90, 0xf6, 0xdd, 0x6b, 0xba, 0x54, 0xb9, 0x0b, 0x1e, + 0x62, 0xb3, 0x91, 0x85, 0xf8, 0xf3, 0x95, 0xf6, 0x65, 0x73, 0x6d, 0x1d, + /* y-coordinate */ + 0x06, 0x9d, 0x5d, 0x8c, 0x95, 0x31, 0xad, 0xa9, 0xe7, 0xea, 0x2a, 0x66, + 0xac, 0x5f, 0xe6, 0xe4, 0xe0, 0x4e, 0x0d, 0x77, 0x5b, 0xa0, 0x71, 0xd7, + 0xc2, 0xbf, 0x5a, 0x00, 0xf1, 0x7c, 0xc0, 0x0b, 0xf4, 0x29, 0xfa, 0x4d, + 0xf3, 0x07, 0x3d, 0x93, 0xa8, 0xb2, 0xb3, 0xd1, 0xf2, 0x32, 0x31, 0xde}; static const uint8_t kP384PublicKey_compressed_0x02[] = { - 0x02, - /* x-coordinate */ - 0xe4, 0xe7, 0x0e, 0x43, 0xc6, 0xd0, 0x43, 0x46, 0xdd, 0xd7, 0x62, 0xa6, - 0x14, 0x17, 0x6d, 0x22, 0x78, 0xb0, 0x47, 0xc5, 0xec, 0x28, 0x64, 0x84, - 0x65, 0xf2, 0xa3, 0x90, 0xf6, 0xdd, 0x6b, 0xba, 0x54, 0xb9, 0x0b, 0x1e, - 0x62, 0xb3, 0x91, 0x85, 0xf8, 0xf3, 0x95, 0xf6, 0x65, 0x73, 0x6d, 0x1d -}; + 0x02, + /* x-coordinate */ + 0xe4, 0xe7, 0x0e, 0x43, 0xc6, 0xd0, 0x43, 0x46, 0xdd, 0xd7, 0x62, 0xa6, + 0x14, 0x17, 0x6d, 0x22, 0x78, 0xb0, 0x47, 0xc5, 0xec, 0x28, 0x64, 0x84, + 0x65, 0xf2, 0xa3, 0x90, 0xf6, 0xdd, 0x6b, 0xba, 0x54, 0xb9, 0x0b, 0x1e, + 0x62, 0xb3, 0x91, 0x85, 0xf8, 0xf3, 0x95, 0xf6, 0x65, 0x73, 0x6d, 0x1d}; static const uint8_t kP384PublicKey_hybrid_0x02[] = { - /* uncompressed */ - 0x06, - /* x-coordinate */ - 0xe4, 0xe7, 0x0e, 0x43, 0xc6, 0xd0, 0x43, 0x46, 0xdd, 0xd7, 0x62, 0xa6, - 0x14, 
0x17, 0x6d, 0x22, 0x78, 0xb0, 0x47, 0xc5, 0xec, 0x28, 0x64, 0x84, - 0x65, 0xf2, 0xa3, 0x90, 0xf6, 0xdd, 0x6b, 0xba, 0x54, 0xb9, 0x0b, 0x1e, - 0x62, 0xb3, 0x91, 0x85, 0xf8, 0xf3, 0x95, 0xf6, 0x65, 0x73, 0x6d, 0x1d, - /* y-coordinate */ - 0x06, 0x9d, 0x5d, 0x8c, 0x95, 0x31, 0xad, 0xa9, 0xe7, 0xea, 0x2a, 0x66, - 0xac, 0x5f, 0xe6, 0xe4, 0xe0, 0x4e, 0x0d, 0x77, 0x5b, 0xa0, 0x71, 0xd7, - 0xc2, 0xbf, 0x5a, 0x00, 0xf1, 0x7c, 0xc0, 0x0b, 0xf4, 0x29, 0xfa, 0x4d, - 0xf3, 0x07, 0x3d, 0x93, 0xa8, 0xb2, 0xb3, 0xd1, 0xf2, 0x32, 0x31, 0xde -}; + /* uncompressed */ + 0x06, + /* x-coordinate */ + 0xe4, 0xe7, 0x0e, 0x43, 0xc6, 0xd0, 0x43, 0x46, 0xdd, 0xd7, 0x62, 0xa6, + 0x14, 0x17, 0x6d, 0x22, 0x78, 0xb0, 0x47, 0xc5, 0xec, 0x28, 0x64, 0x84, + 0x65, 0xf2, 0xa3, 0x90, 0xf6, 0xdd, 0x6b, 0xba, 0x54, 0xb9, 0x0b, 0x1e, + 0x62, 0xb3, 0x91, 0x85, 0xf8, 0xf3, 0x95, 0xf6, 0x65, 0x73, 0x6d, 0x1d, + /* y-coordinate */ + 0x06, 0x9d, 0x5d, 0x8c, 0x95, 0x31, 0xad, 0xa9, 0xe7, 0xea, 0x2a, 0x66, + 0xac, 0x5f, 0xe6, 0xe4, 0xe0, 0x4e, 0x0d, 0x77, 0x5b, 0xa0, 0x71, 0xd7, + 0xc2, 0xbf, 0x5a, 0x00, 0xf1, 0x7c, 0xc0, 0x0b, 0xf4, 0x29, 0xfa, 0x4d, + 0xf3, 0x07, 0x3d, 0x93, 0xa8, 0xb2, 0xb3, 0xd1, 0xf2, 0x32, 0x31, 0xde}; static const uint8_t kP384PublicKey_uncompressed_0x03[] = { - /* uncompressed */ - 0x04, - /* x-coordinate */ - 0xe4, 0xe7, 0x0e, 0x43, 0xc6, 0xd0, 0x43, 0x46, 0xdd, 0xd7, 0x62, 0xa6, - 0x14, 0x17, 0x6d, 0x22, 0x78, 0xb0, 0x47, 0xc5, 0xec, 0x28, 0x64, 0x84, - 0x65, 0xf2, 0xa3, 0x90, 0xf6, 0xdd, 0x6b, 0xba, 0x54, 0xb9, 0x0b, 0x1e, - 0x62, 0xb3, 0x91, 0x85, 0xf8, 0xf3, 0x95, 0xf6, 0x65, 0x73, 0x6d, 0x1d, - /* y-coordinate */ - 0xf9, 0x62, 0xa2, 0x73, 0x6a, 0xce, 0x52, 0x56, 0x18, 0x15, 0xd5, 0x99, - 0x53, 0xa0, 0x19, 0x1b, 0x1f, 0xb1, 0xf2, 0x88, 0xa4, 0x5f, 0x8e, 0x28, - 0x3d, 0x40, 0xa5, 0xff, 0x0e, 0x83, 0x3f, 0xf3, 0x0b, 0xd6, 0x05, 0xb1, - 0x0c, 0xf8, 0xc2, 0x6c, 0x57, 0x4d, 0x4c, 0x2f, 0x0d, 0xcd, 0xce, 0x21 -}; + /* uncompressed */ + 0x04, + /* x-coordinate */ + 0xe4, 0xe7, 0x0e, 0x43, 
0xc6, 0xd0, 0x43, 0x46, 0xdd, 0xd7, 0x62, 0xa6, + 0x14, 0x17, 0x6d, 0x22, 0x78, 0xb0, 0x47, 0xc5, 0xec, 0x28, 0x64, 0x84, + 0x65, 0xf2, 0xa3, 0x90, 0xf6, 0xdd, 0x6b, 0xba, 0x54, 0xb9, 0x0b, 0x1e, + 0x62, 0xb3, 0x91, 0x85, 0xf8, 0xf3, 0x95, 0xf6, 0x65, 0x73, 0x6d, 0x1d, + /* y-coordinate */ + 0xf9, 0x62, 0xa2, 0x73, 0x6a, 0xce, 0x52, 0x56, 0x18, 0x15, 0xd5, 0x99, + 0x53, 0xa0, 0x19, 0x1b, 0x1f, 0xb1, 0xf2, 0x88, 0xa4, 0x5f, 0x8e, 0x28, + 0x3d, 0x40, 0xa5, 0xff, 0x0e, 0x83, 0x3f, 0xf3, 0x0b, 0xd6, 0x05, 0xb1, + 0x0c, 0xf8, 0xc2, 0x6c, 0x57, 0x4d, 0x4c, 0x2f, 0x0d, 0xcd, 0xce, 0x21}; static const uint8_t kP384PublicKey_compressed_0x03[] = { - 0x03, - /* x-coordinate */ - 0xe4, 0xe7, 0x0e, 0x43, 0xc6, 0xd0, 0x43, 0x46, 0xdd, 0xd7, 0x62, 0xa6, - 0x14, 0x17, 0x6d, 0x22, 0x78, 0xb0, 0x47, 0xc5, 0xec, 0x28, 0x64, 0x84, - 0x65, 0xf2, 0xa3, 0x90, 0xf6, 0xdd, 0x6b, 0xba, 0x54, 0xb9, 0x0b, 0x1e, - 0x62, 0xb3, 0x91, 0x85, 0xf8, 0xf3, 0x95, 0xf6, 0x65, 0x73, 0x6d, 0x1d -}; + 0x03, + /* x-coordinate */ + 0xe4, 0xe7, 0x0e, 0x43, 0xc6, 0xd0, 0x43, 0x46, 0xdd, 0xd7, 0x62, 0xa6, + 0x14, 0x17, 0x6d, 0x22, 0x78, 0xb0, 0x47, 0xc5, 0xec, 0x28, 0x64, 0x84, + 0x65, 0xf2, 0xa3, 0x90, 0xf6, 0xdd, 0x6b, 0xba, 0x54, 0xb9, 0x0b, 0x1e, + 0x62, 0xb3, 0x91, 0x85, 0xf8, 0xf3, 0x95, 0xf6, 0x65, 0x73, 0x6d, 0x1d}; static const uint8_t kP384PublicKey_hybrid_0x03[] = { - /* uncompressed */ - 0x07, - /* x-coordinate */ - 0xe4, 0xe7, 0x0e, 0x43, 0xc6, 0xd0, 0x43, 0x46, 0xdd, 0xd7, 0x62, 0xa6, - 0x14, 0x17, 0x6d, 0x22, 0x78, 0xb0, 0x47, 0xc5, 0xec, 0x28, 0x64, 0x84, - 0x65, 0xf2, 0xa3, 0x90, 0xf6, 0xdd, 0x6b, 0xba, 0x54, 0xb9, 0x0b, 0x1e, - 0x62, 0xb3, 0x91, 0x85, 0xf8, 0xf3, 0x95, 0xf6, 0x65, 0x73, 0x6d, 0x1d, - /* y-coordinate */ - 0xf9, 0x62, 0xa2, 0x73, 0x6a, 0xce, 0x52, 0x56, 0x18, 0x15, 0xd5, 0x99, - 0x53, 0xa0, 0x19, 0x1b, 0x1f, 0xb1, 0xf2, 0x88, 0xa4, 0x5f, 0x8e, 0x28, - 0x3d, 0x40, 0xa5, 0xff, 0x0e, 0x83, 0x3f, 0xf3, 0x0b, 0xd6, 0x05, 0xb1, - 0x0c, 0xf8, 0xc2, 0x6c, 0x57, 0x4d, 0x4c, 0x2f, 0x0d, 
0xcd, 0xce, 0x21 -}; + /* uncompressed */ + 0x07, + /* x-coordinate */ + 0xe4, 0xe7, 0x0e, 0x43, 0xc6, 0xd0, 0x43, 0x46, 0xdd, 0xd7, 0x62, 0xa6, + 0x14, 0x17, 0x6d, 0x22, 0x78, 0xb0, 0x47, 0xc5, 0xec, 0x28, 0x64, 0x84, + 0x65, 0xf2, 0xa3, 0x90, 0xf6, 0xdd, 0x6b, 0xba, 0x54, 0xb9, 0x0b, 0x1e, + 0x62, 0xb3, 0x91, 0x85, 0xf8, 0xf3, 0x95, 0xf6, 0x65, 0x73, 0x6d, 0x1d, + /* y-coordinate */ + 0xf9, 0x62, 0xa2, 0x73, 0x6a, 0xce, 0x52, 0x56, 0x18, 0x15, 0xd5, 0x99, + 0x53, 0xa0, 0x19, 0x1b, 0x1f, 0xb1, 0xf2, 0x88, 0xa4, 0x5f, 0x8e, 0x28, + 0x3d, 0x40, 0xa5, 0xff, 0x0e, 0x83, 0x3f, 0xf3, 0x0b, 0xd6, 0x05, 0xb1, + 0x0c, 0xf8, 0xc2, 0x6c, 0x57, 0x4d, 0x4c, 0x2f, 0x0d, 0xcd, 0xce, 0x21}; static const uint8_t kP521PublicKey_uncompressed_0x02[] = { - /* uncompressed */ - 0x04, - /* x-coordinate */ - 0x01, 0x03, 0x7e, 0x95, 0xff, 0x8e, 0x40, 0x31, 0xe0, 0xb0, 0x36, 0x1c, - 0x58, 0xc0, 0x62, 0x61, 0x39, 0x56, 0xaa, 0x30, 0x77, 0x0c, 0xed, 0x17, - 0x15, 0xed, 0x1b, 0x4d, 0x34, 0x29, 0x33, 0x0f, 0xac, 0x2f, 0xc5, 0xc9, - 0x3a, 0x69, 0xf7, 0x98, 0x63, 0x3a, 0x15, 0x75, 0x5e, 0x2d, 0xb8, 0x65, - 0x09, 0x87, 0xf5, 0x75, 0x85, 0xcd, 0xe3, 0x51, 0x6b, 0x6d, 0xd0, 0xfc, - 0x9f, 0x5f, 0xb4, 0xf8, 0xe7, 0x7b, - /* y-coordinate */ - 0x00, 0xe4, 0x45, 0x33, 0xe8, 0x7f, 0xa9, 0x74, 0x64, 0xcd, 0x2b, 0x7d, - 0xc0, 0xcd, 0x65, 0xb9, 0x27, 0xc6, 0xc6, 0x2e, 0xe7, 0x33, 0x68, 0x86, - 0x72, 0xa2, 0x05, 0xf7, 0x4b, 0xd8, 0x2c, 0x51, 0x1b, 0x89, 0xb0, 0xb9, - 0xb8, 0x06, 0x0d, 0xb1, 0x30, 0xf0, 0x11, 0x92, 0x9e, 0x63, 0x86, 0x8c, - 0x57, 0xaa, 0xb5, 0x2a, 0xae, 0xec, 0xf2, 0xe1, 0xc0, 0x93, 0x62, 0xd1, - 0x1c, 0x5d, 0x57, 0x90, 0x0a, 0x3c -}; + /* uncompressed */ + 0x04, + /* x-coordinate */ + 0x01, 0x03, 0x7e, 0x95, 0xff, 0x8e, 0x40, 0x31, 0xe0, 0xb0, 0x36, 0x1c, + 0x58, 0xc0, 0x62, 0x61, 0x39, 0x56, 0xaa, 0x30, 0x77, 0x0c, 0xed, 0x17, + 0x15, 0xed, 0x1b, 0x4d, 0x34, 0x29, 0x33, 0x0f, 0xac, 0x2f, 0xc5, 0xc9, + 0x3a, 0x69, 0xf7, 0x98, 0x63, 0x3a, 0x15, 0x75, 0x5e, 0x2d, 0xb8, 0x65, + 0x09, 0x87, 
0xf5, 0x75, 0x85, 0xcd, 0xe3, 0x51, 0x6b, 0x6d, 0xd0, 0xfc, + 0x9f, 0x5f, 0xb4, 0xf8, 0xe7, 0x7b, + /* y-coordinate */ + 0x00, 0xe4, 0x45, 0x33, 0xe8, 0x7f, 0xa9, 0x74, 0x64, 0xcd, 0x2b, 0x7d, + 0xc0, 0xcd, 0x65, 0xb9, 0x27, 0xc6, 0xc6, 0x2e, 0xe7, 0x33, 0x68, 0x86, + 0x72, 0xa2, 0x05, 0xf7, 0x4b, 0xd8, 0x2c, 0x51, 0x1b, 0x89, 0xb0, 0xb9, + 0xb8, 0x06, 0x0d, 0xb1, 0x30, 0xf0, 0x11, 0x92, 0x9e, 0x63, 0x86, 0x8c, + 0x57, 0xaa, 0xb5, 0x2a, 0xae, 0xec, 0xf2, 0xe1, 0xc0, 0x93, 0x62, 0xd1, + 0x1c, 0x5d, 0x57, 0x90, 0x0a, 0x3c}; static const uint8_t kP521PublicKey_compressed_0x02[] = { - 0x02, - /* x-coordinate */ - 0x01, 0x03, 0x7e, 0x95, 0xff, 0x8e, 0x40, 0x31, 0xe0, 0xb0, 0x36, 0x1c, - 0x58, 0xc0, 0x62, 0x61, 0x39, 0x56, 0xaa, 0x30, 0x77, 0x0c, 0xed, 0x17, - 0x15, 0xed, 0x1b, 0x4d, 0x34, 0x29, 0x33, 0x0f, 0xac, 0x2f, 0xc5, 0xc9, - 0x3a, 0x69, 0xf7, 0x98, 0x63, 0x3a, 0x15, 0x75, 0x5e, 0x2d, 0xb8, 0x65, - 0x09, 0x87, 0xf5, 0x75, 0x85, 0xcd, 0xe3, 0x51, 0x6b, 0x6d, 0xd0, 0xfc, - 0x9f, 0x5f, 0xb4, 0xf8, 0xe7, 0x7b -}; + 0x02, + /* x-coordinate */ + 0x01, 0x03, 0x7e, 0x95, 0xff, 0x8e, 0x40, 0x31, 0xe0, 0xb0, 0x36, 0x1c, + 0x58, 0xc0, 0x62, 0x61, 0x39, 0x56, 0xaa, 0x30, 0x77, 0x0c, 0xed, 0x17, + 0x15, 0xed, 0x1b, 0x4d, 0x34, 0x29, 0x33, 0x0f, 0xac, 0x2f, 0xc5, 0xc9, + 0x3a, 0x69, 0xf7, 0x98, 0x63, 0x3a, 0x15, 0x75, 0x5e, 0x2d, 0xb8, 0x65, + 0x09, 0x87, 0xf5, 0x75, 0x85, 0xcd, 0xe3, 0x51, 0x6b, 0x6d, 0xd0, 0xfc, + 0x9f, 0x5f, 0xb4, 0xf8, 0xe7, 0x7b}; static const uint8_t kP521PublicKey_hybrid_0x02[] = { - /* uncompressed */ - 0x06, - /* x-coordinate */ - 0x01, 0x03, 0x7e, 0x95, 0xff, 0x8e, 0x40, 0x31, 0xe0, 0xb0, 0x36, 0x1c, - 0x58, 0xc0, 0x62, 0x61, 0x39, 0x56, 0xaa, 0x30, 0x77, 0x0c, 0xed, 0x17, - 0x15, 0xed, 0x1b, 0x4d, 0x34, 0x29, 0x33, 0x0f, 0xac, 0x2f, 0xc5, 0xc9, - 0x3a, 0x69, 0xf7, 0x98, 0x63, 0x3a, 0x15, 0x75, 0x5e, 0x2d, 0xb8, 0x65, - 0x09, 0x87, 0xf5, 0x75, 0x85, 0xcd, 0xe3, 0x51, 0x6b, 0x6d, 0xd0, 0xfc, - 0x9f, 0x5f, 0xb4, 0xf8, 0xe7, 0x7b, - /* y-coordinate */ - 
0x00, 0xe4, 0x45, 0x33, 0xe8, 0x7f, 0xa9, 0x74, 0x64, 0xcd, 0x2b, 0x7d, - 0xc0, 0xcd, 0x65, 0xb9, 0x27, 0xc6, 0xc6, 0x2e, 0xe7, 0x33, 0x68, 0x86, - 0x72, 0xa2, 0x05, 0xf7, 0x4b, 0xd8, 0x2c, 0x51, 0x1b, 0x89, 0xb0, 0xb9, - 0xb8, 0x06, 0x0d, 0xb1, 0x30, 0xf0, 0x11, 0x92, 0x9e, 0x63, 0x86, 0x8c, - 0x57, 0xaa, 0xb5, 0x2a, 0xae, 0xec, 0xf2, 0xe1, 0xc0, 0x93, 0x62, 0xd1, - 0x1c, 0x5d, 0x57, 0x90, 0x0a, 0x3c -}; + /* uncompressed */ + 0x06, + /* x-coordinate */ + 0x01, 0x03, 0x7e, 0x95, 0xff, 0x8e, 0x40, 0x31, 0xe0, 0xb0, 0x36, 0x1c, + 0x58, 0xc0, 0x62, 0x61, 0x39, 0x56, 0xaa, 0x30, 0x77, 0x0c, 0xed, 0x17, + 0x15, 0xed, 0x1b, 0x4d, 0x34, 0x29, 0x33, 0x0f, 0xac, 0x2f, 0xc5, 0xc9, + 0x3a, 0x69, 0xf7, 0x98, 0x63, 0x3a, 0x15, 0x75, 0x5e, 0x2d, 0xb8, 0x65, + 0x09, 0x87, 0xf5, 0x75, 0x85, 0xcd, 0xe3, 0x51, 0x6b, 0x6d, 0xd0, 0xfc, + 0x9f, 0x5f, 0xb4, 0xf8, 0xe7, 0x7b, + /* y-coordinate */ + 0x00, 0xe4, 0x45, 0x33, 0xe8, 0x7f, 0xa9, 0x74, 0x64, 0xcd, 0x2b, 0x7d, + 0xc0, 0xcd, 0x65, 0xb9, 0x27, 0xc6, 0xc6, 0x2e, 0xe7, 0x33, 0x68, 0x86, + 0x72, 0xa2, 0x05, 0xf7, 0x4b, 0xd8, 0x2c, 0x51, 0x1b, 0x89, 0xb0, 0xb9, + 0xb8, 0x06, 0x0d, 0xb1, 0x30, 0xf0, 0x11, 0x92, 0x9e, 0x63, 0x86, 0x8c, + 0x57, 0xaa, 0xb5, 0x2a, 0xae, 0xec, 0xf2, 0xe1, 0xc0, 0x93, 0x62, 0xd1, + 0x1c, 0x5d, 0x57, 0x90, 0x0a, 0x3c}; static const uint8_t kP521PublicKey_uncompressed_0x03[] = { - /* uncompressed */ - 0x04, - /* x-coordinate */ - 0x01, 0x03, 0x7e, 0x95, 0xff, 0x8e, 0x40, 0x31, 0xe0, 0xb0, 0x36, 0x1c, - 0x58, 0xc0, 0x62, 0x61, 0x39, 0x56, 0xaa, 0x30, 0x77, 0x0c, 0xed, 0x17, - 0x15, 0xed, 0x1b, 0x4d, 0x34, 0x29, 0x33, 0x0f, 0xac, 0x2f, 0xc5, 0xc9, - 0x3a, 0x69, 0xf7, 0x98, 0x63, 0x3a, 0x15, 0x75, 0x5e, 0x2d, 0xb8, 0x65, - 0x09, 0x87, 0xf5, 0x75, 0x85, 0xcd, 0xe3, 0x51, 0x6b, 0x6d, 0xd0, 0xfc, - 0x9f, 0x5f, 0xb4, 0xf8, 0xe7, 0x7b, - /* y-coordinate */ - 0x01, 0x1b, 0xba, 0xcc, 0x17, 0x80, 0x56, 0x8b, 0x9b, 0x32, 0xd4, 0x82, - 0x3f, 0x32, 0x9a, 0x46, 0xd8, 0x39, 0x39, 0xd1, 0x18, 0xcc, 0x97, 0x79, - 0x8d, 0x5d, 
0xfa, 0x08, 0xb4, 0x27, 0xd3, 0xae, 0xe4, 0x76, 0x4f, 0x46, - 0x47, 0xf9, 0xf2, 0x4e, 0xcf, 0x0f, 0xee, 0x6d, 0x61, 0x9c, 0x79, 0x73, - 0xa8, 0x55, 0x4a, 0xd5, 0x51, 0x13, 0x0d, 0x1e, 0x3f, 0x6c, 0x9d, 0x2e, - 0xe3, 0xa2, 0xa8, 0x6f, 0xf5, 0xc3 -}; + /* uncompressed */ + 0x04, + /* x-coordinate */ + 0x01, 0x03, 0x7e, 0x95, 0xff, 0x8e, 0x40, 0x31, 0xe0, 0xb0, 0x36, 0x1c, + 0x58, 0xc0, 0x62, 0x61, 0x39, 0x56, 0xaa, 0x30, 0x77, 0x0c, 0xed, 0x17, + 0x15, 0xed, 0x1b, 0x4d, 0x34, 0x29, 0x33, 0x0f, 0xac, 0x2f, 0xc5, 0xc9, + 0x3a, 0x69, 0xf7, 0x98, 0x63, 0x3a, 0x15, 0x75, 0x5e, 0x2d, 0xb8, 0x65, + 0x09, 0x87, 0xf5, 0x75, 0x85, 0xcd, 0xe3, 0x51, 0x6b, 0x6d, 0xd0, 0xfc, + 0x9f, 0x5f, 0xb4, 0xf8, 0xe7, 0x7b, + /* y-coordinate */ + 0x01, 0x1b, 0xba, 0xcc, 0x17, 0x80, 0x56, 0x8b, 0x9b, 0x32, 0xd4, 0x82, + 0x3f, 0x32, 0x9a, 0x46, 0xd8, 0x39, 0x39, 0xd1, 0x18, 0xcc, 0x97, 0x79, + 0x8d, 0x5d, 0xfa, 0x08, 0xb4, 0x27, 0xd3, 0xae, 0xe4, 0x76, 0x4f, 0x46, + 0x47, 0xf9, 0xf2, 0x4e, 0xcf, 0x0f, 0xee, 0x6d, 0x61, 0x9c, 0x79, 0x73, + 0xa8, 0x55, 0x4a, 0xd5, 0x51, 0x13, 0x0d, 0x1e, 0x3f, 0x6c, 0x9d, 0x2e, + 0xe3, 0xa2, 0xa8, 0x6f, 0xf5, 0xc3}; static const uint8_t kP521PublicKey_compressed_0x03[] = { - 0x03, - /* x-coordinate */ - 0x01, 0x03, 0x7e, 0x95, 0xff, 0x8e, 0x40, 0x31, 0xe0, 0xb0, 0x36, 0x1c, - 0x58, 0xc0, 0x62, 0x61, 0x39, 0x56, 0xaa, 0x30, 0x77, 0x0c, 0xed, 0x17, - 0x15, 0xed, 0x1b, 0x4d, 0x34, 0x29, 0x33, 0x0f, 0xac, 0x2f, 0xc5, 0xc9, - 0x3a, 0x69, 0xf7, 0x98, 0x63, 0x3a, 0x15, 0x75, 0x5e, 0x2d, 0xb8, 0x65, - 0x09, 0x87, 0xf5, 0x75, 0x85, 0xcd, 0xe3, 0x51, 0x6b, 0x6d, 0xd0, 0xfc, - 0x9f, 0x5f, 0xb4, 0xf8, 0xe7, 0x7b -}; + 0x03, + /* x-coordinate */ + 0x01, 0x03, 0x7e, 0x95, 0xff, 0x8e, 0x40, 0x31, 0xe0, 0xb0, 0x36, 0x1c, + 0x58, 0xc0, 0x62, 0x61, 0x39, 0x56, 0xaa, 0x30, 0x77, 0x0c, 0xed, 0x17, + 0x15, 0xed, 0x1b, 0x4d, 0x34, 0x29, 0x33, 0x0f, 0xac, 0x2f, 0xc5, 0xc9, + 0x3a, 0x69, 0xf7, 0x98, 0x63, 0x3a, 0x15, 0x75, 0x5e, 0x2d, 0xb8, 0x65, + 0x09, 0x87, 0xf5, 0x75, 0x85, 0xcd, 
0xe3, 0x51, 0x6b, 0x6d, 0xd0, 0xfc, + 0x9f, 0x5f, 0xb4, 0xf8, 0xe7, 0x7b}; static const uint8_t kP521PublicKey_hybrid_0x03[] = { - /* uncompressed */ - 0x07, - /* x-coordinate */ - 0x01, 0x03, 0x7e, 0x95, 0xff, 0x8e, 0x40, 0x31, 0xe0, 0xb0, 0x36, 0x1c, - 0x58, 0xc0, 0x62, 0x61, 0x39, 0x56, 0xaa, 0x30, 0x77, 0x0c, 0xed, 0x17, - 0x15, 0xed, 0x1b, 0x4d, 0x34, 0x29, 0x33, 0x0f, 0xac, 0x2f, 0xc5, 0xc9, - 0x3a, 0x69, 0xf7, 0x98, 0x63, 0x3a, 0x15, 0x75, 0x5e, 0x2d, 0xb8, 0x65, - 0x09, 0x87, 0xf5, 0x75, 0x85, 0xcd, 0xe3, 0x51, 0x6b, 0x6d, 0xd0, 0xfc, - 0x9f, 0x5f, 0xb4, 0xf8, 0xe7, 0x7b, - /* y-coordinate */ - 0x01, 0x1b, 0xba, 0xcc, 0x17, 0x80, 0x56, 0x8b, 0x9b, 0x32, 0xd4, 0x82, - 0x3f, 0x32, 0x9a, 0x46, 0xd8, 0x39, 0x39, 0xd1, 0x18, 0xcc, 0x97, 0x79, - 0x8d, 0x5d, 0xfa, 0x08, 0xb4, 0x27, 0xd3, 0xae, 0xe4, 0x76, 0x4f, 0x46, - 0x47, 0xf9, 0xf2, 0x4e, 0xcf, 0x0f, 0xee, 0x6d, 0x61, 0x9c, 0x79, 0x73, - 0xa8, 0x55, 0x4a, 0xd5, 0x51, 0x13, 0x0d, 0x1e, 0x3f, 0x6c, 0x9d, 0x2e, - 0xe3, 0xa2, 0xa8, 0x6f, 0xf5, 0xc3 -}; + /* uncompressed */ + 0x07, + /* x-coordinate */ + 0x01, 0x03, 0x7e, 0x95, 0xff, 0x8e, 0x40, 0x31, 0xe0, 0xb0, 0x36, 0x1c, + 0x58, 0xc0, 0x62, 0x61, 0x39, 0x56, 0xaa, 0x30, 0x77, 0x0c, 0xed, 0x17, + 0x15, 0xed, 0x1b, 0x4d, 0x34, 0x29, 0x33, 0x0f, 0xac, 0x2f, 0xc5, 0xc9, + 0x3a, 0x69, 0xf7, 0x98, 0x63, 0x3a, 0x15, 0x75, 0x5e, 0x2d, 0xb8, 0x65, + 0x09, 0x87, 0xf5, 0x75, 0x85, 0xcd, 0xe3, 0x51, 0x6b, 0x6d, 0xd0, 0xfc, + 0x9f, 0x5f, 0xb4, 0xf8, 0xe7, 0x7b, + /* y-coordinate */ + 0x01, 0x1b, 0xba, 0xcc, 0x17, 0x80, 0x56, 0x8b, 0x9b, 0x32, 0xd4, 0x82, + 0x3f, 0x32, 0x9a, 0x46, 0xd8, 0x39, 0x39, 0xd1, 0x18, 0xcc, 0x97, 0x79, + 0x8d, 0x5d, 0xfa, 0x08, 0xb4, 0x27, 0xd3, 0xae, 0xe4, 0x76, 0x4f, 0x46, + 0x47, 0xf9, 0xf2, 0x4e, 0xcf, 0x0f, 0xee, 0x6d, 0x61, 0x9c, 0x79, 0x73, + 0xa8, 0x55, 0x4a, 0xd5, 0x51, 0x13, 0x0d, 0x1e, 0x3f, 0x6c, 0x9d, 0x2e, + 0xe3, 0xa2, 0xa8, 0x6f, 0xf5, 0xc3}; static const uint8_t ksecp256k1PublicKey_uncompressed_0x02[] = { - /* uncompressed */ - 
0x04, - /* x-coordinate */ - 0xc5, 0xea, 0xe6, 0x37, 0xf3, 0xbd, 0x76, 0xad, 0x09, 0x64, 0x54, 0x9d, - 0x52, 0xa6, 0x00, 0x46, 0x7e, 0xdb, 0x30, 0x3d, 0x9c, 0x32, 0xa8, 0xab, - 0x12, 0xd0, 0xed, 0x0a, 0x88, 0x67, 0x59, 0x0b, - /* y-coordinate */ - 0xfc, 0x97, 0x38, 0x6b, 0xc9, 0x8f, 0xf5, 0xfc, 0x2d, 0xa5, 0x77, 0x96, - 0x62, 0xd2, 0x72, 0x69, 0x6a, 0xd2, 0xac, 0xa3, 0x7b, 0x4d, 0x5c, 0x84, - 0x6c, 0xa4, 0x2c, 0xec, 0xb2, 0x4c, 0x3d, 0x94 -}; + /* uncompressed */ + 0x04, + /* x-coordinate */ + 0xc5, 0xea, 0xe6, 0x37, 0xf3, 0xbd, 0x76, 0xad, 0x09, 0x64, 0x54, 0x9d, + 0x52, 0xa6, 0x00, 0x46, 0x7e, 0xdb, 0x30, 0x3d, 0x9c, 0x32, 0xa8, 0xab, + 0x12, 0xd0, 0xed, 0x0a, 0x88, 0x67, 0x59, 0x0b, + /* y-coordinate */ + 0xfc, 0x97, 0x38, 0x6b, 0xc9, 0x8f, 0xf5, 0xfc, 0x2d, 0xa5, 0x77, 0x96, + 0x62, 0xd2, 0x72, 0x69, 0x6a, 0xd2, 0xac, 0xa3, 0x7b, 0x4d, 0x5c, 0x84, + 0x6c, 0xa4, 0x2c, 0xec, 0xb2, 0x4c, 0x3d, 0x94}; static const uint8_t ksecp256k1PublicKey_compressed_0x02[] = { - 0x02, - /* x-coordinate */ - 0xc5, 0xea, 0xe6, 0x37, 0xf3, 0xbd, 0x76, 0xad, 0x09, 0x64, 0x54, 0x9d, - 0x52, 0xa6, 0x00, 0x46, 0x7e, 0xdb, 0x30, 0x3d, 0x9c, 0x32, 0xa8, 0xab, - 0x12, 0xd0, 0xed, 0x0a, 0x88, 0x67, 0x59, 0x0b -}; + 0x02, + /* x-coordinate */ + 0xc5, 0xea, 0xe6, 0x37, 0xf3, 0xbd, 0x76, 0xad, 0x09, 0x64, 0x54, 0x9d, + 0x52, 0xa6, 0x00, 0x46, 0x7e, 0xdb, 0x30, 0x3d, 0x9c, 0x32, 0xa8, 0xab, + 0x12, 0xd0, 0xed, 0x0a, 0x88, 0x67, 0x59, 0x0b}; static const uint8_t ksecp256k1PublicKey_uncompressed_0x03[] = { - /* uncompressed */ - 0x04, - /* x-coordinate */ - 0xad, 0xa8, 0x37, 0xe6, 0x83, 0x94, 0x67, 0xbf, 0x79, 0xa8, 0xa8, 0x3b, - 0x17, 0x3d, 0x4a, 0x56, 0x07, 0xa0, 0x57, 0x66, 0x19, 0xc6, 0x67, 0x56, - 0xa2, 0x48, 0x8c, 0x6d, 0xff, 0xda, 0xf2, 0xa9, - /* y-coordinate */ - 0x50, 0xd1, 0x4b, 0xff, 0x7a, 0x83, 0xb7, 0x02, 0x4c, 0xeb, 0x29, 0x2e, - 0xc8, 0x32, 0xa0, 0x16, 0xc5, 0x83, 0x74, 0x80, 0x1a, 0xf6, 0xc8, 0xb8, - 0xb8, 0x1d, 0x6a, 0xa6, 0xdc, 0xae, 0xfe, 0x63 -}; + /* uncompressed */ + 0x04, 
+ /* x-coordinate */ + 0xad, 0xa8, 0x37, 0xe6, 0x83, 0x94, 0x67, 0xbf, 0x79, 0xa8, 0xa8, 0x3b, + 0x17, 0x3d, 0x4a, 0x56, 0x07, 0xa0, 0x57, 0x66, 0x19, 0xc6, 0x67, 0x56, + 0xa2, 0x48, 0x8c, 0x6d, 0xff, 0xda, 0xf2, 0xa9, + /* y-coordinate */ + 0x50, 0xd1, 0x4b, 0xff, 0x7a, 0x83, 0xb7, 0x02, 0x4c, 0xeb, 0x29, 0x2e, + 0xc8, 0x32, 0xa0, 0x16, 0xc5, 0x83, 0x74, 0x80, 0x1a, 0xf6, 0xc8, 0xb8, + 0xb8, 0x1d, 0x6a, 0xa6, 0xdc, 0xae, 0xfe, 0x63}; static const uint8_t ksecp256k1PublicKey_compressed_0x03[] = { - 0x03, - /* x-coordinate */ - 0xad, 0xa8, 0x37, 0xe6, 0x83, 0x94, 0x67, 0xbf, 0x79, 0xa8, 0xa8, 0x3b, - 0x17, 0x3d, 0x4a, 0x56, 0x07, 0xa0, 0x57, 0x66, 0x19, 0xc6, 0x67, 0x56, - 0xa2, 0x48, 0x8c, 0x6d, 0xff, 0xda, 0xf2, 0xa9 -}; + 0x03, + /* x-coordinate */ + 0xad, 0xa8, 0x37, 0xe6, 0x83, 0x94, 0x67, 0xbf, 0x79, 0xa8, 0xa8, 0x3b, + 0x17, 0x3d, 0x4a, 0x56, 0x07, 0xa0, 0x57, 0x66, 0x19, 0xc6, 0x67, 0x56, + 0xa2, 0x48, 0x8c, 0x6d, 0xff, 0xda, 0xf2, 0xa9}; struct ECPublicKeyTestInput { const uint8_t *input_key; 
@@ -861,170 +836,133 @@ INSTANTIATE_TEST_SUITE_P(All, ECPublicKeyTest, // The 1st byte should be |0x04| to indicate this is uncompressed ECPublicKey. // This test is modified from |kP224PublicKey_uncompressed_0x02|. static const uint8_t kP224PublicKey_wrong_uncompressed_byte[] = { - /* wrong uncompressed byte */ - 0x01, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x85, - /* y-coordinate */ - 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, - 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, - 0xd6, 0x45, 0xa3, 0xea -}; + /* wrong uncompressed byte */ + 0x01, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x85, + /* y-coordinate */ + 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, + 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, + 0xd6, 0x45, 0xa3, 0xea}; // The last byte should be |0xea| instead of |0xe1|. // This test is modified from |kP224PublicKey_uncompressed_0x02|. 
static const uint8_t kP224PublicKey_uncompressed_wrong_y[] = { - /* uncompressed */ - 0x04, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x85, - /* y-coordinate */ - 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, - 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, - 0xd6, 0x45, 0xa3, 0xe1 -}; + /* uncompressed */ + 0x04, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x85, + /* y-coordinate */ + 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, + 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, + 0xd6, 0x45, 0xa3, 0xe1}; // The last byte |0xe1| should not exist. // This test is modified from |kP224PublicKey_uncompressed_0x02|. 
static const uint8_t kP224PublicKey_uncompressed_too_long[] = { - /* uncompressed */ - 0x04, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x85, - /* y-coordinate */ - 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, - 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, - 0xd6, 0x45, 0xa3, 0xea, - /* extra but not needed bytes */ - 0xe1 -}; + /* uncompressed */ + 0x04, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x85, + /* y-coordinate */ + 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, + 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, + 0xd6, 0x45, 0xa3, 0xea, + /* extra but not needed bytes */ + 0xe1}; // Additional one byte |0xea| should be appended to this array. // This test is modified from |kP224PublicKey_uncompressed_0x02|. 
static const uint8_t kP224PublicKey_uncompressed_too_short[] = { - /* uncompressed */ - 0x04, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x85, - /* y-coordinate */ - 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, - 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, - 0xd6, 0x45, 0xa3 -}; + /* uncompressed */ + 0x04, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x85, + /* y-coordinate */ + 0xe0, 0x43, 0xae, 0x7b, 0xae, 0xa3, 0x77, 0x28, 0x60, 0x39, 0xc0, 0x7c, + 0x04, 0x1b, 0x7a, 0x3b, 0x5d, 0x76, 0x96, 0xda, 0xdd, 0xa7, 0x05, 0x1a, + 0xd6, 0x45, 0xa3}; // The 1st byte should be 0x02. // This test is modified from |kP224PublicKey_compressed_0x02|. static const uint8_t kP224PublicKey_wrong_compressed_byte[] = { - 0x01, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x85 -}; + 0x01, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x85}; // The last byte should be |0x85| instead of |0x87|. // This test is modified from |kP224PublicKey_compressed_0x02|. 
static const uint8_t kP224PublicKey_compressed_wrong_x[] = { - 0x02, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x87 -}; + 0x02, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x87}; // Additional one byte |0x85| should be appended to this array. // This test is modified from |kP224PublicKey_compressed_0x02|. static const uint8_t kP224PublicKey_compressed_too_short[] = { - 0x02, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78 -}; + 0x02, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78}; // The last byte |0xe1| should not exist. // This test is modified from |kP224PublicKey_compressed_0x02|. static const uint8_t kP224PublicKey_compressed_too_long[] = { - 0x02, - /* x-coordinate */ - 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, - 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, - 0xc5, 0x82, 0x78, 0x85, - /* extra but not needed bytes */ - 0xe1 -}; + 0x02, + /* x-coordinate */ + 0xd6, 0xf5, 0xf0, 0x6e, 0xf4, 0xc5, 0x56, 0x0a, 0xff, 0x8f, 0x49, 0x90, + 0xef, 0xdb, 0xa5, 0x9a, 0xf8, 0xa8, 0xd3, 0x77, 0x0d, 0x80, 0x14, 0x6a, + 0xc5, 0x82, 0x78, 0x85, + /* extra but not needed bytes */ + 0xe1}; struct InvalidECPublicKey { const uint8_t *input_key; size_t input_key_len; int nid; } kInvalidECPublicKeyInputs[] = { - /* Test 1: incorrect compresion representation. 
*/
- {
- kP224PublicKey_wrong_compressed_byte,
- sizeof(kP224PublicKey_wrong_compressed_byte),
- NID_secp224r1
- },
- {
- kP224PublicKey_wrong_uncompressed_byte,
- sizeof(kP224PublicKey_wrong_uncompressed_byte),
- NID_secp224r1
- },
- /* Test 2: incorrect NID. */
- {
- kP224PublicKey_uncompressed_0x02,
- sizeof(kP224PublicKey_uncompressed_0x02),
- NID_secp521r1
- },
- {
- kP224PublicKey_compressed_0x02,
- sizeof(kP224PublicKey_compressed_0x02),
- NID_secp521r1
- },
- /* Test 3: bytes are too long, too short or wrong. */
- {
- kP224PublicKey_compressed_too_long,
- sizeof(kP224PublicKey_compressed_too_long),
- NID_secp224r1
- },
- {
- kP224PublicKey_compressed_too_short,
- sizeof(kP224PublicKey_compressed_too_short),
- NID_secp224r1
- },
- {
- kP224PublicKey_compressed_wrong_x,
- sizeof(kP224PublicKey_compressed_wrong_x),
- NID_secp224r1
- },
- {
- kP224PublicKey_uncompressed_too_long,
- sizeof(kP224PublicKey_uncompressed_too_long),
- NID_secp224r1
- },
- {
- kP224PublicKey_uncompressed_too_short,
- sizeof(kP224PublicKey_uncompressed_too_short),
- NID_secp224r1
- },
- {
- kP224PublicKey_uncompressed_wrong_y,
- sizeof(kP224PublicKey_uncompressed_wrong_y),
- NID_secp224r1
- }
-};
-
-class ECPublicKeyInvalidTest : public testing::TestWithParam {};
-
-// This is to test |EC_KEY| failing to decode some bytes using |o2i_ECPublicKey|.
+ /* Test 1: incorrect compresion representation. */
+ {kP224PublicKey_wrong_compressed_byte,
+ sizeof(kP224PublicKey_wrong_compressed_byte), NID_secp224r1},
+ {kP224PublicKey_wrong_uncompressed_byte,
+ sizeof(kP224PublicKey_wrong_uncompressed_byte), NID_secp224r1},
+ /* Test 2: incorrect NID. */
+ {kP224PublicKey_uncompressed_0x02, sizeof(kP224PublicKey_uncompressed_0x02),
+ NID_secp521r1},
+ {kP224PublicKey_compressed_0x02, sizeof(kP224PublicKey_compressed_0x02),
+ NID_secp521r1},
+ /* Test 3: bytes are too long, too short or wrong.
*/
+ {kP224PublicKey_compressed_too_long,
+ sizeof(kP224PublicKey_compressed_too_long), NID_secp224r1},
+ {kP224PublicKey_compressed_too_short,
+ sizeof(kP224PublicKey_compressed_too_short), NID_secp224r1},
+ {kP224PublicKey_compressed_wrong_x,
+ sizeof(kP224PublicKey_compressed_wrong_x), NID_secp224r1},
+ {kP224PublicKey_uncompressed_too_long,
+ sizeof(kP224PublicKey_uncompressed_too_long), NID_secp224r1},
+ {kP224PublicKey_uncompressed_too_short,
+ sizeof(kP224PublicKey_uncompressed_too_short), NID_secp224r1},
+ {kP224PublicKey_uncompressed_wrong_y,
+ sizeof(kP224PublicKey_uncompressed_wrong_y), NID_secp224r1}};
+
+class ECPublicKeyInvalidTest
+ : public testing::TestWithParam {};
+
+// This is to test |EC_KEY| failing to decode some bytes using
+// |o2i_ECPublicKey|.
 TEST_P(ECPublicKeyInvalidTest, Decode) {
 const auto ¶m = GetParam();
 const auto input_key = param.input_key;
@@ -1439,7 +1377,8 @@ TEST(ECTest, SmallGroupOrder) {
 ASSERT_TRUE(key);
 ASSERT_TRUE(EC_KEY_generate_key(key.get()));
- bssl::UniquePtr group_org(EC_GROUP_new_by_curve_name(NID_secp224r1));
+ bssl::UniquePtr group_org(
+ EC_GROUP_new_by_curve_name(NID_secp224r1));
 ASSERT_TRUE(group_org);
 bssl::UniquePtr ctx(BN_CTX_new());
 ASSERT_TRUE(ctx);
@@ -1452,15 +1391,15 @@ TEST(ECTest, SmallGroupOrder) {
 bssl::UniquePtr order(BN_new());
 ASSERT_TRUE(order);
 ASSERT_TRUE(BN_copy(order.get(), EC_GROUP_get0_order(group_org.get())));
- ASSERT_TRUE(EC_GROUP_get_curve_GFp(group_org.get(),
- p.get(), a.get(), b.get(), ctx.get()));
+ ASSERT_TRUE(EC_GROUP_get_curve_GFp(group_org.get(), p.get(), a.get(), b.get(),
+ ctx.get()));
 // Set a new group with p, a, b
 bssl::UniquePtr group(
 EC_GROUP_new_curve_GFp(p.get(), a.get(), b.get(), ctx.get()));
 ASSERT_TRUE(group);
- // The generator has to be created using the new group so they match when calling
- // |EC_GROUP_set_generator|
+ // The generator has to be created using the new group so they match when
+ // calling |EC_GROUP_set_generator|
 bssl::UniquePtr generator(EC_POINT_new(group.get()));
 ASSERT_TRUE(generator);
 // Get the original group's generator's coordinates.
@@ -1469,7 +1408,8 @@ TEST(ECTest, SmallGroupOrder) {
 bssl::UniquePtr gy(BN_new());
 ASSERT_TRUE(gy);
 EXPECT_TRUE(EC_POINT_get_affine_coordinates_GFp(
- group_org.get(), EC_GROUP_get0_generator(group_org.get()), gx.get(), gy.get(), ctx.get()));
+ group_org.get(), EC_GROUP_get0_generator(group_org.get()), gx.get(),
+ gy.get(), ctx.get()));
 // Set the coordinates of the new generator.
 ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp(
 group.get(), generator.get(), gx.get(), gy.get(), ctx.get()));
@@ -1497,7 +1437,8 @@ TEST(ECDeathTest, SmallGroupOrderAndDie) {
 ASSERT_TRUE(key);
 ASSERT_TRUE(EC_KEY_generate_key(key.get()));
- bssl::UniquePtr group_org(EC_GROUP_new_by_curve_name(NID_secp224r1));
+ bssl::UniquePtr group_org(
+ EC_GROUP_new_by_curve_name(NID_secp224r1));
 ASSERT_TRUE(group_org);
 bssl::UniquePtr ctx(BN_CTX_new());
 ASSERT_TRUE(ctx);
@@ -1510,15 +1451,15 @@ TEST(ECDeathTest, SmallGroupOrderAndDie) {
 bssl::UniquePtr order(BN_new());
 ASSERT_TRUE(order);
 ASSERT_TRUE(BN_copy(order.get(), EC_GROUP_get0_order(group_org.get())));
- ASSERT_TRUE(EC_GROUP_get_curve_GFp(group_org.get(),
- p.get(), a.get(), b.get(), ctx.get()));
+ ASSERT_TRUE(EC_GROUP_get_curve_GFp(group_org.get(), p.get(), a.get(), b.get(),
+ ctx.get()));
 // Set a new group with p, a, b
 bssl::UniquePtr group(
 EC_GROUP_new_curve_GFp(p.get(), a.get(), b.get(), ctx.get()));
 ASSERT_TRUE(group);
- // The generator has to be created using the new group so they match when calling
- // |EC_GROUP_set_generator|
+ // The generator has to be created using the new group so they match when
+ // calling |EC_GROUP_set_generator|
 bssl::UniquePtr generator(EC_POINT_new(group.get()));
 ASSERT_TRUE(generator);
 // Get the original group's generator's coordinates.
@@ -1527,7 +1468,8 @@ TEST(ECDeathTest, SmallGroupOrderAndDie) {
 bssl::UniquePtr gy(BN_new());
 ASSERT_TRUE(gy);
 EXPECT_TRUE(EC_POINT_get_affine_coordinates_GFp(
- group_org.get(), EC_GROUP_get0_generator(group_org.get()), gx.get(), gy.get(), ctx.get()));
+ group_org.get(), EC_GROUP_get0_generator(group_org.get()), gx.get(),
+ gy.get(), ctx.get()));
 // Set the coordinates of the new generator.
 ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp(
 group.get(), generator.get(), gx.get(), gy.get(), ctx.get()));
@@ -1556,7 +1498,7 @@ class ECCurveTest : public testing::TestWithParam {
 EC_GROUP *group() const { return group_.get(); }
 void SetUp() override {
- if(GetParam().mutable_group) {
+ if (GetParam().mutable_group) {
 group_.reset(EC_GROUP_new_by_curve_name_mutable(GetParam().nid));
 ASSERT_TRUE(group_);
 } else {
@@ -2047,7 +1989,7 @@ static std::vector AllCurves() {
 std::vector nids;
 for (const auto &curve : curves) {
 // Curve test parameter to use static groups.
- CurveParam curve_param = { curve.nid, false };
+ CurveParam curve_param = {curve.nid, false};
 nids.push_back(curve_param);
 // Curve test parameter to use mutable groups.
@@ -2137,116 +2079,120 @@ TEST(ECTest, LargeXCoordinateVectors) {
 bssl::UniquePtr ctx(BN_CTX_new());
 ASSERT_TRUE(ctx);
- FileTestGTest("crypto/fipsmodule/ec/large_x_coordinate_points.txt",
- [&](FileTest *t) {
- const EC_GROUP *group = GetCurve(t, "Curve");
- ASSERT_TRUE(group);
- bssl::UniquePtr x = GetBIGNUM(t, "X");
- ASSERT_TRUE(x);
- bssl::UniquePtr xpp = GetBIGNUM(t, "XplusP");
- ASSERT_TRUE(xpp);
- bssl::UniquePtr y = GetBIGNUM(t, "Y");
- ASSERT_TRUE(y);
- bssl::UniquePtr key(EC_KEY_new());
- ASSERT_TRUE(key);
- bssl::UniquePtr pub_key(EC_POINT_new(group));
- ASSERT_TRUE(pub_key);
-
- ASSERT_TRUE(EC_KEY_set_group(key.get(), group));
-
- // |EC_POINT_set_affine_coordinates_GFp| sets given (x, y) according to the
- // form the curve is using. If the curve is using Montgomery form, |x| and
- // |y| will be converted to Montgomery form.
- ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp(
- group, pub_key.get(), x.get(), y.get(), nullptr));
- ASSERT_TRUE(EC_KEY_set_public_key(key.get(), pub_key.get()));
- ASSERT_TRUE(EC_KEY_check_fips(key.get()));
-
- // Set the raw point directly with the BIGNUM coordinates.
- // Note that both are in little-endian byte order.
- OPENSSL_memcpy(key.get()->pub_key->raw.X.words,
- x.get()->d, BN_BYTES * group->field.N.width);
- OPENSSL_memcpy(key.get()->pub_key->raw.Y.words,
- y.get()->d, BN_BYTES * group->field.N.width);
- OPENSSL_memset(key.get()->pub_key->raw.Z.words, 0, BN_BYTES * group->field.N.width);
- key.get()->pub_key->raw.Z.words[0] = 1;
-
- // |EC_KEY_check_fips| first calls the |EC_KEY_check_key| function that
- // checks if the key point is on the curve (among other checks). If the
- // curve uses Montgomery form the point-on-curve check will fail because
- // we set the raw point coordinates in regular form above.
- int curve_nid = group->curve_name;
- if (!is_curve_using_mont_felem_impl(curve_nid)) {
- ASSERT_TRUE(EC_KEY_check_fips(key.get()));
- } else {
- ASSERT_FALSE(EC_KEY_check_fips(key.get()));
- EXPECT_EQ(EC_R_POINT_IS_NOT_ON_CURVE,
- ERR_GET_REASON(ERR_peek_last_error_line(&file, &line)));
- EXPECT_PRED2(HasSuffix, file, "ec_key.c"); // within EC_KEY_check_key
- }
-
- // Now replace the x-coordinate with the larger one, x+p.
- OPENSSL_memcpy(key.get()->pub_key->raw.X.words,
- xpp.get()->d, BN_BYTES * group->field.N.width);
- // We expect |EC_KEY_check_fips| to always fail when given key with x > p.
- ASSERT_FALSE(EC_KEY_check_fips(key.get()));
-
- // But the failure is for different reasons in case of curves using the
- // Montgomery form versus those that don't, as explained above.
- if (!is_curve_using_mont_felem_impl(curve_nid)) {
- EXPECT_EQ(EC_R_COORDINATES_OUT_OF_RANGE,
- ERR_GET_REASON(ERR_peek_last_error_line(&file, &line)));
- EXPECT_PRED2(HasSuffix, file, "ec_key.c"); // within EC_KEY_check_fips
- } else {
- EXPECT_EQ(EC_R_POINT_IS_NOT_ON_CURVE,
- ERR_GET_REASON(ERR_peek_last_error_line(&file, &line)));
- EXPECT_PRED2(HasSuffix, file, "ec_key.c"); // within EC_KEY_check_key
- }
- });
+ FileTestGTest(
+ "crypto/fipsmodule/ec/large_x_coordinate_points.txt", [&](FileTest *t) {
+ const EC_GROUP *group = GetCurve(t, "Curve");
+ ASSERT_TRUE(group);
+ bssl::UniquePtr x = GetBIGNUM(t, "X");
+ ASSERT_TRUE(x);
+ bssl::UniquePtr xpp = GetBIGNUM(t, "XplusP");
+ ASSERT_TRUE(xpp);
+ bssl::UniquePtr y = GetBIGNUM(t, "Y");
+ ASSERT_TRUE(y);
+ bssl::UniquePtr key(EC_KEY_new());
+ ASSERT_TRUE(key);
+ bssl::UniquePtr pub_key(EC_POINT_new(group));
+ ASSERT_TRUE(pub_key);
+
+ ASSERT_TRUE(EC_KEY_set_group(key.get(), group));
+
+ // |EC_POINT_set_affine_coordinates_GFp| sets given (x, y) according to
+ // the form the curve is using. If the curve is using Montgomery form,
+ // |x| and |y| will be converted to Montgomery form.
+ ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp(
+ group, pub_key.get(), x.get(), y.get(), nullptr));
+ ASSERT_TRUE(EC_KEY_set_public_key(key.get(), pub_key.get()));
+ ASSERT_TRUE(EC_KEY_check_fips(key.get()));
+
+ // Set the raw point directly with the BIGNUM coordinates.
+ // Note that both are in little-endian byte order.
+ OPENSSL_memcpy(key.get()->pub_key->raw.X.words, x.get()->d,
+ BN_BYTES * group->field.N.width);
+ OPENSSL_memcpy(key.get()->pub_key->raw.Y.words, y.get()->d,
+ BN_BYTES * group->field.N.width);
+ OPENSSL_memset(key.get()->pub_key->raw.Z.words, 0,
+ BN_BYTES * group->field.N.width);
+ key.get()->pub_key->raw.Z.words[0] = 1;
+
+ // |EC_KEY_check_fips| first calls the |EC_KEY_check_key| function that
+ // checks if the key point is on the curve (among other checks). If the
+ // curve uses Montgomery form the point-on-curve check will fail because
+ // we set the raw point coordinates in regular form above.
+ int curve_nid = group->curve_name;
+ if (!is_curve_using_mont_felem_impl(curve_nid)) {
+ ASSERT_TRUE(EC_KEY_check_fips(key.get()));
+ } else {
+ ASSERT_FALSE(EC_KEY_check_fips(key.get()));
+ EXPECT_EQ(EC_R_POINT_IS_NOT_ON_CURVE,
+ ERR_GET_REASON(ERR_peek_last_error_line(&file, &line)));
+ EXPECT_PRED2(HasSuffix, file, "ec_key.c"); // within EC_KEY_check_key
+ }
+
+ // Now replace the x-coordinate with the larger one, x+p.
+ OPENSSL_memcpy(key.get()->pub_key->raw.X.words, xpp.get()->d,
+ BN_BYTES * group->field.N.width);
+ // We expect |EC_KEY_check_fips| to always fail when given key with x >
+ // p.
+ ASSERT_FALSE(EC_KEY_check_fips(key.get()));
+
+ // But the failure is for different reasons in case of curves using the
+ // Montgomery form versus those that don't, as explained above.
+ if (!is_curve_using_mont_felem_impl(curve_nid)) {
+ EXPECT_EQ(EC_R_COORDINATES_OUT_OF_RANGE,
+ ERR_GET_REASON(ERR_peek_last_error_line(&file, &line)));
+ EXPECT_PRED2(HasSuffix, file,
+ "ec_key.c"); // within EC_KEY_check_fips
+ } else {
+ EXPECT_EQ(EC_R_POINT_IS_NOT_ON_CURVE,
+ ERR_GET_REASON(ERR_peek_last_error_line(&file, &line)));
+ EXPECT_PRED2(HasSuffix, file, "ec_key.c"); // within EC_KEY_check_key
+ }
+ });
 }
 TEST(ECTest, ScalarBaseMultVectors) {
 bssl::UniquePtr ctx(BN_CTX_new());
 ASSERT_TRUE(ctx);
- FileTestGTest("crypto/fipsmodule/ec/ec_scalar_base_mult_tests.txt",
- [&](FileTest *t) {
- const EC_GROUP *group = GetCurve(t, "Curve");
- ASSERT_TRUE(group);
- bssl::UniquePtr n = GetBIGNUM(t, "N");
- ASSERT_TRUE(n);
- bssl::UniquePtr x = GetBIGNUM(t, "X");
- ASSERT_TRUE(x);
- bssl::UniquePtr y = GetBIGNUM(t, "Y");
- ASSERT_TRUE(y);
- bool is_infinity = BN_is_zero(x.get()) && BN_is_zero(y.get());
-
- bssl::UniquePtr px(BN_new());
- ASSERT_TRUE(px);
- bssl::UniquePtr py(BN_new());
- ASSERT_TRUE(py);
- auto check_point = [&](const EC_POINT *p) {
- if (is_infinity) {
- EXPECT_TRUE(EC_POINT_is_at_infinity(group, p));
- } else {
- ASSERT_TRUE(EC_POINT_get_affine_coordinates_GFp(
- group, p, px.get(), py.get(), ctx.get()));
- EXPECT_EQ(0, BN_cmp(x.get(), px.get()));
- EXPECT_EQ(0, BN_cmp(y.get(), py.get()));
- }
- };
-
- const EC_POINT *g = EC_GROUP_get0_generator(group);
- bssl::UniquePtr p(EC_POINT_new(group));
- ASSERT_TRUE(p);
- // Test single-point multiplication.
- ASSERT_TRUE(EC_POINT_mul(group, p.get(), n.get(), nullptr, nullptr,
- ctx.get()));
- check_point(p.get());
-
- ASSERT_TRUE(EC_POINT_mul(group, p.get(), nullptr, g, n.get(), ctx.get()));
- check_point(p.get());
- });
+ FileTestGTest(
+ "crypto/fipsmodule/ec/ec_scalar_base_mult_tests.txt", [&](FileTest *t) {
+ const EC_GROUP *group = GetCurve(t, "Curve");
+ ASSERT_TRUE(group);
+ bssl::UniquePtr n = GetBIGNUM(t, "N");
+ ASSERT_TRUE(n);
+ bssl::UniquePtr x = GetBIGNUM(t, "X");
+ ASSERT_TRUE(x);
+ bssl::UniquePtr y = GetBIGNUM(t, "Y");
+ ASSERT_TRUE(y);
+ bool is_infinity = BN_is_zero(x.get()) && BN_is_zero(y.get());
+
+ bssl::UniquePtr px(BN_new());
+ ASSERT_TRUE(px);
+ bssl::UniquePtr py(BN_new());
+ ASSERT_TRUE(py);
+ auto check_point = [&](const EC_POINT *p) {
+ if (is_infinity) {
+ EXPECT_TRUE(EC_POINT_is_at_infinity(group, p));
+ } else {
+ ASSERT_TRUE(EC_POINT_get_affine_coordinates_GFp(
+ group, p, px.get(), py.get(), ctx.get()));
+ EXPECT_EQ(0, BN_cmp(x.get(), px.get()));
+ EXPECT_EQ(0, BN_cmp(y.get(), py.get()));
+ }
+ };
+
+ const EC_POINT *g = EC_GROUP_get0_generator(group);
+ bssl::UniquePtr p(EC_POINT_new(group));
+ ASSERT_TRUE(p);
+ // Test single-point multiplication.
+ ASSERT_TRUE(
+ EC_POINT_mul(group, p.get(), n.get(), nullptr, nullptr, ctx.get()));
+ check_point(p.get());
+
+ ASSERT_TRUE(
+ EC_POINT_mul(group, p.get(), nullptr, g, n.get(), ctx.get()));
+ check_point(p.get());
+ });
 }
 // These tests take a very long time, but are worth running when we make
@@ -2255,61 +2201,62 @@ TEST(ECTest, DISABLED_ScalarBaseMultVectorsTwoPoint) { bssl::UniquePtr ctx(BN_CTX_new()); ASSERT_TRUE(ctx); - FileTestGTest("crypto/fipsmodule/ec/ec_scalar_base_mult_tests.txt", - [&](FileTest *t) { - const EC_GROUP *group = GetCurve(t, "Curve"); - ASSERT_TRUE(group); - bssl::UniquePtr n = GetBIGNUM(t, "N"); - ASSERT_TRUE(n); - bssl::UniquePtr x = GetBIGNUM(t, "X"); - ASSERT_TRUE(x); - bssl::UniquePtr y = GetBIGNUM(t, "Y"); - ASSERT_TRUE(y); - bool is_infinity = BN_is_zero(x.get()) && BN_is_zero(y.get()); - - bssl::UniquePtr px(BN_new()); - ASSERT_TRUE(px); - bssl::UniquePtr py(BN_new()); - ASSERT_TRUE(py); - auto check_point = [&](const EC_POINT *p) { - if (is_infinity) { - EXPECT_TRUE(EC_POINT_is_at_infinity(group, p)); - } else { - ASSERT_TRUE(EC_POINT_get_affine_coordinates_GFp( - group, p, px.get(), py.get(), ctx.get())); - EXPECT_EQ(0, BN_cmp(x.get(), px.get())); - EXPECT_EQ(0, BN_cmp(y.get(), py.get())); - } - }; - - const EC_POINT *g = EC_GROUP_get0_generator(group); - bssl::UniquePtr p(EC_POINT_new(group)); - ASSERT_TRUE(p); - bssl::UniquePtr a(BN_new()), b(BN_new()); - for (int i = -64; i < 64; i++) { - SCOPED_TRACE(i); - ASSERT_TRUE(BN_set_word(a.get(), abs(i))); - if (i < 0) { - ASSERT_TRUE(BN_sub(a.get(), EC_GROUP_get0_order(group), a.get())); - } - - ASSERT_TRUE(BN_copy(b.get(), n.get())); - ASSERT_TRUE(BN_sub(b.get(), b.get(), a.get())); - if (BN_is_negative(b.get())) { - ASSERT_TRUE(BN_add(b.get(), b.get(), EC_GROUP_get0_order(group))); - } - - ASSERT_TRUE(EC_POINT_mul(group, p.get(), a.get(), g, b.get(), ctx.get())); - check_point(p.get()); - - EC_SCALAR a_scalar, b_scalar; - ASSERT_TRUE(ec_bignum_to_scalar(group, &a_scalar, a.get())); - ASSERT_TRUE(ec_bignum_to_scalar(group, &b_scalar, b.get())); - ASSERT_TRUE(ec_point_mul_scalar_public(group, &p->raw, &a_scalar, &g->raw, - &b_scalar)); - check_point(p.get()); - } - }); + FileTestGTest( + "crypto/fipsmodule/ec/ec_scalar_base_mult_tests.txt", [&](FileTest *t) { + const 
EC_GROUP *group = GetCurve(t, "Curve"); + ASSERT_TRUE(group); + bssl::UniquePtr n = GetBIGNUM(t, "N"); + ASSERT_TRUE(n); + bssl::UniquePtr x = GetBIGNUM(t, "X"); + ASSERT_TRUE(x); + bssl::UniquePtr y = GetBIGNUM(t, "Y"); + ASSERT_TRUE(y); + bool is_infinity = BN_is_zero(x.get()) && BN_is_zero(y.get()); + + bssl::UniquePtr px(BN_new()); + ASSERT_TRUE(px); + bssl::UniquePtr py(BN_new()); + ASSERT_TRUE(py); + auto check_point = [&](const EC_POINT *p) { + if (is_infinity) { + EXPECT_TRUE(EC_POINT_is_at_infinity(group, p)); + } else { + ASSERT_TRUE(EC_POINT_get_affine_coordinates_GFp( + group, p, px.get(), py.get(), ctx.get())); + EXPECT_EQ(0, BN_cmp(x.get(), px.get())); + EXPECT_EQ(0, BN_cmp(y.get(), py.get())); + } + }; + + const EC_POINT *g = EC_GROUP_get0_generator(group); + bssl::UniquePtr p(EC_POINT_new(group)); + ASSERT_TRUE(p); + bssl::UniquePtr a(BN_new()), b(BN_new()); + for (int i = -64; i < 64; i++) { + SCOPED_TRACE(i); + ASSERT_TRUE(BN_set_word(a.get(), abs(i))); + if (i < 0) { + ASSERT_TRUE(BN_sub(a.get(), EC_GROUP_get0_order(group), a.get())); + } + + ASSERT_TRUE(BN_copy(b.get(), n.get())); + ASSERT_TRUE(BN_sub(b.get(), b.get(), a.get())); + if (BN_is_negative(b.get())) { + ASSERT_TRUE(BN_add(b.get(), b.get(), EC_GROUP_get0_order(group))); + } + + ASSERT_TRUE( + EC_POINT_mul(group, p.get(), a.get(), g, b.get(), ctx.get())); + check_point(p.get()); + + EC_SCALAR a_scalar, b_scalar; + ASSERT_TRUE(ec_bignum_to_scalar(group, &a_scalar, a.get())); + ASSERT_TRUE(ec_bignum_to_scalar(group, &b_scalar, b.get())); + ASSERT_TRUE(ec_point_mul_scalar_public(group, &p->raw, &a_scalar, + &g->raw, &b_scalar)); + check_point(p.get()); + } + }); } TEST(ECTest, DeriveFromSecret) { 
@@ -2586,19 +2533,19 @@ TEST(ECTest, HashToScalar) { } TEST(ECTest, FelemBytes) { - std::tuple test_cases[2] = { - std::make_tuple(NID_secp384r1, P384_EC_FELEM_BYTES, P384_EC_FELEM_WORDS), - std::make_tuple(NID_secp521r1, P521_EC_FELEM_BYTES, P521_EC_FELEM_WORDS) - }; + std::tuple test_cases[2] = { + std::make_tuple(NID_secp384r1, P384_EC_FELEM_BYTES, P384_EC_FELEM_WORDS), + std::make_tuple(NID_secp521r1, P521_EC_FELEM_BYTES, P521_EC_FELEM_WORDS)}; - for(size_t i = 0; i < sizeof(test_cases)/sizeof(std::tuple); i++) { + for (size_t i = 0; i < sizeof(test_cases) / sizeof(std::tuple); + i++) { int nid = std::get<0>(test_cases[i]); int expected_felem_bytes = std::get<1>(test_cases[i]); int expected_felem_words = std::get<2>(test_cases[i]); ASSERT_TRUE(expected_felem_bytes <= EC_MAX_BYTES); ASSERT_TRUE(expected_felem_words <= EC_MAX_WORDS); - if( 0 == (expected_felem_bytes % BN_BYTES)) { + if (0 == (expected_felem_bytes % BN_BYTES)) { ASSERT_EQ(expected_felem_words, expected_felem_bytes / BN_BYTES); } else { ASSERT_EQ(expected_felem_words, 1 + (expected_felem_bytes / BN_BYTES)); @@ -2610,18 +2557,17 @@ TEST(ECTest, FelemBytes) { } } -static ECDSA_SIG * ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, - const BIGNUM *in_kinv, const BIGNUM *in_r, - EC_KEY *ec) { +static ECDSA_SIG *ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, + const BIGNUM *in_kinv, const BIGNUM *in_r, + EC_KEY *ec) { // To track whether custom implementation was called - EC_KEY_set_ex_data(ec, 1, (void*)"ecdsa_sign_sig"); + EC_KEY_set_ex_data(ec, 1, (void *)"ecdsa_sign_sig"); return nullptr; } static int ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec) { - ECDSA_SIG *ret = ECDSA_do_sign(dgst, dgstlen, ec); if (!ret) { *siglen = 0; 
@@ -2631,8 +2577,7 @@ static int ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, CBB cbb; CBB_init_fixed(&cbb, sig, ECDSA_size(ec)); size_t len; - if (!ECDSA_SIG_marshal(&cbb, ret) || - !CBB_finish(&cbb, nullptr, &len)) { + if (!ECDSA_SIG_marshal(&cbb, ret) || !CBB_finish(&cbb, nullptr, &len)) { ECDSA_SIG_free(ret); OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR); *siglen = 0; @@ -2642,16 +2587,15 @@ static int ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, *siglen = (unsigned)len; // To track whether custom implementation was called - EC_KEY_set_ex_data(ec, 0, (void*)"ecdsa_sign"); + EC_KEY_set_ex_data(ec, 0, (void *)"ecdsa_sign"); ECDSA_SIG_free(ret); return 1; } -static void openvpn_extkey_ec_finish(EC_KEY *ec) -{ +static void openvpn_extkey_ec_finish(EC_KEY *ec) { const EC_KEY_METHOD *ec_meth = EC_KEY_get_method(ec); - EC_KEY_METHOD_free((EC_KEY_METHOD *) ec_meth); + EC_KEY_METHOD_free((EC_KEY_METHOD *)ec_meth); } TEST(ECTest, ECKEYMETHOD) { @@ -2665,8 +2609,8 @@ TEST(ECTest, ECKEYMETHOD) { ASSERT_FALSE(ec_method->finish && ec_method->sign); // Can only set these fields - EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, - NULL, NULL, NULL, NULL); + EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, + NULL, NULL); ASSERT_TRUE(ec_method->finish); // Checking Sign EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, NULL, NULL); 
@@ -2685,9 +2629,11 @@ TEST(ECTest, ECKEYMETHOD) { bssl::UniquePtr ec_key(EVP_PKEY_new()); ASSERT_TRUE(ec_key.get()); EVP_PKEY_assign_EC_KEY(ec_key.get(), ec.get()); - // EVP_PKEY_assign_EC_KEY doesn't up the reference, so do that here for proper test cleanup + // EVP_PKEY_assign_EC_KEY doesn't up the reference, so do that here for proper + // test cleanup ASSERT_TRUE(EC_KEY_up_ref(ec.get())); - bssl::UniquePtr ec_key_ctx(EVP_PKEY_CTX_new(ec_key.get(), NULL)); + bssl::UniquePtr ec_key_ctx( + EVP_PKEY_CTX_new(ec_key.get(), NULL)); ASSERT_TRUE(ec_key_ctx.get()); // Do a signature, should call custom openvpn_extkey_ec_finish @@ -2697,12 +2643,12 @@ TEST(ECTest, ECKEYMETHOD) { std::vector signature(ECDSA_size(ec.get())); size_t sig_len = ECDSA_size(ec.get()); ASSERT_TRUE(EVP_PKEY_sign_init(ec_key_ctx.get())); - ASSERT_TRUE(EVP_PKEY_sign(ec_key_ctx.get(), signature.data(), - &sig_len, digest, 20)); + ASSERT_TRUE( + EVP_PKEY_sign(ec_key_ctx.get(), signature.data(), &sig_len, digest, 20)); signature.resize(sig_len); - ASSERT_STREQ(static_cast(EC_KEY_get_ex_data(ec.get(), 0)) - , "ecdsa_sign"); + ASSERT_STREQ(static_cast(EC_KEY_get_ex_data(ec.get(), 0)), + "ecdsa_sign"); // Verify the signature EXPECT_TRUE(ECDSA_verify(0, digest, 20, signature.data(), signature.size(), ec.get())); @@ -2712,7 +2658,7 @@ TEST(ECTest, ECKEYMETHOD) { ASSERT_TRUE(ec_method->sign_sig && !ec_method->sign); ECDSA_do_sign(digest, 20, ec.get()); - ASSERT_STREQ(static_cast(EC_KEY_get_ex_data(ec.get(), 1)), + ASSERT_STREQ(static_cast(EC_KEY_get_ex_data(ec.get(), 1)), "ecdsa_sign_sig"); // Flags @@ -2738,8 +2684,8 @@ TEST(ECTest, ECEngine) { // Call custom Engine implementation ECDSA_do_sign(NULL, 0, key); - ASSERT_STREQ(static_cast(EC_KEY_get_ex_data(key, 1)) - , "ecdsa_sign_sig"); + ASSERT_STREQ(static_cast(EC_KEY_get_ex_data(key, 1)), + "ecdsa_sign_sig"); EC_KEY_free(key); ENGINE_free(engine); 
diff --git a/crypto/fipsmodule/ec/felem.c b/crypto/fipsmodule/ec/felem.c
index 60648195ac..2475fbd988 100644
--- a/crypto/fipsmodule/ec/felem.c
+++ b/crypto/fipsmodule/ec/felem.c
@@ -18,9 +18,9 @@
 #include 
-#include "internal.h"
-#include "../bn/internal.h"
 #include "../../internal.h"
+#include "../bn/internal.h"
+#include "internal.h"
 const EC_FELEM *ec_felem_one(const EC_GROUP *group) {
diff --git a/crypto/fipsmodule/ec/internal.h b/crypto/fipsmodule/ec/internal.h
index 8621b4dc39..660ad85b79 100644
--- a/crypto/fipsmodule/ec/internal.h
+++ b/crypto/fipsmodule/ec/internal.h
@@ -769,42 +769,42 @@ const EC_METHOD *EC_GFp_nistz256_method(void); // fields at all. If this struct is made public in the future, to maintain // OpenSSL compatability and match the struct size, they should be added in. struct ec_key_method_st { - int (*init)(EC_KEY *key); - void (*finish)(EC_KEY *key); - - // AWS-LC doesn't support custom values for EC_KEY operations - // as of now. |k_inv| and |r| must be NULL parameters. - // The |type| parameter is ignored in OpenSSL, we pass in zero for it. - // The default behavior for |sign| is implemented in |ECDSA_sign|. If custom - // functionality is provided, |sign| will be invoked within |ECDSA_sign|. - int (*sign)(int type, const uint8_t *digest, int digest_len, - uint8_t *sig, unsigned int *siglen, const BIGNUM *k_inv, - const BIGNUM *r, EC_KEY *eckey); - - // AWS-LC doesn't support custom values for EC_KEY operations - // as of now. |k_inv| and |r| must be NULL parameters. The default behavior - // for |sign_sig| is implemented in |ECDSA_do_sign|. If custom functionality - // is provided, |sign_sig| will be invoked within |ECDSA_do_sign|. - ECDSA_SIG *(*sign_sig)(const uint8_t *digest, int digest_len, - const BIGNUM *in_kinv, const BIGNUM *in_r, - EC_KEY *eckey); - - // Currently, |EC_KEY_METHOD| only supports |ECDSA_FLAG_OPAQUE|. It is - // not set by default. - int flags; - - // AWS-LC currently does not support these fields directly. However, they - // are left commented out here because the associated setter - // functions (macros) still include support for them in their signatures. - // Note: Compile-time checks (static asserts) are in place to ensure that - // these fields cannot be set by consumers, enforcing the requirement that - // NULL must be passed for these parameters. 
- // int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **k_inv, - // BIGNUM **r); - // int (*copy)(EC_KEY *dest, const EC_KEY *src); - // int (*set_group)(EC_KEY *key, const EC_GROUP *group); - // int (*set_private)(EC_KEY *key, const BIGNUM *priv_key); - // int (*set_public)(EC_KEY *key, const EC_POINT *pub_key); + int (*init)(EC_KEY *key); + void (*finish)(EC_KEY *key); + + // AWS-LC doesn't support custom values for EC_KEY operations + // as of now. |k_inv| and |r| must be NULL parameters. + // The |type| parameter is ignored in OpenSSL, we pass in zero for it. + // The default behavior for |sign| is implemented in |ECDSA_sign|. If custom + // functionality is provided, |sign| will be invoked within |ECDSA_sign|. + int (*sign)(int type, const uint8_t *digest, int digest_len, uint8_t *sig, + unsigned int *siglen, const BIGNUM *k_inv, const BIGNUM *r, + EC_KEY *eckey); + + // AWS-LC doesn't support custom values for EC_KEY operations + // as of now. |k_inv| and |r| must be NULL parameters. The default behavior + // for |sign_sig| is implemented in |ECDSA_do_sign|. If custom functionality + // is provided, |sign_sig| will be invoked within |ECDSA_do_sign|. + ECDSA_SIG *(*sign_sig)(const uint8_t *digest, int digest_len, + const BIGNUM *in_kinv, const BIGNUM *in_r, + EC_KEY *eckey); + + // Currently, |EC_KEY_METHOD| only supports |ECDSA_FLAG_OPAQUE|. It is + // not set by default. + int flags; + + // AWS-LC currently does not support these fields directly. However, they + // are left commented out here because the associated setter + // functions (macros) still include support for them in their signatures. + // Note: Compile-time checks (static asserts) are in place to ensure that + // these fields cannot be set by consumers, enforcing the requirement that + // NULL must be passed for these parameters. 
+ // int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **k_inv, + // BIGNUM **r); + // int (*copy)(EC_KEY *dest, const EC_KEY *src); + // int (*set_group)(EC_KEY *key, const EC_GROUP *group); + // int (*set_private)(EC_KEY *key, const BIGNUM *priv_key); + // int (*set_public)(EC_KEY *key, const EC_POINT *pub_key); }; // An EC_WRAPPED_SCALAR is an |EC_SCALAR| with a parallel |BIGNUM| diff --git a/crypto/fipsmodule/ec/oct.c b/crypto/fipsmodule/ec/oct.c index 2e9c112679..518e0e9f6d 100644 --- a/crypto/fipsmodule/ec/oct.c +++ b/crypto/fipsmodule/ec/oct.c @@ -150,7 +150,7 @@ int ec_point_from_uncompressed(const EC_GROUP *group, EC_AFFINE *out, } static int ec_point_from_hybrid(const EC_GROUP *group, EC_AFFINE *out, - const uint8_t *in, size_t len) { + const uint8_t *in, size_t len) { const size_t field_len = BN_num_bytes(&group->field.N); // |POINT_CONVERSION_HYBRID| has the solution of y encoded in the first byte // as well. @@ -277,7 +277,7 @@ size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, // OpenSSL encodes infinity to a single 0 octet. if (ec_GFp_simple_is_at_infinity(group, &point->raw)) { - if(buf != NULL) { + if (buf != NULL) { if (len < 1) { OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL); return 0; @@ -333,8 +333,7 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, BIGNUM *a = BN_CTX_get(ctx); BIGNUM *b = BN_CTX_get(ctx); BIGNUM *y = BN_CTX_get(ctx); - if (y == NULL || - !EC_GROUP_get_curve_GFp(group, NULL, a, b, ctx)) { + if (y == NULL || !EC_GROUP_get_curve_GFp(group, NULL, a, b, ctx)) { goto err; } diff --git a/crypto/fipsmodule/ec/p224-64.c b/crypto/fipsmodule/ec/p224-64.c index 6a550498ef..4dfd45d34a 100644 --- a/crypto/fipsmodule/ec/p224-64.c +++ b/crypto/fipsmodule/ec/p224-64.c @@ -27,9 +27,9 @@ #include -#include "internal.h" -#include "../delocate.h" #include "../../internal.h" +#include "../delocate.h" +#include "internal.h" #if defined(BORINGSSL_HAS_UINT128) && !defined(OPENSSL_SMALL) 
@@ -473,12 +473,12 @@ static p224_limb p224_felem_is_zero(const p224_felem in) { zero = (((int64_t)(zero)-1) >> 63) & 1; p224_limb two224m96p1 = (in[0] ^ 1) | (in[1] ^ 0x00ffff0000000000) | - (in[2] ^ 0x00ffffffffffffff) | - (in[3] ^ 0x00ffffffffffffff); + (in[2] ^ 0x00ffffffffffffff) | + (in[3] ^ 0x00ffffffffffffff); two224m96p1 = (((int64_t)(two224m96p1)-1) >> 63) & 1; p224_limb two225m97p2 = (in[0] ^ 2) | (in[1] ^ 0x00fffe0000000000) | - (in[2] ^ 0x00ffffffffffffff) | - (in[3] ^ 0x01ffffffffffffff); + (in[2] ^ 0x00ffffffffffffff) | + (in[3] ^ 0x01ffffffffffffff); two225m97p2 = (((int64_t)(two225m97p2)-1) >> 63) & 1; return (zero | two224m96p1 | two225m97p2); } @@ -506,7 +506,7 @@ static void p224_felem_inv(p224_felem out, const p224_felem in) { p224_felem_mul(tmp, ftmp2, ftmp); p224_felem_reduce(ftmp, tmp); // 2^6 - 1 p224_felem_square(tmp, ftmp); - p224_felem_reduce(ftmp2, tmp); // 2^7 - 2 + p224_felem_reduce(ftmp2, tmp); // 2^7 - 2 for (size_t i = 0; i < 5; ++i) { // 2^12 - 2^6 p224_felem_square(tmp, ftmp2); p224_felem_reduce(ftmp2, tmp); @@ -514,7 +514,7 @@ static void p224_felem_inv(p224_felem out, const p224_felem in) { p224_felem_mul(tmp, ftmp2, ftmp); p224_felem_reduce(ftmp2, tmp); // 2^12 - 1 p224_felem_square(tmp, ftmp2); - p224_felem_reduce(ftmp3, tmp); // 2^13 - 2 + p224_felem_reduce(ftmp3, tmp); // 2^13 - 2 for (size_t i = 0; i < 11; ++i) { // 2^24 - 2^12 p224_felem_square(tmp, ftmp3); p224_felem_reduce(ftmp3, tmp); @@ -522,7 +522,7 @@ static void p224_felem_inv(p224_felem out, const p224_felem in) { p224_felem_mul(tmp, ftmp3, ftmp2); p224_felem_reduce(ftmp2, tmp); // 2^24 - 1 p224_felem_square(tmp, ftmp2); - p224_felem_reduce(ftmp3, tmp); // 2^25 - 2 + p224_felem_reduce(ftmp3, tmp); // 2^25 - 2 for (size_t i = 0; i < 23; ++i) { // 2^48 - 2^24 p224_felem_square(tmp, ftmp3); p224_felem_reduce(ftmp3, tmp); 
@@ -530,7 +530,7 @@ static void p224_felem_inv(p224_felem out, const p224_felem in) { p224_felem_mul(tmp, ftmp3, ftmp2); p224_felem_reduce(ftmp3, tmp); // 2^48 - 1 p224_felem_square(tmp, ftmp3); - p224_felem_reduce(ftmp4, tmp); // 2^49 - 2 + p224_felem_reduce(ftmp4, tmp); // 2^49 - 2 for (size_t i = 0; i < 47; ++i) { // 2^96 - 2^48 p224_felem_square(tmp, ftmp4); p224_felem_reduce(ftmp4, tmp); @@ -538,13 +538,13 @@ static void p224_felem_inv(p224_felem out, const p224_felem in) { p224_felem_mul(tmp, ftmp3, ftmp4); p224_felem_reduce(ftmp3, tmp); // 2^96 - 1 p224_felem_square(tmp, ftmp3); - p224_felem_reduce(ftmp4, tmp); // 2^97 - 2 + p224_felem_reduce(ftmp4, tmp); // 2^97 - 2 for (size_t i = 0; i < 23; ++i) { // 2^120 - 2^24 p224_felem_square(tmp, ftmp4); p224_felem_reduce(ftmp4, tmp); } p224_felem_mul(tmp, ftmp2, ftmp4); - p224_felem_reduce(ftmp2, tmp); // 2^120 - 1 + p224_felem_reduce(ftmp2, tmp); // 2^120 - 1 for (size_t i = 0; i < 6; ++i) { // 2^126 - 2^6 p224_felem_square(tmp, ftmp2); p224_felem_reduce(ftmp2, tmp); @@ -554,7 +554,7 @@ static void p224_felem_inv(p224_felem out, const p224_felem in) { p224_felem_square(tmp, ftmp); p224_felem_reduce(ftmp, tmp); // 2^127 - 2 p224_felem_mul(tmp, ftmp, in); - p224_felem_reduce(ftmp, tmp); // 2^127 - 1 + p224_felem_reduce(ftmp, tmp); // 2^127 - 1 for (size_t i = 0; i < 97; ++i) { // 2^224 - 2^97 p224_felem_square(tmp, ftmp); p224_felem_reduce(ftmp, tmp); @@ -838,9 +838,9 @@ static void p224_select_point(const uint64_t idx, size_t size, for (size_t i = 0; i < size; i++) { const p224_limb *inlimbs = &pre_comp[i][0][0]; OPENSSL_STATIC_ASSERT(sizeof(uint64_t) <= sizeof(crypto_word_t), - crypto_word_t_is_too_small); + crypto_word_t_is_too_small); OPENSSL_STATIC_ASSERT(sizeof(size_t) <= sizeof(crypto_word_t), - crypto_word_t_is_too_small); + crypto_word_t_is_too_small); // Without a value barrier, Clang adds a branch here. uint64_t mask = value_barrier_w(constant_time_eq_w(i, idx)); for (size_t j = 0; j < 4 * 3; j++) { 
@@ -861,8 +861,7 @@ static crypto_word_t p224_get_bit(const EC_SCALAR *in, size_t i) { // Takes the Jacobian coordinates (X, Y, Z) of a point and returns // (X', Y') = (X/Z^2, Y/Z^3) static int ec_GFp_nistp224_point_get_affine_coordinates( - const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x, - EC_FELEM *y) { + const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x, EC_FELEM *y) { if (constant_time_declassify_int( ec_GFp_simple_is_at_infinity(group, point))) { OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY); diff --git a/crypto/fipsmodule/ec/p256-nistz.c b/crypto/fipsmodule/ec/p256-nistz.c index 3e8afd6aad..b125762241 100644 --- a/crypto/fipsmodule/ec/p256-nistz.c +++ b/crypto/fipsmodule/ec/p256-nistz.c @@ -26,27 +26,29 @@ #include #include +#include "../../internal.h" #include "../bn/internal.h" #include "../delocate.h" -#include "../../internal.h" +#include "ec_nistp.h" #include "internal.h" #include "p256-nistz.h" -#include "ec_nistp.h" #if defined(EC_NISTP_USE_S2N_BIGNUM) #include "../../../third_party/s2n-bignum/include/s2n-bignum_aws-lc.h" #endif -#if !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ +#if !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ !defined(OPENSSL_SMALL) typedef P256_POINT_AFFINE PRECOMP256_ROW[64]; // One converted into the Montgomery domain static const BN_ULONG ONE[P256_LIMBS] = { - TOBN(0x00000000, 0x00000001), TOBN(0xffffffff, 0x00000000), - TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0xfffffffe), + TOBN(0x00000000, 0x00000001), + TOBN(0xffffffff, 0x00000000), + TOBN(0xffffffff, 0xffffffff), + TOBN(0x00000000, 0xfffffffe), }; // Precomputed tables for the default generator 
@@ -109,11 +111,11 @@ static void copy_conditional(BN_ULONG dst[P256_LIMBS], // // (declare-fun x () (_ BitVec 64)) // -// (assert (and (= x #x0000000000000000) (= (is_not_zero x) #x0000000000000001))) -// (check-sat) +// (assert (and (= x #x0000000000000000) (= (is_not_zero x) +// #x0000000000000001))) (check-sat) // -// (assert (and (not (= x #x0000000000000000)) (= (is_not_zero x) #x0000000000000000))) -// (check-sat) +// (assert (and (not (= x #x0000000000000000)) (= (is_not_zero x) +// #x0000000000000000))) (check-sat) // static BN_ULONG is_not_zero(BN_ULONG in) { in |= (0 - in); @@ -211,7 +213,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r, // add no more than 63 bytes of overhead. Thus, |table| should require // ~1599 ((96 * 16) + 63) bytes of stack space. stack_align_type table_buffer[64 + (sizeof(P256_POINT) * 16)]; - P256_POINT *aligned_table = (P256_POINT *) align_pointer(table_buffer, 64); + P256_POINT *aligned_table = (P256_POINT *)align_pointer(table_buffer, 64); uint8_t p_str[33]; OPENSSL_memcpy(p_str, p_scalar->words, 32); p_str[32] = 0; @@ -243,7 +245,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r, BN_ULONG tmp[P256_LIMBS]; stack_align_type buffer_h[32 + sizeof(P256_POINT)]; - P256_POINT *aligned_h = (P256_POINT *) align_pointer(buffer_h, 32); + P256_POINT *aligned_h = (P256_POINT *)align_pointer(buffer_h, 32); size_t index = 255; crypto_word_t wvalue = p_str[(index - 1) / 8]; wvalue = (wvalue >> ((index - 1) % 8)) & kMask; 
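Review bot: The reflowed SMT-LIB comment above is_not_zero now puts `(check-sat)` on the continuation line of each `(assert …)`, e.g. `// #x0000000000000001))) (check-sat)`, so the snippet no longer reads (or pastes into a solver) as one command per line. Because this comment is a verification script rather than prose, wrap it in `// clang-format off` / `// clang-format on` and restore the original one-command-per-line layout; lines of the script exceeding the column limit are acceptable there. The same treatment is worth applying to any other verbatim script or table that this formatting pass reflowed.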
@@ -318,12 +320,14 @@ static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r, #if defined(EC_NISTP_USE_S2N_BIGNUM) ec_nistp_felem_limb in[P256_LIMBS * 3]; ec_nistp_felem_limb out[P256_LIMBS * 3]; - ec_nistp_coordinates_to_point(in, p->X.words, p->Y.words, p->Z.words, P256_LIMBS); + ec_nistp_coordinates_to_point(in, p->X.words, p->Y.words, p->Z.words, + P256_LIMBS); p256_montjscalarmul_selector(out, scalar->words, in); - ec_nistp_point_to_coordinates(r->X.words, r->Y.words, r->Z.words, out, P256_LIMBS); + ec_nistp_point_to_coordinates(r->X.words, r->Y.words, r->Z.words, out, + P256_LIMBS); #else stack_align_type buffer_out[32 + sizeof(P256_POINT)]; - P256_POINT *aligned_out = (P256_POINT *) align_pointer(buffer_out, 32); + P256_POINT *aligned_out = (P256_POINT *)align_pointer(buffer_out, 32); ecp_nistz256_windowed_mul(group, aligned_out, p, scalar); assert(group->field.N.width == P256_LIMBS); @@ -335,11 +339,11 @@ static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r, static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *scalar) { - stack_align_type buffer_t[32 + sizeof(P256_POINT_AFFINE)]; - P256_POINT_AFFINE *aligned_t = (P256_POINT_AFFINE *) align_pointer(buffer_t, 32); + P256_POINT_AFFINE *aligned_t = + (P256_POINT_AFFINE *)align_pointer(buffer_t, 32); stack_align_type buffer_p[32 + sizeof(P256_POINT)]; - P256_POINT *aligned_p = (P256_POINT *) align_pointer(buffer_p, 32); + P256_POINT *aligned_p = (P256_POINT *)align_pointer(buffer_p, 32); uint8_t p_str[33]; OPENSSL_memcpy(p_str, scalar->words, 32); 
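Review bot: As rendered in the hunk for ecp_nistz256_point_mul_base, the declaration `stack_align_type buffer_t[32 + sizeof(P256_POINT_AFFINE)];` appears only as a removed line, while the new-side `P256_POINT_AFFINE *aligned_t = (P256_POINT_AFFINE *)align_pointer(buffer_t, 32);` still references `buffer_t`. This is most likely an artifact of how the hunk was collapsed, since a pure clang-format pass does not remove statements, but it is worth confirming that the declaration survived, because that buffer is the only storage backing `aligned_t`. If it was dropped, restore `stack_align_type buffer_t[32 + sizeof(P256_POINT_AFFINE)];` immediately before the `aligned_t` initialisation, mirroring the `buffer_p`/`aligned_p` pair two lines below. The body of ecp_nistz256_point_mul_base continues outside the hunk.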
@@ -367,7 +371,7 @@ static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_JACOBIAN *r, ecp_nistz256_select_w7(aligned_t, ecp_nistz256_precomputed[i], wvalue >> 1); stack_align_type buffer_neg_y[32 + (sizeof(BN_ULONG) * P256_LIMBS)]; - BN_ULONG *aligned_neg_y = (BN_ULONG *) align_pointer(buffer_neg_y, 32); + BN_ULONG *aligned_neg_y = (BN_ULONG *)align_pointer(buffer_neg_y, 32); ecp_nistz256_neg(aligned_neg_y, aligned_t->Y); copy_conditional(aligned_t->Y, aligned_neg_y, wvalue & 1); @@ -390,7 +394,7 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group, assert(p_ != NULL && p_scalar != NULL && g_scalar != NULL); stack_align_type buffer_p[32 + sizeof(P256_POINT)]; - P256_POINT *aligned_p = (P256_POINT *) align_pointer(buffer_p, 32); + P256_POINT *aligned_p = (P256_POINT *)align_pointer(buffer_p, 32); uint8_t p_str[33]; OPENSSL_memcpy(p_str, g_scalar->words, 32); @@ -404,9 +408,11 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group, // is infinity and |ONE| otherwise. |p| was computed from the table, so it // is infinity iff |wvalue >> 1| is zero. if ((wvalue >> 1) != 0) { - OPENSSL_memcpy(aligned_p->X, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].X, + OPENSSL_memcpy(aligned_p->X, + &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].X, sizeof(aligned_p->X)); - OPENSSL_memcpy(aligned_p->Y, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].Y, + OPENSSL_memcpy(aligned_p->Y, + &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].Y, sizeof(aligned_p->Y)); OPENSSL_memcpy(aligned_p->Z, ONE, sizeof(aligned_p->Z)); } else { @@ -426,7 +432,8 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group, } stack_align_type buffer_t[32 + sizeof(P256_POINT_AFFINE)]; - P256_POINT_AFFINE *aligned_t = (P256_POINT_AFFINE *) align_pointer(buffer_t, 32); + P256_POINT_AFFINE *aligned_t = + (P256_POINT_AFFINE *)align_pointer(buffer_t, 32); OPENSSL_memcpy(aligned_t, &ecp_nistz256_precomputed[i][(wvalue >> 1) - 1], sizeof(*aligned_t)); 
@@ -442,7 +449,7 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group, } stack_align_type buffer_tmp[32 + sizeof(P256_POINT)]; - P256_POINT *aligned_tmp = (P256_POINT *) align_pointer(buffer_tmp, 32); + P256_POINT *aligned_tmp = (P256_POINT *)align_pointer(buffer_tmp, 32); ecp_nistz256_windowed_mul(group, aligned_tmp, p_, p_scalar); ecp_nistz256_point_add(aligned_p, aligned_p, aligned_tmp); @@ -588,11 +595,10 @@ static void ecp_nistz256_inv0_mod_ord(const EC_GROUP *group, EC_SCALAR *out, } static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, - EC_SCALAR *out, - const EC_SCALAR *in) { - + EC_SCALAR *out, + const EC_SCALAR *in) { #if defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX) - return ec_simple_scalar_to_montgomery_inv_vartime(group, out, in); + return ec_simple_scalar_to_montgomery_inv_vartime(group, out, in); #else #if defined(OPENSSL_X86_64) @@ -673,6 +679,6 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistz256_method) { out->cmp_x_coordinate = ecp_nistz256_cmp_x_coordinate; } -#endif /* !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ +#endif /* !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ !defined(OPENSSL_SMALL) */ diff --git a/crypto/fipsmodule/ec/p256-nistz.h b/crypto/fipsmodule/ec/p256-nistz.h index c61018bd21..2d6ef5a7b6 100644 --- a/crypto/fipsmodule/ec/p256-nistz.h +++ b/crypto/fipsmodule/ec/p256-nistz.h @@ -30,7 +30,7 @@ extern "C" { #endif -#if !defined(OPENSSL_NO_ASM) && \ +#if !defined(OPENSSL_NO_ASM) && \ (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ !defined(OPENSSL_SMALL) @@ -60,7 +60,7 @@ void ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS], // by multiplying with 1. static inline void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS], const BN_ULONG in[P256_LIMBS]) { - static const BN_ULONG ONE[P256_LIMBS] = { 1 }; + static const BN_ULONG ONE[P256_LIMBS] = {1}; ecp_nistz256_mul_mont(res, in, ONE); } 
@@ -133,8 +133,8 @@ void ecp_nistz256_point_add(P256_POINT *r, const P256_POINT *a,
 void ecp_nistz256_point_add_affine(P256_POINT *r, const P256_POINT *a, const P256_POINT_AFFINE *b);
-#endif /* !defined(OPENSSL_NO_ASM) && \
- (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
+#endif /* !defined(OPENSSL_NO_ASM) && \
+ (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
 !defined(OPENSSL_SMALL) */
diff --git a/crypto/fipsmodule/ec/p256-nistz_test.cc b/crypto/fipsmodule/ec/p256-nistz_test.cc
index 81cb923bb4..6352c699f5 100644
--- a/crypto/fipsmodule/ec/p256-nistz_test.cc
+++ b/crypto/fipsmodule/ec/p256-nistz_test.cc
@@ -24,28 +24,29 @@ #include #include -#include "internal.h" -#include "../bn/internal.h" -#include "../cpucap/internal.h" #include "../../internal.h" #include "../../test/abi_test.h" #include "../../test/file_test.h" #include "../../test/test_util.h" +#include "../bn/internal.h" +#include "../cpucap/internal.h" +#include "internal.h" #include "p256-nistz.h" // Disable tests if BORINGSSL_SHARED_LIBRARY is defined. These tests need access // to internal functions. #if !defined(OPENSSL_NO_ASM) && !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX) && \ - (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ + (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ !defined(OPENSSL_SMALL) && !defined(BORINGSSL_SHARED_LIBRARY) TEST(P256_NistzTest, SelectW5) { // Fill a table with some garbage input. stack_align_type buffer_table[64 + (sizeof(P256_POINT) * 16)]; - P256_POINT *aligned_table = (P256_POINT *) align_pointer(buffer_table, 64); + P256_POINT *aligned_table = (P256_POINT *)align_pointer(buffer_table, 64); for (size_t i = 0; i < 16; i++) { - OPENSSL_memset(aligned_table[i].X, static_cast(3 * i), sizeof(aligned_table[i].X)); + OPENSSL_memset(aligned_table[i].X, static_cast(3 * i), + sizeof(aligned_table[i].X)); OPENSSL_memset(aligned_table[i].Y, static_cast(3 * i + 1), sizeof(aligned_table[i].Y)); OPENSSL_memset(aligned_table[i].Z, static_cast(3 * i + 2), @@ -60,11 +61,12 @@ TEST(P256_NistzTest, SelectW5) { if (i == 0) { OPENSSL_memset(&expected, 0, sizeof(expected)); } else { - expected = aligned_table[i-1]; + expected = aligned_table[i - 1]; } - EXPECT_EQ(Bytes(reinterpret_cast(&expected), sizeof(expected)), - Bytes(reinterpret_cast(&val), sizeof(val))); + EXPECT_EQ( + Bytes(reinterpret_cast(&expected), sizeof(expected)), + Bytes(reinterpret_cast(&val), sizeof(val))); } // This is a constant-time function, so it is only necessary to instrument one 
@@ -76,10 +78,12 @@ TEST(P256_NistzTest, SelectW5) { TEST(P256_NistzTest, SelectW7) { // Fill a table with some garbage input. stack_align_type buffer_table[64 + (sizeof(P256_POINT_AFFINE) * 64)]; - P256_POINT_AFFINE *aligned_table = (P256_POINT_AFFINE *) align_pointer(buffer_table, 64); + P256_POINT_AFFINE *aligned_table = + (P256_POINT_AFFINE *)align_pointer(buffer_table, 64); for (size_t i = 0; i < 64; i++) { - OPENSSL_memset(aligned_table[i].X, static_cast(2 * i), sizeof(aligned_table[i].X)); + OPENSSL_memset(aligned_table[i].X, static_cast(2 * i), + sizeof(aligned_table[i].X)); OPENSSL_memset(aligned_table[i].Y, static_cast(2 * i + 1), sizeof(aligned_table[i].Y)); } @@ -92,11 +96,12 @@ TEST(P256_NistzTest, SelectW7) { if (i == 0) { OPENSSL_memset(&expected, 0, sizeof(expected)); } else { - expected = aligned_table[i-1]; + expected = aligned_table[i - 1]; } - EXPECT_EQ(Bytes(reinterpret_cast(&expected), sizeof(expected)), - Bytes(reinterpret_cast(&val), sizeof(val))); + EXPECT_EQ( + Bytes(reinterpret_cast(&expected), sizeof(expected)), + Bytes(reinterpret_cast(&val), sizeof(val))); } // This is a constant-time function, so it is only necessary to instrument one @@ -196,7 +201,7 @@ static bool GetFieldElement(FileTest *t, BN_ULONG out[P256_LIMBS], static std::string FieldElementToString(const BN_ULONG a[P256_LIMBS]) { std::string ret; - for (size_t i = P256_LIMBS-1; i < P256_LIMBS; i--) { + for (size_t i = P256_LIMBS - 1; i < P256_LIMBS; i--) { char buf[2 * BN_BYTES + 1]; snprintf(buf, sizeof(buf), BN_HEX_FMT2, a[i]); ret += buf; 
@@ -230,16 +235,14 @@ static bool PointToAffine(P256_POINT_AFFINE *out, const P256_POINT *in) { bssl::UniquePtr x(BN_new()), y(BN_new()), z(BN_new()); bssl::UniquePtr p(BN_bin2bn(kP, sizeof(kP), nullptr)); - if (!x || !y || !z || !p || - !bn_set_words(x.get(), in->X, P256_LIMBS) || + if (!x || !y || !z || !p || !bn_set_words(x.get(), in->X, P256_LIMBS) || !bn_set_words(y.get(), in->Y, P256_LIMBS) || !bn_set_words(z.get(), in->Z, P256_LIMBS)) { return false; } // Coordinates must be fully-reduced. - if (BN_cmp(x.get(), p.get()) >= 0 || - BN_cmp(y.get(), p.get()) >= 0 || + if (BN_cmp(x.get(), p.get()) >= 0 || BN_cmp(y.get(), p.get()) >= 0 || BN_cmp(z.get(), p.get()) >= 0) { return false; } @@ -493,20 +496,20 @@ static void TestOrdMulMont(FileTest *t) { TEST(P256_NistzTest, TestVectors) { return FileTestGTest("crypto/fipsmodule/ec/p256-nistz_tests.txt", [](FileTest *t) { - if (t->GetParameter() == "Negate") { - TestNegate(t); - } else if (t->GetParameter() == "MulMont") { - TestMulMont(t); - } else if (t->GetParameter() == "FromMont") { - TestFromMont(t); - } else if (t->GetParameter() == "PointAdd") { - TestPointAdd(t); - } else if (t->GetParameter() == "OrdMulMont") { - TestOrdMulMont(t); - } else { - FAIL() << "Unknown test type:" << t->GetParameter(); - } - }); + if (t->GetParameter() == "Negate") { + TestNegate(t); + } else if (t->GetParameter() == "MulMont") { + TestMulMont(t); + } else if (t->GetParameter() == "FromMont") { + TestFromMont(t); + } else if (t->GetParameter() == "PointAdd") { + TestPointAdd(t); + } else if (t->GetParameter() == "OrdMulMont") { + TestOrdMulMont(t); + } else { + FAIL() << "Unknown test type:" << t->GetParameter(); + } + }); } // Instrument the functions covered in TestVectors for ABI checking. 
@@ -570,8 +573,8 @@ TEST(P256_NistzTest, ABI) {
 };
 // This file represents affine infinity as (0, 0).
 static const P256_POINT_AFFINE kInfinityAffine = {
- {TOBN(0, 0), TOBN(0, 0), TOBN(0, 0), TOBN(0, 0)},
- {TOBN(0, 0), TOBN(0, 0), TOBN(0, 0), TOBN(0, 0)},
+ {TOBN(0, 0), TOBN(0, 0), TOBN(0, 0), TOBN(0, 0)},
+ {TOBN(0, 0), TOBN(0, 0), TOBN(0, 0), TOBN(0, 0)},
 };
 CHECK_ABI(ecp_nistz256_point_add_affine, &p, &kA, &kC);
@@ -580,6 +583,7 @@ TEST(P256_NistzTest, ABI) {
 CHECK_ABI(ecp_nistz256_point_add_affine, &p, &kInfinity, &kC);
 }
-#endif /* !defined(OPENSSL_NO_ASM) && !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX) && \
- (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
+#endif /* !defined(OPENSSL_NO_ASM) && \
+ !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX) && \
+ (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
 !defined(OPENSSL_SMALL) && !defined(BORINGSSL_SHARED_LIBRARY) */
diff --git a/crypto/fipsmodule/ec/p256.c b/crypto/fipsmodule/ec/p256.c
index 0082d897a9..f13a0ff63d 100644
--- a/crypto/fipsmodule/ec/p256.c
+++ b/crypto/fipsmodule/ec/p256.c
@@ -153,8 +153,7 @@ static void fiat_p256_inv_square(fiat_p256_felem out,
 fiat_p256_square(out, ret); // 2^256 - 2^224 + 2^192 + 2^96 - 2^2
 }
-static void fiat_p256_point_double(fiat_p256_felem x_out,
- fiat_p256_felem y_out,
+static void fiat_p256_point_double(fiat_p256_felem x_out, fiat_p256_felem y_out,
 fiat_p256_felem z_out,
 const fiat_p256_felem x_in,
 const fiat_p256_felem y_in,
@@ -175,18 +174,19 @@ static void fiat_p256_point_add(fiat_p256_felem x3, fiat_p256_felem y3,
 #include "./p256_table.h"
 DEFINE_METHOD_FUNCTION(ec_nistp_meth, p256_methods) {
- out->felem_num_limbs = FIAT_P256_NLIMBS;
- out->felem_num_bits = 256;
- out->felem_add = fiat_p256_add;
- out->felem_sub = fiat_p256_sub;
- out->felem_mul = fiat_p256_mul;
- out->felem_sqr = fiat_p256_square;
- out->felem_neg = fiat_p256_opp;
- out->felem_nz = fiat_p256_nz;
- out->felem_one = fiat_p256_one;
- out->point_dbl = fiat_p256_point_double;
- out->point_add = fiat_p256_point_add;
- out->scalar_mul_base_table = (const ec_nistp_felem_limb*) fiat_p256_g_pre_comp;
+ out->felem_num_limbs = FIAT_P256_NLIMBS;
+ out->felem_num_bits = 256;
+ out->felem_add = fiat_p256_add;
+ out->felem_sub = fiat_p256_sub;
+ out->felem_mul = fiat_p256_mul;
+ out->felem_sqr = fiat_p256_square;
+ out->felem_neg = fiat_p256_opp;
+ out->felem_nz = fiat_p256_nz;
+ out->felem_one = fiat_p256_one;
+ out->point_dbl = fiat_p256_point_double;
+ out->point_add = fiat_p256_point_add;
+ out->scalar_mul_base_table =
+ (const ec_nistp_felem_limb *)fiat_p256_g_pre_comp;
 }
 // OPENSSL EC_METHOD FUNCTIONS
@@ -261,7 +261,8 @@ static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
 fiat_p256_from_generic(tmp[1], &p->Y);
 fiat_p256_from_generic(tmp[2], &p->Z);
- ec_nistp_scalar_mul(p256_methods(), res[0], res[1], res[2], tmp[0], tmp[1], tmp[2], scalar);
+ ec_nistp_scalar_mul(p256_methods(), res[0], res[1], res[2], tmp[0], tmp[1],
+ tmp[2], scalar);
 fiat_p256_to_generic(&r->X, res[0]);
 fiat_p256_to_generic(&r->Y, res[1]);
@@ -290,7 +291,8 @@ static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group,
 fiat_p256_from_generic(tmp[1], &p->Y);
 fiat_p256_from_generic(tmp[2], &p->Z);
- ec_nistp_scalar_mul_public(p256_methods(), res[0], res[1], res[2], g_scalar, tmp[0], tmp[1], tmp[2], p_scalar);
+ ec_nistp_scalar_mul_public(p256_methods(), res[0], res[1], res[2], g_scalar,
+ tmp[0], tmp[1], tmp[2], p_scalar);
 fiat_p256_to_generic(&r->X, res[0]);
 fiat_p256_to_generic(&r->Y, res[1]);
diff --git a/crypto/fipsmodule/ec/p384.c b/crypto/fipsmodule/ec/p384.c
index ba5d780a79..8d875351dd 100644
--- a/crypto/fipsmodule/ec/p384.c
+++ b/crypto/fipsmodule/ec/p384.c
@@ -13,19 +13,19 @@
 #include "../bn/internal.h"
 #include "../cpucap/internal.h"
 #include "../delocate.h"
-#include "internal.h"
 #include "ec_nistp.h"
+#include "internal.h"
 #if !defined(OPENSSL_SMALL)
 #if defined(EC_NISTP_USE_S2N_BIGNUM)
-# include "../../../third_party/s2n-bignum/include/s2n-bignum_aws-lc.h"
+#include "../../../third_party/s2n-bignum/include/s2n-bignum_aws-lc.h"
+#else
+#if defined(EC_NISTP_USE_64BIT_LIMB)
+#include "../../../third_party/fiat/p384_64.h"
 #else
-# if defined(EC_NISTP_USE_64BIT_LIMB)
-# include "../../../third_party/fiat/p384_64.h"
-# else
-# include "../../../third_party/fiat/p384_32.h"
-# endif
+#include "../../../third_party/fiat/p384_32.h"
+#endif
 #endif
 #if defined(EC_NISTP_USE_64BIT_LIMB)
@@ -48,31 +48,32 @@ static const p384_felem p384_felem_one = {
 #if defined(EC_NISTP_USE_S2N_BIGNUM)
-#define p384_felem_add(out, in0, in1) bignum_add_p384(out, in0, in1)
-#define p384_felem_sub(out, in0, in1) bignum_sub_p384(out, in0, in1)
-#define p384_felem_opp(out, in0) bignum_neg_p384(out, in0)
-#define p384_felem_to_bytes(out, in0) bignum_tolebytes_6(out, in0)
+#define p384_felem_add(out, in0, in1) bignum_add_p384(out, in0, in1)
+#define p384_felem_sub(out, in0, in1) bignum_sub_p384(out, in0, in1)
+#define p384_felem_opp(out, in0) bignum_neg_p384(out, in0)
+#define p384_felem_to_bytes(out, in0) bignum_tolebytes_6(out, in0)
 #define p384_felem_from_bytes(out, in0) bignum_fromlebytes_6(out, in0)
-#define p384_felem_to_mont(out, in0) bignum_tomont_p384_selector(out, in0)
-#define p384_felem_from_mont(out, in0) bignum_deamont_p384_selector(out, in0)
-#define p384_felem_mul(out, in0, in1) bignum_montmul_p384_selector(out, in0, in1)
-#define p384_felem_sqr(out, in0) bignum_montsqr_p384_selector(out, in0)
+#define p384_felem_to_mont(out, in0) bignum_tomont_p384_selector(out, in0)
+#define p384_felem_from_mont(out, in0) bignum_deamont_p384_selector(out, in0)
+#define p384_felem_mul(out, in0, in1) \
+ bignum_montmul_p384_selector(out, in0, in1)
+#define p384_felem_sqr(out, in0) bignum_montsqr_p384_selector(out, in0)
 static p384_limb_t p384_felem_nz(const p384_limb_t in1[P384_NLIMBS]) {
 return bignum_nonzero_6(in1);
 }
-#else // EC_NISTP_USE_S2N_BIGNUM
+#else // EC_NISTP_USE_S2N_BIGNUM
 // Fiat-crypto implementation of field arithmetic
-#define p384_felem_add(out, in0, in1) fiat_p384_add(out, in0, in1)
-#define p384_felem_sub(out, in0, in1) fiat_p384_sub(out, in0, in1)
-#define p384_felem_opp(out, in0) fiat_p384_opp(out, in0)
-#define p384_felem_mul(out, in0, in1) fiat_p384_mul(out, in0, in1)
-#define p384_felem_sqr(out, in0) fiat_p384_square(out, in0)
-#define p384_felem_to_mont(out, in0) fiat_p384_to_montgomery(out, in0)
-#define p384_felem_from_mont(out, in0) fiat_p384_from_montgomery(out, in0)
-#define p384_felem_to_bytes(out, in0) fiat_p384_to_bytes(out, in0)
+#define p384_felem_add(out, in0, in1) fiat_p384_add(out, in0, in1)
+#define p384_felem_sub(out, in0, in1) fiat_p384_sub(out, in0, in1)
+#define p384_felem_opp(out, in0) fiat_p384_opp(out, in0)
+#define p384_felem_mul(out, in0, in1) fiat_p384_mul(out, in0, in1)
+#define p384_felem_sqr(out, in0) fiat_p384_square(out, in0)
+#define p384_felem_to_mont(out, in0) fiat_p384_to_montgomery(out, in0)
+#define p384_felem_from_mont(out, in0) fiat_p384_from_montgomery(out, in0)
+#define p384_felem_to_bytes(out, in0) fiat_p384_to_bytes(out, in0)
 #define p384_felem_from_bytes(out, in0) fiat_p384_from_bytes(out, in0)
 static p384_limb_t p384_felem_nz(const p384_limb_t in1[P384_NLIMBS]) {
@@ -81,7 +82,7 @@ static p384_limb_t p384_felem_nz(const p384_limb_t in1[P384_NLIMBS]) {
 return ret;
 }
-#endif // EC_NISTP_USE_S2N_BIGNUM
+#endif // EC_NISTP_USE_S2N_BIGNUM
 // The wrapper functions are needed for FIPS static build.
 // Otherwise, initializing ec_nistp_meth with pointers to s2n-bignum
@@ -107,7 +108,8 @@ static inline void p384_felem_neg_wrapper(ec_nistp_felem_limb *c,
 static void p384_from_generic(p384_felem out, const EC_FELEM *in) {
 #ifdef OPENSSL_BIG_ENDIAN
 uint8_t tmp[P384_EC_FELEM_BYTES];
- bn_words_to_little_endian(tmp, P384_EC_FELEM_BYTES, in->words, P384_EC_FELEM_WORDS);
+ bn_words_to_little_endian(tmp, P384_EC_FELEM_BYTES, in->words,
+ P384_EC_FELEM_WORDS);
 p384_felem_from_bytes(out, tmp);
 #else
 p384_felem_from_bytes(out, (const uint8_t *)in->words);
@@ -123,7 +125,8 @@ static void p384_to_generic(EC_FELEM *out, const p384_felem in) {
 #ifdef OPENSSL_BIG_ENDIAN
 uint8_t tmp[P384_EC_FELEM_BYTES];
 p384_felem_to_bytes(tmp, in);
- bn_little_endian_to_words(out->words, P384_EC_FELEM_WORDS, tmp, P384_EC_FELEM_BYTES);
+ bn_little_endian_to_words(out->words, P384_EC_FELEM_WORDS, tmp,
+ P384_EC_FELEM_BYTES);
 #else
 p384_felem_to_bytes((uint8_t *)out->words, in);
 #endif
@@ -132,7 +135,8 @@ static void p384_to_generic(EC_FELEM *out, const p384_felem in) {
 static void p384_from_scalar(p384_felem out, const EC_SCALAR *in) {
 #ifdef OPENSSL_BIG_ENDIAN
 uint8_t tmp[P384_EC_FELEM_BYTES];
- bn_words_to_little_endian(tmp, P384_EC_FELEM_BYTES, in->words, P384_EC_FELEM_WORDS);
+ bn_words_to_little_endian(tmp, P384_EC_FELEM_BYTES, in->words,
+ P384_EC_FELEM_WORDS);
 p384_felem_from_bytes(out, tmp);
 #else
 p384_felem_from_bytes(out, (const uint8_t *)in->words);
@@ -149,8 +153,7 @@ static void p384_from_scalar(p384_felem out, const EC_SCALAR *in) {
 // Hexadecimal representation of p − 3:
 // p-3 = ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe
 // ffffffff 00000000 00000000 fffffffc
-static void p384_inv_square(p384_felem out,
- const p384_felem in) {
+static void p384_inv_square(p384_felem out, const p384_felem in) {
 #if defined(EC_NISTP_USE_S2N_BIGNUM)
 ec_nistp_felem_limb in_sqr[P384_NLIMBS];
 p384_felem_sqr(in_sqr, in);
@@ -160,48 +163,49 @@ static void p384_inv_square(p384_felem out,
 // https://briansmith.org/ecc-inversion-addition-chains-01#p384_field_inversion
 // The side comments show the value of the exponent:
 // squaring the element => doubling the exponent
- // multiplying by an element => adding to the exponent the power of that element
+ // multiplying by an element => adding to the exponent the power of that
+ // element
 p384_felem x2, x3, x6, x12, x15, x30, x60, x120;
- p384_felem_sqr(x2, in); // 2^2 - 2^1
+ p384_felem_sqr(x2, in); // 2^2 - 2^1
 p384_felem_mul(x2, x2, in); // 2^2 - 2^0
- p384_felem_sqr(x3, x2); // 2^3 - 2^1
+ p384_felem_sqr(x3, x2); // 2^3 - 2^1
 p384_felem_mul(x3, x3, in); // 2^3 - 2^0
 p384_felem_sqr(x6, x3);
 for (int i = 1; i < 3; i++) {
 p384_felem_sqr(x6, x6);
- } // 2^6 - 2^3
+ } // 2^6 - 2^3
 p384_felem_mul(x6, x6, x3); // 2^6 - 2^0
 p384_felem_sqr(x12, x6);
 for (int i = 1; i < 6; i++) {
 p384_felem_sqr(x12, x12);
- } // 2^12 - 2^6
+ } // 2^12 - 2^6
 p384_felem_mul(x12, x12, x6); // 2^12 - 2^0
 p384_felem_sqr(x15, x12);
 for (int i = 1; i < 3; i++) {
 p384_felem_sqr(x15, x15);
- } // 2^15 - 2^3
+ } // 2^15 - 2^3
 p384_felem_mul(x15, x15, x3); // 2^15 - 2^0
 p384_felem_sqr(x30, x15);
 for (int i = 1; i < 15; i++) {
 p384_felem_sqr(x30, x30);
- } // 2^30 - 2^15
+ } // 2^30 - 2^15
 p384_felem_mul(x30, x30, x15); // 2^30 - 2^0
 p384_felem_sqr(x60, x30);
 for (int i = 1; i < 30; i++) {
 p384_felem_sqr(x60, x60);
- } // 2^60 - 2^30
+ } // 2^60 - 2^30
 p384_felem_mul(x60, x60, x30); // 2^60 - 2^0
 p384_felem_sqr(x120, x60);
 for (int i = 1; i < 60; i++) {
 p384_felem_sqr(x120, x120);
- } // 2^120 - 2^60
+ } // 2^120 - 2^60
 p384_felem_mul(x120, x120, x60); // 2^120 - 2^0
 p384_felem ret;
@@ -209,12 +213,12 @@ static void p384_inv_square(p384_felem out,
 for (int i = 1; i < 120; i++) {
 p384_felem_sqr(ret, ret);
 } // 2^240 - 2^120
- p384_felem_mul(ret, ret, x120); // 2^240 - 2^0
+ p384_felem_mul(ret, ret, x120); // 2^240 - 2^0
 for (int i = 0; i < 15; i++) {
 p384_felem_sqr(ret, ret);
- } // 2^255 - 2^15
- p384_felem_mul(ret, ret, x15); // 2^255 - 2^0
+ } // 2^255 - 2^15
+ p384_felem_mul(ret, ret, x15); // 2^255 - 2^0
 // Why (1 + 30) in the loop?
 // This is as expressed in:
@@ -223,16 +227,17 @@ static void p384_inv_square(p384_felem out,
 // won't add x31 to make all the new bits 1s, as was done in previous steps,
 // but we're going to add x30 so there will be 255 1s, then a 0, then 30 1s
 // to form this pattern:
- // ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe ffffffff
+ // ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe
+ // ffffffff
 // (the last 2 1s are appended in the following step).
 for (int i = 0; i < (1 + 30); i++) {
 p384_felem_sqr(ret, ret);
- } // 2^286 - 2^31
- p384_felem_mul(ret, ret, x30); // 2^286 - 2^30 - 2^0
+ } // 2^286 - 2^31
+ p384_felem_mul(ret, ret, x30); // 2^286 - 2^30 - 2^0
 p384_felem_sqr(ret, ret);
 p384_felem_sqr(ret, ret); // 2^288 - 2^32 - 2^2
- p384_felem_mul(ret, ret, x2); // 2^288 - 2^32 - 2^0
+ p384_felem_mul(ret, ret, x2); // 2^288 - 2^32 - 2^0
 // Why not 94 instead of (64 + 30) in the loop?
 // Similarly to the comment above, there is a shift of 94 bits
@@ -242,20 +247,17 @@ static void p384_inv_square(p384_felem out,
 // (the last 2 0s are appended by the last 2 shifts).
 for (int i = 0; i < (64 + 30); i++) {
 p384_felem_sqr(ret, ret);
- } // 2^382 - 2^126 - 2^94
- p384_felem_mul(ret, ret, x30); // 2^382 - 2^126 - 2^94 + 2^30 - 2^0
+ } // 2^382 - 2^126 - 2^94
+ p384_felem_mul(ret, ret, x30); // 2^382 - 2^126 - 2^94 + 2^30 - 2^0
 p384_felem_sqr(ret, ret);
- p384_felem_sqr(out, ret); // 2^384 - 2^128 - 2^96 + 2^32 - 2^2 = p - 3
+ p384_felem_sqr(out, ret); // 2^384 - 2^128 - 2^96 + 2^32 - 2^2 = p - 3
 #endif
 }
-static void p384_point_double(p384_felem x_out,
- p384_felem y_out,
- p384_felem z_out,
- const p384_felem x_in,
- const p384_felem y_in,
- const p384_felem z_in) {
+static void p384_point_double(p384_felem x_out, p384_felem y_out,
+ p384_felem z_out, const p384_felem x_in,
+ const p384_felem y_in, const p384_felem z_in) {
 #if defined(EC_NISTP_USE_S2N_BIGNUM)
 ec_nistp_felem_limb in[P384_NLIMBS * 3];
 ec_nistp_felem_limb out[P384_NLIMBS * 3];
@@ -277,12 +279,9 @@ static void p384_point_double(p384_felem x_out,
 //
 //
 static void p384_point_add(p384_felem x3, p384_felem y3, p384_felem z3,
- const p384_felem x1,
- const p384_felem y1,
- const p384_felem z1,
- const int mixed,
- const p384_felem x2,
- const p384_felem y2,
+ const p384_felem x1, const p384_felem y1,
+ const p384_felem z1, const int mixed,
+ const p384_felem x2, const p384_felem y2,
 const p384_felem z2) {
 ec_nistp_point_add(p384_methods(), x3, y3, z3, x1, y1, z1, mixed, x2, y2, z2);
 }
@@ -291,33 +290,33 @@ static void p384_point_add(p384_felem x3, p384_felem y3, p384_felem z3,
 #if defined(EC_NISTP_USE_S2N_BIGNUM)
 DEFINE_METHOD_FUNCTION(ec_nistp_meth, p384_methods) {
- out->felem_num_limbs = P384_NLIMBS;
- out->felem_num_bits = 384;
- out->felem_add = p384_felem_add_wrapper;
- out->felem_sub = p384_felem_sub_wrapper;
- out->felem_mul = bignum_montmul_p384_selector;
- out->felem_sqr = bignum_montsqr_p384_selector;
- out->felem_neg = p384_felem_neg_wrapper;
- out->felem_nz = p384_felem_nz;
- out->felem_one = p384_felem_one;
- out->point_dbl = p384_point_double;
- out->point_add = p384_point_add;
- out->scalar_mul_base_table = (const ec_nistp_felem_limb*) p384_g_pre_comp;
+ out->felem_num_limbs = P384_NLIMBS;
+ out->felem_num_bits = 384;
+ out->felem_add = p384_felem_add_wrapper;
+ out->felem_sub = p384_felem_sub_wrapper;
+ out->felem_mul = bignum_montmul_p384_selector;
+ out->felem_sqr = bignum_montsqr_p384_selector;
+ out->felem_neg = p384_felem_neg_wrapper;
+ out->felem_nz = p384_felem_nz;
+ out->felem_one = p384_felem_one;
+ out->point_dbl = p384_point_double;
+ out->point_add = p384_point_add;
+ out->scalar_mul_base_table = (const ec_nistp_felem_limb *)p384_g_pre_comp;
 }
 #else
 DEFINE_METHOD_FUNCTION(ec_nistp_meth, p384_methods) {
- out->felem_num_limbs = P384_NLIMBS;
- out->felem_num_bits = 384;
- out->felem_add = fiat_p384_add;
- out->felem_sub = fiat_p384_sub;
- out->felem_mul = fiat_p384_mul;
- out->felem_sqr = fiat_p384_square;
- out->felem_neg = fiat_p384_opp;
- out->felem_nz = p384_felem_nz;
- out->felem_one = p384_felem_one;
- out->point_dbl = p384_point_double;
- out->point_add = p384_point_add;
- out->scalar_mul_base_table = (const ec_nistp_felem_limb*) p384_g_pre_comp;
+ out->felem_num_limbs = P384_NLIMBS;
+ out->felem_num_bits = 384;
+ out->felem_add = fiat_p384_add;
+ out->felem_sub = fiat_p384_sub;
+ out->felem_mul = fiat_p384_mul;
+ out->felem_sqr = fiat_p384_square;
+ out->felem_neg = fiat_p384_opp;
+ out->felem_nz = p384_felem_nz;
+ out->felem_one = p384_felem_one;
+ out->point_dbl = p384_point_double;
+ out->point_add = p384_point_add;
+ out->scalar_mul_base_table = (const ec_nistp_felem_limb *)p384_g_pre_comp;
 }
 #endif
@@ -326,9 +325,8 @@ DEFINE_METHOD_FUNCTION(ec_nistp_meth, p384_methods) {
 // Takes the Jacobian coordinates (X, Y, Z) of a point and returns:
 // (X', Y') = (X/Z^2, Y/Z^3).
 static int ec_GFp_nistp384_point_get_affine_coordinates(
- const EC_GROUP *group, const EC_JACOBIAN *point,
- EC_FELEM *x_out, EC_FELEM *y_out) {
-
+ const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x_out,
+ EC_FELEM *y_out) {
 if (constant_time_declassify_w(ec_GFp_simple_is_at_infinity(group, point))) {
 OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
 return 0;
@@ -348,9 +346,9 @@ static int ec_GFp_nistp384_point_get_affine_coordinates(
 if (y_out != NULL) {
 p384_felem y;
 p384_from_generic(y, &point->Y);
- p384_felem_sqr(z2, z2); // z^-4
- p384_felem_mul(y, y, z1); // y * z
- p384_felem_mul(y, y, z2); // y * z^-3
+ p384_felem_sqr(z2, z2); // z^-4
+ p384_felem_mul(y, y, z1); // y * z
+ p384_felem_mul(y, y, z2); // y * z^-3
 p384_to_generic(y_out, y);
 }
@@ -387,9 +385,9 @@ static void ec_GFp_nistp384_dbl(const EC_GROUP *group, EC_JACOBIAN *r,
 // The calls to from/to_generic are needed for the case
 // when BORINGSSL_HAS_UINT128 is undefined, i.e. p384_32.h fiat code is used;
 // while OPENSSL_64_BIT is defined, i.e. BN_ULONG is uint64_t
-static void ec_GFp_nistp384_mont_felem_to_bytes(
- const EC_GROUP *group, uint8_t *out, size_t *out_len, const EC_FELEM *in) {
-
+static void ec_GFp_nistp384_mont_felem_to_bytes(const EC_GROUP *group,
+ uint8_t *out, size_t *out_len,
+ const EC_FELEM *in) {
 size_t len = BN_num_bytes(&group->field.N);
 EC_FELEM felem_tmp;
 p384_felem tmp;
@@ -402,9 +400,10 @@ static void ec_GFp_nistp384_mont_felem_to_bytes(
 *out_len = len;
 }
-static int ec_GFp_nistp384_mont_felem_from_bytes(
- const EC_GROUP *group, EC_FELEM *out, const uint8_t *in, size_t len) {
-
+static int ec_GFp_nistp384_mont_felem_from_bytes(const EC_GROUP *group,
+ EC_FELEM *out,
+ const uint8_t *in,
+ size_t len) {
 EC_FELEM felem_tmp;
 p384_felem tmp;
 // This function calls bn_cmp_words_consttime
@@ -468,7 +467,6 @@ static int ec_GFp_nistp384_cmp_x_coordinate(const EC_GROUP *group,
 static void ec_GFp_nistp384_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
 const EC_JACOBIAN *p,
 const EC_SCALAR *scalar) {
-
 p384_felem res[3] = {{0}, {0}, {0}}, tmp[3] = {{0}, {0}, {0}};
 p384_from_generic(tmp[0], &p->X);
@@ -476,9 +474,10 @@ static void ec_GFp_nistp384_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
 p384_from_generic(tmp[2], &p->Z);
 #if defined(EC_NISTP_USE_S2N_BIGNUM)
- p384_montjscalarmul_selector((uint64_t*)res, scalar->words, (uint64_t*)tmp);
+ p384_montjscalarmul_selector((uint64_t *)res, scalar->words, (uint64_t *)tmp);
 #else
- ec_nistp_scalar_mul(p384_methods(), res[0], res[1], res[2], tmp[0], tmp[1], tmp[2], scalar);
+ ec_nistp_scalar_mul(p384_methods(), res[0], res[1], res[2], tmp[0], tmp[1],
+ tmp[2], scalar);
 #endif
 p384_to_generic(&r->X, res[0]);
@@ -507,14 +506,14 @@ static void ec_GFp_nistp384_point_mul_public(const EC_GROUP *group,
 const EC_SCALAR *g_scalar,
 const EC_JACOBIAN *p,
 const EC_SCALAR *p_scalar) {
-
 p384_felem res[3] = {{0}, {0}, {0}}, tmp[3] = {{0}, {0}, {0}};
 p384_from_generic(tmp[0], &p->X);
 p384_from_generic(tmp[1], &p->Y);
 p384_from_generic(tmp[2], &p->Z);
- ec_nistp_scalar_mul_public(p384_methods(), res[0], res[1], res[2], g_scalar, tmp[0], tmp[1], tmp[2], p_scalar);
+ ec_nistp_scalar_mul_public(p384_methods(), res[0], res[1], res[2], g_scalar,
+ tmp[0], tmp[1], tmp[2], p_scalar);
 p384_to_generic(&r->X, res[0]);
 p384_to_generic(&r->Y, res[1]);
@@ -525,22 +524,23 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp384_method) {
 out->point_get_affine_coordinates =
 ec_GFp_nistp384_point_get_affine_coordinates;
 out->jacobian_to_affine_batch =
- ec_GFp_mont_jacobian_to_affine_batch; // needed for TrustToken tests
+ ec_GFp_mont_jacobian_to_affine_batch; // needed for TrustToken tests
 out->add = ec_GFp_nistp384_add;
 out->dbl = ec_GFp_nistp384_dbl;
 out->mul = ec_GFp_nistp384_point_mul;
 out->mul_base = ec_GFp_nistp384_point_mul_base;
 out->mul_public = ec_GFp_nistp384_point_mul_public;
- out->mul_batch = ec_GFp_mont_mul_batch; // needed for TrustToken tests
+ out->mul_batch = ec_GFp_mont_mul_batch; // needed for TrustToken tests
 out->mul_public_batch = ec_GFp_mont_mul_public_batch;
- out->init_precomp = ec_GFp_mont_init_precomp; // needed for TrustToken tests
- out->mul_precomp = ec_GFp_mont_mul_precomp; // needed for TrustToken tests
+ out->init_precomp = ec_GFp_mont_init_precomp; // needed for TrustToken tests
+ out->mul_precomp = ec_GFp_mont_mul_precomp; // needed for TrustToken tests
 out->felem_mul = ec_GFp_mont_felem_mul;
 out->felem_sqr = ec_GFp_mont_felem_sqr;
 out->felem_to_bytes = ec_GFp_nistp384_mont_felem_to_bytes;
 out->felem_from_bytes = ec_GFp_nistp384_mont_felem_from_bytes;
- out->felem_reduce = ec_GFp_mont_felem_reduce; // needed for ECTest.HashToCurve
- out->felem_exp = ec_GFp_mont_felem_exp; // needed for ECTest.HashToCurve
+ out->felem_reduce =
+ ec_GFp_mont_felem_reduce; // needed for ECTest.HashToCurve
+ out->felem_exp = ec_GFp_mont_felem_exp; // needed for ECTest.HashToCurve
 out->scalar_inv0_montgomery = ec_simple_scalar_inv0_montgomery;
 out->scalar_to_montgomery_inv_vartime =
 ec_simple_scalar_to_montgomery_inv_vartime;
@@ -552,8 +552,8 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp384_method) {
 // p384_felem_mul_scalar_rwnaf()
 // ----------------------------------------------------------------------------
 //
-// The JT scalar recoding is Algorithm 6: (Odd) Signed-Digit Recoding Algorithm in
-// Joye, Tunstall, "Exponent Recoding and Regular Exponentiation Algorithms",
+// The JT scalar recoding is Algorithm 6: (Odd) Signed-Digit Recoding Algorithm
+// in Joye, Tunstall, "Exponent Recoding and Regular Exponentiation Algorithms",
 // AfricaCrypt 2009, available from
 // https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.477.1245&rep=rep1&type=pdf
 //
@@ -776,12 +776,15 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp384_method) {
 // from array import *
 //
 // # P-384 group order
-// n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973
+// n =
+// 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973
 //
 // # k value that causes a doubling case in left-to-right reconstruction
-// k = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc5294d
+// k =
+// 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc5294d
 // # k value that causes a doubling case in right-to-left reconstruction
-// k_r2l = 0xe00000000000000000000000000000000000000000000000389cb27e0bc8d220a7e5f24db74f58851313e695333ad68d
+// k_r2l =
+// 0xe00000000000000000000000000000000000000000000000389cb27e0bc8d220a7e5f24db74f58851313e695333ad68d
 //
 //
 // def recode(k, w):
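Review bot: The embedded Python script in this comment block no longer parses after the reflow at `// n =` / `// 0xFFFF…52973`: the formatter split the assignments of `n`, `k` and `k_r2l` over two comment lines, and in Python an assignment with nothing after `=` on the line is a syntax error, so the snippet that the later "Output:" section presents as the source of the recoding digits can no longer be copied out and run. The long hex literals are what pushed these lines past the column limit, so clang-format will keep splitting them on every run unless the region is excluded. I'd wrap the script comment in `// clang-format off` … `// clang-format on` and restore `// n = 0xFFFF…52973` on one line, likewise for `k` and `k_r2l`. The comment block starts before this hunk and continues past it.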
@@ -864,19 +867,33 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp384_method) {
 // '''
 // Output:
 // -------
-// k = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc5294d
+// k =
+// 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc5294d
 // Digits of the recoded scalar:
-// -0x13, -0x15, -0x15, -0x15, -0x13, 0x7, 0xb, 0xd, -0x7, 0x1, 0x1b, -0x7, 0xf, 0x1d, -0x3, -0xb, 0x11, -0x1b, -0xd, 0x5, -0x5, -0x19, 0x9, -0x1d, -0x7, 0x1b, 0x17, -0x5, 0x13, -0x5, -0xf, 0x1f, -0x1f, 0xd, -0xd, -0x19, 0x17, 0x3, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0xf,
+// -0x13, -0x15, -0x15, -0x15, -0x13, 0x7, 0xb, 0xd, -0x7, 0x1, 0x1b, -0x7, 0xf,
+// 0x1d, -0x3, -0xb, 0x11, -0x1b, -0xd, 0x5, -0x5, -0x19, 0x9, -0x1d, -0x7,
+// 0x1b, 0x17, -0x5, 0x13, -0x5, -0xf, 0x1f, -0x1f, 0xd, -0xd, -0x19, 0x17, 0x3,
+// 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f,
+// 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f,
+// 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0xf,
 // L2R Doubling case:
 // i = 0 digit = -0x13
-// a = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52960
+// a =
+// 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52960
 //
-// k = 0xe00000000000000000000000000000000000000000000000389cb27e0bc8d220a7e5f24db74f58851313e695333ad68d
+// k =
+// 0xe00000000000000000000000000000000000000000000000389cb27e0bc8d220a7e5f24db74f58851313e695333ad68d
 // Digits of the recoded scalar:
-// -0x13, 0x15, 0x15, 0x15, 0x13, -0x7, -0xb, -0xd, 0x7, -0x1, -0x1b, 0x7, -0xf, -0x1d, 0x3, 0xb, -0x11, 0x1b, 0xd, -0x5, 0x5, 0x19, -0x9, 0x1d, 0x7, -0x1b, -0x17, 0x5, -0x13, 0x5, 0xf, -0x1f, 0x1f, -0xd, 0xd, 0x19, -0x17, -0x3, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, 0xf,
-// R2L Doubling case:
+// -0x13, 0x15, 0x15, 0x15, 0x13, -0x7, -0xb, -0xd, 0x7, -0x1, -0x1b, 0x7, -0xf,
+// -0x1d, 0x3, 0xb, -0x11, 0x1b, 0xd, -0x5, 0x5, 0x19, -0x9, 0x1d, 0x7, -0x1b,
+// -0x17, 0x5, -0x13, 0x5, 0xf, -0x1f, 0x1f, -0xd, 0xd, 0x19, -0x17, -0x3,
+// -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f,
+// -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f,
+// -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, -0x1f,
+// -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, 0xf, R2L Doubling case:
 // i = 76 digit = 0xf
-// a = -0xfffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
+// a =
+// -0xfffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
 // '''
 //
-#endif // !defined(OPENSSL_SMALL)
+#endif // !defined(OPENSSL_SMALL)
diff --git a/crypto/fipsmodule/ec/p384_table.h b/crypto/fipsmodule/ec/p384_table.h
index 91a1396059..092f281d68 100644
--- a/crypto/fipsmodule/ec/p384_table.h
+++ b/crypto/fipsmodule/ec/p384_table.h
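Review bot: The reflow of the R2L digit list swallowed the heading that followed it, so the new last digit line reads `// -0x1f, -0x1f, -0x1f, -0x1f, -0x1f, 0xf, R2L Doubling case:` and the "R2L Doubling case:" label that introduced the `i = 76 digit = 0xf` example is now indistinguishable from the quoted script output; the `k =` and `a =` lines in the same "Output:" block were likewise split over two comment lines, which alters quoted program output rather than prose. These edits were produced mechanically and will recur on the next formatter run unless the region is excluded. I'd put `// R2L Doubling case:` back on its own line and protect the whole quoted-script comment with `// clang-format off` / `// clang-format on`. The comment block starts before this hunk.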
@@ -1372,7 +1372,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x7c8906a4, 0xa39c8931, 0x9e821ee6, 0xb6e7ecdd, 0xf0df4fe6, 0x2ecf8340, 0x53c14965, 0xd42f7dc9, 0xe3ba8285, 0x1afb51a3, 0x0a3305d1, 0x6c07c404}, {0x127fc1da, 0xdab83288, 0x374c4b08, 0xbc0a699b, 0x42eb20dd, 0x402a9bab, - 0x045a7a1c, 0xd7dd464f, 0x36beecc4, 0x5b3d0d6d, 0x6398a19d, 0x475a3e75}}}, + 0x045a7a1c, 0xd7dd464f, 0x36beecc4, 0x5b3d0d6d, 0x6398a19d, + 0x475a3e75}}}, {{{0x72876ae8, 0x31bdb483, 0x961ed1bf, 0xe3325d98, 0x9b6fc64d, 0x18c04246, 0x15786b8c, 0x0dcc15fa, 0x8e63da4a, 0x81acdb06, 0xdada70fb, 0xd3a4b643}, {0xdea424eb, 0x46361afe, 0x89b92970, 0xdc2d2cae, 0x615694e6, 0xf389b61b, @@ -1436,7 +1437,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0xd66c1a59, 0xb2d986f6, 0x78e0e423, 0x927deb16, 0x49c3dedc, 0x9e673cde, 0xf7ecb6cf, 0xfa362d84, 0x1ba17340, 0x078e5f40, 0x1f4e489c, 0x934ca5d1}, {0x64eef493, 0xc03c0731, 0xd7931a7e, 0x631a353b, 0x65dd74f1, 0x8e7cc3bb, - 0x702676a5, 0xd55864c5, 0x439f04bd, 0x6d306ac4, 0x2bafed57, 0x58544f67}}}, + 0x702676a5, 0xd55864c5, 0x439f04bd, 0x6d306ac4, 0x2bafed57, + 0x58544f67}}}, {{{0xec074aea, 0xb083ba6a, 0x7f0b505b, 0x46fac5ef, 0xfc82dc03, 0x95367a21, 0x9d3679d8, 0x227be26a, 0x7e9724c0, 0xc70f6d6c, 0xf9ebec0f, 0xcd68c757}, {0x8ff321b2, 0x29dde03e, 0x031939dc, 0xf84ad7bb, 0x0f602f4b, 0xdaf590c9, 
@@ -1500,7 +1502,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0xa110d331, 0x75db5723, 0x7123d89f, 0x67c66f6a, 0x4009d570, 0x27abbd4b, 0xc73451bc, 0xacda6f84, 0x05575acf, 0xe4b9a239, 0xab2d3d6c, 0x3c2db7ef}, {0x29115145, 0x01ccdd08, 0x57b5814a, 0x9e0602fe, 0x87862838, 0x679b35c2, - 0x38ad598d, 0x0277dc4c, 0x6d896dd4, 0xef80a213, 0xe7b9047b, 0xc8812213}}}, + 0x38ad598d, 0x0277dc4c, 0x6d896dd4, 0xef80a213, 0xe7b9047b, + 0xc8812213}}}, {{{0xedc9ce62, 0xac6dbdf6, 0x0f9c006e, 0xa58f5b44, 0xdc28e1b0, 0x16694de3, 0xa6647711, 0x2d039cf2, 0xc5b08b4b, 0xa13bbe6f, 0x10ebd8ce, 0xe44da930}, {0x19649a16, 0xcd472087, 0x683e5df1, 0xe18f4e44, 0x929bfa28, 0xb3f66303, @@ -1564,7 +1567,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0xfddd17f3, 0xe4d9bc94, 0xc1016c20, 0xc74b8fed, 0xb49c060e, 0x095de39b, 0x8ac0df00, 0xdbcc6795, 0x1c34f4df, 0x4cf6baeb, 0xe8390170, 0x72c55c21}, {0xf6c48e79, 0x4f17bfd2, 0x017a80ba, 0x18bf4da0, 0xbcf4b138, 0xcf51d829, - 0xf48f8b0d, 0x598aee5f, 0x20f10809, 0x83faee56, 0x779f0850, 0x4615d4dc}}}, + 0xf48f8b0d, 0x598aee5f, 0x20f10809, 0x83faee56, 0x779f0850, + 0x4615d4dc}}}, {{{0x5852b59b, 0x22313dee, 0xb6a0b37f, 0x6f56c8e8, 0xa76ec380, 0x43d6eeae, 0x0275ad36, 0xa1655136, 0xdf095bda, 0xe5c1b65a, 0x367c44b0, 0xbd1ffa8d}, {0x6b48af2b, 0xe2b419c2, 0x3da194c8, 0x57bbbd97, 0xa2baff05, 0xb5fbe51f, 
@@ -1628,7 +1632,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x53e3494b, 0x6b97a2bf, 0x70f7a13e, 0xa8aa05c5, 0xf1305b51, 0x209709c2, 0xdab76f2c, 0x57b31888, 0xaa2a406a, 0x75b2ecd7, 0xa35374a4, 0x88801a00}, {0x45c0471b, 0xe1458d1c, 0x322c1ab0, 0x5760e306, 0xad6ab0a6, 0x789a0af1, - 0xf458b9ce, 0x74398de1, 0x32e0c65f, 0x1652ff9f, 0xfffb3a52, 0xfaf1f9d5}}}, + 0xf458b9ce, 0x74398de1, 0x32e0c65f, 0x1652ff9f, 0xfffb3a52, + 0xfaf1f9d5}}}, {{{0xd1d1b007, 0xa05c751c, 0x0213e478, 0x016c213b, 0xf4c98fee, 0x9c56e26c, 0xe7b3a7c7, 0x6084f8b9, 0xdecc1646, 0xa0b042f6, 0xfbf3a0bc, 0x4a6f3c1a}, {0x51c9f909, 0x94524c2c, 0x3a6d3748, 0xf3b3ad40, 0x7ce1f9f5, 0x18792d6e, @@ -1692,7 +1697,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x276ac5f3, 0x73c0e4ff, 0xbdb97ea1, 0xe7ba5a6a, 0xc5808398, 0x638ca54e, 0x413855e5, 0x8258dc82, 0x57f07614, 0x35ddd2e9, 0x1dc13bf9, 0xf98dd692}, {0xf16dcd84, 0x3a4c0088, 0x833d83f9, 0xf192eadd, 0xa6d61d29, 0x3c26c931, - 0xde0ad7a1, 0x589fdd52, 0x0442d37f, 0x7cd83dd2, 0x403ecbfc, 0x1e47e777}}}, + 0xde0ad7a1, 0x589fdd52, 0x0442d37f, 0x7cd83dd2, 0x403ecbfc, + 0x1e47e777}}}, {{{0x70d4d7bc, 0x2af8ed81, 0xb632435c, 0xabc3e15f, 0x78219356, 0x4c0e726f, 0xb87254c4, 0x8c1962a1, 0xc9e7691a, 0x30796a71, 0xa75a12ee, 0xd453ef19}, {0x13ae4964, 0x535f42c2, 0x0da9586a, 0x86831c3c, 0xe39a7a58, 0xb7f1ef35, 
@@ -1756,7 +1762,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0xb9cfe6bf, 0xd1f2d6b8, 0x00073f6f, 0x6358810b, 0xd712106e, 0x5fce5993, 0x1c024c91, 0x5ee6b271, 0x453db663, 0xd0248ff5, 0xadb835e8, 0xd6d81cb2}, {0xfdfcb4c7, 0x8696cfec, 0x53bc9045, 0x696b7fcb, 0xdda56981, 0xab4d3807, - 0x1e4b943b, 0x2f998052, 0x166b7f18, 0x8aa76adb, 0x52a2d7ed, 0x63934301}}}, + 0x1e4b943b, 0x2f998052, 0x166b7f18, 0x8aa76adb, 0x52a2d7ed, + 0x63934301}}}, {{{0xa368eff6, 0xbbccce39, 0x8ceb5c43, 0xd8caabdf, 0xd2252fda, 0x9eae35a5, 0x54e7dd49, 0xa8f4f209, 0x295100fd, 0xa56d72a6, 0x56767727, 0x20fc1fe8}, {0x0bbaa5ab, 0xbf60b248, 0x313911f2, 0xa4f3ce5a, 0xb93dab9c, 0xc2a67ad4, @@ -1820,7 +1827,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x71e15bb3, 0xd53b592d, 0x8820e0d0, 0x1f03c0e9, 0x3cccb726, 0xce93947d, 0x1d547590, 0x2790fee0, 0xc59cdd7a, 0x4401d847, 0xa926dd9d, 0x72d69120}, {0x4229f289, 0x38b8f21d, 0x7fe978af, 0x9f412e40, 0xcdb59af1, 0xae07901b, - 0xd1d4715e, 0x1e6be5eb, 0x18c96bef, 0x3715bd8b, 0xe11b3798, 0x4b71f6e6}}}, + 0xd1d4715e, 0x1e6be5eb, 0x18c96bef, 0x3715bd8b, 0xe11b3798, + 0x4b71f6e6}}}, {{{0xf0ce2df4, 0x11a8fde5, 0xfa8d26df, 0xbc70ca3e, 0xc74dfe82, 0x6818c275, 0x38373a50, 0x2b0294ac, 0xe8e5f88f, 0x584c4061, 0x7342383a, 0x1c05c1ca}, {0x911430ec, 0x263895b3, 0xa5171453, 0xef9b0032, 0x84da7f0c, 0x144359da, 
@@ -1884,7 +1892,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x9d76ddc7, 0x90a5e871, 0xedfc8e2e, 0x39dc8fae, 0x5b079c62, 0x98467a23, 0x05450c98, 0xe25e3785, 0x96140083, 0x2fe23a4d, 0xe9900312, 0x65ce3b9a}, {0x6b72b5d9, 0x1d87d088, 0xfd9afc82, 0x72f53220, 0x9e1f71fa, 0xc63c7c15, - 0x8d449637, 0x90df26ea, 0xc1c2b215, 0x97089f40, 0x42317faa, 0x83af2664}}}, + 0x8d449637, 0x90df26ea, 0xc1c2b215, 0x97089f40, 0x42317faa, + 0x83af2664}}}, {{{0x8d688e31, 0xfa2db51a, 0xa09c88d4, 0x225b696c, 0x6059171f, 0x9f88af1d, 0x782a0993, 0x1c5fea5e, 0x4ec710d3, 0xe0fb1588, 0xd32ce365, 0xfaf372e5}, {0x26506f45, 0xd9f896ab, 0x8373c724, 0x8d350338, 0xca6e7342, 0x1b76992d, @@ -1948,7 +1957,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0xf960b41b, 0x315ccc01, 0x1d99e722, 0x90b417c9, 0x013463e0, 0x84afaa0d, 0x13e6d9e1, 0xf133c5d8, 0x525b7430, 0xd95c6adc, 0x7a25106a, 0x082c61ad}, {0xba1ce179, 0xabc1966d, 0xa5db529a, 0xe0578b77, 0xec84107d, 0x10988c05, - 0x1b207f83, 0xfcade5d7, 0xc5ba83db, 0x0beb6fdb, 0x57537e34, 0x1c39b86d}}}, + 0x1b207f83, 0xfcade5d7, 0xc5ba83db, 0x0beb6fdb, 0x57537e34, + 0x1c39b86d}}}, {{{0x2a7aeced, 0x5b0b5d69, 0x01dc545f, 0x4c03450c, 0x404a3458, 0x72ad0a4a, 0x9f467b60, 0x1de8e255, 0x90634809, 0xa4b35705, 0x706f0178, 0x76f30205}, {0x4454f0e5, 0x588d21ab, 0x64134928, 0xd22df549, 0x241bcd90, 0xf4e7e73d, 
@@ -2012,7 +2022,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0xfa2a21c2, 0x5c8afcf9, 0x1928d133, 0x71cbf282, 0x42b29506, 0x56bef28e, 0x70323de2, 0xafba250c, 0x7ded2c30, 0x3fe208d1, 0xce9aa598, 0xbd2cd213}, {0xcfeed070, 0x52c5ec52, 0xd3da336b, 0x0a7223e7, 0xce156b46, 0x7156a4ed, - 0xed7e6159, 0x9af6c499, 0x13c029ad, 0x9d7a6797, 0x9018dc77, 0xe5b5c924}}}, + 0xed7e6159, 0x9af6c499, 0x13c029ad, 0x9d7a6797, 0x9018dc77, + 0xe5b5c924}}}, {{{0xde1e4e55, 0x3f2eff53, 0xe4d3ecc4, 0x6b749943, 0x0dde190d, 0xaf10b18a, 0xa26b0409, 0xf491b98d, 0xa2b1d944, 0x66080782, 0x97e8c541, 0x59277dc6}, {0x006f18aa, 0xfdbfc5f6, 0xfadd8be1, 0x435d165b, 0x57645ef4, 0x8e5d2638, @@ -2076,7 +2087,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x7be1f89e, 0x33b9f2de, 0x299b15c9, 0xd4e80821, 0x0e13f37f, 0x87a3067a, 0x55fd239f, 0x6d4c09ed, 0x92ef014f, 0x48b1042d, 0xb385a759, 0xa382b2e0}, {0x7f6f84f8, 0xbf571bb0, 0x0ce87f50, 0x25affa37, 0xfe54f1bc, 0x826906d3, - 0xc53ae76a, 0x6b0421f4, 0x4855eb3c, 0x44f85a3a, 0x8d1f2b27, 0xf49e2151}}}, + 0xc53ae76a, 0x6b0421f4, 0x4855eb3c, 0x44f85a3a, 0x8d1f2b27, + 0xf49e2151}}}, {{{0x5e3c647b, 0xc0426b77, 0x8cf05348, 0xbfcbd939, 0x172c0d3d, 0x31d312e3, 0xee754737, 0x5f49fde6, 0x6da7ee61, 0x895530f0, 0xe8b3a5fb, 0xcf281b0a}, {0x41b8a543, 0xfd149735, 0x3080dd30, 0x41a625a7, 0x653908cf, 0xe2baae07, 
@@ -2140,7 +2152,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x87b0526c, 0xb04659dd, 0x2307565e, 0x593c604a, 0x7c630ab8, 0x49e52225, 0xdce9cd23, 0x24c1d0c6, 0x85177079, 0x6fdb241c, 0xf250c351, 0x5f521d19}, {0xa6fb61df, 0xfb56134b, 0xd75c07ed, 0xa4e70d69, 0x7d8825a8, 0xb7a82448, - 0xdd64bbcc, 0xa3aea7d4, 0x8692f539, 0xd53e6e6c, 0xf7aa4bc0, 0x8ddda83b}}}, + 0xdd64bbcc, 0xa3aea7d4, 0x8692f539, 0xd53e6e6c, 0xf7aa4bc0, + 0x8ddda83b}}}, {{{0xdd93d50a, 0x140a0f9f, 0x83b7abac, 0x4799ffde, 0x04a1f742, 0x78ff7c23, 0x195ba34e, 0xc0568f51, 0x3b7f78b4, 0xe9718360, 0xf9efaa53, 0x9cfd1ff1}, {0xbb06022e, 0xe924d2c5, 0xfaa2af6d, 0x9987fa86, 0x6ee37e0f, 0x4b12e73f, @@ -2204,7 +2217,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x03112816, 0xd0f4e248, 0xccbe9e16, 0xfcad9ddb, 0x5ae01ea0, 0x177999bf, 0xce832dce, 0xd20c78b9, 0x50c8c646, 0x3cc694fb, 0xc93d4887, 0x24d75968}, {0x87bc08af, 0x9f06366a, 0x7fd0df2a, 0x59fab50e, 0x6c4cc234, 0x5ffcc7f7, - 0x65f52d86, 0x87198dd7, 0xa855df04, 0x5b9c94b0, 0x8a067ad7, 0xd8ba6c73}}}, + 0x65f52d86, 0x87198dd7, 0xa855df04, 0x5b9c94b0, 0x8a067ad7, + 0xd8ba6c73}}}, {{{0x1c4c9d90, 0x9e9af315, 0xd12e0a89, 0x8665c5a9, 0x58286493, 0x204abd92, 0xb2e09205, 0x79959889, 0xfe56b101, 0x0c727a3d, 0x8b657f26, 0xf366244c}, {0xcca65be2, 0xde35d954, 0xb0fd41ce, 0x52ee1230, 0x36019fee, 0xfa03261f, 
@@ -2268,7 +2282,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x2be579cc, 0xd6524685, 0xc456fded, 0x849316f1, 0x2d1b67da, 0xc51b7da4, 0x41bc6d6a, 0xc25b539e, 0xa9bf8bed, 0xe3b7cca3, 0x045c15e4, 0x813ef18c}, {0x697982c4, 0x5f3789a1, 0x8c435566, 0x4c125369, 0xdc0a92c6, 0x00a7ae6e, - 0x2f64a053, 0x1abc929b, 0x38666b44, 0xf4925c4c, 0x0f3de7f6, 0xa81044b0}}}, + 0x2f64a053, 0x1abc929b, 0x38666b44, 0xf4925c4c, 0x0f3de7f6, + 0xa81044b0}}}, {{{0xc2ec3731, 0xbcc88422, 0x10dc4ec2, 0x78a3e4d4, 0x2571d6b1, 0x745da1ef, 0x739a956e, 0xf01c2921, 0xe4bffc16, 0xeffd8065, 0xf36fe72c, 0x6efe62a1}, {0x0f4629a4, 0xf49e90d2, 0x8ce646f4, 0xadd1dcc7, 0xb7240d91, 0xcb78b583, @@ -2332,7 +2347,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x3cd98610, 0x72cd7d55, 0x74504adf, 0xc3d560b0, 0xcebb5d5d, 0x23f0a982, 0xb839ddb8, 0x1431c15b, 0xceb72207, 0x7e207cd8, 0xe7efb28d, 0x28e0a848}, {0x1bd96f6e, 0xd22561fe, 0x62a8236b, 0x04812c18, 0x975491fa, 0xa0bf2334, - 0x435df87f, 0x294f42a6, 0xa5d6f4f6, 0x2772b783, 0x2724f853, 0x348f92ed}}}, + 0x435df87f, 0x294f42a6, 0xa5d6f4f6, 0x2772b783, 0x2724f853, + 0x348f92ed}}}, {{{0x1a42e5e7, 0xc20fb911, 0x81d12863, 0x075a678b, 0x5cc0aa89, 0x12bcbc6a, 0x4fb9f01e, 0x5279c6ab, 0x11ae1b89, 0xbc8e1789, 0xc290003c, 0xae74a706}, {0x79df3f45, 0x9949d6ec, 0x96c8d37f, 0xba18e262, 0xdd2275bf, 0x68de6ee2, 
@@ -2396,7 +2412,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x74aab4b1, 0x788caa52, 0x2feafc7e, 0xeb84aba1, 0xac04ff77, 0x31da71da, 0x24e4d0bf, 0x39d12eb9, 0x87a34ef8, 0x4f2f292f, 0xa237a8ed, 0x9b324372}, {0x2ee3a82d, 0xbb2d04b1, 0xd18d36b2, 0xed4ff367, 0xa6ea0138, 0x99d231ee, - 0x4f92e04a, 0x7c2d4f06, 0xca272fd0, 0x78a82ab2, 0xab8cdc32, 0x7ec41340}}}, + 0x4f92e04a, 0x7c2d4f06, 0xca272fd0, 0x78a82ab2, 0xab8cdc32, + 0x7ec41340}}}, {{{0xd2e15a8c, 0xd23658c8, 0x16ba28ca, 0x23f93df7, 0x082210f1, 0x6dab10ec, 0xbfc36490, 0xfb1add91, 0x9a4f2d14, 0xeda8b02f, 0x56560443, 0x9060318c}, {0x64711ab2, 0x6c01479e, 0xe337eb85, 0x41446fc7, 0x71888397, 0x4dcf3c1d, @@ -2460,7 +2477,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x8f04b4d2, 0x160bc7a1, 0xb10de174, 0x79ca81dd, 0x2da1e9c7, 0xe2a280b0, 0x1d6a0a29, 0xb4f6bd99, 0x1c5b8f27, 0x57cf3edd, 0x158c2fd4, 0x7e34fc57}, {0xcac93459, 0x828cfd89, 0xb7af499f, 0x9e631b6f, 0xda26c135, 0xf4dc8bc0, - 0x37186735, 0x6128ed39, 0x67bf0ba5, 0xbb45538b, 0x0064a3ab, 0x1addd4c1}}}, + 0x37186735, 0x6128ed39, 0x67bf0ba5, 0xbb45538b, 0x0064a3ab, + 0x1addd4c1}}}, {{{0xdd14d47e, 0xc32730e8, 0xc0f01e0f, 0xcdc1fd42, 0x3f5cd846, 0x2bacfdbf, 0x7272d4dd, 0x45f36416, 0x5eb75776, 0xdd813a79, 0x50997be2, 0xb57885e4}, {0xdb8c9829, 0xda054e2b, 0xaab5a594, 0x4161d820, 0x026116a3, 0x4c428f31, 
@@ -2524,7 +2542,8 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0xa0321e0e, 0x2e7ac078, 0xef3daab6, 0x5c5a1168, 0xaddd454a, 0xd2d573cb, 0x36259cc7, 0x27e149e2, 0xa63f47f1, 0x1edfd469, 0xf1bd2cfd, 0x039ad674}, {0x3077d3cc, 0xbfa633fc, 0x2fd64e9f, 0x14a7c82f, 0x9d824999, 0xaaa65014, - 0x21760f2e, 0x41ab113b, 0x1cae260a, 0x23e646c5, 0x68dc5159, 0x08062c8f}}}, + 0x21760f2e, 0x41ab113b, 0x1cae260a, 0x23e646c5, 0x68dc5159, + 0x08062c8f}}}, {{{0x204be028, 0x2e7d0a16, 0xd0e41851, 0x4f1d082e, 0x3eb317f9, 0x15f1ddc6, 0x5adf71d7, 0xf0275071, 0xee858bc3, 0x2ce33c2e, 0xda73b71a, 0xa24c76d1}, {0x6c70c483, 0x9ef6a70a, 0x05cf9612, 0xefcf1705, 0x7502de64, 0x9f5bf5a6, @@ -2588,5 +2607,6 @@ static const p384_felem p384_g_pre_comp[20][16][2] = { {{0x0e31f639, 0x4bc950ec, 0x6016be30, 0xb7abd3dc, 0x6703dad0, 0x3b0f4473, 0x0ac1c4ea, 0xcc405f8b, 0x176c3fee, 0x9bed5e57, 0x36ae36c2, 0xf4524810}, {0x15d7b503, 0xc1edbb83, 0xe30f3657, 0x943b1156, 0x98377805, 0x984e9eef, - 0x36cf1deb, 0x291ae7ac, 0xa9f66df3, 0xfed8748c, 0xfea8fa5d, 0xeca758bb}}}}; + 0x36cf1deb, 0x291ae7ac, 0xa9f66df3, 0xfed8748c, 0xfea8fa5d, + 0xeca758bb}}}}; #endif diff --git a/crypto/fipsmodule/ec/p521.c b/crypto/fipsmodule/ec/p521.c index db45e51850..6824a520bd 100644 --- a/crypto/fipsmodule/ec/p521.c +++ b/crypto/fipsmodule/ec/p521.c 
@@ -16,19 +16,19 @@
 #include "../bn/internal.h"
 #include "../cpucap/internal.h"
 #include "../delocate.h"
-#include "internal.h"
 #include "ec_nistp.h"
+#include "internal.h"
 #if !defined(OPENSSL_SMALL)
 #if defined(EC_NISTP_USE_S2N_BIGNUM)
-# include "../../../third_party/s2n-bignum/include/s2n-bignum_aws-lc.h"
+#include "../../../third_party/s2n-bignum/include/s2n-bignum_aws-lc.h"
+#else
+#if defined(EC_NISTP_USE_64BIT_LIMB)
+#include "../../../third_party/fiat/p521_64.h"
 #else
-# if defined(EC_NISTP_USE_64BIT_LIMB)
-# include "../../../third_party/fiat/p521_64.h"
-# else
-# include "../../../third_party/fiat/p521_32.h"
-# endif
+#include "../../../third_party/fiat/p521_32.h"
+#endif
 #endif
 #if defined(EC_NISTP_USE_S2N_BIGNUM)
@@ -36,57 +36,49 @@
 #define P521_NLIMBS (9)
 typedef uint64_t p521_limb_t;
-typedef uint64_t p521_felem[P521_NLIMBS]; // field element
+typedef uint64_t p521_felem[P521_NLIMBS]; // field element
 static const p521_limb_t p521_felem_one[P521_NLIMBS] = {
- 0x0000000000000001, 0x0000000000000000,
- 0x0000000000000000, 0x0000000000000000,
- 0x0000000000000000, 0x0000000000000000,
- 0x0000000000000000, 0x0000000000000000,
- 0x0000000000000000};
+ 0x0000000000000001, 0x0000000000000000, 0x0000000000000000,
+ 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
+ 0x0000000000000000, 0x0000000000000000, 0x0000000000000000};
 // The field characteristic p.
 static const p521_limb_t p521_felem_p[P521_NLIMBS] = {
- 0xffffffffffffffff, 0xffffffffffffffff,
- 0xffffffffffffffff, 0xffffffffffffffff,
- 0xffffffffffffffff, 0xffffffffffffffff,
- 0xffffffffffffffff, 0xffffffffffffffff,
- 0x1ff};
+ 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
+ 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
+ 0xffffffffffffffff, 0xffffffffffffffff, 0x1ff};
 // s2n-bignum implementation of field arithmetic
-#define p521_felem_add(out, in0, in1) bignum_add_p521(out, in0, in1)
-#define p521_felem_sub(out, in0, in1) bignum_sub_p521(out, in0, in1)
-#define p521_felem_opp(out, in0) bignum_neg_p521(out, in0)
-#define p521_felem_to_bytes(out, in0) bignum_tolebytes_p521(out, in0)
+#define p521_felem_add(out, in0, in1) bignum_add_p521(out, in0, in1)
+#define p521_felem_sub(out, in0, in1) bignum_sub_p521(out, in0, in1)
+#define p521_felem_opp(out, in0) bignum_neg_p521(out, in0)
+#define p521_felem_to_bytes(out, in0) bignum_tolebytes_p521(out, in0)
 #define p521_felem_from_bytes(out, in0) bignum_fromlebytes_p521(out, in0)
-#define p521_felem_mul(out, in0, in1) bignum_mul_p521_selector(out, in0, in1)
-#define p521_felem_sqr(out, in0) bignum_sqr_p521_selector(out, in0)
+#define p521_felem_mul(out, in0, in1) bignum_mul_p521_selector(out, in0, in1)
+#define p521_felem_sqr(out, in0) bignum_sqr_p521_selector(out, in0)
-#else // EC_NISTP_USE_S2N_BIGNUM
+#else // EC_NISTP_USE_S2N_BIGNUM
 #if defined(EC_NISTP_USE_64BIT_LIMB)
 // In the 64-bit case Fiat-crypto represents a field element by 9 58-bit digits.
 #define P521_NLIMBS (9)
-typedef uint64_t p521_felem[P521_NLIMBS]; // field element
+typedef uint64_t p521_felem[P521_NLIMBS]; // field element
 typedef uint64_t p521_limb_t;
 // One in Fiat-crypto's representation (58-bit digits).
 static const p521_limb_t p521_felem_one[P521_NLIMBS] = {
- 0x0000000000000001, 0x0000000000000000,
- 0x0000000000000000, 0x0000000000000000,
- 0x0000000000000000, 0x0000000000000000,
- 0x0000000000000000, 0x0000000000000000,
- 0x0000000000000000};
+ 0x0000000000000001, 0x0000000000000000, 0x0000000000000000,
+ 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
+ 0x0000000000000000, 0x0000000000000000, 0x0000000000000000};
 // The field characteristic p in Fiat-crypto's representation (58-bit digits).
 static const p521_limb_t p521_felem_p[P521_NLIMBS] = {
- 0x03ffffffffffffff, 0x03ffffffffffffff,
- 0x03ffffffffffffff, 0x03ffffffffffffff,
- 0x03ffffffffffffff, 0x03ffffffffffffff,
- 0x03ffffffffffffff, 0x03ffffffffffffff,
- 0x01ffffffffffffff};
+ 0x03ffffffffffffff, 0x03ffffffffffffff, 0x03ffffffffffffff,
+ 0x03ffffffffffffff, 0x03ffffffffffffff, 0x03ffffffffffffff,
+ 0x03ffffffffffffff, 0x03ffffffffffffff, 0x01ffffffffffffff};
 #else // 64BIT; else 32BIT
@@ -95,36 +87,32 @@ static const p521_limb_t p521_felem_p[P521_NLIMBS] = {
 // [28, 27, 28, 27, 28, 27, 27, 28, 27, 28, 27, 28, 27, 27, 28, 27, 28, 27, 27].
 #define P521_NLIMBS (19)
-typedef uint32_t p521_felem[P521_NLIMBS]; // field element
+typedef uint32_t p521_felem[P521_NLIMBS]; // field element
 typedef uint32_t p521_limb_t;
 // One in Fiat-crypto's representation.
 static const p521_limb_t p521_felem_one[P521_NLIMBS] = {
- 0x0000001, 0x0000000, 0x0000000, 0x0000000,
- 0x0000000, 0x0000000, 0x0000000, 0x0000000,
- 0x0000000, 0x0000000, 0x0000000, 0x0000000,
- 0x0000000, 0x0000000, 0x0000000, 0x0000000,
- 0x0000000, 0x0000000, 0x0000000};
+ 0x0000001, 0x0000000, 0x0000000, 0x0000000, 0x0000000, 0x0000000, 0x0000000,
+ 0x0000000, 0x0000000, 0x0000000, 0x0000000, 0x0000000, 0x0000000, 0x0000000,
+ 0x0000000, 0x0000000, 0x0000000, 0x0000000, 0x0000000};
 // The field characteristic p in Fiat-crypto's representation.
 static const p521_limb_t p521_felem_p[P521_NLIMBS] = {
- 0xfffffff, 0x7ffffff, 0xfffffff, 0x7ffffff,
- 0xfffffff, 0x7ffffff, 0x7ffffff, 0xfffffff,
- 0x7ffffff, 0xfffffff, 0x7ffffff, 0xfffffff,
- 0x7ffffff, 0x7ffffff, 0xfffffff, 0x7ffffff,
- 0xfffffff, 0x7ffffff, 0x7ffffff};
+ 0xfffffff, 0x7ffffff, 0xfffffff, 0x7ffffff, 0xfffffff, 0x7ffffff, 0x7ffffff,
+ 0xfffffff, 0x7ffffff, 0xfffffff, 0x7ffffff, 0xfffffff, 0x7ffffff, 0x7ffffff,
+ 0xfffffff, 0x7ffffff, 0xfffffff, 0x7ffffff, 0x7ffffff};
 #endif // 64BIT
 // Fiat-crypto implementation of field arithmetic
-#define p521_felem_add(out, in0, in1) fiat_secp521r1_carry_add(out, in0, in1)
-#define p521_felem_sub(out, in0, in1) fiat_secp521r1_carry_sub(out, in0, in1)
-#define p521_felem_opp(out, in0) fiat_secp521r1_carry_opp(out, in0)
-#define p521_felem_mul(out, in0, in1) fiat_secp521r1_carry_mul(out, in0, in1)
-#define p521_felem_sqr(out, in0) fiat_secp521r1_carry_square(out, in0)
-#define p521_felem_to_bytes(out, in0) fiat_secp521r1_to_bytes(out, in0)
+#define p521_felem_add(out, in0, in1) fiat_secp521r1_carry_add(out, in0, in1)
+#define p521_felem_sub(out, in0, in1) fiat_secp521r1_carry_sub(out, in0, in1)
+#define p521_felem_opp(out, in0) fiat_secp521r1_carry_opp(out, in0)
+#define p521_felem_mul(out, in0, in1) fiat_secp521r1_carry_mul(out, in0, in1)
+#define p521_felem_sqr(out, in0) fiat_secp521r1_carry_square(out, in0)
+#define p521_felem_to_bytes(out, in0) fiat_secp521r1_to_bytes(out, in0)
 #define p521_felem_from_bytes(out, in0) fiat_secp521r1_from_bytes(out, in0)
-#endif // EC_NISTP_USE_S2N_BIGNUM
+#endif // EC_NISTP_USE_S2N_BIGNUM
 // The wrapper functions are needed for FIPS static build.
 // Otherwise, initializing ec_nistp_meth with pointers to s2n-bignum
@@ -172,7 +160,8 @@ static p521_limb_t p521_felem_nz(const p521_limb_t in1[P521_NLIMBS]) {
 static void p521_from_generic(p521_felem out, const EC_FELEM *in) {
 #ifdef OPENSSL_BIG_ENDIAN
 uint8_t tmp[P521_EC_FELEM_BYTES];
- bn_words_to_little_endian(tmp, P521_EC_FELEM_BYTES, in->words, P521_EC_FELEM_WORDS);
+ bn_words_to_little_endian(tmp, P521_EC_FELEM_BYTES, in->words,
+ P521_EC_FELEM_WORDS);
 p521_felem_from_bytes(out, tmp);
 #else
 p521_felem_from_bytes(out, (const uint8_t *)in->words);
@@ -192,9 +181,10 @@ static void p521_to_generic(EC_FELEM *out, const p521_felem in) {
 #ifdef OPENSSL_BIG_ENDIAN
 uint8_t tmp[P521_EC_FELEM_BYTES];
 p521_felem_to_bytes(tmp, in);
- bn_little_endian_to_words(out->words, P521_EC_FELEM_WORDS, tmp, P521_EC_FELEM_BYTES);
+ bn_little_endian_to_words(out->words, P521_EC_FELEM_WORDS, tmp,
+ P521_EC_FELEM_BYTES);
 #else
- OPENSSL_memset((uint8_t*)out->words, 0, sizeof(out->words));
+ OPENSSL_memset((uint8_t *)out->words, 0, sizeof(out->words));
 // Convert the element to bytes.
 p521_felem_to_bytes((uint8_t *)out->words, in);
 #endif
@@ -205,74 +195,71 @@ static void p521_to_generic(EC_FELEM *out, const p521_felem in) {
 // https://arxiv.org/abs/2007.11481
 static void p521_felem_inv(p521_felem output, const p521_felem t1) {
 #if defined(EC_NISTP_USE_S2N_BIGNUM)
- bignum_inv_p521(output, t1);
+ bignum_inv_p521(output, t1);
 #else
- /* temporary variables */
- p521_felem acc, t2, t4, t8, t16, t32, t64;
- p521_felem t128, t256, t512, t516, t518, t519;
-
- p521_felem_sqr(acc, t1);
- p521_felem_mul(t2, acc, t1);
- p521_felem_sqr(acc, t2);
+ /* temporary variables */
+ p521_felem acc, t2, t4, t8, t16, t32, t64;
+ p521_felem t128, t256, t512, t516, t518, t519;
+
+ p521_felem_sqr(acc, t1);
+ p521_felem_mul(t2, acc, t1);
+ p521_felem_sqr(acc, t2);
+ p521_felem_sqr(acc, acc);
+ p521_felem_mul(t4, acc, t2);
+ p521_felem_sqr(acc, t4);
+ for (int i = 0; i < 3; i++) {
+ p521_felem_sqr(acc, acc);
+ }
+ p521_felem_mul(t8, acc, t4);
+ p521_felem_sqr(acc, t8);
+ for (int i = 0; i < 7; i++) {
+ p521_felem_sqr(acc, acc);
+ }
+ p521_felem_mul(t16, acc, t8);
+ p521_felem_sqr(acc, t16);
+ for (int i = 0; i < 15; i++) {
+ p521_felem_sqr(acc, acc);
+ }
+ p521_felem_mul(t32, acc, t16);
+ p521_felem_sqr(acc, t32);
+ for (int i = 0; i < 31; i++) {
+ p521_felem_sqr(acc, acc);
+ }
+ p521_felem_mul(t64, acc, t32);
+ p521_felem_sqr(acc, t64);
+ for (int i = 0; i < 63; i++) {
 p521_felem_sqr(acc, acc);
- p521_felem_mul(t4, acc, t2);
- p521_felem_sqr(acc, t4);
- for (int i = 0; i < 3; i++) {
- p521_felem_sqr(acc, acc);
- }
- p521_felem_mul(t8, acc, t4);
- p521_felem_sqr(acc, t8);
- for (int i = 0; i < 7; i++) {
- p521_felem_sqr(acc, acc);
- }
- p521_felem_mul(t16, acc, t8);
- p521_felem_sqr(acc, t16);
- for (int i = 0; i < 15; i++) {
- p521_felem_sqr(acc, acc);
- }
- p521_felem_mul(t32, acc, t16);
- p521_felem_sqr(acc, t32);
- for (int i = 0; i < 31; i++) {
- p521_felem_sqr(acc, acc);
- }
- p521_felem_mul(t64, acc, t32);
- p521_felem_sqr(acc, t64);
- for (int i = 0; i < 63; i++) {
- p521_felem_sqr(acc, acc);
- }
- p521_felem_mul(t128, acc, t64);
- p521_felem_sqr(acc, t128);
- for (int i = 0; i < 127; i++) {
- p521_felem_sqr(acc, acc);
- }
- p521_felem_mul(t256, acc, t128);
- p521_felem_sqr(acc, t256);
- for (int i = 0; i < 255; i++) {
- p521_felem_sqr(acc, acc);
- }
- p521_felem_mul(t512, acc, t256);
- p521_felem_sqr(acc, t512);
- for (int i = 0; i < 3; i++) {
- p521_felem_sqr(acc, acc);
- }
- p521_felem_mul(t516, acc, t4);
- p521_felem_sqr(acc, t516);
+ }
+ p521_felem_mul(t128, acc, t64);
+ p521_felem_sqr(acc, t128);
+ for (int i = 0; i < 127; i++) {
 p521_felem_sqr(acc, acc);
- p521_felem_mul(t518, acc, t2);
- p521_felem_sqr(acc, t518);
- p521_felem_mul(t519, acc, t1);
- p521_felem_sqr(acc, t519);
+ }
+ p521_felem_mul(t256, acc, t128);
+ p521_felem_sqr(acc, t256);
+ for (int i = 0; i < 255; i++) {
 p521_felem_sqr(acc, acc);
- p521_felem_mul(output, acc, t1);
+ }
+ p521_felem_mul(t512, acc, t256);
+ p521_felem_sqr(acc, t512);
+ for (int i = 0; i < 3; i++) {
+ p521_felem_sqr(acc, acc);
+ }
+ p521_felem_mul(t516, acc, t4);
+ p521_felem_sqr(acc, t516);
+ p521_felem_sqr(acc, acc);
+ p521_felem_mul(t518, acc, t2);
+ p521_felem_sqr(acc, t518);
+ p521_felem_mul(t519, acc, t1);
+ p521_felem_sqr(acc, t519);
+ p521_felem_sqr(acc, acc);
+ p521_felem_mul(output, acc, t1);
 #endif
 }
-static void p521_point_double(p521_felem x_out,
- p521_felem y_out,
- p521_felem z_out,
- const p521_felem x_in,
- const p521_felem y_in,
- const p521_felem z_in) {
+static void p521_point_double(p521_felem x_out, p521_felem y_out,
+ p521_felem z_out, const p521_felem x_in,
+ const p521_felem y_in, const p521_felem z_in) {
 #if defined(EC_NISTP_USE_S2N_BIGNUM)
 ec_nistp_felem_limb in[P521_NLIMBS * 3];
 ec_nistp_felem_limb out[P521_NLIMBS * 3];
@@ -294,12 +281,9 @@ static void p521_point_double(p521_felem x_out,
 //
 //
 static void p521_point_add(p521_felem x3, p521_felem y3, p521_felem z3,
- const p521_felem x1,
- const p521_felem y1,
- const p521_felem z1,
- const int mixed,
- const p521_felem x2,
- const p521_felem y2,
+ const p521_felem x1, const p521_felem y1,
+ const p521_felem z1, const int mixed,
+ const p521_felem x2, const p521_felem y2,
 const p521_felem z2) {
 ec_nistp_point_add(p521_methods(), x3, y3, z3, x1, y1, z1, mixed, x2, y2, z2);
 }
@@ -308,33 +292,33 @@ static void p521_point_add(p521_felem x3, p521_felem y3, p521_felem z3,
 #if defined(EC_NISTP_USE_S2N_BIGNUM)
 DEFINE_METHOD_FUNCTION(ec_nistp_meth, p521_methods) {
- out->felem_num_limbs = P521_NLIMBS;
- out->felem_num_bits = 521;
- out->felem_add = p521_felem_add_wrapper;
- out->felem_sub = p521_felem_sub_wrapper;
- out->felem_mul = bignum_mul_p521_selector;
- out->felem_sqr = bignum_sqr_p521_selector;
- out->felem_neg = p521_felem_neg_wrapper;
- out->felem_nz = p521_felem_nz;
- out->felem_one = p521_felem_one;
- out->point_dbl = p521_point_double;
- out->point_add = p521_point_add;
- out->scalar_mul_base_table = (const ec_nistp_felem_limb*) p521_g_pre_comp;
+ out->felem_num_limbs = P521_NLIMBS;
+ out->felem_num_bits = 521;
+ out->felem_add = p521_felem_add_wrapper;
+ out->felem_sub = p521_felem_sub_wrapper;
+ out->felem_mul = bignum_mul_p521_selector;
+ out->felem_sqr = bignum_sqr_p521_selector;
+ out->felem_neg = p521_felem_neg_wrapper;
+ out->felem_nz = p521_felem_nz;
+ out->felem_one = p521_felem_one;
+ out->point_dbl = p521_point_double;
+ out->point_add = p521_point_add;
+ out->scalar_mul_base_table = (const ec_nistp_felem_limb *)p521_g_pre_comp;
 }
 #else
 DEFINE_METHOD_FUNCTION(ec_nistp_meth, p521_methods) {
- out->felem_num_limbs = P521_NLIMBS;
- out->felem_num_bits = 521;
- out->felem_add = fiat_secp521r1_carry_add;
- out->felem_sub = fiat_secp521r1_carry_sub;
- out->felem_mul = fiat_secp521r1_carry_mul;
- out->felem_sqr = fiat_secp521r1_carry_square;
- out->felem_neg = fiat_secp521r1_carry_opp;
- out->felem_nz = p521_felem_nz;
- out->felem_one = p521_felem_one;
- out->point_dbl = p521_point_double;
- out->point_add = p521_point_add;
- out->scalar_mul_base_table = (const ec_nistp_felem_limb*) p521_g_pre_comp;
+ out->felem_num_limbs = P521_NLIMBS;
+ out->felem_num_bits = 521;
+ out->felem_add = fiat_secp521r1_carry_add;
+ out->felem_sub = fiat_secp521r1_carry_sub;
+ out->felem_mul = fiat_secp521r1_carry_mul;
+ out->felem_sqr = fiat_secp521r1_carry_square;
+ out->felem_neg = fiat_secp521r1_carry_opp;
+ out->felem_nz = p521_felem_nz;
+ out->felem_one = p521_felem_one;
+ out->point_dbl = p521_point_double;
+ out->point_add = p521_point_add;
+ out->scalar_mul_base_table = (const ec_nistp_felem_limb *)p521_g_pre_comp;
 }
 #endif
@@ -343,9 +327,8 @@ DEFINE_METHOD_FUNCTION(ec_nistp_meth, p521_methods) {
 // Takes the Jacobian coordinates (X, Y, Z) of a point and returns:
 // (X', Y') = (X/Z^2, Y/Z^3).
 static int ec_GFp_nistp521_point_get_affine_coordinates(
- const EC_GROUP *group, const EC_JACOBIAN *point,
- EC_FELEM *x_out, EC_FELEM *y_out) {
-
+ const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x_out,
+ EC_FELEM *y_out) {
 if (constant_time_declassify_w(ec_GFp_simple_is_at_infinity(group, point))) {
 OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
 return 0;
@@ -366,9 +349,9 @@ static int ec_GFp_nistp521_point_get_affine_coordinates(
 if (y_out != NULL) {
 p521_felem y;
 p521_from_generic(y, &point->Y);
- p521_felem_sqr(z2, z2); // z^-4
- p521_felem_mul(y, y, z1); // y * z
- p521_felem_mul(y, y, z2); // y * z^-3
+ p521_felem_sqr(z2, z2); // z^-4
+ p521_felem_mul(y, y, z1); // y * z
+ p521_felem_mul(y, y, z2); // y * z^-3
 p521_to_generic(y_out, y);
 }
@@ -406,7 +389,6 @@ static void ec_GFp_nistp521_dbl(const EC_GROUP *group, EC_JACOBIAN *r,
 static void ec_GFp_nistp521_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
 const EC_JACOBIAN *p,
 const EC_SCALAR *scalar) {
-
 p521_felem res[3] = {{0}, {0}, {0}}, tmp[3] = {{0}, {0}, {0}};
 p521_from_generic(tmp[0], &p->X);
@@ -414,9 +396,10 @@ static void ec_GFp_nistp521_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
 p521_from_generic(tmp[2], &p->Z);
 #if defined(EC_NISTP_USE_S2N_BIGNUM)
- p521_jscalarmul_selector((uint64_t*)res, scalar->words, (uint64_t*)tmp);
+ p521_jscalarmul_selector((uint64_t *)res, scalar->words, (uint64_t *)tmp);
 #else
- ec_nistp_scalar_mul(p521_methods(), res[0], res[1], res[2], tmp[0], tmp[1], tmp[2], scalar);
+ ec_nistp_scalar_mul(p521_methods(), res[0], res[1], res[2], tmp[0], tmp[1],
+ tmp[2], scalar);
 #endif
 p521_to_generic(&r->X, res[0]);
@@ -445,14 +428,14 @@ static void ec_GFp_nistp521_point_mul_public(const EC_GROUP *group,
 const EC_SCALAR *g_scalar,
 const EC_JACOBIAN *p,
 const EC_SCALAR *p_scalar) {
-
 p521_felem res[3] = {{0}, {0}, {0}}, tmp[3] = {{0}, {0}, {0}};
 p521_from_generic(tmp[0], &p->X);
 p521_from_generic(tmp[1], &p->Y);
 p521_from_generic(tmp[2], &p->Z);
- ec_nistp_scalar_mul_public(p521_methods(), res[0], res[1], res[2], g_scalar, tmp[0], tmp[1], tmp[2], p_scalar);
+ ec_nistp_scalar_mul_public(p521_methods(), res[0], res[1], res[2], g_scalar,
+ tmp[0], tmp[1], tmp[2], p_scalar);
 // Copy the result to the output.
 p521_to_generic(&r->X, res[0]);
@@ -498,4 +481,4 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp521_method) {
 // ----------------------------------------------------------------------------
 // Analysis of the doubling case occurrence in the Joye-Tunstall recoding:
 // see the analysis at the bottom of the |p384.c| file.
-#endif // !defined(OPENSSL_SMALL)
+#endif // !defined(OPENSSL_SMALL)
diff --git a/crypto/fipsmodule/ec/scalar.c b/crypto/fipsmodule/ec/scalar.c
index b05d50845d..b6480a5613 100644
--- a/crypto/fipsmodule/ec/scalar.c
+++ b/crypto/fipsmodule/ec/scalar.c
@@ -16,9 +16,9 @@
 #include
 #include
-#include "internal.h"
-#include "../bn/internal.h"
 #include "../../internal.h"
+#include "../bn/internal.h"
+#include "internal.h"
 int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
diff --git a/crypto/fipsmodule/ec/simple.c b/crypto/fipsmodule/ec/simple.c
index 406e108b3d..6d4d76eb02 100644
--- a/crypto/fipsmodule/ec/simple.c
+++ b/crypto/fipsmodule/ec/simple.c
@@ -73,8 +73,8 @@
 #include
 #include
-#include "internal.h"
 #include "../../internal.h"
+#include "internal.h"
 // Most method functions in this file are designed to work with non-trivial
@@ -113,8 +113,7 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
 }
 // group->a_is_minus3
- if (!BN_copy(tmp, a) ||
- !BN_add_word(tmp, 3)) {
+ if (!BN_copy(tmp, a) || !BN_add_word(tmp, 3)) {
 goto err;
 }
 group->a_is_minus3 = (0 == BN_cmp(tmp, &group->field.N));
@@ -164,8 +163,7 @@ int ec_GFp_simple_is_at_infinity(const EC_GROUP *group,
 return ec_felem_non_zero_mask(group, &point->Z) == 0;
 }
-int ec_GFp_simple_is_on_curve(const EC_GROUP *group,
- const EC_JACOBIAN *point) {
+int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_JACOBIAN *point) {
 // We have a curve defined by a Weierstrass equation
 // y^2 = x^3 + a*x + b.
 // The point to consider is given in Jacobian projective coordinates
diff --git a/crypto/fipsmodule/ec/simple_mul.c b/crypto/fipsmodule/ec/simple_mul.c
index c450c85dd2..09191bd7b8 100644
--- a/crypto/fipsmodule/ec/simple_mul.c
+++ b/crypto/fipsmodule/ec/simple_mul.c
@@ -16,9 +16,9 @@
 #include
-#include "internal.h"
-#include "../bn/internal.h"
 #include "../../internal.h"
+#include "../bn/internal.h"
+#include "internal.h"
 void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
@@ -40,7 +40,7 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
 }
 // Divide bits in |scalar| into windows.
- unsigned bits = EC_GROUP_order_bits(group);
+ unsigned bits = EC_GROUP_order_bits(group);
 int r_is_at_infinity = 1;
 for (unsigned i = bits - 1; i < bits; i--) {
 if (!r_is_at_infinity) {
@@ -212,8 +212,7 @@ int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
 OPENSSL_ARRAY_SIZE(comb));
 }
-static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
- EC_JACOBIAN *out,
+static void ec_GFp_mont_get_comb_window(const EC_GROUP *group, EC_JACOBIAN *out,
 const EC_PRECOMP *precomp,
 const EC_SCALAR *scalar, unsigned i) {
 const size_t width = group->order.N.width;
@@ -221,8 +220,7 @@ static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
 // Select the bits corresponding to the comb shifted up by |i|.
 unsigned window = 0;
 for (unsigned j = 0; j < EC_MONT_PRECOMP_COMB_SIZE; j++) {
- window |= bn_is_bit_set_words(scalar->words, width, j * stride + i)
- << j;
+ window |= bn_is_bit_set_words(scalar->words, width, j * stride + i) << j;
 }
 // Select precomp->comb[window - 1]. If |window| is zero, |match| will always
diff --git a/crypto/fipsmodule/ec/util.c b/crypto/fipsmodule/ec/util.c
index c4323f2f9d..76a3af79f0 100644
--- a/crypto/fipsmodule/ec/util.c
+++ b/crypto/fipsmodule/ec/util.c
@@ -245,7 +245,7 @@ void ec_GFp_nistp_recode_scalar_bits(crypto_word_t *sign, crypto_word_t *digit,
 crypto_word_t s, d;
 s = ~((in >> 5) - 1); /* sets all bits to MSB(in), 'in' seen as
- * 6-bit value */
+ * 6-bit value */
 d = (1 << 6) - in - 1;
 d = (d & s) | (in & ~s);
 d = (d >> 1) + (d & 1);
diff --git a/crypto/fipsmodule/ec/wnaf.c b/crypto/fipsmodule/ec/wnaf.c
index da334fe657..1fde5f77bb 100644
--- a/crypto/fipsmodule/ec/wnaf.c
+++ b/crypto/fipsmodule/ec/wnaf.c
@@ -75,9 +75,9 @@
 #include
 #include
-#include "internal.h"
-#include "../bn/internal.h"
 #include "../../internal.h"
+#include "../bn/internal.h"
+#include "internal.h"
 // This file implements the wNAF-based interleaving multi-exponentiation method
@@ -139,7 +139,8 @@ void ec_compute_wNAF(int8_t *out, const EC_SCALAR *scalar, size_t bits, int w) {
 window_val >>= 1;
 const size_t bits_per_word = sizeof(scalar->words[0]) * 8;
 const size_t num_words = (bits + bits_per_word - 1) / bits_per_word;
- window_val += bit * bn_is_bit_set_words(scalar->words, num_words, j + w + 1);
+ window_val +=
+ bit * bn_is_bit_set_words(scalar->words, num_words, j + w + 1);
 assert(window_val <= next_bit);
 }
@@ -188,11 +189,11 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
 int ret = 0;
 int8_t wNAF_stack[EC_WNAF_STACK][EC_MAX_BYTES * 8 + 1];
- int8_t (*wNAF_alloc)[EC_MAX_BYTES * 8 + 1] = NULL;
- int8_t (*wNAF)[EC_MAX_BYTES * 8 + 1];
+ int8_t(*wNAF_alloc)[EC_MAX_BYTES * 8 + 1] = NULL;
+ int8_t(*wNAF)[EC_MAX_BYTES * 8 + 1];
 EC_JACOBIAN precomp_stack[EC_WNAF_STACK][EC_WNAF_TABLE_SIZE];
- EC_JACOBIAN (*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL;
- EC_JACOBIAN (*precomp)[EC_WNAF_TABLE_SIZE];
+ EC_JACOBIAN(*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL;
+ EC_JACOBIAN(*precomp)[EC_WNAF_TABLE_SIZE];
 if (num <= EC_WNAF_STACK) {
 wNAF = wNAF_stack;
 precomp = precomp_stack;
diff --git a/crypto/fipsmodule/ecdh/ecdh.c b/crypto/fipsmodule/ecdh/ecdh.c
index 89149b14c6..989e590df8 100644
--- a/crypto/fipsmodule/ecdh/ecdh.c
+++ b/crypto/fipsmodule/ecdh/ecdh.c
@@ -79,7 +79,8 @@
 #include "../service_indicator/internal.h"
-int ECDH_compute_shared_secret(uint8_t *buf, size_t *buflen, const EC_POINT *pub_key,
+int ECDH_compute_shared_secret(uint8_t *buf, size_t *buflen,
+ const EC_POINT *pub_key,
 const EC_KEY *priv_key) {
 boringssl_ensure_ecc_self_test();
 if (priv_key->priv_key == NULL) {
@@ -167,7 +168,7 @@ int ECDH_compute_key_fips(uint8_t *out, size_t out_len, const EC_POINT *pub_key,
 end:
 FIPS_service_indicator_unlock_state();
- if(ret) {
+ if (ret) {
 ECDH_verify_service_indicator(priv_key);
 }
 return ret;
diff --git a/crypto/fipsmodule/ecdsa/ecdsa.c b/crypto/fipsmodule/ecdsa/ecdsa.c
index 26a642e363..0fe0d82c6f 100644
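Review bot: The reformatted declarations `int8_t(*wNAF_alloc)[EC_MAX_BYTES * 8 + 1] = NULL;` and `EC_JACOBIAN(*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL;` in ec_GFp_mont_mul_public_batch now read like function-style casts, because clang-format dropped the space before `(*` on these pointer-to-array declarators; the two uninitialized declarations next to them have the same problem. Either fence the four lines with `// clang-format off` / `// clang-format on`, or give the row a name, e.g. `typedef int8_t wnaf_row_t[EC_MAX_BYTES * 8 + 1];` and `wnaf_row_t *wNAF_alloc = NULL;`, so the indirection stays visible to readers and to the next formatter run. The enclosing function starts and ends outside the hunk.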
--- a/crypto/fipsmodule/ecdsa/ecdsa.c
+++ b/crypto/fipsmodule/ecdsa/ecdsa.c
@@ -120,13 +120,9 @@ void ECDSA_SIG_free(ECDSA_SIG *sig) {
 OPENSSL_free(sig);
 }
-const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig) {
- return sig->r;
-}
+const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig) { return sig->r; }
-const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig) {
- return sig->s;
-}
+const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig) { return sig->s; }
 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **out_r,
 const BIGNUM **out_s) {
@@ -159,10 +155,8 @@ int ecdsa_do_verify_no_self_test(const uint8_t *digest, size_t digest_len,
 }
 EC_SCALAR r, s, u1, u2, s_inv_mont, m;
- if (BN_is_zero(sig->r) ||
- !ec_bignum_to_scalar(group, &r, sig->r) ||
- BN_is_zero(sig->s) ||
- !ec_bignum_to_scalar(group, &s, sig->s)) {
+ if (BN_is_zero(sig->r) || !ec_bignum_to_scalar(group, &r, sig->r) ||
+ BN_is_zero(sig->s) || !ec_bignum_to_scalar(group, &s, sig->s)) {
 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
 return 0;
 }
@@ -377,9 +371,9 @@ ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
 int ECDSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *sig,
 unsigned int *sig_len, const EC_KEY *eckey) {
 if (eckey->eckey_method && eckey->eckey_method->sign) {
- return eckey->eckey_method->sign(type, digest, (int)digest_len, sig, sig_len,
- NULL, NULL,
- (EC_KEY*) eckey /* cast away const */);
+ return eckey->eckey_method->sign(type, digest, (int)digest_len, sig,
+ sig_len, NULL, NULL,
+ (EC_KEY *)eckey /* cast away const */);
 }
 int ret = 0;
@@ -392,8 +386,7 @@ int ECDSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *sig,
 CBB cbb;
 CBB_init_fixed(&cbb, sig, ECDSA_size(eckey));
 size_t len;
- if (!ECDSA_SIG_marshal(&cbb, s) ||
- !CBB_finish(&cbb, NULL, &len)) {
+ if (!ECDSA_SIG_marshal(&cbb, s) || !CBB_finish(&cbb, NULL, &len)) {
 OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);
 *sig_len = 0;
 goto err;
@@ -423,8 +416,8 @@ int ECDSA_verify(int type, const uint8_t *digest, size_t digest_len,
 // Defend against potential laxness in the DER parser.
 size_t der_len;
- if (!ECDSA_SIG_to_bytes(&der, &der_len, s) ||
- der_len != sig_len || OPENSSL_memcmp(sig, der, sig_len) != 0) {
+ if (!ECDSA_SIG_to_bytes(&der, &der_len, s) || der_len != sig_len ||
+ OPENSSL_memcmp(sig, der, sig_len) != 0) {
 // This should never happen. crypto/bytestring is strictly DER.
 OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
 goto err;
@@ -454,7 +447,7 @@ ECDSA_SIG *ecdsa_digestsign_no_self_test(const EVP_MD *md, const uint8_t *input,
 int ecdsa_digestverify_no_self_test(const EVP_MD *md, const uint8_t *input,
 size_t in_len, const ECDSA_SIG *sig,
- const EC_KEY *eckey){
+ const EC_KEY *eckey) {
 uint8_t digest[EVP_MAX_MD_SIZE];
 unsigned int digest_len = EVP_MAX_MD_SIZE;
 if (!EVP_Digest(input, in_len, digest, &digest_len, md, NULL)) {
diff --git a/crypto/fipsmodule/ecdsa/ecdsa_test.cc b/crypto/fipsmodule/ecdsa/ecdsa_test.cc
index 82b8a616d0..0f042f024b 100644
--- a/crypto/fipsmodule/ecdsa/ecdsa_test.cc
+++ b/crypto/fipsmodule/ecdsa/ecdsa_test.cc
@@ -64,9 +64,9 @@
 #include
 #include
-#include "../ec/internal.h"
 #include "../../test/file_test.h"
 #include "../../test/test_util.h"
+#include "../ec/internal.h"
 static bssl::UniquePtr HexToBIGNUM(const char *hex) {
@@ -141,9 +141,9 @@ static void VerifyECDSASig(API api, const uint8_t *digest, size_t digest_len, // TestTamperedSig verifies that signature verification fails when a valid // signature is tampered with. |ecdsa_sig| must be a valid signature, which will // be modified. -static void TestTamperedSig(API api, const uint8_t *digest, - size_t digest_len, ECDSA_SIG *ecdsa_sig, - EC_KEY *eckey, const BIGNUM *order) { +static void TestTamperedSig(API api, const uint8_t *digest, size_t digest_len, + ECDSA_SIG *ecdsa_sig, EC_KEY *eckey, + const BIGNUM *order) { SCOPED_TRACE(api); // Modify a single byte of the signature: to ensure we don't // garble the ASN1 structure, we read the raw signature and @@ -189,12 +189,9 @@ TEST(ECDSATest, BuiltinCurves) { int nid; const char *name; } kCurves[] = { - { NID_secp224r1, "secp224r1" }, - { NID_X9_62_prime256v1, "secp256r1" }, - { NID_secp384r1, "secp384r1" }, - { NID_secp521r1, "secp521r1" }, - { NID_secp160r1, "secp160r1" }, - { NID_secp256k1, "secp256k1" }, + {NID_secp224r1, "secp224r1"}, {NID_X9_62_prime256v1, "secp256r1"}, + {NID_secp384r1, "secp384r1"}, {NID_secp521r1, "secp521r1"}, + {NID_secp160r1, "secp160r1"}, {NID_secp256k1, "secp256k1"}, }; for (const auto &curve : kCurves) { 
@@ -376,95 +373,96 @@ static bssl::UniquePtr GetBIGNUM(FileTest *t, const char *key) { return nullptr; } - return bssl::UniquePtr(BN_bin2bn(bytes.data(), bytes.size(), nullptr)); + return bssl::UniquePtr( + BN_bin2bn(bytes.data(), bytes.size(), nullptr)); } TEST(ECDSATest, VerifyTestVectors) { - FileTestGTest("crypto/fipsmodule/ecdsa/ecdsa_verify_tests.txt", - [](FileTest *t) { - for (bool custom_group : {false, true}) { - SCOPED_TRACE(custom_group); - bssl::UniquePtr group = GetCurve(t, "Curve"); - ASSERT_TRUE(group); - if (custom_group) { - group = MakeCustomClone(group.get()); - ASSERT_TRUE(group); - } - bssl::UniquePtr x = GetBIGNUM(t, "X"); - ASSERT_TRUE(x); - bssl::UniquePtr y = GetBIGNUM(t, "Y"); - ASSERT_TRUE(y); - bssl::UniquePtr r = GetBIGNUM(t, "R"); - ASSERT_TRUE(r); - bssl::UniquePtr s = GetBIGNUM(t, "S"); - ASSERT_TRUE(s); - std::vector digest; - ASSERT_TRUE(t->GetBytes(&digest, "Digest")); - - bssl::UniquePtr key(EC_KEY_new()); - ASSERT_TRUE(key); - bssl::UniquePtr pub_key(EC_POINT_new(group.get())); - ASSERT_TRUE(pub_key); - bssl::UniquePtr sig(ECDSA_SIG_new()); - ASSERT_TRUE(sig); - ASSERT_TRUE(EC_KEY_set_group(key.get(), group.get())); - ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp( - group.get(), pub_key.get(), x.get(), y.get(), nullptr)); - ASSERT_TRUE(EC_KEY_set_public_key(key.get(), pub_key.get())); - ASSERT_TRUE(BN_copy(sig->r, r.get())); - ASSERT_TRUE(BN_copy(sig->s, s.get())); - - EXPECT_EQ( - t->HasAttribute("Invalid") ? 
0 : 1, - ECDSA_do_verify(digest.data(), digest.size(), sig.get(), key.get())); - } - }); + FileTestGTest( + "crypto/fipsmodule/ecdsa/ecdsa_verify_tests.txt", [](FileTest *t) { + for (bool custom_group : {false, true}) { + SCOPED_TRACE(custom_group); + bssl::UniquePtr group = GetCurve(t, "Curve"); + ASSERT_TRUE(group); + if (custom_group) { + group = MakeCustomClone(group.get()); + ASSERT_TRUE(group); + } + bssl::UniquePtr x = GetBIGNUM(t, "X"); + ASSERT_TRUE(x); + bssl::UniquePtr y = GetBIGNUM(t, "Y"); + ASSERT_TRUE(y); + bssl::UniquePtr r = GetBIGNUM(t, "R"); + ASSERT_TRUE(r); + bssl::UniquePtr s = GetBIGNUM(t, "S"); + ASSERT_TRUE(s); + std::vector digest; + ASSERT_TRUE(t->GetBytes(&digest, "Digest")); + + bssl::UniquePtr key(EC_KEY_new()); + ASSERT_TRUE(key); + bssl::UniquePtr pub_key(EC_POINT_new(group.get())); + ASSERT_TRUE(pub_key); + bssl::UniquePtr sig(ECDSA_SIG_new()); + ASSERT_TRUE(sig); + ASSERT_TRUE(EC_KEY_set_group(key.get(), group.get())); + ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp( + group.get(), pub_key.get(), x.get(), y.get(), nullptr)); + ASSERT_TRUE(EC_KEY_set_public_key(key.get(), pub_key.get())); + ASSERT_TRUE(BN_copy(sig->r, r.get())); + ASSERT_TRUE(BN_copy(sig->s, s.get())); + + EXPECT_EQ(t->HasAttribute("Invalid") ? 
0 : 1, + ECDSA_do_verify(digest.data(), digest.size(), sig.get(), + key.get())); + } + }); } TEST(ECDSATest, SignTestVectors) { - FileTestGTest("crypto/fipsmodule/ecdsa/ecdsa_sign_tests.txt", - [](FileTest *t) { - for (bool custom_group : {false, true}) { - SCOPED_TRACE(custom_group); - bssl::UniquePtr group = GetCurve(t, "Curve"); - ASSERT_TRUE(group); - if (custom_group) { - group = MakeCustomClone(group.get()); - ASSERT_TRUE(group); - } - bssl::UniquePtr priv_key = GetBIGNUM(t, "Private"); - ASSERT_TRUE(priv_key); - bssl::UniquePtr x = GetBIGNUM(t, "X"); - ASSERT_TRUE(x); - bssl::UniquePtr y = GetBIGNUM(t, "Y"); - ASSERT_TRUE(y); - std::vector k; - ASSERT_TRUE(t->GetBytes(&k, "K")); - bssl::UniquePtr r = GetBIGNUM(t, "R"); - ASSERT_TRUE(r); - bssl::UniquePtr s = GetBIGNUM(t, "S"); - ASSERT_TRUE(s); - std::vector digest; - ASSERT_TRUE(t->GetBytes(&digest, "Digest")); - - bssl::UniquePtr key(EC_KEY_new()); - ASSERT_TRUE(key); - bssl::UniquePtr pub_key(EC_POINT_new(group.get())); - ASSERT_TRUE(pub_key); - ASSERT_TRUE(EC_KEY_set_group(key.get(), group.get())); - ASSERT_TRUE(EC_KEY_set_private_key(key.get(), priv_key.get())); - ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp( - group.get(), pub_key.get(), x.get(), y.get(), nullptr)); - ASSERT_TRUE(EC_KEY_set_public_key(key.get(), pub_key.get())); - ASSERT_TRUE(EC_KEY_check_key(key.get())); - - bssl::UniquePtr sig( - ECDSA_sign_with_nonce_and_leak_private_key_for_testing( - digest.data(), digest.size(), key.get(), k.data(), k.size())); - ASSERT_TRUE(sig); - - EXPECT_EQ(0, BN_cmp(r.get(), sig->r)); - EXPECT_EQ(0, BN_cmp(s.get(), sig->s)); - } - }); + FileTestGTest( + "crypto/fipsmodule/ecdsa/ecdsa_sign_tests.txt", [](FileTest *t) { + for (bool custom_group : {false, true}) { + SCOPED_TRACE(custom_group); + bssl::UniquePtr group = GetCurve(t, "Curve"); + ASSERT_TRUE(group); + if (custom_group) { + group = MakeCustomClone(group.get()); + ASSERT_TRUE(group); + } + bssl::UniquePtr priv_key = GetBIGNUM(t, "Private"); + 
ASSERT_TRUE(priv_key); + bssl::UniquePtr x = GetBIGNUM(t, "X"); + ASSERT_TRUE(x); + bssl::UniquePtr y = GetBIGNUM(t, "Y"); + ASSERT_TRUE(y); + std::vector k; + ASSERT_TRUE(t->GetBytes(&k, "K")); + bssl::UniquePtr r = GetBIGNUM(t, "R"); + ASSERT_TRUE(r); + bssl::UniquePtr s = GetBIGNUM(t, "S"); + ASSERT_TRUE(s); + std::vector digest; + ASSERT_TRUE(t->GetBytes(&digest, "Digest")); + + bssl::UniquePtr key(EC_KEY_new()); + ASSERT_TRUE(key); + bssl::UniquePtr pub_key(EC_POINT_new(group.get())); + ASSERT_TRUE(pub_key); + ASSERT_TRUE(EC_KEY_set_group(key.get(), group.get())); + ASSERT_TRUE(EC_KEY_set_private_key(key.get(), priv_key.get())); + ASSERT_TRUE(EC_POINT_set_affine_coordinates_GFp( + group.get(), pub_key.get(), x.get(), y.get(), nullptr)); + ASSERT_TRUE(EC_KEY_set_public_key(key.get(), pub_key.get())); + ASSERT_TRUE(EC_KEY_check_key(key.get())); + + bssl::UniquePtr sig( + ECDSA_sign_with_nonce_and_leak_private_key_for_testing( + digest.data(), digest.size(), key.get(), k.data(), k.size())); + ASSERT_TRUE(sig); + + EXPECT_EQ(0, BN_cmp(r.get(), sig->r)); + EXPECT_EQ(0, BN_cmp(s.get(), sig->s)); + } + }); } diff --git a/crypto/fipsmodule/evp/digestsign.c b/crypto/fipsmodule/evp/digestsign.c index f804f0b272..d9bc40124c 100644 --- a/crypto/fipsmodule/evp/digestsign.c +++ b/crypto/fipsmodule/evp/digestsign.c @@ -57,13 +57,13 @@ #include -#include "../pqdsa/internal.h" #include "../delocate.h" #include "../digest/internal.h" +#include "../pqdsa/internal.h" #include "internal.h" #if defined(NDEBUG) -#define CHECK(x) (void) (x) +#define CHECK(x) (void)(x) #else #define CHECK(x) assert(x) #endif 
@@ -80,7 +80,8 @@ DEFINE_LOCAL_DATA(struct evp_md_pctx_ops, EVP_MD_pctx_ops) { static int uses_prehash(EVP_MD_CTX *ctx, enum evp_sign_verify_t op) { // Pre-hash modes of ML-DSA that uses an external mu calculation differs from - // other signing algorithms, so we specifically check for NIDs of type NID_MLDSAXX. + // other signing algorithms, so we specifically check for NIDs of type + // NID_MLDSAXX. if (ctx->pctx->pkey->type == EVP_PKEY_PQDSA && ctx->pctx->pkey->pkey.pqdsa_key != NULL) { int nid = ctx->pctx->pkey->pkey.pqdsa_key->pqdsa->nid; @@ -90,8 +91,8 @@ static int uses_prehash(EVP_MD_CTX *ctx, enum evp_sign_verify_t op) { } } - return (op == evp_sign) ? (ctx->pctx->pmeth->sign != NULL) - : (ctx->pctx->pmeth->verify != NULL); + return (op == evp_sign) ? (ctx->pctx->pmeth->sign != NULL) + : (ctx->pctx->pmeth->verify != NULL); } static void hmac_update(EVP_MD_CTX *ctx, const void *data, size_t count) { @@ -366,7 +367,7 @@ void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx) { EVP_PKEY_CTX *EVP_MD_CTX_get_pkey_ctx(const EVP_MD_CTX *ctx) { SET_DIT_AUTO_RESET; - if(ctx == NULL) { + if (ctx == NULL) { return NULL; } return ctx->pctx; diff --git a/crypto/fipsmodule/evp/evp.c b/crypto/fipsmodule/evp/evp.c index f241054889..b4965aeacb 100644 --- a/crypto/fipsmodule/evp/evp.c +++ b/crypto/fipsmodule/evp/evp.c @@ -227,9 +227,7 @@ int EVP_MD_get_pkey_type(const EVP_MD *md) { return 0; } -int EVP_MD_pkey_type(const EVP_MD *md){ - return EVP_MD_get_pkey_type(md); -} +int EVP_MD_pkey_type(const EVP_MD *md) { return EVP_MD_get_pkey_type(md); } const char *EVP_MD_get0_name(const EVP_MD *md) { if (md != NULL) { 
@@ -238,16 +236,14 @@ const char *EVP_MD_get0_name(const EVP_MD *md) { return NULL; } -const char *EVP_MD_name(const EVP_MD *md) { - return EVP_MD_get0_name(md); -} +const char *EVP_MD_name(const EVP_MD *md) { return EVP_MD_get0_name(md); } // evp_pkey_asn1_find returns the ASN.1 method table for the given |nid|, which // should be one of the |EVP_PKEY_*| values. It returns NULL if |nid| is // unknown. static const EVP_PKEY_ASN1_METHOD *evp_pkey_asn1_find(int nid) { - - const EVP_PKEY_ASN1_METHOD *const *methods = AWSLC_non_fips_pkey_evp_asn1_methods(); + const EVP_PKEY_ASN1_METHOD *const *methods = + AWSLC_non_fips_pkey_evp_asn1_methods(); for (size_t i = 0; i < ASN1_EVP_PKEY_METHODS; i++) { if (methods[i]->pkey_id == nid) { return methods[i]; @@ -290,7 +286,7 @@ EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *engine, const uint8_t *mac_key, } HMAC_KEY *key = HMAC_KEY_new(); - if(key == NULL) { + if (key == NULL) { goto err; } key->key = OPENSSL_memdup(mac_key, mac_key_len); @@ -300,7 +296,7 @@ EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *engine, const uint8_t *mac_key, } key->key_len = mac_key_len; - if(!EVP_PKEY_assign(ret, EVP_PKEY_HMAC, key)) { + if (!EVP_PKEY_assign(ret, EVP_PKEY_HMAC, key)) { OPENSSL_free(key); goto err; } @@ -547,8 +543,7 @@ EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *unused, int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len) { SET_DIT_AUTO_RESET; - if (pkey == NULL || - pkey->ameth == NULL || + if (pkey == NULL || pkey->ameth == NULL || pkey->ameth->get_priv_raw == NULL) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; 
@@ -560,9 +555,7 @@ int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, uint8_t *out, int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len) { SET_DIT_AUTO_RESET; - if (pkey == NULL || - pkey->ameth == NULL || - pkey->ameth->get_pub_raw == NULL) { + if (pkey == NULL || pkey->ameth == NULL || pkey->ameth->get_pub_raw == NULL) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; } @@ -653,7 +646,6 @@ int EVP_PKEY_base_id(const EVP_PKEY *pkey) { } static int evp_pkey_tls_encodedpoint_ec_curve_supported(const EC_KEY *ec_key) { - int ret = 0; int curve_nid = 0; const EC_GROUP *ec_key_group = NULL; @@ -670,10 +662,8 @@ static int evp_pkey_tls_encodedpoint_ec_curve_supported(const EC_KEY *ec_key) { } curve_nid = EC_GROUP_get_curve_name(ec_key_group); - if ((NID_secp224r1 != curve_nid) && - (NID_X9_62_prime256v1 != curve_nid) && - (NID_secp384r1 != curve_nid) && - (NID_secp521r1 != curve_nid)) { + if ((NID_secp224r1 != curve_nid) && (NID_X9_62_prime256v1 != curve_nid) && + (NID_secp384r1 != curve_nid) && (NID_secp521r1 != curve_nid)) { OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE); goto err; } @@ -685,8 +675,8 @@ static int evp_pkey_tls_encodedpoint_ec_curve_supported(const EC_KEY *ec_key) { } static int evp_pkey_set1_tls_encodedpoint_ec_key(EVP_PKEY *pkey, - const uint8_t *in, - size_t len) { + const uint8_t *in, + size_t len) { int ret = 0; EC_KEY *ec_key = NULL; const EC_GROUP *ec_key_group = NULL; @@ -748,7 +738,7 @@ static int evp_pkey_set1_tls_encodedpoint_ec_key(EVP_PKEY *pkey, goto err; } - if (0 == EC_KEY_set_public_key(ec_key, (const EC_POINT *) ec_point)) { + if (0 == EC_KEY_set_public_key(ec_key, (const EC_POINT *)ec_point)) { OPENSSL_PUT_ERROR(EVP, ERR_R_EVP_LIB); goto err; } 
@@ -761,8 +751,8 @@ static int evp_pkey_set1_tls_encodedpoint_ec_key(EVP_PKEY *pkey, } static int evp_pkey_set1_tls_encodedpoint_x25519(EVP_PKEY *pkey, - const uint8_t *in, - size_t len) { + const uint8_t *in, + size_t len) { int ret = 0; if ((NULL == pkey) || (NULL == in)) { @@ -797,7 +787,7 @@ static int evp_pkey_set1_tls_encodedpoint_x25519(EVP_PKEY *pkey, } int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey, const uint8_t *in, - size_t len) { + size_t len) { SET_DIT_AUTO_RESET; if (NULL == pkey) { OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER); @@ -819,8 +809,7 @@ int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey, const uint8_t *in, } static size_t evp_pkey_get1_tls_encodedpoint_ec_key(const EVP_PKEY *pkey, - uint8_t **out_ptr) { - + uint8_t **out_ptr) { size_t ret = 0; const EC_KEY *ec_key = NULL; @@ -865,8 +854,7 @@ static size_t evp_pkey_get1_tls_encodedpoint_ec_key(const EVP_PKEY *pkey, } static size_t evp_pkey_get1_tls_encodedpoint_x25519(const EVP_PKEY *pkey, - uint8_t **out_ptr) { - + uint8_t **out_ptr) { size_t ret = 0; size_t out_len = 0; @@ -926,7 +914,7 @@ size_t EVP_PKEY_get1_tls_encodedpoint(const EVP_PKEY *pkey, uint8_t **out_ptr) { default: OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE); goto err; - } + } err: return 0; diff --git a/crypto/fipsmodule/evp/evp_ctx.c b/crypto/fipsmodule/evp/evp_ctx.c index 310d7ec674..2a967e59d3 100644 --- a/crypto/fipsmodule/evp/evp_ctx.c +++ b/crypto/fipsmodule/evp/evp_ctx.c @@ -63,9 +63,9 @@ #include #include +#include "../../evp_extra/internal.h" #include "../../internal.h" #include "internal.h" -#include "../../evp_extra/internal.h" DEFINE_LOCAL_DATA(struct fips_evp_pkey_methods, AWSLC_fips_evp_pkey_methods) { out->methods[0] = EVP_PKEY_rsa_pkey_meth(); 
@@ -79,10 +79,10 @@ DEFINE_LOCAL_DATA(struct fips_evp_pkey_methods, AWSLC_fips_evp_pkey_methods) { } static const EVP_PKEY_METHOD *evp_pkey_meth_find(int type) { - // First we search through the FIPS public key methods. We assume these are // the most popular. - const struct fips_evp_pkey_methods *const fips_methods = AWSLC_fips_evp_pkey_methods(); + const struct fips_evp_pkey_methods *const fips_methods = + AWSLC_fips_evp_pkey_methods(); for (size_t i = 0; i < FIPS_EVP_PKEY_METHODS; i++) { if (fips_methods->methods[i]->pkey_id == type) { return fips_methods->methods[i]; @@ -90,7 +90,8 @@ static const EVP_PKEY_METHOD *evp_pkey_meth_find(int type) { } // Can still seek non-fips validated algorithms in fips mode. - const EVP_PKEY_METHOD *const *non_fips_methods = AWSLC_non_fips_pkey_evp_methods(); + const EVP_PKEY_METHOD *const *non_fips_methods = + AWSLC_non_fips_pkey_evp_methods(); for (size_t i = 0; i < NON_FIPS_EVP_PKEY_METHODS; i++) { if (non_fips_methods[i]->pkey_id == type) { return non_fips_methods[i]; @@ -455,10 +456,8 @@ int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx) { return 1; } -int EVP_PKEY_keygen_deterministic(EVP_PKEY_CTX *ctx, - EVP_PKEY **out_pkey, - const uint8_t *seed, - size_t *seed_len) { +int EVP_PKEY_keygen_deterministic(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey, + const uint8_t *seed, size_t *seed_len) { int ret = 0; if (!ctx || !ctx->pmeth || !ctx->pmeth->keygen_deterministic) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); @@ -503,8 +502,8 @@ int EVP_PKEY_keygen_deterministic(EVP_PKEY_CTX *ctx, } int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey) { - // We have to avoid potential underlying services updating the indicator state, - // so we lock the state here. + // We have to avoid potential underlying services updating the indicator + // state, so we lock the state here. FIPS_service_indicator_lock_state(); SET_DIT_AUTO_RESET; int ret = 0; 
@@ -538,7 +537,7 @@ int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey) { ret = 1; end: FIPS_service_indicator_unlock_state(); - if(ret) { + if (ret) { EVP_PKEY_keygen_verify_service_indicator(*out_pkey); } return ret; @@ -585,14 +584,13 @@ int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey) { return 1; } -int EVP_PKEY_encapsulate_deterministic(EVP_PKEY_CTX *ctx, - uint8_t *ciphertext, +int EVP_PKEY_encapsulate_deterministic(EVP_PKEY_CTX *ctx, uint8_t *ciphertext, size_t *ciphertext_len, uint8_t *shared_secret, size_t *shared_secret_len, - const uint8_t *seed, - size_t *seed_len) { - if (ctx == NULL || ctx->pmeth == NULL || ctx->pmeth->encapsulate_deterministic == NULL) { + const uint8_t *seed, size_t *seed_len) { + if (ctx == NULL || ctx->pmeth == NULL || + ctx->pmeth->encapsulate_deterministic == NULL) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; } diff --git a/crypto/fipsmodule/evp/evp_ctx_test.cc b/crypto/fipsmodule/evp/evp_ctx_test.cc index 576b192fba..f1c67c0ae0 100644 --- a/crypto/fipsmodule/evp/evp_ctx_test.cc +++ b/crypto/fipsmodule/evp/evp_ctx_test.cc @@ -24,7 +24,7 @@ class EvpPkeyCtxCtrlStrTest : public ::testing::Test { }; class EvpPkeyCtxCtrlStrParamTest : public testing::TestWithParam { -protected: + protected: void SetUp() override {} void TearDown() override {} @@ -153,7 +153,6 @@ TEST_F(EvpPkeyCtxCtrlStrTest, RsaKeygenPubexp) { uint64_t pe_u64; ASSERT_TRUE(BN_get_u64(const_pe_bn, &pe_u64)); EXPECT_EQ(pe_u64, expected_pe); - } TEST_F(EvpPkeyCtxCtrlStrTest, RsaMgf1Md) { @@ -201,7 +200,7 @@ TEST_F(EvpPkeyCtxCtrlStrTest, RsaOaepLabel) { } TEST_P(EvpPkeyCtxCtrlStrParamTest, EcParamgenCurve) { - const char* name = GetParam(); + const char *name = GetParam(); // Create a EVP_PKEY_CTX with a newly generated EC key EVP_PKEY *raw = nullptr; 
@@ -214,15 +213,14 @@ TEST_P(EvpPkeyCtxCtrlStrParamTest, EcParamgenCurve) { bssl::UniquePtr pkey(raw); ASSERT_TRUE(pkey); - const EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(pkey.get()); + const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey.get()); ASSERT_TRUE(ec_key != nullptr); - const EC_GROUP* ec_group = EC_KEY_get0_group(ec_key); + const EC_GROUP *ec_group = EC_KEY_get0_group(ec_key); ASSERT_TRUE(ec_group != nullptr); ASSERT_EQ(NID_X9_62_prime256v1, EC_GROUP_get_curve_name(ec_group)); } -INSTANTIATE_TEST_SUITE_P(EcParamgenCurve, - EvpPkeyCtxCtrlStrParamTest, +INSTANTIATE_TEST_SUITE_P(EcParamgenCurve, EvpPkeyCtxCtrlStrParamTest, testing::Values("P-256", "prime256v1")); @@ -253,22 +251,24 @@ TEST_F(EvpPkeyCtxCtrlStrTest, DhParamGen) { ASSERT_TRUE(ctx); ASSERT_TRUE(EVP_PKEY_paramgen_init(ctx.get())); - ASSERT_EQ(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dh_paramgen_prime_len", "256"), 1); + ASSERT_EQ(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dh_paramgen_prime_len", "256"), + 1); ASSERT_NE(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dh_paramgen_prime_len", "gg"), 1); - ASSERT_NE(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dh_paramgen_prime_len", "255"), 1); + ASSERT_NE(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dh_paramgen_prime_len", "255"), + 1); ASSERT_EQ(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dh_paramgen_generator", "5"), 1); ASSERT_NE(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dh_paramgen_prime_len", "gg"), 1); ASSERT_NE(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dh_paramgen_prime_len", "1"), 1); - EVP_PKEY* raw = nullptr; + EVP_PKEY *raw = nullptr; ASSERT_EQ(EVP_PKEY_paramgen(ctx.get(), &raw), 1); bssl::UniquePtr pkey(raw); ASSERT_TRUE(raw); - const DH* dh = EVP_PKEY_get0_DH(pkey.get()); + const DH *dh = EVP_PKEY_get0_DH(pkey.get()); ASSERT_TRUE(dh); - const BIGNUM* p = DH_get0_p(dh); + const BIGNUM *p = DH_get0_p(dh); ASSERT_TRUE(p); unsigned p_size = BN_num_bits(p); ASSERT_EQ(p_size, 256u); 
@@ -328,14 +328,14 @@ TEST_F(EvpPkeyCtxCtrlStrTest, HkdfRaw) { size_t len; bssl::UniquePtr info_parsed(OPENSSL_hexstr2buf(hkdf_hexinfo, &len)); - bssl::UniquePtr info((uint8_t*)OPENSSL_zalloc(len+1)); + bssl::UniquePtr info((uint8_t *)OPENSSL_zalloc(len + 1)); OPENSSL_memcpy(info.get(), info_parsed.get(), len); ASSERT_EQ(EVP_PKEY_CTX_ctrl_str(ctx.get(), "info", reinterpret_cast(info.get())), 1); bssl::UniquePtr key_parsed(OPENSSL_hexstr2buf(hkdf_hexkey, &len)); - bssl::UniquePtr key((uint8_t*)OPENSSL_zalloc(len+1)); + bssl::UniquePtr key((uint8_t *)OPENSSL_zalloc(len + 1)); OPENSSL_memcpy(key.get(), key_parsed.get(), len); ASSERT_EQ(EVP_PKEY_CTX_ctrl_str(ctx.get(), "key", @@ -386,16 +386,16 @@ TEST_F(EvpPkeyCtxCtrlStrTest, HkdfExtract) { static const char *hmac_hexkey = "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"; TEST_F(EvpPkeyCtxCtrlStrTest, HMACKey) { - bssl::UniquePtr pkey_hex; { - bssl::UniquePtr ctx_hex(EVP_PKEY_CTX_new_id(EVP_PKEY_HMAC, NULL)); + bssl::UniquePtr ctx_hex( + EVP_PKEY_CTX_new_id(EVP_PKEY_HMAC, NULL)); ASSERT_TRUE(ctx_hex); ASSERT_TRUE(EVP_PKEY_keygen_init(ctx_hex.get())); ASSERT_NE(1, EVP_PKEY_CTX_ctrl_str(ctx_hex.get(), "hexkey", "nonsense")); ASSERT_TRUE(EVP_PKEY_CTX_ctrl_str(ctx_hex.get(), "hexkey", hmac_hexkey)); - EVP_PKEY* my_pkey = NULL; + EVP_PKEY *my_pkey = NULL; ASSERT_TRUE(EVP_PKEY_keygen(ctx_hex.get(), &my_pkey)); pkey_hex.reset(my_pkey); ASSERT_TRUE(pkey_hex); 
@@ -403,15 +403,17 @@ TEST_F(EvpPkeyCtxCtrlStrTest, HMACKey) { bssl::UniquePtr pkey_raw; { - bssl::UniquePtr ctx_hex(EVP_PKEY_CTX_new_id(EVP_PKEY_HMAC, NULL)); + bssl::UniquePtr ctx_hex( + EVP_PKEY_CTX_new_id(EVP_PKEY_HMAC, NULL)); ASSERT_TRUE(ctx_hex); ASSERT_TRUE(EVP_PKEY_keygen_init(ctx_hex.get())); std::vector raw_key; DecodeHex(&raw_key, hmac_hexkey); raw_key.push_back(0); - ASSERT_TRUE(EVP_PKEY_CTX_ctrl_str(ctx_hex.get(), "key", (char*)raw_key.data())); - EVP_PKEY* my_pkey = NULL; + ASSERT_TRUE( + EVP_PKEY_CTX_ctrl_str(ctx_hex.get(), "key", (char *)raw_key.data())); + EVP_PKEY *my_pkey = NULL; ASSERT_TRUE(EVP_PKEY_keygen(ctx_hex.get(), &my_pkey)); pkey_raw.reset(my_pkey); ASSERT_TRUE(pkey_raw); @@ -422,14 +424,14 @@ TEST_F(EvpPkeyCtxCtrlStrTest, HMACKey) { -static void verify_DSA(const DSA* dsa, unsigned psize, unsigned qsize) { - const BIGNUM* p = DSA_get0_p(dsa); +static void verify_DSA(const DSA *dsa, unsigned psize, unsigned qsize) { + const BIGNUM *p = DSA_get0_p(dsa); EXPECT_TRUE(p != NULL); if (p == NULL) { return; } EXPECT_EQ(BN_num_bytes(p), psize); - const BIGNUM* q = DSA_get0_q(dsa); + const BIGNUM *q = DSA_get0_q(dsa); EXPECT_TRUE(q != NULL); if (q == NULL) { return; @@ -439,7 +441,6 @@ static void verify_DSA(const DSA* dsa, unsigned psize, unsigned qsize) { TEST_F(EvpPkeyCtxCtrlStrTest, DSAParamGen) { - { bssl::UniquePtr ctx( EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, nullptr)); 
@@ -467,9 +468,12 @@ TEST_F(EvpPkeyCtxCtrlStrTest, DSAParamGen) { ASSERT_TRUE(ctx); ASSERT_TRUE(EVP_PKEY_paramgen_init(ctx.get())); ASSERT_EQ(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dsa_paramgen_bits", "768"), 1); - ASSERT_EQ(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dsa_paramgen_q_bits", "224"), 1); - ASSERT_NE(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dsa_paramgen_q_bits", "128"), 1); - ASSERT_NE(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dsa_paramgen_q_bits", "aghj"), 1); + ASSERT_EQ(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dsa_paramgen_q_bits", "224"), + 1); + ASSERT_NE(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dsa_paramgen_q_bits", "128"), + 1); + ASSERT_NE(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dsa_paramgen_q_bits", "aghj"), + 1); EVP_PKEY *pkey_raw = NULL; EVP_PKEY_paramgen(ctx.get(), &pkey_raw); @@ -487,7 +491,8 @@ TEST_F(EvpPkeyCtxCtrlStrTest, DSAParamGen) { ASSERT_TRUE(ctx); ASSERT_TRUE(EVP_PKEY_paramgen_init(ctx.get())); ASSERT_EQ(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dsa_paramgen_bits", "512"), 1); - ASSERT_EQ(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dsa_paramgen_q_bits", "160"), 1); + ASSERT_EQ(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dsa_paramgen_q_bits", "160"), + 1); // MD takes precedence over qbits ASSERT_EQ(EVP_PKEY_CTX_ctrl_str(ctx.get(), "dsa_paramgen_md", "SHA256"), 1); diff --git a/crypto/fipsmodule/evp/internal.h b/crypto/fipsmodule/evp/internal.h index 454d1c4294..c267d0c8b8 100644 --- a/crypto/fipsmodule/evp/internal.h +++ b/crypto/fipsmodule/evp/internal.h @@ -59,9 +59,9 @@ #include -#include -#include #include +#include +#include #if defined(__cplusplus) extern "C" { 
@@ -117,7 +117,9 @@ struct evp_pkey_asn1_method_st { // the result to |out|. It returns one on success and zero on error. int (*priv_encode_v2)(CBB *out, const EVP_PKEY *key); - int (*set_priv_raw)(EVP_PKEY *pkey, const uint8_t *privkey, size_t privkey_len, const uint8_t *pubkey, size_t pubkey_len); + int (*set_priv_raw)(EVP_PKEY *pkey, const uint8_t *privkey, + size_t privkey_len, const uint8_t *pubkey, + size_t pubkey_len); int (*set_pub_raw)(EVP_PKEY *pkey, const uint8_t *in, size_t len); int (*get_priv_raw)(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len); int (*get_pub_raw)(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len); @@ -134,7 +136,7 @@ struct evp_pkey_asn1_method_st { int (*param_cmp)(const EVP_PKEY *a, const EVP_PKEY *b); void (*pkey_free)(EVP_PKEY *pkey); -}; // EVP_PKEY_ASN1_METHOD +}; // EVP_PKEY_ASN1_METHOD struct evp_pkey_st { CRYPTO_refcount_t references; @@ -150,7 +152,7 @@ struct evp_pkey_st { DH *dh; EC_KEY *ec; KEM_KEY *kem_key; - PQDSA_KEY * pqdsa_key; + PQDSA_KEY *pqdsa_key; } pkey; // ameth contains a pointer to a method table that contains many ASN.1 
@@ -193,17 +195,19 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, // This function is deprecated and should not be used in new code. // // |ctx| is the context to operate on. -// |optype| is the operation type (e.g., EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_OP_KEYGEN). -// |cmd| is the specific command (e.g., EVP_PKEY_CTRL_MD). +// |optype| is the operation type (e.g., EVP_PKEY_OP_TYPE_SIG, +// EVP_PKEY_OP_KEYGEN). |cmd| is the specific command (e.g., EVP_PKEY_CTRL_MD). // |md| is the name of the message digest algorithm to use. // // It returns 1 for success and 0 or a negative value for failure. -OPENSSL_EXPORT int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md); +OPENSSL_EXPORT int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, + const char *md); // EVP_RSA_PKEY_CTX_ctrl is a wrapper of |EVP_PKEY_CTX_ctrl|. // Before calling |EVP_PKEY_CTX_ctrl|, a check is added to make sure // the |ctx->pmeth->pkey_id| is either |EVP_PKEY_RSA| or |EVP_PKEY_RSA_PSS|. -int EVP_RSA_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2); +int EVP_RSA_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, + void *p2); #define EVP_PKEY_CTRL_MD 1 #define EVP_PKEY_CTRL_GET_MD 2 @@ -281,7 +285,7 @@ struct evp_pkey_ctx_st { // See |EVP_PKEY_CTX_get_keygen_info| for more details. EVP_PKEY_gen_cb *pkey_gencb; int keygen_info[EVP_PKEY_CTX_KEYGEN_INFO_COUNT]; -}; // EVP_PKEY_CTX +}; // EVP_PKEY_CTX struct evp_pkey_method_st { int pkey_id; 
@@ -320,31 +324,27 @@ struct evp_pkey_method_st { int (*ctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2); - int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value); + int (*ctrl_str)(EVP_PKEY_CTX *ctx, const char *type, const char *value); // Encapsulate, encapsulate_deterministic, keygen_deterministic, and // decapsulate are operations defined for a Key Encapsulation Mechanism (KEM). - int (*keygen_deterministic)(EVP_PKEY_CTX *ctx, - EVP_PKEY *pkey, - const uint8_t *seed, - size_t *seed_len); + int (*keygen_deterministic)(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey, + const uint8_t *seed, size_t *seed_len); - int (*encapsulate_deterministic)(EVP_PKEY_CTX *ctx, - uint8_t *ciphertext, + int (*encapsulate_deterministic)(EVP_PKEY_CTX *ctx, uint8_t *ciphertext, size_t *ciphertext_len, uint8_t *shared_secret, size_t *shared_secret_len, - const uint8_t *seed, - size_t *seed_len); + const uint8_t *seed, size_t *seed_len); - int (*encapsulate)(EVP_PKEY_CTX *ctx, - uint8_t *ciphertext, size_t *ciphertext_len, - uint8_t *shared_secret, size_t *shared_secret_len); + int (*encapsulate)(EVP_PKEY_CTX *ctx, uint8_t *ciphertext, + size_t *ciphertext_len, uint8_t *shared_secret, + size_t *shared_secret_len); - int (*decapsulate)(EVP_PKEY_CTX *ctx, - uint8_t *shared_secret, size_t *shared_secret_len, - const uint8_t *ciphertext, size_t ciphertext_len); -}; // EVP_PKEY_METHOD + int (*decapsulate)(EVP_PKEY_CTX *ctx, uint8_t *shared_secret, + size_t *shared_secret_len, const uint8_t *ciphertext, + size_t ciphertext_len); +}; // EVP_PKEY_METHOD // used_for_hmac indicates if |ctx| is used specifically for the |EVP_PKEY_HMAC| // operation. 
@@ -356,16 +356,17 @@ typedef struct { } HMAC_KEY; typedef struct { - const EVP_MD *md; // MD for HMAC use. + const EVP_MD *md; // MD for HMAC use. HMAC_CTX ctx; HMAC_KEY ktmp; } HMAC_PKEY_CTX; // HMAC_KEY_set copies provided key into hmac_key. It frees any existing key // on hmac_key. It returns 1 on success, and 0 otherwise. -int HMAC_KEY_set(HMAC_KEY* hmac_key, const uint8_t* key, const size_t key_len); -// HMAC_KEY_copy allocates and a new |HMAC_KEY| with identical contents (internal use). -int HMAC_KEY_copy(HMAC_KEY* dest, HMAC_KEY* src); +int HMAC_KEY_set(HMAC_KEY *hmac_key, const uint8_t *key, const size_t key_len); +// HMAC_KEY_copy allocates and a new |HMAC_KEY| with identical contents +// (internal use). +int HMAC_KEY_copy(HMAC_KEY *dest, HMAC_KEY *src); // HMAC_KEY_new allocates and zeroizes a |HMAC_KEY| for internal use. HMAC_KEY *HMAC_KEY_new(void); @@ -388,7 +389,7 @@ void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx); #define ASN1_EVP_PKEY_METHODS 11 struct fips_evp_pkey_methods { - const EVP_PKEY_METHOD * methods[FIPS_EVP_PKEY_METHODS]; + const EVP_PKEY_METHOD *methods[FIPS_EVP_PKEY_METHODS]; }; const EVP_PKEY_METHOD *EVP_PKEY_rsa_pkey_meth(void); @@ -404,7 +405,7 @@ const EVP_PKEY_METHOD *EVP_PKEY_ed25519ph_pkey_meth(void); struct evp_pkey_ctx_signature_context_params_st { const uint8_t *context; size_t context_len; -}; // EVP_PKEY_CTX_SIGNATURE_CONTEXT_PARAMS +}; // EVP_PKEY_CTX_SIGNATURE_CONTEXT_PARAMS #if defined(__cplusplus) } // extern C diff --git a/crypto/fipsmodule/evp/p_ec.c b/crypto/fipsmodule/evp/p_ec.c index d48bbaf3c4..6f17828d29 100644 --- a/crypto/fipsmodule/evp/p_ec.c +++ b/crypto/fipsmodule/evp/p_ec.c @@ -67,9 +67,9 @@ #include #include -#include "internal.h" -#include "../ec/internal.h" #include "../../internal.h" +#include "../ec/internal.h" +#include "internal.h" typedef struct { 
@@ -137,8 +137,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen, return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->pkey->pkey.ec); } -static int pkey_ec_derive(EVP_PKEY_CTX *ctx, uint8_t *key, - size_t *keylen) { +static int pkey_ec_derive(EVP_PKEY_CTX *ctx, uint8_t *key, size_t *keylen) { const EC_POINT *pubkey = NULL; EC_KEY *eckey; uint8_t buf[EC_MAX_BYTES]; @@ -166,11 +165,11 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, uint8_t *key, // Note: This is an internal function which will not update // the service indicator. if (!ECDH_compute_shared_secret(buf, &buflen, pubkey, eckey)) { - return 0; + return 0; } if (buflen < *keylen) { - *keylen = buflen; + *keylen = buflen; } OPENSSL_memcpy(key, buf, *keylen); @@ -193,8 +192,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { md_type != NID_sha512 && md_type != NID_sha512_224 && md_type != NID_sha512_256 && md_type != NID_sha3_224 && md_type != NID_sha3_256 && md_type != NID_sha3_384 && - md_type != NID_sha3_512 - ) { + md_type != NID_sha3_512) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_TYPE); return 0; } @@ -270,12 +268,12 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { group = EC_KEY_get0_group(ctx->pkey->pkey.ec); } EC_KEY *ec = EC_KEY_new(); - // In FIPS build, |EC_KEY_generate_key_fips| updates the service indicator so lock it here + // In FIPS build, |EC_KEY_generate_key_fips| updates the service indicator so + // lock it here FIPS_service_indicator_lock_state(); - if (ec == NULL || - !EC_KEY_set_group(ec, group) || + if (ec == NULL || !EC_KEY_set_group(ec, group) || (!is_fips_build() && !EC_KEY_generate_key(ec)) || - ( is_fips_build() && !EC_KEY_generate_key_fips(ec))) { + (is_fips_build() && !EC_KEY_generate_key_fips(ec))) { EC_KEY_free(ec); goto end; } 
@@ -294,8 +292,7 @@ static int pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
 return 0;
 }
 EC_KEY *ec = EC_KEY_new();
- if (ec == NULL ||
- !EC_KEY_set_group(ec, dctx->gen_group)) {
+ if (ec == NULL || !EC_KEY_set_group(ec, dctx->gen_group)) {
 EC_KEY_free(ec);
 return 0;
 }
@@ -304,24 +301,24 @@ static int pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
 }
 
 DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_ec_pkey_meth) {
- out->pkey_id = EVP_PKEY_EC;
- out->init = pkey_ec_init;
- out->copy = pkey_ec_copy;
- out->cleanup = pkey_ec_cleanup;
- out->keygen = pkey_ec_keygen;
- out->sign_init = NULL; /* sign_init */
- out->sign = pkey_ec_sign;
- out->sign_message = NULL; /* sign_message */
- out->verify_init = NULL; /* verify_init */
- out->verify = pkey_ec_verify;
- out->verify_message = NULL; /* verify_message */
- out->verify_recover = NULL; /* verify_recover */
- out->encrypt = NULL; /* encrypt */
- out->decrypt = NULL; /* decrypt */
- out->derive = pkey_ec_derive;
- out->paramgen = pkey_ec_paramgen;
- out->ctrl = pkey_ec_ctrl;
- out->ctrl_str = pkey_ec_ctrl_str;
+ out->pkey_id = EVP_PKEY_EC;
+ out->init = pkey_ec_init;
+ out->copy = pkey_ec_copy;
+ out->cleanup = pkey_ec_cleanup;
+ out->keygen = pkey_ec_keygen;
+ out->sign_init = NULL; /* sign_init */
+ out->sign = pkey_ec_sign;
+ out->sign_message = NULL; /* sign_message */
+ out->verify_init = NULL; /* verify_init */
+ out->verify = pkey_ec_verify;
+ out->verify_message = NULL; /* verify_message */
+ out->verify_recover = NULL; /* verify_recover */
+ out->encrypt = NULL; /* encrypt */
+ out->decrypt = NULL; /* decrypt */
+ out->derive = pkey_ec_derive;
+ out->paramgen = pkey_ec_paramgen;
+ out->ctrl = pkey_ec_ctrl;
+ out->ctrl_str = pkey_ec_ctrl_str;
 }
 
 int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid) {
diff --git a/crypto/fipsmodule/evp/p_hkdf.c b/crypto/fipsmodule/evp/p_hkdf.c
index 69a8552e62..0800e2fbb7 100644
--- a/crypto/fipsmodule/evp/p_hkdf.c
+++ b/crypto/fipsmodule/evp/p_hkdf.c
@@ -259,24 +259,24 @@ static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
 }
 
 DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_hkdf_pkey_meth) {
- out->pkey_id = EVP_PKEY_HKDF;
- out->init = pkey_hkdf_init;
- out->copy = pkey_hkdf_copy;
- out->cleanup = pkey_hkdf_cleanup;
- out->keygen = NULL; /* keygen */
- out->sign_init = NULL; /* sign_init */
- out->sign = NULL; /* sign */
- out->sign_message = NULL; /* sign_message */
- out->verify_init = NULL; /* verify_init */
- out->verify = NULL; /* verify */
- out->verify_message = NULL; /* verify_message */
- out->verify_recover = NULL; /* verify_recover */
- out->encrypt = NULL; /* encrypt */
- out->decrypt = NULL; /* decrypt */
- out->derive = pkey_hkdf_derive;
- out->paramgen = NULL; /* paramgen */
- out->ctrl = pkey_hkdf_ctrl;
- out->ctrl_str = pkey_hkdf_ctrl_str;
+ out->pkey_id = EVP_PKEY_HKDF;
+ out->init = pkey_hkdf_init;
+ out->copy = pkey_hkdf_copy;
+ out->cleanup = pkey_hkdf_cleanup;
+ out->keygen = NULL; /* keygen */
+ out->sign_init = NULL; /* sign_init */
+ out->sign = NULL; /* sign */
+ out->sign_message = NULL; /* sign_message */
+ out->verify_init = NULL; /* verify_init */
+ out->verify = NULL; /* verify */
+ out->verify_message = NULL; /* verify_message */
+ out->verify_recover = NULL; /* verify_recover */
+ out->encrypt = NULL; /* encrypt */
+ out->decrypt = NULL; /* decrypt */
+ out->derive = pkey_hkdf_derive;
+ out->paramgen = NULL; /* paramgen */
+ out->ctrl = pkey_hkdf_ctrl;
+ out->ctrl_str = pkey_hkdf_ctrl_str;
 }
 
 int EVP_PKEY_CTX_hkdf_mode(EVP_PKEY_CTX *ctx, int mode) {
diff --git a/crypto/fipsmodule/evp/p_hmac.c b/crypto/fipsmodule/evp/p_hmac.c
index 6be4583ba3..c07a7307c2 100644
--- a/crypto/fipsmodule/evp/p_hmac.c
+++ b/crypto/fipsmodule/evp/p_hmac.c
@@ -81,7 +81,7 @@ static int hmac_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {
 sctx = src->data;
 dctx = dst->data;
 dctx->md = sctx->md;
- if(sctx->ktmp.key != NULL && !HMAC_KEY_copy(&sctx->ktmp, &dctx->ktmp)) {
+ if (sctx->ktmp.key != NULL && !HMAC_KEY_copy(&sctx->ktmp, &dctx->ktmp)) {
 OPENSSL_free(dctx);
 return 0;
 }
@@ -133,7 +133,7 @@ static int hmac_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
 // What if the key contains a 0-byte?
 const size_t keylen = OPENSSL_strnlen(value, INT16_MAX);
 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_HMAC, EVP_PKEY_OP_KEYGEN,
- EVP_PKEY_CTRL_SET_MAC_KEY, keylen, (void*)value);
+ EVP_PKEY_CTRL_SET_MAC_KEY, keylen, (void *)value);
 }
 if (strcmp(type, "hexkey") == 0) {
 size_t hex_keylen = 0;
@@ -141,9 +141,8 @@ static int hmac_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
 if (key == NULL) {
 return 0;
 }
- int result =
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_HMAC, EVP_PKEY_OP_KEYGEN,
- EVP_PKEY_CTRL_SET_MAC_KEY, hex_keylen, key);
+ int result = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_HMAC, EVP_PKEY_OP_KEYGEN,
+ EVP_PKEY_CTRL_SET_MAC_KEY, hex_keylen, key);
 OPENSSL_free(key);
 return result;
 }
@@ -154,13 +153,13 @@ static int hmac_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
 GUARD_PTR(pkey);
 HMAC_KEY *hmac = NULL;
 HMAC_PKEY_CTX *hctx = ctx->data;
- if(hctx == NULL) {
+ if (hctx == NULL) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED);
 return 0;
 }
 
 if (!(hmac = HMAC_KEY_new())) {
- return 0;
+ return 0;
 }
 
 if (!HMAC_KEY_copy(hmac, &hctx->ktmp) ||
@@ -195,8 +194,8 @@ HMAC_KEY *HMAC_KEY_new(void) {
 return key;
 }
 
-int HMAC_KEY_set(HMAC_KEY* hmac_key, const uint8_t* key, const size_t key_len) {
- if(hmac_key == NULL ) {
+int HMAC_KEY_set(HMAC_KEY *hmac_key, const uint8_t *key, const size_t key_len) {
+ if (hmac_key == NULL) {
 return 0;
 }
 if (key == NULL || key_len == 0) {
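Review bot: In `hmac_copy` the call `HMAC_KEY_copy(&sctx->ktmp, &dctx->ktmp)` passes the source context's key as the first argument, yet the prototype later in this file is `HMAC_KEY_copy(HMAC_KEY *dest, HMAC_KEY *src)` and `hmac_keygen` calls it destination-first as `HMAC_KEY_copy(hmac, &hctx->ktmp)`. Unless `HMAC_KEY_copy` is deliberately symmetric, this copies the freshly initialised `dctx` key over `sctx` instead of duplicating `sctx`'s key into `dctx`; the call should read `if (sctx->ktmp.key != NULL && !HMAC_KEY_copy(&dctx->ktmp, &sctx->ktmp)) {`, and what happens to `sctx`'s key in the current form depends on `HMAC_KEY_set`'s `key == NULL` path, which is only partly visible here. Separately, the failure path does `OPENSSL_free(dctx)` while `dst->data` still points at it; if `dst` is later cleaned up that is a double free, so either set `dst->data = NULL` after the free or leave the release to the context's cleanup. `hmac_copy` begins before this hunk.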
@@ -205,8 +204,8 @@ int HMAC_KEY_set(HMAC_KEY* hmac_key, const uint8_t* key, const size_t key_len) { return 1; } - uint8_t* new_key = OPENSSL_memdup(key, key_len); - if(new_key == NULL) { + uint8_t *new_key = OPENSSL_memdup(key, key_len); + if (new_key == NULL) { return 0; } OPENSSL_free(hmac_key->key); @@ -215,7 +214,7 @@ int HMAC_KEY_set(HMAC_KEY* hmac_key, const uint8_t* key, const size_t key_len) { return 1; } -int HMAC_KEY_copy(HMAC_KEY* dest, HMAC_KEY* src) { +int HMAC_KEY_copy(HMAC_KEY *dest, HMAC_KEY *src) { GUARD_PTR(dest); GUARD_PTR(src); diff --git a/crypto/fipsmodule/evp/p_kem.c b/crypto/fipsmodule/evp/p_kem.c index 9e696c5167..85f4ba1128 100644 --- a/crypto/fipsmodule/evp/p_kem.c +++ b/crypto/fipsmodule/evp/p_kem.c @@ -6,10 +6,9 @@ #include #include -#include "internal.h" +#include "../../internal.h" #include "../delocate.h" #include "../kem/internal.h" -#include "../../internal.h" #include "internal.h" typedef struct { @@ -28,12 +27,9 @@ static int pkey_kem_init(EVP_PKEY_CTX *ctx) { return 1; } -static void pkey_kem_cleanup(EVP_PKEY_CTX *ctx) { - OPENSSL_free(ctx->data); -} +static void pkey_kem_cleanup(EVP_PKEY_CTX *ctx) { OPENSSL_free(ctx->data); } -static int pkey_kem_keygen_deterministic(EVP_PKEY_CTX *ctx, - EVP_PKEY *pkey, +static int pkey_kem_keygen_deterministic(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey, const uint8_t *seed, size_t *seed_len) { GUARD_PTR(ctx); @@ -67,9 +63,9 @@ static int pkey_kem_keygen_deterministic(EVP_PKEY_CTX *ctx, } KEM_KEY *key = KEM_KEY_new(); - if (key == NULL || - !KEM_KEY_init(key, kem) || - !kem->method->keygen_deterministic(key->public_key, key->secret_key, seed) || + if (key == NULL || !KEM_KEY_init(key, kem) || + !kem->method->keygen_deterministic(key->public_key, key->secret_key, + seed) || !EVP_PKEY_assign(pkey, EVP_PKEY_KEM, key)) { KEM_KEY_free(key); return 0; 
@@ -92,8 +88,7 @@ static int pkey_kem_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { } KEM_KEY *key = KEM_KEY_new(); - if (key == NULL || - !KEM_KEY_init(key, kem) || + if (key == NULL || !KEM_KEY_init(key, kem) || !kem->method->keygen(key->public_key, key->secret_key) || !EVP_PKEY_set_type(pkey, EVP_PKEY_KEM)) { KEM_KEY_free(key); @@ -104,13 +99,10 @@ static int pkey_kem_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { return 1; } -static int pkey_kem_encapsulate_deterministic(EVP_PKEY_CTX *ctx, - uint8_t *ciphertext, - size_t *ciphertext_len, - uint8_t *shared_secret, - size_t *shared_secret_len, - const uint8_t *seed, - size_t *seed_len) { +static int pkey_kem_encapsulate_deterministic( + EVP_PKEY_CTX *ctx, uint8_t *ciphertext, size_t *ciphertext_len, + uint8_t *shared_secret, size_t *shared_secret_len, const uint8_t *seed, + size_t *seed_len) { GUARD_PTR(ctx); KEM_PKEY_CTX *dctx = ctx->data; GUARD_PTR(dctx); @@ -124,7 +116,7 @@ static int pkey_kem_encapsulate_deterministic(EVP_PKEY_CTX *ctx, } // Check that size buffers can be written to. - if (ciphertext_len == NULL || shared_secret_len == NULL || seed_len == NULL ) { + if (ciphertext_len == NULL || shared_secret_len == NULL || seed_len == NULL) { OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER); return 0; } @@ -158,8 +150,7 @@ static int pkey_kem_encapsulate_deterministic(EVP_PKEY_CTX *ctx, } // Check that the context is properly configured. - if (ctx->pkey == NULL || - ctx->pkey->pkey.kem_key == NULL || + if (ctx->pkey == NULL || ctx->pkey->pkey.kem_key == NULL || ctx->pkey->type != EVP_PKEY_KEM) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED); return 0; @@ -172,7 +163,8 @@ static int pkey_kem_encapsulate_deterministic(EVP_PKEY_CTX *ctx, return 0; } - if (!kem->method->encaps_deterministic(ciphertext, shared_secret, key->public_key, seed)) { + if (!kem->method->encaps_deterministic(ciphertext, shared_secret, + key->public_key, seed)) { return 0; } 
@@ -184,11 +176,9 @@ static int pkey_kem_encapsulate_deterministic(EVP_PKEY_CTX *ctx, return 1; } -static int pkey_kem_encapsulate(EVP_PKEY_CTX *ctx, - uint8_t *ciphertext, - size_t *ciphertext_len, - uint8_t *shared_secret, - size_t *shared_secret_len) { +static int pkey_kem_encapsulate(EVP_PKEY_CTX *ctx, uint8_t *ciphertext, + size_t *ciphertext_len, uint8_t *shared_secret, + size_t *shared_secret_len) { KEM_PKEY_CTX *dctx = ctx->data; const KEM *kem = dctx->kem; if (kem == NULL) { @@ -216,16 +206,15 @@ static int pkey_kem_encapsulate(EVP_PKEY_CTX *ctx, // The output buffers need to be large enough. if (*ciphertext_len < kem->ciphertext_len || *shared_secret_len < kem->shared_secret_len) { - OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); - return 0; + OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL); + return 0; } // Check that the context is properly configured. - if (ctx->pkey == NULL || - ctx->pkey->pkey.kem_key == NULL || + if (ctx->pkey == NULL || ctx->pkey->pkey.kem_key == NULL || ctx->pkey->type != EVP_PKEY_KEM) { - OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED); - return 0; + OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED); + return 0; } // Check that the key has a public key set. @@ -247,9 +236,8 @@ static int pkey_kem_encapsulate(EVP_PKEY_CTX *ctx, return 1; } -static int pkey_kem_decapsulate(EVP_PKEY_CTX *ctx, - uint8_t *shared_secret, - size_t *shared_secret_len, +static int pkey_kem_decapsulate(EVP_PKEY_CTX *ctx, uint8_t *shared_secret, + size_t *shared_secret_len, const uint8_t *ciphertext, size_t ciphertext_len) { KEM_PKEY_CTX *dctx = ctx->data; 
@@ -271,16 +259,15 @@ static int pkey_kem_decapsulate(EVP_PKEY_CTX *ctx, // The input and output buffers need to be large enough. if (ciphertext_len != kem->ciphertext_len || *shared_secret_len < kem->shared_secret_len) { - OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE); - return 0; + OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE); + return 0; } // Check that the context is properly configured. - if (ctx->pkey == NULL || - ctx->pkey->pkey.kem_key == NULL || + if (ctx->pkey == NULL || ctx->pkey->pkey.kem_key == NULL || ctx->pkey->type != EVP_PKEY_KEM) { - OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED); - return 0; + OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED); + return 0; } // Check that the key has a secret key set. @@ -387,7 +374,8 @@ static EVP_PKEY *EVP_PKEY_kem_new(int nid) { return ret; } -EVP_PKEY *EVP_PKEY_kem_new_raw_public_key(int nid, const uint8_t *in, size_t len) { +EVP_PKEY *EVP_PKEY_kem_new_raw_public_key(int nid, const uint8_t *in, + size_t len) { if (in == NULL) { OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER); return NULL; @@ -417,7 +405,8 @@ EVP_PKEY *EVP_PKEY_kem_new_raw_public_key(int nid, const uint8_t *in, size_t len return NULL; } -EVP_PKEY *EVP_PKEY_kem_new_raw_secret_key(int nid, const uint8_t *in, size_t len) { +EVP_PKEY *EVP_PKEY_kem_new_raw_secret_key(int nid, const uint8_t *in, + size_t len) { if (in == NULL) { OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER); return NULL; @@ -447,9 +436,9 @@ EVP_PKEY *EVP_PKEY_kem_new_raw_secret_key(int nid, const uint8_t *in, size_t len return NULL; } -EVP_PKEY *EVP_PKEY_kem_new_raw_key(int nid, - const uint8_t *in_public, size_t len_public, - const uint8_t *in_secret, size_t len_secret) { +EVP_PKEY *EVP_PKEY_kem_new_raw_key(int nid, const uint8_t *in_public, + size_t len_public, const uint8_t *in_secret, + size_t len_secret) { if (in_public == NULL || in_secret == NULL) { OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER); return NULL; 
@@ -466,7 +455,7 @@ EVP_PKEY *EVP_PKEY_kem_new_raw_key(int nid, OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE); goto err; } - + if (!KEM_KEY_set_raw_key(ret->pkey.kem_key, in_public, in_secret)) { // KEM_KEY_set_raw_key sets the appropriate error. goto err; diff --git a/crypto/fipsmodule/evp/p_pqdsa.c b/crypto/fipsmodule/evp/p_pqdsa.c index 2e82df2aee..e3531a8b71 100644 --- a/crypto/fipsmodule/evp/p_pqdsa.c +++ b/crypto/fipsmodule/evp/p_pqdsa.c @@ -1,14 +1,14 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC -#include #include +#include #include #include "../crypto/evp_extra/internal.h" +#include "../crypto/internal.h" #include "../delocate.h" #include "../ml_dsa/ml_dsa.h" -#include "../crypto/internal.h" #include "../pqdsa/internal.h" // PQDSA PKEY functions @@ -29,9 +29,7 @@ static int pkey_pqdsa_init(EVP_PKEY_CTX *ctx) { return 1; } -static void pkey_pqdsa_cleanup(EVP_PKEY_CTX *ctx) { - OPENSSL_free(ctx->data); -} +static void pkey_pqdsa_cleanup(EVP_PKEY_CTX *ctx) { OPENSSL_free(ctx->data); } static int pkey_pqdsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { GUARD_PTR(ctx); @@ -47,13 +45,12 @@ static int pkey_pqdsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { } PQDSA_KEY *key = PQDSA_KEY_new(); - if (key == NULL || - !PQDSA_KEY_init(key, pqdsa) || + if (key == NULL || !PQDSA_KEY_init(key, pqdsa) || !pqdsa->method->pqdsa_keygen(key->public_key, key->private_key) || !EVP_PKEY_assign(pkey, EVP_PKEY_PQDSA, key)) { PQDSA_KEY_free(key); return 0; - } + } return 1; } @@ -84,8 +81,7 @@ static int pkey_pqdsa_sign_generic(EVP_PKEY_CTX *ctx, uint8_t *sig, } // Check that the context is properly configured. - if (ctx->pkey == NULL || - ctx->pkey->pkey.pqdsa_key == NULL || + if (ctx->pkey == NULL || ctx->pkey->pkey.pqdsa_key == NULL || ctx->pkey->type != EVP_PKEY_PQDSA) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED); return 0; 
@@ -97,25 +93,27 @@ static int pkey_pqdsa_sign_generic(EVP_PKEY_CTX *ctx, uint8_t *sig, return 0; } - // |sign_digest| is a flag we use to indicate that the message to be signed has - // already been pre-processed and hashed into a message digest. - // When the PQDSA algorithm is selected as ML-DSA (i.e., NID_MLDSA{44/65/87}), - // |sign_digest| indicates that the input is |mu| which is the result of a SHAKE256 - // hash of the associated public key concatenated with a zero byte to indicate - // pure-mode, the context string length, the contents of the context string, - // and the input message in this order e.g. - // mu = SHAKE256(SHAKE256(pk) || 0 || |ctx| || ctx || M). + // |sign_digest| is a flag we use to indicate that the message to be signed + // has already been pre-processed and hashed into a message digest. When the + // PQDSA algorithm is selected as ML-DSA (i.e., NID_MLDSA{44/65/87}), + // |sign_digest| indicates that the input is |mu| which is the result of a + // SHAKE256 hash of the associated public key concatenated with a zero byte to + // indicate pure-mode, the context string length, the contents of the context + // string, and the input message in this order e.g. mu = SHAKE256(SHAKE256(pk) + // || 0 || |ctx| || ctx || M). // RAW sign mode if (!sign_digest) { - if (!pqdsa->method->pqdsa_sign_message(key->private_key, sig, sig_len, message, message_len, NULL, 0)) { + if (!pqdsa->method->pqdsa_sign_message(key->private_key, sig, sig_len, + message, message_len, NULL, 0)) { OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR); return 0; } } // DIGEST sign mode else { - if (!pqdsa->method->pqdsa_sign(key->private_key, sig, sig_len, message, message_len)) { + if (!pqdsa->method->pqdsa_sign(key->private_key, sig, sig_len, message, + message_len)) { OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR); return 0; } 
@@ -125,16 +123,15 @@ static int pkey_pqdsa_sign_generic(EVP_PKEY_CTX *ctx, uint8_t *sig, } // DIGEST signing -static int pkey_pqdsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, - size_t *sig_len, const uint8_t *digest, - size_t digest_len) { +static int pkey_pqdsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *sig_len, + const uint8_t *digest, size_t digest_len) { return pkey_pqdsa_sign_generic(ctx, sig, sig_len, digest, digest_len, 1); } // RAW message signing static int pkey_pqdsa_sign_message(EVP_PKEY_CTX *ctx, uint8_t *sig, - size_t *sig_len, const uint8_t *message, - size_t message_len) { + size_t *sig_len, const uint8_t *message, + size_t message_len) { return pkey_pqdsa_sign_generic(ctx, sig, sig_len, message, message_len, 0); } 
@@ -158,28 +155,28 @@ static int pkey_pqdsa_verify_generic(EVP_PKEY_CTX *ctx, const uint8_t *sig, pqdsa = PQDSA_KEY_get0_dsa(ctx->pkey->pkey.pqdsa_key); } // Check that the context is properly configured. - if (ctx->pkey == NULL || - ctx->pkey->pkey.pqdsa_key == NULL || - ctx->pkey->type != EVP_PKEY_PQDSA) { + if (ctx->pkey == NULL || ctx->pkey->pkey.pqdsa_key == NULL || + ctx->pkey->type != EVP_PKEY_PQDSA) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED); return 0; } PQDSA_KEY *key = ctx->pkey->pkey.pqdsa_key; - // |verify_digest| is a flag we use to indicate that the message to be verified has - // already been pre-processed and hashed into a message digest. + // |verify_digest| is a flag we use to indicate that the message to be + // verified has already been pre-processed and hashed into a message digest. // When the PQDSA algorithm is selected as ML-DSA (i.e., NID_MLDSA{44/65/87}), - // |verify_digest| indicates that the input is |mu| which is the result of a SHAKE256 - // hash of the associated public key concatenated with a zero byte to indicate - // pure-mode, the context string length, the contents of the context string, - // and the input message in this order e.g. - // mu = SHAKE256(SHAKE256(pk) || 0 || |ctx| || ctx || M). + // |verify_digest| indicates that the input is |mu| which is the result of a + // SHAKE256 hash of the associated public key concatenated with a zero byte to + // indicate pure-mode, the context string length, the contents of the context + // string, and the input message in this order e.g. mu = SHAKE256(SHAKE256(pk) + // || 0 || |ctx| || ctx || M). // RAW verify mode - if(!verify_digest) { + if (!verify_digest) { if (sig_len != pqdsa->signature_len || - !pqdsa->method->pqdsa_verify_message(key->public_key, sig, sig_len, message, message_len, NULL, 0)) { + !pqdsa->method->pqdsa_verify_message(key->public_key, sig, sig_len, + message, message_len, NULL, 0)) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_SIGNATURE); return 0; } 
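Review bot: At the top of this hunk `pkey_pqdsa_verify_generic` evaluates `PQDSA_KEY_get0_dsa(ctx->pkey->pkey.pqdsa_key)` before the "properly configured" check that `ctx->pkey` and `ctx->pkey->pkey.pqdsa_key` are non-NULL and that the type is `EVP_PKEY_PQDSA`, so on that path the check comes too late to protect the dereference. The conditional enclosing the assignment starts outside the hunk; unless it already guards both pointers and the key type, the configuration check should be hoisted above it, or the assignment moved below the check. The same ordering is worth verifying in `pkey_pqdsa_sign_generic`, whose corresponding lines are not in view. The function's start is also outside this hunk.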
@@ -187,7 +184,8 @@ static int pkey_pqdsa_verify_generic(EVP_PKEY_CTX *ctx, const uint8_t *sig, // DIGEST verify mode else { if (sig_len != pqdsa->signature_len || - !pqdsa->method->pqdsa_verify(key->public_key, sig, sig_len, message, message_len)) { + !pqdsa->method->pqdsa_verify(key->public_key, sig, sig_len, message, + message_len)) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_SIGNATURE); return 0; } @@ -205,8 +203,8 @@ static int pkey_pqdsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, // RAW message verification static int pkey_pqdsa_verify_message(EVP_PKEY_CTX *ctx, const uint8_t *sig, - size_t sig_len, const uint8_t *message, - size_t message_len) { + size_t sig_len, const uint8_t *message, + size_t message_len) { return pkey_pqdsa_verify_generic(ctx, sig, sig_len, message, message_len, 0); } @@ -274,7 +272,8 @@ static EVP_PKEY *EVP_PKEY_pqdsa_new(int nid) { return ret; } -EVP_PKEY *EVP_PKEY_pqdsa_new_raw_public_key(int nid, const uint8_t *in, size_t len) { +EVP_PKEY *EVP_PKEY_pqdsa_new_raw_public_key(int nid, const uint8_t *in, + size_t len) { if (in == NULL) { OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER); return NULL; @@ -295,12 +294,13 @@ EVP_PKEY *EVP_PKEY_pqdsa_new_raw_public_key(int nid, const uint8_t *in, size_t l return ret; - err: - EVP_PKEY_free(ret); +err: + EVP_PKEY_free(ret); return NULL; } -EVP_PKEY *EVP_PKEY_pqdsa_new_raw_private_key(int nid, const uint8_t *in, size_t len) { +EVP_PKEY *EVP_PKEY_pqdsa_new_raw_private_key(int nid, const uint8_t *in, + size_t len) { if (in == NULL) { OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER); return NULL; @@ -337,8 +337,8 @@ EVP_PKEY *EVP_PKEY_pqdsa_new_raw_private_key(int nid, const uint8_t *in, size_t return ret; - err: - EVP_PKEY_free(ret); +err: + EVP_PKEY_free(ret); return NULL; } diff --git a/crypto/fipsmodule/evp/p_rsa.c b/crypto/fipsmodule/evp/p_rsa.c index 26e62205b4..7acdedde65 100644 --- a/crypto/fipsmodule/evp/p_rsa.c +++ b/crypto/fipsmodule/evp/p_rsa.c 
@@ -65,9 +65,9 @@ #include #include -#include "internal.h" -#include "../rsa/internal.h" #include "../../rsa_extra/internal.h" +#include "../rsa/internal.h" +#include "internal.h" #define NO_PSS_SALT_LEN_RESTRICTION -1 @@ -123,7 +123,8 @@ static int rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx) { return 1; } RSA_PKEY_CTX *rctx = ctx->data; - return RSASSA_PSS_PARAMS_create(rctx->md, rctx->mgf1md, rctx->saltlen, &(rsa->pss)); + return RSASSA_PSS_PARAMS_create(rctx->md, rctx->mgf1md, rctx->saltlen, + &(rsa->pss)); } // Called for PSS sign or verify initialisation: checks PSS parameter @@ -181,9 +182,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *ctx) { // does not have the ability to handle ".data" sections. Splitting // |pkey_pss_init| into two functions: |pkey_pss_init_sign| and // |pkey_pss_init_verify|, gets around this undesired behaviour. -static int pkey_pss_init_sign(EVP_PKEY_CTX *ctx) { - return pkey_pss_init(ctx); -} +static int pkey_pss_init_sign(EVP_PKEY_CTX *ctx) { return pkey_pss_init(ctx); } static int pkey_pss_init_verify(EVP_PKEY_CTX *ctx) { return pkey_pss_init(ctx); @@ -303,9 +302,8 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen, return RSA_sign_raw(rsa, siglen, sig, *siglen, tbs, tbslen, rctx->pad_mode); } -static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, - size_t siglen, const uint8_t *tbs, - size_t tbslen) { +static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen, + const uint8_t *tbs, size_t tbslen) { RSA_PKEY_CTX *rctx = ctx->data; RSA *rsa = ctx->pkey->pkey.rsa; @@ -328,8 +326,7 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, if (!setup_tbuf(rctx, ctx) || !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen, rctx->pad_mode) || - rslen != tbslen || - CRYPTO_memcmp(tbs, rctx->tbuf, rslen) != 0) { + rslen != tbslen || CRYPTO_memcmp(tbs, rctx->tbuf, rslen) != 0) { return 0; } 
@@ -432,9 +429,8 @@ static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen, return RSA_encrypt(rsa, outlen, out, *outlen, in, inlen, rctx->pad_mode); } -static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out, - size_t *outlen, const uint8_t *in, - size_t inlen) { +static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen, + const uint8_t *in, size_t inlen) { RSA_PKEY_CTX *rctx = ctx->data; RSA *rsa = ctx->pkey->pkey.rsa; const size_t key_len = EVP_PKEY_size(ctx->pkey); @@ -616,7 +612,8 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { } else { // Check if the hashAlgorithm is matched. // Sec 3.3 https://tools.ietf.org/html/rfc4055#section-3.3 - if (!pss_hash_algorithm_match(ctx, rctx->min_saltlen, rctx->mgf1md, p2)) { + if (!pss_hash_algorithm_match(ctx, rctx->min_saltlen, rctx->mgf1md, + p2)) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD); return 0; } @@ -676,7 +673,8 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { evp_pkey_set_cb_translate(pkey_ctx_cb, ctx); } - // In FIPS build, |RSA_generate_key_fips| updates the service indicator so lock it here + // In FIPS build, |RSA_generate_key_fips| updates the service indicator so + // lock it here FIPS_service_indicator_lock_state(); if ((!is_fips_build() && !RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pkey_ctx_cb)) || @@ -716,7 +714,7 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, pm = RSA_PKCS1_PADDING; } else if (strcmp(value, "none") == 0) { pm = RSA_NO_PADDING; - // OpenSSL also supports the typo. + // OpenSSL also supports the typo. } else if (strcmp(value, "oeap") == 0) { pm = RSA_PKCS1_OAEP_PADDING; } else if (strcmp(value, "oaep") == 0) { 
@@ -737,9 +735,9 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
 if (!strcmp(value, "digest")) {
 saltlen = RSA_PSS_SALTLEN_DIGEST;
 } else {
- char* str_end;
+ char *str_end;
 saltlen = strtol(value, &str_end, 10);
- if(str_end == value || saltlen < 0 || saltlen > INT_MAX) {
+ if (str_end == value || saltlen < 0 || saltlen > INT_MAX) {
 OPENSSL_PUT_ERROR(EVP, RSA_R_INTERNAL_ERROR);
 return -2;
 }
@@ -748,7 +746,7 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
 }
 
 if (strcmp(type, "rsa_keygen_bits") == 0) {
- char* str_end;
+ char *str_end;
 long nbits = strtol(value, &str_end, 10);
 if (str_end == value || nbits <= 0 || nbits > INT_MAX) {
 OPENSSL_PUT_ERROR(EVP, RSA_R_INTERNAL_ERROR);
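Review bot: The salt-length parser accepts trailing garbage: `strtol` stops at the first non-digit and the condition only rejects `str_end == value`, so a constructed value such as `"20abc"` is accepted as 20. Extend the check to `if (str_end == value || *str_end != '\0' || saltlen < 0 || saltlen > INT_MAX) {`, and because `saltlen > INT_MAX` can never be true where `long` is 32 bits, also set `errno = 0` before the call and reject `errno == ERANGE`. The `rsa_keygen_bits` branch in the next hunk has the same gap in its `nbits` check and should get the same two additions. `pkey_rsa_ctrl_str` begins before this hunk.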
@@ -805,52 +803,53 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
 }
 
 DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_rsa_pkey_meth) {
- out->pkey_id = EVP_PKEY_RSA;
- out->init = pkey_rsa_init;
- out->copy = pkey_rsa_copy;
- out->cleanup = pkey_rsa_cleanup;
- out->keygen = pkey_rsa_keygen;
- out->sign_init = NULL; /* sign_init */
- out->sign = pkey_rsa_sign;
- out->sign_message = NULL; /* sign_message */
- out->verify_init = NULL; /* verify_init */
- out->verify = pkey_rsa_verify;
- out->verify_message = NULL; /* verify_message */
- out->verify_recover = pkey_rsa_verify_recover; /* verify_recover */
- out->encrypt = pkey_rsa_encrypt; /* encrypt */
- out->decrypt = pkey_rsa_decrypt; /* decrypt */
- out->derive = NULL;
- out->paramgen = NULL;
- out->ctrl = pkey_rsa_ctrl;
- out->ctrl_str = pkey_rsa_ctrl_str;
+ out->pkey_id = EVP_PKEY_RSA;
+ out->init = pkey_rsa_init;
+ out->copy = pkey_rsa_copy;
+ out->cleanup = pkey_rsa_cleanup;
+ out->keygen = pkey_rsa_keygen;
+ out->sign_init = NULL; /* sign_init */
+ out->sign = pkey_rsa_sign;
+ out->sign_message = NULL; /* sign_message */
+ out->verify_init = NULL; /* verify_init */
+ out->verify = pkey_rsa_verify;
+ out->verify_message = NULL; /* verify_message */
+ out->verify_recover = pkey_rsa_verify_recover; /* verify_recover */
+ out->encrypt = pkey_rsa_encrypt; /* encrypt */
+ out->decrypt = pkey_rsa_decrypt; /* decrypt */
+ out->derive = NULL;
+ out->paramgen = NULL;
+ out->ctrl = pkey_rsa_ctrl;
+ out->ctrl_str = pkey_rsa_ctrl_str;
 }
 
 DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_rsa_pss_pkey_meth) {
- out->pkey_id = EVP_PKEY_RSA_PSS;
- out->init = pkey_rsa_init;
- out->copy = pkey_rsa_copy;
- out->cleanup = pkey_rsa_cleanup;
- out->keygen = pkey_rsa_keygen;
- out->sign_init = pkey_pss_init_sign; /* sign_init */
- out->sign = pkey_rsa_sign;
- out->sign_message = NULL; /* sign_message */
- out->verify_init = pkey_pss_init_verify; /* verify_init */
- out->verify = pkey_rsa_verify;
- out->verify_message = NULL; /* verify_message */
- out->verify_recover = NULL; /* verify_recover */
- out->encrypt = NULL; /* encrypt */
- out->decrypt = NULL; /* decrypt */
- out->derive = NULL;
- out->paramgen = NULL;
- out->ctrl = pkey_rsa_ctrl;
- out->ctrl_str = pkey_rsa_ctrl_str;
-}
-
-int EVP_RSA_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) {
+ out->pkey_id = EVP_PKEY_RSA_PSS;
+ out->init = pkey_rsa_init;
+ out->copy = pkey_rsa_copy;
+ out->cleanup = pkey_rsa_cleanup;
+ out->keygen = pkey_rsa_keygen;
+ out->sign_init = pkey_pss_init_sign; /* sign_init */
+ out->sign = pkey_rsa_sign;
+ out->sign_message = NULL; /* sign_message */
+ out->verify_init = pkey_pss_init_verify; /* verify_init */
+ out->verify = pkey_rsa_verify;
+ out->verify_message = NULL; /* verify_message */
+ out->verify_recover = NULL; /* verify_recover */
+ out->encrypt = NULL; /* encrypt */
+ out->decrypt = NULL; /* decrypt */
+ out->derive = NULL;
+ out->paramgen = NULL;
+ out->ctrl = pkey_rsa_ctrl;
+ out->ctrl_str = pkey_rsa_ctrl_str;
+}
+
+int EVP_RSA_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1,
+ void *p2) {
 /* If key type is not RSA or RSA-PSS return error */
- if ((ctx != NULL) && (ctx->pmeth != NULL)
- && (ctx->pmeth->pkey_id != EVP_PKEY_RSA)
- && (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)) {
+ if ((ctx != NULL) && (ctx->pmeth != NULL) &&
+ (ctx->pmeth->pkey_id != EVP_PKEY_RSA) &&
+ (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
 return 0;
 }
@@ -858,11 +857,13 @@ int EVP_RSA_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void * } int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) { - return EVP_RSA_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, padding, NULL); + return EVP_RSA_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, padding, + NULL); } int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) { - return EVP_RSA_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 0, out_padding); + return EVP_RSA_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 0, + out_padding); } int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { @@ -879,25 +880,24 @@ int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, } int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len) { - return EVP_RSA_PKEY_CTX_ctrl(ctx, - (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY), - EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, NULL); + return EVP_RSA_PKEY_CTX_ctrl(ctx, (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY), + EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, NULL); } int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *out_salt_len) { - return EVP_RSA_PKEY_CTX_ctrl(ctx, - (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY), - EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, out_salt_len); + return EVP_RSA_PKEY_CTX_ctrl(ctx, (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY), + EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, + out_salt_len); } int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) { return EVP_RSA_PKEY_CTX_ctrl(ctx, EVP_PKEY_OP_KEYGEN, - EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL); + EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL); } int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e) { return EVP_RSA_PKEY_CTX_ctrl(ctx, EVP_PKEY_OP_KEYGEN, - EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, e); + EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, e); } int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { 
@@ -907,19 +907,19 @@ int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) { return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, - EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void*) out_md); + EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)out_md); } int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { return EVP_RSA_PKEY_CTX_ctrl(ctx, - EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, - EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void*) md); + EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md); } int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) { - return EVP_RSA_PKEY_CTX_ctrl(ctx, - EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, - EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void*) out_md); + return EVP_RSA_PKEY_CTX_ctrl( + ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)out_md); } int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, uint8_t *label, diff --git a/crypto/fipsmodule/fips_empty_main.c b/crypto/fipsmodule/fips_empty_main.c index 3f62079b82..f0cb9bba23 100644 --- a/crypto/fipsmodule/fips_empty_main.c +++ b/crypto/fipsmodule/fips_empty_main.c @@ -14,4 +14,3 @@ int main(int argc, char *argv[]) { exit(1); } - diff --git a/crypto/fipsmodule/fips_shared_library_marker.c b/crypto/fipsmodule/fips_shared_library_marker.c index 504260d42d..58a9aa58cd 100644 --- a/crypto/fipsmodule/fips_shared_library_marker.c +++ b/crypto/fipsmodule/fips_shared_library_marker.c 
@@ -8,14 +8,15 @@ // The FIPS build on macOS/iOS/Windows is different than the build on Linux. // Apple's and Windows' linkers don't support linker scripts so we have to build // the module in a different way. This file is compiled twice: -// - with AWSLC_FIPS_SHARED_START flag to generate the start marker object file +// - with AWSLC_FIPS_SHARED_START flag to generate the start marker object +// file // - with AWSLC_FIPS_SHARED_END flag to generate the end marker object file // The two generated files are used to link with the module bcm.o such that // the final module object has start and end markers for __text and __const // sections that are used for the integrity check. -#include #include +#include #if defined(AWSLC_FIPS_SHARED_START) #if defined(_MSC_VER) @@ -27,11 +28,9 @@ // Dummy but not empty function and array to avoid the compiler completely // optimizing out the symbols. -const uint8_t *BORINGSSL_bcm_text_start(void) { - return NULL; -} -const uint8_t BORINGSSL_bcm_rodata_start[16] = - {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; +const uint8_t *BORINGSSL_bcm_text_start(void) { return NULL; } +const uint8_t BORINGSSL_bcm_rodata_start[16] = {0, 1, 2, 3, 4, 5, 6, 7, + 8, 9, 10, 11, 12, 13, 14, 15}; #elif defined(AWSLC_FIPS_SHARED_END) #if defined(_MSC_VER) 
@@ -43,15 +42,13 @@ const uint8_t BORINGSSL_bcm_rodata_start[16] = // Dummy but not empty function and array to avoid the compiler completely // optimizing out the symbols. -const uint8_t *BORINGSSL_bcm_text_end(void){ - return NULL; -} -const uint8_t BORINGSSL_bcm_rodata_end[16] = - {16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31}; +const uint8_t *BORINGSSL_bcm_text_end(void) { return NULL; } +const uint8_t BORINGSSL_bcm_rodata_end[16] = {16, 17, 18, 19, 20, 21, 22, 23, + 24, 25, 26, 27, 28, 29, 30, 31}; #else -#error "This file should be compiled only as part of the Shared FIPS build on macOS/iOS/Windows." +#error \ + "This file should be compiled only as part of the Shared FIPS build on macOS/iOS/Windows." #endif - diff --git a/crypto/fipsmodule/hkdf/hkdf.c b/crypto/fipsmodule/hkdf/hkdf.c index 746e2d8f38..b9a634667a 100644 --- a/crypto/fipsmodule/hkdf/hkdf.c +++ b/crypto/fipsmodule/hkdf/hkdf.c @@ -21,8 +21,8 @@ #include #include "../../internal.h" -#include "../service_indicator/internal.h" #include "../cpucap/internal.h" +#include "../service_indicator/internal.h" // TODO(CryptoAlg-1281): We need to get our FIPS testing partner's opinion on // which API level(s) we need to check at. HKDF_extract() originally had checks @@ -119,8 +119,7 @@ int HKDF_expand(uint8_t *out_key, size_t out_len, const EVP_MD *digest, !HMAC_Update(&hmac, previous, digest_len))) { goto out; } - if (!HMAC_Update(&hmac, info, info_len) || - !HMAC_Update(&hmac, &ctr, 1) || + if (!HMAC_Update(&hmac, info, info_len) || !HMAC_Update(&hmac, &ctr, 1) || !HMAC_Final(&hmac, previous, NULL)) { goto out; } diff --git a/crypto/fipsmodule/hkdf/hkdf_test.cc b/crypto/fipsmodule/hkdf/hkdf_test.cc index a61ac024ff..5918dfa315 100644 --- a/crypto/fipsmodule/hkdf/hkdf_test.cc +++ b/crypto/fipsmodule/hkdf/hkdf_test.cc 
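Review bot: The hkdf.c include block is reordered here (`../service_indicator/internal.h` now sorts after `../cpucap/internal.h`), and the same sorting in the hmac.c hunk further down moves the module's own `internal.h` below `../../internal.h` and `../service_indicator/internal.h`, so the own-header-first convention is lost there. In a commit described as pure formatting, an include reorder is the one change that can alter what compiles or which definition wins if any of these headers is not self-contained; worth confirming each builds standalone, or pinning the intended order with a clang-format `IncludeCategories` entry so the tool does not sort it away on the next run. Nothing visible on the page shows a breakage, so this is a risk to confirm rather than a defect.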
@@ -41,211 +41,252 @@ struct HKDFTestVector { // These test vectors are from RFC 5869. static const HKDFTestVector kTests[] = { - { - EVP_sha256, - { - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - }, 22, - { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, - 0x0c, - }, 13, - { - 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, - }, 10, - { - 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f, 0x0d, - 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31, - 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5, - }, 32, - 42, { - 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f, 0x64, - 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c, - 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34, 0x00, 0x72, 0x08, - 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65 - } - }, - { - EVP_sha256, - { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + {EVP_sha256, + { + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + }, + 22, + { + 0x00, + 0x01, + 0x02, + 0x03, + 0x04, + 0x05, + 0x06, + 0x07, + 0x08, + 0x09, + 0x0a, + 0x0b, + 0x0c, + }, + 13, + { + 0xf0, + 0xf1, + 0xf2, + 0xf3, + 0xf4, + 0xf5, + 0xf6, + 0xf7, + 0xf8, + 0xf9, + }, + 10, + { + 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f, + 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, + 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5, + }, + 32, + 42, + {0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f, + 0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, + 0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34, + 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65}}, + {EVP_sha256, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 
0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, - 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f - }, 80, - { - 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f}, + 80, + {0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, - 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf - }, 80, - { - 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, + 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf}, + 80, + {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, - 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff - }, 80, - { - 0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a, 0x06, 0x10, 0x4c, 0x9c, - 0xeb, 0x35, 0xb4, 0x5c, 0xef, 0x76, 0x00, 0x14, 0x90, 0x46, 0x71, 0x01, - 0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44, - }, 32, - 82, { - 0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1, 0xc8, 0xe7, 0xf7, 0x8c, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 
0xfd, 0xfe, 0xff}, + 80, + { + 0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a, 0x06, 0x10, 0x4c, + 0x9c, 0xeb, 0x35, 0xb4, 0x5c, 0xef, 0x76, 0x00, 0x14, 0x90, 0x46, + 0x71, 0x01, 0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44, + }, + 32, + 82, + {0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1, 0xc8, 0xe7, 0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34, 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8, 0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c, 0x59, 0x04, 0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72, 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09, 0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8, 0x36, 0x77, 0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71, 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87, - 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f, 0x1d, 0x87 - } - }, - { - EVP_sha256, - { - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - }, 22, - { - 0, - }, 0, - { - 0, - }, 0, - { - 0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16, 0x7f, 0x33, 0xa9, 0x1d, - 0x6f, 0x64, 0x8b, 0xdf, 0x96, 0x59, 0x67, 0x76, 0xaf, 0xdb, 0x63, 0x77, - 0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c, 0xcb, 0x04 - }, 32, - 42, { - 0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f, 0x71, 0x5f, 0x80, 0x2a, - 0x06, 0x3c, 0x5a, 0x31, 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e, - 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d, 0x9d, 0x20, 0x13, 0x95, - 0xfa, 0xa4, 0xb6, 0x1a, 0x96, 0xc8 - } - }, - { - EVP_sha1, - { - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - }, 11, - { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, - 0x0c, - }, 13, - { - 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, - }, 10, - { - 0x9b, 0x6c, 0x18, 0xc4, 0x32, 0xa7, 0xbf, 0x8f, 0x0e, 0x71, 0xc8, 0xeb, - 0x88, 0xf4, 0xb3, 0x0b, 0xaa, 0x2b, 0xa2, 0x43 - }, 20, - 42, { - 0x08, 0x5a, 0x01, 0xea, 0x1b, 0x10, 0xf3, 0x69, 0x33, 0x06, 0x8b, 0x56, - 0xef, 0xa5, 0xad, 0x81, 0xa4, 0xf1, 0x4b, 0x82, 0x2f, 0x5b, 0x09, 0x15, - 
0x68, 0xa9, 0xcd, 0xd4, 0xf1, 0x55, 0xfd, 0xa2, 0xc2, 0x2e, 0x42, 0x24, - 0x78, 0xd3, 0x05, 0xf3, 0xf8, 0x96 - } - }, - { - EVP_sha1, - { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f, 0x1d, 0x87}}, + {EVP_sha256, + { + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + }, + 22, + { + 0, + }, + 0, + { + 0, + }, + 0, + {0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16, 0x7f, 0x33, 0xa9, + 0x1d, 0x6f, 0x64, 0x8b, 0xdf, 0x96, 0x59, 0x67, 0x76, 0xaf, 0xdb, + 0x63, 0x77, 0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c, 0xcb, 0x04}, + 32, + 42, + {0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f, 0x71, 0x5f, 0x80, + 0x2a, 0x06, 0x3c, 0x5a, 0x31, 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, + 0x87, 0x9e, 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d, 0x9d, + 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a, 0x96, 0xc8}}, + {EVP_sha1, + { + 0x0b, + 0x0b, + 0x0b, + 0x0b, + 0x0b, + 0x0b, + 0x0b, + 0x0b, + 0x0b, + 0x0b, + 0x0b, + }, + 11, + { + 0x00, + 0x01, + 0x02, + 0x03, + 0x04, + 0x05, + 0x06, + 0x07, + 0x08, + 0x09, + 0x0a, + 0x0b, + 0x0c, + }, + 13, + { + 0xf0, + 0xf1, + 0xf2, + 0xf3, + 0xf4, + 0xf5, + 0xf6, + 0xf7, + 0xf8, + 0xf9, + }, + 10, + {0x9b, 0x6c, 0x18, 0xc4, 0x32, 0xa7, 0xbf, 0x8f, 0x0e, 0x71, + 0xc8, 0xeb, 0x88, 0xf4, 0xb3, 0x0b, 0xaa, 0x2b, 0xa2, 0x43}, + 20, + 42, + {0x08, 0x5a, 0x01, 0xea, 0x1b, 0x10, 0xf3, 0x69, 0x33, 0x06, 0x8b, + 0x56, 0xef, 0xa5, 0xad, 0x81, 0xa4, 0xf1, 0x4b, 0x82, 0x2f, 0x5b, + 0x09, 0x15, 0x68, 0xa9, 0xcd, 0xd4, 0xf1, 0x55, 0xfd, 0xa2, 0xc2, + 0x2e, 0x42, 0x24, 0x78, 0xd3, 0x05, 0xf3, 0xf8, 0x96}}, + {EVP_sha1, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 
0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, - 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f - }, 80, - { - 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f}, + 80, + {0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, - 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf - }, 80, - { - 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, + 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf}, + 80, + {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, - 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff - }, 80, - { - 0x8a, 0xda, 0xe0, 0x9a, 0x2a, 0x30, 0x70, 0x59, 0x47, 0x8d, 0x30, 0x9b, - 0x26, 0xc4, 0x11, 0x5a, 0x22, 0x4c, 0xfa, 0xf6, - }, 20, - 82, { - 0x0b, 0xd7, 0x70, 0xa7, 0x4d, 0x11, 0x60, 0xf7, 0xc9, 0xf1, 0x2c, 0xd5, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff}, + 80, + { + 0x8a, 0xda, 0xe0, 0x9a, 0x2a, 0x30, 0x70, 0x59, 0x47, 0x8d, + 0x30, 0x9b, 0x26, 0xc4, 0x11, 0x5a, 0x22, 0x4c, 0xfa, 0xf6, + }, + 20, + 82, + {0x0b, 0xd7, 0x70, 0xa7, 0x4d, 0x11, 0x60, 0xf7, 0xc9, 0xf1, 0x2c, 0xd5, 0x91, 0x2a, 0x06, 0xeb, 0xff, 0x6a, 0xdc, 0xae, 
0x89, 0x9d, 0x92, 0x19, 0x1f, 0xe4, 0x30, 0x56, 0x73, 0xba, 0x2f, 0xfe, 0x8f, 0xa3, 0xf1, 0xa4, 0xe5, 0xad, 0x79, 0xf3, 0xf3, 0x34, 0xb3, 0xb2, 0x02, 0xb2, 0x17, 0x3c, 0x48, 0x6e, 0xa3, 0x7c, 0xe3, 0xd3, 0x97, 0xed, 0x03, 0x4c, 0x7f, 0x9d, 0xfe, 0xb1, 0x5c, 0x5e, 0x92, 0x73, 0x36, 0xd0, 0x44, 0x1f, 0x4c, 0x43, - 0x00, 0xe2, 0xcf, 0xf0, 0xd0, 0x90, 0x0b, 0x52, 0xd3, 0xb4 - } - }, - { - EVP_sha1, - { - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - }, 22, - { - 0, - }, 0, - { - 0, - }, 0, - { - 0xda, 0x8c, 0x8a, 0x73, 0xc7, 0xfa, 0x77, 0x28, 0x8e, 0xc6, 0xf5, 0xe7, - 0xc2, 0x97, 0x78, 0x6a, 0xa0, 0xd3, 0x2d, 0x01, - }, 20, - 42, { - 0x0a, 0xc1, 0xaf, 0x70, 0x02, 0xb3, 0xd7, 0x61, 0xd1, 0xe5, 0x52, 0x98, - 0xda, 0x9d, 0x05, 0x06, 0xb9, 0xae, 0x52, 0x05, 0x72, 0x20, 0xa3, 0x06, - 0xe0, 0x7b, 0x6b, 0x87, 0xe8, 0xdf, 0x21, 0xd0, 0xea, 0x00, 0x03, 0x3d, - 0xe0, 0x39, 0x84, 0xd3, 0x49, 0x18 - } - }, - { - EVP_sha1, - { - 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, - 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, - }, 22, - { - 0, - }, 0, - { - 0, - }, 0, - { - 0x2a, 0xdc, 0xca, 0xda, 0x18, 0x77, 0x9e, 0x7c, 0x20, 0x77, 0xad, 0x2e, - 0xb1, 0x9d, 0x3f, 0x3e, 0x73, 0x13, 0x85, 0xdd, - }, 20, - 42, { - 0x2c, 0x91, 0x11, 0x72, 0x04, 0xd7, 0x45, 0xf3, 0x50, 0x0d, 0x63, 0x6a, - 0x62, 0xf6, 0x4f, 0x0a, 0xb3, 0xba, 0xe5, 0x48, 0xaa, 0x53, 0xd4, 0x23, - 0xb0, 0xd1, 0xf2, 0x7e, 0xbb, 0xa6, 0xf5, 0xe5, 0x67, 0x3a, 0x08, 0x1d, - 0x70, 0xcc, 0xe7, 0xac, 0xfc, 0x48 - } - }, + 0x00, 0xe2, 0xcf, 0xf0, 0xd0, 0x90, 0x0b, 0x52, 0xd3, 0xb4}}, + {EVP_sha1, + { + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + }, + 22, + { + 0, + }, + 0, + { + 0, + }, + 0, + { + 0xda, 0x8c, 0x8a, 0x73, 0xc7, 0xfa, 0x77, 0x28, 0x8e, 0xc6, + 0xf5, 0xe7, 0xc2, 0x97, 0x78, 0x6a, 0xa0, 0xd3, 0x2d, 0x01, 
+ }, + 20, + 42, + {0x0a, 0xc1, 0xaf, 0x70, 0x02, 0xb3, 0xd7, 0x61, 0xd1, 0xe5, 0x52, + 0x98, 0xda, 0x9d, 0x05, 0x06, 0xb9, 0xae, 0x52, 0x05, 0x72, 0x20, + 0xa3, 0x06, 0xe0, 0x7b, 0x6b, 0x87, 0xe8, 0xdf, 0x21, 0xd0, 0xea, + 0x00, 0x03, 0x3d, 0xe0, 0x39, 0x84, 0xd3, 0x49, 0x18}}, + {EVP_sha1, + { + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + }, + 22, + { + 0, + }, + 0, + { + 0, + }, + 0, + { + 0x2a, 0xdc, 0xca, 0xda, 0x18, 0x77, 0x9e, 0x7c, 0x20, 0x77, + 0xad, 0x2e, 0xb1, 0x9d, 0x3f, 0x3e, 0x73, 0x13, 0x85, 0xdd, + }, + 20, + 42, + {0x2c, 0x91, 0x11, 0x72, 0x04, 0xd7, 0x45, 0xf3, 0x50, 0x0d, 0x63, + 0x6a, 0x62, 0xf6, 0x4f, 0x0a, 0xb3, 0xba, 0xe5, 0x48, 0xaa, 0x53, + 0xd4, 0x23, 0xb0, 0xd1, 0xf2, 0x7e, 0xbb, 0xa6, 0xf5, 0xe5, 0x67, + 0x3a, 0x08, 0x1d, 0x70, 0xcc, 0xe7, 0xac, 0xfc, 0x48}}, }; TEST(HKDFTest, TestVectors) { @@ -420,8 +461,7 @@ TEST(HKDFTest, WycheproofSHA512) { // NIST CAVP tests for HKDF_expand() operating as a "KDF in Feedback Mode"; // data from "KDF in Feedback Mode Test Vectors where zero length IV is allowed" // https://csrc.nist.gov/Projects/cryptographic-algorithm-validation-program/key-derivation -static void RunTest(FileTest *t) -{ +static void RunTest(FileTest *t) { std::string prf, ctrlocation, rlen, count, l_str; std::vector ki, iv, fixed, ko; @@ -448,7 +488,7 @@ static void RunTest(FileTest *t) // Coverity will yell at us for this, as it should. But FIPS 140-3 still // allows it in some circumstances. md = EVP_sha1(); - } else if (prf == "HMAC_SHA224") { + } else if (prf == "HMAC_SHA224") { md = EVP_sha224(); } else if (prf == "HMAC_SHA256") { md = EVP_sha256(); 
@@ -570,7 +610,8 @@ static void RunTest(FileTest *t)
 // false positive.
 uint8_t *output = (uint8_t *)malloc(l_len);
- ASSERT_TRUE(HKDF_expand(output, l_len, md, ki.data(), ki.size(), fixed.data(), fixed.size()));
+ ASSERT_TRUE(HKDF_expand(output, l_len, md, ki.data(), ki.size(),
+ fixed.data(), fixed.size()));
 EXPECT_EQ(Bytes(ko.data(), ko.size()), Bytes(output, l_len));
 free(output);
 }
diff --git a/crypto/fipsmodule/hmac/hmac.c b/crypto/fipsmodule/hmac/hmac.c
index 211ae04d3c..a58d2f4afb 100644
--- a/crypto/fipsmodule/hmac/hmac.c
+++ b/crypto/fipsmodule/hmac/hmac.c
@@ -62,9 +62,9 @@
 #include
 #include
-#include "internal.h"
 #include "../../internal.h"
 #include "../service_indicator/internal.h"
+#include "internal.h"
 #include "../md5/internal.h"
 #include "../sha/internal.h"
@@ -76,7 +76,7 @@ typedef int (*HashInitFromState)(void *, const uint8_t *, uint64_t);
 typedef int (*HashGetState)(void *, uint8_t *, uint64_t *);
 struct hmac_methods_st {
- const EVP_MD* evp_md;
+ const EVP_MD *evp_md;
 size_t chaining_length; // chaining length in bytes
 HashInit init;
 HashUpdate update;
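Review bot: In RunTest the reflowed `ASSERT_TRUE(HKDF_expand(output, ...))` still sits between a raw `malloc(l_len)` and a `free(output)`, so any assertion failure returns from RunTest and leaks `output`, and the malloc result is never checked for NULL before being handed to HKDF_expand. The file already uses `std::vector` for `ki`, `iv`, `fixed` and `ko`, so the buffer can be `std::vector<uint8_t> output(l_len);` with `output.data()` passed to HKDF_expand and `Bytes(output.data(), l_len)` in the EXPECT_EQ, and the `free(output);` line dropped. The comment fragment `// false positive.` just above appears to refer to a Coverity finding whose start is outside the hunk, so it is worth checking whether the raw allocation was deliberate before changing it; RunTest itself begins outside this hunk.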
@@ -85,10 +85,12 @@ struct hmac_methods_st {
 HashGetState get_state;
 };
-// We need trampolines from the generic void* methods we use to the properly typed underlying methods.
-// Without these methods some control flow integrity checks will fail because the function pointer types
-// do not exactly match the destination functions. (Namely function pointers use void* pointers for the contexts)
-// while the destination functions have specific pointer types for the relevant contexts.
+// We need trampolines from the generic void* methods we use to the properly
+// typed underlying methods. Without these methods some control flow integrity
+// checks will fail because the function pointer types do not exactly match the
+// destination functions. (Namely function pointers use void* pointers for the
+// contexts) while the destination functions have specific pointer types for the
+// relevant contexts.
 //
 // This also includes hash-specific static assertions as they can be added.
 #define MD_TRAMPOLINES_EXPLICIT(HASH_NAME, HASH_CTX, HASH_CBLOCK) \
@@ -147,7 +149,8 @@ struct hmac_method_array_st {
 HmacMethods methods[HMAC_METHOD_MAX];
 };
-#define DEFINE_IN_PLACE_METHODS(EVP_MD, HASH_NAME) { \
+#define DEFINE_IN_PLACE_METHODS(EVP_MD, HASH_NAME) \
+ { \
 out->methods[idx].evp_md = EVP_MD; \
 out->methods[idx].chaining_length = HASH_NAME##_CHAINING_LENGTH; \
 out->methods[idx].init = AWS_LC_TRAMPOLINE_##HASH_NAME##_Init; \
@@ -161,10 +164,11 @@ struct hmac_method_array_st {
 }
 DEFINE_LOCAL_DATA(struct hmac_method_array_st, AWSLC_hmac_in_place_methods) {
- OPENSSL_memset((void*) out->methods, 0, sizeof(out->methods));
+ OPENSSL_memset((void *)out->methods, 0, sizeof(out->methods));
 int idx = 0;
- // Since we search these linearly it helps (just a bit) to put the most common ones first.
- // This isn't based on hard metrics and will not make a significant different on performance.
+ // Since we search these linearly it helps (just a bit) to put the most common
+ // ones first. This isn't based on hard metrics and will not make a
+ // significant different on performance.
 // FIXME: all hashes but SHA256 have been disabled to check first SHA256
 DEFINE_IN_PLACE_METHODS(EVP_sha256(), SHA256);
 DEFINE_IN_PLACE_METHODS(EVP_sha1(), SHA1);
@@ -177,9 +181,12 @@ DEFINE_LOCAL_DATA(struct hmac_method_array_st, AWSLC_hmac_in_place_methods) {
 }
 static const HmacMethods *GetInPlaceMethods(const EVP_MD *evp_md) {
- const struct hmac_method_array_st *method_array = AWSLC_hmac_in_place_methods();
+ const struct hmac_method_array_st *method_array =
+ AWSLC_hmac_in_place_methods();
 const HmacMethods *methods = method_array->methods;
- for (size_t idx = 0; idx < sizeof(method_array->methods) / sizeof(struct hmac_methods_st); idx++) {
+ for (size_t idx = 0;
+ idx < sizeof(method_array->methods) / sizeof(struct hmac_methods_st);
+ idx++) {
 if (methods[idx].evp_md == evp_md) {
 return &methods[idx];
 }
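Review bot: The loop bound in GetInPlaceMethods recomputes the array length as `sizeof(method_array->methods) / sizeof(struct hmac_methods_st)`, which is what forces the `for` header onto three lines; the array is declared with `HMAC_METHOD_MAX` elements in the struct hmac_method_array_st hunk above, so `for (size_t idx = 0; idx < HMAC_METHOD_MAX; idx++) {` says the same thing on one line and cannot drift if the element type is ever renamed. The body of GetInPlaceMethods continues past the end of this hunk. Since the comments are being rewrapped anyway, the typos they carry could go in the same pass: "significant different on performance" should read "significant difference in performance" here, "unitialized" and "the only state that in which" in the HMAC state-machine comment two hunks down, and "the md and they key has changed" in HMAC_Init_ex. The `// FIXME: all hashes but SHA256 have been disabled` line also looks stale given that SHA1 is registered on the very next line, though only two of the registrations are visible here.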
@@ -191,37 +198,47 @@ static const HmacMethods *GetInPlaceMethods(const EVP_MD *evp_md) { // (Pre/Post conditions): // HMAC_STATE_UNINITIALIZED: Uninitialized. // HMAC_STATE_INIT_NO_DATA: Initialized with an md and key. No data processed. -// This means that if init is called but nothing changes, we don't need to reset our state. +// This means that if init is called but nothing changes, we don't need to +// reset our state. // HMAC_STATE_IN_PROGRESS: Initialized with an md and key. Data processed. // This means that if init is called we do need to reset state. -// HMAC_STATE_READY_NEEDS_INIT: Identical to state HMAC_STATE_INIT_NO_DATA but API contract requires that Init be called prior to use. -// This is an optimization because we can leave the context in a state ready for use after completion. -// HMAC_STATE_PRECOMPUTED_KEY_EXPORT_READY: Identical to state HMAC_STATE_READY_NEEDS_INIT but marked to allow precompute key export +// HMAC_STATE_READY_NEEDS_INIT: Identical to state HMAC_STATE_INIT_NO_DATA but +// API contract requires that Init be called prior to use. +// This is an optimization because we can leave the context in a state ready +// for use after completion. +// HMAC_STATE_PRECOMPUTED_KEY_EXPORT_READY: Identical to state +// HMAC_STATE_READY_NEEDS_INIT but marked to allow precompute key export // This state is treated as HMAC_STATE_READY_NEEDS_INIT by Init/Update/Final. -// This state is the only state that in which a precompute key can be exported. -// This state is set by HMAC_set_precomputed_key_export. -// other: Invalid state and likely a result of using unitialized memory. Treated the same as 0. +// This state is the only state that in which a precompute key can be +// exported. This state is set by HMAC_set_precomputed_key_export. +// other: Invalid state and likely a result of using unitialized memory. Treated +// the same as 0. // -// While we are within HMAC methods we allow for the state value and actual state of the context to diverge. 
+// While we are within HMAC methods we allow for the state value and actual +// state of the context to diverge. -// HMAC_STATE_UNINITIALIZED *MUST* remain `0` so that callers can do `HMAC_CTX ctx = {0};` to get a usable context. +// HMAC_STATE_UNINITIALIZED *MUST* remain `0` so that callers can do `HMAC_CTX +// ctx = {0};` to get a usable context. #define HMAC_STATE_UNINITIALIZED 0 #define HMAC_STATE_INIT_NO_DATA 1 #define HMAC_STATE_IN_PROGRESS 2 #define HMAC_STATE_READY_NEEDS_INIT 3 #define HMAC_STATE_PRECOMPUTED_KEY_EXPORT_READY 4 -// Static assertion to ensure that no one has changed the value of HMAC_STATE_UNINITIALIZED. -// This really must stay with a zero value. -OPENSSL_STATIC_ASSERT(HMAC_STATE_UNINITIALIZED == 0, HMAC_STATE_UNINITIALIZED_is_not_zero_t) +// Static assertion to ensure that no one has changed the value of +// HMAC_STATE_UNINITIALIZED. This really must stay with a zero value. +OPENSSL_STATIC_ASSERT(HMAC_STATE_UNINITIALIZED == 0, + HMAC_STATE_UNINITIALIZED_is_not_zero_t) -// Indicates that a context has the md and methods configured and is ready to use -#define hmac_ctx_is_initialized(ctx) ((HMAC_STATE_INIT_NO_DATA == (ctx)->state || HMAC_STATE_IN_PROGRESS == (ctx)->state)) +// Indicates that a context has the md and methods configured and is ready to +// use +#define hmac_ctx_is_initialized(ctx) \ + ((HMAC_STATE_INIT_NO_DATA == (ctx)->state || \ + HMAC_STATE_IN_PROGRESS == (ctx)->state)) uint8_t *HMAC(const EVP_MD *evp_md, const void *key, size_t key_len, const uint8_t *data, size_t data_len, uint8_t *out, unsigned int *out_len) { - if (out == NULL) { // Prevent further work from being done return NULL; 
@@ -236,8 +253,7 @@ uint8_t *HMAC(const EVP_MD *evp_md, const void *key, size_t key_len,
 FIPS_service_indicator_lock_state();
 result = HMAC_Init_ex(&ctx, key, key_len, evp_md, NULL) &&
- HMAC_Update(&ctx, data, data_len) &&
- HMAC_Final(&ctx, out, out_len);
+ HMAC_Update(&ctx, data, data_len) && HMAC_Final(&ctx, out, out_len);
 FIPS_service_indicator_unlock_state();
@@ -273,8 +289,7 @@ uint8_t *HMAC_with_precompute(const EVP_MD *evp_md, const void *key,
 HMAC_get_precomputed_key(&ctx, precomputed_key, &precomputed_key_len) &&
 HMAC_Init_from_precomputed_key(&ctx, precomputed_key, precomputed_key_len,
 evp_md) &&
- HMAC_Update(&ctx, data, data_len) &&
- HMAC_Final(&ctx, out, out_len);
+ HMAC_Update(&ctx, data, data_len) && HMAC_Final(&ctx, out, out_len);
 FIPS_service_indicator_unlock_state();
@@ -294,15 +309,13 @@ uint8_t *HMAC_with_precompute(const EVP_MD *evp_md, const void *key,
 }
 }
-void HMAC_CTX_init(HMAC_CTX *ctx) {
- OPENSSL_memset(ctx, 0, sizeof(HMAC_CTX));
-}
+void HMAC_CTX_init(HMAC_CTX *ctx) { OPENSSL_memset(ctx, 0, sizeof(HMAC_CTX)); }
 HMAC_CTX *HMAC_CTX_new(void) {
 HMAC_CTX *ctx = OPENSSL_zalloc(sizeof(HMAC_CTX));
 if (ctx != NULL) {
 // NO-OP: struct already zeroed
- //HMAC_CTX_init(ctx);
+ // HMAC_CTX_init(ctx);
 }
 return ctx;
 }
@@ -312,9 +325,7 @@ void HMAC_CTX_cleanup(HMAC_CTX *ctx) {
 OPENSSL_cleanse(ctx, sizeof(HMAC_CTX));
 }
-void HMAC_CTX_cleanse(HMAC_CTX *ctx) {
- HMAC_CTX_cleanup(ctx);
-}
+void HMAC_CTX_cleanse(HMAC_CTX *ctx) { HMAC_CTX_cleanup(ctx); }
 void HMAC_CTX_free(HMAC_CTX *ctx) {
 if (ctx == NULL) {
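Review bot: HMAC_CTX_new keeps an `if (ctx != NULL)` whose body is only a comment and the commented-out call `// HMAC_CTX_init(ctx);`; the reformat preserved dead code rather than removing it. Dropping the empty block and putting the explanation on the allocation itself — `// OPENSSL_zalloc returns zeroed memory, which is exactly the HMAC_CTX_init state.` above `HMAC_CTX *ctx = OPENSSL_zalloc(sizeof(HMAC_CTX));` followed directly by `return ctx;` — keeps the intent without commented-out code.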
@@ -361,14 +372,16 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
 // exist callers which intend the latter, but the former is an awkward edge
 // case. Fix to API to avoid this.
 if (key == NULL && (md == NULL || md == ctx->md)) {
- // If nothing is changing then we can return without doing any further work.
+ // If nothing is changing then we can return without doing any further
+ // work.
 return 1;
 }
 }
- // At this point we *know* we need to change things and rekey because either the key has changed
- // or the md and they key has changed.
- // (It is a misuse to just change the md so we also assume that the key changes when the md changes.)
+ // At this point we *know* we need to change things and rekey because either
+ // the key has changed or the md and they key has changed. (It is a misuse to
+ // just change the md so we also assume that the key changes when the md
+ // changes.)
 if (!hmac_ctx_set_md_methods(ctx, md)) {
 return 0;
@@ -391,7 +404,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
 // Long keys are hashed.
 if (!methods->init(&ctx->md_ctx) ||
 !methods->update(&ctx->md_ctx, key, key_len) ||
- !methods->finalize((uint8_t *) key_block, &ctx->md_ctx)) {
+ !methods->finalize((uint8_t *)key_block, &ctx->md_ctx)) {
 goto end;
 }
 } else {
@@ -422,7 +435,8 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
 OPENSSL_cleanse(key_block, EVP_MAX_MD_BLOCK_SIZE);
 FIPS_service_indicator_unlock_state();
 if (result != 1) {
- // We're in some error state, so return our context to a known and well defined zero state.
+ // We're in some error state, so return our context to a known and well
+ // defined zero state.
 HMAC_CTX_cleanup(ctx);
 }
 return result;
@@ -462,7 +476,9 @@ int HMAC_Final(HMAC_CTX *ctx, uint8_t *out, unsigned int *out_len) {
 result = methods->finalize(out, &ctx->md_ctx);
 // Wipe out working state by initializing for next use
 OPENSSL_memcpy(&ctx->md_ctx, &ctx->i_ctx, sizeof(ctx->i_ctx));
- ctx->state = HMAC_STATE_READY_NEEDS_INIT; // Mark that we are ready for use but still need HMAC_Init_ex called.
+ ctx->state =
+ HMAC_STATE_READY_NEEDS_INIT; // Mark that we are ready for use but still
+ // need HMAC_Init_ex called.
 end:
 FIPS_service_indicator_unlock_state();
 if (result) {
@@ -538,19 +554,20 @@ int HMAC_get_precomputed_key(HMAC_CTX *ctx, uint8_t *out, size_t *out_len) {
 // is false". Note this should not be necessary because get_state cannot fail.
 uint64_t o_ctx_n = 0;
- const int ok = ctx->methods->get_state(&ctx->i_ctx, out, &i_ctx_n) &&
+ const int ok =
+ ctx->methods->get_state(&ctx->i_ctx, out, &i_ctx_n) &&
 ctx->methods->get_state(&ctx->o_ctx, out + chaining_length, &o_ctx_n);
 // ok should always be true as in our setting: get_state should always be
 // successful since i_ctx/o_ctx have processed exactly one block
 assert(ok);
- (void)ok; // avoid unused variable warning when asserts disabled
+ (void)ok; // avoid unused variable warning when asserts disabled
 // Sanity check: we must have processed a single block at this time
 size_t block_size = EVP_MD_block_size(ctx->md);
 assert(8 * block_size == i_ctx_n);
 assert(8 * block_size == o_ctx_n);
- (void)block_size; // avoid unused variable warning when asserts disabled
+ (void)block_size; // avoid unused variable warning when asserts disabled
 // The context is ready to be used to compute HMAC values at this point.
 ctx->state = HMAC_STATE_INIT_NO_DATA;
diff --git a/crypto/fipsmodule/hmac/internal.h b/crypto/fipsmodule/hmac/internal.h
index a3c4defe2b..c59bdfe563 100644
--- a/crypto/fipsmodule/hmac/internal.h
+++ b/crypto/fipsmodule/hmac/internal.h
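Review bot: In HMAC_Final the formatter has turned the trailing comment on `ctx->state = HMAC_STATE_READY_NEEDS_INIT;` into a split assignment with the comment continuing on a third line, which reads as though the state constant were its own statement. Moving the comment above the assignment restores a one-line statement and keeps the formatter from wrapping it again: `// Ready for reuse, but the API contract still requires HMAC_Init_ex first.` followed by `ctx->state = HMAC_STATE_READY_NEEDS_INIT;`. HMAC_Final's body starts before this hunk.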
@@ -12,9 +12,9 @@ extern "C" {
 // HMAC_with_precompute is only used in FIPS ACVP harness, in order to test
 // the computation of HMAC using precomputed keys (internally). It should not
-// be used for any other purposes as it outputs the same results as |HMAC| and is
-// slower than |HMAC|.
-// This function does not update the FIPS service indicator.
+// be used for any other purposes as it outputs the same results as |HMAC| and
+// is slower than |HMAC|. This function does not update the FIPS service
+// indicator.
 OPENSSL_EXPORT uint8_t *HMAC_with_precompute(const EVP_MD *evp_md,
 const void *key, size_t key_len,
 const uint8_t *data,
diff --git a/crypto/fipsmodule/kdf/sskdf.c b/crypto/fipsmodule/kdf/sskdf.c
index 804d3b26cf..44e0ce8be8 100644
--- a/crypto/fipsmodule/kdf/sskdf.c
+++ b/crypto/fipsmodule/kdf/sskdf.c
@@ -346,7 +346,7 @@ int SSKDF_hmac(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
 end:
 sskdf_variant_hmac_ctx_cleanup(&ctx);
 FIPS_service_indicator_unlock_state();
- if(ret) {
+ if (ret) {
 SSKDF_hmac_verify_service_indicator(digest);
 }
 return ret;
diff --git a/crypto/fipsmodule/kem/internal.h b/crypto/fipsmodule/kem/internal.h
index d0765043a2..408acf5ded 100644
--- a/crypto/fipsmodule/kem/internal.h
+++ b/crypto/fipsmodule/kem/internal.h
@@ -13,24 +13,17 @@ extern "C" {
 // KEM_METHOD structure and helper functions.
 typedef struct {
- int (*keygen_deterministic)(uint8_t *ctx,
- uint8_t *pkey,
- const uint8_t *seed);
+ int (*keygen_deterministic)(uint8_t *ctx, uint8_t *pkey, const uint8_t *seed);
- int (*keygen)(uint8_t *public_key,
- uint8_t *secret_key);
+ int (*keygen)(uint8_t *public_key, uint8_t *secret_key);
- int (*encaps_deterministic)(uint8_t *ciphertext,
- uint8_t *shared_secret,
- const uint8_t *public_key,
- const uint8_t *seed);
+ int (*encaps_deterministic)(uint8_t *ciphertext, uint8_t *shared_secret,
+ const uint8_t *public_key, const uint8_t *seed);
- int (*encaps)(uint8_t *ciphertext,
- uint8_t *shared_secret,
+ int (*encaps)(uint8_t *ciphertext, uint8_t *shared_secret,
 const uint8_t *public_key);
- int (*decaps)(uint8_t *shared_secret,
- const uint8_t *ciphertext,
+ int (*decaps)(uint8_t *shared_secret, const uint8_t *ciphertext,
 const uint8_t *secret_key);
 } KEM_METHOD;
@@ -61,7 +54,7 @@ const KEM *KEM_find_kem_by_nid(int nid);
 KEM_KEY *KEM_KEY_new(void);
 int KEM_KEY_init(KEM_KEY *key, const KEM *kem);
 void KEM_KEY_free(KEM_KEY *key);
-const KEM *KEM_KEY_get0_kem(KEM_KEY* key);
+const KEM *KEM_KEY_get0_kem(KEM_KEY *key);
 // KEM_KEY_set_raw_public_key function allocates the public key buffer
 // within the given |key| and copies the contents of |in| to it.
@@ -85,10 +78,10 @@ int KEM_KEY_set_raw_secret_key(KEM_KEY *key, const uint8_t *in);
 // that the pointers are valid and |in_public| and |in_secret|
 // have the correct size.
 int KEM_KEY_set_raw_key(KEM_KEY *key, const uint8_t *in_public,
- const uint8_t *in_secret);
+ const uint8_t *in_secret);
 #if defined(__cplusplus)
 } // extern C
 #endif
-#endif // AWSLC_HEADER_KEM_TEST_INTERNAL_H
+#endif // AWSLC_HEADER_KEM_TEST_INTERNAL_H
diff --git a/crypto/fipsmodule/kem/kem.c b/crypto/fipsmodule/kem/kem.c
index 5f8947cf33..682ef0d2f4 100644
--- a/crypto/fipsmodule/kem/kem.c
+++ b/crypto/fipsmodule/kem/kem.c
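Review bot: The `keygen_deterministic` member of KEM_METHOD names its first two parameters `ctx` and `pkey`, while the sibling `keygen` pointer in the same struct and every implementation in the kem.c hunk below (`ml_kem_1024_keygen_deterministic`, `ml_kem_768_keygen_deterministic`) use `public_key` and `secret_key`; judging from those implementations the first argument is the public-key output buffer, not a context, so `ctx` actively misleads. Since the line is being rewritten anyway, `int (*keygen_deterministic)(uint8_t *public_key, uint8_t *secret_key, const uint8_t *seed);` makes the prototype match its implementations.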
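Review bot: The closing `#endif // AWSLC_HEADER_KEM_TEST_INTERNAL_H` in crypto/fipsmodule/kem/internal.h carries a guard name that says "KEM_TEST" for a header that is not a test header; the matching `#ifndef` is outside the hunk, but if it uses the same name the guard reads as copied from elsewhere and could collide with a genuine test header using that name, which would silently skip one of the two. A guard named for this file (for example `AWSLC_HEADER_KEM_INTERNAL_H`, changed in both the `#ifndef`/`#define` pair and this `#endif` comment) removes the ambiguity.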
@@ -10,39 +10,40 @@ // https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration // 2.16.840.1.101.3.4.4.1 -static const uint8_t kOIDMLKEM512[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x04, 0x01}; +static const uint8_t kOIDMLKEM512[] = {0x60, 0x86, 0x48, 0x01, 0x65, + 0x03, 0x04, 0x04, 0x01}; // 2.16.840.1.101.3.4.4.2 -static const uint8_t kOIDMLKEM768[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x04, 0x02}; +static const uint8_t kOIDMLKEM768[] = {0x60, 0x86, 0x48, 0x01, 0x65, + 0x03, 0x04, 0x04, 0x02}; // 2.16.840.1.101.3.4.4.3 -static const uint8_t kOIDMLKEM1024[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x04, 0x03}; +static const uint8_t kOIDMLKEM1024[] = {0x60, 0x86, 0x48, 0x01, 0x65, + 0x03, 0x04, 0x04, 0x03}; static int ml_kem_1024_keygen_deterministic(uint8_t *public_key, - uint8_t *secret_key, - const uint8_t *seed) { + uint8_t *secret_key, + const uint8_t *seed) { return ml_kem_1024_keypair_deterministic(public_key, secret_key, seed) == 0; } -static int ml_kem_1024_keygen(uint8_t *public_key, - uint8_t *secret_key) { +static int ml_kem_1024_keygen(uint8_t *public_key, uint8_t *secret_key) { return ml_kem_1024_keypair(public_key, secret_key) == 0; } static int ml_kem_1024_encaps_deterministic(uint8_t *ciphertext, - uint8_t *shared_secret, - const uint8_t *public_key, - const uint8_t *seed) { - return ml_kem_1024_encapsulate_deterministic(ciphertext, shared_secret, public_key, seed) == 0; + uint8_t *shared_secret, + const uint8_t *public_key, + const uint8_t *seed) { + return ml_kem_1024_encapsulate_deterministic(ciphertext, shared_secret, + public_key, seed) == 0; } -static int ml_kem_1024_encaps(uint8_t *ciphertext, - uint8_t *shared_secret, - const uint8_t *public_key) { +static int ml_kem_1024_encaps(uint8_t *ciphertext, uint8_t *shared_secret, + const uint8_t *public_key) { return ml_kem_1024_encapsulate(ciphertext, shared_secret, public_key) == 0; } -static int ml_kem_1024_decaps(uint8_t *shared_secret, - 
const uint8_t *ciphertext, - const uint8_t *secret_key) { +static int ml_kem_1024_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, + const uint8_t *secret_key) { return ml_kem_1024_decapsulate(shared_secret, ciphertext, secret_key) == 0; } @@ -55,32 +56,30 @@ DEFINE_LOCAL_DATA(KEM_METHOD, kem_ml_kem_1024_method) { } static int ml_kem_768_keygen_deterministic(uint8_t *public_key, - uint8_t *secret_key, - const uint8_t *seed) { + uint8_t *secret_key, + const uint8_t *seed) { return ml_kem_768_keypair_deterministic(public_key, secret_key, seed) == 0; } -static int ml_kem_768_keygen(uint8_t *public_key, - uint8_t *secret_key) { +static int ml_kem_768_keygen(uint8_t *public_key, uint8_t *secret_key) { return ml_kem_768_keypair(public_key, secret_key) == 0; } static int ml_kem_768_encaps_deterministic(uint8_t *ciphertext, - uint8_t *shared_secret, - const uint8_t *public_key, - const uint8_t *seed) { - return ml_kem_768_encapsulate_deterministic(ciphertext, shared_secret, public_key, seed) == 0; + uint8_t *shared_secret, + const uint8_t *public_key, + const uint8_t *seed) { + return ml_kem_768_encapsulate_deterministic(ciphertext, shared_secret, + public_key, seed) == 0; } -static int ml_kem_768_encaps(uint8_t *ciphertext, - uint8_t *shared_secret, - const uint8_t *public_key) { +static int ml_kem_768_encaps(uint8_t *ciphertext, uint8_t *shared_secret, + const uint8_t *public_key) { return ml_kem_768_encapsulate(ciphertext, shared_secret, public_key) == 0; } -static int ml_kem_768_decaps(uint8_t *shared_secret, - const uint8_t *ciphertext, - const uint8_t *secret_key) { +static int ml_kem_768_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, + const uint8_t *secret_key) { return ml_kem_768_decapsulate(shared_secret, ciphertext, secret_key) == 0; } 
@@ -93,31 +92,29 @@ DEFINE_LOCAL_DATA(KEM_METHOD, kem_ml_kem_768_method) { } static int ml_kem_512_keygen_deterministic(uint8_t *public_key, - uint8_t *secret_key, - const uint8_t *seed) { + uint8_t *secret_key, + const uint8_t *seed) { return ml_kem_512_keypair_deterministic(public_key, secret_key, seed) == 0; } -static int ml_kem_512_keygen(uint8_t *public_key, - uint8_t *secret_key) { +static int ml_kem_512_keygen(uint8_t *public_key, uint8_t *secret_key) { return ml_kem_512_keypair(public_key, secret_key) == 0; } static int ml_kem_512_encaps_deterministic(uint8_t *ciphertext, - uint8_t *shared_secret, - const uint8_t *public_key, - const uint8_t *seed) { - return ml_kem_512_encapsulate_deterministic(ciphertext, shared_secret, public_key, seed) == 0; + uint8_t *shared_secret, + const uint8_t *public_key, + const uint8_t *seed) { + return ml_kem_512_encapsulate_deterministic(ciphertext, shared_secret, + public_key, seed) == 0; } -static int ml_kem_512_encaps(uint8_t *ciphertext, - uint8_t *shared_secret, +static int ml_kem_512_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key) { return ml_kem_512_encapsulate(ciphertext, shared_secret, public_key) == 0; } -static int ml_kem_512_decaps(uint8_t *shared_secret, - const uint8_t *ciphertext, +static int ml_kem_512_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key) { return ml_kem_512_decapsulate(shared_secret, ciphertext, secret_key) == 0; } @@ -235,9 +232,7 @@ void KEM_KEY_free(KEM_KEY *key) { OPENSSL_free(key); } -const KEM *KEM_KEY_get0_kem(KEM_KEY* key) { - return key->kem; -} +const KEM *KEM_KEY_get0_kem(KEM_KEY *key) { return key->kem; } int KEM_KEY_set_raw_public_key(KEM_KEY *key, const uint8_t *in) { key->public_key = OPENSSL_memdup(in, key->kem->public_key_len); 
@@ -258,7 +253,7 @@ int KEM_KEY_set_raw_secret_key(KEM_KEY *key, const uint8_t *in) { } int KEM_KEY_set_raw_key(KEM_KEY *key, const uint8_t *in_public, - const uint8_t *in_secret) { + const uint8_t *in_secret) { key->public_key = OPENSSL_memdup(in_public, key->kem->public_key_len); key->secret_key = OPENSSL_memdup(in_secret, key->kem->secret_key_len); if (key->public_key == NULL || key->secret_key == NULL) { diff --git a/crypto/fipsmodule/md5/internal.h b/crypto/fipsmodule/md5/internal.h index e50b5582b8..a5de434400 100644 --- a/crypto/fipsmodule/md5/internal.h +++ b/crypto/fipsmodule/md5/internal.h @@ -45,8 +45,9 @@ OPENSSL_EXPORT int MD5_get_state(MD5_CTX *ctx, uint8_t out_h[MD5_CHAINING_LENGTH], uint64_t *out_n); -#if !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_X86_64) || defined(OPENSSL_X86) || defined(OPENSSL_AARCH64)) +#if !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_X86_64) || defined(OPENSSL_X86) || \ + defined(OPENSSL_AARCH64)) #define MD5_ASM extern void md5_block_asm_data_order(uint32_t *state, const uint8_t *data, size_t num); diff --git a/crypto/fipsmodule/md5/md5_test.cc b/crypto/fipsmodule/md5/md5_test.cc index 7df5bb2595..eb3de57ad8 100644 --- a/crypto/fipsmodule/md5/md5_test.cc +++ b/crypto/fipsmodule/md5/md5_test.cc @@ -16,8 +16,8 @@ #include -#include "internal.h" #include "../../test/abi_test.h" +#include "internal.h" #if defined(MD5_ASM) && defined(SUPPORTS_ABI_TEST) diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa.c b/crypto/fipsmodule/ml_dsa/ml_dsa.c index 512195658b..54b6edebff 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa.c +++ b/crypto/fipsmodule/ml_dsa/ml_dsa.c @@ -1,9 +1,9 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC +#include "ml_dsa.h" #include "../../evp_extra/internal.h" #include "../evp/internal.h" -#include "ml_dsa.h" #include "ml_dsa_ref/params.h" #include "ml_dsa_ref/sign.h" 
@@ -23,279 +23,252 @@ // those can be conditionally (or based on compile-time flags) called here, // depending on platform support. -int ml_dsa_44_keypair_internal(uint8_t *public_key /* OUT */, - uint8_t *private_key /* OUT */, - const uint8_t *seed /* IN */) { +int ml_dsa_44_keypair_internal(uint8_t *public_key /* OUT */, + uint8_t *private_key /* OUT */, + const uint8_t *seed /* IN */) { boringssl_ensure_ml_dsa_self_test(); return ml_dsa_44_keypair_internal_no_self_test(public_key, private_key, seed); } -int ml_dsa_44_keypair_internal_no_self_test(uint8_t *public_key /* OUT */, - uint8_t *private_key /* OUT */, - const uint8_t *seed /* IN */) { +int ml_dsa_44_keypair_internal_no_self_test(uint8_t *public_key /* OUT */, + uint8_t *private_key /* OUT */, + const uint8_t *seed /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); return ml_dsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; } -int ml_dsa_44_keypair(uint8_t *public_key /* OUT */, - uint8_t *private_key /* OUT */) { +int ml_dsa_44_keypair(uint8_t *public_key /* OUT */, + uint8_t *private_key /* OUT */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_44_params_init(¶ms); return (ml_dsa_keypair(¶ms, public_key, private_key) == 0); } -int ml_dsa_44_pack_pk_from_sk(uint8_t *public_key /* OUT */, - const uint8_t *private_key /* IN */) { - +int ml_dsa_44_pack_pk_from_sk(uint8_t *public_key /* OUT */, + const uint8_t *private_key /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); return ml_dsa_pack_pk_from_sk(¶ms, public_key, private_key) == 0; } -int ml_dsa_44_sign(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - size_t *sig_len /* OUT */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, - const uint8_t *ctx_string /* IN */, - size_t ctx_string_len /* IN */) { +int ml_dsa_44_sign(const uint8_t *private_key /* IN */, uint8_t *sig /* OUT */, + size_t *sig_len /* OUT */, const uint8_t *message /* IN */, + size_t message_len /* 
IN */, + const uint8_t *ctx_string /* IN */, + size_t ctx_string_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return ml_dsa_sign(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return ml_dsa_sign(¶ms, sig, sig_len, message, message_len, ctx_string, + ctx_string_len, private_key) == 0; } int ml_dsa_extmu_44_sign(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - size_t *sig_len /* OUT */, - const uint8_t *mu /* IN */, - size_t mu_len /* IN */) { + uint8_t *sig /* OUT */, size_t *sig_len /* OUT */, + const uint8_t *mu /* IN */, size_t mu_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_44_params_init(¶ms); return ml_dsa_extmu_sign(¶ms, sig, sig_len, mu, mu_len, private_key) == 0; } -int ml_dsa_44_sign_internal(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - size_t *sig_len /* OUT */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */, - const uint8_t *rnd /* IN */) { +int ml_dsa_44_sign_internal(const uint8_t *private_key /* IN */, + uint8_t *sig /* OUT */, size_t *sig_len /* OUT */, + const uint8_t *message /* IN */, + size_t message_len /* IN */, + const uint8_t *pre /* IN */, + size_t pre_len /* IN */, + const uint8_t *rnd /* IN */) { boringssl_ensure_ml_dsa_self_test(); - return ml_dsa_44_sign_internal_no_self_test(private_key, sig, sig_len, message, - message_len, pre, pre_len, rnd); + return ml_dsa_44_sign_internal_no_self_test( + private_key, sig, sig_len, message, message_len, pre, pre_len, rnd); } -int ml_dsa_44_sign_internal_no_self_test(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - size_t *sig_len /* OUT */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */, - const uint8_t *rnd /* IN */) { +int 
ml_dsa_44_sign_internal_no_self_test( + const uint8_t *private_key /* IN */, uint8_t *sig /* OUT */, + size_t *sig_len /* OUT */, const uint8_t *message /* IN */, + size_t message_len /* IN */, const uint8_t *pre /* IN */, + size_t pre_len /* IN */, const uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return ml_dsa_sign_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key, 0) == 0; -} - -int ml_dsa_extmu_44_sign_internal(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - size_t *sig_len /* OUT */, - const uint8_t *mu /* IN */, - size_t mu_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */, - const uint8_t *rnd /* IN */) { + return ml_dsa_sign_internal(¶ms, sig, sig_len, message, message_len, pre, + pre_len, rnd, private_key, 0) == 0; +} + +int ml_dsa_extmu_44_sign_internal( + const uint8_t *private_key /* IN */, uint8_t *sig /* OUT */, + size_t *sig_len /* OUT */, const uint8_t *mu /* IN */, + size_t mu_len /* IN */, const uint8_t *pre /* IN */, + size_t pre_len /* IN */, const uint8_t *rnd /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return ml_dsa_sign_internal(¶ms, sig, sig_len, mu, mu_len, - pre, pre_len, rnd, private_key, 1) == 0; + return ml_dsa_sign_internal(¶ms, sig, sig_len, mu, mu_len, pre, pre_len, + rnd, private_key, 1) == 0; } int ml_dsa_44_verify(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, + const uint8_t *sig /* IN */, size_t sig_len /* IN */, + const uint8_t *message /* IN */, + size_t message_len /* IN */, const uint8_t *ctx_string /* IN */, - size_t ctx_string_len /* IN */) { + size_t ctx_string_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return ml_dsa_verify(¶ms, sig, sig_len, message, message_len, - ctx_string, 
ctx_string_len, public_key) == 0; + return ml_dsa_verify(¶ms, sig, sig_len, message, message_len, ctx_string, + ctx_string_len, public_key) == 0; } int ml_dsa_extmu_44_verify(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *mu /* IN */, - size_t mu_len /* IN */) { + const uint8_t *sig /* IN */, size_t sig_len /* IN */, + const uint8_t *mu /* IN */, size_t mu_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return ml_dsa_verify_internal(¶ms, sig, sig_len, mu, mu_len, NULL, 0, public_key, 1) == 0; + return ml_dsa_verify_internal(¶ms, sig, sig_len, mu, mu_len, NULL, 0, + public_key, 1) == 0; } int ml_dsa_44_verify_internal(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */) { + const uint8_t *sig /* IN */, + size_t sig_len /* IN */, + const uint8_t *message /* IN */, + size_t message_len /* IN */, + const uint8_t *pre /* IN */, + size_t pre_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); - return ml_dsa_44_verify_internal_no_self_test(public_key, sig, sig_len, message, - message_len, pre, pre_len); + return ml_dsa_44_verify_internal_no_self_test( + public_key, sig, sig_len, message, message_len, pre, pre_len); } int ml_dsa_44_verify_internal_no_self_test(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */) { + const uint8_t *sig /* IN */, + size_t sig_len /* IN */, + const uint8_t *message /* IN */, + size_t message_len /* IN */, + const uint8_t *pre /* IN */, + size_t pre_len /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); return ml_dsa_verify_internal(¶ms, sig, sig_len, message, message_len, pre, pre_len, 
public_key, 0) == 0; } -int ml_dsa_extmu_44_verify_internal(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *mu /* IN */, - size_t mu_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */) { +int ml_dsa_extmu_44_verify_internal( + const uint8_t *public_key /* IN */, const uint8_t *sig /* IN */, + size_t sig_len /* IN */, const uint8_t *mu /* IN */, size_t mu_len /* IN */, + const uint8_t *pre /* IN */, size_t pre_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return ml_dsa_verify_internal(¶ms, sig, sig_len, mu, mu_len, - pre, pre_len, public_key, 1) == 0; + return ml_dsa_verify_internal(¶ms, sig, sig_len, mu, mu_len, pre, pre_len, + public_key, 1) == 0; } -int ml_dsa_65_keypair(uint8_t *public_key /* OUT */, - uint8_t *private_key /* OUT */) { +int ml_dsa_65_keypair(uint8_t *public_key /* OUT */, + uint8_t *private_key /* OUT */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_65_params_init(¶ms); return (ml_dsa_keypair(¶ms, public_key, private_key) == 0); } -int ml_dsa_65_pack_pk_from_sk(uint8_t *public_key /* OUT */, - const uint8_t *private_key /* IN */) { +int ml_dsa_65_pack_pk_from_sk(uint8_t *public_key /* OUT */, + const uint8_t *private_key /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); return ml_dsa_pack_pk_from_sk(¶ms, public_key, private_key) == 0; } -int ml_dsa_65_keypair_internal(uint8_t *public_key /* OUT */, - uint8_t *private_key /* OUT */, - const uint8_t *seed /* IN */) { +int ml_dsa_65_keypair_internal(uint8_t *public_key /* OUT */, + uint8_t *private_key /* OUT */, + const uint8_t *seed /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_65_params_init(¶ms); return ml_dsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; } -int ml_dsa_65_sign(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - size_t *sig_len /* OUT */, - const 
uint8_t *message /* IN */, - size_t message_len /* IN */, - const uint8_t *ctx_string /* IN */, - size_t ctx_string_len /* IN */) { +int ml_dsa_65_sign(const uint8_t *private_key /* IN */, uint8_t *sig /* OUT */, + size_t *sig_len /* OUT */, const uint8_t *message /* IN */, + size_t message_len /* IN */, + const uint8_t *ctx_string /* IN */, + size_t ctx_string_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return ml_dsa_sign(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return ml_dsa_sign(¶ms, sig, sig_len, message, message_len, ctx_string, + ctx_string_len, private_key) == 0; } int ml_dsa_extmu_65_sign(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - size_t *sig_len /* OUT */, - const uint8_t *mu /* IN */, - size_t mu_len /* IN */) { + uint8_t *sig /* OUT */, size_t *sig_len /* OUT */, + const uint8_t *mu /* IN */, size_t mu_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_65_params_init(¶ms); return ml_dsa_extmu_sign(¶ms, sig, sig_len, mu, mu_len, private_key) == 0; } -int ml_dsa_65_sign_internal(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - size_t *sig_len /* OUT */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */, - const uint8_t *rnd /* IN */) { +int ml_dsa_65_sign_internal(const uint8_t *private_key /* IN */, + uint8_t *sig /* OUT */, size_t *sig_len /* OUT */, + const uint8_t *message /* IN */, + size_t message_len /* IN */, + const uint8_t *pre /* IN */, + size_t pre_len /* IN */, + const uint8_t *rnd /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return ml_dsa_sign_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key, 0) == 0; -} - -int ml_dsa_extmu_65_sign_internal(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - 
size_t *sig_len /* OUT */, - const uint8_t *mu /* IN */, - size_t mu_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */, - const uint8_t *rnd /* IN */) { + return ml_dsa_sign_internal(¶ms, sig, sig_len, message, message_len, pre, + pre_len, rnd, private_key, 0) == 0; +} + +int ml_dsa_extmu_65_sign_internal( + const uint8_t *private_key /* IN */, uint8_t *sig /* OUT */, + size_t *sig_len /* OUT */, const uint8_t *mu /* IN */, + size_t mu_len /* IN */, const uint8_t *pre /* IN */, + size_t pre_len /* IN */, const uint8_t *rnd /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return ml_dsa_sign_internal(¶ms, sig, sig_len, mu, mu_len, - pre, pre_len, rnd, private_key, 1) == 0; + return ml_dsa_sign_internal(¶ms, sig, sig_len, mu, mu_len, pre, pre_len, + rnd, private_key, 1) == 0; } int ml_dsa_65_verify(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, + const uint8_t *sig /* IN */, size_t sig_len /* IN */, + const uint8_t *message /* IN */, + size_t message_len /* IN */, const uint8_t *ctx_string /* IN */, - size_t ctx_string_len /* IN */) { + size_t ctx_string_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return ml_dsa_verify(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, public_key) == 0; + return ml_dsa_verify(¶ms, sig, sig_len, message, message_len, ctx_string, + ctx_string_len, public_key) == 0; } int ml_dsa_extmu_65_verify(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *mu /* IN */, - size_t mu_len /* IN */) { + const uint8_t *sig /* IN */, size_t sig_len /* IN */, + const uint8_t *mu /* IN */, size_t mu_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return ml_dsa_verify_internal(¶ms, 
sig, sig_len, mu, mu_len, NULL, 0, public_key, 1) == 0; + return ml_dsa_verify_internal(¶ms, sig, sig_len, mu, mu_len, NULL, 0, + public_key, 1) == 0; } int ml_dsa_65_verify_internal(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */) { + const uint8_t *sig /* IN */, + size_t sig_len /* IN */, + const uint8_t *message /* IN */, + size_t message_len /* IN */, + const uint8_t *pre /* IN */, + size_t pre_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_65_params_init(¶ms); 
@@ -303,132 +276,118 @@ int ml_dsa_65_verify_internal(const uint8_t *public_key /* IN */, pre, pre_len, public_key, 0) == 0; } -int ml_dsa_extmu_65_verify_internal(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *mu /* IN */, - size_t mu_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */) { +int ml_dsa_extmu_65_verify_internal( + const uint8_t *public_key /* IN */, const uint8_t *sig /* IN */, + size_t sig_len /* IN */, const uint8_t *mu /* IN */, size_t mu_len /* IN */, + const uint8_t *pre /* IN */, size_t pre_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return ml_dsa_verify_internal(¶ms, sig, sig_len, mu, mu_len, - pre, pre_len, public_key, 1) == 0; + return ml_dsa_verify_internal(¶ms, sig, sig_len, mu, mu_len, pre, pre_len, + public_key, 1) == 0; } -int ml_dsa_87_keypair(uint8_t *public_key /* OUT */, - uint8_t *private_key /* OUT */) { +int ml_dsa_87_keypair(uint8_t *public_key /* OUT */, + uint8_t *private_key /* OUT */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_87_params_init(¶ms); return (ml_dsa_keypair(¶ms, public_key, private_key) == 0); } -int ml_dsa_87_pack_pk_from_sk(uint8_t *public_key /* OUT */, - const uint8_t *private_key /* IN */) { - +int ml_dsa_87_pack_pk_from_sk(uint8_t *public_key /* OUT */, + const uint8_t *private_key /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); return ml_dsa_pack_pk_from_sk(¶ms, public_key, private_key) == 0; } -int ml_dsa_87_keypair_internal(uint8_t *public_key /* OUT */, - uint8_t *private_key /* OUT */, - const uint8_t *seed /* IN */) { +int ml_dsa_87_keypair_internal(uint8_t *public_key /* OUT */, + uint8_t *private_key /* OUT */, + const uint8_t *seed /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_87_params_init(¶ms); return ml_dsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; } -int 
ml_dsa_87_sign(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - size_t *sig_len /* OUT */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, - const uint8_t *ctx_string /* IN */, - size_t ctx_string_len /* IN */) { +int ml_dsa_87_sign(const uint8_t *private_key /* IN */, uint8_t *sig /* OUT */, + size_t *sig_len /* OUT */, const uint8_t *message /* IN */, + size_t message_len /* IN */, + const uint8_t *ctx_string /* IN */, + size_t ctx_string_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return ml_dsa_sign(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return ml_dsa_sign(¶ms, sig, sig_len, message, message_len, ctx_string, + ctx_string_len, private_key) == 0; } int ml_dsa_extmu_87_sign(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - size_t *sig_len /* OUT */, - const uint8_t *mu /* IN */, - size_t mu_len /* IN */) { + uint8_t *sig /* OUT */, size_t *sig_len /* OUT */, + const uint8_t *mu /* IN */, size_t mu_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_87_params_init(¶ms); return ml_dsa_extmu_sign(¶ms, sig, sig_len, mu, mu_len, private_key) == 0; } -int ml_dsa_87_sign_internal(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - size_t *sig_len /* OUT */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */, - const uint8_t *rnd /* IN */) { +int ml_dsa_87_sign_internal(const uint8_t *private_key /* IN */, + uint8_t *sig /* OUT */, size_t *sig_len /* OUT */, + const uint8_t *message /* IN */, + size_t message_len /* IN */, + const uint8_t *pre /* IN */, + size_t pre_len /* IN */, + const uint8_t *rnd /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return ml_dsa_sign_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key, 
0) == 0; -} - -int ml_dsa_extmu_87_sign_internal(const uint8_t *private_key /* IN */, - uint8_t *sig /* OUT */, - size_t *sig_len /* OUT */, - const uint8_t *mu /* IN */, - size_t mu_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */, - const uint8_t *rnd /* IN */) { + return ml_dsa_sign_internal(¶ms, sig, sig_len, message, message_len, pre, + pre_len, rnd, private_key, 0) == 0; +} + +int ml_dsa_extmu_87_sign_internal( + const uint8_t *private_key /* IN */, uint8_t *sig /* OUT */, + size_t *sig_len /* OUT */, const uint8_t *mu /* IN */, + size_t mu_len /* IN */, const uint8_t *pre /* IN */, + size_t pre_len /* IN */, const uint8_t *rnd /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return ml_dsa_sign_internal(¶ms, sig, sig_len, mu, mu_len, - pre, pre_len, rnd, private_key, 1) == 0; + return ml_dsa_sign_internal(¶ms, sig, sig_len, mu, mu_len, pre, pre_len, + rnd, private_key, 1) == 0; } int ml_dsa_87_verify(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, + const uint8_t *sig /* IN */, size_t sig_len /* IN */, + const uint8_t *message /* IN */, + size_t message_len /* IN */, const uint8_t *ctx_string /* IN */, - size_t ctx_string_len /* IN */) { + size_t ctx_string_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return ml_dsa_verify(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, public_key) == 0; + return ml_dsa_verify(¶ms, sig, sig_len, message, message_len, ctx_string, + ctx_string_len, public_key) == 0; } int ml_dsa_extmu_87_verify(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *mu /* IN */, - size_t mu_len /* IN */) { + const uint8_t *sig /* IN */, size_t sig_len /* IN */, + const uint8_t *mu /* IN */, size_t mu_len /* IN */) { 
boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return ml_dsa_verify_internal(¶ms, sig, sig_len, mu, mu_len, NULL, 0, public_key, 1) == 0; + return ml_dsa_verify_internal(¶ms, sig, sig_len, mu, mu_len, NULL, 0, + public_key, 1) == 0; } int ml_dsa_87_verify_internal(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *message /* IN */, - size_t message_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */) { + const uint8_t *sig /* IN */, + size_t sig_len /* IN */, + const uint8_t *message /* IN */, + size_t message_len /* IN */, + const uint8_t *pre /* IN */, + size_t pre_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_87_params_init(¶ms); @@ -436,16 +395,13 @@ int ml_dsa_87_verify_internal(const uint8_t *public_key /* IN */, pre, pre_len, public_key, 0) == 0; } -int ml_dsa_extmu_87_verify_internal(const uint8_t *public_key /* IN */, - const uint8_t *sig /* IN */, - size_t sig_len /* IN */, - const uint8_t *mu /* IN */, - size_t mu_len /* IN */, - const uint8_t *pre /* IN */, - size_t pre_len /* IN */) { +int ml_dsa_extmu_87_verify_internal( + const uint8_t *public_key /* IN */, const uint8_t *sig /* IN */, + size_t sig_len /* IN */, const uint8_t *mu /* IN */, size_t mu_len /* IN */, + const uint8_t *pre /* IN */, size_t pre_len /* IN */) { boringssl_ensure_ml_dsa_self_test(); ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return ml_dsa_verify_internal(¶ms, sig, sig_len, mu, mu_len, - pre, pre_len, public_key, 1) == 0; + return ml_dsa_verify_internal(¶ms, sig, sig_len, mu, mu_len, pre, pre_len, + public_key, 1) == 0; } diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa.h b/crypto/fipsmodule/ml_dsa/ml_dsa.h index 79f220cde2..bd4452e7ee 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa.h +++ b/crypto/fipsmodule/ml_dsa/ml_dsa.h 
@@ -4,10 +4,10 @@ #ifndef ML_DSA_H #define ML_DSA_H -#include -#include #include #include +#include +#include #define MLDSA44_PUBLIC_KEY_BYTES 1312 #define MLDSA44_PRIVATE_KEY_BYTES 2560 @@ -30,8 +30,7 @@ #if defined(__cplusplus) extern "C" { #endif -OPENSSL_EXPORT int ml_dsa_44_keypair(uint8_t *public_key, - uint8_t *secret_key); +OPENSSL_EXPORT int ml_dsa_44_keypair(uint8_t *public_key, uint8_t *secret_key); OPENSSL_EXPORT int ml_dsa_44_pack_pk_from_sk(uint8_t *public_key, const uint8_t *private_key); @@ -44,10 +43,10 @@ OPENSSL_EXPORT int ml_dsa_44_keypair_internal(uint8_t *public_key, uint8_t *private_key, const uint8_t *seed); -OPENSSL_EXPORT int ml_dsa_44_sign(const uint8_t *private_key, - uint8_t *sig, size_t *sig_len, - const uint8_t *message, size_t message_len, - const uint8_t *ctx_string, size_t ctx_string_len); +OPENSSL_EXPORT int ml_dsa_44_sign(const uint8_t *private_key, uint8_t *sig, + size_t *sig_len, const uint8_t *message, + size_t message_len, const uint8_t *ctx_string, + size_t ctx_string_len); OPENSSL_EXPORT int ml_dsa_extmu_44_sign(const uint8_t *private_key, uint8_t *sig, size_t *sig_len, 
@@ -55,26 +54,27 @@ OPENSSL_EXPORT int ml_dsa_extmu_44_sign(const uint8_t *private_key, OPENSSL_EXPORT int ml_dsa_44_sign_internal(const uint8_t *private_key, uint8_t *sig, size_t *sig_len, - const uint8_t *message, size_t message_len, + const uint8_t *message, + size_t message_len, const uint8_t *pre, size_t pre_len, const uint8_t *rnd); int ml_dsa_44_sign_internal_no_self_test(const uint8_t *private_key, uint8_t *sig, size_t *sig_len, - const uint8_t *message, size_t message_len, - const uint8_t *pre, size_t pre_len, - const uint8_t *rnd); + const uint8_t *message, + size_t message_len, const uint8_t *pre, + size_t pre_len, const uint8_t *rnd); -OPENSSL_EXPORT int ml_dsa_extmu_44_sign_internal(const uint8_t *private_key, - uint8_t *sig, size_t *sig_len, - const uint8_t *mu, size_t mu_len, - const uint8_t *pre, size_t pre_len, - const uint8_t *rnd); +OPENSSL_EXPORT int ml_dsa_extmu_44_sign_internal( + const uint8_t *private_key, uint8_t *sig, size_t *sig_len, + const uint8_t *mu, size_t mu_len, const uint8_t *pre, size_t pre_len, + const uint8_t *rnd); OPENSSL_EXPORT int ml_dsa_44_verify(const uint8_t *public_key, const uint8_t *sig, size_t sig_len, const uint8_t *message, size_t message_len, - const uint8_t *ctx_string, size_t ctx_string_len); + const uint8_t *ctx_string, + size_t ctx_string_len); OPENSSL_EXPORT int ml_dsa_extmu_44_verify(const uint8_t *public_key, const uint8_t *sig, size_t sig_len, 
@@ -82,21 +82,22 @@ OPENSSL_EXPORT int ml_dsa_extmu_44_verify(const uint8_t *public_key, OPENSSL_EXPORT int ml_dsa_44_verify_internal(const uint8_t *public_key, const uint8_t *sig, size_t sig_len, - const uint8_t *message, size_t message_len, - const uint8_t *pre, size_t pre_len); + const uint8_t *message, + size_t message_len, + const uint8_t *pre, + size_t pre_len); int ml_dsa_44_verify_internal_no_self_test(const uint8_t *public_key, const uint8_t *sig, size_t sig_len, - const uint8_t *message, size_t message_len, + const uint8_t *message, + size_t message_len, const uint8_t *pre, size_t pre_len); -OPENSSL_EXPORT int ml_dsa_extmu_44_verify_internal(const uint8_t *public_key, - const uint8_t *sig, size_t sig_len, - const uint8_t *mu, size_t mu_len, - const uint8_t *pre, size_t pre_len); +OPENSSL_EXPORT int ml_dsa_extmu_44_verify_internal( + const uint8_t *public_key, const uint8_t *sig, size_t sig_len, + const uint8_t *mu, size_t mu_len, const uint8_t *pre, size_t pre_len); -OPENSSL_EXPORT int ml_dsa_65_keypair(uint8_t *public_key, - uint8_t *secret_key); +OPENSSL_EXPORT int ml_dsa_65_keypair(uint8_t *public_key, uint8_t *secret_key); OPENSSL_EXPORT int ml_dsa_65_pack_pk_from_sk(uint8_t *public_key, const uint8_t *private_key); @@ -105,10 +106,10 @@ OPENSSL_EXPORT int ml_dsa_65_keypair_internal(uint8_t *public_key, uint8_t *private_key, const uint8_t *seed); -OPENSSL_EXPORT int ml_dsa_65_sign(const uint8_t *private_key, - uint8_t *sig, size_t *sig_len, - const uint8_t *message, size_t message_len, - const uint8_t *ctx_string, size_t ctx_string_len); +OPENSSL_EXPORT int ml_dsa_65_sign(const uint8_t *private_key, uint8_t *sig, + size_t *sig_len, const uint8_t *message, + size_t message_len, const uint8_t *ctx_string, + size_t ctx_string_len); OPENSSL_EXPORT int ml_dsa_extmu_65_sign(const uint8_t *private_key, uint8_t *sig, size_t *sig_len, 
@@ -116,20 +117,21 @@ OPENSSL_EXPORT int ml_dsa_extmu_65_sign(const uint8_t *private_key, OPENSSL_EXPORT int ml_dsa_65_sign_internal(const uint8_t *private_key, uint8_t *sig, size_t *sig_len, - const uint8_t *message, size_t message_len, + const uint8_t *message, + size_t message_len, const uint8_t *pre, size_t pre_len, const uint8_t *rnd); -OPENSSL_EXPORT int ml_dsa_extmu_65_sign_internal(const uint8_t *private_key, - uint8_t *sig, size_t *sig_len, - const uint8_t *mu, size_t mu_len, - const uint8_t *pre, size_t pre_len, - const uint8_t *rnd); +OPENSSL_EXPORT int ml_dsa_extmu_65_sign_internal( + const uint8_t *private_key, uint8_t *sig, size_t *sig_len, + const uint8_t *mu, size_t mu_len, const uint8_t *pre, size_t pre_len, + const uint8_t *rnd); OPENSSL_EXPORT int ml_dsa_65_verify(const uint8_t *public_key, const uint8_t *sig, size_t sig_len, const uint8_t *message, size_t message_len, - const uint8_t *ctx_string, size_t ctx_string_len); + const uint8_t *ctx_string, + size_t ctx_string_len); OPENSSL_EXPORT int ml_dsa_extmu_65_verify(const uint8_t *public_key, const uint8_t *sig, size_t sig_len, 
@@ -137,16 +139,16 @@ OPENSSL_EXPORT int ml_dsa_extmu_65_verify(const uint8_t *public_key, OPENSSL_EXPORT int ml_dsa_65_verify_internal(const uint8_t *public_key, const uint8_t *sig, size_t sig_len, - const uint8_t *message, size_t message_len, - const uint8_t *pre, size_t pre_len); + const uint8_t *message, + size_t message_len, + const uint8_t *pre, + size_t pre_len); -OPENSSL_EXPORT int ml_dsa_extmu_65_verify_internal(const uint8_t *public_key, - const uint8_t *sig, size_t sig_len, - const uint8_t *mu, size_t mu_len, - const uint8_t *pre, size_t pre_len); +OPENSSL_EXPORT int ml_dsa_extmu_65_verify_internal( + const uint8_t *public_key, const uint8_t *sig, size_t sig_len, + const uint8_t *mu, size_t mu_len, const uint8_t *pre, size_t pre_len); -OPENSSL_EXPORT int ml_dsa_87_keypair(uint8_t *public_key, - uint8_t *secret_key); +OPENSSL_EXPORT int ml_dsa_87_keypair(uint8_t *public_key, uint8_t *secret_key); OPENSSL_EXPORT int ml_dsa_87_pack_pk_from_sk(uint8_t *public_key, const uint8_t *private_key); @@ -155,10 +157,10 @@ OPENSSL_EXPORT int ml_dsa_87_keypair_internal(uint8_t *public_key, uint8_t *private_key, const uint8_t *seed); -OPENSSL_EXPORT int ml_dsa_87_sign(const uint8_t *private_key, - uint8_t *sig, size_t *sig_len, - const uint8_t *message, size_t message_len, - const uint8_t *ctx_string, size_t ctx_string_len); +OPENSSL_EXPORT int ml_dsa_87_sign(const uint8_t *private_key, uint8_t *sig, + size_t *sig_len, const uint8_t *message, + size_t message_len, const uint8_t *ctx_string, + size_t ctx_string_len); OPENSSL_EXPORT int ml_dsa_extmu_87_sign(const uint8_t *private_key, uint8_t *sig, size_t *sig_len, 
@@ -166,20 +168,21 @@ OPENSSL_EXPORT int ml_dsa_extmu_87_sign(const uint8_t *private_key, OPENSSL_EXPORT int ml_dsa_87_sign_internal(const uint8_t *private_key, uint8_t *sig, size_t *sig_len, - const uint8_t *message, size_t message_len, + const uint8_t *message, + size_t message_len, const uint8_t *pre, size_t pre_len, const uint8_t *rnd); -OPENSSL_EXPORT int ml_dsa_extmu_87_sign_internal(const uint8_t *private_key, - uint8_t *sig, size_t *sig_len, - const uint8_t *mu, size_t mu_len, - const uint8_t *pre, size_t pre_len, - const uint8_t *rnd); +OPENSSL_EXPORT int ml_dsa_extmu_87_sign_internal( + const uint8_t *private_key, uint8_t *sig, size_t *sig_len, + const uint8_t *mu, size_t mu_len, const uint8_t *pre, size_t pre_len, + const uint8_t *rnd); OPENSSL_EXPORT int ml_dsa_87_verify(const uint8_t *public_key, const uint8_t *sig, size_t sig_len, const uint8_t *message, size_t message_len, - const uint8_t *ctx_string, size_t ctx_string_len); + const uint8_t *ctx_string, + size_t ctx_string_len); OPENSSL_EXPORT int ml_dsa_extmu_87_verify(const uint8_t *public_key, const uint8_t *sig, size_t sig_len, @@ -187,13 +190,14 @@ OPENSSL_EXPORT int ml_dsa_extmu_87_verify(const uint8_t *public_key, OPENSSL_EXPORT int ml_dsa_87_verify_internal(const uint8_t *public_key, const uint8_t *sig, size_t sig_len, - const uint8_t *message, size_t message_len, - const uint8_t *pre, size_t pre_len); - -OPENSSL_EXPORT int ml_dsa_extmu_87_verify_internal(const uint8_t *public_key, - const uint8_t *sig, size_t sig_len, - const uint8_t *mu, size_t mu_len, - const uint8_t *pre, size_t pre_len); + const uint8_t *message, + size_t message_len, + const uint8_t *pre, + size_t pre_len); + +OPENSSL_EXPORT int ml_dsa_extmu_87_verify_internal( + const uint8_t *public_key, const uint8_t *sig, size_t sig_len, + const uint8_t *mu, size_t mu_len, const uint8_t *pre, size_t pre_len); #if defined(__cplusplus) } #endif 
diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/ntt.c b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/ntt.c index a934c4b740..2075b743e7 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/ntt.c +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/ntt.c 
@@ -1,61 +1,66 @@ +#include "ntt.h" #include #include "params.h" -#include "ntt.h" #include "reduce.h" static const int32_t ml_dsa_zetas[ML_DSA_N] = { - 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, - 1826347, 2353451, -359251, -2091905, 3119733, -2884855, 3111497, 2680103, - 2725464, 1024112, -1079900, 3585928, -549488, -1119584, 2619752, -2108549, - -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497, 280005, - 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, - -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, - -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596, - 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779, - -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, 2176455, -1585221, - -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922, - 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047, - -671102, -1228525, -22981, -1308169, -381987, 1349076, 1852771, -1430430, - -3343383, 264944, 508951, 3097992, 44288, -1100098, 904516, 3958618, - -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969, -1316856, - 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330, - 1285669, -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961, - 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462, - 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378, - 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500, - -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, - 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, - 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974, - -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970, - -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642, - -1279661, 1917081, -2546312, 
-1374803, 1500165, 777191, 2235880, 3406031, - -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, - -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385, - -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107, - -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078, - -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, - -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, - -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782 -}; + 0, 25847, -2608894, -518909, 237124, -777960, -876248, + 466468, 1826347, 2353451, -359251, -2091905, 3119733, -2884855, + 3111497, 2680103, 2725464, 1024112, -1079900, 3585928, -549488, + -1119584, 2619752, -2108549, -2118186, -3859737, -1399561, -3277672, + 1757237, -19422, 4010497, 280005, 2706023, 95776, 3077325, + 3530437, -1661693, -3592148, -2537516, 3915439, -3861115, -3043716, + 3574422, -2867647, 3539968, -300467, 2348700, -539299, -1699267, + -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596, + 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, + -2797779, -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, + 2176455, -1585221, -1257611, 1939314, -4083598, -1000202, -3190144, + -3157330, -3632928, 126922, 3412210, -983419, 2147896, 2715295, + -2967645, -3693493, -411027, -2477047, -671102, -1228525, -22981, + -1308169, -381987, 1349076, 1852771, -1430430, -3343383, 264944, + 508951, 3097992, 44288, -1100098, 904516, 3958618, -3724342, + -8578, 1653064, -3249728, 2389356, -210977, 759969, -1316856, + 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, + 1341330, 1285669, -1584928, -812732, -1439742, -3019102, -3881060, + -3628969, 3839961, 2091667, 3407706, 2316500, 3817976, -3342478, + 2244091, -2446433, -3562462, 266997, 2434439, -1235728, 3513181, + -3520352, -3759364, -1197226, -3193378, 900702, 1859098, 909542, + 819034, 495491, 
-1613174, -43260, -522500, -655327, -3122442, + 2031748, 3207046, -3556995, -525098, -768622, -3595838, 342297, + 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, + 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, + 1595974, -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, + 1903435, -1050970, -1333058, 1237275, -3318210, -1430225, -451100, + 1312455, 3306115, -1962642, -1279661, 1917081, -2546312, -1374803, + 1500165, 777191, 2235880, 3406031, -542412, -2831860, -1671176, + -1846953, -2584293, -3724270, 594136, -3776993, -2013608, 2432395, + 2454455, -164721, 1957272, 3369112, 185531, -1207385, -3183426, + 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107, + -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, + 472078, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, + -260646, -3833893, -2939036, -2235985, -420899, -2286327, 183443, + -976891, 1612842, -3545687, -554416, 3919660, -48306, -1362209, + 3937738, 1400424, -846154, 1976782}; /************************************************* -* Name: ml_dsa_ntt -* -* Description: FIPS 204: Algorithm 41. -* Forward NTT, in-place. No modular reduction is performed after -* additions or subtractions. Output vector is in bitreversed order. -* -* Arguments: - uint32_t p[N]: input/output coefficient array -**************************************************/ + * Name: ml_dsa_ntt + * + * Description: FIPS 204: Algorithm 41. + * Forward NTT, in-place. No modular reduction is performed after + * additions or subtractions. Output vector is in bitreversed + *order. 
+ * + * Arguments: - uint32_t p[N]: input/output coefficient array + **************************************************/ void ml_dsa_ntt(int32_t a[ML_DSA_N]) { unsigned int len, start, j, k; int32_t zeta, t; k = 0; - for(len = 128; len > 0; len >>= 1) { - for(start = 0; start < ML_DSA_N; start = j + len) { + for (len = 128; len > 0; len >>= 1) { + for (start = 0; start < ML_DSA_N; start = j + len) { zeta = ml_dsa_zetas[++k]; - for(j = start; j < start + len; ++j) { + for (j = start; j < start + len; ++j) { t = ml_dsa_fqmul(zeta, a[j + len]); a[j + len] = a[j] - t; a[j] = a[j] + t; 
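Review bot: The re-wrapped header comment for ml_dsa_ntt now ends its sentence on a line reading ` *order.`, so "bitreversed order." is split with the word glued to the comment star; the wrap should keep the separating space, `* additions or subtractions. Output vector is in bitreversed` followed by `* order.`. In the same header the argument is documented as `uint32_t p[N]` while the definition below takes `int32_t a[ML_DSA_N]`; `* Arguments: - int32_t a[ML_DSA_N]: input/output coefficient array` would match the code. The ml_dsa_invntt_tomont header in the next hunk carries the same `uint32_t p[N]` mismatch. The body of ml_dsa_ntt continues past the end of this hunk.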
@@ -65,27 +70,27 @@ void ml_dsa_ntt(int32_t a[ML_DSA_N]) { } /************************************************* -* Name: ml_dsa_invntt_tomont -* -* Description: FIPS 204: Algorithm 42. -* Inverse NTT and multiplication by Montgomery factor 2^32. -* In-place. No modular reductions after additions or -* subtractions; input coefficients need to be smaller than -* Q in absolute value. Output coefficient are smaller than Q in -* absolute value. -* -* Arguments: - uint32_t p[N]: input/output coefficient array -**************************************************/ + * Name: ml_dsa_invntt_tomont + * + * Description: FIPS 204: Algorithm 42. + * Inverse NTT and multiplication by Montgomery factor 2^32. + * In-place. No modular reductions after additions or + * subtractions; input coefficients need to be smaller than + * Q in absolute value. Output coefficient are smaller than Q in + * absolute value. + * + * Arguments: - uint32_t p[N]: input/output coefficient array + **************************************************/ void ml_dsa_invntt_tomont(int32_t a[ML_DSA_N]) { unsigned int start, len, j, k; int32_t t, zeta; - const int32_t f = 41978; // mont^2/256 + const int32_t f = 41978; // mont^2/256 k = 256; - for(len = 1; len < ML_DSA_N; len <<= 1) { - for(start = 0; start < ML_DSA_N; start = j + len) { + for (len = 1; len < ML_DSA_N; len <<= 1) { + for (start = 0; start < ML_DSA_N; start = j + len) { zeta = -ml_dsa_zetas[--k]; - for(j = start; j < start + len; ++j) { + for (j = start; j < start + len; ++j) { t = a[j]; a[j] = t + a[j + len]; a[j + len] = t - a[j + len]; @@ -94,7 +99,7 @@ void ml_dsa_invntt_tomont(int32_t a[ML_DSA_N]) { } } - for(j = 0; j < ML_DSA_N; ++j) { + for (j = 0; j < ML_DSA_N; ++j) { a[j] = ml_dsa_fqmul(f, a[j]); } } diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/packing.c b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/packing.c index 1d9124ab3e..3dec2a5ddc 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/packing.c 
+++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/packing.c @@ -1,26 +1,25 @@ -#include "params.h" #include "packing.h" -#include "polyvec.h" -#include "poly.h" #include "../../sha/internal.h" +#include "params.h" +#include "poly.h" +#include "polyvec.h" /************************************************* -* Name: ml_dsa_pack_pk_from_sk -* -* Description: Takes a private key and constructs the corresponding public key. -* The hash of the contructed public key is then compared with -* the value of tr unpacked from the provided private key. -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t pk: pointer to output byte array -* - const uint8_t sk: pointer to byte array containing bit-packed sk -* -* Returns 0 (when SHAKE256 hash of constructed pk matches tr) -**************************************************/ -int ml_dsa_pack_pk_from_sk(ml_dsa_params *params, - uint8_t *pk, - const uint8_t *sk) -{ + * Name: ml_dsa_pack_pk_from_sk + * + * Description: Takes a private key and constructs the corresponding public key. + * The hash of the contructed public key is then compared with + * the value of tr unpacked from the provided private key. + * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t pk: pointer to output byte array + * - const uint8_t sk: pointer to byte array containing bit-packed + *sk + * + * Returns 0 (when SHAKE256 hash of constructed pk matches tr) + **************************************************/ +int ml_dsa_pack_pk_from_sk(ml_dsa_params *params, uint8_t *pk, + const uint8_t *sk) { uint8_t rho[ML_DSA_SEEDBYTES]; uint8_t tr[ML_DSA_TRBYTES]; uint8_t tr_validate[ML_DSA_TRBYTES]; @@ -29,7 +28,7 @@ int ml_dsa_pack_pk_from_sk(ml_dsa_params *params, polyvecl s1; polyveck s2, t1, t0; - //unpack sk + // unpack sk ml_dsa_unpack_sk(params, rho, tr, key, &t0, &s1, &s2, sk); // generate matrix A 
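Review bot: The reformatted argument list in the ml_dsa_pack_pk_from_sk header ends with ` *sk` on a line of its own, i.e. the wrap of "bit-packed sk" glued `sk` to the comment star; it should read `* - const uint8_t sk: pointer to byte array containing` followed by `* bit-packed sk`. The same header misspells "constructed" as `contructed`. The function body continues past the end of this hunk.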
@@ -61,212 +60,198 @@ int ml_dsa_pack_pk_from_sk(ml_dsa_params *params, } /************************************************* -* Name: ml_dsa_pack_pk -* -* Description: FIPS 204: Algorithm 22 pkEncode. -* Bit-pack public key pk = (rho, t1). -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t pk[]: pointer to output byte array -* - const uint8_t rho[]: byte array containing rho -* - const polyveck *t1: pointer to vector t1 -**************************************************/ -void ml_dsa_pack_pk(ml_dsa_params *params, - uint8_t *pk, - const uint8_t rho[ML_DSA_SEEDBYTES], - const polyveck *t1) -{ + * Name: ml_dsa_pack_pk + * + * Description: FIPS 204: Algorithm 22 pkEncode. + * Bit-pack public key pk = (rho, t1). + * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t pk[]: pointer to output byte array + * - const uint8_t rho[]: byte array containing rho + * - const polyveck *t1: pointer to vector t1 + **************************************************/ +void ml_dsa_pack_pk(ml_dsa_params *params, uint8_t *pk, + const uint8_t rho[ML_DSA_SEEDBYTES], const polyveck *t1) { unsigned int i; - for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { + for (i = 0; i < ML_DSA_SEEDBYTES; ++i) { pk[i] = rho[i]; } pk += ML_DSA_SEEDBYTES; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_polyt1_pack(pk + i * ML_DSA_POLYT1_PACKEDBYTES, &t1->vec[i]); } } /************************************************* -* Name: ml_dsa_unpack_pk -* -* Description: FIPS 204: Algorithm 23 pkDecode. -* Unpack public key pk = (rho, t1). 
-* -* Arguments: - ml_dsa_params: parameter struct -* - const uint8_t rho[]: output byte array for rho -* - const polyveck *t1: pointer to output vector t1 -* - uint8_t pk[]: pointer to byte array containing bit-packed pk -**************************************************/ -void ml_dsa_unpack_pk(ml_dsa_params *params, - uint8_t rho[ML_DSA_SEEDBYTES], - polyveck *t1, - const uint8_t *pk) -{ + * Name: ml_dsa_unpack_pk + * + * Description: FIPS 204: Algorithm 23 pkDecode. + * Unpack public key pk = (rho, t1). + * + * Arguments: - ml_dsa_params: parameter struct + * - const uint8_t rho[]: output byte array for rho + * - const polyveck *t1: pointer to output vector t1 + * - uint8_t pk[]: pointer to byte array containing bit-packed pk + **************************************************/ +void ml_dsa_unpack_pk(ml_dsa_params *params, uint8_t rho[ML_DSA_SEEDBYTES], + polyveck *t1, const uint8_t *pk) { unsigned int i; - for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { + for (i = 0; i < ML_DSA_SEEDBYTES; ++i) { rho[i] = pk[i]; } pk += ML_DSA_SEEDBYTES; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_polyt1_unpack(&t1->vec[i], pk + i * ML_DSA_POLYT1_PACKEDBYTES); } } /************************************************* -* Name: ml_dsa_pack_sk -* -* Description: FIPS 204: Algorithm 24 skEncode. -* Bit-pack secret key sk = (rho, tr, key, t0, s1, s2). -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t sk[]: pointer to output byte array -* - const uint8_t rho[]: byte array containing rho -* - const uint8_t tr[]: byte array containing tr -* - const uint8_t key[]: byte array containing key -* - const polyveck *t0: pointer to vector t0 -* - const polyvecl *s1: pointer to vector s1 -* - const polyveck *s2: pointer to vector s2 -**************************************************/ -void ml_dsa_pack_sk(ml_dsa_params *params, - uint8_t *sk, + * Name: ml_dsa_pack_sk + * + * Description: FIPS 204: Algorithm 24 skEncode. 
+ * Bit-pack secret key sk = (rho, tr, key, t0, s1, s2). + * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t sk[]: pointer to output byte array + * - const uint8_t rho[]: byte array containing rho + * - const uint8_t tr[]: byte array containing tr + * - const uint8_t key[]: byte array containing key + * - const polyveck *t0: pointer to vector t0 + * - const polyvecl *s1: pointer to vector s1 + * - const polyveck *s2: pointer to vector s2 + **************************************************/ +void ml_dsa_pack_sk(ml_dsa_params *params, uint8_t *sk, const uint8_t rho[ML_DSA_SEEDBYTES], const uint8_t tr[ML_DSA_TRBYTES], - const uint8_t key[ML_DSA_SEEDBYTES], - const polyveck *t0, - const polyvecl *s1, - const polyveck *s2) -{ + const uint8_t key[ML_DSA_SEEDBYTES], const polyveck *t0, + const polyvecl *s1, const polyveck *s2) { unsigned int i; - for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { + for (i = 0; i < ML_DSA_SEEDBYTES; ++i) { sk[i] = rho[i]; } sk += ML_DSA_SEEDBYTES; - for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { + for (i = 0; i < ML_DSA_SEEDBYTES; ++i) { sk[i] = key[i]; } sk += ML_DSA_SEEDBYTES; - for(i = 0; i < ML_DSA_TRBYTES; ++i) { + for (i = 0; i < ML_DSA_TRBYTES; ++i) { sk[i] = tr[i]; } sk += ML_DSA_TRBYTES; - for(i = 0; i < params->l; ++i) { - ml_dsa_polyeta_pack(params, sk + i * params->poly_eta_packed_bytes, &s1->vec[i]); + for (i = 0; i < params->l; ++i) { + ml_dsa_polyeta_pack(params, sk + i * params->poly_eta_packed_bytes, + &s1->vec[i]); } - sk += params->l * params->poly_eta_packed_bytes; + sk += params->l * params->poly_eta_packed_bytes; - for(i = 0; i < params->k; ++i) { - ml_dsa_polyeta_pack(params,sk + i * params->poly_eta_packed_bytes, &s2->vec[i]); + for (i = 0; i < params->k; ++i) { + ml_dsa_polyeta_pack(params, sk + i * params->poly_eta_packed_bytes, + &s2->vec[i]); } - sk += params->k * params->poly_eta_packed_bytes; + sk += params->k * params->poly_eta_packed_bytes; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { 
ml_dsa_polyt0_pack(sk + i * ML_DSA_POLYT0_PACKEDBYTES, &t0->vec[i]); } } /************************************************* -* Name: ml_dsa_unpack_sk -* -* Description: FIPS 204: Algorithm 25 skDecode. -* Unpack secret key sk = (rho, tr, key, t0, s1, s2). -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t rho[]: output byte array for rho -* - uint8_t tr[]: output byte array for tr -* - uint8_t key[]: output byte array for key -* - polyveck *t0: pointer to output vector t0 -* - polyvecl *s1: pointer to output vector s1 -* - polyveck *s2: pointer to output vector s2 -* - uint8_t sk[]: pointer to byte array containing bit-packed sk -**************************************************/ -void ml_dsa_unpack_sk(ml_dsa_params *params, - uint8_t rho[ML_DSA_SEEDBYTES], - uint8_t tr[ML_DSA_TRBYTES], - uint8_t key[ML_DSA_SEEDBYTES], - polyveck *t0, - polyvecl *s1, - polyveck *s2, - const uint8_t *sk) -{ + * Name: ml_dsa_unpack_sk + * + * Description: FIPS 204: Algorithm 25 skDecode. + * Unpack secret key sk = (rho, tr, key, t0, s1, s2). 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t rho[]: output byte array for rho + * - uint8_t tr[]: output byte array for tr + * - uint8_t key[]: output byte array for key + * - polyveck *t0: pointer to output vector t0 + * - polyvecl *s1: pointer to output vector s1 + * - polyveck *s2: pointer to output vector s2 + * - uint8_t sk[]: pointer to byte array containing bit-packed sk + **************************************************/ +void ml_dsa_unpack_sk(ml_dsa_params *params, uint8_t rho[ML_DSA_SEEDBYTES], + uint8_t tr[ML_DSA_TRBYTES], uint8_t key[ML_DSA_SEEDBYTES], + polyveck *t0, polyvecl *s1, polyveck *s2, + const uint8_t *sk) { unsigned int i; - for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { + for (i = 0; i < ML_DSA_SEEDBYTES; ++i) { rho[i] = sk[i]; } sk += ML_DSA_SEEDBYTES; - for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { + for (i = 0; i < ML_DSA_SEEDBYTES; ++i) { key[i] = sk[i]; } sk += ML_DSA_SEEDBYTES; - for(i = 0; i < ML_DSA_TRBYTES; ++i) { + for (i = 0; i < ML_DSA_TRBYTES; ++i) { tr[i] = sk[i]; } sk += ML_DSA_TRBYTES; - for(i=0; i < params->l; ++i) { - ml_dsa_polyeta_unpack(params, &s1->vec[i], sk + i * params->poly_eta_packed_bytes); + for (i = 0; i < params->l; ++i) { + ml_dsa_polyeta_unpack(params, &s1->vec[i], + sk + i * params->poly_eta_packed_bytes); } sk += params->l * params->poly_eta_packed_bytes; - for(i=0; i < params->k; ++i) { - ml_dsa_polyeta_unpack(params, &s2->vec[i], sk + i * params->poly_eta_packed_bytes); + for (i = 0; i < params->k; ++i) { + ml_dsa_polyeta_unpack(params, &s2->vec[i], + sk + i * params->poly_eta_packed_bytes); } sk += params->k * params->poly_eta_packed_bytes; - for(i=0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_polyt0_unpack(&t0->vec[i], sk + i * ML_DSA_POLYT0_PACKEDBYTES); } } /************************************************* -* Name: ml_dsa_pack_sig -* -* Description: FIPS 204: Algorithm 26 sigEncode. -* Bit-pack signature sig = (c, z, h). 
-* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t sig[]: pointer to output byte array -* - const uint8_t *c: pointer to challenge hash length SEEDBYTES -* - const polyvecl *z: pointer to vector z -* - const polyveck *h: pointer to hint vector h -**************************************************/ -void ml_dsa_pack_sig(ml_dsa_params *params, - uint8_t *sig, - const uint8_t *c, - const polyvecl *z, - const polyveck *h) -{ + * Name: ml_dsa_pack_sig + * + * Description: FIPS 204: Algorithm 26 sigEncode. + * Bit-pack signature sig = (c, z, h). + * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t sig[]: pointer to output byte array + * - const uint8_t *c: pointer to challenge hash length SEEDBYTES + * - const polyvecl *z: pointer to vector z + * - const polyveck *h: pointer to hint vector h + **************************************************/ +void ml_dsa_pack_sig(ml_dsa_params *params, uint8_t *sig, const uint8_t *c, + const polyvecl *z, const polyveck *h) { unsigned int i, j, k; - for(i=0; i < params->c_tilde_bytes; ++i) { + for (i = 0; i < params->c_tilde_bytes; ++i) { sig[i] = c[i]; } sig += params->c_tilde_bytes; - for(i = 0; i < params->l; ++i) { - ml_dsa_polyz_pack(params, sig + i * params->poly_z_packed_bytes, &z->vec[i]); + for (i = 0; i < params->l; ++i) { + ml_dsa_polyz_pack(params, sig + i * params->poly_z_packed_bytes, + &z->vec[i]); } sig += params->l * params->poly_z_packed_bytes; /* Encode h */ - for(i = 0; i < params->omega + params->k; ++i) { + for (i = 0; i < params->omega + params->k; ++i) { sig[i] = 0; } k = 0; - for(i = 0; i < params->k; ++i) { - for(j = 0; j < ML_DSA_N; ++j) { - if(h->vec[i].coeffs[j] != 0) { + for (i = 0; i < params->k; ++i) { + for (j = 0; j < ML_DSA_N; ++j) { + if (h->vec[i].coeffs[j] != 0) { sig[k++] = j; } } 
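Review bot: The ml_dsa_unpack_pk header documents its outputs with the qualifiers copied from ml_dsa_pack_pk: `const uint8_t rho[]` and `const polyveck *t1` are described as outputs while the signature takes non-const `uint8_t rho[ML_DSA_SEEDBYTES]` and `polyveck *t1`, and `uint8_t pk[]` is in fact the `const uint8_t *pk` input. Replace the three argument lines with `* - uint8_t rho[]: output byte array for rho`, `* - polyveck *t1: pointer to output vector t1` and `* - const uint8_t pk[]: pointer to byte array containing bit-packed pk`. This hunk ends inside ml_dsa_pack_sig, whose body continues in the next hunk.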
@@ -276,52 +261,49 @@ void ml_dsa_pack_sig(ml_dsa_params *params, } /************************************************* -* Name: ml_dsa_unpack_sig -* -* Description: FIPS 204: Algorithm 27 sigDecode. -* Unpack signature sig = (c, z, h). -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t *c: pointer to output challenge hash -* - polyvecl *z: pointer to output vector z -* - polyveck *h: pointer to output hint vector h -* - const uint8_t sig[]: pointer to byte array containing -* bit-packed signature -* -* Returns 1 in case of malformed signature; otherwise 0. -**************************************************/ -int ml_dsa_unpack_sig(ml_dsa_params *params, - uint8_t *c, - polyvecl *z, - polyveck *h, - const uint8_t *sig) -{ + * Name: ml_dsa_unpack_sig + * + * Description: FIPS 204: Algorithm 27 sigDecode. + * Unpack signature sig = (c, z, h). + * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t *c: pointer to output challenge hash + * - polyvecl *z: pointer to output vector z + * - polyveck *h: pointer to output hint vector h + * - const uint8_t sig[]: pointer to byte array containing + * bit-packed signature + * + * Returns 1 in case of malformed signature; otherwise 0. 
+ **************************************************/ +int ml_dsa_unpack_sig(ml_dsa_params *params, uint8_t *c, polyvecl *z, + polyveck *h, const uint8_t *sig) { unsigned int i, j, k; - for(i = 0; i < params->c_tilde_bytes; ++i) { + for (i = 0; i < params->c_tilde_bytes; ++i) { c[i] = sig[i]; } sig += params->c_tilde_bytes; - for(i = 0; i < params->l; ++i) { - ml_dsa_polyz_unpack(params, &z->vec[i], sig + i * params->poly_z_packed_bytes); + for (i = 0; i < params->l; ++i) { + ml_dsa_polyz_unpack(params, &z->vec[i], + sig + i * params->poly_z_packed_bytes); } sig += params->l * params->poly_z_packed_bytes; /* Decode h */ k = 0; - for(i = 0; i < params->k; ++i) { - for(j = 0; j < ML_DSA_N; ++j) { + for (i = 0; i < params->k; ++i) { + for (j = 0; j < ML_DSA_N; ++j) { h->vec[i].coeffs[j] = 0; } - if(sig[params->omega + i] < k || sig[params->omega + i] > params->omega) { + if (sig[params->omega + i] < k || sig[params->omega + i] > params->omega) { return 1; } - for(j = k; j < sig[params->omega + i]; ++j) { + for (j = k; j < sig[params->omega + i]; ++j) { /* Coefficients are ordered for strong unforgeability */ - if(j > k && sig[j] <= sig[j-1]) { + if (j > k && sig[j] <= sig[j - 1]) { return 1; } h->vec[i].coeffs[sig[j]] = 1; @@ -331,8 +313,8 @@ int ml_dsa_unpack_sig(ml_dsa_params *params, } /* Extra indices are zero for strong unforgeability */ - for(j = k; j < params->omega; ++j) { - if(sig[j]) { + for (j = k; j < params->omega; ++j) { + if (sig[j]) { return 1; } } diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/packing.h b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/packing.h index 2e02932eb0..226016f858 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/packing.h +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/packing.h 
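Review bot: In ml_dsa_unpack_sig the write `h->vec[i].coeffs[sig[j]] = 1;` indexes a coefficient array with a byte read directly from the signature being decoded, and it stays in bounds only because `sig[j]` is a `uint8_t` and ML_DSA_N is 256; that invariant is not stated anywhere in the function. A `_Static_assert(ML_DSA_N == 256, "hint index must fit in a byte");` beside the loop, or a comment such as `/* sig[j] is a uint8_t, so it is always < ML_DSA_N == 256 */`, would make the bound explicit for reviewers. On the `return 1` paths `h` is left partially written, which appears to be acceptable only if callers treat the outputs as undefined on failure. The function body continues in the next hunk.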
@@ -5,48 +5,30 @@ #include "params.h" #include "polyvec.h" -int ml_dsa_pack_pk_from_sk(ml_dsa_params *params, - uint8_t *pk, +int ml_dsa_pack_pk_from_sk(ml_dsa_params *params, uint8_t *pk, const uint8_t *sk); -void ml_dsa_pack_pk(ml_dsa_params *params, - uint8_t *pk, - const uint8_t rho[ML_DSA_SEEDBYTES], - const polyveck *t1); +void ml_dsa_pack_pk(ml_dsa_params *params, uint8_t *pk, + const uint8_t rho[ML_DSA_SEEDBYTES], const polyveck *t1); -void ml_dsa_pack_sk(ml_dsa_params *params, - uint8_t *sk, +void ml_dsa_pack_sk(ml_dsa_params *params, uint8_t *sk, const uint8_t rho[ML_DSA_SEEDBYTES], const uint8_t tr[ML_DSA_TRBYTES], - const uint8_t key[ML_DSA_SEEDBYTES], - const polyveck *t0, - const polyvecl *s1, - const polyveck *s2); - -void ml_dsa_pack_sig(ml_dsa_params *params, - uint8_t *sig, - const uint8_t *c, - const polyvecl *z, - const polyveck *h); - -void ml_dsa_unpack_pk(ml_dsa_params *params, - uint8_t rho[ML_DSA_SEEDBYTES], - polyveck *t1, - const uint8_t *pk); - -void ml_dsa_unpack_sk(ml_dsa_params *params, - uint8_t rho[ML_DSA_SEEDBYTES], - uint8_t tr[ML_DSA_TRBYTES], - uint8_t key[ML_DSA_SEEDBYTES], - polyveck *t0, - polyvecl *s1, - polyveck *s2, + const uint8_t key[ML_DSA_SEEDBYTES], const polyveck *t0, + const polyvecl *s1, const polyveck *s2); + +void ml_dsa_pack_sig(ml_dsa_params *params, uint8_t *sig, const uint8_t *c, + const polyvecl *z, const polyveck *h); + +void ml_dsa_unpack_pk(ml_dsa_params *params, uint8_t rho[ML_DSA_SEEDBYTES], + polyveck *t1, const uint8_t *pk); + +void ml_dsa_unpack_sk(ml_dsa_params *params, uint8_t rho[ML_DSA_SEEDBYTES], + uint8_t tr[ML_DSA_TRBYTES], uint8_t key[ML_DSA_SEEDBYTES], + polyveck *t0, polyvecl *s1, polyveck *s2, const uint8_t *sk); -int ml_dsa_unpack_sig(ml_dsa_params *params, - uint8_t *c, - polyvecl *z, - polyveck *h, - const uint8_t *sig); +int ml_dsa_unpack_sig(ml_dsa_params *params, uint8_t *c, polyvecl *z, + polyveck *h, const uint8_t *sig); #endif 
diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.c b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.c index 8eae29af76..6ad273d368 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.c +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.c @@ -1,5 +1,5 @@ -#include #include +#include #include "params.h" @@ -16,7 +16,7 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->omega = 80; params->c_tilde_bytes = 32; params->gamma1 = (1 << 17); - params->gamma2 = (ML_DSA_Q-1)/88; + params->gamma2 = (ML_DSA_Q - 1) / 88; params->eta = 2; params->poly_z_packed_bytes = 576; params->poly_w1_packed_bytes = 192; @@ -24,16 +24,16 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->poly_vech_packed_bytes = (params->omega + params->k); // Sizes for ML-DSA-44 keys and signatures from Table 2. FIPS-204. - params->public_key_bytes = (ML_DSA_SEEDBYTES + params->k * ML_DSA_POLYT1_PACKEDBYTES); + params->public_key_bytes = + (ML_DSA_SEEDBYTES + params->k * ML_DSA_POLYT1_PACKEDBYTES); params->secret_key_bytes = (2 * ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + params->l * params->poly_eta_packed_bytes + params->k * params->poly_eta_packed_bytes + params->k * ML_DSA_POLYT0_PACKEDBYTES); - params->bytes = (params->c_tilde_bytes + - params->l * params->poly_z_packed_bytes + - params->poly_vech_packed_bytes); - } - else if (k == 3) { + params->bytes = + (params->c_tilde_bytes + params->l * params->poly_z_packed_bytes + + params->poly_vech_packed_bytes); + } else if (k == 3) { // Parameters for ML-DSA-65 from Table 1. FIPS-204: ML-DSA Parameter Sets. // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf Section 4 params->k = 6; @@ -43,7 +43,7 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->omega = 55; params->c_tilde_bytes = 48; params->gamma1 = (1 << 19); - params->gamma2 = (ML_DSA_Q-1)/32; + params->gamma2 = (ML_DSA_Q - 1) / 32; params->eta = 4; params->poly_z_packed_bytes = 640; params->poly_w1_packed_bytes = 128; 
@@ -51,16 +51,16 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->poly_vech_packed_bytes = (params->omega + params->k); // Sizes for ML-DSA-65 keys and signatures from Table 2. FIPS-204. - params->public_key_bytes = (ML_DSA_SEEDBYTES + params->k * ML_DSA_POLYT1_PACKEDBYTES); + params->public_key_bytes = + (ML_DSA_SEEDBYTES + params->k * ML_DSA_POLYT1_PACKEDBYTES); params->secret_key_bytes = (2 * ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + params->l * params->poly_eta_packed_bytes + params->k * params->poly_eta_packed_bytes + params->k * ML_DSA_POLYT0_PACKEDBYTES); - params->bytes = (params->c_tilde_bytes + - params->l * params->poly_z_packed_bytes + - params->poly_vech_packed_bytes); - } - else { + params->bytes = + (params->c_tilde_bytes + params->l * params->poly_z_packed_bytes + + params->poly_vech_packed_bytes); + } else { // Parameters for ML-DSA-87 from Table 1. FIPS-204: ML-DSA Parameter Sets. // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf Section 4 params->k = 8; @@ -70,7 +70,7 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->omega = 75; params->c_tilde_bytes = 64; params->gamma1 = (1 << 19); - params->gamma2 = (ML_DSA_Q-1)/32; + params->gamma2 = (ML_DSA_Q - 1) / 32; params->eta = 2; params->poly_z_packed_bytes = 640; params->poly_w1_packed_bytes = 128; 
@@ -78,14 +78,15 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->poly_vech_packed_bytes = (params->omega + params->k); // Sizes for ML-DSA-87 keys and signatures from Table 2. FIPS-204. - params->public_key_bytes = (ML_DSA_SEEDBYTES + params->k * ML_DSA_POLYT1_PACKEDBYTES); + params->public_key_bytes = + (ML_DSA_SEEDBYTES + params->k * ML_DSA_POLYT1_PACKEDBYTES); params->secret_key_bytes = (2 * ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + params->l * params->poly_eta_packed_bytes + params->k * params->poly_eta_packed_bytes + params->k * ML_DSA_POLYT0_PACKEDBYTES); - params->bytes = (params->c_tilde_bytes + - params->l * params->poly_z_packed_bytes + - params->poly_vech_packed_bytes); + params->bytes = + (params->c_tilde_bytes + params->l * params->poly_z_packed_bytes + + params->poly_vech_packed_bytes); } } diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.h b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.h index 8fe92013af..2bf8b7e2c0 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.h +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.h @@ -16,8 +16,8 @@ extern "C" { #define ML_DSA_N 256 #define ML_DSA_Q 8380417 #define ML_DSA_D 13 -#define ML_DSA_POLYT1_PACKEDBYTES 320 -#define ML_DSA_POLYT0_PACKEDBYTES 416 +#define ML_DSA_POLYT1_PACKEDBYTES 320 +#define ML_DSA_POLYT0_PACKEDBYTES 416 // Structure for ML-DSA parameters that depend on the parameter set. typedef struct { @@ -45,7 +45,8 @@ typedef struct { #define ML_DSA_L_MAX (7) #define ML_DSA_C_TILDE_BYTES_MAX (64) #define ML_DSA_POLYW1_PACKEDBYTES_MAX (192) -#define ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX ((227 + SHAKE256_BLOCKSIZE - 1)/SHAKE256_BLOCKSIZE) +#define ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX \ + ((227 + SHAKE256_BLOCKSIZE - 1) / SHAKE256_BLOCKSIZE) #define ML_DSA_POLYZ_PACKEDBYTES_MAX (576) OPENSSL_EXPORT void ml_dsa_44_params_init(ml_dsa_params *params); 
diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/poly.c b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/poly.c index 456f7b5aa3..db9c33334b 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/poly.c +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/poly.c 
@@ -1,198 +1,195 @@ -#include -#include "params.h" #include "poly.h" +#include +#include "../../sha/internal.h" #include "ntt.h" +#include "params.h" #include "reduce.h" #include "rounding.h" -#include "../../sha/internal.h" /************************************************* -* Name: ml_dsa_poly_reduce -* -* Description: Inplace reduction of all coefficients of polynomial to -* representative in [-6283009,6283007]. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ + * Name: ml_dsa_poly_reduce + * + * Description: Inplace reduction of all coefficients of polynomial to + * representative in [-6283009,6283007]. + * + * Arguments: - poly *a: pointer to input/output polynomial + **************************************************/ void ml_dsa_poly_reduce(ml_dsa_poly *a) { unsigned int i; - for(i = 0; i < ML_DSA_N; ++i) { + for (i = 0; i < ML_DSA_N; ++i) { a->coeffs[i] = ml_dsa_reduce32(a->coeffs[i]); } } /************************************************* -* Name: ml_dsa_poly_caddq -* -* Description: For all coefficients of in/out polynomial add Q if -* coefficient is negative. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ + * Name: ml_dsa_poly_caddq + * + * Description: For all coefficients of in/out polynomial add Q if + * coefficient is negative. + * + * Arguments: - poly *a: pointer to input/output polynomial + **************************************************/ void ml_dsa_poly_caddq(ml_dsa_poly *a) { unsigned int i; - for(i = 0; i < ML_DSA_N; ++i) { + for (i = 0; i < ML_DSA_N; ++i) { a->coeffs[i] = ml_dsa_caddq(a->coeffs[i]); } } /************************************************* -* Name: ml_dsa_poly_add -* -* Description: Add polynomials. No modular reduction is performed. 
-* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first summand -* - const poly *b: pointer to second summand -**************************************************/ -void ml_dsa_poly_add(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b) { + * Name: ml_dsa_poly_add + * + * Description: Add polynomials. No modular reduction is performed. + * + * Arguments: - poly *c: pointer to output polynomial + * - const poly *a: pointer to first summand + * - const poly *b: pointer to second summand + **************************************************/ +void ml_dsa_poly_add(ml_dsa_poly *c, const ml_dsa_poly *a, + const ml_dsa_poly *b) { unsigned int i; - for(i = 0; i < ML_DSA_N; ++i) { + for (i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = a->coeffs[i] + b->coeffs[i]; } } /************************************************* -* Name: ml_dsa_poly_sub -* -* Description: Subtract polynomials. No modular reduction is -* performed. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial to be -* subtraced from first input polynomial -**************************************************/ -void ml_dsa_poly_sub(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b) { + * Name: ml_dsa_poly_sub + * + * Description: Subtract polynomials. No modular reduction is + * performed. 
+ * + * Arguments: - poly *c: pointer to output polynomial + * - const poly *a: pointer to first input polynomial + * - const poly *b: pointer to second input polynomial to be + * subtraced from first input polynomial + **************************************************/ +void ml_dsa_poly_sub(ml_dsa_poly *c, const ml_dsa_poly *a, + const ml_dsa_poly *b) { unsigned int i; - for(i = 0; i < ML_DSA_N; ++i) { + for (i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = a->coeffs[i] - b->coeffs[i]; } } /************************************************* -* Name: ml_dsa_poly_shiftl -* -* Description: Multiply polynomial by 2^D without modular reduction. Assumes -* input coefficients to be less than 2^{31-D} in absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ + * Name: ml_dsa_poly_shiftl + * + * Description: Multiply polynomial by 2^D without modular reduction. Assumes + * input coefficients to be less than 2^{31-D} in absolute value. + * + * Arguments: - poly *a: pointer to input/output polynomial + **************************************************/ void ml_dsa_poly_shiftl(ml_dsa_poly *a) { unsigned int i; - for(i = 0; i < ML_DSA_N; ++i) { + for (i = 0; i < ML_DSA_N; ++i) { a->coeffs[i] <<= ML_DSA_D; } } /************************************************* -* Name: ml_dsa_poly_ntt -* -* Description: Inplace forward NTT. Coefficients can grow by -* 8*Q in absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void ml_dsa_poly_ntt(ml_dsa_poly *a) { - ml_dsa_ntt(a->coeffs); -} + * Name: ml_dsa_poly_ntt + * + * Description: Inplace forward NTT. Coefficients can grow by + * 8*Q in absolute value. 
+ * + * Arguments: - poly *a: pointer to input/output polynomial + **************************************************/ +void ml_dsa_poly_ntt(ml_dsa_poly *a) { ml_dsa_ntt(a->coeffs); } /************************************************* -* Name: ml_dsa_poly_invntt_tomont -* -* Description: Inplace inverse NTT and multiplication by 2^{32}. -* Input coefficients need to be less than Q in absolute -* value and output coefficients are again bounded by Q. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ + * Name: ml_dsa_poly_invntt_tomont + * + * Description: Inplace inverse NTT and multiplication by 2^{32}. + * Input coefficients need to be less than Q in absolute + * value and output coefficients are again bounded by Q. + * + * Arguments: - poly *a: pointer to input/output polynomial + **************************************************/ void ml_dsa_poly_invntt_tomont(ml_dsa_poly *a) { ml_dsa_invntt_tomont(a->coeffs); } /************************************************* -* Name: ml_dsa_poly_pointwise_montgomery -* -* Description: Pointwise multiplication of polynomials in NTT domain -* representation and multiplication of resulting polynomial -* by 2^{-32}. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void ml_dsa_poly_pointwise_montgomery(ml_dsa_poly *c, - const ml_dsa_poly *a, + * Name: ml_dsa_poly_pointwise_montgomery + * + * Description: Pointwise multiplication of polynomials in NTT domain + * representation and multiplication of resulting polynomial + * by 2^{-32}. 
+ * + * Arguments: - poly *c: pointer to output polynomial + * - const poly *a: pointer to first input polynomial + * - const poly *b: pointer to second input polynomial + **************************************************/ +void ml_dsa_poly_pointwise_montgomery(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b) { unsigned int i; - for(i = 0; i < ML_DSA_N; ++i) { + for (i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = ml_dsa_fqmul(a->coeffs[i], b->coeffs[i]); } } /************************************************* -* Name: ml_dsa_poly_power2round -* -* Description: For all coefficients c of the input polynomial, -* compute c0, c1 such that c mod Q = c1*2^D + c0 -* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be -* standard representatives. -* -* Arguments: - poly *a1: pointer to output polynomial with coefficients c1 -* - poly *a0: pointer to output polynomial with coefficients c0 -* - const poly *a: pointer to input polynomial -**************************************************/ -void ml_dsa_poly_power2round(ml_dsa_poly *a1, ml_dsa_poly *a0, const ml_dsa_poly *a) { + * Name: ml_dsa_poly_power2round + * + * Description: For all coefficients c of the input polynomial, + * compute c0, c1 such that c mod Q = c1*2^D + c0 + * with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be + * standard representatives. 
+ * + * Arguments: - poly *a1: pointer to output polynomial with coefficients c1 + * - poly *a0: pointer to output polynomial with coefficients c0 + * - const poly *a: pointer to input polynomial + **************************************************/ +void ml_dsa_poly_power2round(ml_dsa_poly *a1, ml_dsa_poly *a0, + const ml_dsa_poly *a) { unsigned int i; - for(i = 0; i < ML_DSA_N; ++i) { + for (i = 0; i < ML_DSA_N; ++i) { a1->coeffs[i] = ml_dsa_power2round(&a0->coeffs[i], a->coeffs[i]); } } /************************************************* -* Name: ml_dsa_poly_decompose -* -* Description: For all coefficients c of the input polynomial, -* compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0 -* with -ALPHA/2 < c0 <= ALPHA/2 except c1 = (Q-1)/ALPHA where we -* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0. -* Assumes coefficients to be standard representatives. -* -* Arguments: - ml_dsa_params: parameter struct -* - poly *a1: pointer to output polynomial with coefficients c1 -* - poly *a0: pointer to output polynomial with coefficients c0 -* - const poly *a: pointer to input polynomial -**************************************************/ -void ml_dsa_poly_decompose(ml_dsa_params *params, - ml_dsa_poly *a1, - ml_dsa_poly *a0, - const ml_dsa_poly *a) { + * Name: ml_dsa_poly_decompose + * + * Description: For all coefficients c of the input polynomial, + * compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0 + * with -ALPHA/2 < c0 <= ALPHA/2 except c1 = (Q-1)/ALPHA where we + * set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0. + * Assumes coefficients to be standard representatives. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - poly *a1: pointer to output polynomial with coefficients c1 + * - poly *a0: pointer to output polynomial with coefficients c0 + * - const poly *a: pointer to input polynomial + **************************************************/ +void ml_dsa_poly_decompose(ml_dsa_params *params, ml_dsa_poly *a1, + ml_dsa_poly *a0, const ml_dsa_poly *a) { unsigned int i; - for(i = 0; i < ML_DSA_N; ++i) { + for (i = 0; i < ML_DSA_N; ++i) { a1->coeffs[i] = ml_dsa_decompose(params, &a0->coeffs[i], a->coeffs[i]); } } /************************************************* -* Name: ml_dsa_poly_make_hint -* -* Description: Compute hint polynomial. The coefficients of which indicate -* whether the low bits of the corresponding coefficient of -* the input polynomial overflow into the high bits. -* -* Arguments: - ml_dsa_params: parameter struct -* - poly *h: pointer to output hint polynomial -* - const poly *a0: pointer to low part of input polynomial -* - const poly *a1: pointer to high part of input polynomial -* -* Returns number of 1 bits. -**************************************************/ -unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, - ml_dsa_poly *h, + * Name: ml_dsa_poly_make_hint + * + * Description: Compute hint polynomial. The coefficients of which indicate + * whether the low bits of the corresponding coefficient of + * the input polynomial overflow into the high bits. + * + * Arguments: - ml_dsa_params: parameter struct + * - poly *h: pointer to output hint polynomial + * - const poly *a0: pointer to low part of input polynomial + * - const poly *a1: pointer to high part of input polynomial + * + * Returns number of 1 bits. 
+ **************************************************/ +unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, ml_dsa_poly *h, const ml_dsa_poly *a0, const ml_dsa_poly *a1) { unsigned int i, s = 0; - for(i = 0; i < ML_DSA_N; ++i) { + for (i = 0; i < ML_DSA_N; ++i) { h->coeffs[i] = ml_dsa_make_hint(params, a0->coeffs[i], a1->coeffs[i]); s += h->coeffs[i]; } 
@@ -200,53 +197,51 @@ unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, } /************************************************* -* Name: ml_dsa_poly_use_hint -* -* Description: Use hint polynomial to correct the high bits of a polynomial. -* -* Arguments: - ml_dsa_params: parameter struct -* - poly *b: pointer to output polynomial with corrected high bits -* - const poly *a: pointer to input polynomial -* - const poly *h: pointer to input hint polynomial -**************************************************/ -void ml_dsa_poly_use_hint(ml_dsa_params *params, - ml_dsa_poly *b, - const ml_dsa_poly *a, - const ml_dsa_poly *h) { + * Name: ml_dsa_poly_use_hint + * + * Description: Use hint polynomial to correct the high bits of a polynomial. + * + * Arguments: - ml_dsa_params: parameter struct + * - poly *b: pointer to output polynomial with corrected high bits + * - const poly *a: pointer to input polynomial + * - const poly *h: pointer to input hint polynomial + **************************************************/ +void ml_dsa_poly_use_hint(ml_dsa_params *params, ml_dsa_poly *b, + const ml_dsa_poly *a, const ml_dsa_poly *h) { unsigned int i; - for(i = 0; i < ML_DSA_N; ++i) { + for (i = 0; i < ML_DSA_N; ++i) { b->coeffs[i] = ml_dsa_use_hint(params, a->coeffs[i], h->coeffs[i]); } } /************************************************* -* Name: ml_dsa_poly_chknorm -* -* Description: Check infinity norm of polynomial against given bound. -* Assumes input coefficients were reduced by reduce32(). -* -* Arguments: - const poly *a: pointer to polynomial -* - int32_t B: norm bound -* -* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise. -**************************************************/ + * Name: ml_dsa_poly_chknorm + * + * Description: Check infinity norm of polynomial against given bound. + * Assumes input coefficients were reduced by reduce32(). 
+ * + * Arguments: - const poly *a: pointer to polynomial + * - int32_t B: norm bound + * + * Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise. + **************************************************/ int ml_dsa_poly_chknorm(const ml_dsa_poly *a, int32_t B) { unsigned int i; int32_t t; - if(B > (ML_DSA_Q-1)/8) { + if (B > (ML_DSA_Q - 1) / 8) { return 1; } /* It is ok to leak which coefficient violates the bound since the probability for each coefficient is independent of secret data but we must not leak the sign of the centralized representative. */ - for(i = 0; i < ML_DSA_N; ++i) { + for (i = 0; i < ML_DSA_N; ++i) { /* Absolute value */ t = a->coeffs[i] >> 31; - t = a->coeffs[i] - (t & 2*a->coeffs[i]); + t = a->coeffs[i] - (t & 2 * a->coeffs[i]); - if(t >= B) { + if (t >= B) { return 1; } } 
@@ -254,35 +249,33 @@ int ml_dsa_poly_chknorm(const ml_dsa_poly *a, int32_t B) { } /************************************************* -* Name: ml_dsa_rej_uniform -* -* Description: Sample uniformly random coefficients in [0, Q-1] by -* performing rejection sampling on array of random bytes. -* -* Arguments: - int32_t *a: pointer to output array (allocated) -* - unsigned int len: number of coefficients to be sampled -* - const uint8_t *buf: array of random bytes -* - unsigned int buflen: length of array of random bytes -* -* Returns number of sampled coefficients. Can be smaller than len if not enough -* random bytes were given. -**************************************************/ -static unsigned int ml_dsa_rej_uniform(int32_t *a, - unsigned int len, + * Name: ml_dsa_rej_uniform + * + * Description: Sample uniformly random coefficients in [0, Q-1] by + * performing rejection sampling on array of random bytes. + * + * Arguments: - int32_t *a: pointer to output array (allocated) + * - unsigned int len: number of coefficients to be sampled + * - const uint8_t *buf: array of random bytes + * - unsigned int buflen: length of array of random bytes + * + * Returns number of sampled coefficients. Can be smaller than len if not enough + * random bytes were given. + **************************************************/ +static unsigned int ml_dsa_rej_uniform(int32_t *a, unsigned int len, const uint8_t *buf, - unsigned int buflen) -{ + unsigned int buflen) { unsigned int ctr, pos; uint32_t t; ctr = pos = 0; - while(ctr < len && pos + 3 <= buflen) { - t = buf[pos++]; + while (ctr < len && pos + 3 <= buflen) { + t = buf[pos++]; t |= (uint32_t)buf[pos++] << 8; t |= (uint32_t)buf[pos++] << 16; t &= 0x7FFFFF; - if(t < ML_DSA_Q) { + if (t < ML_DSA_Q) { a[ctr++] = t; } } 
@@ -290,25 +283,24 @@ static unsigned int ml_dsa_rej_uniform(int32_t *a, } /************************************************* -* Name: ml_dsa_poly_uniform -* -* Description: FIPS 204: Algorithm 30 RejNTTPoly. -* Sample polynomial with uniformly random coefficients -* in [0,ML_DSA_Q-1] by performing rejection sampling on the -* output stream of SHAKE128(seed|nonce) -* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES -* - uint16_t nonce: 2-byte nonce -**************************************************/ -#define POLY_UNIFORM_NBLOCKS ((768 + SHAKE128_BLOCKSIZE - 1)/ SHAKE128_BLOCKSIZE) -void ml_dsa_poly_uniform(ml_dsa_poly *a, - const uint8_t seed[ML_DSA_SEEDBYTES], - uint16_t nonce) -{ + * Name: ml_dsa_poly_uniform + * + * Description: FIPS 204: Algorithm 30 RejNTTPoly. + * Sample polynomial with uniformly random coefficients + * in [0,ML_DSA_Q-1] by performing rejection sampling on the + * output stream of SHAKE128(seed|nonce) + * + * Arguments: - poly *a: pointer to output polynomial + * - const uint8_t seed[]: byte array with seed of length SEEDBYTES + * - uint16_t nonce: 2-byte nonce + **************************************************/ +#define POLY_UNIFORM_NBLOCKS \ + ((768 + SHAKE128_BLOCKSIZE - 1) / SHAKE128_BLOCKSIZE) +void ml_dsa_poly_uniform(ml_dsa_poly *a, const uint8_t seed[ML_DSA_SEEDBYTES], + uint16_t nonce) { unsigned int i, ctr, off; - unsigned int buflen = POLY_UNIFORM_NBLOCKS*SHAKE128_BLOCKSIZE; - uint8_t buf[POLY_UNIFORM_NBLOCKS*SHAKE128_BLOCKSIZE + 2]; + unsigned int buflen = POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE; + uint8_t buf[POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE + 2]; KECCAK1600_CTX state; uint8_t t[2]; 
@@ -322,9 +314,9 @@ void ml_dsa_poly_uniform(ml_dsa_poly *a, ctr = ml_dsa_rej_uniform(a->coeffs, ML_DSA_N, buf, buflen); - while(ctr < ML_DSA_N) { + while (ctr < ML_DSA_N) { off = buflen % 3; - for(i = 0; i < off; ++i) + for (i = 0; i < off; ++i) buf[i] = buf[buflen - off + i]; SHAKE_Squeeze(buf + off, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE); 
@@ -337,53 +329,47 @@ void ml_dsa_poly_uniform(ml_dsa_poly *a, } /************************************************* -* Name: rej_eta -* -* Description: Sample uniformly random coefficients in [-ETA, ETA] by -* performing rejection sampling on array of random bytes. -* -* Arguments: - ml_dsa_params: parameter struct -* - int32_t *a: pointer to output array (allocated) -* - unsigned int len: number of coefficients to be sampled -* - const uint8_t *buf: array of random bytes -* - unsigned int buflen: length of array of random bytes -* -* Returns number of sampled coefficients. Can be smaller than len if not enough -* random bytes were given. -**************************************************/ -static unsigned int rej_eta(ml_dsa_params *params, - int32_t *a, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) -{ - - assert((params->eta == 2) || - (params->eta == 4)); + * Name: rej_eta + * + * Description: Sample uniformly random coefficients in [-ETA, ETA] by + * performing rejection sampling on array of random bytes. + * + * Arguments: - ml_dsa_params: parameter struct + * - int32_t *a: pointer to output array (allocated) + * - unsigned int len: number of coefficients to be sampled + * - const uint8_t *buf: array of random bytes + * - unsigned int buflen: length of array of random bytes + * + * Returns number of sampled coefficients. Can be smaller than len if not enough + * random bytes were given. 
+ **************************************************/ +static unsigned int rej_eta(ml_dsa_params *params, int32_t *a, unsigned int len, + const uint8_t *buf, unsigned int buflen) { + assert((params->eta == 2) || (params->eta == 4)); unsigned int ctr, pos; uint32_t t0, t1; ctr = pos = 0; - while(ctr < len && pos < buflen) { + while (ctr < len && pos < buflen) { t0 = buf[pos] & 0x0F; t1 = buf[pos++] >> 4; if (params->eta == 2) { - if(t0 < 15) { - t0 = t0 - (205*t0 >> 10)*5; + if (t0 < 15) { + t0 = t0 - (205 * t0 >> 10) * 5; a[ctr++] = 2 - t0; } - if(t1 < 15 && ctr < len) { - t1 = t1 - (205*t1 >> 10)*5; + if (t1 < 15 && ctr < len) { + t1 = t1 - (205 * t1 >> 10) * 5; a[ctr++] = 2 - t1; } } else if (params->eta == 4) { - if(t0 < 9) + if (t0 < 9) a[ctr++] = 4 - t0; - if(t1 < 9 && ctr < len) + if (t1 < 9 && ctr < len) a[ctr++] = 4 - t1; } } 
@@ -391,25 +377,24 @@ static unsigned int rej_eta(ml_dsa_params *params, } /************************************************* -* Name: ml_dsa_poly_uniform_eta -* -* Description: FIPS 204: Algorithm 31 RejBoundedPoly. -* Sample polynomial with uniformly random coefficients -* in [-ETA,ETA] by performing rejection sampling on the -* output stream from SHAKE256(seed|nonce) -* -* Arguments: - ml_dsa_params: parameter struct -* - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length CRHBYTES -* - uint16_t nonce: 2-byte nonce -**************************************************/ -void ml_dsa_poly_uniform_eta(ml_dsa_params *params, - ml_dsa_poly *a, - const uint8_t seed[ML_DSA_CRHBYTES], - uint16_t nonce) -{ + * Name: ml_dsa_poly_uniform_eta + * + * Description: FIPS 204: Algorithm 31 RejBoundedPoly. + * Sample polynomial with uniformly random coefficients + * in [-ETA,ETA] by performing rejection sampling on the + * output stream from SHAKE256(seed|nonce) + * + * Arguments: - ml_dsa_params: parameter struct + * - poly *a: pointer to output polynomial + * - const uint8_t seed[]: byte array with seed of length CRHBYTES + * - uint16_t nonce: 2-byte nonce + **************************************************/ +void ml_dsa_poly_uniform_eta(ml_dsa_params *params, ml_dsa_poly *a, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce) { unsigned int ctr; - unsigned int buflen = ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE; + unsigned int buflen = + ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE; uint8_t buf[ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE]; KECCAK1600_CTX state; 
@@ -420,13 +405,15 @@ void ml_dsa_poly_uniform_eta(ml_dsa_params *params, SHAKE_Init(&state, SHAKE256_BLOCKSIZE); SHAKE_Absorb(&state, seed, ML_DSA_CRHBYTES); SHAKE_Absorb(&state, t, 2); - SHAKE_Squeeze(buf, &state, ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE); + SHAKE_Squeeze(buf, &state, + ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE); ctr = rej_eta(params, a->coeffs, ML_DSA_N, buf, buflen); - while(ctr < ML_DSA_N) { + while (ctr < ML_DSA_N) { SHAKE_Squeeze(buf, &state, SHAKE256_BLOCKSIZE); - ctr += rej_eta(params, a->coeffs + ctr, ML_DSA_N - ctr, buf, SHAKE256_BLOCKSIZE); + ctr += rej_eta(params, a->coeffs + ctr, ML_DSA_N - ctr, buf, + SHAKE256_BLOCKSIZE); } /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ 
@@ -435,23 +422,22 @@ void ml_dsa_poly_uniform_eta(ml_dsa_params *params, } /************************************************* -* Name: ml_dsa_poly_uniform_gamma1 -* -* Description: Sample polynomial with uniformly random coefficients -* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream -* of SHAKE256(seed|nonce) -* -* Arguments: - ml_dsa_params: parameter struct -* - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length CRHBYTES -* - uint16_t nonce: 16-bit nonce -**************************************************/ -#define POLY_UNIFORM_GAMMA1_NBLOCKS ((ML_DSA_POLYZ_PACKEDBYTES_MAX + SHAKE256_BLOCKSIZE - 1) / SHAKE256_BLOCKSIZE) -void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params, - ml_dsa_poly *a, + * Name: ml_dsa_poly_uniform_gamma1 + * + * Description: Sample polynomial with uniformly random coefficients + * in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream + * of SHAKE256(seed|nonce) + * + * Arguments: - ml_dsa_params: parameter struct + * - poly *a: pointer to output polynomial + * - const uint8_t seed[]: byte array with seed of length CRHBYTES + * - uint16_t nonce: 16-bit nonce + **************************************************/ +#define POLY_UNIFORM_GAMMA1_NBLOCKS \ + ((ML_DSA_POLYZ_PACKEDBYTES_MAX + SHAKE256_BLOCKSIZE - 1) / SHAKE256_BLOCKSIZE) +void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params, ml_dsa_poly *a, const uint8_t seed[ML_DSA_CRHBYTES], - uint16_t nonce) -{ + uint16_t nonce) { uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_BLOCKSIZE]; KECCAK1600_CTX state; 
@@ -470,17 +456,19 @@ void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params, } /************************************************* -* Name: ml_dsa_poly_challenge -* -* Description: Implementation of H. Samples polynomial with TAU nonzero -* coefficients in {-1,1} using the output stream of -* SHAKE256(seed). -* -* Arguments: - ml_dsa_params: parameter struct -* - poly *c: pointer to output polynomial -* - const uint8_t mu[]: byte array containing seed of length CTILDEBYTES -**************************************************/ -void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t *seed) { + * Name: ml_dsa_poly_challenge + * + * Description: Implementation of H. Samples polynomial with TAU nonzero + * coefficients in {-1,1} using the output stream of + * SHAKE256(seed). + * + * Arguments: - ml_dsa_params: parameter struct + * - poly *c: pointer to output polynomial + * - const uint8_t mu[]: byte array containing seed of length + *CTILDEBYTES + **************************************************/ +void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, + const uint8_t *seed) { unsigned int i, b, pos; uint64_t signs; uint8_t buf[SHAKE256_BLOCKSIZE]; 
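Review bot: The reformatted header comment of ml_dsa_poly_challenge now reads `* - const uint8_t mu[]: byte array containing seed of length` followed by `*CTILDEBYTES` on the next line, so clang-format's wrap glued the word to the comment border and left the argument documented under the name `mu[]` while the signature declares it `seed`. Since the commit already rewrites every line of this comment, it is the right place to fix both: `* - const uint8_t seed[]: byte array containing seed of length` and `*   CTILDEBYTES` (with the leading space kept so the continuation reads as part of the argument list). The same `mu`/`seed` naming mismatch appears to predate this change, so I would treat it as a follow-up if the intent is to keep this commit format-only. The body of ml_dsa_poly_challenge continues in the next hunk.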
@@ -491,26 +479,26 @@ void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t SHAKE_Squeeze(buf, &state, SHAKE256_BLOCKSIZE); signs = 0; - for(i = 0; i < 8; ++i) { - signs |= (uint64_t)buf[i] << 8*i; + for (i = 0; i < 8; ++i) { + signs |= (uint64_t)buf[i] << 8 * i; } pos = 8; - for(i = 0; i < ML_DSA_N; ++i) { + for (i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = 0; } - for(i = ML_DSA_N-params->tau; i < ML_DSA_N; ++i) { + for (i = ML_DSA_N - params->tau; i < ML_DSA_N; ++i) { do { - if(pos >= SHAKE256_BLOCKSIZE) { + if (pos >= SHAKE256_BLOCKSIZE) { SHAKE_Squeeze(buf, &state, SHAKE256_BLOCKSIZE); pos = 0; } b = buf[pos++]; - } while(b > i); + } while (b > i); c->coeffs[i] = c->coeffs[b]; - c->coeffs[b] = 1 - 2*(signs & 1); + c->coeffs[b] = 1 - 2 * (signs & 1); signs >>= 1; } /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ 
@@ -520,381 +508,382 @@ void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t } /************************************************* -* Name: ml_dsa_polyeta_pack -* -* Description: Bit-pack polynomial with coefficients in [-ETA,ETA]. -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t *r: pointer to output byte array with at least -* POLYETA_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a) { + * Name: ml_dsa_polyeta_pack + * + * Description: Bit-pack polynomial with coefficients in [-ETA,ETA]. + * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t *r: pointer to output byte array with at least + * POLYETA_PACKEDBYTES bytes + * - const poly *a: pointer to input polynomial + **************************************************/ +void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, + const ml_dsa_poly *a) { unsigned int i; uint8_t t[8]; - assert((params->eta == 2) || - (params->eta == 4)); + assert((params->eta == 2) || (params->eta == 4)); if (params->eta == 2) { - for(i = 0; i < ML_DSA_N/8; ++i) { - t[0] = params->eta - a->coeffs[8*i+0]; - t[1] = params->eta - a->coeffs[8*i+1]; - t[2] = params->eta - a->coeffs[8*i+2]; - t[3] = params->eta - a->coeffs[8*i+3]; - t[4] = params->eta - a->coeffs[8*i+4]; - t[5] = params->eta - a->coeffs[8*i+5]; - t[6] = params->eta - a->coeffs[8*i+6]; - t[7] = params->eta - a->coeffs[8*i+7]; - - r[3*i+0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6); - r[3*i+1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7); - r[3*i+2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5); + for (i = 0; i < ML_DSA_N / 8; ++i) { + t[0] = params->eta - a->coeffs[8 * i + 0]; + t[1] = params->eta - a->coeffs[8 * i + 1]; + t[2] = params->eta - a->coeffs[8 * i + 2]; + t[3] = params->eta - a->coeffs[8 * i + 3]; + t[4] = params->eta - a->coeffs[8 * i + 4]; + t[5] = 
params->eta - a->coeffs[8 * i + 5]; + t[6] = params->eta - a->coeffs[8 * i + 6]; + t[7] = params->eta - a->coeffs[8 * i + 7]; + + r[3 * i + 0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6); + r[3 * i + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7); + r[3 * i + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5); } - } - else if (params->eta == 4) { - for(i = 0; i < ML_DSA_N/2; ++i) { - t[0] = params->eta - a->coeffs[2*i+0]; - t[1] = params->eta - a->coeffs[2*i+1]; + } else if (params->eta == 4) { + for (i = 0; i < ML_DSA_N / 2; ++i) { + t[0] = params->eta - a->coeffs[2 * i + 0]; + t[1] = params->eta - a->coeffs[2 * i + 1]; r[i] = t[0] | (t[1] << 4); } } } /************************************************* -* Name: ml_dsa_polyeta_unpack -* -* Description: Unpack polynomial with coefficients in [-ETA,ETA]. -* -* Arguments: - ml_dsa_params: parameter struct -* - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void ml_dsa_polyeta_unpack(ml_dsa_params *params, ml_dsa_poly *r, const uint8_t *a) { + * Name: ml_dsa_polyeta_unpack + * + * Description: Unpack polynomial with coefficients in [-ETA,ETA]. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - poly *r: pointer to output polynomial + * - const uint8_t *a: byte array with bit-packed polynomial + **************************************************/ +void ml_dsa_polyeta_unpack(ml_dsa_params *params, ml_dsa_poly *r, + const uint8_t *a) { unsigned int i; - assert((params->eta == 2) || - (params->eta == 4)); + assert((params->eta == 2) || (params->eta == 4)); if (params->eta == 2) { - for(i = 0; i < ML_DSA_N/8; ++i) { - r->coeffs[8*i+0] = (a[3*i+0] >> 0) & 7; - r->coeffs[8*i+1] = (a[3*i+0] >> 3) & 7; - r->coeffs[8*i+2] = ((a[3*i+0] >> 6) | (a[3*i+1] << 2)) & 7; - r->coeffs[8*i+3] = (a[3*i+1] >> 1) & 7; - r->coeffs[8*i+4] = (a[3*i+1] >> 4) & 7; - r->coeffs[8*i+5] = ((a[3*i+1] >> 7) | (a[3*i+2] << 1)) & 7; - r->coeffs[8*i+6] = (a[3*i+2] >> 2) & 7; - r->coeffs[8*i+7] = (a[3*i+2] >> 5) & 7; - - r->coeffs[8*i+0] = params->eta - r->coeffs[8*i+0]; - r->coeffs[8*i+1] = params->eta - r->coeffs[8*i+1]; - r->coeffs[8*i+2] = params->eta - r->coeffs[8*i+2]; - r->coeffs[8*i+3] = params->eta - r->coeffs[8*i+3]; - r->coeffs[8*i+4] = params->eta - r->coeffs[8*i+4]; - r->coeffs[8*i+5] = params->eta - r->coeffs[8*i+5]; - r->coeffs[8*i+6] = params->eta - r->coeffs[8*i+6]; - r->coeffs[8*i+7] = params->eta - r->coeffs[8*i+7]; + for (i = 0; i < ML_DSA_N / 8; ++i) { + r->coeffs[8 * i + 0] = (a[3 * i + 0] >> 0) & 7; + r->coeffs[8 * i + 1] = (a[3 * i + 0] >> 3) & 7; + r->coeffs[8 * i + 2] = ((a[3 * i + 0] >> 6) | (a[3 * i + 1] << 2)) & 7; + r->coeffs[8 * i + 3] = (a[3 * i + 1] >> 1) & 7; + r->coeffs[8 * i + 4] = (a[3 * i + 1] >> 4) & 7; + r->coeffs[8 * i + 5] = ((a[3 * i + 1] >> 7) | (a[3 * i + 2] << 1)) & 7; + r->coeffs[8 * i + 6] = (a[3 * i + 2] >> 2) & 7; + r->coeffs[8 * i + 7] = (a[3 * i + 2] >> 5) & 7; + + r->coeffs[8 * i + 0] = params->eta - r->coeffs[8 * i + 0]; + r->coeffs[8 * i + 1] = params->eta - r->coeffs[8 * i + 1]; + r->coeffs[8 * i + 2] = params->eta - r->coeffs[8 * i + 2]; + r->coeffs[8 * i + 3] = params->eta - 
r->coeffs[8 * i + 3]; + r->coeffs[8 * i + 4] = params->eta - r->coeffs[8 * i + 4]; + r->coeffs[8 * i + 5] = params->eta - r->coeffs[8 * i + 5]; + r->coeffs[8 * i + 6] = params->eta - r->coeffs[8 * i + 6]; + r->coeffs[8 * i + 7] = params->eta - r->coeffs[8 * i + 7]; } - } - else if (params->eta == 4) { - for(i = 0; i < ML_DSA_N/2; ++i) { - r->coeffs[2*i+0] = a[i] & 0x0F; - r->coeffs[2*i+1] = a[i] >> 4; - r->coeffs[2*i+0] = params->eta - r->coeffs[2*i+0]; - r->coeffs[2*i+1] = params->eta - r->coeffs[2*i+1]; + } else if (params->eta == 4) { + for (i = 0; i < ML_DSA_N / 2; ++i) { + r->coeffs[2 * i + 0] = a[i] & 0x0F; + r->coeffs[2 * i + 1] = a[i] >> 4; + r->coeffs[2 * i + 0] = params->eta - r->coeffs[2 * i + 0]; + r->coeffs[2 * i + 1] = params->eta - r->coeffs[2 * i + 1]; } } } /************************************************* -* Name: ml_dsa_polyt1_pack -* -* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits. -* Input coefficients are assumed to be standard representatives. -* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYT1_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ + * Name: ml_dsa_polyt1_pack + * + * Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits. + * Input coefficients are assumed to be standard representatives. 
+ * + * Arguments: - uint8_t *r: pointer to output byte array with at least + * POLYT1_PACKEDBYTES bytes + * - const poly *a: pointer to input polynomial + **************************************************/ void ml_dsa_polyt1_pack(uint8_t *r, const ml_dsa_poly *a) { unsigned int i; - for(i = 0; i < ML_DSA_N/4; ++i) { - r[5*i+0] = (a->coeffs[4*i+0] >> 0); - r[5*i+1] = (a->coeffs[4*i+0] >> 8) | (a->coeffs[4*i+1] << 2); - r[5*i+2] = (a->coeffs[4*i+1] >> 6) | (a->coeffs[4*i+2] << 4); - r[5*i+3] = (a->coeffs[4*i+2] >> 4) | (a->coeffs[4*i+3] << 6); - r[5*i+4] = (a->coeffs[4*i+3] >> 2); + for (i = 0; i < ML_DSA_N / 4; ++i) { + r[5 * i + 0] = (a->coeffs[4 * i + 0] >> 0); + r[5 * i + 1] = (a->coeffs[4 * i + 0] >> 8) | (a->coeffs[4 * i + 1] << 2); + r[5 * i + 2] = (a->coeffs[4 * i + 1] >> 6) | (a->coeffs[4 * i + 2] << 4); + r[5 * i + 3] = (a->coeffs[4 * i + 2] >> 4) | (a->coeffs[4 * i + 3] << 6); + r[5 * i + 4] = (a->coeffs[4 * i + 3] >> 2); } } /************************************************* -* Name: ml_dsa_polyt1_unpack -* -* Description: Unpack polynomial t1 with 10-bit coefficients. -* Output coefficients are standard representatives. -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ + * Name: ml_dsa_polyt1_unpack + * + * Description: Unpack polynomial t1 with 10-bit coefficients. + * Output coefficients are standard representatives. 
+ * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *a: byte array with bit-packed polynomial + **************************************************/ void ml_dsa_polyt1_unpack(ml_dsa_poly *r, const uint8_t *a) { unsigned int i; - for(i = 0; i < ML_DSA_N/4; ++i) { - r->coeffs[4*i+0] = ((a[5*i+0] >> 0) | ((uint32_t)a[5*i+1] << 8)) & 0x3FF; - r->coeffs[4*i+1] = ((a[5*i+1] >> 2) | ((uint32_t)a[5*i+2] << 6)) & 0x3FF; - r->coeffs[4*i+2] = ((a[5*i+2] >> 4) | ((uint32_t)a[5*i+3] << 4)) & 0x3FF; - r->coeffs[4*i+3] = ((a[5*i+3] >> 6) | ((uint32_t)a[5*i+4] << 2)) & 0x3FF; + for (i = 0; i < ML_DSA_N / 4; ++i) { + r->coeffs[4 * i + 0] = + ((a[5 * i + 0] >> 0) | ((uint32_t)a[5 * i + 1] << 8)) & 0x3FF; + r->coeffs[4 * i + 1] = + ((a[5 * i + 1] >> 2) | ((uint32_t)a[5 * i + 2] << 6)) & 0x3FF; + r->coeffs[4 * i + 2] = + ((a[5 * i + 2] >> 4) | ((uint32_t)a[5 * i + 3] << 4)) & 0x3FF; + r->coeffs[4 * i + 3] = + ((a[5 * i + 3] >> 6) | ((uint32_t)a[5 * i + 4] << 2)) & 0x3FF; } } /************************************************* -* Name: ml_dsa_polyt0_pack -* -* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. -* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYT0_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ + * Name: ml_dsa_polyt0_pack + * + * Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. 
+ * + * Arguments: - uint8_t *r: pointer to output byte array with at least + * POLYT0_PACKEDBYTES bytes + * - const poly *a: pointer to input polynomial + **************************************************/ void ml_dsa_polyt0_pack(uint8_t *r, const ml_dsa_poly *a) { unsigned int i; uint32_t t[8]; - for(i = 0; i < ML_DSA_N/8; ++i) { - t[0] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+0]; - t[1] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+1]; - t[2] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+2]; - t[3] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+3]; - t[4] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+4]; - t[5] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+5]; - t[6] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+6]; - t[7] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+7]; - - r[13*i+ 0] = t[0]; - r[13*i+ 1] = t[0] >> 8; - r[13*i+ 1] |= t[1] << 5; - r[13*i+ 2] = t[1] >> 3; - r[13*i+ 3] = t[1] >> 11; - r[13*i+ 3] |= t[2] << 2; - r[13*i+ 4] = t[2] >> 6; - r[13*i+ 4] |= t[3] << 7; - r[13*i+ 5] = t[3] >> 1; - r[13*i+ 6] = t[3] >> 9; - r[13*i+ 6] |= t[4] << 4; - r[13*i+ 7] = t[4] >> 4; - r[13*i+ 8] = t[4] >> 12; - r[13*i+ 8] |= t[5] << 1; - r[13*i+ 9] = t[5] >> 7; - r[13*i+ 9] |= t[6] << 6; - r[13*i+10] = t[6] >> 2; - r[13*i+11] = t[6] >> 10; - r[13*i+11] |= t[7] << 3; - r[13*i+12] = t[7] >> 5; + for (i = 0; i < ML_DSA_N / 8; ++i) { + t[0] = (1 << (ML_DSA_D - 1)) - a->coeffs[8 * i + 0]; + t[1] = (1 << (ML_DSA_D - 1)) - a->coeffs[8 * i + 1]; + t[2] = (1 << (ML_DSA_D - 1)) - a->coeffs[8 * i + 2]; + t[3] = (1 << (ML_DSA_D - 1)) - a->coeffs[8 * i + 3]; + t[4] = (1 << (ML_DSA_D - 1)) - a->coeffs[8 * i + 4]; + t[5] = (1 << (ML_DSA_D - 1)) - a->coeffs[8 * i + 5]; + t[6] = (1 << (ML_DSA_D - 1)) - a->coeffs[8 * i + 6]; + t[7] = (1 << (ML_DSA_D - 1)) - a->coeffs[8 * i + 7]; + + r[13 * i + 0] = t[0]; + r[13 * i + 1] = t[0] >> 8; + r[13 * i + 1] |= t[1] << 5; + r[13 * i + 2] = t[1] >> 3; + r[13 * i + 3] = t[1] >> 11; + r[13 * i + 3] |= t[2] << 2; + r[13 * i + 4] = t[2] >> 6; + r[13 * i + 4] |= t[3] << 7; + r[13 * i + 5] = t[3] >> 1; + 
r[13 * i + 6] = t[3] >> 9; + r[13 * i + 6] |= t[4] << 4; + r[13 * i + 7] = t[4] >> 4; + r[13 * i + 8] = t[4] >> 12; + r[13 * i + 8] |= t[5] << 1; + r[13 * i + 9] = t[5] >> 7; + r[13 * i + 9] |= t[6] << 6; + r[13 * i + 10] = t[6] >> 2; + r[13 * i + 11] = t[6] >> 10; + r[13 * i + 11] |= t[7] << 3; + r[13 * i + 12] = t[7] >> 5; } } /************************************************* -* Name: ml_dsa_polyt0_unpack -* -* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ + * Name: ml_dsa_polyt0_unpack + * + * Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *a: byte array with bit-packed polynomial + **************************************************/ void ml_dsa_polyt0_unpack(ml_dsa_poly *r, const uint8_t *a) { unsigned int i; - for(i = 0; i < ML_DSA_N/8; ++i) { - r->coeffs[8*i+0] = a[13*i+0]; - r->coeffs[8*i+0] |= (uint32_t)a[13*i+1] << 8; - r->coeffs[8*i+0] &= 0x1FFF; - - r->coeffs[8*i+1] = a[13*i+1] >> 5; - r->coeffs[8*i+1] |= (uint32_t)a[13*i+2] << 3; - r->coeffs[8*i+1] |= (uint32_t)a[13*i+3] << 11; - r->coeffs[8*i+1] &= 0x1FFF; - - r->coeffs[8*i+2] = a[13*i+3] >> 2; - r->coeffs[8*i+2] |= (uint32_t)a[13*i+4] << 6; - r->coeffs[8*i+2] &= 0x1FFF; - - r->coeffs[8*i+3] = a[13*i+4] >> 7; - r->coeffs[8*i+3] |= (uint32_t)a[13*i+5] << 1; - r->coeffs[8*i+3] |= (uint32_t)a[13*i+6] << 9; - r->coeffs[8*i+3] &= 0x1FFF; - - r->coeffs[8*i+4] = a[13*i+6] >> 4; - r->coeffs[8*i+4] |= (uint32_t)a[13*i+7] << 4; - r->coeffs[8*i+4] |= (uint32_t)a[13*i+8] << 12; - r->coeffs[8*i+4] &= 0x1FFF; - - r->coeffs[8*i+5] = a[13*i+8] >> 1; - r->coeffs[8*i+5] |= (uint32_t)a[13*i+9] << 7; - r->coeffs[8*i+5] &= 0x1FFF; - - r->coeffs[8*i+6] = a[13*i+9] >> 6; - r->coeffs[8*i+6] |= (uint32_t)a[13*i+10] << 2; - 
r->coeffs[8*i+6] |= (uint32_t)a[13*i+11] << 10; - r->coeffs[8*i+6] &= 0x1FFF; - - r->coeffs[8*i+7] = a[13*i+11] >> 3; - r->coeffs[8*i+7] |= (uint32_t)a[13*i+12] << 5; - r->coeffs[8*i+7] &= 0x1FFF; - - r->coeffs[8*i+0] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+0]; - r->coeffs[8*i+1] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+1]; - r->coeffs[8*i+2] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+2]; - r->coeffs[8*i+3] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+3]; - r->coeffs[8*i+4] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+4]; - r->coeffs[8*i+5] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+5]; - r->coeffs[8*i+6] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+6]; - r->coeffs[8*i+7] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+7]; + for (i = 0; i < ML_DSA_N / 8; ++i) { + r->coeffs[8 * i + 0] = a[13 * i + 0]; + r->coeffs[8 * i + 0] |= (uint32_t)a[13 * i + 1] << 8; + r->coeffs[8 * i + 0] &= 0x1FFF; + + r->coeffs[8 * i + 1] = a[13 * i + 1] >> 5; + r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 2] << 3; + r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 3] << 11; + r->coeffs[8 * i + 1] &= 0x1FFF; + + r->coeffs[8 * i + 2] = a[13 * i + 3] >> 2; + r->coeffs[8 * i + 2] |= (uint32_t)a[13 * i + 4] << 6; + r->coeffs[8 * i + 2] &= 0x1FFF; + + r->coeffs[8 * i + 3] = a[13 * i + 4] >> 7; + r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 5] << 1; + r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 6] << 9; + r->coeffs[8 * i + 3] &= 0x1FFF; + + r->coeffs[8 * i + 4] = a[13 * i + 6] >> 4; + r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 7] << 4; + r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 8] << 12; + r->coeffs[8 * i + 4] &= 0x1FFF; + + r->coeffs[8 * i + 5] = a[13 * i + 8] >> 1; + r->coeffs[8 * i + 5] |= (uint32_t)a[13 * i + 9] << 7; + r->coeffs[8 * i + 5] &= 0x1FFF; + + r->coeffs[8 * i + 6] = a[13 * i + 9] >> 6; + r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 10] << 2; + r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 11] << 10; + r->coeffs[8 * i + 6] &= 0x1FFF; + + r->coeffs[8 * i + 7] = a[13 * i + 11] >> 3; + r->coeffs[8 * i + 7] |= (uint32_t)a[13 * i 
+ 12] << 5; + r->coeffs[8 * i + 7] &= 0x1FFF; + + r->coeffs[8 * i + 0] = (1 << (ML_DSA_D - 1)) - r->coeffs[8 * i + 0]; + r->coeffs[8 * i + 1] = (1 << (ML_DSA_D - 1)) - r->coeffs[8 * i + 1]; + r->coeffs[8 * i + 2] = (1 << (ML_DSA_D - 1)) - r->coeffs[8 * i + 2]; + r->coeffs[8 * i + 3] = (1 << (ML_DSA_D - 1)) - r->coeffs[8 * i + 3]; + r->coeffs[8 * i + 4] = (1 << (ML_DSA_D - 1)) - r->coeffs[8 * i + 4]; + r->coeffs[8 * i + 5] = (1 << (ML_DSA_D - 1)) - r->coeffs[8 * i + 5]; + r->coeffs[8 * i + 6] = (1 << (ML_DSA_D - 1)) - r->coeffs[8 * i + 6]; + r->coeffs[8 * i + 7] = (1 << (ML_DSA_D - 1)) - r->coeffs[8 * i + 7]; } } /************************************************* -* Name: ml_dsa_polyz_pack -* -* Description: Bit-pack polynomial with coefficients -* in [-(GAMMA1 - 1), GAMMA1]. -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t *r: pointer to output byte array with at least -* POLYZ_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void ml_dsa_polyz_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a) { + * Name: ml_dsa_polyz_pack + * + * Description: Bit-pack polynomial with coefficients + * in [-(GAMMA1 - 1), GAMMA1]. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t *r: pointer to output byte array with at least + * POLYZ_PACKEDBYTES bytes + * - const poly *a: pointer to input polynomial + **************************************************/ +void ml_dsa_polyz_pack(ml_dsa_params *params, uint8_t *r, + const ml_dsa_poly *a) { unsigned int i; uint32_t t[4]; - assert((params->gamma1 == (1 << 17)) || - (params->gamma1 == (1 << 19))); + assert((params->gamma1 == (1 << 17)) || (params->gamma1 == (1 << 19))); if (params->gamma1 == (1 << 17)) { - for(i = 0; i < ML_DSA_N/4; ++i) { - t[0] = params->gamma1 - a->coeffs[4*i+0]; - t[1] = params->gamma1 - a->coeffs[4*i+1]; - t[2] = params->gamma1 - a->coeffs[4*i+2]; - t[3] = params->gamma1 - a->coeffs[4*i+3]; - - r[9*i+0] = t[0]; - r[9*i+1] = t[0] >> 8; - r[9*i+2] = t[0] >> 16; - r[9*i+2] |= t[1] << 2; - r[9*i+3] = t[1] >> 6; - r[9*i+4] = t[1] >> 14; - r[9*i+4] |= t[2] << 4; - r[9*i+5] = t[2] >> 4; - r[9*i+6] = t[2] >> 12; - r[9*i+6] |= t[3] << 6; - r[9*i+7] = t[3] >> 2; - r[9*i+8] = t[3] >> 10; + for (i = 0; i < ML_DSA_N / 4; ++i) { + t[0] = params->gamma1 - a->coeffs[4 * i + 0]; + t[1] = params->gamma1 - a->coeffs[4 * i + 1]; + t[2] = params->gamma1 - a->coeffs[4 * i + 2]; + t[3] = params->gamma1 - a->coeffs[4 * i + 3]; + + r[9 * i + 0] = t[0]; + r[9 * i + 1] = t[0] >> 8; + r[9 * i + 2] = t[0] >> 16; + r[9 * i + 2] |= t[1] << 2; + r[9 * i + 3] = t[1] >> 6; + r[9 * i + 4] = t[1] >> 14; + r[9 * i + 4] |= t[2] << 4; + r[9 * i + 5] = t[2] >> 4; + r[9 * i + 6] = t[2] >> 12; + r[9 * i + 6] |= t[3] << 6; + r[9 * i + 7] = t[3] >> 2; + r[9 * i + 8] = t[3] >> 10; } - } - else if (params->gamma1 == (1 << 19)) { - for(i = 0; i < ML_DSA_N/2; ++i) { - t[0] = params->gamma1 - a->coeffs[2*i+0]; - t[1] = params->gamma1 - a->coeffs[2*i+1]; - - r[5*i+0] = t[0]; - r[5*i+1] = t[0] >> 8; - r[5*i+2] = t[0] >> 16; - r[5*i+2] |= t[1] << 4; - r[5*i+3] = t[1] >> 4; - r[5*i+4] = t[1] >> 12; + } else if (params->gamma1 == (1 << 19)) { + for (i = 0; i < 
ML_DSA_N / 2; ++i) { + t[0] = params->gamma1 - a->coeffs[2 * i + 0]; + t[1] = params->gamma1 - a->coeffs[2 * i + 1]; + + r[5 * i + 0] = t[0]; + r[5 * i + 1] = t[0] >> 8; + r[5 * i + 2] = t[0] >> 16; + r[5 * i + 2] |= t[1] << 4; + r[5 * i + 3] = t[1] >> 4; + r[5 * i + 4] = t[1] >> 12; } } } /************************************************* -* Name: ml_dsa_polyz_unpack -* -* Description: Unpack polynomial z with coefficients -* in [-(GAMMA1 - 1), GAMMA1]. -* -* Arguments: - ml_dsa_params: parameter struct -* - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void ml_dsa_polyz_unpack(ml_dsa_params *params, ml_dsa_poly *r, const uint8_t *a) { + * Name: ml_dsa_polyz_unpack + * + * Description: Unpack polynomial z with coefficients + * in [-(GAMMA1 - 1), GAMMA1]. + * + * Arguments: - ml_dsa_params: parameter struct + * - poly *r: pointer to output polynomial + * - const uint8_t *a: byte array with bit-packed polynomial + **************************************************/ +void ml_dsa_polyz_unpack(ml_dsa_params *params, ml_dsa_poly *r, + const uint8_t *a) { unsigned int i; - assert((params->gamma1 == (1 << 17)) || - (params->gamma1 == (1 << 19))); + assert((params->gamma1 == (1 << 17)) || (params->gamma1 == (1 << 19))); if (params->gamma1 == (1 << 17)) { - for(i = 0; i < ML_DSA_N/4; ++i) { - r->coeffs[4*i+0] = a[9*i+0]; - r->coeffs[4*i+0] |= (uint32_t)a[9*i+1] << 8; - r->coeffs[4*i+0] |= (uint32_t)a[9*i+2] << 16; - r->coeffs[4*i+0] &= 0x3FFFF; - - r->coeffs[4*i+1] = a[9*i+2] >> 2; - r->coeffs[4*i+1] |= (uint32_t)a[9*i+3] << 6; - r->coeffs[4*i+1] |= (uint32_t)a[9*i+4] << 14; - r->coeffs[4*i+1] &= 0x3FFFF; - - r->coeffs[4*i+2] = a[9*i+4] >> 4; - r->coeffs[4*i+2] |= (uint32_t)a[9*i+5] << 4; - r->coeffs[4*i+2] |= (uint32_t)a[9*i+6] << 12; - r->coeffs[4*i+2] &= 0x3FFFF; - - r->coeffs[4*i+3] = a[9*i+6] >> 6; - r->coeffs[4*i+3] |= (uint32_t)a[9*i+7] << 2; - r->coeffs[4*i+3] 
|= (uint32_t)a[9*i+8] << 10; - r->coeffs[4*i+3] &= 0x3FFFF; - - r->coeffs[4*i+0] = params->gamma1 - r->coeffs[4*i+0]; - r->coeffs[4*i+1] = params->gamma1 - r->coeffs[4*i+1]; - r->coeffs[4*i+2] = params->gamma1 - r->coeffs[4*i+2]; - r->coeffs[4*i+3] = params->gamma1 - r->coeffs[4*i+3]; + for (i = 0; i < ML_DSA_N / 4; ++i) { + r->coeffs[4 * i + 0] = a[9 * i + 0]; + r->coeffs[4 * i + 0] |= (uint32_t)a[9 * i + 1] << 8; + r->coeffs[4 * i + 0] |= (uint32_t)a[9 * i + 2] << 16; + r->coeffs[4 * i + 0] &= 0x3FFFF; + + r->coeffs[4 * i + 1] = a[9 * i + 2] >> 2; + r->coeffs[4 * i + 1] |= (uint32_t)a[9 * i + 3] << 6; + r->coeffs[4 * i + 1] |= (uint32_t)a[9 * i + 4] << 14; + r->coeffs[4 * i + 1] &= 0x3FFFF; + + r->coeffs[4 * i + 2] = a[9 * i + 4] >> 4; + r->coeffs[4 * i + 2] |= (uint32_t)a[9 * i + 5] << 4; + r->coeffs[4 * i + 2] |= (uint32_t)a[9 * i + 6] << 12; + r->coeffs[4 * i + 2] &= 0x3FFFF; + + r->coeffs[4 * i + 3] = a[9 * i + 6] >> 6; + r->coeffs[4 * i + 3] |= (uint32_t)a[9 * i + 7] << 2; + r->coeffs[4 * i + 3] |= (uint32_t)a[9 * i + 8] << 10; + r->coeffs[4 * i + 3] &= 0x3FFFF; + + r->coeffs[4 * i + 0] = params->gamma1 - r->coeffs[4 * i + 0]; + r->coeffs[4 * i + 1] = params->gamma1 - r->coeffs[4 * i + 1]; + r->coeffs[4 * i + 2] = params->gamma1 - r->coeffs[4 * i + 2]; + r->coeffs[4 * i + 3] = params->gamma1 - r->coeffs[4 * i + 3]; } - } - else if (params->gamma1 == (1 << 19)) { - for(i = 0; i < ML_DSA_N/2; ++i) { - r->coeffs[2*i+0] = a[5*i+0]; - r->coeffs[2*i+0] |= (uint32_t)a[5*i+1] << 8; - r->coeffs[2*i+0] |= (uint32_t)a[5*i+2] << 16; - r->coeffs[2*i+0] &= 0xFFFFF; - - r->coeffs[2*i+1] = a[5*i+2] >> 4; - r->coeffs[2*i+1] |= (uint32_t)a[5*i+3] << 4; - r->coeffs[2*i+1] |= (uint32_t)a[5*i+4] << 12; - /* r->coeffs[2*i+1] &= 0xFFFFF; */ /* No effect, since we're anyway at 20 bits */ - - r->coeffs[2*i+0] = params->gamma1 - r->coeffs[2*i+0]; - r->coeffs[2*i+1] = params->gamma1 - r->coeffs[2*i+1]; + } else if (params->gamma1 == (1 << 19)) { + for (i = 0; i < ML_DSA_N / 2; ++i) { 
+ r->coeffs[2 * i + 0] = a[5 * i + 0]; + r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 1] << 8; + r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 2] << 16; + r->coeffs[2 * i + 0] &= 0xFFFFF; + + r->coeffs[2 * i + 1] = a[5 * i + 2] >> 4; + r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 3] << 4; + r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 4] << 12; + /* r->coeffs[2*i+1] &= 0xFFFFF; */ /* No effect, since we're anyway at 20 + bits */ + + r->coeffs[2 * i + 0] = params->gamma1 - r->coeffs[2 * i + 0]; + r->coeffs[2 * i + 1] = params->gamma1 - r->coeffs[2 * i + 1]; } } } /************************************************* -* Name: ml_dsa_polyw1_pack -* -* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43]. -* Input coefficients are assumed to be standard representatives. -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t *r: pointer to output byte array with at least -* POLYW1_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void ml_dsa_polyw1_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a) { + * Name: ml_dsa_polyw1_pack + * + * Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43]. + * Input coefficients are assumed to be standard representatives. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t *r: pointer to output byte array with at least + * POLYW1_PACKEDBYTES bytes + * - const poly *a: pointer to input polynomial + **************************************************/ +void ml_dsa_polyw1_pack(ml_dsa_params *params, uint8_t *r, + const ml_dsa_poly *a) { unsigned int i; - if (params->gamma2 == (ML_DSA_Q-1)/88) { - for(i = 0; i < ML_DSA_N/4; ++i) { - r[3*i+0] = a->coeffs[4*i+0]; - r[3*i+0] |= a->coeffs[4*i+1] << 6; - r[3*i+1] = a->coeffs[4*i+1] >> 2; - r[3*i+1] |= a->coeffs[4*i+2] << 4; - r[3*i+2] = a->coeffs[4*i+2] >> 4; - r[3*i+2] |= a->coeffs[4*i+3] << 2; + if (params->gamma2 == (ML_DSA_Q - 1) / 88) { + for (i = 0; i < ML_DSA_N / 4; ++i) { + r[3 * i + 0] = a->coeffs[4 * i + 0]; + r[3 * i + 0] |= a->coeffs[4 * i + 1] << 6; + r[3 * i + 1] = a->coeffs[4 * i + 1] >> 2; + r[3 * i + 1] |= a->coeffs[4 * i + 2] << 4; + r[3 * i + 2] = a->coeffs[4 * i + 2] >> 4; + r[3 * i + 2] |= a->coeffs[4 * i + 3] << 2; } - } - else if (params->gamma2 == (ML_DSA_Q-1)/32) { - for(i = 0; i < ML_DSA_N/2; ++i) - r[i] = a->coeffs[2*i+0] | (a->coeffs[2*i+1] << 4); + } else if (params->gamma2 == (ML_DSA_Q - 1) / 32) { + for (i = 0; i < ML_DSA_N / 2; ++i) + r[i] = a->coeffs[2 * i + 0] | (a->coeffs[2 * i + 1] << 4); } } diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/poly.h b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/poly.h index fe8eee071c..f03d598ea6 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/poly.h +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/poly.h @@ -12,9 +12,11 @@ void ml_dsa_poly_reduce(ml_dsa_poly *a); void ml_dsa_poly_caddq(ml_dsa_poly *a); -void ml_dsa_poly_add(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b); +void ml_dsa_poly_add(ml_dsa_poly *c, const ml_dsa_poly *a, + const ml_dsa_poly *b); -void ml_dsa_poly_sub(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b); +void ml_dsa_poly_sub(ml_dsa_poly *c, const ml_dsa_poly *a, + const ml_dsa_poly *b); void ml_dsa_poly_shiftl(ml_dsa_poly *a); 
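Review bot: `ml_dsa_polyw1_pack` is the only packer in this hunk that does not pin its parameter: `ml_dsa_polyeta_pack` and `ml_dsa_polyz_pack` open with an `assert` on eta/gamma1, but `ml_dsa_polyw1_pack` has an `if` / `else if` on gamma2 with no assert and no final `else`, so an unexpected gamma2 value returns with `r` never written and whatever the caller does with `r` next operates on uninitialized bytes. For consistency with its siblings I'd add `assert((params->gamma2 == (ML_DSA_Q - 1) / 88) || (params->gamma2 == (ML_DSA_Q - 1) / 32));` before the `if`. Two smaller style points in the same hunk: the `(ML_DSA_Q - 1) / 32` branch keeps an unbraced loop body (`for (...) r[i] = ...;`) while every other loop in the file is braced, and in `ml_dsa_polyz_unpack` the reflow split the old trailing remark into two block comments with `bits */` dangling on its own line — a single `/* No mask needed: 8 + 12 bits already fit in 20 bits. */` reads better.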
@@ -22,48 +24,43 @@ void ml_dsa_poly_ntt(ml_dsa_poly *a); void ml_dsa_poly_invntt_tomont(ml_dsa_poly *a); -void ml_dsa_poly_pointwise_montgomery(ml_dsa_poly *c, - const ml_dsa_poly *a, - const ml_dsa_poly *b); +void ml_dsa_poly_pointwise_montgomery(ml_dsa_poly *c, const ml_dsa_poly *a, + const ml_dsa_poly *b); -void ml_dsa_poly_power2round(ml_dsa_poly *a1, ml_dsa_poly *a0, const ml_dsa_poly *a); +void ml_dsa_poly_power2round(ml_dsa_poly *a1, ml_dsa_poly *a0, + const ml_dsa_poly *a); -void ml_dsa_poly_decompose(ml_dsa_params *params, - ml_dsa_poly *a1, - ml_dsa_poly *a0, - const ml_dsa_poly *a); +void ml_dsa_poly_decompose(ml_dsa_params *params, ml_dsa_poly *a1, + ml_dsa_poly *a0, const ml_dsa_poly *a); -unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, - ml_dsa_poly *h, +unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, ml_dsa_poly *h, const ml_dsa_poly *a0, const ml_dsa_poly *a1); -void ml_dsa_poly_use_hint(ml_dsa_params *params, - ml_dsa_poly *b, - const ml_dsa_poly *a, - const ml_dsa_poly *h); +void ml_dsa_poly_use_hint(ml_dsa_params *params, ml_dsa_poly *b, + const ml_dsa_poly *a, const ml_dsa_poly *h); int ml_dsa_poly_chknorm(const ml_dsa_poly *a, int32_t B); -void ml_dsa_poly_uniform(ml_dsa_poly *a, - const uint8_t seed[ML_DSA_SEEDBYTES], +void ml_dsa_poly_uniform(ml_dsa_poly *a, const uint8_t seed[ML_DSA_SEEDBYTES], uint16_t nonce); -void ml_dsa_poly_uniform_eta(ml_dsa_params *params, - ml_dsa_poly *a, +void ml_dsa_poly_uniform_eta(ml_dsa_params *params, ml_dsa_poly *a, const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce); -void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params, - ml_dsa_poly *a, - const uint8_t seed[ML_DSA_CRHBYTES], - uint16_t nonce); +void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params, ml_dsa_poly *a, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce); -void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t *seed); +void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, + const 
uint8_t *seed); -void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a); +void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, + const ml_dsa_poly *a); -void ml_dsa_polyeta_unpack(ml_dsa_params *params, ml_dsa_poly *r, const uint8_t *a); +void ml_dsa_polyeta_unpack(ml_dsa_params *params, ml_dsa_poly *r, + const uint8_t *a); void ml_dsa_polyt1_pack(uint8_t *r, const ml_dsa_poly *a); @@ -75,8 +72,10 @@ void ml_dsa_polyt0_unpack(ml_dsa_poly *r, const uint8_t *a); void ml_dsa_polyz_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a); -void ml_dsa_polyz_unpack(ml_dsa_params *params, ml_dsa_poly *r, const uint8_t *a); +void ml_dsa_polyz_unpack(ml_dsa_params *params, ml_dsa_poly *r, + const uint8_t *a); -void ml_dsa_polyw1_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a); +void ml_dsa_polyw1_pack(ml_dsa_params *params, uint8_t *r, + const ml_dsa_poly *a); #endif diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/polyvec.c b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/polyvec.c index 2041e754d3..8529df90bf 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/polyvec.c +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/polyvec.c 
@@ -1,48 +1,47 @@ +#include "polyvec.h" #include #include "params.h" -#include "polyvec.h" #include "poly.h" /************************************************* -* Name: ml_dsa_polyvec_matrix_expand -* -* Description: FIPS 204: Algorithm 32 ExpandA. -* Generates matrix A with uniformly -* random coefficients a_{i,j} by performing rejection -* sampling on the output stream of SHAKE128(rho|j|i) -* -* Arguments: - ml_dsa_params: parameter struct -* - polyvecl mat: pointer to output matrix -* - const uint8_t rho[]: byte array containing seed rho -**************************************************/ -void ml_dsa_polyvec_matrix_expand(ml_dsa_params *params, - polyvecl *mat, + * Name: ml_dsa_polyvec_matrix_expand + * + * Description: FIPS 204: Algorithm 32 ExpandA. + * Generates matrix A with uniformly + * random coefficients a_{i,j} by performing rejection + * sampling on the output stream of SHAKE128(rho|j|i) + * + * Arguments: - ml_dsa_params: parameter struct + * - polyvecl mat: pointer to output matrix + * - const uint8_t rho[]: byte array containing seed rho + **************************************************/ +void ml_dsa_polyvec_matrix_expand(ml_dsa_params *params, polyvecl *mat, const uint8_t rho[ML_DSA_SEEDBYTES]) { unsigned int i, j; - for(i = 0; i < params->k; ++i) { - for(j = 0; j < params->l; ++j) { + for (i = 0; i < params->k; ++i) { + for (j = 0; j < params->l; ++j) { ml_dsa_poly_uniform(&mat[i].vec[j], rho, (i << 8) + j); } } } /************************************************* -* Name: ml_dsa_polyvec_matrix_pointwise_montgomery -* -* Description: Pointwise multiply vectors of polynomials of length K, -* wrapper for polyvecl_pointwise_acc_montgomery. 
-* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck t: pointer to output polynomial -* - polyvecl mat: pointer to first input vector -* - polyvecl v: pointer to second input vector -**************************************************/ + * Name: ml_dsa_polyvec_matrix_pointwise_montgomery + * + * Description: Pointwise multiply vectors of polynomials of length K, + * wrapper for polyvecl_pointwise_acc_montgomery. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck t: pointer to output polynomial + * - polyvecl mat: pointer to first input vector + * - polyvecl v: pointer to second input vector + **************************************************/ void ml_dsa_polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, polyveck *t, const polyvecl *mat, const polyvecl *v) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_polyvecl_pointwise_acc_montgomery(params, &t->vec[i], &mat[i], v); } } 
@@ -52,183 +51,178 @@ void ml_dsa_polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, /**************************************************************/ /************************************************* -* Name: ml_dsa_polyvecl_uniform_eta -* -* Description: FIPS 204: Algorithm 33 ExpandS (for vectors l). -* Samples vector v with polynomial coordinates whose -* coefficients are in [-eta, eta]. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyvecl v: pointer to output vector -* - const uint8_t seed: byte array containing seed -* - uint16_t nonce: 2-byte nonce -**************************************************/ -void ml_dsa_polyvecl_uniform_eta(ml_dsa_params *params, - polyvecl *v, + * Name: ml_dsa_polyvecl_uniform_eta + * + * Description: FIPS 204: Algorithm 33 ExpandS (for vectors l). + * Samples vector v with polynomial coordinates whose + * coefficients are in [-eta, eta]. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyvecl v: pointer to output vector + * - const uint8_t seed: byte array containing seed + * - uint16_t nonce: 2-byte nonce + **************************************************/ +void ml_dsa_polyvecl_uniform_eta(ml_dsa_params *params, polyvecl *v, const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce) { unsigned int i; - for(i = 0; i < params->l; ++i) + for (i = 0; i < params->l; ++i) ml_dsa_poly_uniform_eta(params, &v->vec[i], seed, nonce++); } /************************************************* -* Name: ml_dsa_polyvecl_uniform_gamma1 -* -* Description: FIPS 204: Algorithm 34 ExpandMask. -* Samples vector v with polynomial coordinates whose -* coefficients are in [-gamma1 + 1, gamma1]. 
-* -* Arguments: - ml_dsa_params: parameter struct -* - polyvecl v: pointer to output vector -* - const uint8_t seed: byte array containing seed -* - uint16_t nonce: 2-byte nonce -**************************************************/ -void ml_dsa_polyvecl_uniform_gamma1(ml_dsa_params *params, - polyvecl *v, + * Name: ml_dsa_polyvecl_uniform_gamma1 + * + * Description: FIPS 204: Algorithm 34 ExpandMask. + * Samples vector v with polynomial coordinates whose + * coefficients are in [-gamma1 + 1, gamma1]. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyvecl v: pointer to output vector + * - const uint8_t seed: byte array containing seed + * - uint16_t nonce: 2-byte nonce + **************************************************/ +void ml_dsa_polyvecl_uniform_gamma1(ml_dsa_params *params, polyvecl *v, const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce) { unsigned int i; - for(i = 0; i < params->l; ++i) { - ml_dsa_poly_uniform_gamma1(params, &v->vec[i], seed, params->l*nonce + i); + for (i = 0; i < params->l; ++i) { + ml_dsa_poly_uniform_gamma1(params, &v->vec[i], seed, params->l * nonce + i); } } /************************************************* -* Name: ml_dsa_polyvecl_reduce -* -* Description: Reduce coefficients of polynomials in vector of length L -* to representatives in [-6283009,6283007]. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *v: pointer to input/output vector -**************************************************/ + * Name: ml_dsa_polyvecl_reduce + * + * Description: Reduce coefficients of polynomials in vector of length L + * to representatives in [-6283009,6283007]. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *v: pointer to input/output vector + **************************************************/ void ml_dsa_polyvecl_reduce(ml_dsa_params *params, polyvecl *v) { unsigned int i; - for(i = 0; i < params->l; ++i) { + for (i = 0; i < params->l; ++i) { ml_dsa_poly_reduce(&v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyvecl_add -* -* Description: Add vectors of polynomials of length L. -* No modular reduction is performed. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyvecl *w: pointer to output vector -* - const polyvecl *u: pointer to first summand -* - const polyvecl *v: pointer to second summand -**************************************************/ -void ml_dsa_polyvecl_add(ml_dsa_params *params, - polyvecl *w, - const polyvecl *u, + * Name: ml_dsa_polyvecl_add + * + * Description: Add vectors of polynomials of length L. + * No modular reduction is performed. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyvecl *w: pointer to output vector + * - const polyvecl *u: pointer to first summand + * - const polyvecl *v: pointer to second summand + **************************************************/ +void ml_dsa_polyvecl_add(ml_dsa_params *params, polyvecl *w, const polyvecl *u, const polyvecl *v) { unsigned int i; - for(i = 0; i < params->l; ++i) { + for (i = 0; i < params->l; ++i) { ml_dsa_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyvecl_ntt -* -* Description: Forward NTT of all polynomials in vector of length L. Output -* coefficients can be up to 16*Q larger than input coefficients. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyvecl *v: pointer to input/output vector -**************************************************/ + * Name: ml_dsa_polyvecl_ntt + * + * Description: Forward NTT of all polynomials in vector of length L. 
Output + * coefficients can be up to 16*Q larger than input coefficients. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyvecl *v: pointer to input/output vector + **************************************************/ void ml_dsa_polyvecl_ntt(ml_dsa_params *params, polyvecl *v) { unsigned int i; - for(i = 0; i < params->l; ++i) { + for (i = 0; i < params->l; ++i) { ml_dsa_poly_ntt(&v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyvecl_invntt_tomont -* -* Description: Inverse NTT and multiplication by 2^{32} of polynomials -* in vector of length l. Input coefficients need to be less -* than 2*Q. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyvecl *v: pointer to input/output vector -**************************************************/ + * Name: ml_dsa_polyvecl_invntt_tomont + * + * Description: Inverse NTT and multiplication by 2^{32} of polynomials + * in vector of length l. Input coefficients need to be less + * than 2*Q. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyvecl *v: pointer to input/output vector + **************************************************/ void ml_dsa_polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v) { unsigned int i; - for(i = 0; i < params->l; ++i) { + for (i = 0; i < params->l; ++i) { ml_dsa_poly_invntt_tomont(&v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyvecl_pointwise_poly_montgomery -* -* Description: Pointwise multiplication of polynomials in NTT domain -* representation and multiplication of resulting polynomial -* by 2^{-32}. 
-* -* Arguments: - ml_dsa_params: parameter struct -* - polyvecl *r: pointer to output polynomial -* - const poly *a: pointer to input polynomial -* - const polyvecl *v: pointer to input vector -**************************************************/ + * Name: ml_dsa_polyvecl_pointwise_poly_montgomery + * + * Description: Pointwise multiplication of polynomials in NTT domain + * representation and multiplication of resulting polynomial + * by 2^{-32}. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyvecl *r: pointer to output polynomial + * - const poly *a: pointer to input polynomial + * - const polyvecl *v: pointer to input vector + **************************************************/ void ml_dsa_polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, polyvecl *r, const ml_dsa_poly *a, const polyvecl *v) { unsigned int i; - for(i = 0; i < params->l; ++i) { + for (i = 0; i < params->l; ++i) { ml_dsa_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyvecl_pointwise_acc_montgomery -* -* Description: Pointwise multiply vectors of polynomials of length L, multiply -* resulting vector by 2^{-32} and add (accumulate) polynomials -* in it. Input/output vectors are in NTT domain representation. -* -* Arguments: - ml_dsa_params: parameter struct -* - poly *w: output polynomial -* - const polyvecl *u: pointer to first input vector -* - const polyvecl *v: pointer to second input vector -**************************************************/ + * Name: ml_dsa_polyvecl_pointwise_acc_montgomery + * + * Description: Pointwise multiply vectors of polynomials of length L, multiply + * resulting vector by 2^{-32} and add (accumulate) polynomials + * in it. Input/output vectors are in NTT domain representation. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - poly *w: output polynomial + * - const polyvecl *u: pointer to first input vector + * - const polyvecl *v: pointer to second input vector + **************************************************/ void ml_dsa_polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, - ml_dsa_poly *w, - const polyvecl *u, - const polyvecl *v) -{ + ml_dsa_poly *w, const polyvecl *u, + const polyvecl *v) { unsigned int i; ml_dsa_poly t; ml_dsa_poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]); - for(i = 1; i < params->l; ++i) { + for (i = 1; i < params->l; ++i) { ml_dsa_poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]); ml_dsa_poly_add(w, w, &t); } } /************************************************* -* Name: ml_dsa_polyvecl_chknorm -* -* Description: Check infinity norm of polynomials in vector of length L. -* Assumes input polyvecl to be reduced by polyvecl_reduce(). -* -* Arguments: - ml_dsa_params: parameter struct -* - const polyvecl *v: pointer to vector -* - int32_t B: norm bound -* -* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8 -* and 1 otherwise. -**************************************************/ -int ml_dsa_polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t bound) { + * Name: ml_dsa_polyvecl_chknorm + * + * Description: Check infinity norm of polynomials in vector of length L. + * Assumes input polyvecl to be reduced by polyvecl_reduce(). + * + * Arguments: - ml_dsa_params: parameter struct + * - const polyvecl *v: pointer to vector + * - int32_t B: norm bound + * + * Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8 + * and 1 otherwise. 
+ **************************************************/ +int ml_dsa_polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, + int32_t bound) { unsigned int i; - for(i = 0; i < params->l; ++i) { - if(ml_dsa_poly_chknorm(&v->vec[i], bound)) { + for (i = 0; i < params->l; ++i) { + if (ml_dsa_poly_chknorm(&v->vec[i], bound)) { return 1; } } 
@@ -240,190 +234,186 @@ int ml_dsa_polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t bo /**************************************************************/ /************************************************* -* Name: ml_dsa_polyvecl_uniform_eta -* -* Description: FIPS 204: Algorithm 33 ExpandS (for vectors k). -* Samples vector v with polynomial coordinates whose -* coefficients are in [-eta, eta]. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck v: pointer to output vector -* - const uint8_t seed: byte array containing seed -* - uint16_t nonce: 2-byte nonce -**************************************************/ -void ml_dsa_polyveck_uniform_eta(ml_dsa_params *params, - polyveck *v, + * Name: ml_dsa_polyvecl_uniform_eta + * + * Description: FIPS 204: Algorithm 33 ExpandS (for vectors k). + * Samples vector v with polynomial coordinates whose + * coefficients are in [-eta, eta]. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck v: pointer to output vector + * - const uint8_t seed: byte array containing seed + * - uint16_t nonce: 2-byte nonce + **************************************************/ +void ml_dsa_polyveck_uniform_eta(ml_dsa_params *params, polyveck *v, const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_poly_uniform_eta(params, &v->vec[i], seed, nonce++); } } /************************************************* -* Name: ml_dsa_polyveck_reduce -* -* Description: Reduce coefficients of polynomials in vector of length K -* to representatives in [-6283009,6283007]. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *v: pointer to input/output vector -**************************************************/ + * Name: ml_dsa_polyveck_reduce + * + * Description: Reduce coefficients of polynomials in vector of length K + * to representatives in [-6283009,6283007]. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *v: pointer to input/output vector + **************************************************/ void ml_dsa_polyveck_reduce(ml_dsa_params *params, polyveck *v) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_poly_reduce(&v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyveck_caddq -* -* Description: For all coefficients of polynomials in vector of length K -* add Q if coefficient is negative. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *v: pointer to input/output vector -**************************************************/ + * Name: ml_dsa_polyveck_caddq + * + * Description: For all coefficients of polynomials in vector of length K + * add Q if coefficient is negative. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *v: pointer to input/output vector + **************************************************/ void ml_dsa_polyveck_caddq(ml_dsa_params *params, polyveck *v) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_poly_caddq(&v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyveck_add -* -* Description: Add vectors of polynomials of length K. -* No modular reduction is performed. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *w: pointer to output vector -* - const polyveck *u: pointer to first summand -* - const polyveck *v: pointer to second summand -**************************************************/ -void ml_dsa_polyveck_add(ml_dsa_params *params, - polyveck *w, - const polyveck *u, + * Name: ml_dsa_polyveck_add + * + * Description: Add vectors of polynomials of length K. + * No modular reduction is performed. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *w: pointer to output vector + * - const polyveck *u: pointer to first summand + * - const polyveck *v: pointer to second summand + **************************************************/ +void ml_dsa_polyveck_add(ml_dsa_params *params, polyveck *w, const polyveck *u, const polyveck *v) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyveck_sub -* -* Description: Subtract vectors of polynomials of length K. -* No modular reduction is performed. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *w: pointer to output vector -* - const polyveck *u: pointer to first input vector -* - const polyveck *v: pointer to second input vector to be -* subtracted from first input vector -**************************************************/ -void ml_dsa_polyveck_sub(ml_dsa_params *params, - polyveck *w, - const polyveck *u, + * Name: ml_dsa_polyveck_sub + * + * Description: Subtract vectors of polynomials of length K. + * No modular reduction is performed. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *w: pointer to output vector + * - const polyveck *u: pointer to first input vector + * - const polyveck *v: pointer to second input vector to be + * subtracted from first input vector + **************************************************/ +void ml_dsa_polyveck_sub(ml_dsa_params *params, polyveck *w, const polyveck *u, const polyveck *v) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyveck_shiftl -* -* Description: Multiply vector of polynomials of Length K by 2^D without modular -* reduction. Assumes input coefficients to be less than 2^{31-D}. 
-* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *v: pointer to input/output vector -**************************************************/ + * Name: ml_dsa_polyveck_shiftl + * + * Description: Multiply vector of polynomials of Length K by 2^D without + *modular reduction. Assumes input coefficients to be less than 2^{31-D}. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *v: pointer to input/output vector + **************************************************/ void ml_dsa_polyveck_shiftl(ml_dsa_params *params, polyveck *v) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_poly_shiftl(&v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyveck_ntt -* -* Description: Forward NTT of all polynomials in vector of length K. Output -* coefficients can be up to 16*Q larger than input coefficients. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *v: pointer to input/output vector -**************************************************/ + * Name: ml_dsa_polyveck_ntt + * + * Description: Forward NTT of all polynomials in vector of length K. Output + * coefficients can be up to 16*Q larger than input coefficients. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *v: pointer to input/output vector + **************************************************/ void ml_dsa_polyveck_ntt(ml_dsa_params *params, polyveck *v) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_poly_ntt(&v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyveck_invntt_tomont -* -* Description: Inverse NTT and multiplication by 2^{32} of polynomials -* in vector of length K. Input coefficients need to be less -* than 2*Q. 
-* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *v: pointer to input/output vector -**************************************************/ + * Name: ml_dsa_polyveck_invntt_tomont + * + * Description: Inverse NTT and multiplication by 2^{32} of polynomials + * in vector of length K. Input coefficients need to be less + * than 2*Q. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *v: pointer to input/output vector + **************************************************/ void ml_dsa_polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_poly_invntt_tomont(&v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyveck_pointwise_poly_montgomery -* -* Description: Pointwise multiplication of polynomials in NTT domain -* representation and multiplication of resulting polynomial -* by 2^{-32}. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *r: pointer to output polynomial -* - const poly *a: pointer to input polynomial -* - const polyveck *v: pointer to input vector -**************************************************/ + * Name: ml_dsa_polyveck_pointwise_poly_montgomery + * + * Description: Pointwise multiplication of polynomials in NTT domain + * representation and multiplication of resulting polynomial + * by 2^{-32}. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *r: pointer to output polynomial + * - const poly *a: pointer to input polynomial + * - const polyveck *v: pointer to input vector + **************************************************/ void ml_dsa_polyveck_pointwise_poly_montgomery(ml_dsa_params *params, polyveck *r, const ml_dsa_poly *a, const polyveck *v) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyveck_chknorm -* -* Description: Check infinity norm of polynomials in vector of length K. -* Assumes input polyveck to be reduced by polyveck_reduce(). -* -* Arguments: - ml_dsa_params: parameter struct -* - const polyveck *v: pointer to vector -* - int32_t B: norm bound -* -* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8 -* and 1 otherwise. -**************************************************/ -int ml_dsa_polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t bound) { + * Name: ml_dsa_polyveck_chknorm + * + * Description: Check infinity norm of polynomials in vector of length K. + * Assumes input polyveck to be reduced by polyveck_reduce(). + * + * Arguments: - ml_dsa_params: parameter struct + * - const polyveck *v: pointer to vector + * - int32_t B: norm bound + * + * Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8 + * and 1 otherwise. + **************************************************/ +int ml_dsa_polyveck_chknorm(ml_dsa_params *params, const polyveck *v, + int32_t bound) { unsigned int i; - for(i = 0; i < params->k; ++i) { - if(ml_dsa_poly_chknorm(&v->vec[i], bound)) { + for (i = 0; i < params->k; ++i) { + if (ml_dsa_poly_chknorm(&v->vec[i], bound)) { return 1; } } 
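Review bot: The reformatted header comment of ml_dsa_polyveck_shiftl now reads `* Description: Multiply vector of polynomials of Length K by 2^D without` followed by ` *modular reduction.`, so the re-wrap merged the continuation into the comment without the usual space after the asterisk; please restore it as ` * modular reduction. Assumes input coefficients to be less than 2^{31-D}.` before the formatting pass lands. Two header comments in this hunk and the next also still describe the wrong function on the new side: the block above ml_dsa_polyveck_uniform_eta is titled `* Name: ml_dsa_polyvecl_uniform_eta`, and the ml_dsa_polyveck_pack_w1 block in the following hunk lists `- const polyvecl *w1` while the parameter is `const polyveck *w1` and, judging by the loop, the output buffer needs params->k * params->poly_w1_packed_bytes bytes rather than the POLYW1_PACKEDBYTES it mentions. These are pre-existing, but since the formatter is rewriting every line of these comments anyway this is the cheapest place to correct the names. The body of ml_dsa_polyveck_chknorm continues past the end of this hunk.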
@@ -431,117 +421,108 @@ int ml_dsa_polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t bo } /************************************************* -* Name: ml_dsa_polyveck_power2round -* -* Description: For all coefficients a of polynomials in vector of length K, -* compute a0, a1 such that a mod^+ Q = a1*2^D + a0 -* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be -* standard representatives. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *v1: pointer to output vector of polynomials with -* coefficients a1 -* - polyveck *v0: pointer to output vector of polynomials with -* coefficients a0 -* - const polyveck *v: pointer to input vector -**************************************************/ -void ml_dsa_polyveck_power2round(ml_dsa_params *params, - polyveck *v1, - polyveck *v0, - const polyveck *v) { + * Name: ml_dsa_polyveck_power2round + * + * Description: For all coefficients a of polynomials in vector of length K, + * compute a0, a1 such that a mod^+ Q = a1*2^D + a0 + * with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be + * standard representatives. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *v1: pointer to output vector of polynomials with + * coefficients a1 + * - polyveck *v0: pointer to output vector of polynomials with + * coefficients a0 + * - const polyveck *v: pointer to input vector + **************************************************/ +void ml_dsa_polyveck_power2round(ml_dsa_params *params, polyveck *v1, + polyveck *v0, const polyveck *v) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyveck_decompose -* -* Description: For all coefficients a of polynomials in vector of length K, -* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0 -* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we -* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0. -* Assumes coefficients to be standard representatives. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *v1: pointer to output vector of polynomials with -* coefficients a1 -* - polyveck *v0: pointer to output vector of polynomials with -* coefficients a0 -* - const polyveck *v: pointer to input vector -**************************************************/ -void ml_dsa_polyveck_decompose(ml_dsa_params *params, - polyveck *v1, - polyveck *v0, - const polyveck *v) { + * Name: ml_dsa_polyveck_decompose + * + * Description: For all coefficients a of polynomials in vector of length K, + * compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0 + * with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we + * set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0. + * Assumes coefficients to be standard representatives. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *v1: pointer to output vector of polynomials with + * coefficients a1 + * - polyveck *v0: pointer to output vector of polynomials with + * coefficients a0 + * - const polyveck *v: pointer to input vector + **************************************************/ +void ml_dsa_polyveck_decompose(ml_dsa_params *params, polyveck *v1, + polyveck *v0, const polyveck *v) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_poly_decompose(params, &v1->vec[i], &v0->vec[i], &v->vec[i]); } } /************************************************* -* Name: ml_dsa_polyveck_make_hint -* -* Description: Compute hint vector. -* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *h: pointer to output vector -* - const polyveck *v0: pointer to low part of input vector -* - const polyveck *v1: pointer to high part of input vector -* -* Returns number of 1 bits. -**************************************************/ -unsigned int ml_dsa_polyveck_make_hint(ml_dsa_params *params, - polyveck *h, - const polyveck *v0, - const polyveck *v1) -{ + * Name: ml_dsa_polyveck_make_hint + * + * Description: Compute hint vector. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *h: pointer to output vector + * - const polyveck *v0: pointer to low part of input vector + * - const polyveck *v1: pointer to high part of input vector + * + * Returns number of 1 bits. + **************************************************/ +unsigned int ml_dsa_polyveck_make_hint(ml_dsa_params *params, polyveck *h, + const polyveck *v0, const polyveck *v1) { unsigned int i, s = 0; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { s += ml_dsa_poly_make_hint(params, &h->vec[i], &v0->vec[i], &v1->vec[i]); } return s; } /************************************************* -* Name: ml_dsa_polyveck_use_hint -* -* Description: Use hint vector to correct the high bits of input vector. 
-* -* Arguments: - ml_dsa_params: parameter struct -* - polyveck *w: pointer to output vector of polynomials with -* corrected high bits -* - const polyveck *u: pointer to input vector -* - const polyveck *h: pointer to input hint vector -**************************************************/ -void ml_dsa_polyveck_use_hint(ml_dsa_params *params, - polyveck *w, - const polyveck *u, - const polyveck *h) { + * Name: ml_dsa_polyveck_use_hint + * + * Description: Use hint vector to correct the high bits of input vector. + * + * Arguments: - ml_dsa_params: parameter struct + * - polyveck *w: pointer to output vector of polynomials with + * corrected high bits + * - const polyveck *u: pointer to input vector + * - const polyveck *h: pointer to input hint vector + **************************************************/ +void ml_dsa_polyveck_use_hint(ml_dsa_params *params, polyveck *w, + const polyveck *u, const polyveck *h) { unsigned int i; - for(i = 0; i < params->k; ++i) { + for (i = 0; i < params->k; ++i) { ml_dsa_poly_use_hint(params, &w->vec[i], &u->vec[i], &h->vec[i]); } } /************************************************* -* Name: ml_dsa_polyveck_pack_w1 -* -* Description: FIPS 204: Algorithm 28 w1Encode. -* Encodes a polynomial vector |w1| into a byte string. -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t *r: pointer to output byte array with at least -* POLYW1_PACKEDBYTES bytes -* - const polyvecl *w1: pointer to vector w1 -**************************************************/ -void ml_dsa_polyveck_pack_w1(ml_dsa_params *params, - uint8_t *r, + * Name: ml_dsa_polyveck_pack_w1 + * + * Description: FIPS 204: Algorithm 28 w1Encode. + * Encodes a polynomial vector |w1| into a byte string. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t *r: pointer to output byte array with at least + * POLYW1_PACKEDBYTES bytes + * - const polyvecl *w1: pointer to vector w1 + **************************************************/ +void ml_dsa_polyveck_pack_w1(ml_dsa_params *params, uint8_t *r, const polyveck *w1) { unsigned int i; - for(i = 0; i < params->k; ++i) { - ml_dsa_polyw1_pack(params, &r[i*params->poly_w1_packed_bytes], &w1->vec[i]); + for (i = 0; i < params->k; ++i) { + ml_dsa_polyw1_pack(params, &r[i * params->poly_w1_packed_bytes], + &w1->vec[i]); } } diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/polyvec.h b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/polyvec.h index dccf6b976e..3bb58271ed 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/polyvec.h +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/polyvec.h @@ -10,22 +10,18 @@ typedef struct { ml_dsa_poly vec[ML_DSA_L_MAX]; } polyvecl; -void ml_dsa_polyvecl_uniform_eta(ml_dsa_params *params, - polyvecl *v, +void ml_dsa_polyvecl_uniform_eta(ml_dsa_params *params, polyvecl *v, const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce); -void ml_dsa_polyvecl_uniform_gamma1(ml_dsa_params *params, - polyvecl *v, +void ml_dsa_polyvecl_uniform_gamma1(ml_dsa_params *params, polyvecl *v, const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce); void ml_dsa_polyvecl_reduce(ml_dsa_params *params, polyvecl *v); -void ml_dsa_polyvecl_add(ml_dsa_params *params, - polyvecl *w, - const polyvecl *u, - const polyvecl *v); +void ml_dsa_polyvecl_add(ml_dsa_params *params, polyvecl *w, const polyvecl *u, + const polyvecl *v); void ml_dsa_polyvecl_ntt(ml_dsa_params *params, polyvecl *v); 
@@ -37,18 +33,17 @@ void ml_dsa_polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, const polyvecl *v); void ml_dsa_polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, - ml_dsa_poly *w, - const polyvecl *u, + ml_dsa_poly *w, const polyvecl *u, const polyvecl *v); -int ml_dsa_polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t B); +int ml_dsa_polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, + int32_t B); typedef struct { ml_dsa_poly vec[ML_DSA_K_MAX]; } polyveck; -void ml_dsa_polyveck_uniform_eta(ml_dsa_params *params, - polyveck *v, +void ml_dsa_polyveck_uniform_eta(ml_dsa_params *params, polyveck *v, const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce); @@ -56,15 +51,11 @@ void ml_dsa_polyveck_reduce(ml_dsa_params *params, polyveck *v); void ml_dsa_polyveck_caddq(ml_dsa_params *params, polyveck *v); -void ml_dsa_polyveck_add(ml_dsa_params *params, - polyveck *w, - const polyveck *u, +void ml_dsa_polyveck_add(ml_dsa_params *params, polyveck *w, const polyveck *u, const polyveck *v); -void ml_dsa_polyveck_sub(ml_dsa_params *params, - polyveck *w, - const polyveck *u, - const polyveck *v); +void ml_dsa_polyveck_sub(ml_dsa_params *params, polyveck *w, const polyveck *u, + const polyveck *v); void ml_dsa_polyveck_shiftl(ml_dsa_params *params, polyveck *v); 
@@ -77,34 +68,25 @@ void ml_dsa_polyveck_pointwise_poly_montgomery(ml_dsa_params *params, const ml_dsa_poly *a, const polyveck *v); -int ml_dsa_polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t B); +int ml_dsa_polyveck_chknorm(ml_dsa_params *params, const polyveck *v, + int32_t B); -void ml_dsa_polyveck_power2round(ml_dsa_params *params, - polyveck *v1, - polyveck *v0, - const polyveck *v); +void ml_dsa_polyveck_power2round(ml_dsa_params *params, polyveck *v1, + polyveck *v0, const polyveck *v); -void ml_dsa_polyveck_decompose(ml_dsa_params *params, - polyveck *v1, - polyveck *v0, - const polyveck *v); +void ml_dsa_polyveck_decompose(ml_dsa_params *params, polyveck *v1, + polyveck *v0, const polyveck *v); -unsigned int ml_dsa_polyveck_make_hint(ml_dsa_params *params, - polyveck *h, - const polyveck *v0, - const polyveck *v1); +unsigned int ml_dsa_polyveck_make_hint(ml_dsa_params *params, polyveck *h, + const polyveck *v0, const polyveck *v1); -void ml_dsa_polyveck_use_hint(ml_dsa_params *params, - polyveck *w, - const polyveck *v, - const polyveck *h); +void ml_dsa_polyveck_use_hint(ml_dsa_params *params, polyveck *w, + const polyveck *v, const polyveck *h); -void ml_dsa_polyveck_pack_w1(ml_dsa_params *params, - uint8_t *r, +void ml_dsa_polyveck_pack_w1(ml_dsa_params *params, uint8_t *r, const polyveck *w1); -void ml_dsa_polyvec_matrix_expand(ml_dsa_params *params, - polyvecl *mat, +void ml_dsa_polyvec_matrix_expand(ml_dsa_params *params, polyvecl *mat, const uint8_t rho[ML_DSA_SEEDBYTES]); void ml_dsa_polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/reduce.c b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/reduce.c index 5a1eee8fd6..0c39992c6c 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/reduce.c +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/reduce.c 
@@ -1,39 +1,39 @@ +#include "reduce.h" #include #include "params.h" -#include "reduce.h" /************************************************* -* Name: ml_dsa_fqmul -* -* Description: Multiplication followed by Montgomery reduction -* For finite field element a with -2^{31}Q <= a <= Q*2^31, -* compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q. -* -* Arguments: - int32_t a: first factor -* - int32_t b: second factor -* -* Returns r. -**************************************************/ + * Name: ml_dsa_fqmul + * + * Description: Multiplication followed by Montgomery reduction + * For finite field element a with -2^{31}Q <= a <= Q*2^31, + * compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q. + * + * Arguments: - int32_t a: first factor + * - int32_t b: second factor + * + * Returns r. + **************************************************/ int64_t ml_dsa_fqmul(int32_t a, int32_t b) { int64_t s; int32_t t; - s = (int64_t)a*b; + s = (int64_t)a * b; t = (int64_t)(int32_t)s * ML_DSA_QINV; t = (s - (int64_t)t * ML_DSA_Q) >> 32; return t; } /************************************************* -* Name: ml_dsa_reduce32 -* -* Description: For finite field element a with a <= 2^{31} - 2^{22} - 1, -* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283008. -* -* Arguments: - int32_t: finite field element a -* -* Returns r. -**************************************************/ + * Name: ml_dsa_reduce32 + * + * Description: For finite field element a with a <= 2^{31} - 2^{22} - 1, + * compute r \equiv a (mod Q) such that -6283009 <= r <= 6283008. + * + * Arguments: - int32_t: finite field element a + * + * Returns r. + **************************************************/ int32_t ml_dsa_reduce32(int32_t a) { int32_t t; 
@@ -43,29 +43,29 @@ int32_t ml_dsa_reduce32(int32_t a) { } /************************************************* -* Name: ml_dsa_caddq -* -* Description: Add Q if input coefficient is negative. -* -* Arguments: - int32_t: finite field element a -* -* Returns r. -**************************************************/ + * Name: ml_dsa_caddq + * + * Description: Add Q if input coefficient is negative. + * + * Arguments: - int32_t: finite field element a + * + * Returns r. + **************************************************/ int32_t ml_dsa_caddq(int32_t a) { a += (a >> 31) & ML_DSA_Q; return a; } /************************************************* -* Name: ml_dsa_freeze -* -* Description: For finite field element a, compute standard -* representative r = a mod^+ Q. -* -* Arguments: - int32_t: finite field element a -* -* Returns r. -**************************************************/ + * Name: ml_dsa_freeze + * + * Description: For finite field element a, compute standard + * representative r = a mod^+ Q. + * + * Arguments: - int32_t: finite field element a + * + * Returns r. + **************************************************/ int32_t ml_dsa_freeze(int32_t a) { a = ml_dsa_reduce32(a); a = ml_dsa_caddq(a); diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/reduce.h b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/reduce.h index ab52ff3488..25f27cdcd8 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/reduce.h +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/reduce.h @@ -4,7 +4,7 @@ #include #include "params.h" -#define ML_DSA_QINV 58728449 // q^(-1) mod 2^32 +#define ML_DSA_QINV 58728449 // q^(-1) mod 2^32 int64_t ml_dsa_fqmul(int32_t a, int32_t b); diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/rounding.c b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/rounding.c index d087520812..2bb46145ac 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/rounding.c +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/rounding.c 
@@ -1,120 +1,118 @@ +#include "rounding.h" #include #include "params.h" -#include "rounding.h" /************************************************* -* Name: ml_dsa_power2round -* -* Description: FIPS 204: Algorithm 35. -* For finite field element a, compute a0, a1 such that -* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}. -* Assumes a to be standard representative. -* -* Arguments: - int32_t a: input element -* - int32_t *a0: pointer to output element a0 -* -* Returns a1. -**************************************************/ -int32_t ml_dsa_power2round(int32_t *a0, int32_t a) { + * Name: ml_dsa_power2round + * + * Description: FIPS 204: Algorithm 35. + * For finite field element a, compute a0, a1 such that + * a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}. + * Assumes a to be standard representative. + * + * Arguments: - int32_t a: input element + * - int32_t *a0: pointer to output element a0 + * + * Returns a1. + **************************************************/ +int32_t ml_dsa_power2round(int32_t *a0, int32_t a) { int32_t a1; - a1 = (a + (1 << (ML_DSA_D-1)) - 1) >> ML_DSA_D; + a1 = (a + (1 << (ML_DSA_D - 1)) - 1) >> ML_DSA_D; *a0 = a - (a1 << ML_DSA_D); return a1; } /************************************************* -* Name: ml_dsa_decompose -* -* Description: FIPS 204: Algorithm 36. -* For finite field element a, compute high and low bits a0, a1 such -* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except -* if a1 = (Q-1)/ALPHA where we set a1 = 0 and -* -ALPHA/2 <= a0 = a mod^+ Q - Q < 0. Assumes a to be standard -* representative. -* -* Arguments: - ml_dsa_params: parameter struct -* - int32_t a: input element -* - int32_t *a0: pointer to output element a0 -* -* Returns a1. -**************************************************/ + * Name: ml_dsa_decompose + * + * Description: FIPS 204: Algorithm 36. 
+ * For finite field element a, compute high and low bits a0, a1 + *such that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except if a1 + *= (Q-1)/ALPHA where we set a1 = 0 and -ALPHA/2 <= a0 = a mod^+ Q - Q < 0. + *Assumes a to be standard representative. + * + * Arguments: - ml_dsa_params: parameter struct + * - int32_t a: input element + * - int32_t *a0: pointer to output element a0 + * + * Returns a1. + **************************************************/ int32_t ml_dsa_decompose(ml_dsa_params *params, int32_t *a0, int32_t a) { - assert((params->gamma2 == (ML_DSA_Q-1)/32) || (params->gamma2 == (ML_DSA_Q-1)/88)); + assert((params->gamma2 == (ML_DSA_Q - 1) / 32) || + (params->gamma2 == (ML_DSA_Q - 1) / 88)); int32_t a1; - a1 = (a + 127) >> 7; - if (params->gamma2 == (ML_DSA_Q-1)/32) { - a1 = (a1*1025 + (1 << 21)) >> 22; + a1 = (a + 127) >> 7; + if (params->gamma2 == (ML_DSA_Q - 1) / 32) { + a1 = (a1 * 1025 + (1 << 21)) >> 22; a1 &= 15; } - if (params->gamma2 == (ML_DSA_Q-1)/88) { - a1 = (a1*11275 + (1 << 23)) >> 24; + if (params->gamma2 == (ML_DSA_Q - 1) / 88) { + a1 = (a1 * 11275 + (1 << 23)) >> 24; a1 ^= ((43 - a1) >> 31) & a1; } - *a0 = a - a1*2*params->gamma2; - *a0 -= (((ML_DSA_Q-1)/2 - *a0) >> 31) & ML_DSA_Q; + *a0 = a - a1 * 2 * params->gamma2; + *a0 -= (((ML_DSA_Q - 1) / 2 - *a0) >> 31) & ML_DSA_Q; return a1; } /************************************************* -* Name: ml_dsa_make_hint -* -* Description: FIPS 204: Algorithm 39 MakeHint. -* Compute hint bit indicating whether the low bits of the -* input element overflow into the high bits. -* -* Arguments: - ml_dsa_params: parameter struct -* - int32_t a0: low bits of input element -* - int32_t a1: high bits of input element -* -* Returns 1 if overflow. -**************************************************/ + * Name: ml_dsa_make_hint + * + * Description: FIPS 204: Algorithm 39 MakeHint. + * Compute hint bit indicating whether the low bits of the + * input element overflow into the high bits. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - int32_t a0: low bits of input element + * - int32_t a1: high bits of input element + * + * Returns 1 if overflow. + **************************************************/ unsigned int ml_dsa_make_hint(ml_dsa_params *params, int32_t a0, int32_t a1) { - if(a0 > (params->gamma2) || a0 < -(params->gamma2) || - (a0 == -(params->gamma2) && a1 != 0)) { + if (a0 > (params->gamma2) || a0 < -(params->gamma2) || + (a0 == -(params->gamma2) && a1 != 0)) { return 1; } return 0; } /************************************************* -* Name: ml_dsa_use_hint -* -* Description: FIPS 204: Algorithm 40 UseHint. -* Correct high bits according to hint. -* -* Arguments: - ml_dsa_params: parameter struct -* - int32_t a: input element -* - unsigned int hint: hint bit -* -* Returns corrected high bits. -**************************************************/ + * Name: ml_dsa_use_hint + * + * Description: FIPS 204: Algorithm 40 UseHint. + * Correct high bits according to hint. + * + * Arguments: - ml_dsa_params: parameter struct + * - int32_t a: input element + * - unsigned int hint: hint bit + * + * Returns corrected high bits. + **************************************************/ int32_t ml_dsa_use_hint(ml_dsa_params *params, int32_t a, unsigned int hint) { int32_t a0, a1; - assert((params->gamma2 == (ML_DSA_Q-1)/32) || (params->gamma2 == (ML_DSA_Q-1)/88)); + assert((params->gamma2 == (ML_DSA_Q - 1) / 32) || + (params->gamma2 == (ML_DSA_Q - 1) / 88)); a1 = ml_dsa_decompose(params, &a0, a); - if(hint == 0) { + if (hint == 0) { return a1; } - if (params->gamma2 == (ML_DSA_Q-1)/32) { - if(a0 > 0) { + if (params->gamma2 == (ML_DSA_Q - 1) / 32) { + if (a0 > 0) { return (a1 + 1) & 15; - } - else { + } else { return (a1 - 1) & 15; } - } - else { - if(a0 > 0) { - return (a1 == 43) ? 0 : a1 + 1; - } - else { - return (a1 == 0) ? 43 : a1 - 1; + } else { + if (a0 > 0) { + return (a1 == 43) ? 0 : a1 + 1; + } else { + return (a1 == 0) ? 
43 : a1 - 1; } } } diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c index c0474c5b33..8953df14a3 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c @@ -10,7 +10,8 @@ #if defined(AWSLC_FIPS) /************************************************* - * [FIPS 140-3 IG](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf) + * [FIPS 140-3 + *IG](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf) * * VE10.35.02: Pair-wise Consistency Test (PCT) for DSA keypairs * @@ -21,20 +22,20 @@ * * Note: FIPS 204 requires that public/private key pairs are to be used only for * the calculation and/of verification of digital signatures. -**************************************************/ -static int ml_dsa_keypair_pct(ml_dsa_params *params, - uint8_t *pk, - uint8_t *sk) { + **************************************************/ +static int ml_dsa_keypair_pct(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { uint8_t message[1] = {0}; uint8_t signature[MLDSA87_SIGNATURE_BYTES]; - int ret = ml_dsa_sign(params, signature, ¶ms->bytes, message, sizeof(message), NULL, 0, sk); + int ret = ml_dsa_sign(params, signature, ¶ms->bytes, message, + sizeof(message), NULL, 0, sk); if (ret < 0) { return 0; } if (boringssl_fips_break_test("MLDSA_PWCT")) { message[0] = ~message[0]; } - return ml_dsa_verify(params, signature, params->bytes, message, sizeof(message), NULL, 0, pk) == 0; + return ml_dsa_verify(params, signature, params->bytes, message, + sizeof(message), NULL, 0, pk) == 0; } #endif 
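Review bot: The reflowed banner comment for ml_dsa_decompose now has continuation lines that begin `*such that`, `*= (Q-1)/ALPHA` and `*Assumes`, with no space after the asterisk and the text no longer aligned under "Description:", so the formatter has made the FIPS 204 Algorithm 36 description harder to read rather than easier. The same artifact appears in sign.c in the FIPS 140-3 IG link comment (`*IG](`) and in the headers of ml_dsa_sign_internal, ml_dsa_sign, ml_dsa_extmu_sign and ml_dsa_verify_internal (`*CRYPTO_BYTES)`, `*as mu`). I would rewrap those lines by hand so each continuation keeps the aligned ` *              ` prefix, e.g. ` *              For finite field element a, compute high and low bits a0, a1` / ` *              such that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2`. Wrapping these banner blocks in `// clang-format off` / `// clang-format on` would keep the next formatting run from undoing the manual layout.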
@@ -53,9 +54,7 @@ static int ml_dsa_keypair_pct(ml_dsa_params *params, * * Returns 0 (success) -1 on failure or abort depending on FIPS mode **************************************************/ -int ml_dsa_keypair_internal(ml_dsa_params *params, - uint8_t *pk, - uint8_t *sk, +int ml_dsa_keypair_internal(ml_dsa_params *params, uint8_t *pk, uint8_t *sk, const uint8_t *seed) { uint8_t seedbuf[2 * ML_DSA_SEEDBYTES + ML_DSA_CRHBYTES]; uint8_t tr[ML_DSA_TRBYTES]; @@ -68,7 +67,8 @@ int ml_dsa_keypair_internal(ml_dsa_params *params, OPENSSL_memcpy(seedbuf, seed, ML_DSA_SEEDBYTES); seedbuf[ML_DSA_SEEDBYTES + 0] = params->k; seedbuf[ML_DSA_SEEDBYTES + 1] = params->l; - SHAKE256(seedbuf, ML_DSA_SEEDBYTES + 2, seedbuf, 2 * ML_DSA_SEEDBYTES + ML_DSA_CRHBYTES); + SHAKE256(seedbuf, ML_DSA_SEEDBYTES + 2, seedbuf, + 2 * ML_DSA_SEEDBYTES + ML_DSA_CRHBYTES); rho = seedbuf; rhoprime = rho + ML_DSA_SEEDBYTES; key = rhoprime + ML_DSA_CRHBYTES; 
@@ -121,19 +121,19 @@ int ml_dsa_keypair_internal(ml_dsa_params *params, } /************************************************* -* Name: ml_dsa_keypair -* -* Description: FIPS 204: Algorithm 1 ML-DSA.KeyGen -* Generates public and private key. -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t *pk: pointer to output public key (allocated -* array of CRYPTO_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key (allocated -* array of CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -1 on failure -**************************************************/ + * Name: ml_dsa_keypair + * + * Description: FIPS 204: Algorithm 1 ML-DSA.KeyGen + * Generates public and private key. + * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t *pk: pointer to output public key (allocated + * array of CRYPTO_PUBLICKEYBYTES bytes) + * - uint8_t *sk: pointer to output private key (allocated + * array of CRYPTO_SECRETKEYBYTES bytes) + * + * Returns 0 (success) -1 on failure + **************************************************/ int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { uint8_t seed[ML_DSA_SEEDBYTES]; if (!RAND_bytes(seed, ML_DSA_SEEDBYTES)) { 
@@ -145,37 +145,32 @@ int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { } /************************************************* -* Name: ml_dsa_sign_internal -* -* Description: FIPS 204: Algorithm 7 ML-DSA.Sign_internal. -* Computes signature. Internal API. -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES) -* - size_t *siglen: pointer to output length of signature -* - uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - uint8_t *pre: pointer to prefix string -* - size_t prelen: length of prefix string -* - uint8_t *rnd: pointer to random seed -* - uint8_t *sk: pointer to bit-packed secret key -* - int external_mu: indicates input message m is to be processed as mu -* -* Returns 0 (success) or -1 (context string too long) -**************************************************/ -int ml_dsa_sign_internal(ml_dsa_params *params, - uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *pre, - size_t prelen, - const uint8_t *rnd, - const uint8_t *sk, - int external_mu) -{ + * Name: ml_dsa_sign_internal + * + * Description: FIPS 204: Algorithm 7 ML-DSA.Sign_internal. + * Computes signature. Internal API. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t *sig: pointer to output signature (of length + *CRYPTO_BYTES) + * - size_t *siglen: pointer to output length of signature + * - uint8_t *m: pointer to message to be signed + * - size_t mlen: length of message + * - uint8_t *pre: pointer to prefix string + * - size_t prelen: length of prefix string + * - uint8_t *rnd: pointer to random seed + * - uint8_t *sk: pointer to bit-packed secret key + * - int external_mu: indicates input message m is to be processed + *as mu + * + * Returns 0 (success) or -1 (context string too long) + **************************************************/ +int ml_dsa_sign_internal(ml_dsa_params *params, uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, const uint8_t *pre, + size_t prelen, const uint8_t *rnd, const uint8_t *sk, + int external_mu) { unsigned int n; - uint8_t seedbuf[2*ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + 2*ML_DSA_CRHBYTES]; + uint8_t seedbuf[2 * ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + 2 * ML_DSA_CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint16_t nonce = 0; polyvecl mat[ML_DSA_K_MAX], s1, y, z; @@ -196,14 +191,13 @@ int ml_dsa_sign_internal(ml_dsa_params *params, // processing of M' in the external function. However, as M' = (pre, msg), // mu = CRH(tr, M') = CRH(tr, pre, msg). if (!external_mu) { - //constuct mu = h(tr | m') when not in prehash mode + // constuct mu = h(tr | m') when not in prehash mode SHAKE_Init(&state, SHAKE256_BLOCKSIZE); SHA3_Update(&state, tr, ML_DSA_TRBYTES); SHA3_Update(&state, pre, prelen); SHA3_Update(&state, m, mlen); SHAKE_Final(mu, &state, ML_DSA_CRHBYTES); - } - else { + } else { OPENSSL_memcpy(mu, m, mlen); } 
@@ -248,17 +242,17 @@ int ml_dsa_sign_internal(ml_dsa_params *params, ml_dsa_polyvecl_invntt_tomont(params, &z); ml_dsa_polyvecl_add(params, &z, &z, &y); ml_dsa_polyvecl_reduce(params, &z); - if(ml_dsa_polyvecl_chknorm(params, &z, params->gamma1 - params->beta)) { + if (ml_dsa_polyvecl_chknorm(params, &z, params->gamma1 - params->beta)) { goto rej; } - /* FIPS 204: line 21 Check that subtracting cs2 does not change high bits of w and low bits - * do not reveal secret information */ + /* FIPS 204: line 21 Check that subtracting cs2 does not change high bits of w + * and low bits do not reveal secret information */ ml_dsa_polyveck_pointwise_poly_montgomery(params, &h, &cp, &s2); ml_dsa_polyveck_invntt_tomont(params, &h); ml_dsa_polyveck_sub(params, &w0, &w0, &h); ml_dsa_polyveck_reduce(params, &w0); - if(ml_dsa_polyveck_chknorm(params, &w0, params->gamma2 - params->beta)) { + if (ml_dsa_polyveck_chknorm(params, &w0, params->gamma2 - params->beta)) { goto rej; } @@ -266,14 +260,14 @@ int ml_dsa_sign_internal(ml_dsa_params *params, ml_dsa_polyveck_pointwise_poly_montgomery(params, &h, &cp, &t0); ml_dsa_polyveck_invntt_tomont(params, &h); ml_dsa_polyveck_reduce(params, &h); - if(ml_dsa_polyveck_chknorm(params, &h, params->gamma2)) { + if (ml_dsa_polyveck_chknorm(params, &h, params->gamma2)) { goto rej; } /* FIPS 204: line 26 Compute signer's hint */ ml_dsa_polyveck_add(params, &w0, &w0, &h); n = ml_dsa_polyveck_make_hint(params, &h, &w0, &w1); - if(n > params->omega) { + if (n > params->omega) { goto rej; } 
@@ -299,45 +293,41 @@ int ml_dsa_sign_internal(ml_dsa_params *params, } /************************************************* -* Name: ml_dsa_sign -* -* Description: FIPS 204: Algorithm 2 ML-DSA.Sign. -* Computes signature in hedged mode. -* -* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES) -* - size_t *siglen: pointer to output length of signature -* - uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - uint8_t *ctx: pointer to contex string -* - size_t ctxlen: length of contex string -* - uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) or -1 (context string too long) -**************************************************/ -int ml_dsa_sign(ml_dsa_params *params, - uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *sk) -{ + * Name: ml_dsa_sign + * + * Description: FIPS 204: Algorithm 2 ML-DSA.Sign. + * Computes signature in hedged mode. 
+ * + * Arguments: - uint8_t *sig: pointer to output signature (of length + *CRYPTO_BYTES) + * - size_t *siglen: pointer to output length of signature + * - uint8_t *m: pointer to message to be signed + * - size_t mlen: length of message + * - uint8_t *ctx: pointer to contex string + * - size_t ctxlen: length of contex string + * - uint8_t *sk: pointer to bit-packed secret key + * + * Returns 0 (success) or -1 (context string too long) + **************************************************/ +int ml_dsa_sign(ml_dsa_params *params, uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, const uint8_t *ctx, + size_t ctxlen, const uint8_t *sk) { uint8_t pre[257]; uint8_t rnd[ML_DSA_RNDBYTES]; - if(ctxlen > 255) { + if (ctxlen > 255) { return -1; } /* Prepare pre = (0, ctxlen, ctx) */ pre[0] = 0; pre[1] = ctxlen; - OPENSSL_memcpy(pre + 2 , ctx, ctxlen); + OPENSSL_memcpy(pre + 2, ctx, ctxlen); if (!RAND_bytes(rnd, ML_DSA_RNDBYTES)) { return -1; } - ml_dsa_sign_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk, 0); + ml_dsa_sign_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk, + 0); /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(pre, sizeof(pre)); 
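Review bot: The reformatted call `ml_dsa_sign_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk, 0);` in ml_dsa_sign still discards the callee's status, so a caller would be told the signing succeeded even if ml_dsa_sign_internal ever reported failure and left `sig` unset. Today the only documented failure of the internal routine is the context-length check, which this function performs itself, so the gap is latent rather than live, but capturing it is cheap: `int ret = ml_dsa_sign_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk, 0);` and returning `ret` once the intermediate buffers have been cleansed. The tail of ml_dsa_sign, including its return statement, lies outside this hunk, so I cannot tell from here what the function currently returns. On another touched line, `pre[1] = ctxlen;` narrows a size_t to uint8_t implicitly; the preceding `ctxlen > 255` guard makes it safe, and an explicit `pre[1] = (uint8_t)ctxlen;` would document that the guard is what makes the narrowing valid.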
@@ -346,26 +336,22 @@ int ml_dsa_sign(ml_dsa_params *params, } /************************************************* -* Name: ml_dsa_extmu_sign -* -* Description: FIPS 204: Algorithm 2 ML-DSA.Sign external mu variant. -* Computes signature in hedged mode. -* -* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES) -* - size_t *siglen: pointer to output length of signature -* - uint8_t *mu: pointer to input mu to be signed -* - size_t mulen: length of mu -* - uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) or -1 (context string too long) -**************************************************/ -int ml_dsa_extmu_sign(ml_dsa_params *params, - uint8_t *sig, - size_t *siglen, - const uint8_t *mu, - size_t mulen, - const uint8_t *sk) -{ + * Name: ml_dsa_extmu_sign + * + * Description: FIPS 204: Algorithm 2 ML-DSA.Sign external mu variant. + * Computes signature in hedged mode. + * + * Arguments: - uint8_t *sig: pointer to output signature (of length + *CRYPTO_BYTES) + * - size_t *siglen: pointer to output length of signature + * - uint8_t *mu: pointer to input mu to be signed + * - size_t mulen: length of mu + * - uint8_t *sk: pointer to bit-packed secret key + * + * Returns 0 (success) or -1 (context string too long) + **************************************************/ +int ml_dsa_extmu_sign(ml_dsa_params *params, uint8_t *sig, size_t *siglen, + const uint8_t *mu, size_t mulen, const uint8_t *sk) { uint8_t rnd[ML_DSA_RNDBYTES]; if (!RAND_bytes(rnd, ML_DSA_RNDBYTES)) { 
@@ -379,74 +365,64 @@ int ml_dsa_extmu_sign(ml_dsa_params *params, } /************************************************* -* Name: ml_dsa_sign_message -* -* Description: Compute signed message. -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t *sm: pointer to output signed message (allocated -* array with CRYPTO_BYTES + mlen bytes), -* can be equal to m -* - size_t *smlen: pointer to output length of signed -* message -* - const uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - const uint8_t *ctx: pointer to context string -* - size_t ctxlen: length of context string -* - const uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) or -1 (context string too long) -**************************************************/ -int ml_dsa_sign_message(ml_dsa_params *params, - uint8_t *sm, - size_t *smlen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *sk) -{ + * Name: ml_dsa_sign_message + * + * Description: Compute signed message. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t *sm: pointer to output signed message (allocated + * array with CRYPTO_BYTES + mlen bytes), + * can be equal to m + * - size_t *smlen: pointer to output length of signed + * message + * - const uint8_t *m: pointer to message to be signed + * - size_t mlen: length of message + * - const uint8_t *ctx: pointer to context string + * - size_t ctxlen: length of context string + * - const uint8_t *sk: pointer to bit-packed secret key + * + * Returns 0 (success) or -1 (context string too long) + **************************************************/ +int ml_dsa_sign_message(ml_dsa_params *params, uint8_t *sm, size_t *smlen, + const uint8_t *m, size_t mlen, const uint8_t *ctx, + size_t ctxlen, const uint8_t *sk) { int ret; size_t i; - for(i = 0; i < mlen; ++i) { + for (i = 0; i < mlen; ++i) { sm[params->bytes + mlen - 1 - i] = m[mlen - 1 - i]; } - ret = ml_dsa_sign(params, sm, smlen, sm + params->bytes, mlen, ctx, ctxlen, sk); + ret = + ml_dsa_sign(params, sm, smlen, sm + params->bytes, mlen, ctx, ctxlen, sk); *smlen += mlen; return ret; } /************************************************* -* Name: ml_dsa_verify_internal -* -* Description: FIPS 204: Algorithm 8 ML-DSA.Verify_internal. -* Verifies signature. Internal API. 
-* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t *m: pointer to input signature -* - size_t siglen: length of signature -* - const uint8_t *m: pointer to message -* - size_t mlen: length of message -* - const uint8_t *pre: pointer to prefix string -* - size_t prelen: length of prefix string -* - const uint8_t *pk: pointer to bit-packed public key -* - int external_mu: indicates input message m is to be processed as mu -* -* Returns 0 if signature could be verified correctly and -1 otherwise -**************************************************/ -int ml_dsa_verify_internal(ml_dsa_params *params, - const uint8_t *sig, - size_t siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *pre, - size_t prelen, - const uint8_t *pk, - int external_mu) -{ + * Name: ml_dsa_verify_internal + * + * Description: FIPS 204: Algorithm 8 ML-DSA.Verify_internal. + * Verifies signature. Internal API. + * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t *m: pointer to input signature + * - size_t siglen: length of signature + * - const uint8_t *m: pointer to message + * - size_t mlen: length of message + * - const uint8_t *pre: pointer to prefix string + * - size_t prelen: length of prefix string + * - const uint8_t *pk: pointer to bit-packed public key + * - int external_mu: indicates input message m is to be processed + *as mu + * + * Returns 0 if signature could be verified correctly and -1 otherwise + **************************************************/ +int ml_dsa_verify_internal(ml_dsa_params *params, const uint8_t *sig, + size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *pre, size_t prelen, const uint8_t *pk, + int external_mu) { unsigned int i; - uint8_t buf[ML_DSA_K_MAX*ML_DSA_POLYW1_PACKEDBYTES_MAX]; + uint8_t buf[ML_DSA_K_MAX * ML_DSA_POLYW1_PACKEDBYTES_MAX]; uint8_t rho[ML_DSA_SEEDBYTES]; uint8_t mu[ML_DSA_CRHBYTES]; uint8_t tr[ML_DSA_TRBYTES]; 
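Review bot: The reformatted argument list for ml_dsa_verify_internal still documents the signature parameter as `uint8_t *m: pointer to input signature`, so the comment names `m` twice and never mentions `sig`; the line should read ` *              - const uint8_t *sig: pointer to input signature`. The same mistake is carried over into the ml_dsa_verify header in the next hunk of this file. While these banners are being touched, the typos that survive the reflow could go too: `constuct` in the ml_dsa_sign_internal body comment, `contex string` (twice) in the ml_dsa_sign header, and `context tring` in the ml_dsa_verify_message header.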
@@ -457,20 +433,20 @@ int ml_dsa_verify_internal(ml_dsa_params *params, polyveck t1, w1, h; KECCAK1600_CTX state; - if(siglen != params->bytes) { + if (siglen != params->bytes) { return -1; } /* FIPS 204: line 1 */ ml_dsa_unpack_pk(params, rho, &t1, pk); /* FIPS 204: line 2 */ - if(ml_dsa_unpack_sig(params, c, &z, &h, sig)) { + if (ml_dsa_unpack_sig(params, c, &z, &h, sig)) { return -1; } - if(ml_dsa_polyvecl_chknorm(params, &z, params->gamma1 - params->beta)) { + if (ml_dsa_polyvecl_chknorm(params, &z, params->gamma1 - params->beta)) { return -1; } - if(!external_mu) { + if (!external_mu) { /* FIPS 204: line 6 Compute tr */ SHAKE256(pk, params->public_key_bytes, tr, ML_DSA_TRBYTES); /* FIPS 204: line 7 Compute mu = H(BytesToBits(tr) || M', 64) */ @@ -481,8 +457,7 @@ int ml_dsa_verify_internal(ml_dsa_params *params, SHA3_Update(&state, pre, prelen); SHA3_Update(&state, m, mlen); SHAKE_Final(mu, &state, ML_DSA_CRHBYTES); - } - else { + } else { OPENSSL_memcpy(mu, m, mlen); } @@ -513,8 +488,8 @@ int ml_dsa_verify_internal(ml_dsa_params *params, SHAKE_Absorb(&state, buf, params->k * params->poly_w1_packed_bytes); SHAKE_Final(c2, &state, params->c_tilde_bytes); - for(i = 0; i < params->c_tilde_bytes; ++i) { - if(c[i] != c2[i]) { + for (i = 0; i < params->c_tilde_bytes; ++i) { + if (c[i] != c2[i]) { return -1; } } 
@@ -536,81 +511,69 @@ int ml_dsa_verify_internal(ml_dsa_params *params, } /************************************************* -* Name: ml_dsa_verify -* -* Description: FIPS 204: Algorithm 3 ML-DSA.Verify. -* Verifies signature. -* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t *m: pointer to input signature -* - size_t siglen: length of signature -* - const uint8_t *m: pointer to message -* - size_t mlen: length of message -* - const uint8_t *ctx: pointer to context string -* - size_t ctxlen: length of context string -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signature could be verified correctly and -1 otherwise -**************************************************/ -int ml_dsa_verify(ml_dsa_params *params, - const uint8_t *sig, - size_t siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *pk) -{ + * Name: ml_dsa_verify + * + * Description: FIPS 204: Algorithm 3 ML-DSA.Verify. + * Verifies signature. 
+ * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t *m: pointer to input signature + * - size_t siglen: length of signature + * - const uint8_t *m: pointer to message + * - size_t mlen: length of message + * - const uint8_t *ctx: pointer to context string + * - size_t ctxlen: length of context string + * - const uint8_t *pk: pointer to bit-packed public key + * + * Returns 0 if signature could be verified correctly and -1 otherwise + **************************************************/ +int ml_dsa_verify(ml_dsa_params *params, const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, const uint8_t *ctx, + size_t ctxlen, const uint8_t *pk) { uint8_t pre[257]; - if(ctxlen > 255) { + if (ctxlen > 255) { return -1; } pre[0] = 0; pre[1] = ctxlen; - OPENSSL_memcpy(pre + 2 , ctx, ctxlen); - return ml_dsa_verify_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, pk, 0); + OPENSSL_memcpy(pre + 2, ctx, ctxlen); + return ml_dsa_verify_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, + pk, 0); } /************************************************* -* Name: ml_dsa_verify_message -* -* Description: Verify signed message. 
-* -* Arguments: - ml_dsa_params: parameter struct -* - uint8_t *m: pointer to output message (allocated -* array with smlen bytes), can be equal to sm -* - size_t *mlen: pointer to output length of message -* - const uint8_t *sm: pointer to signed message -* - size_t smlen: length of signed message -* - const uint8_t *ctx: pointer to context tring -* - size_t ctxlen: length of context string -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signed message could be verified correctly and -1 otherwise -**************************************************/ -int ml_dsa_verify_message(ml_dsa_params *params, - uint8_t *m, - size_t *mlen, - const uint8_t *sm, - size_t smlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *pk) -{ - - if(smlen < params->bytes) { + * Name: ml_dsa_verify_message + * + * Description: Verify signed message. + * + * Arguments: - ml_dsa_params: parameter struct + * - uint8_t *m: pointer to output message (allocated + * array with smlen bytes), can be equal to sm + * - size_t *mlen: pointer to output length of message + * - const uint8_t *sm: pointer to signed message + * - size_t smlen: length of signed message + * - const uint8_t *ctx: pointer to context tring + * - size_t ctxlen: length of context string + * - const uint8_t *pk: pointer to bit-packed public key + * + * Returns 0 if signed message could be verified correctly and -1 otherwise + **************************************************/ +int ml_dsa_verify_message(ml_dsa_params *params, uint8_t *m, size_t *mlen, + const uint8_t *sm, size_t smlen, const uint8_t *ctx, + size_t ctxlen, const uint8_t *pk) { + if (smlen < params->bytes) { goto badsig; } *mlen = smlen - params->bytes; - if(ml_dsa_verify(params,sm, params->bytes, sm + params->bytes, *mlen, ctx, ctxlen, pk)) { + if (ml_dsa_verify(params, sm, params->bytes, sm + params->bytes, *mlen, ctx, + ctxlen, pk)) { goto badsig; - } - else { + } else { /* All good, copy msg, return 0 */ - for(size_t i = 0; i 
< *mlen; ++i) { + for (size_t i = 0; i < *mlen; ++i) { m[i] = sm[params->bytes + i]; } return 0; @@ -619,7 +582,7 @@ int ml_dsa_verify_message(ml_dsa_params *params, badsig: /* Signature verification failed */ *mlen = 0; - for(size_t i = 0; i < smlen; ++i) { + for (size_t i = 0; i < smlen; ++i) { m[i] = 0; } diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.h b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.h index 6f18bbab8a..e81b597838 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.h +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.h 
@@ -7,53 +7,36 @@ int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk); -int ml_dsa_keypair_internal(ml_dsa_params *params, - uint8_t *pk, - uint8_t *sk, +int ml_dsa_keypair_internal(ml_dsa_params *params, uint8_t *pk, uint8_t *sk, const uint8_t *seed); -int ml_dsa_sign(ml_dsa_params *params, - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *sk); - -int ml_dsa_extmu_sign(ml_dsa_params *params, - uint8_t *sig, size_t *siglen, - const uint8_t *mu, size_t mulen, - const uint8_t *sk); - -int ml_dsa_sign_internal(ml_dsa_params *params, - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pre, size_t prelen, - const uint8_t *rnd, - const uint8_t *sk, +int ml_dsa_sign(ml_dsa_params *params, uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, const uint8_t *ctx, + size_t ctxlen, const uint8_t *sk); + +int ml_dsa_extmu_sign(ml_dsa_params *params, uint8_t *sig, size_t *siglen, + const uint8_t *mu, size_t mulen, const uint8_t *sk); + +int ml_dsa_sign_internal(ml_dsa_params *params, uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, const uint8_t *pre, + size_t prelen, const uint8_t *rnd, const uint8_t *sk, int external_mu); -int ml_dsa_sign_message(ml_dsa_params *params, - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *sk); - -int ml_dsa_verify(ml_dsa_params *params, - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *pk); - -int ml_dsa_verify_internal(ml_dsa_params *params, - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pre, size_t prelen, - const uint8_t *pk, +int ml_dsa_sign_message(ml_dsa_params *params, uint8_t *sm, size_t *smlen, + const uint8_t *m, size_t mlen, const uint8_t *ctx, + size_t ctxlen, const uint8_t *sk); + +int ml_dsa_verify(ml_dsa_params 
*params, const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, const uint8_t *ctx, + size_t ctxlen, const uint8_t *pk); + +int ml_dsa_verify_internal(ml_dsa_params *params, const uint8_t *sig, + size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *pre, size_t prelen, const uint8_t *pk, int external_mu); -int ml_dsa_verify_message(ml_dsa_params *params, - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *pk); +int ml_dsa_verify_message(ml_dsa_params *params, uint8_t *m, size_t *mlen, + const uint8_t *sm, size_t smlen, const uint8_t *ctx, + size_t ctxlen, const uint8_t *pk); #endif diff --git a/crypto/fipsmodule/ml_kem/ml_kem.c b/crypto/fipsmodule/ml_kem/ml_kem.c index 771a49c240..712897a846 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem.c +++ b/crypto/fipsmodule/ml_kem/ml_kem.c @@ -6,6 +6,7 @@ #include "./ml_kem_ref/kem.h" #include "./ml_kem_ref/params.h" +#include "../../internal.h" #include "./ml_kem_ref/cbd.c" #include "./ml_kem_ref/indcpa.c" #include "./ml_kem_ref/kem.c" 
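Review bot: The `+#include "../../internal.h"` added here (with the matching removal after `verify.c` in the next hunk, `@@ -16,23 +17,23 @@`) moves that header from the end of the include list to before the `./ml_kem_ref/*.c` unity includes, so the textually included reference sources now see whatever `../../internal.h` declares; this looks like clang-format's include sorting rather than an intentional change. Because this translation unit includes `.c` files directly, include order is semantically relevant, so if the original placement mattered the block should be fenced with `// clang-format off` / `// clang-format on`, and if the new order is what is actually wanted, a short comment on the `../../internal.h` line stating that it must come before the reference sources would keep the next formatter run from silently changing it again. The cbd.c hunk `@@ -1,23 +1,22 @@` and the indcpa.c hunk reorder their header includes in the same way (`cbd.h` and `indcpa.h` now precede `params.h`), which is only safe if those headers are self-contained; the build presumably passed, but that is worth confirming rather than assuming.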
@@ -16,23 +17,23 @@ #include "./ml_kem_ref/reduce.c" #include "./ml_kem_ref/symmetric-shake.c" #include "./ml_kem_ref/verify.c" -#include "../../internal.h" // Note: These methods currently default to using the reference code for ML_KEM. // In a future where AWS-LC has optimized options available, those can be // conditionally (or based on compile-time flags) called here, depending on // platform support. -int ml_kem_512_keypair_deterministic(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */, - const uint8_t *seed /* IN */) { +int ml_kem_512_keypair_deterministic(uint8_t *public_key /* OUT */, + uint8_t *secret_key /* OUT */, + const uint8_t *seed /* IN */) { boringssl_ensure_ml_kem_self_test(); - return ml_kem_512_keypair_deterministic_no_self_test(public_key, secret_key, seed); + return ml_kem_512_keypair_deterministic_no_self_test(public_key, secret_key, + seed); } -int ml_kem_512_keypair_deterministic_no_self_test(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */, - const uint8_t *seed /* IN */) { +int ml_kem_512_keypair_deterministic_no_self_test( + uint8_t *public_key /* OUT */, uint8_t *secret_key /* OUT */, + const uint8_t *seed /* IN */) { ml_kem_params params; int res; ml_kem_512_params_init(¶ms); @@ -40,14 +41,14 @@ int ml_kem_512_keypair_deterministic_no_self_test(uint8_t *public_key /* OUT */ #if defined(AWSLC_FIPS) /* PCT failure is the only failure condition for key generation. */ if (res != 0) { - AWS_LC_FIPS_failure("ML-KEM keygen PCT failed"); + AWS_LC_FIPS_failure("ML-KEM keygen PCT failed"); } #endif return res; } int ml_kem_512_keypair(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */) { + uint8_t *secret_key /* OUT */) { boringssl_ensure_ml_kem_self_test(); int res; ml_kem_params params; 
@@ -56,47 +57,48 @@ int ml_kem_512_keypair(uint8_t *public_key /* OUT */, #if defined(AWSLC_FIPS) /* PCT failure is the only failure condition for key generation. */ if (res != 0) { - AWS_LC_FIPS_failure("ML-KEM keygen PCT failed"); + AWS_LC_FIPS_failure("ML-KEM keygen PCT failed"); } #endif return res; } -int ml_kem_512_encapsulate_deterministic(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */, - const uint8_t *seed /* IN */) { +int ml_kem_512_encapsulate_deterministic(uint8_t *ciphertext /* OUT */, + uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */, + const uint8_t *seed /* IN */) { boringssl_ensure_ml_kem_self_test(); - return ml_kem_512_encapsulate_deterministic_no_self_test(ciphertext, shared_secret, public_key, seed); + return ml_kem_512_encapsulate_deterministic_no_self_test( + ciphertext, shared_secret, public_key, seed); } -int ml_kem_512_encapsulate_deterministic_no_self_test(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */, - const uint8_t *seed /* IN */) { +int ml_kem_512_encapsulate_deterministic_no_self_test( + uint8_t *ciphertext /* OUT */, uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */, const uint8_t *seed /* IN */) { ml_kem_params params; ml_kem_512_params_init(¶ms); return ml_kem_enc_derand_ref(¶ms, ciphertext, shared_secret, public_key, seed); } -int ml_kem_512_encapsulate(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */) { +int ml_kem_512_encapsulate(uint8_t *ciphertext /* OUT */, + uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */) { boringssl_ensure_ml_kem_self_test(); ml_kem_params params; ml_kem_512_params_init(¶ms); return ml_kem_enc_ref(¶ms, ciphertext, shared_secret, public_key); } -int ml_kem_512_decapsulate(uint8_t *shared_secret /* OUT */, - const uint8_t *ciphertext /* IN */, - const uint8_t *secret_key /* 
IN */) { +int ml_kem_512_decapsulate(uint8_t *shared_secret /* OUT */, + const uint8_t *ciphertext /* IN */, + const uint8_t *secret_key /* IN */) { boringssl_ensure_ml_kem_self_test(); - return ml_kem_512_decapsulate_no_self_test(shared_secret, ciphertext, secret_key); + return ml_kem_512_decapsulate_no_self_test(shared_secret, ciphertext, + secret_key); } -int ml_kem_512_decapsulate_no_self_test(uint8_t *shared_secret /* OUT */, +int ml_kem_512_decapsulate_no_self_test(uint8_t *shared_secret /* OUT */, const uint8_t *ciphertext /* IN */, const uint8_t *secret_key /* IN */) { ml_kem_params params; @@ -105,9 +107,9 @@ int ml_kem_512_decapsulate_no_self_test(uint8_t *shared_secret /* OUT */, } -int ml_kem_768_keypair_deterministic(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */, - const uint8_t *seed /* IN */) { +int ml_kem_768_keypair_deterministic(uint8_t *public_key /* OUT */, + uint8_t *secret_key /* OUT */, + const uint8_t *seed /* IN */) { boringssl_ensure_ml_kem_self_test(); ml_kem_params params; int res; @@ -116,14 +118,14 @@ int ml_kem_768_keypair_deterministic(uint8_t *public_key /* OUT */, #if defined(AWSLC_FIPS) /* PCT failure is the only failure condition for key generation. */ if (res != 0) { - AWS_LC_FIPS_failure("ML-KEM keygen PCT failed"); + AWS_LC_FIPS_failure("ML-KEM keygen PCT failed"); } #endif return res; } int ml_kem_768_keypair(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */) { + uint8_t *secret_key /* OUT */) { boringssl_ensure_ml_kem_self_test(); ml_kem_params params; int res; 
@@ -132,43 +134,44 @@ int ml_kem_768_keypair(uint8_t *public_key /* OUT */, #if defined(AWSLC_FIPS) /* PCT failure is the only failure condition for key generation. */ if (res != 0) { - AWS_LC_FIPS_failure("ML-KEM keygen PCT failed"); + AWS_LC_FIPS_failure("ML-KEM keygen PCT failed"); } #endif return res; } -int ml_kem_768_encapsulate_deterministic(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */, - const uint8_t *seed /* IN */) { +int ml_kem_768_encapsulate_deterministic(uint8_t *ciphertext /* OUT */, + uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */, + const uint8_t *seed /* IN */) { boringssl_ensure_ml_kem_self_test(); ml_kem_params params; ml_kem_768_params_init(¶ms); - return ml_kem_enc_derand_ref(¶ms, ciphertext, shared_secret, public_key, seed); + return ml_kem_enc_derand_ref(¶ms, ciphertext, shared_secret, public_key, + seed); } -int ml_kem_768_encapsulate(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */) { +int ml_kem_768_encapsulate(uint8_t *ciphertext /* OUT */, + uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */) { boringssl_ensure_ml_kem_self_test(); ml_kem_params params; ml_kem_768_params_init(¶ms); return ml_kem_enc_ref(¶ms, ciphertext, shared_secret, public_key); } -int ml_kem_768_decapsulate(uint8_t *shared_secret /* OUT */, - const uint8_t *ciphertext /* IN */, - const uint8_t *secret_key /* IN */) { +int ml_kem_768_decapsulate(uint8_t *shared_secret /* OUT */, + const uint8_t *ciphertext /* IN */, + const uint8_t *secret_key /* IN */) { boringssl_ensure_ml_kem_self_test(); ml_kem_params params; ml_kem_768_params_init(¶ms); return ml_kem_dec_ref(¶ms, shared_secret, ciphertext, secret_key); } -int ml_kem_1024_keypair_deterministic(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */, - const uint8_t *seed /* IN */) { +int ml_kem_1024_keypair_deterministic(uint8_t *public_key /* OUT */, + 
uint8_t *secret_key /* OUT */, + const uint8_t *seed /* IN */) { boringssl_ensure_ml_kem_self_test(); ml_kem_params params; int res; @@ -177,14 +180,14 @@ int ml_kem_1024_keypair_deterministic(uint8_t *public_key /* OUT */, #if defined(AWSLC_FIPS) /* PCT failure is the only failure condition for key generation. */ if (res != 0) { - AWS_LC_FIPS_failure("ML-KEM keygen PCT failed"); + AWS_LC_FIPS_failure("ML-KEM keygen PCT failed"); } #endif return res; } int ml_kem_1024_keypair(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */) { + uint8_t *secret_key /* OUT */) { boringssl_ensure_ml_kem_self_test(); ml_kem_params params; int res; 
@@ -193,34 +196,35 @@ int ml_kem_1024_keypair(uint8_t *public_key /* OUT */, #if defined(AWSLC_FIPS) /* PCT failure is the only failure condition for key generation. */ if (res != 0) { - AWS_LC_FIPS_failure("ML-KEM keygen PCT failed"); + AWS_LC_FIPS_failure("ML-KEM keygen PCT failed"); } #endif return res; } -int ml_kem_1024_encapsulate_deterministic(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */, - const uint8_t *seed /* IN */) { +int ml_kem_1024_encapsulate_deterministic(uint8_t *ciphertext /* OUT */, + uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */, + const uint8_t *seed /* IN */) { boringssl_ensure_ml_kem_self_test(); ml_kem_params params; ml_kem_1024_params_init(¶ms); - return ml_kem_enc_derand_ref(¶ms, ciphertext, shared_secret, public_key, seed); + return ml_kem_enc_derand_ref(¶ms, ciphertext, shared_secret, public_key, + seed); } -int ml_kem_1024_encapsulate(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */) { +int ml_kem_1024_encapsulate(uint8_t *ciphertext /* OUT */, + uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */) { boringssl_ensure_ml_kem_self_test(); ml_kem_params params; ml_kem_1024_params_init(¶ms); return ml_kem_enc_ref(¶ms, ciphertext, shared_secret, public_key); } -int ml_kem_1024_decapsulate(uint8_t *shared_secret /* OUT */, - const uint8_t *ciphertext /* IN */, - const uint8_t *secret_key /* IN */) { +int ml_kem_1024_decapsulate(uint8_t *shared_secret /* OUT */, + const uint8_t *ciphertext /* IN */, + const uint8_t *secret_key /* IN */) { boringssl_ensure_ml_kem_self_test(); ml_kem_params params; ml_kem_1024_params_init(¶ms); diff --git a/crypto/fipsmodule/ml_kem/ml_kem.h b/crypto/fipsmodule/ml_kem/ml_kem.h index 752855764f..e5894654d5 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem.h +++ b/crypto/fipsmodule/ml_kem/ml_kem.h 
@@ -4,100 +4,99 @@ #ifndef ML_KEM_H #define ML_KEM_H -#include #include +#include #define MLKEM512_SHARED_SECRET_LEN (32) -#define MLKEM512_KEYGEN_SEED_LEN (64) -#define MLKEM512_ENCAPS_SEED_LEN (32) -#define MLKEM512_PUBLIC_KEY_BYTES (800) -#define MLKEM512_SECRET_KEY_BYTES (1632) -#define MLKEM512_CIPHERTEXT_BYTES (768) +#define MLKEM512_KEYGEN_SEED_LEN (64) +#define MLKEM512_ENCAPS_SEED_LEN (32) +#define MLKEM512_PUBLIC_KEY_BYTES (800) +#define MLKEM512_SECRET_KEY_BYTES (1632) +#define MLKEM512_CIPHERTEXT_BYTES (768) #define MLKEM768_SHARED_SECRET_LEN (32) -#define MLKEM768_KEYGEN_SEED_LEN (64) -#define MLKEM768_ENCAPS_SEED_LEN (32) -#define MLKEM768_PUBLIC_KEY_BYTES (1184) -#define MLKEM768_SECRET_KEY_BYTES (2400) -#define MLKEM768_CIPHERTEXT_BYTES (1088) +#define MLKEM768_KEYGEN_SEED_LEN (64) +#define MLKEM768_ENCAPS_SEED_LEN (32) +#define MLKEM768_PUBLIC_KEY_BYTES (1184) +#define MLKEM768_SECRET_KEY_BYTES (2400) +#define MLKEM768_CIPHERTEXT_BYTES (1088) #define MLKEM1024_SHARED_SECRET_LEN (32) -#define MLKEM1024_KEYGEN_SEED_LEN (64) -#define MLKEM1024_ENCAPS_SEED_LEN (32) -#define MLKEM1024_PUBLIC_KEY_BYTES (1568) -#define MLKEM1024_SECRET_KEY_BYTES (3168) -#define MLKEM1024_CIPHERTEXT_BYTES (1568) +#define MLKEM1024_KEYGEN_SEED_LEN (64) +#define MLKEM1024_ENCAPS_SEED_LEN (32) +#define MLKEM1024_PUBLIC_KEY_BYTES (1568) +#define MLKEM1024_SECRET_KEY_BYTES (3168) +#define MLKEM1024_CIPHERTEXT_BYTES (1568) int ml_kem_512_keypair_deterministic(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */, - const uint8_t *seed /* IN */); + uint8_t *secret_key /* OUT */, + const uint8_t *seed /* IN */); -int ml_kem_512_keypair_deterministic_no_self_test(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */, - const uint8_t *seed /* IN */); +int ml_kem_512_keypair_deterministic_no_self_test(uint8_t *public_key /* OUT */, + uint8_t *secret_key /* OUT */, + const uint8_t *seed /* IN */); int ml_kem_512_keypair(uint8_t *public_key /* OUT */, - uint8_t 
*secret_key /* OUT */); + uint8_t *secret_key /* OUT */); -int ml_kem_512_encapsulate_deterministic(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */, - const uint8_t *seed /* IN */); +int ml_kem_512_encapsulate_deterministic(uint8_t *ciphertext /* OUT */, + uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */, + const uint8_t *seed /* IN */); -int ml_kem_512_encapsulate_deterministic_no_self_test(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */, - const uint8_t *seed /* IN */); +int ml_kem_512_encapsulate_deterministic_no_self_test( + uint8_t *ciphertext /* OUT */, uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */, const uint8_t *seed /* IN */); -int ml_kem_512_encapsulate(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */); +int ml_kem_512_encapsulate(uint8_t *ciphertext /* OUT */, + uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */); -int ml_kem_512_decapsulate(uint8_t *shared_secret /* OUT */, - const uint8_t *ciphertext /* IN */, - const uint8_t *secret_key /* IN */); +int ml_kem_512_decapsulate(uint8_t *shared_secret /* OUT */, + const uint8_t *ciphertext /* IN */, + const uint8_t *secret_key /* IN */); -int ml_kem_512_decapsulate_no_self_test(uint8_t *shared_secret /* OUT */, +int ml_kem_512_decapsulate_no_self_test(uint8_t *shared_secret /* OUT */, const uint8_t *ciphertext /* IN */, const uint8_t *secret_key /* IN */); int ml_kem_768_keypair_deterministic(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */, - const uint8_t *seed /* IN */); + uint8_t *secret_key /* OUT */, + const uint8_t *seed /* IN */); int ml_kem_768_keypair(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */); + uint8_t *secret_key /* OUT */); -int ml_kem_768_encapsulate_deterministic(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT 
*/, - const uint8_t *public_key /* IN */, - const uint8_t *seed /* IN */); +int ml_kem_768_encapsulate_deterministic(uint8_t *ciphertext /* OUT */, + uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */, + const uint8_t *seed /* IN */); -int ml_kem_768_encapsulate(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */); +int ml_kem_768_encapsulate(uint8_t *ciphertext /* OUT */, + uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */); -int ml_kem_768_decapsulate(uint8_t *shared_secret /* OUT */, - const uint8_t *ciphertext /* IN */, - const uint8_t *secret_key /* IN */); +int ml_kem_768_decapsulate(uint8_t *shared_secret /* OUT */, + const uint8_t *ciphertext /* IN */, + const uint8_t *secret_key /* IN */); int ml_kem_1024_keypair_deterministic(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */, - const uint8_t *seed /* IN */); + uint8_t *secret_key /* OUT */, + const uint8_t *seed /* IN */); int ml_kem_1024_keypair(uint8_t *public_key /* OUT */, - uint8_t *secret_key /* OUT */); + uint8_t *secret_key /* OUT */); -int ml_kem_1024_encapsulate_deterministic(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */, - const uint8_t *seed /* IN */); +int ml_kem_1024_encapsulate_deterministic(uint8_t *ciphertext /* OUT */, + uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */, + const uint8_t *seed /* IN */); -int ml_kem_1024_encapsulate(uint8_t *ciphertext /* OUT */, - uint8_t *shared_secret /* OUT */, - const uint8_t *public_key /* IN */); +int ml_kem_1024_encapsulate(uint8_t *ciphertext /* OUT */, + uint8_t *shared_secret /* OUT */, + const uint8_t *public_key /* IN */); -int ml_kem_1024_decapsulate(uint8_t *shared_secret /* OUT */, - const uint8_t *ciphertext /* IN */, - const uint8_t *secret_key /* IN */); -#endif // ML_KEM_H +int ml_kem_1024_decapsulate(uint8_t *shared_secret /* OUT */, + const uint8_t 
*ciphertext /* IN */, + const uint8_t *secret_key /* IN */); +#endif // ML_KEM_H diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.c index d99a3dd59f..1b3fa33a4d 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.c +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.c @@ -1,23 +1,22 @@ -#include #include +#include -#include "params.h" #include "cbd.h" +#include "params.h" /************************************************* -* Name: load32_littleendian -* -* Description: load 4 bytes into a 32-bit integer -* in little-endian order -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x -**************************************************/ -static uint32_t load32_littleendian(const uint8_t x[4]) -{ + * Name: load32_littleendian + * + * Description: load 4 bytes into a 32-bit integer + * in little-endian order + * + * Arguments: - const uint8_t *x: pointer to input byte array + * + * Returns 32-bit unsigned integer loaded from x + **************************************************/ +static uint32_t load32_littleendian(const uint8_t x[4]) { uint32_t r; - r = (uint32_t)x[0]; + r = (uint32_t)x[0]; r |= (uint32_t)x[1] << 8; r |= (uint32_t)x[2] << 16; r |= (uint32_t)x[3] << 24; 
@@ -25,87 +24,83 @@ static uint32_t load32_littleendian(const uint8_t x[4]) } /************************************************* -* Name: load24_littleendian -* -* Description: load 3 bytes into a 32-bit integer -* in little-endian order. -* This function is only needed for Kyber-512 -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x (most significant byte is zero) -**************************************************/ -static uint32_t load24_littleendian(const uint8_t x[3]) -{ + * Name: load24_littleendian + * + * Description: load 3 bytes into a 32-bit integer + * in little-endian order. + * This function is only needed for Kyber-512 + * + * Arguments: - const uint8_t *x: pointer to input byte array + * + * Returns 32-bit unsigned integer loaded from x (most significant byte is zero) + **************************************************/ +static uint32_t load24_littleendian(const uint8_t x[3]) { uint32_t r; - r = (uint32_t)x[0]; + r = (uint32_t)x[0]; r |= (uint32_t)x[1] << 8; r |= (uint32_t)x[2] << 16; return r; } /************************************************* -* Name: cbd2 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -static void cbd2(poly *r, const uint8_t buf[2*KYBER_N/4]) -{ - unsigned int i,j; - uint32_t t,d; - int16_t a,b; + * Name: cbd2 + * + * Description: Given an array of uniformly random bytes, compute + * polynomial with coefficients distributed according to + * a centered binomial distribution with parameter eta=2 + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *buf: pointer to input byte array + **************************************************/ +static 
void cbd2(poly *r, const uint8_t buf[2 * KYBER_N / 4]) { + unsigned int i, j; + uint32_t t, d; + int16_t a, b; - for(i=0;i>1) & 0x55555555; + for (i = 0; i < KYBER_N / 8; i++) { + t = load32_littleendian(buf + 4 * i); + d = t & 0x55555555; + d += (t >> 1) & 0x55555555; - for(j=0;j<8;j++) { - a = (d >> (4*j+0)) & 0x3; - b = (d >> (4*j+2)) & 0x3; - r->coeffs[8*i+j] = a - b; + for (j = 0; j < 8; j++) { + a = (d >> (4 * j + 0)) & 0x3; + b = (d >> (4 * j + 2)) & 0x3; + r->coeffs[8 * i + j] = a - b; } } } /************************************************* -* Name: cbd3 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=3. -* This function is only needed for Kyber-512 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -static void cbd3(poly *r, const uint8_t buf[3*KYBER_N/4]) -{ - unsigned int i,j; - uint32_t t,d; - int16_t a,b; + * Name: cbd3 + * + * Description: Given an array of uniformly random bytes, compute + * polynomial with coefficients distributed according to + * a centered binomial distribution with parameter eta=3. 
+ * This function is only needed for Kyber-512 + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *buf: pointer to input byte array + **************************************************/ +static void cbd3(poly *r, const uint8_t buf[3 * KYBER_N / 4]) { + unsigned int i, j; + uint32_t t, d; + int16_t a, b; - for(i=0;i>1) & 0x00249249; - d += (t>>2) & 0x00249249; + for (i = 0; i < KYBER_N / 4; i++) { + t = load24_littleendian(buf + 3 * i); + d = t & 0x00249249; + d += (t >> 1) & 0x00249249; + d += (t >> 2) & 0x00249249; - for(j=0;j<4;j++) { - a = (d >> (6*j+0)) & 0x7; - b = (d >> (6*j+3)) & 0x7; - r->coeffs[4*i+j] = a - b; + for (j = 0; j < 4; j++) { + a = (d >> (6 * j + 0)) & 0x7; + b = (d >> (6 * j + 3)) & 0x7; + r->coeffs[4 * i + j] = a - b; } } } -void poly_cbd_eta1(ml_kem_params *params, poly *r, const uint8_t *buf) -{ +void poly_cbd_eta1(ml_kem_params *params, poly *r, const uint8_t *buf) { assert((params->eta1 == 2) || (params->eta1 == 3)); if (params->eta1 == 2) { cbd2(r, buf); @@ -114,8 +109,7 @@ void poly_cbd_eta1(ml_kem_params *params, poly *r, const uint8_t *buf) } } -void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2*KYBER_N/4]) -{ +void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]) { #if KYBER_ETA2 == 2 cbd2(r, buf); #else diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.h index 0ed2facc27..e1aa444495 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.h +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/cbd.h @@ -9,6 +9,6 @@ void poly_cbd_eta1(ml_kem_params *params, poly *r, const uint8_t *buf); #define poly_cbd_eta2 KYBER_NAMESPACE(poly_cbd_eta2) -void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2*KYBER_N/4]); +void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]); #endif diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.c index f0002d3a3b..9481745eeb 100644 
--- a/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.c
+++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.c
@@ -4,219 +4,214 @@ #include "../../../internal.h" -#include "params.h" #include "indcpa.h" -#include "polyvec.h" -#include "poly.h" #include "ntt.h" +#include "params.h" +#include "poly.h" +#include "polyvec.h" #include "symmetric.h" /************************************************* -* Name: pack_pk -* -* Description: Serialize the public key as concatenation of the -* serialized vector of polynomials pk -* and the public seed used to generate the matrix A. -* -* Arguments: uint8_t *r: pointer to the output serialized public key -* polyvec *pk: pointer to the input public-key polyvec -* const uint8_t *seed: pointer to the input public seed -**************************************************/ -static void pack_pk(ml_kem_params *params, - uint8_t *r, - polyvec *pk, - const uint8_t *seed) -{ + * Name: pack_pk + * + * Description: Serialize the public key as concatenation of the + * serialized vector of polynomials pk + * and the public seed used to generate the matrix A. + * + * Arguments: uint8_t *r: pointer to the output serialized public key + * polyvec *pk: pointer to the input public-key polyvec + * const uint8_t *seed: pointer to the input public seed + **************************************************/ +static void pack_pk(ml_kem_params *params, uint8_t *r, polyvec *pk, + const uint8_t *seed) { polyvec_tobytes(params, r, pk); - memcpy(r+params->poly_vec_bytes, seed, KYBER_SYMBYTES); + memcpy(r + params->poly_vec_bytes, seed, KYBER_SYMBYTES); } /************************************************* -* Name: unpack_pk -* -* Description: De-serialize public key from a byte array; -* approximate inverse of pack_pk -* -* Arguments: - polyvec *pk: pointer to output public-key polynomial vector -* - uint8_t *seed: pointer to output seed to generate matrix A -* - const uint8_t *packedpk: pointer to input serialized public key -**************************************************/ -static void unpack_pk(ml_kem_params *params, - polyvec *pk, - uint8_t seed[KYBER_SYMBYTES], 
- const uint8_t *packedpk) -{ + * Name: unpack_pk + * + * Description: De-serialize public key from a byte array; + * approximate inverse of pack_pk + * + * Arguments: - polyvec *pk: pointer to output public-key polynomial vector + * - uint8_t *seed: pointer to output seed to generate matrix A + * - const uint8_t *packedpk: pointer to input serialized public + *key + **************************************************/ +static void unpack_pk(ml_kem_params *params, polyvec *pk, + uint8_t seed[KYBER_SYMBYTES], const uint8_t *packedpk) { polyvec_frombytes(params, pk, packedpk); - memcpy(seed, packedpk+params->poly_vec_bytes, KYBER_SYMBYTES); + memcpy(seed, packedpk + params->poly_vec_bytes, KYBER_SYMBYTES); } /************************************************* -* Name: pack_sk -* -* Description: Serialize the secret key -* -* Arguments: - uint8_t *r: pointer to output serialized secret key -* - polyvec *sk: pointer to input vector of polynomials (secret key) -**************************************************/ -static void pack_sk(ml_kem_params *params, uint8_t *r, polyvec *sk) -{ + * Name: pack_sk + * + * Description: Serialize the secret key + * + * Arguments: - uint8_t *r: pointer to output serialized secret key + * - polyvec *sk: pointer to input vector of polynomials (secret + *key) + **************************************************/ +static void pack_sk(ml_kem_params *params, uint8_t *r, polyvec *sk) { polyvec_tobytes(params, r, sk); } /************************************************* -* Name: unpack_sk -* -* Description: De-serialize the secret key; inverse of pack_sk -* -* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key) -* - const uint8_t *packedsk: pointer to input serialized secret key -**************************************************/ -static void unpack_sk(ml_kem_params *params, polyvec *sk, const uint8_t *packedsk) -{ + * Name: unpack_sk + * + * Description: De-serialize the secret key; inverse of pack_sk + * + * 
Arguments: - polyvec *sk: pointer to output vector of polynomials (secret + *key) + * - const uint8_t *packedsk: pointer to input serialized secret + *key + **************************************************/ +static void unpack_sk(ml_kem_params *params, polyvec *sk, + const uint8_t *packedsk) { polyvec_frombytes(params, sk, packedsk); } /************************************************* -* Name: pack_ciphertext -* -* Description: Serialize the ciphertext as concatenation of the -* compressed and serialized vector of polynomials b -* and the compressed and serialized polynomial v -* -* Arguments: uint8_t *r: pointer to the output serialized ciphertext -* poly *pk: pointer to the input vector of polynomials b -* poly *v: pointer to the input polynomial v -**************************************************/ -static void pack_ciphertext(ml_kem_params *params, uint8_t *r, polyvec *b, poly *v) -{ + * Name: pack_ciphertext + * + * Description: Serialize the ciphertext as concatenation of the + * compressed and serialized vector of polynomials b + * and the compressed and serialized polynomial v + * + * Arguments: uint8_t *r: pointer to the output serialized ciphertext + * poly *pk: pointer to the input vector of polynomials b + * poly *v: pointer to the input polynomial v + **************************************************/ +static void pack_ciphertext(ml_kem_params *params, uint8_t *r, polyvec *b, + poly *v) { polyvec_compress(params, r, b); - poly_compress(params, r+params->poly_vec_compressed_bytes, v); + poly_compress(params, r + params->poly_vec_compressed_bytes, v); } /************************************************* -* Name: unpack_ciphertext -* -* Description: De-serialize and decompress ciphertext from a byte array; -* approximate inverse of pack_ciphertext -* -* Arguments: - polyvec *b: pointer to the output vector of polynomials b -* - poly *v: pointer to the output polynomial v -* - const uint8_t *c: pointer to the input serialized ciphertext 
-**************************************************/ -static void unpack_ciphertext(ml_kem_params *params, polyvec *b, poly *v, const uint8_t *c) -{ + * Name: unpack_ciphertext + * + * Description: De-serialize and decompress ciphertext from a byte array; + * approximate inverse of pack_ciphertext + * + * Arguments: - polyvec *b: pointer to the output vector of polynomials b + * - poly *v: pointer to the output polynomial v + * - const uint8_t *c: pointer to the input serialized ciphertext + **************************************************/ +static void unpack_ciphertext(ml_kem_params *params, polyvec *b, poly *v, + const uint8_t *c) { polyvec_decompress(params, b, c); - poly_decompress(params, v, c+params->poly_vec_compressed_bytes); + poly_decompress(params, v, c + params->poly_vec_compressed_bytes); } /************************************************* -* Name: rej_uniform -* -* Description: Run rejection sampling on uniform random bytes to generate -* uniform random integers mod q -* -* Arguments: - int16_t *r: pointer to output buffer -* - unsigned int len: requested number of 16-bit integers (uniform mod q) -* - const uint8_t *buf: pointer to input buffer (assumed to be uniformly random bytes) -* - unsigned int buflen: length of input buffer in bytes -* -* Returns number of sampled 16-bit integers (at most len) -**************************************************/ -static unsigned int rej_uniform(int16_t *r, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) -{ + * Name: rej_uniform + * + * Description: Run rejection sampling on uniform random bytes to generate + * uniform random integers mod q + * + * Arguments: - int16_t *r: pointer to output buffer + * - unsigned int len: requested number of 16-bit integers (uniform + *mod q) + * - const uint8_t *buf: pointer to input buffer (assumed to be + *uniformly random bytes) + * - unsigned int buflen: length of input buffer in bytes + * + * Returns number of sampled 16-bit integers (at most len) + 
**************************************************/ +static unsigned int rej_uniform(int16_t *r, unsigned int len, + const uint8_t *buf, unsigned int buflen) { unsigned int ctr, pos; uint16_t val0, val1; ctr = pos = 0; - while(ctr < len && pos + 3 <= buflen) { - val0 = ((buf[pos+0] >> 0) | ((uint16_t)buf[pos+1] << 8)) & 0xFFF; - val1 = ((buf[pos+1] >> 4) | ((uint16_t)buf[pos+2] << 4)) & 0xFFF; + while (ctr < len && pos + 3 <= buflen) { + val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) & 0xFFF; + val1 = ((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4)) & 0xFFF; pos += 3; - if(val0 < KYBER_Q) + if (val0 < KYBER_Q) r[ctr++] = val0; - if(ctr < len && val1 < KYBER_Q) + if (ctr < len && val1 < KYBER_Q) r[ctr++] = val1; } return ctr; } -#define gen_a(PARAMS,A,B) gen_matrix(PARAMS,A,B,0) -#define gen_at(PARAMS,A,B) gen_matrix(PARAMS,A,B,1) +#define gen_a(PARAMS, A, B) gen_matrix(PARAMS, A, B, 0) +#define gen_at(PARAMS, A, B) gen_matrix(PARAMS, A, B, 1) /************************************************* -* Name: gen_matrix -* -* Description: Deterministically generate matrix A (or the transpose of A) -* from a seed. Entries of the matrix are polynomials that look -* uniformly random. Performs rejection sampling on output of -* a XOF -* -* Arguments: - polyvec *a: pointer to ouptput matrix A -* - const uint8_t *seed: pointer to input seed -* - int transposed: boolean deciding whether A or A^T is generated -**************************************************/ -#define GEN_MATRIX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) + * Name: gen_matrix + * + * Description: Deterministically generate matrix A (or the transpose of A) + * from a seed. Entries of the matrix are polynomials that look + * uniformly random. 
Performs rejection sampling on output of + * a XOF + * + * Arguments: - polyvec *a: pointer to ouptput matrix A + * - const uint8_t *seed: pointer to input seed + * - int transposed: boolean deciding whether A or A^T is generated + **************************************************/ +#define GEN_MATRIX_NBLOCKS \ + ((12 * KYBER_N / 8 * (1 << 12) / KYBER_Q + XOF_BLOCKBYTES) / XOF_BLOCKBYTES) // Not static for benchmarking -void gen_matrix(ml_kem_params *params, polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) -{ +void gen_matrix(ml_kem_params *params, polyvec *a, + const uint8_t seed[KYBER_SYMBYTES], int transposed) { unsigned int ctr, i, j, k; unsigned int buflen, off; - uint8_t buf[GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES+2]; + uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES + 2]; KECCAK1600_CTX ctx; - for(i=0;ik;i++) { - for(j=0;jk;j++) { - if(transposed) + for (i = 0; i < params->k; i++) { + for (j = 0; j < params->k; j++) { + if (transposed) xof_absorb(&ctx, seed, i, j); else xof_absorb(&ctx, seed, j, i); xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &ctx); - buflen = GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES; + buflen = GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES; ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, buflen); - while(ctr < KYBER_N) { + while (ctr < KYBER_N) { off = buflen % 3; - for(k = 0; k < off; k++) + for (k = 0; k < off; k++) buf[k] = buf[buflen - off + k]; xof_squeezeblocks(buf + off, 1, &ctx); buflen = off + XOF_BLOCKBYTES; - ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, buflen); + ctr += + rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, buflen); } } } - + // FIPS 203. Section 3.3 Destruction of intermediate values. 
OPENSSL_cleanse(buf, sizeof(buf)); } /************************************************* -* Name: indcpa_keypair_derand -* -* Description: Generates public and private key for the CPA-secure -* public-key encryption scheme underlying Kyber -* -* Arguments: - uint8_t *pk: pointer to output public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key -* (of length KYBER_INDCPA_SECRETKEYBYTES bytes) -* - const uint8_t *coins: pointer to input randomness -* (of length KYBER_SYMBYTES bytes) -**************************************************/ -void indcpa_keypair_derand(ml_kem_params *params, - uint8_t *pk, - uint8_t *sk, - const uint8_t coins[KYBER_SYMBYTES]) -{ + * Name: indcpa_keypair_derand + * + * Description: Generates public and private key for the CPA-secure + * public-key encryption scheme underlying Kyber + * + * Arguments: - uint8_t *pk: pointer to output public key + * (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) + * - uint8_t *sk: pointer to output private key + * (of length KYBER_INDCPA_SECRETKEYBYTES bytes) + * - const uint8_t *coins: pointer to input randomness + * (of length KYBER_SYMBYTES bytes) + **************************************************/ +void indcpa_keypair_derand(ml_kem_params *params, uint8_t *pk, uint8_t *sk, + const uint8_t coins[KYBER_SYMBYTES]) { unsigned int i; - uint8_t buf[2*KYBER_SYMBYTES]; + uint8_t buf[2 * KYBER_SYMBYTES]; const uint8_t *publicseed = buf; - const uint8_t *noiseseed = buf+KYBER_SYMBYTES; + const uint8_t *noiseseed = buf + KYBER_SYMBYTES; uint8_t nonce = 0; polyvec a[KYBER_K_MAX], e, pkpv, skpv; 
@@ -228,16 +223,16 @@ void indcpa_keypair_derand(ml_kem_params *params, gen_a(params, a, publicseed); - for(i=0;ik;i++) + for (i = 0; i < params->k; i++) poly_getnoise_eta1(params, &skpv.vec[i], noiseseed, nonce++); - for(i=0;ik;i++) + for (i = 0; i < params->k; i++) poly_getnoise_eta1(params, &e.vec[i], noiseseed, nonce++); polyvec_ntt(params, &skpv); polyvec_ntt(params, &e); // matrix-vector multiplication - for(i=0;ik;i++) { + for (i = 0; i < params->k; i++) { polyvec_basemul_acc_montgomery(params, &pkpv.vec[i], &a[i], &skpv); poly_tomont(&pkpv.vec[i]); } @@ -250,7 +245,8 @@ void indcpa_keypair_derand(ml_kem_params *params, // FIPS 203. Section 3.3 Destruction of intermediate values. OPENSSL_cleanse(buf, sizeof(buf)); - OPENSSL_cleanse(coins_with_domain_separator, sizeof(coins_with_domain_separator)); + OPENSSL_cleanse(coins_with_domain_separator, + sizeof(coins_with_domain_separator)); OPENSSL_cleanse(a, sizeof(a)); OPENSSL_cleanse(&e, sizeof(e)); OPENSSL_cleanse(&pkpv, sizeof(pkpv)); 
@@ -259,27 +255,22 @@ void indcpa_keypair_derand(ml_kem_params *params, /************************************************* -* Name: indcpa_enc -* -* Description: Encryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *c: pointer to output ciphertext -* (of length KYBER_INDCPA_BYTES bytes) -* - const uint8_t *m: pointer to input message -* (of length KYBER_INDCPA_MSGBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES) -* - const uint8_t *coins: pointer to input random coins used as seed -* (of length KYBER_SYMBYTES) to deterministically -* generate all randomness -**************************************************/ -void indcpa_enc(ml_kem_params *params, - uint8_t *c, - const uint8_t *m, - const uint8_t *pk, - const uint8_t coins[KYBER_SYMBYTES]) -{ + * Name: indcpa_enc + * + * Description: Encryption function of the CPA-secure + * public-key encryption scheme underlying Kyber. + * + * Arguments: - uint8_t *c: pointer to output ciphertext + * (of length KYBER_INDCPA_BYTES bytes) + * - const uint8_t *m: pointer to input message + * (of length KYBER_INDCPA_MSGBYTES bytes) + * - const uint8_t *pk: pointer to input public key + * (of length KYBER_INDCPA_PUBLICKEYBYTES) + * - const uint8_t *coins: pointer to input random coins used as + *seed (of length KYBER_SYMBYTES) to deterministically generate all randomness + **************************************************/ +void indcpa_enc(ml_kem_params *params, uint8_t *c, const uint8_t *m, + const uint8_t *pk, const uint8_t coins[KYBER_SYMBYTES]) { unsigned int i; uint8_t seed[KYBER_SYMBYTES]; uint8_t nonce = 0; 
@@ -290,16 +281,16 @@ void indcpa_enc(ml_kem_params *params, poly_frommsg(&k, m); gen_at(params, at, seed); - for(i=0;ik;i++) - poly_getnoise_eta1(params, sp.vec+i, coins, nonce++); - for(i=0;ik;i++) - poly_getnoise_eta2(ep.vec+i, coins, nonce++); + for (i = 0; i < params->k; i++) + poly_getnoise_eta1(params, sp.vec + i, coins, nonce++); + for (i = 0; i < params->k; i++) + poly_getnoise_eta2(ep.vec + i, coins, nonce++); poly_getnoise_eta2(&epp, coins, nonce++); polyvec_ntt(params, &sp); // matrix-vector multiplication - for(i=0;ik;i++) + for (i = 0; i < params->k; i++) polyvec_basemul_acc_montgomery(params, &b.vec[i], &at[i], &sp); polyvec_basemul_acc_montgomery(params, &v, &pkpv, &sp); @@ -328,23 +319,20 @@ void indcpa_enc(ml_kem_params *params, } /************************************************* -* Name: indcpa_dec -* -* Description: Decryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *m: pointer to output decrypted message -* (of length KYBER_INDCPA_MSGBYTES) -* - const uint8_t *c: pointer to input ciphertext -* (of length KYBER_INDCPA_BYTES) -* - const uint8_t *sk: pointer to input secret key -* (of length KYBER_INDCPA_SECRETKEYBYTES) -**************************************************/ -void indcpa_dec(ml_kem_params *params, - uint8_t *m, - const uint8_t *c, - const uint8_t *sk) -{ + * Name: indcpa_dec + * + * Description: Decryption function of the CPA-secure + * public-key encryption scheme underlying Kyber. + * + * Arguments: - uint8_t *m: pointer to output decrypted message + * (of length KYBER_INDCPA_MSGBYTES) + * - const uint8_t *c: pointer to input ciphertext + * (of length KYBER_INDCPA_BYTES) + * - const uint8_t *sk: pointer to input secret key + * (of length KYBER_INDCPA_SECRETKEYBYTES) + **************************************************/ +void indcpa_dec(ml_kem_params *params, uint8_t *m, const uint8_t *c, + const uint8_t *sk) { polyvec b, skpv; poly v, mp; 
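Review bot: The reflowed `Arguments:` entry for `coins` in the indcpa_enc header now reads ` *seed (of length KYBER_SYMBYTES) to deterministically generate all randomness`, with the continuation glued to the asterisk, because the formatter rewrapped the over-long comment line without re-inserting the leading space and the column indent the banner layout relies on. The same artifact appears at ` *key` in unpack_sk, ` *mod q` and ` *uniformly random bytes` in rej_uniform, ` *random bytes` in crypto_kem_keypair_derand, ` *bytes` in crypto_kem_enc_derand, and ` *Zq` in ntt and invntt. I'd restore the two-line form here, `* - const uint8_t *coins: pointer to input random coins used as seed` followed by `* (of length KYBER_SYMBYTES) to deterministically generate all randomness`, and bracket these banner comments with `// clang-format off` / `// clang-format on` so the next format run does not reflow them again. indcpa_enc's body continues outside the hunk.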
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.h index d13fc48faf..3b458861cb 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.h +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/indcpa.h @@ -6,25 +6,19 @@ #include "polyvec.h" #define gen_matrix KYBER_NAMESPACE(gen_matrix) -void gen_matrix(ml_kem_params *params, polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); +void gen_matrix(ml_kem_params *params, polyvec *a, + const uint8_t seed[KYBER_SYMBYTES], int transposed); #define indcpa_keypair_derand KYBER_NAMESPACE(indcpa_keypair_derand) -void indcpa_keypair_derand(ml_kem_params *params, - uint8_t *pk, - uint8_t *sk, +void indcpa_keypair_derand(ml_kem_params *params, uint8_t *pk, uint8_t *sk, const uint8_t coins[KYBER_SYMBYTES]); #define indcpa_enc KYBER_NAMESPACE(indcpa_enc) -void indcpa_enc(ml_kem_params *params, - uint8_t *c, - const uint8_t *m, - const uint8_t *pk, - const uint8_t coins[KYBER_SYMBYTES]); +void indcpa_enc(ml_kem_params *params, uint8_t *c, const uint8_t *m, + const uint8_t *pk, const uint8_t coins[KYBER_SYMBYTES]); #define indcpa_dec KYBER_NAMESPACE(indcpa_dec) -void indcpa_dec(ml_kem_params *params, - uint8_t *m, - const uint8_t *c, +void indcpa_dec(ml_kem_params *params, uint8_t *m, const uint8_t *c, const uint8_t *sk); #endif diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c index 3aaf55ef00..00e5d23ffd 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c 
@@ -1,21 +1,23 @@ +#include "./kem.h" #include #include #include -#include "./params.h" -#include "./kem.h" #include "./indcpa.h" -#include "./verify.h" +#include "./params.h" #include "./reduce.h" #include "./symmetric.h" +#include "./verify.h" #include "openssl/rand.h" #if defined(AWSLC_FIPS) -// FIPS 203. Pair-wise Consistency Test (PCT) required per [FIPS 140-3 IG](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf): +// FIPS 203. Pair-wise Consistency Test (PCT) required per [FIPS 140-3 +// IG](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf): // The PCT consists of applying the encapsulation key to encapsulate a shared // secret leading to ciphertext, and then applying decapsulation key to // retrieve the same shared secret. Returns 0 if the PCT passes, 1 otherwise. -static int keygen_pct(ml_kem_params *params, const uint8_t *ek, const uint8_t *dk) { +static int keygen_pct(ml_kem_params *params, const uint8_t *ek, + const uint8_t *dk) { uint8_t ct[KYBER_CIPHERTEXTBYTES_MAX]; uint8_t ss_enc[KYBER_SSBYTES]; uint8_t ss_dec[KYBER_SSBYTES]; 
@@ -32,31 +34,31 @@ static int keygen_pct(ml_kem_params *params, const uint8_t *ek, const uint8_t *d #endif /************************************************* -* Name: crypto_kem_keypair_derand -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - uint8_t *pk: pointer to output public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* - uint8_t *coins: pointer to input randomness -* (an already allocated array filled with 2*KYBER_SYMBYTES random bytes) -* -* Returns: - 0 on success -* - -1 upon PCT failure (if AWSLC_FIPS is set) -**************************************************/ -int crypto_kem_keypair_derand(ml_kem_params *params, - uint8_t *pk, - uint8_t *sk, - const uint8_t *coins) -{ + * Name: crypto_kem_keypair_derand + * + * Description: Generates public and private key + * for CCA-secure Kyber key encapsulation mechanism + * + * Arguments: - uint8_t *pk: pointer to output public key + * (an already allocated array of KYBER_PUBLICKEYBYTES bytes) + * - uint8_t *sk: pointer to output private key + * (an already allocated array of KYBER_SECRETKEYBYTES bytes) + * - uint8_t *coins: pointer to input randomness + * (an already allocated array filled with 2*KYBER_SYMBYTES + *random bytes) + * + * Returns: - 0 on success + * - -1 upon PCT failure (if AWSLC_FIPS is set) + **************************************************/ +int crypto_kem_keypair_derand(ml_kem_params *params, uint8_t *pk, uint8_t *sk, + const uint8_t *coins) { indcpa_keypair_derand(params, pk, sk, coins); - memcpy(sk+params->indcpa_secret_key_bytes, pk, params->public_key_bytes); - hash_h(sk+params->secret_key_bytes-2*KYBER_SYMBYTES, pk, params->public_key_bytes); + memcpy(sk + params->indcpa_secret_key_bytes, pk, params->public_key_bytes); + hash_h(sk + params->secret_key_bytes - 2 * KYBER_SYMBYTES, pk, + 
params->public_key_bytes); /* Value z for pseudo-random output on reject */ - memcpy(sk+params->secret_key_bytes-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES); + memcpy(sk + params->secret_key_bytes - KYBER_SYMBYTES, coins + KYBER_SYMBYTES, + KYBER_SYMBYTES); #if defined(AWSLC_FIPS) if (keygen_pct(params, pk, sk)) { @@ -67,25 +69,22 @@ int crypto_kem_keypair_derand(ml_kem_params *params, } /************************************************* -* Name: crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - uint8_t *pk: pointer to output public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns: - 0 on success -* - -1 upon PCT failure (if AWSLC_FIPS is set) -**************************************************/ -int crypto_kem_keypair(ml_kem_params *params, - uint8_t *pk, - uint8_t *sk) -{ - uint8_t coins[2*KYBER_SYMBYTES]; - RAND_bytes(coins, 2*KYBER_SYMBYTES); + * Name: crypto_kem_keypair + * + * Description: Generates public and private key + * for CCA-secure Kyber key encapsulation mechanism + * + * Arguments: - uint8_t *pk: pointer to output public key + * (an already allocated array of KYBER_PUBLICKEYBYTES bytes) + * - uint8_t *sk: pointer to output private key + * (an already allocated array of KYBER_SECRETKEYBYTES bytes) + * + * Returns: - 0 on success + * - -1 upon PCT failure (if AWSLC_FIPS is set) + **************************************************/ +int crypto_kem_keypair(ml_kem_params *params, uint8_t *pk, uint8_t *sk) { + uint8_t coins[2 * KYBER_SYMBYTES]; + RAND_bytes(coins, 2 * KYBER_SYMBYTES); int res = crypto_kem_keypair_derand(params, pk, sk, coins); // FIPS 203. Section 3.3 Destruction of intermediate values. 
@@ -105,10 +104,10 @@ static int16_t centered_to_positive_representative(int16_t in) { return constant_time_select_int(mask, in, in_fixed); } -#define BYTE_ENCODE_12_IN_SIZE (256) +#define BYTE_ENCODE_12_IN_SIZE (256) #define BYTE_ENCODE_12_OUT_SIZE (32 * 12) #define BYTE_DECODE_12_OUT_SIZE (BYTE_ENCODE_12_IN_SIZE) -#define BYTE_DECODE_12_IN_SIZE (BYTE_ENCODE_12_OUT_SIZE) +#define BYTE_DECODE_12_IN_SIZE (BYTE_ENCODE_12_OUT_SIZE) // FIPS 203. Algorithm 5 ByteEncode_12 // Encodes an array of 256 12-bit integers into a byte array. @@ -125,7 +124,7 @@ static void byte_encode_12(uint8_t out[BYTE_ENCODE_12_OUT_SIZE], for (size_t i = 0; i < BYTE_ENCODE_12_IN_SIZE / 2; i++) { int16_t in0 = in[2 * i]; int16_t in1 = in[2 * i + 1]; - out[3 * i] = in0 & 0xff; + out[3 * i] = in0 & 0xff; out[3 * i + 1] = ((in0 >> 8) & 0xf) | ((in1 & 0xf) << 4); out[3 * i + 2] = (in1 >> 4) & 0xff; } @@ -143,12 +142,12 @@ static void byte_encode_12(uint8_t out[BYTE_ENCODE_12_OUT_SIZE], // Additionally we reduce the output elements mod Q as specified in FIPS 203. static void byte_decode_12(int16_t out[BYTE_DECODE_12_OUT_SIZE], const uint8_t in[BYTE_DECODE_12_IN_SIZE]) { - for(size_t i = 0; i < BYTE_DECODE_12_OUT_SIZE / 2; i++) { + for (size_t i = 0; i < BYTE_DECODE_12_OUT_SIZE / 2; i++) { // Cast to 16-bit wide uint's to avoid any issues // with shifting and implicit casting. - uint16_t in0 = (uint16_t) in[3 * i]; - uint16_t in1 = (uint16_t) in[3 * i + 1]; - uint16_t in2 = (uint16_t) in[3 * i + 2]; + uint16_t in0 = (uint16_t)in[3 * i]; + uint16_t in1 = (uint16_t)in[3 * i + 1]; + uint16_t in2 = (uint16_t)in[3 * i + 2]; // Build the output pair. uint16_t out0 = in0 | ((in1 & 0xf) << 8); 
@@ -174,14 +173,16 @@ static void byte_decode_12(int16_t out[BYTE_DECODE_12_OUT_SIZE], // functions to do that: `EVP_PKEY_kem_new_raw_key`, // `EVP_PKEY_kem_new_raw_secret_key`, `EVP_PKEY_kem_new_raw_public_key`. // The lengths are checked in all three functions. -static int encapsulation_key_modulus_check(ml_kem_params *params, const uint8_t *ek) { - +static int encapsulation_key_modulus_check(ml_kem_params *params, + const uint8_t *ek) { int16_t ek_decoded[ENCAPS_KEY_DECODED_MAX_SIZE]; uint8_t ek_recoded[ENCAPS_KEY_ENCODED_MAX_SIZE]; for (size_t i = 0; i < params->k; i++) { - byte_decode_12(&ek_decoded[i * BYTE_DECODE_12_OUT_SIZE], &ek[i * BYTE_DECODE_12_IN_SIZE]); - byte_encode_12(&ek_recoded[i * BYTE_ENCODE_12_OUT_SIZE], &ek_decoded[i * BYTE_ENCODE_12_IN_SIZE]); + byte_decode_12(&ek_decoded[i * BYTE_DECODE_12_OUT_SIZE], + &ek[i * BYTE_DECODE_12_IN_SIZE]); + byte_encode_12(&ek_recoded[i * BYTE_ENCODE_12_OUT_SIZE], + &ek_decoded[i * BYTE_ENCODE_12_IN_SIZE]); } return verify(ek_recoded, ek, params->k * BYTE_ENCODE_12_OUT_SIZE); @@ -195,8 +196,8 @@ static int encapsulation_key_modulus_check(ml_kem_params *params, const uint8_t // // This function implements the decapsulation key hash check. The other checks // specified in Section 7.3 are the ciphertext and the key type check. We can -// safely omit those checks here because they are done in higher level functions. -// The required lengths for all variants of ML-KEM are hard-coded in +// safely omit those checks here because they are done in higher level +// functions. The required lengths for all variants of ML-KEM are hard-coded in // fipsmodule/kem/kem.c. If a key is generated by aws-lc then it satisfies // the length requirements. If a key is generated outside of aws-lc, it has to // be imported into an `EVP_PKEY` object to be used within aws-lc. We provide 
@@ -204,54 +205,52 @@ static int encapsulation_key_modulus_check(ml_kem_params *params, const uint8_t // `EVP_PKEY_kem_new_raw_secret_key`, `EVP_PKEY_kem_new_raw_public_key`. // The lengths are checked in all three functions. Additionally, the ciphertext // length is checked in function pkey_kem_decapsulate in fipsmodule/evp/p_kem.c. -static int decapsulation_key_hash_check(ml_kem_params *params, const uint8_t *dk) { +static int decapsulation_key_hash_check(ml_kem_params *params, + const uint8_t *dk) { uint8_t dk_pke_hash_computed[KYBER_SYMBYTES] = {0}; hash_h(dk_pke_hash_computed, &dk[params->indcpa_secret_key_bytes], - params->indcpa_public_key_bytes); - const uint8_t *dk_pke_hash_expected = &dk[params->indcpa_secret_key_bytes + - params->indcpa_public_key_bytes]; + params->indcpa_public_key_bytes); + const uint8_t *dk_pke_hash_expected = + &dk[params->indcpa_secret_key_bytes + params->indcpa_public_key_bytes]; return verify(dk_pke_hash_computed, dk_pke_hash_expected, KYBER_SYMBYTES); } /************************************************* -* Name: crypto_kem_enc_derand -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - uint8_t *ct: pointer to output cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - uint8_t *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - const uint8_t *coins: pointer to input randomness -* (an already allocated array filled with KYBER_SYMBYTES random bytes) -** -* Returns 0 (success) -**************************************************/ -int crypto_kem_enc_derand(ml_kem_params *params, - uint8_t *ct, - uint8_t *ss, - const uint8_t *pk, - const uint8_t *coins) -{ - uint8_t buf[2*KYBER_SYMBYTES]; + * Name: crypto_kem_enc_derand + * + * Description: Generates cipher text and shared + * secret for given public key 
+ * + * Arguments: - uint8_t *ct: pointer to output cipher text + * (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) + * - uint8_t *ss: pointer to output shared secret + * (an already allocated array of KYBER_SSBYTES bytes) + * - const uint8_t *pk: pointer to input public key + * (an already allocated array of KYBER_PUBLICKEYBYTES bytes) + * - const uint8_t *coins: pointer to input randomness + * (an already allocated array filled with KYBER_SYMBYTES random + *bytes) + ** + * Returns 0 (success) + **************************************************/ +int crypto_kem_enc_derand(ml_kem_params *params, uint8_t *ct, uint8_t *ss, + const uint8_t *pk, const uint8_t *coins) { + uint8_t buf[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ - uint8_t kr[2*KYBER_SYMBYTES]; + uint8_t kr[2 * KYBER_SYMBYTES]; memcpy(buf, coins, KYBER_SYMBYTES); /* Multitarget countermeasure for coins + contributory KEM */ - hash_h(buf+KYBER_SYMBYTES, pk, params->public_key_bytes); - hash_g(kr, buf, 2*KYBER_SYMBYTES); + hash_h(buf + KYBER_SYMBYTES, pk, params->public_key_bytes); + hash_g(kr, buf, 2 * KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ - indcpa_enc(params, ct, buf, pk, kr+KYBER_SYMBYTES); + indcpa_enc(params, ct, buf, pk, kr + KYBER_SYMBYTES); - memcpy(ss,kr,KYBER_SYMBYTES); + memcpy(ss, kr, KYBER_SYMBYTES); // FIPS 203. Section 3.3 Destruction of intermediate values. OPENSSL_cleanse(buf, sizeof(buf)); 
@@ -260,25 +259,22 @@ int crypto_kem_enc_derand(ml_kem_params *params, } /************************************************* -* Name: crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - uint8_t *ct: pointer to output cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - uint8_t *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* -* Returns 0 (success), or 1 when the encapsulation key check fails. -**************************************************/ -int crypto_kem_enc(ml_kem_params *params, - uint8_t *ct, - uint8_t *ss, - const uint8_t *pk) -{ + * Name: crypto_kem_enc + * + * Description: Generates cipher text and shared + * secret for given public key + * + * Arguments: - uint8_t *ct: pointer to output cipher text + * (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) + * - uint8_t *ss: pointer to output shared secret + * (an already allocated array of KYBER_SSBYTES bytes) + * - const uint8_t *pk: pointer to input public key + * (an already allocated array of KYBER_PUBLICKEYBYTES bytes) + * + * Returns 0 (success), or 1 when the encapsulation key check fails. + **************************************************/ +int crypto_kem_enc(ml_kem_params *params, uint8_t *ct, uint8_t *ss, + const uint8_t *pk) { if (encapsulation_key_modulus_check(params, pk) != 0) { return 1; } 
@@ -293,54 +289,52 @@ int crypto_kem_enc(ml_kem_params *params, } /************************************************* -* Name: crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - uint8_t *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const uint8_t *ct: pointer to input cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - const uint8_t *sk: pointer to input private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0. -* -* On failure, ss will contain a pseudo-random value. -**************************************************/ -int crypto_kem_dec(ml_kem_params *params, - uint8_t *ss, - const uint8_t *ct, - const uint8_t *sk) -{ + * Name: crypto_kem_dec + * + * Description: Generates shared secret for given + * cipher text and private key + * + * Arguments: - uint8_t *ss: pointer to output shared secret + * (an already allocated array of KYBER_SSBYTES bytes) + * - const uint8_t *ct: pointer to input cipher text + * (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) + * - const uint8_t *sk: pointer to input private key + * (an already allocated array of KYBER_SECRETKEYBYTES bytes) + * + * Returns 0. + * + * On failure, ss will contain a pseudo-random value. 
+ **************************************************/ +int crypto_kem_dec(ml_kem_params *params, uint8_t *ss, const uint8_t *ct, + const uint8_t *sk) { if (decapsulation_key_hash_check(params, sk) != 0) { return 1; } int fail; - uint8_t buf[2*KYBER_SYMBYTES]; + uint8_t buf[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ - uint8_t kr[2*KYBER_SYMBYTES]; - uint8_t cmp[KYBER_CIPHERTEXTBYTES_MAX+KYBER_SYMBYTES]; - const uint8_t *pk = sk+params->indcpa_secret_key_bytes; + uint8_t kr[2 * KYBER_SYMBYTES]; + uint8_t cmp[KYBER_CIPHERTEXTBYTES_MAX + KYBER_SYMBYTES]; + const uint8_t *pk = sk + params->indcpa_secret_key_bytes; indcpa_dec(params, buf, ct, sk); /* Multitarget countermeasure for coins + contributory KEM */ - memcpy(buf+KYBER_SYMBYTES, sk+params->secret_key_bytes-2*KYBER_SYMBYTES, KYBER_SYMBYTES); - hash_g(kr, buf, 2*KYBER_SYMBYTES); + memcpy(buf + KYBER_SYMBYTES, + sk + params->secret_key_bytes - 2 * KYBER_SYMBYTES, KYBER_SYMBYTES); + hash_g(kr, buf, 2 * KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ - indcpa_enc(params, cmp, buf, pk, kr+KYBER_SYMBYTES); + indcpa_enc(params, cmp, buf, pk, kr + KYBER_SYMBYTES); fail = verify(ct, cmp, params->ciphertext_bytes); /* Compute rejection key */ - rkprf(params, ss,sk+params->secret_key_bytes-KYBER_SYMBYTES,ct); + rkprf(params, ss, sk + params->secret_key_bytes - KYBER_SYMBYTES, ct); /* Copy true key to return buffer if fail is false */ - cmov(ss,kr,KYBER_SYMBYTES,!fail); + cmov(ss, kr, KYBER_SYMBYTES, !fail); // FIPS 203. Section 3.3 Destruction of intermediate values. OPENSSL_cleanse(buf, sizeof(buf)); diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.h index 39873a5d8a..95860756cf 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.h +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.h 
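Review bot: The crypto_kem_dec header still says `* Returns 0.`, but the first statement after the new signature is `if (decapsulation_key_hash_check(params, sk) != 0) { return 1; }`, so the comment contradicts the code; the crypto_kem_enc header in the previous hunk already documents its matching `1` return. That early return also happens before anything is written to `ss`, so the sentence `On failure, ss will contain a pseudo-random value` only describes the implicit-rejection path where `cmov` leaves the `rkprf` output in place, and a caller that ignores the return value would be left with whatever its `ss` buffer held before the call. I'd change the two lines to `* Returns 0 (success), or 1 when the decapsulation key hash check fails.` and `* On implicit rejection (ciphertext mismatch) the function returns 0 and ss holds the pseudo-random rkprf output; on a hash-check failure ss is left untouched.` The rest of crypto_kem_dec continues outside the hunk.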
@@ -5,18 +5,22 @@ #include "params.h" #define crypto_kem_keypair_derand KYBER_NAMESPACE(keypair_derand) -int crypto_kem_keypair_derand(ml_kem_params *params, uint8_t *pk, uint8_t *sk, const uint8_t *coins); +int crypto_kem_keypair_derand(ml_kem_params *params, uint8_t *pk, uint8_t *sk, + const uint8_t *coins); #define crypto_kem_keypair KYBER_NAMESPACE(keypair) int crypto_kem_keypair(ml_kem_params *params, uint8_t *pk, uint8_t *sk); #define crypto_kem_enc_derand KYBER_NAMESPACE(enc_derand) -int crypto_kem_enc_derand(ml_kem_params * params, uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins); +int crypto_kem_enc_derand(ml_kem_params *params, uint8_t *ct, uint8_t *ss, + const uint8_t *pk, const uint8_t *coins); #define crypto_kem_enc KYBER_NAMESPACE(enc) -int crypto_kem_enc(ml_kem_params * params, uint8_t *ct, uint8_t *ss, const uint8_t *pk); +int crypto_kem_enc(ml_kem_params *params, uint8_t *ct, uint8_t *ss, + const uint8_t *pk); #define crypto_kem_dec KYBER_NAMESPACE(dec) -int crypto_kem_dec(ml_kem_params * params, uint8_t *ss, const uint8_t *ct, const uint8_t *sk); +int crypto_kem_dec(ml_kem_params *params, uint8_t *ss, const uint8_t *ct, + const uint8_t *sk); #endif diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.c index 2f2eb10b2f..891472fbfe 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.c +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.c @@ -1,6 +1,6 @@ +#include "ntt.h" #include #include "params.h" -#include "ntt.h" #include "reduce.h" /* Code to generate zetas and zetas_inv used in the number-theoretic transform: 
@@ -37,55 +37,51 @@ void init_ntt() { */ const int16_t zetas[128] = { - -1044, -758, -359, -1517, 1493, 1422, 287, 202, - -171, 622, 1577, 182, 962, -1202, -1474, 1468, - 573, -1325, 264, 383, -829, 1458, -1602, -130, - -681, 1017, 732, 608, -1542, 411, -205, -1571, - 1223, 652, -552, 1015, -1293, 1491, -282, -1544, - 516, -8, -320, -666, -1618, -1162, 126, 1469, - -853, -90, -271, 830, 107, -1421, -247, -951, - -398, 961, -1508, -725, 448, -1065, 677, -1275, - -1103, 430, 555, 843, -1251, 871, 1550, 105, - 422, 587, 177, -235, -291, -460, 1574, 1653, - -246, 778, 1159, -147, -777, 1483, -602, 1119, - -1590, 644, -872, 349, 418, 329, -156, -75, - 817, 1097, 603, 610, 1322, -1285, -1465, 384, - -1215, -136, 1218, -1335, -874, 220, -1187, -1659, - -1185, -1530, -1278, 794, -1510, -854, -870, 478, - -108, -308, 996, 991, 958, -1460, 1522, 1628 -}; + -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, + 182, 962, -1202, -1474, 1468, 573, -1325, 264, 383, -829, 1458, + -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571, 1223, + 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, + -1618, -1162, 126, 1469, -853, -90, -271, 830, 107, -1421, -247, + -951, -398, 961, -1508, -725, 448, -1065, 677, -1275, -1103, 430, + 555, 843, -1251, 871, 1550, 105, 422, 587, 177, -235, -291, + -460, 1574, 1653, -246, 778, 1159, -147, -777, 1483, -602, 1119, + -1590, 644, -872, 349, 418, 329, -156, -75, 817, 1097, 603, + 610, 1322, -1285, -1465, 384, -1215, -136, 1218, -1335, -874, 220, + -1187, -1659, -1185, -1530, -1278, 794, -1510, -854, -870, 478, -108, + -308, 996, 991, 958, -1460, 1522, 1628}; /************************************************* -* Name: fqmul -* -* Description: Multiplication followed by Montgomery reduction -* -* Arguments: - int16_t a: first factor -* - int16_t b: second factor -* -* Returns 16-bit integer congruent to a*b*R^{-1} mod q -**************************************************/ + * Name: fqmul + * + * Description: 
Multiplication followed by Montgomery reduction + * + * Arguments: - int16_t a: first factor + * - int16_t b: second factor + * + * Returns 16-bit integer congruent to a*b*R^{-1} mod q + **************************************************/ static int16_t fqmul(int16_t a, int16_t b) { - return montgomery_reduce((int32_t)a*b); + return montgomery_reduce((int32_t)a * b); } /************************************************* -* Name: ntt -* -* Description: Inplace number-theoretic transform (NTT) in Rq. -* input is in standard order, output is in bitreversed order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ + * Name: ntt + * + * Description: Inplace number-theoretic transform (NTT) in Rq. + * input is in standard order, output is in bitreversed order + * + * Arguments: - int16_t r[256]: pointer to input/output vector of elements of + *Zq + **************************************************/ void ntt(int16_t r[256]) { unsigned int len, start, j, k; int16_t t, zeta; k = 1; - for(len = 128; len >= 2; len >>= 1) { - for(start = 0; start < 256; start = j + len) { + for (len = 128; len >= 2; len >>= 1) { + for (start = 0; start < 256; start = j + len) { zeta = zetas[k++]; - for(j = start; j < start + len; j++) { + for (j = start; j < start + len; j++) { t = fqmul(zeta, r[j + len]); r[j + len] = r[j] - t; r[j] = r[j] + t; 
@@ -95,24 +91,25 @@ void ntt(int16_t r[256]) { } /************************************************* -* Name: invntt_tomont -* -* Description: Inplace inverse number-theoretic transform in Rq and -* multiplication by Montgomery factor 2^16. -* Input is in bitreversed order, output is in standard order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ + * Name: invntt_tomont + * + * Description: Inplace inverse number-theoretic transform in Rq and + * multiplication by Montgomery factor 2^16. + * Input is in bitreversed order, output is in standard order + * + * Arguments: - int16_t r[256]: pointer to input/output vector of elements of + *Zq + **************************************************/ void invntt(int16_t r[256]) { unsigned int start, len, j, k; int16_t t, zeta; - const int16_t f = 1441; // mont^2/128 + const int16_t f = 1441; // mont^2/128 k = 127; - for(len = 2; len <= 128; len <<= 1) { - for(start = 0; start < 256; start = j + len) { + for (len = 2; len <= 128; len <<= 1) { + for (start = 0; start < 256; start = j + len) { zeta = zetas[k--]; - for(j = start; j < start + len; j++) { + for (j = start; j < start + len; j++) { t = r[j]; r[j] = barrett_reduce(t + r[j + len]); r[j + len] = r[j + len] - t; 
@@ -121,26 +118,26 @@ void invntt(int16_t r[256]) { } } - for(j = 0; j < 256; j++) + for (j = 0; j < 256; j++) r[j] = fqmul(r[j], f); } /************************************************* -* Name: basemul -* -* Description: Multiplication of polynomials in Zq[X]/(X^2-zeta) -* used for multiplication of elements in Rq in NTT domain -* -* Arguments: - int16_t r[2]: pointer to the output polynomial -* - const int16_t a[2]: pointer to the first factor -* - const int16_t b[2]: pointer to the second factor -* - int16_t zeta: integer defining the reduction polynomial -**************************************************/ -void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) -{ - r[0] = fqmul(a[1], b[1]); - r[0] = fqmul(r[0], zeta); + * Name: basemul + * + * Description: Multiplication of polynomials in Zq[X]/(X^2-zeta) + * used for multiplication of elements in Rq in NTT domain + * + * Arguments: - int16_t r[2]: pointer to the output polynomial + * - const int16_t a[2]: pointer to the first factor + * - const int16_t b[2]: pointer to the second factor + * - int16_t zeta: integer defining the reduction polynomial + **************************************************/ +void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], + int16_t zeta) { + r[0] = fqmul(a[1], b[1]); + r[0] = fqmul(r[0], zeta); r[0] += fqmul(a[0], b[0]); - r[1] = fqmul(a[0], b[1]); + r[1] = fqmul(a[0], b[1]); r[1] += fqmul(a[1], b[0]); } diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.h index 04636ad0c5..15eab4b33f 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.h +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.h @@ -14,6 +14,7 @@ void ntt(int16_t poly[256]); void invntt(int16_t poly[256]); #define basemul KYBER_NAMESPACE(basemul) -void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); +void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], + int16_t zeta); #endif 
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/params.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/params.c index bc685b1bbd..e6483d9f48 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/params.c +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/params.c @@ -13,7 +13,8 @@ static void ml_kem_params_init(ml_kem_params *params, size_t k) { size_t indcpa_secret_key_bytes = poly_vec_bytes; size_t indcpa_bytes = poly_vec_compressed_bytes + poly_compressed_bytes; size_t public_key_bytes = indcpa_public_key_bytes; - size_t secret_key_bytes = indcpa_secret_key_bytes + indcpa_public_key_bytes + 2*KYBER_SYMBYTES; + size_t secret_key_bytes = + indcpa_secret_key_bytes + indcpa_public_key_bytes + 2 * KYBER_SYMBYTES; size_t ciphertext_bytes = indcpa_bytes; params->k = k; @@ -38,4 +39,3 @@ void ml_kem_768_params_init(ml_kem_params *params) { void ml_kem_1024_params_init(ml_kem_params *params) { ml_kem_params_init(params, 4); } - diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/params.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/params.h index fd796614f4..5f439719b9 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/params.h +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/params.h @@ -10,14 +10,14 @@ #define KYBER_N 256 #define KYBER_Q 3329 -#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */ -#define KYBER_SSBYTES 32 /* size in bytes of shared key */ +#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */ +#define KYBER_SSBYTES 32 /* size in bytes of shared key */ -#define KYBER_POLYBYTES 384 +#define KYBER_POLYBYTES 384 #define KYBER_ETA2 2 -#define KYBER_INDCPA_MSGBYTES (KYBER_SYMBYTES) +#define KYBER_INDCPA_MSGBYTES (KYBER_SYMBYTES) // Structure for ML-KEM parameters that depend on the parameter set. typedef struct { 
@@ -38,10 +38,11 @@ typedef struct { // for static allocation. #define KYBER_K_MAX (4) #define KYBER_ETA1_MAX (3) -#define KYBER_POLYCOMPRESSEDBYTES_MAX (160) +#define KYBER_POLYCOMPRESSEDBYTES_MAX (160) #define KYBER_POLYVECCOMPRESSEDBYTES_MAX (4 * 352) -#define KYBER_INDCPA_BYTES_MAX (KYBER_POLYVECCOMPRESSEDBYTES_MAX + KYBER_POLYCOMPRESSEDBYTES_MAX) +#define KYBER_INDCPA_BYTES_MAX \ + (KYBER_POLYVECCOMPRESSEDBYTES_MAX + KYBER_POLYCOMPRESSEDBYTES_MAX) #define KYBER_CIPHERTEXTBYTES_MAX (KYBER_INDCPA_BYTES_MAX) #define KYBER_NAMESPACE(s) ml_kem_##s##_ref diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/poly.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/poly.c index 58f92aff61..246aae53c8 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/poly.c +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/poly.c @@ -2,27 +2,26 @@ #include +#include "cbd.h" +#include "ntt.h" #include "params.h" #include "poly.h" -#include "ntt.h" #include "reduce.h" -#include "cbd.h" #include "symmetric.h" #include "../../../internal.h" /************************************************* -* Name: poly_compress -* -* Description: Compression and subsequent serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (of length KYBER_POLYCOMPRESSEDBYTES) -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_compress(ml_kem_params *params, uint8_t *r, const poly *a) -{ - unsigned int i,j; + * Name: poly_compress + * + * Description: Compression and subsequent serialization of a polynomial + * + * Arguments: - uint8_t *r: pointer to output byte array + * (of length KYBER_POLYCOMPRESSEDBYTES) + * - const poly *a: pointer to input polynomial + **************************************************/ +void poly_compress(ml_kem_params *params, uint8_t *r, const poly *a) { + unsigned int i, j; int32_t u; uint32_t d0; uint8_t t[8]; 
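Review bot: In the poly.c include block, `cbd.h` and `ntt.h` are now included before `params.h`, which is an include-order change rather than whitespace: ntt.h visibly uses `KYBER_NAMESPACE` (see its hunk above), so if it does not include `params.h` itself it would no longer compile when included first. The build presumably passed, but it is worth confirming that both headers are self-contained, or pinning the previous order with `// clang-format off` / `// clang-format on` around the block so future formatter runs cannot reorder it. The same reorder moves `polyvec.h` ahead of the system include at the top of polyvec.c in a later hunk.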
@@ -31,10 +30,10 @@ void poly_compress(ml_kem_params *params, uint8_t *r, const poly *a) (params->poly_compressed_bytes == 160)); if (params->poly_compressed_bytes == 128) { - for(i=0;icoeffs[8*i+j]; + u = a->coeffs[8 * i + j]; u += (u >> 15) & KYBER_Q; // t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; d0 = u << 4; @@ -43,7 +42,7 @@ void poly_compress(ml_kem_params *params, uint8_t *r, const poly *a) d0 >>= 28; t[j] = d0 & 0xf; } - + r[0] = t[0] | (t[1] << 4); r[1] = t[2] | (t[3] << 4); r[2] = t[4] | (t[5] << 4); @@ -51,10 +50,10 @@ void poly_compress(ml_kem_params *params, uint8_t *r, const poly *a) r += 4; } } else { - for(i=0;icoeffs[8*i+j]; + u = a->coeffs[8 * i + j]; u += (u >> 15) & KYBER_Q; // t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; d0 = u << 5; @@ -63,7 +62,7 @@ void poly_compress(ml_kem_params *params, uint8_t *r, const poly *a) d0 >>= 27; t[j] = d0 & 0x1f; } - + r[0] = (t[0] >> 0) | (t[1] << 5); r[1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); r[2] = (t[3] >> 1) | (t[4] << 4); 
@@ -75,32 +74,31 @@ void poly_compress(ml_kem_params *params, uint8_t *r, const poly *a) } /************************************************* -* Name: poly_decompress -* -* Description: De-serialization and subsequent decompression of a polynomial; -* approximate inverse of poly_compress -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYCOMPRESSEDBYTES bytes) -**************************************************/ -void poly_decompress(ml_kem_params *params, poly *r, const uint8_t *a) -{ + * Name: poly_decompress + * + * Description: De-serialization and subsequent decompression of a polynomial; + * approximate inverse of poly_compress + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *a: pointer to input byte array + * (of length KYBER_POLYCOMPRESSEDBYTES bytes) + **************************************************/ +void poly_decompress(ml_kem_params *params, poly *r, const uint8_t *a) { unsigned int i; assert((params->poly_compressed_bytes == 128) || (params->poly_compressed_bytes == 160)); if (params->poly_compressed_bytes == 128) { - for(i=0;icoeffs[2*i+0] = (((uint16_t)(a[0] & 15)*KYBER_Q) + 8) >> 4; - r->coeffs[2*i+1] = (((uint16_t)(a[0] >> 4)*KYBER_Q) + 8) >> 4; + for (i = 0; i < KYBER_N / 2; i++) { + r->coeffs[2 * i + 0] = (((uint16_t)(a[0] & 15) * KYBER_Q) + 8) >> 4; + r->coeffs[2 * i + 1] = (((uint16_t)(a[0] >> 4) * KYBER_Q) + 8) >> 4; a += 1; } } else { unsigned int j; uint8_t t[8]; - for(i=0;i> 0); t[1] = (a[0] >> 5) | (a[1] << 3); t[2] = (a[1] >> 2); 
@@ -111,104 +109,102 @@ void poly_decompress(ml_kem_params *params, poly *r, const uint8_t *a) t[7] = (a[4] >> 3); a += 5; - for(j=0;j<8;j++) - r->coeffs[8*i+j] = ((uint32_t)(t[j] & 31)*KYBER_Q + 16) >> 5; + for (j = 0; j < 8; j++) + r->coeffs[8 * i + j] = ((uint32_t)(t[j] & 31) * KYBER_Q + 16) >> 5; } } } /************************************************* -* Name: poly_tobytes -* -* Description: Serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYBYTES bytes) -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a) -{ + * Name: poly_tobytes + * + * Description: Serialization of a polynomial + * + * Arguments: - uint8_t *r: pointer to output byte array + * (needs space for KYBER_POLYBYTES bytes) + * - const poly *a: pointer to input polynomial + **************************************************/ +void poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a) { unsigned int i; uint16_t t0, t1; - for(i=0;icoeffs[2*i]; + t0 = a->coeffs[2 * i]; t0 += ((int16_t)t0 >> 15) & KYBER_Q; - t1 = a->coeffs[2*i+1]; + t1 = a->coeffs[2 * i + 1]; t1 += ((int16_t)t1 >> 15) & KYBER_Q; - r[3*i+0] = (t0 >> 0); - r[3*i+1] = (t0 >> 8) | (t1 << 4); - r[3*i+2] = (t1 >> 4); + r[3 * i + 0] = (t0 >> 0); + r[3 * i + 1] = (t0 >> 8) | (t1 << 4); + r[3 * i + 2] = (t1 >> 4); } } /************************************************* -* Name: poly_frombytes -* -* Description: De-serialization of a polynomial; -* inverse of poly_tobytes -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of KYBER_POLYBYTES bytes) -**************************************************/ -void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) -{ + * Name: poly_frombytes + * + * Description: De-serialization of a polynomial; + * inverse of poly_tobytes + * + * Arguments: - poly *r: pointer 
to output polynomial + * - const uint8_t *a: pointer to input byte array + * (of KYBER_POLYBYTES bytes) + **************************************************/ +void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) { unsigned int i; - for(i=0;icoeffs[2*i] = ((a[3*i+0] >> 0) | ((uint16_t)a[3*i+1] << 8)) & 0xFFF; - r->coeffs[2*i+1] = ((a[3*i+1] >> 4) | ((uint16_t)a[3*i+2] << 4)) & 0xFFF; + for (i = 0; i < KYBER_N / 2; i++) { + r->coeffs[2 * i] = + ((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) & 0xFFF; + r->coeffs[2 * i + 1] = + ((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) & 0xFFF; } } /************************************************* -* Name: poly_frommsg -* -* Description: Convert 32-byte message to polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *msg: pointer to input message -**************************************************/ -void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) -{ - unsigned int i,j; + * Name: poly_frommsg + * + * Description: Convert 32-byte message to polynomial + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *msg: pointer to input message + **************************************************/ +void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) { + unsigned int i, j; crypto_word_t mask; -#if (KYBER_INDCPA_MSGBYTES != KYBER_N/8) +#if (KYBER_INDCPA_MSGBYTES != KYBER_N / 8) #error "KYBER_INDCPA_MSGBYTES must be equal to KYBER_N/8 bytes!" #endif - for(i=0;i> j) & 1); // We cast the result of constant_time_select_w, which is a crypto_word_t, // to int16_t. The constants must be within the range of int16_t. 
- OPENSSL_STATIC_ASSERT(((KYBER_Q+1)/2) <= INT16_MAX, + OPENSSL_STATIC_ASSERT(((KYBER_Q + 1) / 2) <= INT16_MAX, value_exceeds_int16_max); - r->coeffs[8*i+j] = (int16_t) constant_time_select_w(mask, - 0, ((KYBER_Q+1)/2)); + r->coeffs[8 * i + j] = + (int16_t)constant_time_select_w(mask, 0, ((KYBER_Q + 1) / 2)); } } } /************************************************* -* Name: poly_tomsg -* -* Description: Convert polynomial to 32-byte message -* -* Arguments: - uint8_t *msg: pointer to output message -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) -{ - unsigned int i,j; + * Name: poly_tomsg + * + * Description: Convert polynomial to 32-byte message + * + * Arguments: - uint8_t *msg: pointer to output message + * - const poly *a: pointer to input polynomial + **************************************************/ +void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) { + unsigned int i, j; uint32_t t; - for(i=0;icoeffs[8*i+j]; + for (j = 0; j < 8; j++) { + t = a->coeffs[8 * i + j]; // t += ((int16_t)t >> 15) & KYBER_Q; // t = (((t << 1) + KYBER_Q/2)/KYBER_Q) & 1; t <<= 1; 
@@ -222,150 +218,145 @@ void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) } /************************************************* -* Name: poly_getnoise_eta1 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA1 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void poly_getnoise_eta1(ml_kem_params *params, poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t buf[KYBER_ETA1_MAX*KYBER_N/4]; + * Name: poly_getnoise_eta1 + * + * Description: Sample a polynomial deterministically from a seed and a nonce, + * with output polynomial close to centered binomial distribution + * with parameter KYBER_ETA1 + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *seed: pointer to input seed + * (of length KYBER_SYMBYTES bytes) + * - uint8_t nonce: one-byte input nonce + **************************************************/ +void poly_getnoise_eta1(ml_kem_params *params, poly *r, + const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) { + uint8_t buf[KYBER_ETA1_MAX * KYBER_N / 4]; prf(buf, sizeof(buf), seed, nonce); poly_cbd_eta1(params, r, buf); } /************************************************* -* Name: poly_getnoise_eta2 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) -{ - 
uint8_t buf[KYBER_ETA2*KYBER_N/4]; + * Name: poly_getnoise_eta2 + * + * Description: Sample a polynomial deterministically from a seed and a nonce, + * with output polynomial close to centered binomial distribution + * with parameter KYBER_ETA2 + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *seed: pointer to input seed + * (of length KYBER_SYMBYTES bytes) + * - uint8_t nonce: one-byte input nonce + **************************************************/ +void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], + uint8_t nonce) { + uint8_t buf[KYBER_ETA2 * KYBER_N / 4]; prf(buf, sizeof(buf), seed, nonce); poly_cbd_eta2(r, buf); } /************************************************* -* Name: poly_ntt -* -* Description: Computes negacyclic number-theoretic transform (NTT) of -* a polynomial in place; -* inputs assumed to be in normal order, output in bitreversed order -* -* Arguments: - uint16_t *r: pointer to in/output polynomial -**************************************************/ -void poly_ntt(poly *r) -{ + * Name: poly_ntt + * + * Description: Computes negacyclic number-theoretic transform (NTT) of + * a polynomial in place; + * inputs assumed to be in normal order, output in bitreversed + *order + * + * Arguments: - uint16_t *r: pointer to in/output polynomial + **************************************************/ +void poly_ntt(poly *r) { ntt(r->coeffs); poly_reduce(r); } /************************************************* -* Name: poly_invntt_tomont -* -* Description: Computes inverse of negacyclic number-theoretic transform (NTT) -* of a polynomial in place; -* inputs assumed to be in bitreversed order, output in normal order -* -* Arguments: - uint16_t *a: pointer to in/output polynomial -**************************************************/ -void poly_invntt_tomont(poly *r) -{ - invntt(r->coeffs); -} + * Name: poly_invntt_tomont + * + * Description: Computes inverse of negacyclic number-theoretic transform (NTT) + * of a 
polynomial in place; + * inputs assumed to be in bitreversed order, output in normal + *order + * + * Arguments: - uint16_t *a: pointer to in/output polynomial + **************************************************/ +void poly_invntt_tomont(poly *r) { invntt(r->coeffs); } /************************************************* -* Name: poly_basemul_montgomery -* -* Description: Multiplication of two polynomials in NTT domain -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_basemul_montgomery(poly *r, const poly *a, const poly *b) -{ + * Name: poly_basemul_montgomery + * + * Description: Multiplication of two polynomials in NTT domain + * + * Arguments: - poly *r: pointer to output polynomial + * - const poly *a: pointer to first input polynomial + * - const poly *b: pointer to second input polynomial + **************************************************/ +void poly_basemul_montgomery(poly *r, const poly *a, const poly *b) { unsigned int i; - for(i=0;icoeffs[4*i], &a->coeffs[4*i], &b->coeffs[4*i], zetas[64+i]); - basemul(&r->coeffs[4*i+2], &a->coeffs[4*i+2], &b->coeffs[4*i+2], -zetas[64+i]); + for (i = 0; i < KYBER_N / 4; i++) { + basemul(&r->coeffs[4 * i], &a->coeffs[4 * i], &b->coeffs[4 * i], + zetas[64 + i]); + basemul(&r->coeffs[4 * i + 2], &a->coeffs[4 * i + 2], &b->coeffs[4 * i + 2], + -zetas[64 + i]); } } /************************************************* -* Name: poly_tomont -* -* Description: Inplace conversion of all coefficients of a polynomial -* from normal domain to Montgomery domain -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void poly_tomont(poly *r) -{ + * Name: poly_tomont + * + * Description: Inplace conversion of all coefficients of a polynomial + * from normal domain to Montgomery domain + * + * 
Arguments: - poly *r: pointer to input/output polynomial + **************************************************/ +void poly_tomont(poly *r) { unsigned int i; const int16_t f = (1ULL << 32) % KYBER_Q; - for(i=0;icoeffs[i] = montgomery_reduce((int32_t)r->coeffs[i]*f); + for (i = 0; i < KYBER_N; i++) + r->coeffs[i] = montgomery_reduce((int32_t)r->coeffs[i] * f); } /************************************************* -* Name: poly_reduce -* -* Description: Applies Barrett reduction to all coefficients of a polynomial -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void poly_reduce(poly *r) -{ + * Name: poly_reduce + * + * Description: Applies Barrett reduction to all coefficients of a polynomial + * for details of the Barrett reduction see comments in reduce.c + * + * Arguments: - poly *r: pointer to input/output polynomial + **************************************************/ +void poly_reduce(poly *r) { unsigned int i; - for(i=0;icoeffs[i] = barrett_reduce(r->coeffs[i]); } /************************************************* -* Name: poly_add -* -* Description: Add two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_add(poly *r, const poly *a, const poly *b) -{ + * Name: poly_add + * + * Description: Add two polynomials; no modular reduction is performed + * + * Arguments: - poly *r: pointer to output polynomial + * - const poly *a: pointer to first input polynomial + * - const poly *b: pointer to second input polynomial + **************************************************/ +void poly_add(poly *r, const poly *a, const poly *b) { unsigned int i; - for(i=0;icoeffs[i] = a->coeffs[i] + b->coeffs[i]; } 
/************************************************* -* Name: poly_sub -* -* Description: Subtract two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_sub(poly *r, const poly *a, const poly *b) -{ + * Name: poly_sub + * + * Description: Subtract two polynomials; no modular reduction is performed + * + * Arguments: - poly *r: pointer to output polynomial + * - const poly *a: pointer to first input polynomial + * - const poly *b: pointer to second input polynomial + **************************************************/ +void poly_sub(poly *r, const poly *a, const poly *b) { unsigned int i; - for(i=0;icoeffs[i] = a->coeffs[i] - b->coeffs[i]; } diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/poly.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/poly.h index df9b1fab14..296233973a 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/poly.h +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/poly.h @@ -8,7 +8,7 @@ * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial * coeffs[0] + X*coeffs[1] + X^2*coeffs[2] + ... + X^{n-1}*coeffs[n-1] */ -typedef struct{ +typedef struct { int16_t coeffs[KYBER_N]; } poly; 
@@ -28,10 +28,12 @@ void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *r); #define poly_getnoise_eta1 KYBER_NAMESPACE(poly_getnoise_eta1) -void poly_getnoise_eta1(ml_kem_params *params, poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); +void poly_getnoise_eta1(ml_kem_params *params, poly *r, + const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); #define poly_getnoise_eta2 KYBER_NAMESPACE(poly_getnoise_eta2) -void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); +void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], + uint8_t nonce); #define poly_ntt KYBER_NAMESPACE(poly_ntt) void poly_ntt(poly *r); diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.c index 973dc8cd8b..a5dd957519 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.c +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.c 
@@ -1,20 +1,19 @@ +#include "polyvec.h" #include #include "params.h" #include "poly.h" -#include "polyvec.h" /************************************************* -* Name: polyvec_compress -* -* Description: Compress and serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECCOMPRESSEDBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void polyvec_compress(ml_kem_params *params, uint8_t *r, const polyvec *a) -{ - unsigned int i,j,k; + * Name: polyvec_compress + * + * Description: Compress and serialize vector of polynomials + * + * Arguments: - uint8_t *r: pointer to output byte array + * (needs space for KYBER_POLYVECCOMPRESSEDBYTES) + * - const polyvec *a: pointer to input vector of polynomials + **************************************************/ +void polyvec_compress(ml_kem_params *params, uint8_t *r, const polyvec *a) { + unsigned int i, j, k; uint64_t d0; assert((params->poly_vec_compressed_bytes == params->k * 352) || @@ -22,10 +21,10 @@ void polyvec_compress(ml_kem_params *params, uint8_t *r, const polyvec *a) if (params->poly_vec_compressed_bytes == params->k * 352) { uint16_t t[8]; - for(i=0;ik;i++) { - for(j=0;jvec[i].coeffs[8*j+k]; + for (i = 0; i < params->k; i++) { + for (j = 0; j < KYBER_N / 8; j++) { + for (k = 0; k < 8; k++) { + t[k] = a->vec[i].coeffs[8 * j + k]; t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; // t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; d0 = t[k]; 
@@ -36,26 +35,26 @@ void polyvec_compress(ml_kem_params *params, uint8_t *r, const polyvec *a) t[k] = d0 & 0x7ff; } - r[ 0] = (t[0] >> 0); - r[ 1] = (t[0] >> 8) | (t[1] << 3); - r[ 2] = (t[1] >> 5) | (t[2] << 6); - r[ 3] = (t[2] >> 2); - r[ 4] = (t[2] >> 10) | (t[3] << 1); - r[ 5] = (t[3] >> 7) | (t[4] << 4); - r[ 6] = (t[4] >> 4) | (t[5] << 7); - r[ 7] = (t[5] >> 1); - r[ 8] = (t[5] >> 9) | (t[6] << 2); - r[ 9] = (t[6] >> 6) | (t[7] << 5); - r[10] = (t[7] >> 3); + r[0] = (t[0] >> 0); + r[1] = (t[0] >> 8) | (t[1] << 3); + r[2] = (t[1] >> 5) | (t[2] << 6); + r[3] = (t[2] >> 2); + r[4] = (t[2] >> 10) | (t[3] << 1); + r[5] = (t[3] >> 7) | (t[4] << 4); + r[6] = (t[4] >> 4) | (t[5] << 7); + r[7] = (t[5] >> 1); + r[8] = (t[5] >> 9) | (t[6] << 2); + r[9] = (t[6] >> 6) | (t[7] << 5); + r[10] = (t[7] >> 3); r += 11; } } } else { uint16_t t[4]; - for(i=0;ik;i++) { - for(j=0;jvec[i].coeffs[4*j+k]; + for (i = 0; i < params->k; i++) { + for (j = 0; j < KYBER_N / 4; j++) { + for (k = 0; k < 4; k++) { + t[k] = a->vec[i].coeffs[4 * j + k]; t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; // t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; d0 = t[k]; 
@@ -78,136 +77,133 @@ void polyvec_compress(ml_kem_params *params, uint8_t *r, const polyvec *a) } /************************************************* -* Name: polyvec_decompress -* -* Description: De-serialize and decompress vector of polynomials; -* approximate inverse of polyvec_compress -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYVECCOMPRESSEDBYTES) -**************************************************/ -void polyvec_decompress(ml_kem_params *params, polyvec *r, const uint8_t *a) -{ - unsigned int i,j,k; + * Name: polyvec_decompress + * + * Description: De-serialize and decompress vector of polynomials; + * approximate inverse of polyvec_compress + * + * Arguments: - polyvec *r: pointer to output vector of polynomials + * - const uint8_t *a: pointer to input byte array + * (of length KYBER_POLYVECCOMPRESSEDBYTES) + **************************************************/ +void polyvec_decompress(ml_kem_params *params, polyvec *r, const uint8_t *a) { + unsigned int i, j, k; assert((params->poly_vec_compressed_bytes == params->k * 352) || (params->poly_vec_compressed_bytes == params->k * 320)); if (params->poly_vec_compressed_bytes == params->k * 352) { uint16_t t[8]; - for(i=0;ik;i++) { - for(j=0;j> 0) | ((uint16_t)a[ 1] << 8); - t[1] = (a[1] >> 3) | ((uint16_t)a[ 2] << 5); - t[2] = (a[2] >> 6) | ((uint16_t)a[ 3] << 2) | ((uint16_t)a[4] << 10); - t[3] = (a[4] >> 1) | ((uint16_t)a[ 5] << 7); - t[4] = (a[5] >> 4) | ((uint16_t)a[ 6] << 4); - t[5] = (a[6] >> 7) | ((uint16_t)a[ 7] << 1) | ((uint16_t)a[8] << 9); - t[6] = (a[8] >> 2) | ((uint16_t)a[ 9] << 6); + for (i = 0; i < params->k; i++) { + for (j = 0; j < KYBER_N / 8; j++) { + t[0] = (a[0] >> 0) | ((uint16_t)a[1] << 8); + t[1] = (a[1] >> 3) | ((uint16_t)a[2] << 5); + t[2] = (a[2] >> 6) | ((uint16_t)a[3] << 2) | ((uint16_t)a[4] << 10); + t[3] = (a[4] >> 1) | ((uint16_t)a[5] << 7); + t[4] = (a[5] >> 4) | ((uint16_t)a[6] 
<< 4); + t[5] = (a[6] >> 7) | ((uint16_t)a[7] << 1) | ((uint16_t)a[8] << 9); + t[6] = (a[8] >> 2) | ((uint16_t)a[9] << 6); t[7] = (a[9] >> 5) | ((uint16_t)a[10] << 3); a += 11; - - for(k=0;k<8;k++) - r->vec[i].coeffs[8*j+k] = ((uint32_t)(t[k] & 0x7FF)*KYBER_Q + 1024) >> 11; + + for (k = 0; k < 8; k++) + r->vec[i].coeffs[8 * j + k] = + ((uint32_t)(t[k] & 0x7FF) * KYBER_Q + 1024) >> 11; } } } else { uint16_t t[4]; - for(i=0;ik;i++) { - for(j=0;jk; i++) { + for (j = 0; j < KYBER_N / 4; j++) { t[0] = (a[0] >> 0) | ((uint16_t)a[1] << 8); t[1] = (a[1] >> 2) | ((uint16_t)a[2] << 6); t[2] = (a[2] >> 4) | ((uint16_t)a[3] << 4); t[3] = (a[3] >> 6) | ((uint16_t)a[4] << 2); a += 5; - - for(k=0;k<4;k++) - r->vec[i].coeffs[4*j+k] = ((uint32_t)(t[k] & 0x3FF)*KYBER_Q + 512) >> 10; + + for (k = 0; k < 4; k++) + r->vec[i].coeffs[4 * j + k] = + ((uint32_t)(t[k] & 0x3FF) * KYBER_Q + 512) >> 10; } } } } /************************************************* -* Name: polyvec_tobytes -* -* Description: Serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void polyvec_tobytes(ml_kem_params *params, uint8_t *r, const polyvec *a) -{ + * Name: polyvec_tobytes + * + * Description: Serialize vector of polynomials + * + * Arguments: - uint8_t *r: pointer to output byte array + * (needs space for KYBER_POLYVECBYTES) + * - const polyvec *a: pointer to input vector of polynomials + **************************************************/ +void polyvec_tobytes(ml_kem_params *params, uint8_t *r, const polyvec *a) { unsigned int i; - for(i=0;ik;i++) - poly_tobytes(r+i*KYBER_POLYBYTES, &a->vec[i]); + for (i = 0; i < params->k; i++) + poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } /************************************************* -* Name: polyvec_frombytes -* -* Description: De-serialize vector of polynomials; -* 
inverse of polyvec_tobytes -* -* Arguments: - uint8_t *r: pointer to output byte array -* - const polyvec *a: pointer to input vector of polynomials -* (of length KYBER_POLYVECBYTES) -**************************************************/ -void polyvec_frombytes(ml_kem_params *params, polyvec *r, const uint8_t *a) -{ + * Name: polyvec_frombytes + * + * Description: De-serialize vector of polynomials; + * inverse of polyvec_tobytes + * + * Arguments: - uint8_t *r: pointer to output byte array + * - const polyvec *a: pointer to input vector of polynomials + * (of length KYBER_POLYVECBYTES) + **************************************************/ +void polyvec_frombytes(ml_kem_params *params, polyvec *r, const uint8_t *a) { unsigned int i; - for(i=0;ik;i++) - poly_frombytes(&r->vec[i], a+i*KYBER_POLYBYTES); + for (i = 0; i < params->k; i++) + poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); } /************************************************* -* Name: polyvec_ntt -* -* Description: Apply forward NTT to all elements of a vector of polynomials -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void polyvec_ntt(ml_kem_params *params, polyvec *r) -{ + * Name: polyvec_ntt + * + * Description: Apply forward NTT to all elements of a vector of polynomials + * + * Arguments: - polyvec *r: pointer to in/output vector of polynomials + **************************************************/ +void polyvec_ntt(ml_kem_params *params, polyvec *r) { unsigned int i; - for(i=0;ik;i++) + for (i = 0; i < params->k; i++) poly_ntt(&r->vec[i]); } /************************************************* -* Name: polyvec_invntt_tomont -* -* Description: Apply inverse NTT to all elements of a vector of polynomials -* and multiply by Montgomery factor 2^16 -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void polyvec_invntt_tomont(ml_kem_params *params, 
polyvec *r) -{ + * Name: polyvec_invntt_tomont + * + * Description: Apply inverse NTT to all elements of a vector of polynomials + * and multiply by Montgomery factor 2^16 + * + * Arguments: - polyvec *r: pointer to in/output vector of polynomials + **************************************************/ +void polyvec_invntt_tomont(ml_kem_params *params, polyvec *r) { unsigned int i; - for(i=0;ik;i++) + for (i = 0; i < params->k; i++) poly_invntt_tomont(&r->vec[i]); } /************************************************* -* Name: polyvec_basemul_acc_montgomery -* -* Description: Multiply elements of a and b in NTT domain, accumulate into r, -* and multiply by 2^-16. -* -* Arguments: - poly *r: pointer to output polynomial -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void polyvec_basemul_acc_montgomery(ml_kem_params *params, poly *r, const polyvec *a, const polyvec *b) -{ + * Name: polyvec_basemul_acc_montgomery + * + * Description: Multiply elements of a and b in NTT domain, accumulate into r, + * and multiply by 2^-16. + * + * Arguments: - poly *r: pointer to output polynomial + * - const polyvec *a: pointer to first input vector of polynomials + * - const polyvec *b: pointer to second input vector of polynomials + **************************************************/ +void polyvec_basemul_acc_montgomery(ml_kem_params *params, poly *r, + const polyvec *a, const polyvec *b) { unsigned int i; poly t; poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); - for(i=1;ik;i++) { + for (i = 1; i < params->k; i++) { poly_basemul_montgomery(&t, &a->vec[i], &b->vec[i]); poly_add(r, r, &t); } 
@@ -216,33 +212,32 @@ void polyvec_basemul_acc_montgomery(ml_kem_params *params, poly *r, const polyve } /************************************************* -* Name: polyvec_reduce -* -* Description: Applies Barrett reduction to each coefficient -* of each element of a vector of polynomials; -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - polyvec *r: pointer to input/output polynomial -**************************************************/ -void polyvec_reduce(ml_kem_params *params, polyvec *r) -{ + * Name: polyvec_reduce + * + * Description: Applies Barrett reduction to each coefficient + * of each element of a vector of polynomials; + * for details of the Barrett reduction see comments in reduce.c + * + * Arguments: - polyvec *r: pointer to input/output polynomial + **************************************************/ +void polyvec_reduce(ml_kem_params *params, polyvec *r) { unsigned int i; - for(i=0;ik;i++) + for (i = 0; i < params->k; i++) poly_reduce(&r->vec[i]); } /************************************************* -* Name: polyvec_add -* -* Description: Add vectors of polynomials -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void polyvec_add(ml_kem_params *params, polyvec *r, const polyvec *a, const polyvec *b) -{ + * Name: polyvec_add + * + * Description: Add vectors of polynomials + * + * Arguments: - polyvec *r: pointer to output vector of polynomials + * - const polyvec *a: pointer to first input vector of polynomials + * - const polyvec *b: pointer to second input vector of polynomials + **************************************************/ +void polyvec_add(ml_kem_params *params, polyvec *r, const polyvec *a, + const polyvec *b) { unsigned int i; - for(i=0;ik;i++) + for (i = 0; i < params->k; i++) 
poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.h index a7b57cafc6..e62e7494f0 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.h +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/polyvec.h @@ -5,7 +5,7 @@ #include "params.h" #include "poly.h" -typedef struct{ +typedef struct { poly vec[KYBER_K_MAX]; } polyvec; @@ -24,13 +24,16 @@ void polyvec_ntt(ml_kem_params *params, polyvec *r); #define polyvec_invntt_tomont KYBER_NAMESPACE(polyvec_invntt_tomont) void polyvec_invntt_tomont(ml_kem_params *params, polyvec *r); -#define polyvec_basemul_acc_montgomery KYBER_NAMESPACE(polyvec_basemul_acc_montgomery) -void polyvec_basemul_acc_montgomery(ml_kem_params *params, poly *r, const polyvec *a, const polyvec *b); +#define polyvec_basemul_acc_montgomery \ + KYBER_NAMESPACE(polyvec_basemul_acc_montgomery) +void polyvec_basemul_acc_montgomery(ml_kem_params *params, poly *r, + const polyvec *a, const polyvec *b); #define polyvec_reduce KYBER_NAMESPACE(polyvec_reduce) void polyvec_reduce(ml_kem_params *params, polyvec *r); #define polyvec_add KYBER_NAMESPACE(polyvec_add) -void polyvec_add(ml_kem_params *params, polyvec *r, const polyvec *a, const polyvec *b); +void polyvec_add(ml_kem_params *params, polyvec *r, const polyvec *a, + const polyvec *b); #endif diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.c index 9d8e7edf83..e2e57e4168 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.c +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.c 
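Review bot: The loop bodies in polyvec_reduce and polyvec_add stay as unbraced single statements after the reformat (`for (i = 0; i < params->k; i++) poly_reduce(&r->vec[i]);`), which clang-format preserves but the rest of the tree writes with braces; adding them while these lines are already being rewritten removes the dangling-statement hazard for later edits. The same applies to polyvec_frombytes, polyvec_ntt and polyvec_invntt_tomont in the preceding hunk. Note also that each banner lists only `polyvec *r` (and `a`, `b`) while the signatures begin with `ml_kem_params *params`; the Arguments sections should mention `params`, whose `k` bounds every loop.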
@@ -1,42 +1,42 @@ +#include "reduce.h" #include #include "params.h" -#include "reduce.h" /************************************************* -* Name: montgomery_reduce -* -* Description: Montgomery reduction; given a 32-bit integer a, computes -* 16-bit integer congruent to a * R^-1 mod q, where R=2^16 -* -* Arguments: - int32_t a: input integer to be reduced; -* has to be in {-q2^15,...,q2^15-1} -* -* Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. -**************************************************/ -int16_t montgomery_reduce(int32_t a) -{ + * Name: montgomery_reduce + * + * Description: Montgomery reduction; given a 32-bit integer a, computes + * 16-bit integer congruent to a * R^-1 mod q, where R=2^16 + * + * Arguments: - int32_t a: input integer to be reduced; + * has to be in {-q2^15,...,q2^15-1} + * + * Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. + **************************************************/ +int16_t montgomery_reduce(int32_t a) { int16_t t; - t = (int16_t)a*QINV; - t = (a - (int32_t)t*KYBER_Q) >> 16; + t = (int16_t)a * QINV; + t = (a - (int32_t)t * KYBER_Q) >> 16; return t; } /************************************************* -* Name: barrett_reduce -* -* Description: Barrett reduction; given a 16-bit integer a, computes -* centered representative congruent to a mod q in {-(q-1)/2,...,(q-1)/2} -* -* Arguments: - int16_t a: input integer to be reduced -* -* Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q. -**************************************************/ + * Name: barrett_reduce + * + * Description: Barrett reduction; given a 16-bit integer a, computes + * centered representative congruent to a mod q in + *{-(q-1)/2,...,(q-1)/2} + * + * Arguments: - int16_t a: input integer to be reduced + * + * Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q. 
+ **************************************************/ int16_t barrett_reduce(int16_t a) { int16_t t; - const int16_t v = ((1<<26) + KYBER_Q/2)/KYBER_Q; + const int16_t v = ((1 << 26) + KYBER_Q / 2) / KYBER_Q; - t = ((int32_t)v*a + (1<<25)) >> 26; + t = ((int32_t)v * a + (1 << 25)) >> 26; t *= KYBER_Q; return a - t; } diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.h index d4b6603ed6..8a24ccc637 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.h +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.h @@ -4,8 +4,8 @@ #include #include "params.h" -#define MONT -1044 // 2^16 mod q -#define QINV -3327 // q^-1 mod 2^16 +#define MONT -1044 // 2^16 mod q +#define QINV -3327 // q^-1 mod 2^16 #define montgomery_reduce KYBER_NAMESPACE(montgomery_reduce) int16_t montgomery_reduce(int32_t a); diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric-shake.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric-shake.c index 72bf98c2f2..caa7be865e 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric-shake.c +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric-shake.c 
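Review bot: clang-format reflowed the barrett_reduce banner so the range now sits on its own line with the asterisk fused to the text, ` *{-(q-1)/2,...,(q-1)/2}`; re-wrap it by hand as ` * centered representative congruent to a mod q in` / ` * {-(q-1)/2,...,(q-1)/2}`. Because these banners put prose in the `*` column, the formatter treats every wrap as text, so a `// clang-format off` / `// clang-format on` pair around each banner (or converting them to `//` comments) would stop this recurring. Separately, `>> 16` on a possibly negative `int32_t` in montgomery_reduce and `>> 26` in barrett_reduce depend on an arithmetic right shift, which C11 leaves implementation-defined; a one-line comment such as `// relies on arithmetic right shift of negative values (two's complement)` would make the assumption explicit.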
@@ -5,25 +5,25 @@ #include "symmetric.h" /************************************************* -* Name: kyber_shake128_absorb -* -* Description: Absorb step of the SHAKE128 specialized for the Kyber context. -* -* Arguments: - KECCAK1600_CTX *ctx: pointer to (uninitialized) output Keccak state -* - const uint8_t *seed: pointer to KYBER_SYMBYTES input to be absorbed into state -* - uint8_t i: additional byte of input -* - uint8_t j: additional byte of input -**************************************************/ + * Name: kyber_shake128_absorb + * + * Description: Absorb step of the SHAKE128 specialized for the Kyber context. + * + * Arguments: - KECCAK1600_CTX *ctx: pointer to (uninitialized) output Keccak + *state + * - const uint8_t *seed: pointer to KYBER_SYMBYTES input to be + *absorbed into state + * - uint8_t i: additional byte of input + * - uint8_t j: additional byte of input + **************************************************/ void kyber_shake128_absorb(KECCAK1600_CTX *ctx, - const uint8_t seed[KYBER_SYMBYTES], - uint8_t x, - uint8_t y) -{ - uint8_t extseed[KYBER_SYMBYTES+2]; + const uint8_t seed[KYBER_SYMBYTES], uint8_t x, + uint8_t y) { + uint8_t extseed[KYBER_SYMBYTES + 2]; memcpy(extseed, seed, KYBER_SYMBYTES); - extseed[KYBER_SYMBYTES+0] = x; - extseed[KYBER_SYMBYTES+1] = y; + extseed[KYBER_SYMBYTES + 0] = x; + extseed[KYBER_SYMBYTES + 1] = y; // Return code checks can be omitted // SHAKE_Init always returns 1 when called with correct block size value 
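Review bot: The reflowed kyber_shake128_absorb banner now contains the fragments ` *state` and ` *absorbed into state` with the asterisk fused to the text, and it still documents the extra bytes as `uint8_t i` and `uint8_t j` while the parameters are named `x` and `y`. The Arguments lines should read `- uint8_t x: additional byte of input` / `- uint8_t y: additional byte of input` and be re-wrapped manually, or the banner fenced with `// clang-format off`. kyber_shake128_absorb's body continues past the end of the hunk.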
@@ -34,61 +34,65 @@ void kyber_shake128_absorb(KECCAK1600_CTX *ctx, } /************************************************* -* Name: kyber_shake128_squeeze -* -* Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of -* SHAKE128_BLOCKSIZE bytes each. Can be called multiple times -* to keep squeezing. Assumes new block has not yet been -* started. -* -* Arguments: - uint8_t *out: pointer to output blocks -* - size_t nblocks: number of blocks to be squeezed (written to output) -* - KECCAK1600_CTX *ctx: pointer to input/output Keccak state -**************************************************/ -void kyber_shake128_squeeze(KECCAK1600_CTX *ctx, uint8_t *out, int nblocks) -{ + * Name: kyber_shake128_squeeze + * + * Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of + * SHAKE128_BLOCKSIZE bytes each. Can be called multiple times + * to keep squeezing. Assumes new block has not yet been + * started. + * + * Arguments: - uint8_t *out: pointer to output blocks + * - size_t nblocks: number of blocks to be squeezed (written to + *output) + * - KECCAK1600_CTX *ctx: pointer to input/output Keccak state + **************************************************/ +void kyber_shake128_squeeze(KECCAK1600_CTX *ctx, uint8_t *out, int nblocks) { // Return code checks can be omitted - // SHAKE_Squeeze always returns 1 when |ctx->state| flag is different + // SHAKE_Squeeze always returns 1 when |ctx->state| flag is different // from |KECCAK1600_STATE_FINAL| SHAKE_Squeeze(out, ctx, nblocks * SHAKE128_BLOCKSIZE); } /************************************************* -* Name: kyber_shake256_prf -* -* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input -* and then generates outlen bytes of SHAKE256 output -* -* Arguments: - uint8_t *out: pointer to output -* - size_t outlen: number of requested output bytes -* - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES) -* - uint8_t nonce: single-byte nonce (public PRF input) 
-**************************************************/ -void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t extkey[KYBER_SYMBYTES+1]; + * Name: kyber_shake256_prf + * + * Description: Usage of SHAKE256 as a PRF, concatenates secret and public input + * and then generates outlen bytes of SHAKE256 output + * + * Arguments: - uint8_t *out: pointer to output + * - size_t outlen: number of requested output bytes + * - const uint8_t *key: pointer to the key (of length + *KYBER_SYMBYTES) + * - uint8_t nonce: single-byte nonce (public PRF input) + **************************************************/ +void kyber_shake256_prf(uint8_t *out, size_t outlen, + const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) { + uint8_t extkey[KYBER_SYMBYTES + 1]; memcpy(extkey, key, KYBER_SYMBYTES); extkey[KYBER_SYMBYTES] = nonce; // Return code checks can be omitted - // SHAKE256 never returns NULL when the internal SHAKE_Init is called with correct block size value + // SHAKE256 never returns NULL when the internal SHAKE_Init is called with + // correct block size value SHAKE256(extkey, sizeof(extkey), out, outlen); } /************************************************* -* Name: kyber_shake256_prf -* -* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input -* and then generates outlen bytes of SHAKE256 output -* -* Arguments: - uint8_t *out: pointer to output -* - size_t outlen: number of requested output bytes -* - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES) -* - uint8_t nonce: single-byte nonce (public PRF input) -**************************************************/ -void kyber_shake256_rkprf(ml_kem_params *params, uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t *input) -{ + * Name: kyber_shake256_prf + * + * Description: Usage of SHAKE256 as a PRF, concatenates secret and public input + * and then generates outlen bytes of SHAKE256 output + * + * Arguments: 
- uint8_t *out: pointer to output + * - size_t outlen: number of requested output bytes + * - const uint8_t *key: pointer to the key (of length + *KYBER_SYMBYTES) + * - uint8_t nonce: single-byte nonce (public PRF input) + **************************************************/ +void kyber_shake256_rkprf(ml_kem_params *params, uint8_t out[KYBER_SSBYTES], + const uint8_t key[KYBER_SYMBYTES], + const uint8_t *input) { KECCAK1600_CTX ctx; // Return code checks can be omitted @@ -98,10 +102,11 @@ void kyber_shake256_rkprf(ml_kem_params *params, uint8_t out[KYBER_SSBYTES], con // SHAKE_Absorb always returns 1 on first call of KYBER_SYMBYTES (32 bytes) SHAKE_Absorb(&ctx, key, KYBER_SYMBYTES); - // SHAKE_Absorb always returns 1 processing all data blocks that don't need pad + // SHAKE_Absorb always returns 1 processing all data blocks that don't need + // pad SHAKE_Absorb(&ctx, input, params->ciphertext_bytes); - // SHAKE_Final always returns 1 when |ctx->state| flag is set to + // SHAKE_Final always returns 1 when |ctx->state| flag is set to // |KECCAK1600_STATE_ABSORB| (no previous calls to SHAKE_Final) SHAKE_Final(out, &ctx, KYBER_SSBYTES); } diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric.h b/crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric.h index 93d8b63a6f..bad935ee34 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric.h +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric.h 
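Review bot: The banner above kyber_shake256_rkprf is a verbatim copy of the kyber_shake256_prf one (`Name: kyber_shake256_prf`, arguments `outlen` and `nonce`) and does not describe rkprf's actual parameters `params`, `out[KYBER_SSBYTES]`, `key[KYBER_SYMBYTES]` and `input`; it should name the function and state that it absorbs `key` followed by `params->ciphertext_bytes` bytes of `input` and writes KYBER_SSBYTES bytes to `out`. The kyber_shake128_squeeze banner documents `size_t nblocks` while the prototype takes `int nblocks`, so `nblocks * SHAKE128_BLOCKSIZE` is computed in `int`; either the parameter type or the comment should change so they agree. The reflow also left ` *output` and ` *KYBER_SYMBYTES)` fragments that need manual re-wrapping.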
@@ -9,15 +9,17 @@ #define kyber_shake128_absorb KYBER_NAMESPACE(kyber_shake128_absorb) void kyber_shake128_absorb(KECCAK1600_CTX *ctx, - const uint8_t seed[KYBER_SYMBYTES], - uint8_t x, + const uint8_t seed[KYBER_SYMBYTES], uint8_t x, uint8_t y); #define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf) -void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce); +void kyber_shake256_prf(uint8_t *out, size_t outlen, + const uint8_t key[KYBER_SYMBYTES], uint8_t nonce); #define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf) -void kyber_shake256_rkprf(ml_kem_params *params, uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t *input); +void kyber_shake256_rkprf(ml_kem_params *params, uint8_t out[KYBER_SSBYTES], + const uint8_t key[KYBER_SYMBYTES], + const uint8_t *input); #define kyber_shake128_squeeze KYBER_NAMESPACE(kyber_shake128_squeeze) void kyber_shake128_squeeze(KECCAK1600_CTX *ctx, uint8_t *out, int nblocks); @@ -25,8 +27,11 @@ void kyber_shake128_squeeze(KECCAK1600_CTX *ctx, uint8_t *out, int nblocks); #define hash_h(OUT, IN, INBYTES) SHA3_256(IN, INBYTES, OUT) #define hash_g(OUT, IN, INBYTES) SHA3_512(IN, INBYTES, OUT) #define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y) -#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) kyber_shake128_squeeze(STATE, OUT, OUTBLOCKS) -#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE) -#define rkprf(PARAMS, OUT, KEY, INPUT) kyber_shake256_rkprf(PARAMS, OUT, KEY, INPUT) +#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \ + kyber_shake128_squeeze(STATE, OUT, OUTBLOCKS) +#define prf(OUT, OUTBYTES, KEY, NONCE) \ + kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE) +#define rkprf(PARAMS, OUT, KEY, INPUT) \ + kyber_shake256_rkprf(PARAMS, OUT, KEY, INPUT) #endif /* SYMMETRIC_H */ 
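Review bot: The function-like macros `prf`, `rkprf`, `hash_h`, `hash_g`, `xof_absorb` and `xof_squeezeblocks` are short, lowercase, unprefixed names defined in a header, unlike the KYBER_NAMESPACE'd functions they expand to, so every translation unit that includes symmetric.h gets them injected into the global macro namespace and a local or field named `prf` would silently expand. Since these lines are already being rewritten, this is a good time to give them a `KYBER_` prefix or turn them into `static inline` wrappers.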
diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/verify.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/verify.c index 799ba586f4..e6bcc47f76 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/verify.c +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/verify.c 
@@ -1,46 +1,44 @@ +#include "verify.h" #include #include -#include "verify.h" #include "../../../internal.h" /************************************************* -* Name: verify -* -* Description: Compare two arrays for equality in constant time. -* -* Arguments: const uint8_t *a: pointer to first byte array -* const uint8_t *b: pointer to second byte array -* size_t len: length of the byte arrays -* -* Returns 0 if the byte arrays are equal, 1 otherwise -**************************************************/ -int verify(const uint8_t *a, const uint8_t *b, size_t len) -{ + * Name: verify + * + * Description: Compare two arrays for equality in constant time. + * + * Arguments: const uint8_t *a: pointer to first byte array + * const uint8_t *b: pointer to second byte array + * size_t len: length of the byte arrays + * + * Returns 0 if the byte arrays are equal, 1 otherwise + **************************************************/ +int verify(const uint8_t *a, const uint8_t *b, size_t len) { size_t i; uint8_t r = 0; - for(i=0;i> 63; } /************************************************* -* Name: cmov -* -* Description: Copy len bytes from x to r if b is 1; -* don't modify x if b is 0. Requires b to be in {0,1}; -* assumes two's complement representation of negative integers. -* Runs in constant time. -* -* Arguments: uint8_t *r: pointer to output byte array -* const uint8_t *x: pointer to input byte array -* size_t len: Amount of bytes to be copied -* uint8_t b: Condition bit; has to be in {0,1} -**************************************************/ -void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) -{ + * Name: cmov + * + * Description: Copy len bytes from x to r if b is 1; + * don't modify x if b is 0. Requires b to be in {0,1}; + * assumes two's complement representation of negative integers. + * Runs in constant time. 
+ * + * Arguments: uint8_t *r: pointer to output byte array + * const uint8_t *x: pointer to input byte array + * size_t len: Amount of bytes to be copied + * uint8_t b: Condition bit; has to be in {0,1} + **************************************************/ +void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) { uint8_t mask = constant_time_is_zero_8(b); - constant_time_select_array_8(r, r, (uint8_t*)x, mask, len); + constant_time_select_array_8(r, r, (uint8_t *)x, mask, len); } diff --git a/crypto/fipsmodule/modes/cbc.c b/crypto/fipsmodule/modes/cbc.c index 0115398fba..1e25403c20 100644 --- a/crypto/fipsmodule/modes/cbc.c +++ b/crypto/fipsmodule/modes/cbc.c @@ -51,8 +51,8 @@ #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len, @@ -101,8 +101,8 @@ void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len, assert(in != NULL && out != NULL); - const uintptr_t inptr = (uintptr_t) in; - const uintptr_t outptr = (uintptr_t) out; + const uintptr_t inptr = (uintptr_t)in; + const uintptr_t outptr = (uintptr_t)out; // If |in| and |out| alias, |in| must be ahead. assert(inptr >= outptr || inptr + len <= outptr); diff --git a/crypto/fipsmodule/modes/ctr.c b/crypto/fipsmodule/modes/ctr.c index eef2b70b05..81b0c20300 100644 --- a/crypto/fipsmodule/modes/ctr.c +++ b/crypto/fipsmodule/modes/ctr.c @@ -51,8 +51,8 @@ #include #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" // NOTE: the IV/counter CTR mode is big-endian. The code itself @@ -65,7 +65,7 @@ static void ctr128_inc(uint8_t *counter) { do { --n; c += counter[n]; - counter[n] = (uint8_t) c; + counter[n] = (uint8_t)c; c >>= 8; } while (n); } @@ -127,7 +127,7 @@ static void ctr96_inc(uint8_t *counter) { do { --n; c += counter[n]; - counter[n] = (uint8_t) c; + counter[n] = (uint8_t)c; c >>= 8; } while (n); } 
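Review bot: `(uint8_t *)x` in cmov casts away the `const` of the input array before it is handed to constant_time_select_array_8; if that helper accepts a `const uint8_t *` for the source operand the cast is unnecessary and should be removed, and if it does not, the helper's signature is what should change, because the cast hides any accidental write through `x` (which would be undefined behaviour on a `const` object). The cmov banner also still says "don't modify x if b is 0" where it means `r`; `don't modify r if b is 0` matches the code. verify's loop body is not legible here, so I make no claim about it.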
diff --git a/crypto/fipsmodule/modes/gcm.c b/crypto/fipsmodule/modes/gcm.c index 206b60c9ad..df0cb95d3a 100644 --- a/crypto/fipsmodule/modes/gcm.c +++ b/crypto/fipsmodule/modes/gcm.c @@ -53,13 +53,13 @@ #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" // kSizeTWithoutLower4Bits is a mask that can be used to zero the lower four // bits of a |size_t|. -static const size_t kSizeTWithoutLower4Bits = (size_t) -16; +static const size_t kSizeTWithoutLower4Bits = (size_t)-16; #define GCM_MUL(ctx, Xi) gcm_gmult_nohw((ctx)->Xi, (ctx)->gcm_key.Htable) @@ -116,9 +116,9 @@ void gcm_init_ssse3(u128 Htable[16], const uint64_t H[2]) { uint8_t *Hbytes = (uint8_t *)Htable; for (int i = 0; i < 16; i++) { for (int j = 0; j < i; j++) { - uint8_t tmp = Hbytes[16*i + j]; - Hbytes[16*i + j] = Hbytes[16*j + i]; - Hbytes[16*j + i] = tmp; + uint8_t tmp = Hbytes[16 * i + j]; + Hbytes[16 * i + j] = Hbytes[16 * j + i]; + Hbytes[16 * j + i] = tmp; } } } 
@@ -162,21 +162,21 @@ static size_t hw_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len,
 // In the case of the AEAD API, it can be used for all input lengths
 // but we are not identifying which API calls the code below.
 if (CRYPTO_is_ARMv8_GCM_8x_capable() && len >= 256) {
- switch(key->rounds) {
- case 10:
- aesv8_gcm_8x_enc_128(in, len_blocks * 8, out, Xi, ivec, key, Htable);
- break;
- case 12:
- aesv8_gcm_8x_enc_192(in, len_blocks * 8, out, Xi, ivec, key, Htable);
- break;
- case 14:
- aesv8_gcm_8x_enc_256(in, len_blocks * 8, out, Xi, ivec, key, Htable);
- break;
- default:
- // The subsequent logic after returning can process
- // the input or return an error.
- return 0;
- break;
+ switch (key->rounds) {
+ case 10:
+ aesv8_gcm_8x_enc_128(in, len_blocks * 8, out, Xi, ivec, key, Htable);
+ break;
+ case 12:
+ aesv8_gcm_8x_enc_192(in, len_blocks * 8, out, Xi, ivec, key, Htable);
+ break;
+ case 14:
+ aesv8_gcm_8x_enc_256(in, len_blocks * 8, out, Xi, ivec, key, Htable);
+ break;
+ default:
+ // The subsequent logic after returning can process
+ // the input or return an error.
+ return 0;
+ break;
 }
 } else {
 aes_gcm_enc_kernel(in, len_blocks * 8, out, Xi, ivec, key, Htable);
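Review bot: In the `default:` arm of the switch, `break;` directly after `return 0;` is unreachable and the reformat only re-indented it; dropping the dead `break` (or moving the comment and the `return 0;` after the switch) reads cleaner and avoids an unreachable-code warning under stricter flags. The same pattern appears in the `default:` arm of hw_gcm_decrypt in the next hunk. hw_gcm_encrypt's body starts and ends outside this hunk.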
@@ -199,21 +199,21 @@ static size_t hw_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,
 // In the case of the AEAD API, it can be used for all input lengths
 // but we are not identifying which API calls the code below.
 if (CRYPTO_is_ARMv8_GCM_8x_capable() && len >= 256) {
- switch(key->rounds) {
- case 10:
- aesv8_gcm_8x_dec_128(in, len_blocks * 8, out, Xi, ivec, key, Htable);
- break;
- case 12:
- aesv8_gcm_8x_dec_192(in, len_blocks * 8, out, Xi, ivec, key, Htable);
- break;
- case 14:
- aesv8_gcm_8x_dec_256(in, len_blocks * 8, out, Xi, ivec, key, Htable);
- break;
- default:
- // The subsequent logic after returning can process
- // the input or return an error.
- return 0;
- break;
+ switch (key->rounds) {
+ case 10:
+ aesv8_gcm_8x_dec_128(in, len_blocks * 8, out, Xi, ivec, key, Htable);
+ break;
+ case 12:
+ aesv8_gcm_8x_dec_192(in, len_blocks * 8, out, Xi, ivec, key, Htable);
+ break;
+ case 14:
+ aesv8_gcm_8x_dec_256(in, len_blocks * 8, out, Xi, ivec, key, Htable);
+ break;
+ default:
+ // The subsequent logic after returning can process
+ // the input or return an error.
+ return 0;
+ break;
 }
 } else {
 aes_gcm_dec_kernel(in, len_blocks * 8, out, Xi, ivec, key, Htable);
@@ -424,9 +424,9 @@ int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad, size_t len) {
 // Process the remainder.
 if (len != 0) {
 // This is needed to avoid a compiler warning on powerpc64le using GCC 12.2:
- // .../aws-lc/crypto/fipsmodule/modes/gcm.c:428:18: error: writing 1 byte into
- // a region of size 0 [-Werror=stringop-overflow=]
- // 428 | ctx->Xi[i] ^= aad[i];
+ // .../aws-lc/crypto/fipsmodule/modes/gcm.c:428:18: error: writing 1 byte
+ // into a region of size 0 [-Werror=stringop-overflow=] 428 | ctx->Xi[i] ^=
+ // aad[i];
 // | ~~~~~~~~~~~^~~~~~~~~
 if (len > 16) {
 abort();
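Review bot: clang-format has reflowed the quoted GCC diagnostic into `// .../gcm.c:428:18: error: writing 1 byte` / `// into a region of size 0 [-Werror=stringop-overflow=] 428 | ctx->Xi[i] ^=` / `// aad[i];`, so the reproduced source line now runs into the message text and the caret line below it no longer lines up with anything. Wrap this comment in `// clang-format off` and `// clang-format on` and restore the original three-line layout, since the comment only makes sense as verbatim compiler output. The `688 |` diagnostic in CRYPTO_gcm128_encrypt_ctr32 in the following hunk has the same problem. CRYPTO_gcm128_aad's body continues outside this hunk.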
@@ -453,8 +453,7 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const AES_KEY *key,
 #endif
 uint64_t mlen = ctx->len.msg + len;
- if (mlen > ((UINT64_C(1) << 36) - 32) ||
- (sizeof(len) == 8 && mlen < len)) {
+ if (mlen > ((UINT64_C(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) {
 return 0;
 }
 ctx->len.msg = mlen;
@@ -535,8 +534,7 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const AES_KEY *key,
 #endif
 uint64_t mlen = ctx->len.msg + len;
- if (mlen > ((UINT64_C(1) << 36) - 32) ||
- (sizeof(len) == 8 && mlen < len)) {
+ if (mlen > ((UINT64_C(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) {
 return 0;
 }
 ctx->len.msg = mlen;
@@ -620,8 +618,7 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const AES_KEY *key,
 #endif
 uint64_t mlen = ctx->len.msg + len;
- if (mlen > ((UINT64_C(1) << 36) - 32) ||
- (sizeof(len) == 8 && mlen < len)) {
+ if (mlen > ((UINT64_C(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) {
 return 0;
 }
 ctx->len.msg = mlen;
@@ -694,8 +691,9 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const AES_KEY *key,
 ++ctr;
 CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
 // This is needed to avoid a compiler warning on powerpc64le using GCC 12.2:
- // .../aws-lc/crypto/fipsmodule/modes/gcm.c:688:18: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
- // 688 | ctx->Xi[n] ^= out[n] = in[n] ^ ctx->EKi[n];
+ // .../aws-lc/crypto/fipsmodule/modes/gcm.c:688:18: error: writing 1 byte
+ // into a region of size 0 [-Werror=stringop-overflow=] 688 | ctx->Xi[n] ^=
+ // out[n] = in[n] ^ ctx->EKi[n];
 // | ^~
 if ((n + len) > 16) {
 abort();
@@ -722,8 +720,7 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const AES_KEY *key,
 #endif
 uint64_t mlen = ctx->len.msg + len;
- if (mlen > ((UINT64_C(1) << 36) - 32) ||
- (sizeof(len) == 8 && mlen < len)) {
+ if (mlen > ((UINT64_C(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) {
 return 0;
 }
 ctx->len.msg = mlen;
@@ -858,12 +855,10 @@ int crypto_gcm_clmul_enabled(void) {
 int crypto_gcm_avx512_enabled(void) {
 // This must align with ImplDispatchTest.AEAD_AES_GCM
-#if defined(GHASH_ASM_X86_64) && \
- !defined(OPENSSL_WINDOWS) && \
+#if defined(GHASH_ASM_X86_64) && !defined(OPENSSL_WINDOWS) && \
 !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)
- // TODO(awslc): remove the Windows guard once CryptoAlg-1701 is resolved.
- return (CRYPTO_is_VAES_capable() &&
- CRYPTO_is_AVX512_capable() &&
+ // TODO(awslc): remove the Windows guard once CryptoAlg-1701 is resolved.
+ return (CRYPTO_is_VAES_capable() && CRYPTO_is_AVX512_capable() &&
 CRYPTO_is_VPCLMULQDQ_capable());
 #else
 return 0;
diff --git a/crypto/fipsmodule/modes/gcm_nohw.c b/crypto/fipsmodule/modes/gcm_nohw.c
index 4a6302824d..e290f2388b 100644
--- a/crypto/fipsmodule/modes/gcm_nohw.c
+++ b/crypto/fipsmodule/modes/gcm_nohw.c
@@ -143,7 +143,7 @@ static void gcm_mul64_nohw(uint64_t *out_lo, uint64_t *out_hi, uint64_t a,
 mid = _mm_and_si128(mid, _mm_setr_epi32(0, 0xffffffff, 0xffffffff, 0));
 ret = _mm_xor_si128(ret, mid);
 memcpy(out_lo, &ret, 8);
- memcpy(out_hi, ((char*)&ret) + 8, 8);
+ memcpy(out_hi, ((char *)&ret) + 8, 8);
 }
 #else // !BORINGSSL_HAS_UINT128 && !OPENSSL_SSE2
diff --git a/crypto/fipsmodule/modes/gcm_test.cc b/crypto/fipsmodule/modes/gcm_test.cc
index d778abe51f..588f54384a 100644
--- a/crypto/fipsmodule/modes/gcm_test.cc
+++ b/crypto/fipsmodule/modes/gcm_test.cc
@@ -214,7 +214,7 @@ TEST(GCMTest, ABI) {
 }
 }
 }
-#endif // !MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)
+#endif // !MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)
 #endif // GHASH_ASM_X86_64
 }
 #endif // GHASH_ASM_X86 || GHASH_ASM_X86_64
@@ -239,7 +239,7 @@ TEST(GCMTest, ABI) {
 #if defined(OPENSSL_AARCH64) && defined(HW_GCM)
 if (hwaes_capable() && gcm_pmull_capable()) {
- static const uint8_t kKey[256/8] = {0};
+ static const uint8_t kKey[256 / 8] = {0};
 uint8_t iv[16] = {0};
 for (size_t key_bits = 128; key_bits <= 256; key_bits += 64) {
@@ -263,4 +263,5 @@ TEST(GCMTest, ABI) { } #endif // GHASH_ASM_PPC64LE } -#endif // SUPPORTS_ABI_TEST && !OPENSSL_NO_ASM && !MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX +#endif // SUPPORTS_ABI_TEST && !OPENSSL_NO_ASM && + // !MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX diff --git a/crypto/fipsmodule/modes/internal.h b/crypto/fipsmodule/modes/internal.h index 71f2d5c731..30c1b967b9 100644 --- a/crypto/fipsmodule/modes/internal.h +++ b/crypto/fipsmodule/modes/internal.h @@ -66,7 +66,7 @@ extern "C" { // The maximum permitted number of cipher blocks per data unit in XTS mode. // Reference IEEE Std 1619-2018. -#define XTS_MAX_BLOCKS_PER_DATA_UNIT (1<<20) +#define XTS_MAX_BLOCKS_PER_DATA_UNIT (1 << 20) // block128_f is the type of an AES block cipher implementation. // @@ -130,7 +130,9 @@ void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len, // can be safely copied. Additionally, |gcm_key| is split into a separate // struct. -typedef struct { uint64_t hi,lo; } u128; +typedef struct { + uint64_t hi, lo; +} u128; // gmult_func multiplies |Xi| by the GCM key and writes the result back to // |Xi|. @@ -155,7 +157,7 @@ typedef struct gcm128_key_st { // use_hw_gcm_crypt is true if this context should use platform-specific // assembly to process GCM data. - unsigned use_hw_gcm_crypt:1; + unsigned use_hw_gcm_crypt : 1; } GCM128_KEY; // GCM128_CONTEXT contains state for a single GCM operation. The structure @@ -299,7 +301,7 @@ void gcm_init_avx(u128 Htable[16], const uint64_t Xi[2]); void gcm_gmult_avx(uint8_t Xi[16], const u128 Htable[16]); void gcm_ghash_avx(uint8_t Xi[16], const u128 Htable[16], const uint8_t *in, size_t len); -#if !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX) +#if !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX) void gcm_init_avx512(u128 Htable[16], const uint64_t Xi[2]); void gcm_gmult_avx512(uint8_t Xi[2], const u128 Htable[16]); void gcm_ghash_avx512(uint8_t Xi[2], const u128 Htable[16], const uint8_t *in, 
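Review bot: The context lines declare `gcm_gmult_avx512(uint8_t Xi[2], ...)` and `gcm_ghash_avx512(uint8_t Xi[2], ...)` while every other gmult/ghash prototype in this header takes `uint8_t Xi[16]`; a parameter array bound does not change the type, so this compiles, but it misdocuments the 16-byte GHASH accumulator and presumably should read `uint8_t Xi[16]` — confirm against the assembly definitions before changing. The trailing-whitespace fix on the `#if !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)` line is fine.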
@@ -388,8 +390,8 @@ size_t aesv8_gcm_8x_dec_256(const uint8_t *in, size_t bit_len, uint8_t *out, #define GCM_FUNCREF void gcm_init_p8(u128 Htable[16], const uint64_t Xi[2]); void gcm_gmult_p8(uint8_t Xi[16], const u128 Htable[16]); -void gcm_ghash_p8(uint8_t Xi[16], const u128 Htable[16], - const uint8_t *inp, size_t len); +void gcm_ghash_p8(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp, + size_t len); #endif #endif // OPENSSL_NO_ASM @@ -462,9 +464,9 @@ size_t CRYPTO_cts128_encrypt_block(const uint8_t *in, uint8_t *out, size_t len, // CRYPTO_xts128_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes // from |in| to |out| using the given IV in XTS mode. There's no requirement // that |len| be a multiple of any value. -size_t CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, - const uint8_t iv[16], const uint8_t *inp, - uint8_t *out, size_t len, int enc); +size_t CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const uint8_t iv[16], + const uint8_t *inp, uint8_t *out, size_t len, + int enc); // POLYVAL. // diff --git a/crypto/fipsmodule/modes/polyval.c b/crypto/fipsmodule/modes/polyval.c index 4e53222982..d7daa3a18d 100644 --- a/crypto/fipsmodule/modes/polyval.c +++ b/crypto/fipsmodule/modes/polyval.c @@ -17,8 +17,8 @@ #include #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" // byte_reverse reverses the order of the bytes in |b->c|. @@ -39,7 +39,7 @@ static void reverse_and_mulX_ghash(uint8_t b[16]) { hi >>= 1; hi |= lo << 63; lo >>= 1; - lo ^= ((uint64_t) constant_time_select_w(carry, 0xe1, 0)) << 56; + lo ^= ((uint64_t)constant_time_select_w(carry, 0xe1, 0)) << 56; CRYPTO_store_u64_le(b, CRYPTO_bswap8(lo)); CRYPTO_store_u64_le(b + 8, CRYPTO_bswap8(hi)); diff --git a/crypto/fipsmodule/modes/xts.c b/crypto/fipsmodule/modes/xts.c index f72dccadb3..93176d4761 100644 --- a/crypto/fipsmodule/modes/xts.c +++ b/crypto/fipsmodule/modes/xts.c 
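Review bot: The comment on CRYPTO_xts128_encrypt says `There's no requirement that |len| be a multiple of any value`, but the implementation in xts.c returns 0 when `len < 16`, so the documented contract should state the minimum and the meaning of the return value, e.g. `|len| must be at least 16 (one full block); returns 1 on success and 0 if |len| is too short`. Without that, a caller reading only the header may treat the 0 as bytes processed rather than as a failure.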
@@ -54,25 +54,27 @@ #include #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" -size_t CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, - const uint8_t iv[16], const uint8_t *inp, - uint8_t *out, size_t len, int enc) { +size_t CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const uint8_t iv[16], + const uint8_t *inp, uint8_t *out, size_t len, + int enc) { union { uint64_t u[2]; uint8_t c[16]; } tweak, scratch; unsigned int i; - if (len < 16) return 0; + if (len < 16) + return 0; OPENSSL_memcpy(tweak.c, iv, 16); (*ctx->block2)(tweak.c, tweak.c, ctx->key2); - if (!enc && (len % 16)) len -= 16; + if (!enc && (len % 16)) + len -= 16; while (len >= 16) { OPENSSL_memcpy(scratch.c, inp, 16); @@ -86,7 +88,8 @@ size_t CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, out += 16; len -= 16; - if (len == 0) return 1; + if (len == 0) + return 1; unsigned int carry, res; @@ -97,7 +100,7 @@ size_t CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, res = 0x87 & (((int64_t)tweak_u1) >> 63); carry = (unsigned int)(tweak_u0 >> 63); tweak_u0 = (tweak_u0 << 1) ^ res; - tweak_u1 = (tweak_u1 << 1) | carry; + tweak_u1 = (tweak_u1 << 1) | carry; CRYPTO_store_u64_le(&tweak.u[0], tweak_u0); CRYPTO_store_u64_le(&tweak.u[1], tweak_u1); #else @@ -134,7 +137,7 @@ size_t CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, res = 0x87 & (((int64_t)tweak_u1) >> 63); carry = (unsigned int)(tweak_u0 >> 63); tweak_u0 = (tweak_u0 << 1) ^ res; - tweak_u1 = (tweak_u1 << 1) | carry; + tweak_u1 = (tweak_u1 << 1) | carry; CRYPTO_store_u64_le(&tweak1.u[0], tweak_u0); CRYPTO_store_u64_le(&tweak1.u[1], tweak_u1); #else diff --git a/crypto/fipsmodule/modes/xts_test.cc b/crypto/fipsmodule/modes/xts_test.cc index 07f071da26..174bf0212f 100644 --- a/crypto/fipsmodule/modes/xts_test.cc +++ b/crypto/fipsmodule/modes/xts_test.cc 
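Review bot: clang-format split `if (len < 16) return 0;` and `if (!enc && (len % 16)) len -= 16;` into unbraced two-line forms, which is exactly the shape that invites a misplaced-statement bug under later edits; write them with braces, `if (len < 16) { return 0; }`, as the rest of the modes code does. The same applies to `if (len == 0) return 1;` in the following hunk. CRYPTO_xts128_encrypt's body runs past the end of the hunk.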
@@ -12,16 +12,16 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-#include
 #include
+#include
 #include
 #include
 #include "../../internal.h"
-#include "internal.h"
 #include "../../test/test_util.h"
+#include "internal.h"
 struct XTSTestCase {
@@ -274,15 +274,13 @@ static const XTSTestCase kXTSTestCases[] = {
 // The plaintext lengths were chosen such that one or more vectors
 // exercise a certain path in the assembly code.
 // len = 44 bytes = 2 blocks + 12 bytes
- {
- "1338d7d3d66137abf00c8f33050cff7e0a6fa10ff2e2bd860119dfa68ee815c4"
- "4aa1bfc76f2e084d81b862c05aae29711bf167fff7432a7b9c5899ab069fff0f",
- "54000000000000000000000000000000",
- "922489de313fceb72a5ef2594d49eeb908afec966e89f0c7fbb4f6d37a559294"
- "2c53e3a65b37193d69346700",
- "6f229c1b60833e2a50a041b360d991814c6ec7f3199d8b2482f5b19b64c32013"
- "a679f1361a011bf37b2e1565"
- },
+ {"1338d7d3d66137abf00c8f33050cff7e0a6fa10ff2e2bd860119dfa68ee815c4"
+ "4aa1bfc76f2e084d81b862c05aae29711bf167fff7432a7b9c5899ab069fff0f",
+ "54000000000000000000000000000000",
+ "922489de313fceb72a5ef2594d49eeb908afec966e89f0c7fbb4f6d37a559294"
+ "2c53e3a65b37193d69346700",
+ "6f229c1b60833e2a50a041b360d991814c6ec7f3199d8b2482f5b19b64c32013"
+ "a679f1361a011bf37b2e1565"},
 // len = 51 bytes = 3 blocks + 3 bytes
 {
 "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0"
@@ -316,29 +314,25 @@ static const XTSTestCase kXTSTestCases[] = { "474e1fd14311edb95219", }, // len = 80 bytes = 5 blocks - { - "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0" - "bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0afaeadacabaaa9a8a7a6a5a4a3a2a1a0", - "9a785634120000000000000000000000", - "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" - "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" - "404142434445464748494a4b4c4d4e4f", - "c30ca8f2ed57307edc87e544867ac888348c208928d7406269954551cb627b5b" - "e1c241d0ff691de6b47ad81eac2b925b474e1fd14311edb95219ce64677f497b" - "8917567652e9b4ef3838baf35e400fe1" - }, + {"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0" + "bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0afaeadacabaaa9a8a7a6a5a4a3a2a1a0", + "9a785634120000000000000000000000", + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" + "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" + "404142434445464748494a4b4c4d4e4f", + "c30ca8f2ed57307edc87e544867ac888348c208928d7406269954551cb627b5b" + "e1c241d0ff691de6b47ad81eac2b925b474e1fd14311edb95219ce64677f497b" + "8917567652e9b4ef3838baf35e400fe1"}, // len = 87 bytes = 5 blocks + 7 bytes - { - "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0" - "bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0afaeadacabaaa9a8a7a6a5a4a3a2a1a0", - "9a785634120000000000000000000000", - "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" - "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" - "404142434445464748494a4b4c4d4e4f50515253545556", - "c30ca8f2ed57307edc87e544867ac888348c208928d7406269954551cb627b5b" - "e1c241d0ff691de6b47ad81eac2b925b474e1fd14311edb95219ce64677f497b" - "a436b967e79bb8e8e4c29d1099fe1bbf8917567652e9b4" - }, + {"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0" + "bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0afaeadacabaaa9a8a7a6a5a4a3a2a1a0", + "9a785634120000000000000000000000", + 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" + "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" + "404142434445464748494a4b4c4d4e4f50515253545556", + "c30ca8f2ed57307edc87e544867ac888348c208928d7406269954551cb627b5b" + "e1c241d0ff691de6b47ad81eac2b925b474e1fd14311edb95219ce64677f497b" + "a436b967e79bb8e8e4c29d1099fe1bbf8917567652e9b4"}, // len = 96 bytes = 6 blocks { "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0" 
@@ -366,19 +360,17 @@ static const XTSTestCase kXTSTestCases[] = { "ffe2f16c", }, // len = 126 bytes = 7 blocks + 14 bytes - { - "6df514f7b04518669d88dfe8e22683bc09081e7c6980ad768afc144bcb75263f" - "54176c5f69b1ebf5a3b116e2e77eb4f1b21d00cfc281e64bfe69e4f7714e312f", - "e3484c0248c9d1b18b51323838a883c2", - "a67f2bba6376b12ee8267d0e58bc3d3b04893d4c520efddd602f1698d7995a7d" - "1985387cfbe9abe31028f168e42ea3e9b8e1350aef33e84f62fee73a9741b7b0" - "c6ef2dc2d9d8a5e9009751e4c5f4cd7dd50388c5367014986efcd2053d8ab604" - "79e3c652bb6b3bbb028c9fc8816d455670cd1ba63d303eab2c11b1699b67", - "25d58c11702de5d39f73e4b651814272038b579df534ee096297d7cd0c95300a" - "d87ffe0d48fb4d8e6a1d01d3333c4e52113d921dcefca066a6b264ece99acdf1" - "283c56b49bfb42a1965080f06e5953d9414a432953d50784beec734cea1ae602" - "68fddc72e4c3f3613483bc15ab95ec62c9bc9edf48a2395dad69e4786f09" - }, + {"6df514f7b04518669d88dfe8e22683bc09081e7c6980ad768afc144bcb75263f" + "54176c5f69b1ebf5a3b116e2e77eb4f1b21d00cfc281e64bfe69e4f7714e312f", + "e3484c0248c9d1b18b51323838a883c2", + "a67f2bba6376b12ee8267d0e58bc3d3b04893d4c520efddd602f1698d7995a7d" + "1985387cfbe9abe31028f168e42ea3e9b8e1350aef33e84f62fee73a9741b7b0" + "c6ef2dc2d9d8a5e9009751e4c5f4cd7dd50388c5367014986efcd2053d8ab604" + "79e3c652bb6b3bbb028c9fc8816d455670cd1ba63d303eab2c11b1699b67", + "25d58c11702de5d39f73e4b651814272038b579df534ee096297d7cd0c95300a" + "d87ffe0d48fb4d8e6a1d01d3333c4e52113d921dcefca066a6b264ece99acdf1" + "283c56b49bfb42a1965080f06e5953d9414a432953d50784beec734cea1ae602" + "68fddc72e4c3f3613483bc15ab95ec62c9bc9edf48a2395dad69e4786f09"}, // len = 128 bytes = 8 blocks { "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0" 
@@ -598,371 +590,347 @@ static const XTSTestCase kXTSTestCases[] = { "4cd6a885857fba751416febc2cc41f2e6ea0659808172173e234f7dfd6", }, // len = 257 bytes = 16 blocks + 1 bytes - { - "aff22ec6b186ffbd4140241576ced5ae70e0783b67c0d58d0ef6dbd27ace07d5" - "0a5bd89cc096142790e00ea06e7d6685a09fa62ac1667d16cd320c51a1507c78", - "1db517955b52bfc2148028e9fdb6000b", - "83f63d5f0210b07db17fcdb8fba230185747aeb29a6d75aeed9d97eb5397f6d7" - "8e34369044e60df565daad617cde79d3252786bf95fb6d8298056dec9c64c32a" - "98f9bbdcdfc8d145a37ea61f5c1ff382477941dc74af5e0cb4ccf85030bb7bc8" - "b436a494fe75d9a1f37fc1509eb4d2e52d13c1a1c220ad76eca6c71c6142e416" - "7888aa76fd8318f002d940a08d1286ba26475be867085f53ae266f10685326e0" - "dbd056d8536ec9554709f5d41c7b8e42c3e92a2af2897ea0afedb01741d6f71c" - "a64ef5f9bcbe4e04c744d8e3bf6725825050ad42d92be3891893a0596a987610" - "e66b0aa22958a6f09c7fd45ce6f9de36498b7923b65caccfef4c2859e49e6aca" - "09", - "c98f54b11d1210f845e6c0a68baa37a274677ccc405e2ff38cd4f41fbe7f65b4" - "4d36fa9792541e8bbbceb8ecedef84bbb4fdf850ca6b4a17b50dee390063b431" - "c5fd389b14a04a399b2e0055fbeb390852861947a4d0b613e10eb469ba86f5cf" - "8d303750cfa35942d7b5ec66a5bae9ed8db2a062fd60bec11b1abea241355f7f" - "7564a7ca901ada44cd61b6266d25c7cc6118ce6b1a901ce83385701a722582f0" - "e238bf7e2a9396cf07aa7200c2cbd146738782863792652707271d0868f58f2d" - "0c45b826f61f030972fe32c6a55a0e6b39f2012e827318d623d545bf90fc68c6" - "d8c48e8fff9445248b0016897269022420c51e8472b9aa1a2350699815f62a66" - "3f" - }, + {"aff22ec6b186ffbd4140241576ced5ae70e0783b67c0d58d0ef6dbd27ace07d5" + "0a5bd89cc096142790e00ea06e7d6685a09fa62ac1667d16cd320c51a1507c78", + "1db517955b52bfc2148028e9fdb6000b", + "83f63d5f0210b07db17fcdb8fba230185747aeb29a6d75aeed9d97eb5397f6d7" + "8e34369044e60df565daad617cde79d3252786bf95fb6d8298056dec9c64c32a" + "98f9bbdcdfc8d145a37ea61f5c1ff382477941dc74af5e0cb4ccf85030bb7bc8" + "b436a494fe75d9a1f37fc1509eb4d2e52d13c1a1c220ad76eca6c71c6142e416" + 
"7888aa76fd8318f002d940a08d1286ba26475be867085f53ae266f10685326e0" + "dbd056d8536ec9554709f5d41c7b8e42c3e92a2af2897ea0afedb01741d6f71c" + "a64ef5f9bcbe4e04c744d8e3bf6725825050ad42d92be3891893a0596a987610" + "e66b0aa22958a6f09c7fd45ce6f9de36498b7923b65caccfef4c2859e49e6aca" + "09", + "c98f54b11d1210f845e6c0a68baa37a274677ccc405e2ff38cd4f41fbe7f65b4" + "4d36fa9792541e8bbbceb8ecedef84bbb4fdf850ca6b4a17b50dee390063b431" + "c5fd389b14a04a399b2e0055fbeb390852861947a4d0b613e10eb469ba86f5cf" + "8d303750cfa35942d7b5ec66a5bae9ed8db2a062fd60bec11b1abea241355f7f" + "7564a7ca901ada44cd61b6266d25c7cc6118ce6b1a901ce83385701a722582f0" + "e238bf7e2a9396cf07aa7200c2cbd146738782863792652707271d0868f58f2d" + "0c45b826f61f030972fe32c6a55a0e6b39f2012e827318d623d545bf90fc68c6" + "d8c48e8fff9445248b0016897269022420c51e8472b9aa1a2350699815f62a66" + "3f"}, // len = 276 bytes = 17 blocks + 4 bytes - { - "6dcc2392c5f0af2f5d84b455cd7b04abb785e0d19049fc675d625eeff162ef67" - "321369f778a33a28e50973dd3a37857177da17a5c23f7859eb12b72b6af60da7", - "85ec816504530b941554d311cc3a6a29", - "25cc3b83832aaf7595116b841fd22ba4bfad09c300145715682a263464905e89" - "5c990cdfc4bb5459cdbfddec92099051b69914b6ae6bcb1695f14bf981a982dd" - "428ebc064a115f17d03d03624693b3fc2cc7b2da327df1c76e3cc0efe542cc27" - "d1882e1b998d326aca35cc10c8800cf447becf7a3bc041a9fc0298e144640815" - "ed363086c462f08e97bd9f5f3dab54846a23fea5e3404fdf42e7c0864cc89c39" - "ffccbfc32fb051c66df026aa9c7a2e069d2dab806dfa5fafe21f352ee7d167e6" - "9e26a9cdd6fb9343ebb9ed87331c8dd0493950b633af6515ce9a43b66caa9c0a" - "d146d7a7416aeb2c24d8b457f441283d7a78f3ae2858c3f6f307ac5fb1496982" - "8f402ad0aa15fcceedb026e2f24e1f6cc6131aee", - "5451cf03fe8ed79c73f43b8595a93e4e5704856c72ad8e0ae454e021f880b26a" - "4fc1634b8fdb143bcbbf28ece2d08b34ddbd04223c507ef54c013f85be416127" - "db2e4ec5873541185ee8d345a04be6fc8c7711d4185c6999ae15e3ceb020b5ba" - "036f3a29176b369723c5d162e2e3c1ec464809995facb03c40b35d22df23b1e0" - 
"b16ddf322f77e88dd51b35137aafc5d63e0c939e003ed5cebf644ddb425fdb53" - "3f1f127eb08d44cf95d024e36d888033653b6dab815a3ff8ec6536ba5cd51403" - "ab938dbd6e4e63e34e6754869105dd87b0f8e53b6fa4e68834a5b15a74dae604" - "cb8e120115d5b9c66f6a7e973bcf2f418f37e19a51713577182ea38c5493ff46" - "966b2f87f3dd957226a4823848f42d943898a8c7" - }, + {"6dcc2392c5f0af2f5d84b455cd7b04abb785e0d19049fc675d625eeff162ef67" + "321369f778a33a28e50973dd3a37857177da17a5c23f7859eb12b72b6af60da7", + "85ec816504530b941554d311cc3a6a29", + "25cc3b83832aaf7595116b841fd22ba4bfad09c300145715682a263464905e89" + "5c990cdfc4bb5459cdbfddec92099051b69914b6ae6bcb1695f14bf981a982dd" + "428ebc064a115f17d03d03624693b3fc2cc7b2da327df1c76e3cc0efe542cc27" + "d1882e1b998d326aca35cc10c8800cf447becf7a3bc041a9fc0298e144640815" + "ed363086c462f08e97bd9f5f3dab54846a23fea5e3404fdf42e7c0864cc89c39" + "ffccbfc32fb051c66df026aa9c7a2e069d2dab806dfa5fafe21f352ee7d167e6" + "9e26a9cdd6fb9343ebb9ed87331c8dd0493950b633af6515ce9a43b66caa9c0a" + "d146d7a7416aeb2c24d8b457f441283d7a78f3ae2858c3f6f307ac5fb1496982" + "8f402ad0aa15fcceedb026e2f24e1f6cc6131aee", + "5451cf03fe8ed79c73f43b8595a93e4e5704856c72ad8e0ae454e021f880b26a" + "4fc1634b8fdb143bcbbf28ece2d08b34ddbd04223c507ef54c013f85be416127" + "db2e4ec5873541185ee8d345a04be6fc8c7711d4185c6999ae15e3ceb020b5ba" + "036f3a29176b369723c5d162e2e3c1ec464809995facb03c40b35d22df23b1e0" + "b16ddf322f77e88dd51b35137aafc5d63e0c939e003ed5cebf644ddb425fdb53" + "3f1f127eb08d44cf95d024e36d888033653b6dab815a3ff8ec6536ba5cd51403" + "ab938dbd6e4e63e34e6754869105dd87b0f8e53b6fa4e68834a5b15a74dae604" + "cb8e120115d5b9c66f6a7e973bcf2f418f37e19a51713577182ea38c5493ff46" + "966b2f87f3dd957226a4823848f42d943898a8c7"}, // len = 299 bytes = 18 blocks + 11 bytes - { - "de5e919626694311364505d8471a5fc5ed22e159d26efc6d5f19dab8367bdad3" - "e5e5bdda19663958dfe62753455a083d247fb908c3157f32b264f121d29640c8", - "64f64746afa04e8163bc96603c03929b", - "b5abff8f9db7b0d3892b69646c3d2cd0337316e21364637721f9d75dfc69f8b1" - 
"15f741b2aff185381def9c892cc8595f3b70414fd4a4c6f59d9d5299064a4a1b" - "428bcdf17d53299a42c6236e8e7ccdcaec0e19c1b2dfb64f7c09e88253329e95" - "be6b863bbeb0d50076f86e04743bce6149e722fbc6d84a42e132c5356563ca23" - "ce515e8d01338d772bfc7b9f374a008131227cf8fbc73adcf9ff115e62dc8131" - "2ddfbe2e124ba53d4720dd7f6add009c007c94fb43ced73dcee99b30c51d61f2" - "fc1f200f6bc54cb2e52931500731ec07ae8002f14ed92e1cc2ca4d87e7ae79e3" - "ce99f2395e3feb44681d946f4e8076fc0078ee4e521c6b14e6b89ccd6615b134" - "afa36d0de259514b76e5bac46531c165a9afb4fbcb1f10b2d7ac7f3dc1307270" - "d4df7eb638cf01aeb5bc73", - "292987d5a1c8cb8392c9cd1f9a9a4de5490d0284b91295cf4bbcd06376ef9513" - "d18753f1dc7ae7ed2b8f081d108de07c4752eeccfa6c1558da2a176ead5127a3" - "06d080ad4af63c13dffe291d65937b65ef370652a13e99d5e3e4698a80c04cd1" - "a78618c7b956f8422e286eae175c296d9a8aa687c9eb570cf7754b90346c5e3a" - "cfad6d073c7f85fe1b8d09dc06c6b6b2583441d6101b6c6e7520bb7ab1310c8f" - "1216cd270dd610e957e1c3d104a859ea5fe3bf11ef10a838905de4c5134bb02a" - "921a56103584f72008e1cd4f3482d399d7f029d79a27cfad399fb2c3b1bd6975" - "6af7d26ca822c239d948463e3451fb137e8274966924669ed1d6b9cab12034ff" - "ea30464b626f017e03a9b8d13efe0f1b589bfabc4eee2c38977e345ccb30d7ab" - "f7b541294e651a657663b1" - }, + {"de5e919626694311364505d8471a5fc5ed22e159d26efc6d5f19dab8367bdad3" + "e5e5bdda19663958dfe62753455a083d247fb908c3157f32b264f121d29640c8", + "64f64746afa04e8163bc96603c03929b", + "b5abff8f9db7b0d3892b69646c3d2cd0337316e21364637721f9d75dfc69f8b1" + "15f741b2aff185381def9c892cc8595f3b70414fd4a4c6f59d9d5299064a4a1b" + "428bcdf17d53299a42c6236e8e7ccdcaec0e19c1b2dfb64f7c09e88253329e95" + "be6b863bbeb0d50076f86e04743bce6149e722fbc6d84a42e132c5356563ca23" + "ce515e8d01338d772bfc7b9f374a008131227cf8fbc73adcf9ff115e62dc8131" + "2ddfbe2e124ba53d4720dd7f6add009c007c94fb43ced73dcee99b30c51d61f2" + "fc1f200f6bc54cb2e52931500731ec07ae8002f14ed92e1cc2ca4d87e7ae79e3" + "ce99f2395e3feb44681d946f4e8076fc0078ee4e521c6b14e6b89ccd6615b134" + 
"afa36d0de259514b76e5bac46531c165a9afb4fbcb1f10b2d7ac7f3dc1307270" + "d4df7eb638cf01aeb5bc73", + "292987d5a1c8cb8392c9cd1f9a9a4de5490d0284b91295cf4bbcd06376ef9513" + "d18753f1dc7ae7ed2b8f081d108de07c4752eeccfa6c1558da2a176ead5127a3" + "06d080ad4af63c13dffe291d65937b65ef370652a13e99d5e3e4698a80c04cd1" + "a78618c7b956f8422e286eae175c296d9a8aa687c9eb570cf7754b90346c5e3a" + "cfad6d073c7f85fe1b8d09dc06c6b6b2583441d6101b6c6e7520bb7ab1310c8f" + "1216cd270dd610e957e1c3d104a859ea5fe3bf11ef10a838905de4c5134bb02a" + "921a56103584f72008e1cd4f3482d399d7f029d79a27cfad399fb2c3b1bd6975" + "6af7d26ca822c239d948463e3451fb137e8274966924669ed1d6b9cab12034ff" + "ea30464b626f017e03a9b8d13efe0f1b589bfabc4eee2c38977e345ccb30d7ab" + "f7b541294e651a657663b1"}, // len = 314 bytes = 19 blocks + 10 bytes - { - "ed80e39253604e671080b99bcda0589d47dc51d810ce196d0f0eebb9453b6ce3" - "349634aea22ae00fd9e4fef19c8213451d2a6ea4395e3529edc8a9b9599ed8b3", - "f5bfdd462db6ea3defb89b08ee0931fd", - "f63fc5e2e87e9b2ed8d6cc44afaff8a46fd5eb9c8bd5da7a8e75827c7eb47975" - "f33e57dcbcf20a94c8d6d97785d11cf4a6079132dc6bac6ae02fe65fe35fd4d6" - "9d2bb25a1dbceee592c75d1898790c3f809d715c081dc7e94cad482f0d1c06aa" - "47b8046475f34907baa61f531f2c929fc903fcd220c3bb6d70039c7d1fa22866" - "5b2ccad01f13d7dabaf72dd923bf79ecc275bee238794fa87cec269b8e4e01e9" - "7acbb99adf91749988a172ab60eb972260560498cf54414c4067e7ceb5e9b82f" - "b471c993023d2c8ade9f353e8acd60eb236583f2b9c43ef92b26c7e00f7f10c3" - "f1d957f317837ef522b334ad809498a3f91b96b2e0d4ab0bfa73ec09f2fccde3" - "d524d7eca755e2ca08167789aa0f2ca42ac2560a9702169175029b67fe684bd3" - "8c22c03377a2fd7fb8740862833506aef75db88e5fce20d4d0bb", - "7a93f2efebbe2557ebcb22d5972ba884696ab0651fc1cfa1c5b88f8a2bc9ab78" - "17a97c0c46ffa8ac531f360700c94cad12ae081c03cd508b22123fd5d0ba4f1d" - "027d0f150b314177f3b2d6074686a1c548eaa243fb49604db2dbb3c32ecf5585" - "fcd023a72492413acd5427e3fff16a1bfee13d0be5333bda8621fb5a0f5814f5" - "04118a8b3b5dd5f40108c2baeff9ae59b84f20bd13f50e052083dfeaa80ff8c8" - 
"7be86dcd19930877712e6fe3442e4b80ed69467b2e208152f4f76f3c78f75934" - "4ed558d2ba69a85bd7019c8ff7900abe277bfb0d27cb921266565bb7891c77a3" - "973e8d6836ad7b8a389b27ffe70c19806810fed62fe029bf4b1d173bd297db6e" - "4ab4a9738f30a46646d386e9ade5b4ea00a5456535f7972a54dcda19f8d26e43" - "30c3d760bc4e278fa5ab8481dadde7829fde7563ece4094588f9" - }, + {"ed80e39253604e671080b99bcda0589d47dc51d810ce196d0f0eebb9453b6ce3" + "349634aea22ae00fd9e4fef19c8213451d2a6ea4395e3529edc8a9b9599ed8b3", + "f5bfdd462db6ea3defb89b08ee0931fd", + "f63fc5e2e87e9b2ed8d6cc44afaff8a46fd5eb9c8bd5da7a8e75827c7eb47975" + "f33e57dcbcf20a94c8d6d97785d11cf4a6079132dc6bac6ae02fe65fe35fd4d6" + "9d2bb25a1dbceee592c75d1898790c3f809d715c081dc7e94cad482f0d1c06aa" + "47b8046475f34907baa61f531f2c929fc903fcd220c3bb6d70039c7d1fa22866" + "5b2ccad01f13d7dabaf72dd923bf79ecc275bee238794fa87cec269b8e4e01e9" + "7acbb99adf91749988a172ab60eb972260560498cf54414c4067e7ceb5e9b82f" + "b471c993023d2c8ade9f353e8acd60eb236583f2b9c43ef92b26c7e00f7f10c3" + "f1d957f317837ef522b334ad809498a3f91b96b2e0d4ab0bfa73ec09f2fccde3" + "d524d7eca755e2ca08167789aa0f2ca42ac2560a9702169175029b67fe684bd3" + "8c22c03377a2fd7fb8740862833506aef75db88e5fce20d4d0bb", + "7a93f2efebbe2557ebcb22d5972ba884696ab0651fc1cfa1c5b88f8a2bc9ab78" + "17a97c0c46ffa8ac531f360700c94cad12ae081c03cd508b22123fd5d0ba4f1d" + "027d0f150b314177f3b2d6074686a1c548eaa243fb49604db2dbb3c32ecf5585" + "fcd023a72492413acd5427e3fff16a1bfee13d0be5333bda8621fb5a0f5814f5" + "04118a8b3b5dd5f40108c2baeff9ae59b84f20bd13f50e052083dfeaa80ff8c8" + "7be86dcd19930877712e6fe3442e4b80ed69467b2e208152f4f76f3c78f75934" + "4ed558d2ba69a85bd7019c8ff7900abe277bfb0d27cb921266565bb7891c77a3" + "973e8d6836ad7b8a389b27ffe70c19806810fed62fe029bf4b1d173bd297db6e" + "4ab4a9738f30a46646d386e9ade5b4ea00a5456535f7972a54dcda19f8d26e43" + "30c3d760bc4e278fa5ab8481dadde7829fde7563ece4094588f9"}, // len = 331 bytes = 20 blocks + 11 bytes - { - "ce86af621fe0bca7d825d43ee182ddf0604e1ff2b4de268e62843598d0cb5859" - 
"23a2a8e2049f541edc8682620db53dac770fb03fd27085feb336c3161badbcb9", - "33a7c85257ba910b8c6f7bb3f50ab157", - "bd368df3f92509c940d5769991d052c4771a16cfd5a8da611756140c60c6631d" - "fcf010f5161abe56ef34ef800441447c5c5a4b310225921a7ba726db6d8af969" - "7a095e90231ce71250d6925518d6d174311ca53341374dbdde74984bfe91b478" - "9b1209be2ef0d17fc663d4de3aa5526bc1f79e022fecbf0d6058595ee90dd684" - "20df434ecf14cd9677a174b146c71c07bebb0aeda7c9fb072154650b613b8f81" - "1bd2d0eae69d805e3ff50f85bc2c8d7ae797688e60639582b7fa8d18351c9a50" - "ef6a3bd507bb3346b043cc6c6f59e756f04fe450b279d269735f81a87c1bf96b" - "8534408def74d3a0b79f0c26f8f37ce8426039f4d90b5d4c6bdff4e7faed5280" - "21920d1106e0b1bd80bde378b15f61f3bf9ae898a545e41024d9f71fc6499fe8" - "dcacf9e28caaa00c67838518e3e60ca280f43b25391f365ef82d7dbf771ca753" - "c8a035544ad561b159e6ca", - "23a76bbecc4187fc27809e98d66f013c4713c42331fb74f81db7c6ce8d788abd" - "1451538cfe68bb29d82ff90427ef00c85b6f63cea97b31285ed0f0873b203ce8" - "e73d16252f7478d6e920bf079aa38fb0df55fbcf613d5f866fc70ca9bac43dd7" - "2feca0c2cc4b596e6b949e43252023504dbc543d61534435f8994efe79d00e39" - "7de079b72006bf2b3c289a5b3535af26d8ccabe239e4f0dcbb7f9dc893fc7279" - "055df2edd27bb997819e61654408d8028903cc31e350417271fe6e0128c3d6b3" - "951b58a0ea72a5101063b01397171c30e1df0eb255be3afd2ce2be2e30278d61" - "b93d7e97cc697180ea16d2bb9dfd76106d8db120e9ffafcb8182e2c869f57706" - "facfb9b53e0d80d330d7db057087251d2947a6746034b34b549ce47207334ccf" - "6c8df1492055d0464d3800df0278609ddd277e8ff1d12ee78d623e2e816fb5ec" - "9d6aa67116f98db59ede5b" - }, + {"ce86af621fe0bca7d825d43ee182ddf0604e1ff2b4de268e62843598d0cb5859" + "23a2a8e2049f541edc8682620db53dac770fb03fd27085feb336c3161badbcb9", + "33a7c85257ba910b8c6f7bb3f50ab157", + "bd368df3f92509c940d5769991d052c4771a16cfd5a8da611756140c60c6631d" + "fcf010f5161abe56ef34ef800441447c5c5a4b310225921a7ba726db6d8af969" + "7a095e90231ce71250d6925518d6d174311ca53341374dbdde74984bfe91b478" + "9b1209be2ef0d17fc663d4de3aa5526bc1f79e022fecbf0d6058595ee90dd684" 
+ "20df434ecf14cd9677a174b146c71c07bebb0aeda7c9fb072154650b613b8f81" + "1bd2d0eae69d805e3ff50f85bc2c8d7ae797688e60639582b7fa8d18351c9a50" + "ef6a3bd507bb3346b043cc6c6f59e756f04fe450b279d269735f81a87c1bf96b" + "8534408def74d3a0b79f0c26f8f37ce8426039f4d90b5d4c6bdff4e7faed5280" + "21920d1106e0b1bd80bde378b15f61f3bf9ae898a545e41024d9f71fc6499fe8" + "dcacf9e28caaa00c67838518e3e60ca280f43b25391f365ef82d7dbf771ca753" + "c8a035544ad561b159e6ca", + "23a76bbecc4187fc27809e98d66f013c4713c42331fb74f81db7c6ce8d788abd" + "1451538cfe68bb29d82ff90427ef00c85b6f63cea97b31285ed0f0873b203ce8" + "e73d16252f7478d6e920bf079aa38fb0df55fbcf613d5f866fc70ca9bac43dd7" + "2feca0c2cc4b596e6b949e43252023504dbc543d61534435f8994efe79d00e39" + "7de079b72006bf2b3c289a5b3535af26d8ccabe239e4f0dcbb7f9dc893fc7279" + "055df2edd27bb997819e61654408d8028903cc31e350417271fe6e0128c3d6b3" + "951b58a0ea72a5101063b01397171c30e1df0eb255be3afd2ce2be2e30278d61" + "b93d7e97cc697180ea16d2bb9dfd76106d8db120e9ffafcb8182e2c869f57706" + "facfb9b53e0d80d330d7db057087251d2947a6746034b34b549ce47207334ccf" + "6c8df1492055d0464d3800df0278609ddd277e8ff1d12ee78d623e2e816fb5ec" + "9d6aa67116f98db59ede5b"}, // len = 348 bytes = 21 blocks + 12 bytes - { - "ccdeca713961d5f0fa9f3717aa335e3fd37637a08fa1e0b0299d23e22cd012b4" - "d64c1903a731de4c97c2d4817803fd2a1d9de770026492db4f61b4cd158a0fe5", - "2d2a82641223d4a12575050507b5e031", - "047e92273274f55f8ac5e99cd59e8202c80466da273a7b4caf8052b73532e839" - "b07a61e3ee5642781b2b15f0c997f2929b586cc392e80f426861f99e94e1d744" - "5b3827498e69c2aa95d79a5e6e8df009e55dcc7845dcbaad3db34bd1942316ef" - "5b3d38eaa7fa943cd12e9a3fbb8b49a1e815192df1d3da2f8626001a491609a4" - "54418efb3c22370d51d14d0c5c96ad44abc6719d994ccc1f72cc39bbe3425f37" - "84ee32c01069cd613a1a6e97b01bdb5ce24df97b99c59b0b91d4c6741725ab9b" - "13dd5b244628858143f318f30ff34ff140486cd90d07e49fdcaa13f3d0bf8ee3" - "9ce907e3118d6454807c488f6f9780b0e0ed89edf46e8cd018a0c3e85f51ccfb" - 
"3ad3de4c6042a0e1bee8702e80f1de60de674dd2d5daa3ee7a66d6d9b8a2d4f2" - "76b33ed6f5dfb7b4c728e24719c0a7f727f5c9fdcf6ceb49d3c1228b64f67dda" - "a9bcb09f9b6853629035aaa9f551a01c46691915d6045ea9c680342a", - "b044e504905a2a68940aea8eec020eb5bc82faabba1374429efb6bfc4d84bd7c" - "e5caef9b87708dae91268d8b67909ac537067b86f5361acd33d70130c8c2c838" - "4401e833bb5fed395135f314294e1fb6db2434b4f276cd852e69f98c41487351" - "d3fc82eb9169802b2e1a1e714125cef2ebacf4d363296e3cfa6d8488b31b6f95" - "8b64c686221df4ff989b3fda3a220648c17c1bc5dc8d5ab8e76829cb7ca8f55a" - "6a8adbb75f475974ace8b53fe4360bf03c80acc25182f3ece25cb9d194bb93c8" - "304f7aebdcad9689fd8b505089046c9e2f7e558c6a22b7a05e9cbc13f039ae0f" - "91bf0dd2dda37ddc2a03267bad9de5a7c4a279eaeabe1a5b1222aad48b99e1c3" - "19117b280fb1841aeba7403ce6b99b79b40cef584838ab5284d78c87f640a6ff" - "7fefc0a1c37727269e3440d765e2e3d736003e6d0408d2ebcabffc0d275f61e5" - "2ebeb0c06962e11a3ff932a3f32f74eddb06f26b50f88d1b9741e53f" - }, + {"ccdeca713961d5f0fa9f3717aa335e3fd37637a08fa1e0b0299d23e22cd012b4" + "d64c1903a731de4c97c2d4817803fd2a1d9de770026492db4f61b4cd158a0fe5", + "2d2a82641223d4a12575050507b5e031", + "047e92273274f55f8ac5e99cd59e8202c80466da273a7b4caf8052b73532e839" + "b07a61e3ee5642781b2b15f0c997f2929b586cc392e80f426861f99e94e1d744" + "5b3827498e69c2aa95d79a5e6e8df009e55dcc7845dcbaad3db34bd1942316ef" + "5b3d38eaa7fa943cd12e9a3fbb8b49a1e815192df1d3da2f8626001a491609a4" + "54418efb3c22370d51d14d0c5c96ad44abc6719d994ccc1f72cc39bbe3425f37" + "84ee32c01069cd613a1a6e97b01bdb5ce24df97b99c59b0b91d4c6741725ab9b" + "13dd5b244628858143f318f30ff34ff140486cd90d07e49fdcaa13f3d0bf8ee3" + "9ce907e3118d6454807c488f6f9780b0e0ed89edf46e8cd018a0c3e85f51ccfb" + "3ad3de4c6042a0e1bee8702e80f1de60de674dd2d5daa3ee7a66d6d9b8a2d4f2" + "76b33ed6f5dfb7b4c728e24719c0a7f727f5c9fdcf6ceb49d3c1228b64f67dda" + "a9bcb09f9b6853629035aaa9f551a01c46691915d6045ea9c680342a", + "b044e504905a2a68940aea8eec020eb5bc82faabba1374429efb6bfc4d84bd7c" + 
"e5caef9b87708dae91268d8b67909ac537067b86f5361acd33d70130c8c2c838" + "4401e833bb5fed395135f314294e1fb6db2434b4f276cd852e69f98c41487351" + "d3fc82eb9169802b2e1a1e714125cef2ebacf4d363296e3cfa6d8488b31b6f95" + "8b64c686221df4ff989b3fda3a220648c17c1bc5dc8d5ab8e76829cb7ca8f55a" + "6a8adbb75f475974ace8b53fe4360bf03c80acc25182f3ece25cb9d194bb93c8" + "304f7aebdcad9689fd8b505089046c9e2f7e558c6a22b7a05e9cbc13f039ae0f" + "91bf0dd2dda37ddc2a03267bad9de5a7c4a279eaeabe1a5b1222aad48b99e1c3" + "19117b280fb1841aeba7403ce6b99b79b40cef584838ab5284d78c87f640a6ff" + "7fefc0a1c37727269e3440d765e2e3d736003e6d0408d2ebcabffc0d275f61e5" + "2ebeb0c06962e11a3ff932a3f32f74eddb06f26b50f88d1b9741e53f"}, // len = 359 bytes = 22 blocks + 7 bytes - { - "b120b40812ac153cf5ad7235213d12186b31f83ca4523e20e8928fd1a552757b" - "046dbf1c6b475566595fc277dea167c3391f390be8b98f33cd5ac7b00eb76ae0", - "a3ac009ce53ca78a24f9436288639670", - "3028cbc0f09c7095abc24d202dc801d074016c593d13e3610d27c4958a5a06bb" - "82d17b726deb0818ae5539db1d3aab913b18ea782bced938f59dce7ff7d43a7a" - "a5b5ec12a1f42b4f49642a669ed5f7d9ede25119b02a51a5c81f24bff35f3998" - "1426abb51ad604643a2ecad804c2b1f1a4020a542c5cf9f47b1db46f7ced0791" - "13b2462e884b92c2795c9a7d1e4b6fc24d79167ad50f6e512d22c0a910c73a23" - "7a815102cce3c545405fc35eab3221f8ab37728147e1d27403921d13595837d3" - "d988d6a56c9beaacfaad0aa5df2b9e8b63100caaf1de1ef5703b08c9933f9d6c" - "c87311340efce008a9eaae89164c14795c20234efe41436e7c4b37108bd47c53" - "478e87558a675e33510cbc6758d0e0b4f00302ee44455cc19194d11c684d6fb0" - "dbf605655d6399ae6f5516c726f67c16fa7e053ec461ff55f5d0715e1ee00ef9" - "d6135f3377f8e1e64df7ae73ee2a8ae8a88f266cf026c1e6f632441412520ee8" - "656d1bdc65fdc3", - "4100e99913513a39bd379f672ac3fa13e6bab8412d3373531a801f70ea9b5e25" - "603229eac8b0af2d0619c1859bb980ee08e1d43e4c3fa206ff0928eaac063978" - "0e1e25dea0a6e4e25c8d27793425e740c1bac1bcf98986125372c12198819028" - "40b7d612adc275de1a1bbeea216458e1010cf7019a949a4a3f016edbd0b09226" - 
"9295e7924a2d9267c1babb021b0f0e207de84460c55cdb4abc6b2dae0960d9af" - "1a95f1dfcc83ec625bd7c42b1e17d219b15d5cc0e3e69063889f1ab18008c309" - "14b549815822b844b279324cd7cf8f596445b1abbd87ee97c13242bd11958c0d" - "45986cd54247c307224568d557d42188f39f1ce6338cb3aa3c18501095ab5316" - "db18cb23698aa57fb12728a747b2f64878bc23e260cae1d597214a817d8b0229" - "fa449b6e55aad6260b230049b4a7708a9d72d06208033b40305bacd253ec4c5b" - "e85d813d4adbd69083bcb7bcda1667d30e0315753e1801c165b7f8a8be6a0717" - "c6d5e3ce942c57" - }, + {"b120b40812ac153cf5ad7235213d12186b31f83ca4523e20e8928fd1a552757b" + "046dbf1c6b475566595fc277dea167c3391f390be8b98f33cd5ac7b00eb76ae0", + "a3ac009ce53ca78a24f9436288639670", + "3028cbc0f09c7095abc24d202dc801d074016c593d13e3610d27c4958a5a06bb" + "82d17b726deb0818ae5539db1d3aab913b18ea782bced938f59dce7ff7d43a7a" + "a5b5ec12a1f42b4f49642a669ed5f7d9ede25119b02a51a5c81f24bff35f3998" + "1426abb51ad604643a2ecad804c2b1f1a4020a542c5cf9f47b1db46f7ced0791" + "13b2462e884b92c2795c9a7d1e4b6fc24d79167ad50f6e512d22c0a910c73a23" + "7a815102cce3c545405fc35eab3221f8ab37728147e1d27403921d13595837d3" + "d988d6a56c9beaacfaad0aa5df2b9e8b63100caaf1de1ef5703b08c9933f9d6c" + "c87311340efce008a9eaae89164c14795c20234efe41436e7c4b37108bd47c53" + "478e87558a675e33510cbc6758d0e0b4f00302ee44455cc19194d11c684d6fb0" + "dbf605655d6399ae6f5516c726f67c16fa7e053ec461ff55f5d0715e1ee00ef9" + "d6135f3377f8e1e64df7ae73ee2a8ae8a88f266cf026c1e6f632441412520ee8" + "656d1bdc65fdc3", + "4100e99913513a39bd379f672ac3fa13e6bab8412d3373531a801f70ea9b5e25" + "603229eac8b0af2d0619c1859bb980ee08e1d43e4c3fa206ff0928eaac063978" + "0e1e25dea0a6e4e25c8d27793425e740c1bac1bcf98986125372c12198819028" + "40b7d612adc275de1a1bbeea216458e1010cf7019a949a4a3f016edbd0b09226" + "9295e7924a2d9267c1babb021b0f0e207de84460c55cdb4abc6b2dae0960d9af" + "1a95f1dfcc83ec625bd7c42b1e17d219b15d5cc0e3e69063889f1ab18008c309" + "14b549815822b844b279324cd7cf8f596445b1abbd87ee97c13242bd11958c0d" + 
"45986cd54247c307224568d557d42188f39f1ce6338cb3aa3c18501095ab5316" + "db18cb23698aa57fb12728a747b2f64878bc23e260cae1d597214a817d8b0229" + "fa449b6e55aad6260b230049b4a7708a9d72d06208033b40305bacd253ec4c5b" + "e85d813d4adbd69083bcb7bcda1667d30e0315753e1801c165b7f8a8be6a0717" + "c6d5e3ce942c57"}, // len = 370 bytes = 23 blocks + 2 bytes - { - "f4269bca3fb01715a422ab9f9dedb7b4218e8a004af9216e687cc024d55fc239" - "71e2b043f12f710d59b63011ba02b0acdabc59c9b0610ec590131b5d128d14e4", - "eec7a07920a0426a503bcb724a3a37b2", - "cab3c58bceeae8a4fc4831be5c6aa24a3143c352e306bc344188a68bc2dd3d8c" - "9103175fed0003e94834a7a49e4aeed08db22270b8dea4f9664a852828c2b5b9" - "c5cc18b2cc1c9b145043b8ef8da7bf1a59e18a11bf2f0a26798f4ea152035a17" - "d073ca9c8f65b1dfa869ce35108d4f696eda7a2e0985548214a22466a67e7e76" - "f1481280adc360562d2e8b3dbcdba72ab52158bea6ac40bb4f6421f5e39f6bd4" - "e77d559541b5eb6ee376ab9f5152ca067422c41acf05d51e69f7134c967e217e" - "fb76133c2bfeaa0e7456aec6a878cc1c9a913769960c87ff039a4c9a186d1814" - "e32b500e29fb1c9d51ca63f9423016ddc14d465759ce565d68a2f7810f0f95f2" - "3ae50063e01d0031e7642b2a944107558e4dace71b024484a53b05b44a9aa784" - "7fa7e760c4e891ac4cbcd6e0fddd358b2ae17346e3b7ca88f3cf3d3d69e4c2e8" - "8ba9485091dafcdd96d2bd94aff21fd9d3921fb74ae93f3db87c7a21603c0aec" - "e6523c772c3855c30a1257b9057692d809b2", - "74468138b84656e4292b2855019566852232e2126ad7e062b9a9320027e4067a" - "a19d70f4a338bdd30c6e08a3d42e0c4b5d75d4bda6078df47469fec4dac80b49" - "c80e0076dd1bf773919d8699455bbc905c1ba7d8e968d15ad0525ad31d080335" - "15c4e85068fe0eede28ecd3fd434e0f8db6db3d99c0c9120d060b21490e15b4c" - "23a5db14c06a02d5677f64f2e861ad7333180417d6eae190a9f5fcfbb629795a" - "c9b8d5792767ec63f7d5146aaf3294c8924c951a0b95221dc821d8bc428a7670" - "cf4c900f7d844bd0b48dfbf70f18718fe404bdd476fbf366a01a1bf69d3178b1" - "0981388a1d51c05e97cc5ae6061ea57736b22989e772fa413eb89e25357827f5" - "89d41dfbf6dc6cfeb063a2cd3cf2da200b99b4a856a8aff15f27769f9d20ceee" - 
"12bf2b09391d9c75d27f69417a90b198240df02fb4abb351fbd0b753f50c9349" - "59ad6b5d74d0677c792a89c3c20f22285ae56aaea231b27fc0be998320cc395c" - "42d9a1b72c80603465ca9bdb3960f0f7a534" - }, + {"f4269bca3fb01715a422ab9f9dedb7b4218e8a004af9216e687cc024d55fc239" + "71e2b043f12f710d59b63011ba02b0acdabc59c9b0610ec590131b5d128d14e4", + "eec7a07920a0426a503bcb724a3a37b2", + "cab3c58bceeae8a4fc4831be5c6aa24a3143c352e306bc344188a68bc2dd3d8c" + "9103175fed0003e94834a7a49e4aeed08db22270b8dea4f9664a852828c2b5b9" + "c5cc18b2cc1c9b145043b8ef8da7bf1a59e18a11bf2f0a26798f4ea152035a17" + "d073ca9c8f65b1dfa869ce35108d4f696eda7a2e0985548214a22466a67e7e76" + "f1481280adc360562d2e8b3dbcdba72ab52158bea6ac40bb4f6421f5e39f6bd4" + "e77d559541b5eb6ee376ab9f5152ca067422c41acf05d51e69f7134c967e217e" + "fb76133c2bfeaa0e7456aec6a878cc1c9a913769960c87ff039a4c9a186d1814" + "e32b500e29fb1c9d51ca63f9423016ddc14d465759ce565d68a2f7810f0f95f2" + "3ae50063e01d0031e7642b2a944107558e4dace71b024484a53b05b44a9aa784" + "7fa7e760c4e891ac4cbcd6e0fddd358b2ae17346e3b7ca88f3cf3d3d69e4c2e8" + "8ba9485091dafcdd96d2bd94aff21fd9d3921fb74ae93f3db87c7a21603c0aec" + "e6523c772c3855c30a1257b9057692d809b2", + "74468138b84656e4292b2855019566852232e2126ad7e062b9a9320027e4067a" + "a19d70f4a338bdd30c6e08a3d42e0c4b5d75d4bda6078df47469fec4dac80b49" + "c80e0076dd1bf773919d8699455bbc905c1ba7d8e968d15ad0525ad31d080335" + "15c4e85068fe0eede28ecd3fd434e0f8db6db3d99c0c9120d060b21490e15b4c" + "23a5db14c06a02d5677f64f2e861ad7333180417d6eae190a9f5fcfbb629795a" + "c9b8d5792767ec63f7d5146aaf3294c8924c951a0b95221dc821d8bc428a7670" + "cf4c900f7d844bd0b48dfbf70f18718fe404bdd476fbf366a01a1bf69d3178b1" + "0981388a1d51c05e97cc5ae6061ea57736b22989e772fa413eb89e25357827f5" + "89d41dfbf6dc6cfeb063a2cd3cf2da200b99b4a856a8aff15f27769f9d20ceee" + "12bf2b09391d9c75d27f69417a90b198240df02fb4abb351fbd0b753f50c9349" + "59ad6b5d74d0677c792a89c3c20f22285ae56aaea231b27fc0be998320cc395c" + "42d9a1b72c80603465ca9bdb3960f0f7a534"}, // len = 399 bytes = 24 blocks + 15 
bytes - { - "53cf540aac7f2dd4fef9161811619879af7b9378ccd7ca9eb78aa39c319e11b4" - "9b904b754798d2a40cc10ccf8fe913eb4803853ff8f9abc897cda2b4fec917c0", - "5f2fc3f2b53c328134097bfeb519c66c", - "b0503a54f3d60824d4a6eee6bda2a61cd26a0f87a64108da4a83d8ff9c9e6c4d" - "efa6a1e27ca9065150f4370d97dd2a694739f0ed7af8c7c47c9fc4183e30652d" - "d6060f52b015a3000ada0da1b8370aff70faedeaf2b4af6e54738792a3ecbf79" - "f3cecba3e36fa3ed49b08e01e898015892ee4385a2f2f3f6657a88086747815a" - "154cfdf9bba0e605507506380d0791a0f5d42598c6188e2b931733fa5eb45474" - "00516dbcf153c141c8c77ad6cf0b76c4df9b5ca5b3ebd04602034060b794d4b7" - "e54173d69534185dfc9233cb9da98f7c44ec21f8d7f13ed9f47f39ab130e62f9" - "4fd6cfe40ae742067975d1161f6192634db35b24a49afd981936432c44a62594" - "7cf57886dcba8d56305e6c4fbfffb20cb20e3057a82defc16433eda8d9133c55" - "08b5dbe46f683a9fc7a7ee86a6a19358afc3af57f19f1855d205fdab183a0020" - "efdb055e443ffe0be6ec918c8d24e53ce89493d933ab2e05b12bb0c965b0ea54" - "8cefb3d02eb1db159d6ca12b918667791bfb524ea6805457ab042111b50b6541" - "fa181128c9ec3d6758df92e965f962", - "89119ff52d0dd7274f6bef39e395541f9a7db5d4bbefefd73a3126bfc9dec2fe" - "9af741c5b70a3322aa84c88ddae92c7c48ce2685950139c644eb5faad8e0d823" - "9e65b272cb4bde4562294445249a0bccfd27f06074217b45344b4ec1c83d0024" - "244a300b8fe9e6e4266c75fc8bdf219cbfa0c0286fc772e34e1742c12732251c" - "3d3c2b5425535214abe1f0aeabdd86a28d562df5c8f851a54c3517bca02029c0" - "7229b6493297b8c5173b72d7ad3732bb100d5e92ca02a3d339a6838dc7744d44" - "bedfe9696e2ed6869277c406c3b64148e2dec18c28c0db1afd557285046a851e" - "5f95ca48117900e21ae7204a01122135f0b667e12dc81476547081507fdf506e" - "7a14107a9f172c61948b92d92c6337c77bdaf6ba07691d105518b5887c22f526" - "4f3b7838f3e8b56d568d8249d28cd62457aad01b8b90a1ff4548cc02e794a12c" - "c7d8af55204bffda04dd8f53041876a3468a4d5747f57b225b4feb1fbb523103" - "30145923a945c02b6d79acf69e0c6b41408deab6ecb2f4b7fbb760372d7bdb8a" - "26f1ca0f722b377f1f9b5b1dc246d4" - }, + {"53cf540aac7f2dd4fef9161811619879af7b9378ccd7ca9eb78aa39c319e11b4" + 
"9b904b754798d2a40cc10ccf8fe913eb4803853ff8f9abc897cda2b4fec917c0", + "5f2fc3f2b53c328134097bfeb519c66c", + "b0503a54f3d60824d4a6eee6bda2a61cd26a0f87a64108da4a83d8ff9c9e6c4d" + "efa6a1e27ca9065150f4370d97dd2a694739f0ed7af8c7c47c9fc4183e30652d" + "d6060f52b015a3000ada0da1b8370aff70faedeaf2b4af6e54738792a3ecbf79" + "f3cecba3e36fa3ed49b08e01e898015892ee4385a2f2f3f6657a88086747815a" + "154cfdf9bba0e605507506380d0791a0f5d42598c6188e2b931733fa5eb45474" + "00516dbcf153c141c8c77ad6cf0b76c4df9b5ca5b3ebd04602034060b794d4b7" + "e54173d69534185dfc9233cb9da98f7c44ec21f8d7f13ed9f47f39ab130e62f9" + "4fd6cfe40ae742067975d1161f6192634db35b24a49afd981936432c44a62594" + "7cf57886dcba8d56305e6c4fbfffb20cb20e3057a82defc16433eda8d9133c55" + "08b5dbe46f683a9fc7a7ee86a6a19358afc3af57f19f1855d205fdab183a0020" + "efdb055e443ffe0be6ec918c8d24e53ce89493d933ab2e05b12bb0c965b0ea54" + "8cefb3d02eb1db159d6ca12b918667791bfb524ea6805457ab042111b50b6541" + "fa181128c9ec3d6758df92e965f962", + "89119ff52d0dd7274f6bef39e395541f9a7db5d4bbefefd73a3126bfc9dec2fe" + "9af741c5b70a3322aa84c88ddae92c7c48ce2685950139c644eb5faad8e0d823" + "9e65b272cb4bde4562294445249a0bccfd27f06074217b45344b4ec1c83d0024" + "244a300b8fe9e6e4266c75fc8bdf219cbfa0c0286fc772e34e1742c12732251c" + "3d3c2b5425535214abe1f0aeabdd86a28d562df5c8f851a54c3517bca02029c0" + "7229b6493297b8c5173b72d7ad3732bb100d5e92ca02a3d339a6838dc7744d44" + "bedfe9696e2ed6869277c406c3b64148e2dec18c28c0db1afd557285046a851e" + "5f95ca48117900e21ae7204a01122135f0b667e12dc81476547081507fdf506e" + "7a14107a9f172c61948b92d92c6337c77bdaf6ba07691d105518b5887c22f526" + "4f3b7838f3e8b56d568d8249d28cd62457aad01b8b90a1ff4548cc02e794a12c" + "c7d8af55204bffda04dd8f53041876a3468a4d5747f57b225b4feb1fbb523103" + "30145923a945c02b6d79acf69e0c6b41408deab6ecb2f4b7fbb760372d7bdb8a" + "26f1ca0f722b377f1f9b5b1dc246d4"}, // len = 512 bytes = 32 blocks - { - "471f9a9ee92d06701e84d8ee35773e00939620dcfe7679b4aa6eb0d6c59bec8a" - 
"f51000afca6d6fafc3d7775468b59e86202d34090a05e79738825de54e049b7f", - "bb20acdc5589e553935c580c430ca3ed", - "451170f56e46da349475388011c2ffcce2aca837358e8bc8eae3d42df0771a35" - "888a2af7d1042b657a63e68b25e5570791003fc68eca8e78ad62a59dd9bfd262" - "4afc591b0184807be766060c4c5d13dd5d52a4eb1c3263ca9508676ec83ad012" - "36292d37adadb29414b8a06016b43d7306e15f2314c2eda9cb5417938ee8a5c5" - "11d2fcbf7faf539367f4f37da831f1ae1250d12612becfdd13e770a1cf1566e0" - "e7639f6712f3fa79e7eef78f1fe83d31380f584acd2728e00e9882ddaee8be95" - "4b5dfc5d50f7d737e5cec604b60435ee138d38e0b560c1c3f943a1a72b5f3c77" - "bc39d40d30ab4415790b192f0f4e1d22dc560291b6c354af06f556325493a911" - "cc7d1efc296211a26d2ad27c78ef9e5445a1e5fc643aab6b2f029d8495469561" - "c3b35dec156e8f839861ff10509e65963f4a92a3843d0eb43fab38d4f1cd35b5" - "8092a195003018989118a9e2b60e78f5580a98dd47a7918752c95b449691f916" - "239aab24cbc4bc5cdc653e9273b687ccc01fa908c63a8f1903ea5d997b56af9f" - "f05ac3bb1e7f18fae5568c580d1324cd33cdd5f90764120a4f6fa3cac55269b6" - "ad2c71cbac89c691e052e9ed660eba99db9092e3f4a5ed4314910edae3779090" - "a4015c508b22e16b74ca58dad81273b4a2069797ab84dabf15e899f960298904" - "2be554b60735217cff7956d88bca8c2ed023c57ba79f3abd88d4b6e8fd3fec28", - "4df3fa60e97ddd3d9890bfc71e75f43aa2951f8b9f1eafbc7d85dcd52587af30" - "4ddcd513d4608123d797d3b734dced7c7549d54a0d18f19b3a3d8a46f1c480b8" - "4a986f47610907e764d214ee2af6831aad11daa8c55a483d7c99cdd418cb06a5" - "ee1be3f5cccefc1c5200f4320399b7430c90cf00bc901df08a20e2fbeee38e0a" - "65b4a43038ecbdfd7ecd3a8d138e862e6313fafc39453b2e610577749a1e0d11" - "7c3ec5018d3b56495d03e639c46233752371bcefb276b9b7b0623a6bf533cb72" - "016238ecc3ac227717c3c6b69b5f74ac27b2c966e552b85b67739c3540930cc0" - "e3a62d4a7362bd825d13fe1a6b68d6152ac6615eca89b3c1b8571e57b55766fb" - "a3ac11df6161dd6e5110e9047a6637349b0e49738a4ca52ba7e0f84e01a2af01" - "db63fa36bafc6e212089196b20d30b346ce865f0c1412d196e56b328cd1c2399" - "59202aeabc56aa08c847360ea1d3a5521748e853869b7a783874424c62b5da33" - 
"1d95880aa77ec6d04aa59b6e2e85a75a3fcc9be9537c3cf065d69537e1454024" - "4398137ae4d6cc84c5323df0b9cccf5bc51ad873847369c92e0bed692bc03b47" - "94b20ac22f672a64ecd15a69665f21233f47e6904b6cd2972ffc6aeb2961f666" - "923c13d3ab532009211c784f6a8553201907cdbf1db8176684ec59280fa20b82" - "9cfc069b2fc61d0a4c7cdcb9d7bee655cdb56932ca319152849f37b0b396674a" - }, + {"471f9a9ee92d06701e84d8ee35773e00939620dcfe7679b4aa6eb0d6c59bec8a" + "f51000afca6d6fafc3d7775468b59e86202d34090a05e79738825de54e049b7f", + "bb20acdc5589e553935c580c430ca3ed", + "451170f56e46da349475388011c2ffcce2aca837358e8bc8eae3d42df0771a35" + "888a2af7d1042b657a63e68b25e5570791003fc68eca8e78ad62a59dd9bfd262" + "4afc591b0184807be766060c4c5d13dd5d52a4eb1c3263ca9508676ec83ad012" + "36292d37adadb29414b8a06016b43d7306e15f2314c2eda9cb5417938ee8a5c5" + "11d2fcbf7faf539367f4f37da831f1ae1250d12612becfdd13e770a1cf1566e0" + "e7639f6712f3fa79e7eef78f1fe83d31380f584acd2728e00e9882ddaee8be95" + "4b5dfc5d50f7d737e5cec604b60435ee138d38e0b560c1c3f943a1a72b5f3c77" + "bc39d40d30ab4415790b192f0f4e1d22dc560291b6c354af06f556325493a911" + "cc7d1efc296211a26d2ad27c78ef9e5445a1e5fc643aab6b2f029d8495469561" + "c3b35dec156e8f839861ff10509e65963f4a92a3843d0eb43fab38d4f1cd35b5" + "8092a195003018989118a9e2b60e78f5580a98dd47a7918752c95b449691f916" + "239aab24cbc4bc5cdc653e9273b687ccc01fa908c63a8f1903ea5d997b56af9f" + "f05ac3bb1e7f18fae5568c580d1324cd33cdd5f90764120a4f6fa3cac55269b6" + "ad2c71cbac89c691e052e9ed660eba99db9092e3f4a5ed4314910edae3779090" + "a4015c508b22e16b74ca58dad81273b4a2069797ab84dabf15e899f960298904" + "2be554b60735217cff7956d88bca8c2ed023c57ba79f3abd88d4b6e8fd3fec28", + "4df3fa60e97ddd3d9890bfc71e75f43aa2951f8b9f1eafbc7d85dcd52587af30" + "4ddcd513d4608123d797d3b734dced7c7549d54a0d18f19b3a3d8a46f1c480b8" + "4a986f47610907e764d214ee2af6831aad11daa8c55a483d7c99cdd418cb06a5" + "ee1be3f5cccefc1c5200f4320399b7430c90cf00bc901df08a20e2fbeee38e0a" + "65b4a43038ecbdfd7ecd3a8d138e862e6313fafc39453b2e610577749a1e0d11" + 
"7c3ec5018d3b56495d03e639c46233752371bcefb276b9b7b0623a6bf533cb72" + "016238ecc3ac227717c3c6b69b5f74ac27b2c966e552b85b67739c3540930cc0" + "e3a62d4a7362bd825d13fe1a6b68d6152ac6615eca89b3c1b8571e57b55766fb" + "a3ac11df6161dd6e5110e9047a6637349b0e49738a4ca52ba7e0f84e01a2af01" + "db63fa36bafc6e212089196b20d30b346ce865f0c1412d196e56b328cd1c2399" + "59202aeabc56aa08c847360ea1d3a5521748e853869b7a783874424c62b5da33" + "1d95880aa77ec6d04aa59b6e2e85a75a3fcc9be9537c3cf065d69537e1454024" + "4398137ae4d6cc84c5323df0b9cccf5bc51ad873847369c92e0bed692bc03b47" + "94b20ac22f672a64ecd15a69665f21233f47e6904b6cd2972ffc6aeb2961f666" + "923c13d3ab532009211c784f6a8553201907cdbf1db8176684ec59280fa20b82" + "9cfc069b2fc61d0a4c7cdcb9d7bee655cdb56932ca319152849f37b0b396674a"}, // len = 523 bytes = 32 blocks + 11 bytes - { - "471f9a9ee92d06701e84d8ee35773e00939620dcfe7679b4aa6eb0d6c59bec8a" - "f51000afca6d6fafc3d7775468b59e86202d34090a05e79738825de54e049b7f", - "bb20acdc5589e553935c580c430ca3ed", - "451170f56e46da349475388011c2ffcce2aca837358e8bc8eae3d42df0771a35" - "888a2af7d1042b657a63e68b25e5570791003fc68eca8e78ad62a59dd9bfd262" - "4afc591b0184807be766060c4c5d13dd5d52a4eb1c3263ca9508676ec83ad012" - "36292d37adadb29414b8a06016b43d7306e15f2314c2eda9cb5417938ee8a5c5" - "11d2fcbf7faf539367f4f37da831f1ae1250d12612becfdd13e770a1cf1566e0" - "e7639f6712f3fa79e7eef78f1fe83d31380f584acd2728e00e9882ddaee8be95" - "4b5dfc5d50f7d737e5cec604b60435ee138d38e0b560c1c3f943a1a72b5f3c77" - "bc39d40d30ab4415790b192f0f4e1d22dc560291b6c354af06f556325493a911" - "cc7d1efc296211a26d2ad27c78ef9e5445a1e5fc643aab6b2f029d8495469561" - "c3b35dec156e8f839861ff10509e65963f4a92a3843d0eb43fab38d4f1cd35b5" - "8092a195003018989118a9e2b60e78f5580a98dd47a7918752c95b449691f916" - "239aab24cbc4bc5cdc653e9273b687ccc01fa908c63a8f1903ea5d997b56af9f" - "f05ac3bb1e7f18fae5568c580d1324cd33cdd5f90764120a4f6fa3cac55269b6" - "ad2c71cbac89c691e052e9ed660eba99db9092e3f4a5ed4314910edae3779090" - 
"a4015c508b22e16b74ca58dad81273b4a2069797ab84dabf15e899f960298904" - "2be554b60735217cff7956d88bca8c2ed023c57ba79f3abd88d4b6e8fd3fec28" - "2540de2c75ffa87478ff4c", - "4df3fa60e97ddd3d9890bfc71e75f43aa2951f8b9f1eafbc7d85dcd52587af30" - "4ddcd513d4608123d797d3b734dced7c7549d54a0d18f19b3a3d8a46f1c480b8" - "4a986f47610907e764d214ee2af6831aad11daa8c55a483d7c99cdd418cb06a5" - "ee1be3f5cccefc1c5200f4320399b7430c90cf00bc901df08a20e2fbeee38e0a" - "65b4a43038ecbdfd7ecd3a8d138e862e6313fafc39453b2e610577749a1e0d11" - "7c3ec5018d3b56495d03e639c46233752371bcefb276b9b7b0623a6bf533cb72" - "016238ecc3ac227717c3c6b69b5f74ac27b2c966e552b85b67739c3540930cc0" - "e3a62d4a7362bd825d13fe1a6b68d6152ac6615eca89b3c1b8571e57b55766fb" - "a3ac11df6161dd6e5110e9047a6637349b0e49738a4ca52ba7e0f84e01a2af01" - "db63fa36bafc6e212089196b20d30b346ce865f0c1412d196e56b328cd1c2399" - "59202aeabc56aa08c847360ea1d3a5521748e853869b7a783874424c62b5da33" - "1d95880aa77ec6d04aa59b6e2e85a75a3fcc9be9537c3cf065d69537e1454024" - "4398137ae4d6cc84c5323df0b9cccf5bc51ad873847369c92e0bed692bc03b47" - "94b20ac22f672a64ecd15a69665f21233f47e6904b6cd2972ffc6aeb2961f666" - "923c13d3ab532009211c784f6a8553201907cdbf1db8176684ec59280fa20b82" - "9cfc069b2fc61d0a4c7cdcb9d7bee655df0f08137ed40076a293a450b4602009" - "cdb56932ca319152849f37" - }, + {"471f9a9ee92d06701e84d8ee35773e00939620dcfe7679b4aa6eb0d6c59bec8a" + "f51000afca6d6fafc3d7775468b59e86202d34090a05e79738825de54e049b7f", + "bb20acdc5589e553935c580c430ca3ed", + "451170f56e46da349475388011c2ffcce2aca837358e8bc8eae3d42df0771a35" + "888a2af7d1042b657a63e68b25e5570791003fc68eca8e78ad62a59dd9bfd262" + "4afc591b0184807be766060c4c5d13dd5d52a4eb1c3263ca9508676ec83ad012" + "36292d37adadb29414b8a06016b43d7306e15f2314c2eda9cb5417938ee8a5c5" + "11d2fcbf7faf539367f4f37da831f1ae1250d12612becfdd13e770a1cf1566e0" + "e7639f6712f3fa79e7eef78f1fe83d31380f584acd2728e00e9882ddaee8be95" + "4b5dfc5d50f7d737e5cec604b60435ee138d38e0b560c1c3f943a1a72b5f3c77" + 
"bc39d40d30ab4415790b192f0f4e1d22dc560291b6c354af06f556325493a911" + "cc7d1efc296211a26d2ad27c78ef9e5445a1e5fc643aab6b2f029d8495469561" + "c3b35dec156e8f839861ff10509e65963f4a92a3843d0eb43fab38d4f1cd35b5" + "8092a195003018989118a9e2b60e78f5580a98dd47a7918752c95b449691f916" + "239aab24cbc4bc5cdc653e9273b687ccc01fa908c63a8f1903ea5d997b56af9f" + "f05ac3bb1e7f18fae5568c580d1324cd33cdd5f90764120a4f6fa3cac55269b6" + "ad2c71cbac89c691e052e9ed660eba99db9092e3f4a5ed4314910edae3779090" + "a4015c508b22e16b74ca58dad81273b4a2069797ab84dabf15e899f960298904" + "2be554b60735217cff7956d88bca8c2ed023c57ba79f3abd88d4b6e8fd3fec28" + "2540de2c75ffa87478ff4c", + "4df3fa60e97ddd3d9890bfc71e75f43aa2951f8b9f1eafbc7d85dcd52587af30" + "4ddcd513d4608123d797d3b734dced7c7549d54a0d18f19b3a3d8a46f1c480b8" + "4a986f47610907e764d214ee2af6831aad11daa8c55a483d7c99cdd418cb06a5" + "ee1be3f5cccefc1c5200f4320399b7430c90cf00bc901df08a20e2fbeee38e0a" + "65b4a43038ecbdfd7ecd3a8d138e862e6313fafc39453b2e610577749a1e0d11" + "7c3ec5018d3b56495d03e639c46233752371bcefb276b9b7b0623a6bf533cb72" + "016238ecc3ac227717c3c6b69b5f74ac27b2c966e552b85b67739c3540930cc0" + "e3a62d4a7362bd825d13fe1a6b68d6152ac6615eca89b3c1b8571e57b55766fb" + "a3ac11df6161dd6e5110e9047a6637349b0e49738a4ca52ba7e0f84e01a2af01" + "db63fa36bafc6e212089196b20d30b346ce865f0c1412d196e56b328cd1c2399" + "59202aeabc56aa08c847360ea1d3a5521748e853869b7a783874424c62b5da33" + "1d95880aa77ec6d04aa59b6e2e85a75a3fcc9be9537c3cf065d69537e1454024" + "4398137ae4d6cc84c5323df0b9cccf5bc51ad873847369c92e0bed692bc03b47" + "94b20ac22f672a64ecd15a69665f21233f47e6904b6cd2972ffc6aeb2961f666" + "923c13d3ab532009211c784f6a8553201907cdbf1db8176684ec59280fa20b82" + "9cfc069b2fc61d0a4c7cdcb9d7bee655df0f08137ed40076a293a450b4602009" + "cdb56932ca319152849f37"}, // len = 544 bytes = 34 blocks - { - "b0f0dc151095ec58d407195199de7a769a755b2bda7c52a039474db388ee3b2d" - "f04af5b44f1091da6520a660f008aa2a66778a6cc0c6d426a75298e6910364d6", - "cba24d262d789207390ecd8be26db11b", - 
"14f86e6190214719b2351ced9949c364ec108b19891d20c22ced4d0e5afe2a6e" - "f798cf87b916a06b4bbc58e4061c49f22cd40bb5f12b771d18c42c72c356e0ba" - "eeaf41a7c5e212109e6af4a4863d96b311a16803cce020e4a44c5667a2362190" - "e56337aa4549bae3b4af883aec1eedfec056018c362171da6ec74210fe63a1e3" - "c6d88e0b2248efd6f77710e495fee25554e3e28a045364721aa683180a24fcd0" - "fc8adc1ed2cbf4ca4205aed703902d57730fe1776245ea7cec6d95f69191c68d" - "1ba2aced6da0b7afa56587a8f5b4ff68c3e0e02526caa112373608c8c7ce55e2" - "7101d0dea2878e47ed15f0e2c9ef4b8cd02bb1f6f552082c8910f450de49334f" - "4b032eed8abc3477d1245a9a14a526e4d0d7dac529e2f1b2f2e503d02e362079" - "394e66c30a9b3bdbbf9575d33a9bb70a7291cf9b73c04e65a55136d387564dc0" - "a4b383ae4ebe890e53fee18d9999970b2a66a69e26f403cb45399fcc8fec8c33" - "9f10e1eece6afc2268ddaf0176470ca1adb33fd4a7429fed7c3eb90b2a463fca" - "5620b8248bb446f391f6f5083d01a9eab4e8be5c2a5e49a69c02b2c748f1919e" - "1149c39cfd09908eff85963c863f273b27e5975243e0f8e0e2aaa72b9b38c9ad" - "818c497e96d90c955ea3d2e5e2f9200adeb75c2297540279ffa9a49ae16e4762" - "fa91e0906aec26c98ff8ae72f1ce7ccf85d8f11c2cf3952b9c3ac67da80ddfa2" - "9ebf3309ac59d23b5180ad424e2911d30103ef2ef6845993be1f10662df009cb", - "864f5741c3d048ae75b1f0186a8eb07542e099799539f1c5e47c0643ce4de614" - "6742e685051ab2911a29ed18872ffb317731cc55af9a2ed5da2d4902a1fee005" - "8a818c8d1fc508c1c303760fcd580c2ee21e65dd094a41cd4c9fe34dbb0d75cc" - "ee2816cab10cdc1f9ed3cc1d36d75795ec299ca9357e92a782d822298db2f601" - "7cbc376141aea92cc67b6dfa8108d5d9021780fd852d38f593a30274c41379dc" - "8a34ea4ae767f811f357bf5742c86c2b46b5c059cd3c7695c70f1aca2ca2a669" - "196aff6f192af27bbfc85c55c31a5a0ece0ecc55016589c58c17ef921620347e" - "4be4c29f3333506b3303dd1759f03733169ccf7a93e2a24e6dbeeacefc382d5c" - "b00398da4b5704430b5675b82064f9b5215b0757d440a5de9422121891129f39" - "276171d1ad42f21239c6d49e17ab5fc989048dce4ffb68131e8aa674817cbed9" - "91ab240aa629d4ac29dcf407f0911dff119f8c02441fc72a8987ed46d9cde314" - "bc11f4232351386f1612ba71c3d18d432802754ca738df69c60650f309fec629" 
- "c3727cc0a715f55a8b623554cbd08092b833b645acfb34216b02c822e13c79d4" - "e6835cc8b5e88639a1fee056cfa654a4fbd238ac59f4b2c70060a71e0954a6b0" - "045e53711ba7043c1e5c713d5ccec41975bb3114dcbd63ec08e90074191f515f" - "e0f83bbc6990d010d6a30674d69f3d8355ca1db1b3a294b233949f4f0dc423bb" - "f02abbc2306a6791749c97045db72ead783f2e8b90127b4c12a4ab6a329d3ecd" - }, + {"b0f0dc151095ec58d407195199de7a769a755b2bda7c52a039474db388ee3b2d" + "f04af5b44f1091da6520a660f008aa2a66778a6cc0c6d426a75298e6910364d6", + "cba24d262d789207390ecd8be26db11b", + "14f86e6190214719b2351ced9949c364ec108b19891d20c22ced4d0e5afe2a6e" + "f798cf87b916a06b4bbc58e4061c49f22cd40bb5f12b771d18c42c72c356e0ba" + "eeaf41a7c5e212109e6af4a4863d96b311a16803cce020e4a44c5667a2362190" + "e56337aa4549bae3b4af883aec1eedfec056018c362171da6ec74210fe63a1e3" + "c6d88e0b2248efd6f77710e495fee25554e3e28a045364721aa683180a24fcd0" + "fc8adc1ed2cbf4ca4205aed703902d57730fe1776245ea7cec6d95f69191c68d" + "1ba2aced6da0b7afa56587a8f5b4ff68c3e0e02526caa112373608c8c7ce55e2" + "7101d0dea2878e47ed15f0e2c9ef4b8cd02bb1f6f552082c8910f450de49334f" + "4b032eed8abc3477d1245a9a14a526e4d0d7dac529e2f1b2f2e503d02e362079" + "394e66c30a9b3bdbbf9575d33a9bb70a7291cf9b73c04e65a55136d387564dc0" + "a4b383ae4ebe890e53fee18d9999970b2a66a69e26f403cb45399fcc8fec8c33" + "9f10e1eece6afc2268ddaf0176470ca1adb33fd4a7429fed7c3eb90b2a463fca" + "5620b8248bb446f391f6f5083d01a9eab4e8be5c2a5e49a69c02b2c748f1919e" + "1149c39cfd09908eff85963c863f273b27e5975243e0f8e0e2aaa72b9b38c9ad" + "818c497e96d90c955ea3d2e5e2f9200adeb75c2297540279ffa9a49ae16e4762" + "fa91e0906aec26c98ff8ae72f1ce7ccf85d8f11c2cf3952b9c3ac67da80ddfa2" + "9ebf3309ac59d23b5180ad424e2911d30103ef2ef6845993be1f10662df009cb", + "864f5741c3d048ae75b1f0186a8eb07542e099799539f1c5e47c0643ce4de614" + "6742e685051ab2911a29ed18872ffb317731cc55af9a2ed5da2d4902a1fee005" + "8a818c8d1fc508c1c303760fcd580c2ee21e65dd094a41cd4c9fe34dbb0d75cc" + "ee2816cab10cdc1f9ed3cc1d36d75795ec299ca9357e92a782d822298db2f601" + 
"7cbc376141aea92cc67b6dfa8108d5d9021780fd852d38f593a30274c41379dc" + "8a34ea4ae767f811f357bf5742c86c2b46b5c059cd3c7695c70f1aca2ca2a669" + "196aff6f192af27bbfc85c55c31a5a0ece0ecc55016589c58c17ef921620347e" + "4be4c29f3333506b3303dd1759f03733169ccf7a93e2a24e6dbeeacefc382d5c" + "b00398da4b5704430b5675b82064f9b5215b0757d440a5de9422121891129f39" + "276171d1ad42f21239c6d49e17ab5fc989048dce4ffb68131e8aa674817cbed9" + "91ab240aa629d4ac29dcf407f0911dff119f8c02441fc72a8987ed46d9cde314" + "bc11f4232351386f1612ba71c3d18d432802754ca738df69c60650f309fec629" + "c3727cc0a715f55a8b623554cbd08092b833b645acfb34216b02c822e13c79d4" + "e6835cc8b5e88639a1fee056cfa654a4fbd238ac59f4b2c70060a71e0954a6b0" + "045e53711ba7043c1e5c713d5ccec41975bb3114dcbd63ec08e90074191f515f" + "e0f83bbc6990d010d6a30674d69f3d8355ca1db1b3a294b233949f4f0dc423bb" + "f02abbc2306a6791749c97045db72ead783f2e8b90127b4c12a4ab6a329d3ecd"}, // Test vectors from NIST // https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program // 256-bit key, 256-bit data (32 bytes, 2 blocks) @@ -1056,15 +1024,15 @@ TEST(XTSTest, TestVectors) { // Negative test for key1 = key2 TEST(XTSTest, DuplicateKey) { - // The 2 halves of the key below are identical. - // The ciphertext is not correct which does not matter since it will fail in Init. + // The ciphertext is not correct which does not matter since it will fail in + // Init. const XTSTestCase kXTSDuplicateKey = { - "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0" - "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0", - "9a785634120000000000000000000000", - "000102030405060708090a0b0c0d0e0f10", - "000102030405060708090a0b0c0d0e0f10", + "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0" + "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0", + "9a785634120000000000000000000000", + "000102030405060708090a0b0c0d0e0f10", + "000102030405060708090a0b0c0d0e0f10", }; const EVP_CIPHER *cipher = EVP_aes_256_xts(); 
@@ -1074,23 +1042,22 @@ TEST(XTSTest, DuplicateKey) { ASSERT_TRUE(DecodeHex(&iv, kXTSDuplicateKey.iv_hex)); bssl::ScopedEVP_CIPHER_CTX ctx; - ASSERT_FALSE(EVP_EncryptInit_ex(ctx.get(), cipher, nullptr, key.data(), - iv.data())); + ASSERT_FALSE( + EVP_EncryptInit_ex(ctx.get(), cipher, nullptr, key.data(), iv.data())); } // Negative test for input length TEST(XTSTest, InputTooLong) { - // The length of the input will be (wrongly) provided as larger than // XTS_MAX_BLOCKS_PER_DATA_UNIT. // The ciphertext does not correspond to the plaintext // which does not matter since it will fail on length check. const XTSTestCase kXTSWrongVector = { - "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0" - "bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0afaeadacabaaa9a8a7a6a5a4a3a2a1a0", - "9a785634120000000000000000000000", - "000102030405060708090a0b0c0d0e0f10", - "000102030405060708090a0b0c0d0e0f10", + "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0" + "bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0afaeadacabaaa9a8a7a6a5a4a3a2a1a0", + "9a785634120000000000000000000000", + "000102030405060708090a0b0c0d0e0f10", + "000102030405060708090a0b0c0d0e0f10", }; const EVP_CIPHER *cipher = EVP_aes_256_xts(); 
@@ -1102,120 +1069,127 @@ TEST(XTSTest, InputTooLong) { ASSERT_TRUE(DecodeHex(&ciphertext, kXTSWrongVector.ciphertext_hex)); bssl::ScopedEVP_CIPHER_CTX ctx; - ASSERT_TRUE(EVP_EncryptInit_ex(ctx.get(), cipher, nullptr, key.data(), - iv.data())); + ASSERT_TRUE( + EVP_EncryptInit_ex(ctx.get(), cipher, nullptr, key.data(), iv.data())); int len; std::vector out(plaintext.size()); ASSERT_FALSE( - EVP_EncryptUpdate(ctx.get(), out.data(), &len, plaintext.data(), - (XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) + 1)); + EVP_EncryptUpdate(ctx.get(), out.data(), &len, plaintext.data(), + (XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) + 1)); // Test Decryption ctx.Reset(); - ASSERT_TRUE(EVP_DecryptInit_ex(ctx.get(), cipher, nullptr, key.data(), - iv.data())); + ASSERT_TRUE( + EVP_DecryptInit_ex(ctx.get(), cipher, nullptr, key.data(), iv.data())); ASSERT_FALSE( - EVP_DecryptUpdate(ctx.get(), out.data(), &len, ciphertext.data(), - (XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) + 1)); - + EVP_DecryptUpdate(ctx.get(), out.data(), &len, ciphertext.data(), + (XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) + 1)); } static void encrypt_and_decrypt(bssl::ScopedEVP_CIPHER_CTX &ctx_encrypt, - bssl::ScopedEVP_CIPHER_CTX &ctx_decrypt, std::vector pt, - std::vector ct_expected, bool do_tweak, - std::vector tweak) { - + bssl::ScopedEVP_CIPHER_CTX &ctx_decrypt, + std::vector pt, + std::vector ct_expected, bool do_tweak, + std::vector tweak) { int len = 0; std::vector ct_actual(pt.size()), pt_actual(pt.size()); if (do_tweak) { - ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), nullptr, - nullptr, nullptr, tweak.data())); - ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), nullptr, - nullptr, nullptr, tweak.data())); + ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), nullptr, nullptr, nullptr, + tweak.data())); + ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), nullptr, nullptr, nullptr, + tweak.data())); } ASSERT_TRUE(EVP_EncryptUpdate(ctx_encrypt.get(), ct_actual.data(), &len, - 
pt.data(), pt.size())); - EXPECT_EQ(len, (int) pt.size()); + pt.data(), pt.size())); + EXPECT_EQ(len, (int)pt.size()); EXPECT_EQ(Bytes(ct_expected), Bytes(ct_actual)); ASSERT_TRUE(EVP_DecryptUpdate(ctx_decrypt.get(), pt_actual.data(), &len, - ct_actual.data(), ct_actual.size())); - EXPECT_EQ(len, (int) pt.size()); + ct_actual.data(), ct_actual.size())); + EXPECT_EQ(len, (int)pt.size()); EXPECT_EQ(Bytes(pt), Bytes(pt_actual)); } // Test that XTS mode API can be used without re-initializing the entire key // context if the only thing that changes is the tweak. TEST(XTSTest, SectorTweakAPIUsage) { - - std::vector key, sectorTweak1, sectorTweak2, pt, ct1_expected, ct2_expected; + std::vector key, sectorTweak1, sectorTweak2, pt, ct1_expected, + ct2_expected; // First two test vectors in kXTSTestCases. - ASSERT_TRUE(DecodeHex(&key, "2718281828459045235360287471352662497757247093699959574966967627" - "3141592653589793238462643383279502884197169399375105820974944592")); + ASSERT_TRUE(DecodeHex( + &key, + "2718281828459045235360287471352662497757247093699959574966967627" + "3141592653589793238462643383279502884197169399375105820974944592")); ASSERT_TRUE(DecodeHex(§orTweak1, "ff000000000000000000000000000000")); ASSERT_TRUE(DecodeHex(§orTweak2, "ffff0000000000000000000000000000")); - ASSERT_TRUE(DecodeHex(&pt, "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122" - "232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445" - "464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768" - "696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b" - "8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadae" - "afb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1" - "d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4" - "f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f1011121314151617" - "18191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a" - 
"3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d" - "5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f80" - "8182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3" - "a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6" - "c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9" - "eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); - ASSERT_TRUE(DecodeHex(&ct1_expected, "1c3b3a102f770386e4836c99e370cf9bea00803f5e482357a4ae12d414a3e63b5d31e2" - "76f8fe4a8d66b317f9ac683f44680a86ac35adfc3345befecb4bb188fd5776926c49a3" - "095eb108fd1098baec70aaa66999a72a82f27d848b21d4a741b0c5cd4d5fff9dac89ae" - "ba122961d03a757123e9870f8acf1000020887891429ca2a3e7a7d7df7b10355165c8b" - "9a6d0a7de8b062c4500dc4cd120c0f7418dae3d0b5781c34803fa75421c790dfe1de18" - "34f280d7667b327f6c8cd7557e12ac3a0f93ec05c52e0493ef31a12d3d9260f79a289d" - "6a379bc70c50841473d1a8cc81ec583e9645e07b8d9670655ba5bbcfecc6dc3966380a" - "d8fecb17b6ba02469a020a84e18e8f84252070c13e9f1f289be54fbc481457778f6160" - "15e1327a02b140f1505eb309326d68378f8374595c849d84f4c333ec4423885143cb47" - "bd71c5edae9be69a2ffeceb1bec9de244fbe15992b11b77c040f12bd8f6a975a44a0f9" - "0c29a9abc3d4d893927284c58754cce294529f8614dcd2aba991925fedc4ae74ffac6e" - "333b93eb4aff0479da9a410e4450e0dd7ae4c6e2910900575da401fc07059f645e8b7e" - "9bfdef33943054ff84011493c27b3429eaedb4ed5376441a77ed43851ad77f16f541df" - "d269d50d6a5f14fb0aab1cbb4c1550be97f7ab4066193c4caa773dad38014bd2092fa7" - "55c824bb5e54c4f36ffda9fcea70b9c6e693e148c151")); - ASSERT_TRUE(DecodeHex(&ct2_expected, "77a31251618a15e6b92d1d66dffe7b50b50bad552305ba0217a610688eff7e11e1d022" - "5438e093242d6db274fde801d4cae06f2092c728b2478559df58e837c2469ee4a4fa79" - "4e4bbc7f39bc026e3cb72c33b0888f25b4acf56a2a9804f1ce6d3d6e1dc6ca181d4b54" - "6179d55544aa7760c40d06741539c7e3cd9d2f6650b2013fd0eeb8c2b8e3d8d240ccae" - "2d4c98320a7442e1c8d75a42d6e6cfa4c2eca1798d158c7aecdf82490f24bb9b38e108" - 
"bcda12c3faf9a21141c3613b58367f922aaa26cd22f23d708dae699ad7cb40a8ad0b6e" - "2784973dcb605684c08b8d6998c69aac049921871ebb65301a4619ca80ecb485a31d74" - "4223ce8ddc2394828d6a80470c092f5ba413c3378fa6054255c6f9df4495862bbb3287" - "681f931b687c888abf844dfc8fc28331e579928cd12bd2390ae123cf03818d14dedde5" - "c0c24c8ab018bfca75ca096f2d531f3d1619e785f1ada437cab92e980558b3dce1474a" - "fb75bfedbf8ff54cb2618e0244c9ac0d3c66fb51598cd2db11f9be39791abe447c6309" - "4f7c453b7ff87cb5bb36b7c79efb0872d17058b83b15ab0866ad8a58656c5a7e20dbdf" - "308b2461d97c0ec0024a2715055249cf3b478ddd4740de654f75ca686e0d7345c69ed5" - "0cdc2a8b332b1f8824108ac937eb050585608ee734097fc09054fbff89eeaeea791f4a" - "7ab1f9868294a4f9e27b42af8100cb9d59cef9645803")); + ASSERT_TRUE(DecodeHex( + &pt, + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122" + "232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445" + "464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768" + "696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b" + "8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadae" + "afb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1" + "d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4" + "f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f1011121314151617" + "18191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a" + "3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d" + "5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f80" + "8182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3" + "a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6" + "c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9" + "eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); + ASSERT_TRUE(DecodeHex( + &ct1_expected, + "1c3b3a102f770386e4836c99e370cf9bea00803f5e482357a4ae12d414a3e63b5d31e2" + 
"76f8fe4a8d66b317f9ac683f44680a86ac35adfc3345befecb4bb188fd5776926c49a3" + "095eb108fd1098baec70aaa66999a72a82f27d848b21d4a741b0c5cd4d5fff9dac89ae" + "ba122961d03a757123e9870f8acf1000020887891429ca2a3e7a7d7df7b10355165c8b" + "9a6d0a7de8b062c4500dc4cd120c0f7418dae3d0b5781c34803fa75421c790dfe1de18" + "34f280d7667b327f6c8cd7557e12ac3a0f93ec05c52e0493ef31a12d3d9260f79a289d" + "6a379bc70c50841473d1a8cc81ec583e9645e07b8d9670655ba5bbcfecc6dc3966380a" + "d8fecb17b6ba02469a020a84e18e8f84252070c13e9f1f289be54fbc481457778f6160" + "15e1327a02b140f1505eb309326d68378f8374595c849d84f4c333ec4423885143cb47" + "bd71c5edae9be69a2ffeceb1bec9de244fbe15992b11b77c040f12bd8f6a975a44a0f9" + "0c29a9abc3d4d893927284c58754cce294529f8614dcd2aba991925fedc4ae74ffac6e" + "333b93eb4aff0479da9a410e4450e0dd7ae4c6e2910900575da401fc07059f645e8b7e" + "9bfdef33943054ff84011493c27b3429eaedb4ed5376441a77ed43851ad77f16f541df" + "d269d50d6a5f14fb0aab1cbb4c1550be97f7ab4066193c4caa773dad38014bd2092fa7" + "55c824bb5e54c4f36ffda9fcea70b9c6e693e148c151")); + ASSERT_TRUE(DecodeHex( + &ct2_expected, + "77a31251618a15e6b92d1d66dffe7b50b50bad552305ba0217a610688eff7e11e1d022" + "5438e093242d6db274fde801d4cae06f2092c728b2478559df58e837c2469ee4a4fa79" + "4e4bbc7f39bc026e3cb72c33b0888f25b4acf56a2a9804f1ce6d3d6e1dc6ca181d4b54" + "6179d55544aa7760c40d06741539c7e3cd9d2f6650b2013fd0eeb8c2b8e3d8d240ccae" + "2d4c98320a7442e1c8d75a42d6e6cfa4c2eca1798d158c7aecdf82490f24bb9b38e108" + "bcda12c3faf9a21141c3613b58367f922aaa26cd22f23d708dae699ad7cb40a8ad0b6e" + "2784973dcb605684c08b8d6998c69aac049921871ebb65301a4619ca80ecb485a31d74" + "4223ce8ddc2394828d6a80470c092f5ba413c3378fa6054255c6f9df4495862bbb3287" + "681f931b687c888abf844dfc8fc28331e579928cd12bd2390ae123cf03818d14dedde5" + "c0c24c8ab018bfca75ca096f2d531f3d1619e785f1ada437cab92e980558b3dce1474a" + "fb75bfedbf8ff54cb2618e0244c9ac0d3c66fb51598cd2db11f9be39791abe447c6309" + "4f7c453b7ff87cb5bb36b7c79efb0872d17058b83b15ab0866ad8a58656c5a7e20dbdf" + 
"308b2461d97c0ec0024a2715055249cf3b478ddd4740de654f75ca686e0d7345c69ed5" + "0cdc2a8b332b1f8824108ac937eb050585608ee734097fc09054fbff89eeaeea791f4a" + "7ab1f9868294a4f9e27b42af8100cb9d59cef9645803")); bssl::ScopedEVP_CIPHER_CTX ctx_encrypt; bssl::ScopedEVP_CIPHER_CTX ctx_decrypt; // Firstly, encrypt and decrypt doing a full re-init for each sector. - ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), EVP_aes_256_xts(), - nullptr, key.data(), sectorTweak1.data())); - ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), EVP_aes_256_xts(), - nullptr, key.data(), sectorTweak1.data())); + ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), EVP_aes_256_xts(), nullptr, + key.data(), sectorTweak1.data())); + ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), EVP_aes_256_xts(), nullptr, + key.data(), sectorTweak1.data())); encrypt_and_decrypt(ctx_encrypt, ctx_decrypt, pt, ct1_expected, false, {}); - ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), EVP_aes_256_xts(), - nullptr, key.data(), sectorTweak2.data())); - ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), EVP_aes_256_xts(), - nullptr, key.data(), sectorTweak2.data())); + ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), EVP_aes_256_xts(), nullptr, + key.data(), sectorTweak2.data())); + ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), EVP_aes_256_xts(), nullptr, + key.data(), sectorTweak2.data())); encrypt_and_decrypt(ctx_encrypt, ctx_decrypt, pt, ct2_expected, false, {}); ctx_encrypt.Reset(); 
@@ -1223,16 +1197,16 @@ TEST(XTSTest, SectorTweakAPIUsage) { // Secondly, encrypt and decrypt but do not re-init the cipher structure. // Expects this to work since we are using the same cipher implementation. - ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), EVP_aes_256_xts(), - nullptr, key.data(), sectorTweak1.data())); - ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), EVP_aes_256_xts(), - nullptr, key.data(), sectorTweak1.data())); + ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), EVP_aes_256_xts(), nullptr, + key.data(), sectorTweak1.data())); + ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), EVP_aes_256_xts(), nullptr, + key.data(), sectorTweak1.data())); encrypt_and_decrypt(ctx_encrypt, ctx_decrypt, pt, ct1_expected, false, {}); - ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), nullptr, - nullptr, key.data(), sectorTweak2.data())); - ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), nullptr, - nullptr, key.data(), sectorTweak2.data())); + ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), nullptr, nullptr, + key.data(), sectorTweak2.data())); + ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), nullptr, nullptr, + key.data(), sectorTweak2.data())); encrypt_and_decrypt(ctx_encrypt, ctx_decrypt, pt, ct2_expected, false, {}); ctx_encrypt.Reset(); 
@@ -1241,16 +1215,16 @@ TEST(XTSTest, SectorTweakAPIUsage) { // Thirdly, encrypt and decrypt but only re-init the sector tweak. // Expects this to work since the key context does not change, only the tweak. // XTS is designed specifically to enable this kind of re-use. - ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), EVP_aes_256_xts(), - nullptr, key.data(), sectorTweak1.data())); - ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), EVP_aes_256_xts(), - nullptr, key.data(), sectorTweak1.data())); + ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), EVP_aes_256_xts(), nullptr, + key.data(), sectorTweak1.data())); + ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), EVP_aes_256_xts(), nullptr, + key.data(), sectorTweak1.data())); encrypt_and_decrypt(ctx_encrypt, ctx_decrypt, pt, ct1_expected, false, {}); - ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), nullptr, - nullptr, nullptr, sectorTweak2.data())); - ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), nullptr, - nullptr, nullptr, sectorTweak2.data())); + ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), nullptr, nullptr, nullptr, + sectorTweak2.data())); + ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), nullptr, nullptr, nullptr, + sectorTweak2.data())); encrypt_and_decrypt(ctx_encrypt, ctx_decrypt, pt, ct2_expected, false, {}); ctx_encrypt.Reset(); 
@@ -1260,10 +1234,12 @@ TEST(XTSTest, SectorTweakAPIUsage) {
 // key init and sector tweak init separately in two different function calls.
 // Expects this to work since the key context does not change, only the tweak.
 // XTS is designed specifically to enable this kind of re-use.
- ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), EVP_aes_256_xts(),
- nullptr, key.data(), nullptr));
- ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), EVP_aes_256_xts(),
- nullptr, key.data(), nullptr));
- encrypt_and_decrypt(ctx_encrypt, ctx_decrypt, pt, ct1_expected, true, sectorTweak1);
- encrypt_and_decrypt(ctx_encrypt, ctx_decrypt, pt, ct2_expected, true, sectorTweak2);
+ ASSERT_TRUE(EVP_EncryptInit_ex(ctx_encrypt.get(), EVP_aes_256_xts(), nullptr,
+ key.data(), nullptr));
+ ASSERT_TRUE(EVP_DecryptInit_ex(ctx_decrypt.get(), EVP_aes_256_xts(), nullptr,
+ key.data(), nullptr));
+ encrypt_and_decrypt(ctx_encrypt, ctx_decrypt, pt, ct1_expected, true,
+ sectorTweak1);
+ encrypt_and_decrypt(ctx_encrypt, ctx_decrypt, pt, ct2_expected, true,
+ sectorTweak2);
 }
diff --git a/crypto/fipsmodule/pbkdf/pbkdf.c b/crypto/fipsmodule/pbkdf/pbkdf.c
index 966a5dd204..5ecf2e85b1 100644
--- a/crypto/fipsmodule/pbkdf/pbkdf.c
+++ b/crypto/fipsmodule/pbkdf/pbkdf.c
@@ -9,7 +9,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in
@@ -96,8 +96,7 @@ int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
 // Compute U_1.
 uint8_t digest_tmp[EVP_MAX_MD_SIZE];
 if (!HMAC_Init_ex(&hctx, NULL, 0, NULL, NULL) ||
- !HMAC_Update(&hctx, salt, salt_len) ||
- !HMAC_Update(&hctx, i_buf, 4) ||
+ !HMAC_Update(&hctx, salt, salt_len) || !HMAC_Update(&hctx, i_buf, 4) ||
 !HMAC_Final(&hctx, digest_tmp, NULL)) {
 goto err;
 }
diff --git a/crypto/fipsmodule/pbkdf/pbkdf_test.cc b/crypto/fipsmodule/pbkdf/pbkdf_test.cc
index fe62c60853..7e6aa3e83b 100644
--- a/crypto/fipsmodule/pbkdf/pbkdf_test.cc
+++ b/crypto/fipsmodule/pbkdf/pbkdf_test.cc
@@ -68,10 +68,9 @@ TEST(PBKDFTest, RFC6070Vectors) {
 0x41, 0xf0, 0xd8, 0xde, 0x89, 0x57};
 const uint8_t kKey3[] = {0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
 0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3};
- const uint8_t kKey4[] = {0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
- 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
- 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
- 0x38};
+ const uint8_t kKey4[] = {0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b, 0x80,
+ 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a, 0x8b, 0x29,
+ 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70, 0x38};
 uint8_t key[sizeof(kKey4)];
 static_assert(sizeof(key) >= sizeof(kKey1), "output too small");
 static_assert(sizeof(key) >= sizeof(kKey2), "output too small");
@@ -89,9 +88,10 @@ TEST(PBKDFTest, RFC6070Vectors) {
 4096, EVP_sha1(), sizeof(kKey3), key));
 EXPECT_EQ(Bytes(kKey3), Bytes(key, sizeof(kKey3)));
- ASSERT_TRUE(PKCS5_PBKDF2_HMAC("passwordPASSWORDpassword", 24,
- (const uint8_t *)"saltSALTsaltSALTsaltSALTsaltSALTsalt", 36,
- 4096, EVP_sha1(), sizeof(kKey4), key));
+ ASSERT_TRUE(
+ PKCS5_PBKDF2_HMAC("passwordPASSWORDpassword", 24,
+ (const uint8_t *)"saltSALTsaltSALTsaltSALTsaltSALTsalt",
+ 36, 4096, EVP_sha1(), sizeof(kKey4), key));
 EXPECT_EQ(Bytes(kKey4), Bytes(key, sizeof(kKey4)));
 }
diff --git a/crypto/fipsmodule/pqdsa/internal.h b/crypto/fipsmodule/pqdsa/internal.h
index 390489a8f0..8bb50f26b9 100644
--- a/crypto/fipsmodule/pqdsa/internal.h
+++ b/crypto/fipsmodule/pqdsa/internal.h
@@ -12,43 +12,28 @@ extern "C" {
 // PQDSA_METHOD structure and helper functions.
 typedef struct {
- int (*pqdsa_keygen)(uint8_t *public_key,
- uint8_t *private_key);
+ int (*pqdsa_keygen)(uint8_t *public_key, uint8_t *private_key);
- int (*pqdsa_keygen_internal)(uint8_t *public_key,
- uint8_t *private_key,
- const uint8_t *seed);
+ int (*pqdsa_keygen_internal)(uint8_t *public_key, uint8_t *private_key,
+ const uint8_t *seed);
- int (*pqdsa_sign_message)(const uint8_t *private_key,
- uint8_t *sig,
- size_t *sig_len,
- const uint8_t *message,
- size_t message_len,
- const uint8_t *ctx_string,
+ int (*pqdsa_sign_message)(const uint8_t *private_key, uint8_t *sig,
+ size_t *sig_len, const uint8_t *message,
+ size_t message_len, const uint8_t *ctx_string,
 size_t ctx_string_len);
- int (*pqdsa_sign)(const uint8_t *private_key,
- uint8_t *sig,
- size_t *sig_len,
- const uint8_t *digest,
- size_t digest_len);
+ int (*pqdsa_sign)(const uint8_t *private_key, uint8_t *sig, size_t *sig_len,
+ const uint8_t *digest, size_t digest_len);
- int (*pqdsa_verify_message)(const uint8_t *public_key,
- const uint8_t *sig,
- size_t sig_len,
- const uint8_t *message,
- size_t message_len,
- const uint8_t *ctx_string,
+ int (*pqdsa_verify_message)(const uint8_t *public_key, const uint8_t *sig,
+ size_t sig_len, const uint8_t *message,
+ size_t message_len, const uint8_t *ctx_string,
 size_t ctx_string_len);
- int (*pqdsa_verify)(const uint8_t *public_key,
- const uint8_t *sig,
- size_t sig_len,
- const uint8_t *digest,
- size_t digest_len);
+ int (*pqdsa_verify)(const uint8_t *public_key, const uint8_t *sig,
+ size_t sig_len, const uint8_t *digest, size_t digest_len);
- int (*pqdsa_pack_pk_from_sk)(uint8_t *public_key,
- const uint8_t *private_key);
+ int (*pqdsa_pack_pk_from_sk)(uint8_t *public_key, const uint8_t *private_key);
 } PQDSA_METHOD;
 // PQDSA structure and helper functions.
@@ -73,9 +58,9 @@ struct pqdsa_key_st {
 };
 int PQDSA_KEY_init(PQDSA_KEY *key, const PQDSA *pqdsa);
-const PQDSA * PQDSA_find_dsa_by_nid(int nid);
+const PQDSA *PQDSA_find_dsa_by_nid(int nid);
 const EVP_PKEY_ASN1_METHOD *PQDSA_find_asn1_by_nid(int nid);
-const PQDSA *PQDSA_KEY_get0_dsa(PQDSA_KEY* key);
+const PQDSA *PQDSA_KEY_get0_dsa(PQDSA_KEY *key);
 PQDSA_KEY *PQDSA_KEY_new(void);
 void PQDSA_KEY_free(PQDSA_KEY *key);
 int EVP_PKEY_pqdsa_set_params(EVP_PKEY *pkey, int nid);
@@ -87,4 +72,4 @@ int PQDSA_KEY_set_raw_private_key(PQDSA_KEY *key, CBS *in);
 } // extern C
 #endif
-#endif // AWSLC_HEADER_DSA_TEST_INTERNAL_H
+#endif // AWSLC_HEADER_DSA_TEST_INTERNAL_H
diff --git a/crypto/fipsmodule/pqdsa/pqdsa.c b/crypto/fipsmodule/pqdsa/pqdsa.c
index 258659ecb4..32afaac0f2 100644
--- a/crypto/fipsmodule/pqdsa/pqdsa.c
+++ b/crypto/fipsmodule/pqdsa/pqdsa.c
@@ -1,25 +1,29 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
+#include
 #include
 #include
-#include
-#include "../delocate.h"
 #include "../../evp_extra/internal.h"
+#include "../delocate.h"
 #include "../ml_dsa/ml_dsa.h"
 #include "internal.h"
 // ML-DSA OIDs as defined within:
 // https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration
-//2.16.840.1.101.3.4.3.17
-static const uint8_t kOIDMLDSA44[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x11};
-//2.16.840.1.101.3.4.3.18
-static const uint8_t kOIDMLDSA65[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12};
-//2.16.840.1.101.3.4.3.19
-static const uint8_t kOIDMLDSA87[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x13};
-
-// PQDSA functions: these are init/new/clear/free/get_sig functions for PQDSA_KEY
-// These are analagous to the ec_key functions in crypto/fipsmodule/ec/ec_key.c
+// 2.16.840.1.101.3.4.3.17
+static const uint8_t kOIDMLDSA44[] = {0x60, 0x86, 0x48, 0x01, 0x65,
+ 0x03, 0x04, 0x03, 0x11};
+// 2.16.840.1.101.3.4.3.18
+static const uint8_t kOIDMLDSA65[] = {0x60, 0x86, 0x48, 0x01, 0x65,
+ 0x03, 0x04, 0x03, 0x12};
+// 2.16.840.1.101.3.4.3.19
+static const uint8_t kOIDMLDSA87[] = {0x60, 0x86, 0x48, 0x01, 0x65,
+ 0x03, 0x04, 0x03, 0x13};
+
+// PQDSA functions: these are init/new/clear/free/get_sig functions for
+// PQDSA_KEY These are analagous to the ec_key functions in
+// crypto/fipsmodule/ec/ec_key.c
 PQDSA_KEY *PQDSA_KEY_new(void) {
 PQDSA_KEY *ret = OPENSSL_zalloc(sizeof(PQDSA_KEY));
@@ -63,9 +67,7 @@ void PQDSA_KEY_free(PQDSA_KEY *key) {
 OPENSSL_free(key);
 }
-const PQDSA *PQDSA_KEY_get0_dsa(PQDSA_KEY* key) {
- return key->pqdsa;
-}
+const PQDSA *PQDSA_KEY_get0_dsa(PQDSA_KEY *key) { return key->pqdsa; }
 int PQDSA_KEY_set_raw_public_key(PQDSA_KEY *key, CBS *in) {
 // Check if the parsed length corresponds with the expected length.
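Review bot: The reflowed header comment above `PQDSA_KEY_new` now runs two sentences together — `// PQDSA_KEY These are analagous to the ec_key functions in` — because the original first line had no period before "These", and the typo "analagous" survives the rewrap. Since the formatter will keep re-wrapping whatever text is there, fixing the wording is what restores readability: `// PQDSA functions: these are init/new/clear/free/get_sig functions for`, `// PQDSA_KEY. These are analogous to the ec_key functions in`, `// crypto/fipsmodule/ec/ec_key.c`. The second hunk's collapsed one-liner `PQDSA_KEY_get0_dsa` has no comment at all; a single line such as `// PQDSA_KEY_get0_dsa returns |key|'s PQDSA method without taking a reference; |key| must be non-NULL.` would match the header's style and document the unconditional `key->pqdsa` dereference.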
@@ -89,7 +91,7 @@ int PQDSA_KEY_set_raw_keypair_from_seed(PQDSA_KEY *key, CBS *in) {
 return 0;
 }
- //allocate buffers to store key pair
+ // allocate buffers to store key pair
 uint8_t *public_key = OPENSSL_malloc(key->pqdsa->public_key_len);
 if (public_key == NULL) {
 return 0;
@@ -102,8 +104,7 @@ int PQDSA_KEY_set_raw_keypair_from_seed(PQDSA_KEY *key, CBS *in) {
 }
 // attempt to generate the key from the provided seed
- if (!key->pqdsa->method->pqdsa_keygen_internal(public_key,
- private_key,
+ if (!key->pqdsa->method->pqdsa_keygen_internal(public_key, private_key,
 CBS_data(in))) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
 return 0;
@@ -137,7 +138,8 @@ int PQDSA_KEY_set_raw_private_key(PQDSA_KEY *key, CBS *in) {
 }
 // Construct the public key from the private key
- if (!key->pqdsa->method->pqdsa_pack_pk_from_sk(public_key, key->private_key)) {
+ if (!key->pqdsa->method->pqdsa_pack_pk_from_sk(public_key,
+ key->private_key)) {
 OPENSSL_free(public_key);
 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
 return 0;
diff --git a/crypto/fipsmodule/rand/cpu_jitter_test.cc b/crypto/fipsmodule/rand/cpu_jitter_test.cc
index 13638fcd57..2a56dc9dbe 100644
--- a/crypto/fipsmodule/rand/cpu_jitter_test.cc
+++ b/crypto/fipsmodule/rand/cpu_jitter_test.cc
@@ -5,8 +5,8 @@
 #include
-#include "../../test/test_util.h"
 #include "../../../third_party/jitterentropy/jitterentropy.h"
+#include "../../test/test_util.h"
 // Struct for Jitter entropy collector instance with constructor/desctructor.
 struct JitterEC {
@@ -24,7 +24,6 @@ struct JitterEC {
 };
 TEST(CPUJitterEntropyTest, Basic) {
-
 // Allocate Jitter instance with default oversampling rate.
 JitterEC jitter_ec(0, JENT_FORCE_FIPS);
@@ -39,10 +38,10 @@ TEST(CPUJitterEntropyTest, Basic) {
 uint8_t data0[data_len], data1[data_len];
 // Draw some entropy to check if it works.
- EXPECT_EQ(jent_read_entropy(jitter_ec.instance,
- (char*) data0, data_len), data_len);
- EXPECT_EQ(jent_read_entropy(jitter_ec.instance,
- (char*) data1, data_len), data_len);
+ EXPECT_EQ(jent_read_entropy(jitter_ec.instance, (char *)data0, data_len),
+ data_len);
+ EXPECT_EQ(jent_read_entropy(jitter_ec.instance, (char *)data1, data_len),
+ data_len);
 // Basic check that the random data is not equal.
 EXPECT_NE(Bytes(data0), Bytes(data1));
@@ -56,10 +55,10 @@ TEST(CPUJitterEntropyTest, Basic) {
 EXPECT_EQ(jitter_ec.instance->osr, osr);
 // Test drawing entropy from the Jitter object that was reset.
- EXPECT_EQ(jent_read_entropy(jitter_ec.instance,
- (char*) data0, data_len), data_len);
- EXPECT_EQ(jent_read_entropy(jitter_ec.instance,
- (char*) data1, data_len), data_len);
+ EXPECT_EQ(jent_read_entropy(jitter_ec.instance, (char *)data0, data_len),
+ data_len);
+ EXPECT_EQ(jent_read_entropy(jitter_ec.instance, (char *)data1, data_len),
+ data_len);
 // Verify that the Jitter library version is v3.4.0.
 unsigned int jitter_version = 3040000;
diff --git a/crypto/fipsmodule/rand/ctrdrbg.c b/crypto/fipsmodule/rand/ctrdrbg.c
index a6f435b696..09e73581bf 100644
--- a/crypto/fipsmodule/rand/ctrdrbg.c
+++ b/crypto/fipsmodule/rand/ctrdrbg.c
@@ -14,11 +14,11 @@
 #include
-#include
 #include
+#include
-#include "internal.h"
 #include "../cipher/internal.h"
+#include "internal.h"
 // Section references in this file refer to SP 800-90Ar1:
@@ -182,7 +182,7 @@ int CTR_DRBG_generate(CTR_DRBG_STATE *drbg, uint8_t *out, size_t out_len,
 todo = out_len;
 }
- todo &= ~(AES_BLOCK_SIZE-1);
+ todo &= ~(AES_BLOCK_SIZE - 1);
 const size_t num_blocks = todo / AES_BLOCK_SIZE;
 if (drbg->ctr) {
diff --git a/crypto/fipsmodule/rand/ctrdrbg_test.cc b/crypto/fipsmodule/rand/ctrdrbg_test.cc
index 50f42973f0..80fb8f692b 100644
--- a/crypto/fipsmodule/rand/ctrdrbg_test.cc
+++ b/crypto/fipsmodule/rand/ctrdrbg_test.cc
@@ -17,9 +17,9 @@
 #include
 #include
-#include "internal.h"
 #include "../../test/file_test.h"
 #include "../../test/test_util.h"
+#include "internal.h"
 TEST(CTRDRBGTest, Basic) {
@@ -66,7 +66,7 @@ TEST(CTRDRBGTest, Allocated) {
 bssl::UniquePtr allocated(CTR_DRBG_new(kSeed, nullptr, 0));
 ASSERT_TRUE(allocated);
- allocated.reset(CTR_DRBG_new(kSeed, nullptr, 1<<20));
+ allocated.reset(CTR_DRBG_new(kSeed, nullptr, 1 << 20));
 ASSERT_FALSE(allocated);
 }
diff --git a/crypto/fipsmodule/rand/fork_detect.c b/crypto/fipsmodule/rand/fork_detect.c
index 536737ebd3..1735940b0d 100644
--- a/crypto/fipsmodule/rand/fork_detect.c
+++ b/crypto/fipsmodule/rand/fork_detect.c
@@ -21,14 +21,14 @@
 #include "fork_detect.h"
 #if defined(OPENSSL_LINUX)
+#include
 #include
 #include
-#include
 #include
-#include "../delocate.h"
 #include "../../internal.h"
+#include "../delocate.h"
 #if defined(MADV_WIPEONFORK)
@@ -44,7 +44,6 @@ DEFINE_BSS_GET(uint64_t, g_fork_generation)
 DEFINE_BSS_GET(int, g_ignore_madv_wipeonfork)
 static int init_fork_detect_madv_wipeonfork(void *addr, long page_size) {
-
 // Some versions of qemu (up to at least 5.0.0-rc4, see linux-user/syscall.c)
 // ignore |madvise| calls and just return zero (i.e. success). But we need to
 // know whether MADV_WIPEONFORK actually took effect. Therefore try an invalid
@@ -60,7 +59,6 @@ static int init_fork_detect_madv_wipeonfork(void *addr, long page_size) {
 }
 static void init_fork_detect(void) {
-
 int res = 0;
 void *addr = MAP_FAILED;
 long page_size = 0;
@@ -77,7 +75,7 @@ static void init_fork_detect(void) {
 }
 addr = mmap(NULL, (size_t)page_size, PROT_READ | PROT_WRITE,
- MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
 if (addr == MAP_FAILED) {
 goto cleanup;
 }
@@ -87,7 +85,7 @@ static void init_fork_detect(void) {
 goto cleanup;
 }
- *((volatile char *) addr) = 1;
+ *((volatile char *)addr) = 1;
 *g_fork_detect_addr_bss_get() = addr;
 *g_fork_generation_bss_get() = 1;
diff --git a/crypto/fipsmodule/rand/fork_detect_test.cc b/crypto/fipsmodule/rand/fork_detect_test.cc
index 23274acfd4..bdebddace1 100644
--- a/crypto/fipsmodule/rand/fork_detect_test.cc
+++ b/crypto/fipsmodule/rand/fork_detect_test.cc
@@ -101,7 +101,6 @@ static void ForkInChild(std::function f) {
 }
 TEST(ForkDetect, Test) {
-
 if (getenv("BORINGSSL_IGNORE_MADV_WIPEONFORK")) {
 CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing();
 }
diff --git a/crypto/fipsmodule/rand/internal.h b/crypto/fipsmodule/rand/internal.h
index ab8fbd3d07..96a21879bb 100644
--- a/crypto/fipsmodule/rand/internal.h
+++ b/crypto/fipsmodule/rand/internal.h
@@ -95,9 +95,7 @@ OPENSSL_EXPORT int CTR_DRBG_init(CTR_DRBG_STATE *drbg,
 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
-OPENSSL_INLINE int have_rdrand(void) {
- return CRYPTO_is_RDRAND_capable();
-}
+OPENSSL_INLINE int have_rdrand(void) { return CRYPTO_is_RDRAND_capable(); }
 // have_fast_rdrand returns true if RDRAND is supported and it's reasonably
 // fast. Concretely the latter is defined by whether the chip is Intel (fast) or
@@ -117,13 +115,9 @@ int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);
 #else // OPENSSL_X86_64 && !OPENSSL_NO_ASM
-OPENSSL_INLINE int have_rdrand(void) {
- return 0;
-}
+OPENSSL_INLINE int have_rdrand(void) { return 0; }
-OPENSSL_INLINE int have_fast_rdrand(void) {
- return 0;
-}
+OPENSSL_INLINE int have_fast_rdrand(void) { return 0; }
 #endif // OPENSSL_X86_64 && !OPENSSL_NO_ASM
@@ -147,16 +141,17 @@ OPENSSL_EXPORT void HAZMAT_set_urandom_test_mode_for_testing(void);
 #elif defined(FIPS_ENTROPY_SOURCE_PASSIVE)
-OPENSSL_EXPORT void RAND_module_entropy_depleted(uint8_t out_entropy[CTR_DRBG_ENTROPY_LEN],
- int *out_want_additional_input);
+OPENSSL_EXPORT void RAND_module_entropy_depleted(
+ uint8_t out_entropy[CTR_DRBG_ENTROPY_LEN], int *out_want_additional_input);
 void CRYPTO_get_seed_entropy(uint8_t entropy[PASSIVE_ENTROPY_LOAD_LENGTH],
 int *out_want_additional_input);
-OPENSSL_EXPORT void RAND_load_entropy(uint8_t out_entropy[CTR_DRBG_ENTROPY_LEN],
- uint8_t entropy[PASSIVE_ENTROPY_LOAD_LENGTH]);
+OPENSSL_EXPORT void RAND_load_entropy(
+ uint8_t out_entropy[CTR_DRBG_ENTROPY_LEN],
+ uint8_t entropy[PASSIVE_ENTROPY_LOAD_LENGTH]);
 #endif
-#endif // defined(BORINGSSL_FIPS)
+#endif // defined(BORINGSSL_FIPS)
 #if defined(__cplusplus)
 } // extern C
diff --git a/crypto/fipsmodule/rand/rand.c b/crypto/fipsmodule/rand/rand.c
index 0b76c54eb0..5fb413c43e 100644
--- a/crypto/fipsmodule/rand/rand.c
+++ b/crypto/fipsmodule/rand/rand.c
@@ -33,11 +33,11 @@
 #include
 #include
-#include "internal.h"
-#include "fork_detect.h"
-#include "snapsafe_detect.h"
 #include "../../internal.h"
 #include "../delocate.h"
+#include "fork_detect.h"
+#include "internal.h"
+#include "snapsafe_detect.h"
 // It's assumed that the operating system always has an unfailing source of
@@ -56,10 +56,11 @@
 // that we can do about it.)
 // When in FIPS mode we use the CPU Jitter entropy source to seed our DRBG.
-// This entropy source is very slow and can incur a cost anywhere between 10-60ms
-// depending on configuration and CPU. Increasing to 2^24 will amortize the
-// penalty over more requests. This is the same value used in OpenSSL 3.0
-// and meets the requirements defined in SP 800-90B for a max reseed of interval (2^48)
+// This entropy source is very slow and can incur a cost anywhere between
+// 10-60ms depending on configuration and CPU. Increasing to 2^24 will amortize
+// the penalty over more requests. This is the same value used in OpenSSL 3.0
+// and meets the requirements defined in SP 800-90B for a max reseed of interval
+// (2^48)
 //
 // CPU Jitter: https://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.html
 //
@@ -68,7 +69,8 @@
 #if defined(BORINGSSL_FIPS)
-#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU) && defined(FIPS_ENTROPY_SOURCE_PASSIVE)
+#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU) && \
+ defined(FIPS_ENTROPY_SOURCE_PASSIVE)
 #error "Only one FIPS entropy source can be enabled at a time"
 #endif
@@ -80,14 +82,15 @@ static const unsigned kReseedInterval = 4096;
 #error "A FIPS entropy source must be explicitly defined"
 #endif
-#else // defined(BORINGSSL_FIPS)
+#else // defined(BORINGSSL_FIPS)
-#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU) || defined(FIPS_ENTROPY_SOURCE_PASSIVE)
+#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU) || \
+ defined(FIPS_ENTROPY_SOURCE_PASSIVE)
 #error "A FIPS entropy source must not be defined for non-FIPS build"
 #endif
 static const unsigned kReseedInterval = 4096;
-#endif // defined(BORINGSSL_FIPS)
+#endif // defined(BORINGSSL_FIPS)
 // rand_thread_state contains the per-thread state for the RNG.
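Review bot: The last sentence of the reseed-interval comment still reads `for a max reseed of interval (2^48)`, and the rewrap now strands `(2^48)` on a line of its own, so the point being made — that a 2^24 interval sits far below the permitted ceiling — is hard to follow. Suggest rewording the tail as `// and stays well below the maximum reseed interval of 2^48 permitted for` / `// CTR_DRBG in SP 800-90Ar1 (Table 3).` That bound is specified in SP 800-90A, the DRBG document this same commit already cites as 800-90Ar1 in ctrdrbg.c, whereas SP 800-90B covers entropy-source validation; the citation is worth confirming while the text is being touched.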
@@ -116,7 +119,7 @@ struct rand_thread_state {
 // time as the thread state is created/destroyed.
 struct rand_data *jitter_ec;
 #endif
-#endif // defined(BORINGSSL_FIPS)
+#endif // defined(BORINGSSL_FIPS)
 };
 #if defined(BORINGSSL_FIPS)
@@ -137,7 +140,6 @@ static void rand_state_fips_clear(struct rand_thread_state *state) {
 }
 static void rand_state_fips_init(struct rand_thread_state *state) {
-
 #if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)
 // Initialize the thread-local Jitter instance.
 state->jitter_ec = NULL;
@@ -152,10 +154,8 @@ static void rand_state_fips_init(struct rand_thread_state *state) {
 }
 static void rand_state_fips_maybe_want_additional_input(
- uint8_t additional_input[CTR_DRBG_ENTROPY_LEN],
- size_t *additional_input_len,
- int want_additional_input) {
-
+ uint8_t additional_input[CTR_DRBG_ENTROPY_LEN],
+ size_t *additional_input_len, int want_additional_input) {
 *additional_input_len = 0;
 #if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)
@@ -171,7 +171,8 @@ static void rand_state_fips_maybe_want_additional_input(
 // When getting entropy from the passive source in FIPS mode, we add
 // additional data if a CPU source has been used.
 if (want_additional_input == 1) {
- if (CRYPTO_sysrand_if_available(additional_input, CTR_DRBG_ENTROPY_LEN) == 1) {
+ if (CRYPTO_sysrand_if_available(additional_input, CTR_DRBG_ENTROPY_LEN) ==
+ 1) {
 *additional_input_len = CTR_DRBG_ENTROPY_LEN;
 }
 }
@@ -180,9 +181,9 @@ static void rand_state_fips_maybe_want_additional_input(
 }
 // Caller must check that |state| is not null.
-static void CRYPTO_fips_get_from_entropy_source(struct rand_thread_state *state,
- uint8_t *out_entropy, size_t out_entropy_len, int *out_want_additional_input) {
-
+static void CRYPTO_fips_get_from_entropy_source(
+ struct rand_thread_state *state, uint8_t *out_entropy,
+ size_t out_entropy_len, int *out_want_additional_input) {
 #if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)
 if (state->jitter_ec == NULL) {
@@ -195,9 +196,9 @@ static void CRYPTO_fips_get_from_entropy_source(struct rand_thread_state *state,
 for (num_tries = 1; num_tries <= JITTER_MAX_NUM_TRIES; num_tries++) {
 // Try to generate the required number of bytes with Jitter.
 // If successful break out from the loop, otherwise try again.
- if (jent_read_entropy(state->jitter_ec, (char *) out_entropy,
- out_entropy_len) == (ssize_t) out_entropy_len) {
- break;
+ if (jent_read_entropy(state->jitter_ec, (char *)out_entropy,
+ out_entropy_len) == (ssize_t)out_entropy_len) {
+ break;
 }
 // If Jitter entropy failed to produce entropy we need to reset it.
 jent_entropy_collector_free(state->jitter_ec);
@@ -225,10 +226,10 @@ static void rand_thread_state_clear_all(void);
 static void windows_install_rand_thread_state_clear_all(void) {
 atexit(&rand_thread_state_clear_all);
 }
-__declspec(allocate(".CRT$XCU")) void(*fips_library_destructor)(void) =
+__declspec(allocate(".CRT$XCU")) void (*fips_library_destructor)(void) =
 windows_install_rand_thread_state_clear_all;
 #else
-static void rand_thread_state_clear_all(void) __attribute__ ((destructor));
+static void rand_thread_state_clear_all(void) __attribute__((destructor));
 #endif
 static void rand_thread_state_clear_all(void) {
@@ -242,7 +243,7 @@ static void rand_thread_state_clear_all(void) {
 // running will hang if they try to call |RAND_bytes|.
 }
-#endif // defined(BORINGSSL_FIPS)
+#endif // defined(BORINGSSL_FIPS)
 // rand_thread_state_free frees a |rand_thread_state|. This is called when a
 // thread exits.
@@ -288,16 +289,16 @@ static void rand_thread_state_free(void *state_in) {
 // https://software.intel.com/content/www/us/en/develop/articles/intel-digital-random-number-generator-drng-software-implementation-guide.html
 #define RDRAND_MAX_RETRIES 10
-OPENSSL_STATIC_ASSERT(RDRAND_MAX_RETRIES > 0, rdrand_max_retries_must_be_positive)
-#define CALL_RDRAND_WITH_RETRY(rdrand_func, fail_ret_value) \
- for (size_t tries = 0; tries < RDRAND_MAX_RETRIES; tries++) { \
- if ((rdrand_func) == 1) { \
- break; \
- } \
- else if (tries >= RDRAND_MAX_RETRIES - 1) { \
- return fail_ret_value; \
- } \
- }
+OPENSSL_STATIC_ASSERT(RDRAND_MAX_RETRIES > 0,
+ rdrand_max_retries_must_be_positive)
+#define CALL_RDRAND_WITH_RETRY(rdrand_func, fail_ret_value) \
+ for (size_t tries = 0; tries < RDRAND_MAX_RETRIES; tries++) { \
+ if ((rdrand_func) == 1) { \
+ break; \
+ } else if (tries >= RDRAND_MAX_RETRIES - 1) { \
+ return fail_ret_value; \
+ } \
+ }
 // rdrand should only be called if either |have_rdrand| or |have_fast_rdrand|
 // returned true.
@@ -319,9 +320,7 @@ static int rdrand(uint8_t *buf, const size_t len) {
 #else
-static int rdrand(uint8_t *buf, size_t len) {
- return 0;
-}
+static int rdrand(uint8_t *buf, size_t len) { return 0; }
 #endif
@@ -331,8 +330,9 @@ static int rdrand(uint8_t *buf, size_t len) {
 // Currently, we assume that the length of externally loaded entropy has the
 // same length as the seed used in the ctr-drbg.
-OPENSSL_STATIC_ASSERT(CTR_DRBG_ENTROPY_LEN == PASSIVE_ENTROPY_LOAD_LENGTH,
- passive_entropy_load_length_different_from_ctr_drbg_seed_length)
+OPENSSL_STATIC_ASSERT(
+ CTR_DRBG_ENTROPY_LEN == PASSIVE_ENTROPY_LOAD_LENGTH,
+ passive_entropy_load_length_different_from_ctr_drbg_seed_length)
 void RAND_load_entropy(uint8_t out_entropy[CTR_DRBG_ENTROPY_LEN],
 uint8_t entropy[PASSIVE_ENTROPY_LOAD_LENGTH]) {
@@ -362,10 +362,10 @@ static void rand_get_seed(struct rand_thread_state *state,
 *out_want_additional_input = 0;
 CRYPTO_fips_get_from_entropy_source(state, seed, CTR_DRBG_ENTROPY_LEN,
- out_want_additional_input);
+ out_want_additional_input);
 }
-#else // BORINGSSL_FIPS
+#else // BORINGSSL_FIPS
 // rand_get_seed fills |seed| with entropy and sets |*out_want_additional_input|
 // to one if that entropy came directly from the CPU and zero otherwise.
@@ -379,7 +379,7 @@ static void rand_get_seed(struct rand_thread_state *state,
 *out_want_additional_input = 0;
 }
-#endif // BORINGSSL_FIPS
+#endif // BORINGSSL_FIPS
 void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
 const uint8_t user_additional_data[32]) {
@@ -454,8 +454,8 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
 uint8_t personalization[CTR_DRBG_ENTROPY_LEN] = {0};
 size_t personalization_len = 0;
 #if defined(BORINGSSL_FIPS)
- rand_state_fips_maybe_want_additional_input(personalization,
- &personalization_len, want_additional_input);
+ rand_state_fips_maybe_want_additional_input(
+ personalization, &personalization_len, want_additional_input);
 #endif
 if (!CTR_DRBG_init(&state->drbg, seed, personalization,
@@ -512,11 +512,11 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
 // kernel, syscalls made with |syscall| did not abort the transaction.
 CRYPTO_STATIC_MUTEX_lock_read(state_clear_all_lock_bss_get());
- rand_state_fips_maybe_want_additional_input(add_data_for_reseed,
- &add_data_for_reseed_len, want_additional_input);
+ rand_state_fips_maybe_want_additional_input(
+ add_data_for_reseed, &add_data_for_reseed_len, want_additional_input);
 #endif
- if (!CTR_DRBG_reseed(&state->drbg, seed,
- add_data_for_reseed, add_data_for_reseed_len)) {
+ if (!CTR_DRBG_reseed(&state->drbg, seed, add_data_for_reseed,
+ add_data_for_reseed_len)) {
 abort();
 }
 state->calls = 0;
@@ -586,9 +586,7 @@ int RAND_priv_bytes(uint8_t *out, size_t out_len) {
 return RAND_bytes(out, out_len);
 }
-int RAND_pseudo_bytes(uint8_t *buf, size_t len) {
- return RAND_bytes(buf, len);
-}
+int RAND_pseudo_bytes(uint8_t *buf, size_t len) { return RAND_bytes(buf, len); }
 void RAND_get_system_entropy_for_custom_prng(uint8_t *buf, size_t len) {
 if (len > 256) {
diff --git a/crypto/fipsmodule/rand/snapsafe_detect.c b/crypto/fipsmodule/rand/snapsafe_detect.c
index 430445d06c..cfd677a462 100644
--- a/crypto/fipsmodule/rand/snapsafe_detect.c
+++ b/crypto/fipsmodule/rand/snapsafe_detect.c
@@ -118,9 +118,7 @@ int CRYPTO_get_snapsafe_supported(void) {
 return 0;
 }
 #endif // defined(OPENSSL_LINUX)
-const char* CRYPTO_get_sysgenid_path(void) {
- return AWSLC_SYSGENID_PATH;
-}
+const char *CRYPTO_get_sysgenid_path(void) { return AWSLC_SYSGENID_PATH; }
 #if defined(OPENSSL_LINUX) && defined(AWSLC_SNAPSAFE_TESTING)
 int HAZMAT_init_sysgenid_file(void) {
diff --git a/crypto/fipsmodule/rand/snapsafe_detect.h b/crypto/fipsmodule/rand/snapsafe_detect.h
index db89a87297..e1b9c92092 100644
--- a/crypto/fipsmodule/rand/snapsafe_detect.h
+++ b/crypto/fipsmodule/rand/snapsafe_detect.h
@@ -11,7 +11,7 @@ extern "C" {
 #endif
 #if !defined(AWSLC_SYSGENID_PATH)
- #define AWSLC_SYSGENID_PATH "/dev/sysgenid"
+#define AWSLC_SYSGENID_PATH "/dev/sysgenid"
 #endif
 // Snapsafe-type uniqueness breaking event (ube detection).
@@ -31,7 +31,7 @@ extern "C" {
 // presents SysGenID interface (default is `/dev/sysgenid`) but we are
 // is unable to initialize its use. Otherwise, it returns 1.
 OPENSSL_EXPORT int CRYPTO_get_snapsafe_generation(
- uint32_t *snapsafe_generation_number);
+ uint32_t *snapsafe_generation_number);
 // CRYPTO_get_snapsafe_active returns 1 if the file system presents the SysGenID
 // interface and the libraruy has successfully initialized its use. Otherwise,
diff --git a/crypto/fipsmodule/rand/snapsafe_detect_test.cc b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
index 666b8e9539..c4fb6ee2ac 100644
--- a/crypto/fipsmodule/rand/snapsafe_detect_test.cc
+++ b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
@@ -9,8 +9,8 @@
 #if defined(OPENSSL_LINUX) && defined(AWSLC_SNAPSAFE_TESTING)
 #include
-#include
 #include
+#include
 #define NUMBER_OF_TEST_VALUES 5
@@ -18,8 +18,8 @@ typedef struct sgn_test_s {
 void *addr;
 } sgn_test_s;
-static int init_sgn_file(void** addr);
-static int init_sgn_file(void** addr) {
+static int init_sgn_file(void **addr);
+static int init_sgn_file(void **addr) {
 *addr = nullptr;
 // This file should've been created during test initialization
@@ -33,7 +33,8 @@ static int init_sgn_file(void** addr) {
 return 0;
 }
- void* my_addr = mmap(nullptr, sizeof(uint32_t), PROT_WRITE, MAP_SHARED, fd_sgn, 0);
+ void *my_addr =
+ mmap(nullptr, sizeof(uint32_t), PROT_WRITE, MAP_SHARED, fd_sgn, 0);
 if (my_addr == MAP_FAILED) {
 close(fd_sgn);
 return 0;
@@ -46,15 +47,15 @@ static int init_sgn_file(void** addr) {
 return 1;
 }
-static int init_sgn_test(sgn_test_s* sgn_test);
-static int init_sgn_test(sgn_test_s* sgn_test) {
+static int init_sgn_test(sgn_test_s *sgn_test);
+static int init_sgn_test(sgn_test_s *sgn_test) {
 return init_sgn_file(&sgn_test->addr);
 }
-static int set_sgn(const sgn_test_s* sgn_test, uint32_t val);
-static int set_sgn(const sgn_test_s* sgn_test, uint32_t val) {
+static int set_sgn(const sgn_test_s *sgn_test, uint32_t val);
+static int set_sgn(const sgn_test_s *sgn_test, uint32_t val) {
 memcpy(sgn_test->addr, &val, sizeof(uint32_t));
- if(0 != msync(sgn_test->addr, sizeof(uint32_t), MS_SYNC)) {
+ if (0 != msync(sgn_test->addr, sizeof(uint32_t), MS_SYNC)) {
 return 0;
 }
 return 1;
@@ -72,14 +73,14 @@ TEST(SnapsafeGenerationTest, DISABLED_SysGenIDretrievalTesting) {
 uint32_t current_snapsafe_gen_num = 0;
 ASSERT_TRUE(set_sgn(&sgn_test, 7));
 ASSERT_TRUE(CRYPTO_get_snapsafe_generation(¤t_snapsafe_gen_num));
- ASSERT_EQ((uint32_t) 7, current_snapsafe_gen_num);
+ ASSERT_EQ((uint32_t)7, current_snapsafe_gen_num);
 uint32_t test_sysgenid_values[NUMBER_OF_TEST_VALUES] = {
- 0x03, // 2^0 + 2
- 0x103, // 2^8 + 3
- 0x10004, // 2^16 + 4
- 0x1000005, // 2^24 + 5
- 0xFFFFFFFF // 2^32 - 1
+ 0x03, // 2^0 + 2
+ 0x103, // 2^8 + 3
+ 0x10004, // 2^16 + 4
+ 0x1000005, // 2^24 + 5
+ 0xFFFFFFFF // 2^32 - 1
 };
 for (size_t i = 0; i < NUMBER_OF_TEST_VALUES; i++) {
@@ -101,7 +102,7 @@ TEST(SnapsafeGenerationTest, SysGenIDretrievalLinux) {
 ASSERT_NE(0xffffffff, current_snapsafe_gen_num);
 } else {
 ASSERT_FALSE(CRYPTO_get_snapsafe_active());
- ASSERT_EQ((uint32_t) 0, current_snapsafe_gen_num);
+ ASSERT_EQ((uint32_t)0, current_snapsafe_gen_num);
 }
 }
 #else
@@ -110,6 +111,6 @@ TEST(SnapsafeGenerationTest, SysGenIDretrievalNonLinux) {
 ASSERT_FALSE(CRYPTO_get_snapsafe_active());
 uint32_t current_snapsafe_gen_num = 0xffffffff;
 ASSERT_TRUE(CRYPTO_get_snapsafe_generation(¤t_snapsafe_gen_num));
- ASSERT_EQ((uint32_t) 0, current_snapsafe_gen_num);
+ ASSERT_EQ((uint32_t)0, current_snapsafe_gen_num);
 }
-#endif // defined(OPENSSL_LINUX)
+#endif // defined(OPENSSL_LINUX)
diff --git a/crypto/fipsmodule/rand/urandom.c b/crypto/fipsmodule/rand/urandom.c
index 136497d1c1..6f45da765d 100644
--- a/crypto/fipsmodule/rand/urandom.c
+++ b/crypto/fipsmodule/rand/urandom.c
@@ -33,9 +33,9 @@
 #if defined(OPENSSL_LINUX)
 #if defined(BORINGSSL_FIPS)
 #if !defined(AWS_LC_URANDOM_U32)
- // On old Linux OS: unknown type name '__u32' when include .
- // If '__u32' is predefined, redefine will cause compiler error.
- typedef unsigned int __u32;
+// On old Linux OS: unknown type name '__u32' when include .
+// If '__u32' is predefined, redefine will cause compiler error.
+typedef unsigned int __u32;
 #endif
 #include
 #include
@@ -83,17 +83,17 @@
 #include
 #endif
-#include
 #include
+#include
-#include "getrandom_fillin.h"
-#include "../delocate.h"
 #include "../../internal.h"
+#include "../delocate.h"
+#include "getrandom_fillin.h"
 #ifndef MIN
-#define AWSLC_MIN(X,Y) (((X) < (Y)) ? (X) : (Y))
+#define AWSLC_MIN(X, Y) (((X) < (Y)) ? (X) : (Y))
 #else
-#define AWSLC_MIN(X,Y) MIN(X,Y)
+#define AWSLC_MIN(X, Y) MIN(X, Y)
 #endif
 // One second in nanoseconds.
@@ -107,7 +107,6 @@
 // This function will be called so rarely (if ever), that we keep it as a
 // function call and don't care about attempting to inline it.
 static void handle_rare_urandom_error(long *backoff) {
-
 // Exponential backoff.
 //
 // iteration delay
@@ -123,7 +122,7 @@ static void handle_rare_urandom_error(long *backoff) {
 // 9 99,999,999 nsec
 // ...
- struct timespec sleep_time = {.tv_sec = 0, .tv_nsec = 0 };
+ struct timespec sleep_time = {.tv_sec = 0, .tv_nsec = 0};
 // Cap backoff at 99,999,999 nsec, which is the maximum value the nanoseconds
 // field in |timespec| can hold.
@@ -141,7 +140,6 @@ void __msan_unpoison(void *, size_t);
 #endif
 static ssize_t boringssl_getrandom(void *buf, size_t buf_len, unsigned flags) {
-
 ssize_t ret;
 long backoff = INITIAL_BACKOFF_DELAY;
 size_t retry_counter = 0;
@@ -350,7 +348,9 @@ static void wait_for_entropy(void) { } #if defined(BORINGSSL_FIPS) && !defined(URANDOM_BLOCKS_FOR_ENTROPY) && \ - !(defined(OPENSSL_APPLE) || defined(OPENSSL_OPENBSD)) // On MacOS, iOS, and OpenBSD we don't use /dev/urandom. + !(defined(OPENSSL_APPLE) || \ + defined(OPENSSL_OPENBSD)) // On MacOS, iOS, and OpenBSD we don't use + // /dev/urandom. // In FIPS mode on platforms where urandom doesn't block at startup, we ensure // that the kernel has sufficient entropy before continuing. This is @@ -371,7 +371,7 @@ static void wait_for_entropy(void) { break; } - struct timespec sleep_time = {.tv_sec = 0, .tv_nsec = MILLISECONDS_250 }; + struct timespec sleep_time = {.tv_sec = 0, .tv_nsec = MILLISECONDS_250}; nanosleep(&sleep_time, &sleep_time); } #endif // BORINGSSL_FIPS && !URANDOM_BLOCKS_FOR_ENTROPY @@ -412,7 +412,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) { } #endif -#if defined (USE_NR_getrandom) +#if defined(USE_NR_getrandom) if (seed) { getrandom_flags |= *extra_getrandom_flags_for_seed_bss_get(); } @@ -467,9 +467,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) { return 1; } -void CRYPTO_init_sysrand(void) { - CRYPTO_once(rand_once_bss_get(), init_once); -} +void CRYPTO_init_sysrand(void) { CRYPTO_once(rand_once_bss_get(), init_once); } // CRYPTO_sysrand puts |requested| random bytes into |out|. void CRYPTO_sysrand(uint8_t *out, size_t requested) { diff --git a/crypto/fipsmodule/rand/urandom_test.cc b/crypto/fipsmodule/rand/urandom_test.cc index 91a0cfc487..d2108fdaba 100644 --- a/crypto/fipsmodule/rand/urandom_test.cc +++ b/crypto/fipsmodule/rand/urandom_test.cc @@ -23,7 +23,7 @@ #include "snapsafe_detect.h" #if defined(OPENSSL_X86_64) && !defined(BORINGSSL_SHARED_LIBRARY) && \ - !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) && \ + !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) && \ defined(USE_NR_getrandom) && !defined(AWSLC_SNAPSAFE_TESTING) #include 
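Review bot: In the `@@ -350,7 +348,9 @@` hunk of urandom.c the formatter has split the trailing comment on the `#if`, so `// On MacOS, iOS, and OpenBSD we don't use` now hangs off the `defined(OPENSSL_OPENBSD))` continuation and `// /dev/urandom.` sits alone on the next line, where it reads as a comment on the code below rather than on the condition. Put the explanation on its own line above the directive, `// On macOS, iOS and OpenBSD we don't use /dev/urandom, so this wait is skipped.`, and leave the `#if` condition bare so clang-format has nothing to rewrap. The condition itself is unchanged by the commit, and wait_for_entropy's body continues outside the hunk.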
@@ -36,10 +36,10 @@ #include "fork_detect.h" #include "getrandom_fillin.h" -#include -#include #include #include +#include +#include #if !defined(PTRACE_O_EXITKILL) #define PTRACE_O_EXITKILL (1 << 20) @@ -409,15 +409,12 @@ static void TestFunction() { RAND_bytes(&byte, sizeof(byte)); } -static bool have_fork_detection() { - return CRYPTO_get_fork_generation() != 0; -} +static bool have_fork_detection() { return CRYPTO_get_fork_generation() != 0; } // TestFunctionPRNGModel is a model of how the urandom.c code will behave when // |TestFunction| is run. It should return the same trace of events that // |GetTrace| will observe the real code making. static std::vector TestFunctionPRNGModel(unsigned flags) { - std::vector ret; bool urandom_probed = false; bool getrandom_ready = false; @@ -531,12 +528,12 @@ static std::vector TestFunctionPRNGModel(unsigned flags) { // source or a system source. The former is not modeled. if (!kHaveRdrand) { if (!sysrand(true, kPassiveEntropyWithWhitenFactor)) { - return ret; + return ret; } } else { // If using the CPU source, also drawing additional data for diversity. if (!sysrand(false, kPersonalizationStringLength)) { - return ret; + return ret; } } } else { @@ -569,7 +566,8 @@ static std::vector TestFunctionPRNGModel(unsigned flags) { // |TestFunctionPRNGModel| creates the entropy function call model, for // various configs. |GetTrace| records the actual entropy function calls for // each config and compares it against the model. -// Only system entropy function calls are modeled e.g. /dev/random and getrandom. +// Only system entropy function calls are modeled e.g. /dev/random and +// getrandom. TEST(URandomTest, Test) { char buf[256]; @@ -585,7 +583,7 @@ TEST(URandomTest, Test) { for (unsigned flags = 0; flags < NEXT_FLAG; flags++) { if (!has_getrandom && !(flags & NO_GETRANDOM)) { - continue; + continue; } TRACE_FLAG(NO_GETRANDOM); 
diff --git a/crypto/fipsmodule/rsa/blinding.c b/crypto/fipsmodule/rsa/blinding.c index 8838ad8fa1..2952bf4f73 100644 --- a/crypto/fipsmodule/rsa/blinding.c +++ b/crypto/fipsmodule/rsa/blinding.c @@ -111,17 +111,17 @@ #include #include -#include #include +#include -#include "internal.h" #include "../../internal.h" +#include "internal.h" #define BN_BLINDING_COUNTER 32 struct bn_blinding_st { - BIGNUM *A; // The base blinding factor, Montgomery-encoded. + BIGNUM *A; // The base blinding factor, Montgomery-encoded. BIGNUM *Ai; // The inverse of the blinding factor, Montgomery-encoded. unsigned counter; }; diff --git a/crypto/fipsmodule/rsa/internal.h b/crypto/fipsmodule/rsa/internal.h index 9870d02285..a6e0d9edb4 100644 --- a/crypto/fipsmodule/rsa/internal.h +++ b/crypto/fipsmodule/rsa/internal.h 
@@ -70,68 +70,68 @@ extern "C" { typedef struct bn_blinding_st BN_BLINDING; struct rsa_meth_st { - void *app_data; - - int (*init)(RSA *rsa); - int (*finish)(RSA *rsa); - - // size returns the size of the RSA modulus in bytes. - size_t (*size)(const RSA *rsa); - - // Set via |RSA_meth_set_sign|. The default behavior for |sign| is - // implemented in |RSA_sign|. If custom functionality is provided, |sign| - // will be invoked within |RSA_sign|. - int (*sign)(int type, const uint8_t *m, unsigned int m_length, - uint8_t *sigret, unsigned int *siglen, const RSA *rsa); - - // Set via |RSA_meth_set_priv_enc|. |sign_raw| is equivalent to the - // |priv_enc| field of OpenSSL's |RSA_METHOD| struct. The default behavior - // for |sign_raw| is implemented in |RSA_sign_raw|. If custom - // functionality is provided, |sign_raw| will be invoked within - // |RSA_sign_raw|. - int (*sign_raw)(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, + void *app_data; + + int (*init)(RSA *rsa); + int (*finish)(RSA *rsa); + + // size returns the size of the RSA modulus in bytes. + size_t (*size)(const RSA *rsa); + + // Set via |RSA_meth_set_sign|. The default behavior for |sign| is + // implemented in |RSA_sign|. If custom functionality is provided, |sign| + // will be invoked within |RSA_sign|. + int (*sign)(int type, const uint8_t *m, unsigned int m_length, + uint8_t *sigret, unsigned int *siglen, const RSA *rsa); + + // Set via |RSA_meth_set_priv_enc|. |sign_raw| is equivalent to the + // |priv_enc| field of OpenSSL's |RSA_METHOD| struct. The default behavior + // for |sign_raw| is implemented in |RSA_sign_raw|. If custom + // functionality is provided, |sign_raw| will be invoked within + // |RSA_sign_raw|. + int (*sign_raw)(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, + int padding); + + // Set via |RSA_meth_set_pub_dec|. |verify_raw| is equivalent to the + // |pub_dec| field of OpenSSL's |RSA_METHOD| struct. 
The default behavior + // for |verify_raw| is implemented in |RSA_verify_raw|. If custom + // functionality is provided, |verify_raw| will be invoked within + // |RSA_verify_raw|. + int (*verify_raw)(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, int padding); - // Set via |RSA_meth_set_pub_dec|. |verify_raw| is equivalent to the - // |pub_dec| field of OpenSSL's |RSA_METHOD| struct. The default behavior - // for |verify_raw| is implemented in |RSA_verify_raw|. If custom - // functionality is provided, |verify_raw| will be invoked within - // |RSA_verify_raw|. - int (*verify_raw)(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, - int padding); - - // Set via |RSA_meth_set_priv_dec|. |decrypt| is equivalent to the - // |priv_dec| field of OpenSSL's |RSA_METHOD| struct. The default behavior - // for |decrypt| is implemented in |RSA_decrypt|. If custom - // functionality is provided, |decrypt| will be invoked within - // |RSA_decrypt|. - int (*decrypt)(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, - int padding); - - // Set via |RSA_meth_set_pub_enc|. |encrypt| is equivalent to the - // |pub_enc| field of OpenSSL's |RSA_METHOD| struct. The default behavior - // for |encrypt| is implemented in |RSA_encrypt|. If custom - // functionality is provided, |encrypt| will be invoked within - // |RSA_encrypt|. - int (*encrypt)(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, - int padding); - - // private_transform takes a big-endian integer from |in|, calculates the - // d'th power of it, modulo the RSA modulus and writes the result as a - // big-endian integer to |out|. Both |in| and |out| are |len| bytes long and - // |len| is always equal to |RSA_size(rsa)|. If the result of the transform - // can be represented in fewer than |len| bytes, then |out| must be zero - // padded on the left. - // - // It returns one on success and zero otherwise. 
- // - // RSA decrypt and sign operations will call this, thus an ENGINE might wish - // to override it in order to avoid having to implement the padding - // functionality demanded by those, higher level, operations. - int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in, - size_t len); - - int flags; + // Set via |RSA_meth_set_priv_dec|. |decrypt| is equivalent to the + // |priv_dec| field of OpenSSL's |RSA_METHOD| struct. The default behavior + // for |decrypt| is implemented in |RSA_decrypt|. If custom + // functionality is provided, |decrypt| will be invoked within + // |RSA_decrypt|. + int (*decrypt)(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, + int padding); + + // Set via |RSA_meth_set_pub_enc|. |encrypt| is equivalent to the + // |pub_enc| field of OpenSSL's |RSA_METHOD| struct. The default behavior + // for |encrypt| is implemented in |RSA_encrypt|. If custom + // functionality is provided, |encrypt| will be invoked within + // |RSA_encrypt|. + int (*encrypt)(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, + int padding); + + // private_transform takes a big-endian integer from |in|, calculates the + // d'th power of it, modulo the RSA modulus and writes the result as a + // big-endian integer to |out|. Both |in| and |out| are |len| bytes long and + // |len| is always equal to |RSA_size(rsa)|. If the result of the transform + // can be represented in fewer than |len| bytes, then |out| must be zero + // padded on the left. + // + // It returns one on success and zero otherwise. + // + // RSA decrypt and sign operations will call this, thus an ENGINE might wish + // to override it in order to avoid having to implement the padding + // functionality demanded by those, higher level, operations. + int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in, + size_t len); + + int flags; }; struct rsa_st { 
@@ -185,7 +185,7 @@ struct rsa_st { // private_key_frozen is one if the key has been used for a private key // operation and may no longer be mutated. - unsigned private_key_frozen:1; + unsigned private_key_frozen : 1; }; diff --git a/crypto/fipsmodule/rsa/padding.c b/crypto/fipsmodule/rsa/padding.c index 8d2c1f1fb5..6fd58d21c3 100644 --- a/crypto/fipsmodule/rsa/padding.c +++ b/crypto/fipsmodule/rsa/padding.c @@ -66,8 +66,8 @@ #include #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len, @@ -249,8 +249,7 @@ int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, const uint8_t *mHash, emLen--; } // |sLen| may be -2 for the non-standard salt length recovery mode. - if (emLen < hLen + 2 || - (sLen >= 0 && emLen < hLen + (size_t)sLen + 2)) { + if (emLen < hLen + 2 || (sLen >= 0 && emLen < hLen + (size_t)sLen + 2)) { OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE); goto err; } @@ -264,11 +263,11 @@ int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, const uint8_t *mHash, if (!DB) { goto err; } -OPENSSL_BEGIN_ALLOW_DEPRECATED + OPENSSL_BEGIN_ALLOW_DEPRECATED if (!PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash)) { goto err; } -OPENSSL_END_ALLOW_DEPRECATED + OPENSSL_END_ALLOW_DEPRECATED for (size_t i = 0; i < maskedDBLen; i++) { DB[i] ^= EM[i]; } @@ -395,12 +394,12 @@ int RSA_padding_add_PKCS1_PSS_mgf1(const RSA *rsa, unsigned char *EM, if (!digest_ok) { goto err; } -OPENSSL_BEGIN_ALLOW_DEPRECATED + OPENSSL_BEGIN_ALLOW_DEPRECATED // Generate dbMask in place then perform XOR on it if (!PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) { goto err; } -OPENSSL_END_ALLOW_DEPRECATED + OPENSSL_END_ALLOW_DEPRECATED p = EM; // Initial PS XORs with all zeroes which is a NOP so just update diff --git a/crypto/fipsmodule/rsa/rsa.c b/crypto/fipsmodule/rsa/rsa.c index 4f26aa8287..78e42f40c0 100644 --- a/crypto/fipsmodule/rsa/rsa.c +++ b/crypto/fipsmodule/rsa/rsa.c 
@@ -72,7 +72,7 @@ #include #include "../../internal.h" -//#include "../../rsa_extra/internal.h" +// #include "../../rsa_extra/internal.h" #include "../bn/internal.h" #include "../delocate.h" #include "internal.h" @@ -221,7 +221,7 @@ RSA *RSA_new_method(const ENGINE *engine) { } if (rsa->meth == NULL) { - rsa->meth = (RSA_METHOD *) RSA_get_default_method(); + rsa->meth = (RSA_METHOD *)RSA_get_default_method(); } rsa->references = 1; @@ -241,8 +241,7 @@ RSA *RSA_new_method(const ENGINE *engine) { RSA *RSA_new_method_no_e(const ENGINE *engine, const BIGNUM *n) { RSA *rsa = RSA_new_method(engine); - if (rsa == NULL || - !bn_dup_into(&rsa->n, n)) { + if (rsa == NULL || !bn_dup_into(&rsa->n, n)) { RSA_free(rsa); return NULL; } @@ -404,8 +403,7 @@ int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) { int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) { SET_DIT_AUTO_RESET; - if ((rsa->p == NULL && p == NULL) || - (rsa->q == NULL && q == NULL)) { + if ((rsa->p == NULL && p == NULL) || (rsa->q == NULL && q == NULL)) { return 0; } @@ -462,7 +460,7 @@ RSA_METHOD *RSA_meth_new(const char *name, int flags) { } int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) { - if(rsa == NULL || meth == NULL) { + if (rsa == NULL || meth == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); return 0; } @@ -472,7 +470,7 @@ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) { } const RSA_METHOD *RSA_get_method(const RSA *rsa) { - if(rsa == NULL) { + if (rsa == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); return NULL; } 
@@ -480,15 +478,14 @@ const RSA_METHOD *RSA_get_method(const RSA *rsa) { return rsa->meth; } -void RSA_meth_free(RSA_METHOD *meth) -{ +void RSA_meth_free(RSA_METHOD *meth) { if (meth != NULL) { OPENSSL_free(meth); } } -int RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa)) { - if(meth == NULL) { +int RSA_meth_set_init(RSA_METHOD *meth, int (*init)(RSA *rsa)) { + if (meth == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); return 0; } @@ -497,8 +494,8 @@ int RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa)) { return 1; } -int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa)) { - if(meth == NULL) { +int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)) { + if (meth == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); return 0; } @@ -508,10 +505,9 @@ int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa)) { } int RSA_meth_set_priv_dec(RSA_METHOD *meth, - int (*priv_dec) (int max_out, const uint8_t *from, - uint8_t *to, RSA *rsa, - int padding)) { - if(meth == NULL) { + int (*priv_dec)(int max_out, const uint8_t *from, + uint8_t *to, RSA *rsa, int padding)) { + if (meth == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); return 0; } @@ -521,10 +517,9 @@ int RSA_meth_set_priv_dec(RSA_METHOD *meth, } int RSA_meth_set_priv_enc(RSA_METHOD *meth, - int (*priv_enc) (int max_out, const uint8_t *from, - uint8_t *to, RSA *rsa, - int padding)) { - if(meth == NULL) { + int (*priv_enc)(int max_out, const uint8_t *from, + uint8_t *to, RSA *rsa, int padding)) { + if (meth == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); return 0; } 
@@ -534,10 +529,9 @@ int RSA_meth_set_priv_enc(RSA_METHOD *meth, } int RSA_meth_set_pub_dec(RSA_METHOD *meth, - int (*pub_dec) (int max_out, const uint8_t *from, - uint8_t *to, RSA *rsa, - int padding)) { - if(meth == NULL) { + int (*pub_dec)(int max_out, const uint8_t *from, + uint8_t *to, RSA *rsa, int padding)) { + if (meth == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); return 0; } @@ -547,10 +541,9 @@ int RSA_meth_set_pub_dec(RSA_METHOD *meth, } int RSA_meth_set_pub_enc(RSA_METHOD *meth, - int (*pub_enc) (int max_out, const uint8_t *from, - uint8_t *to, RSA *rsa, - int padding)) { - if(meth == NULL) { + int (*pub_enc)(int max_out, const uint8_t *from, + uint8_t *to, RSA *rsa, int padding)) { + if (meth == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); return 0; } @@ -560,7 +553,7 @@ int RSA_meth_set_pub_enc(RSA_METHOD *meth, } int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data) { - if(meth == NULL) { + if (meth == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); return 0; } @@ -569,10 +562,11 @@ int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data) { return 1; } -int RSA_meth_set_sign(RSA_METHOD *meth, int (*sign) (int type, - const unsigned char *m, unsigned int m_length, unsigned char *sigret, - unsigned int *siglen, const RSA *rsa)) { - if(meth == NULL) { +int RSA_meth_set_sign(RSA_METHOD *meth, + int (*sign)(int type, const unsigned char *m, + unsigned int m_length, unsigned char *sigret, + unsigned int *siglen, const RSA *rsa)) { + if (meth == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); return 0; } @@ -594,7 +588,7 @@ static int rsa_sign_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, // paradigm and OpenSSL, we initialize |out_len| based on the return value // here. int ret = rsa->meth->sign_raw((int)max_out, in, out, rsa, padding); - if(ret < 0) { + if (ret < 0) { *out_len = 0; return 0; } 
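Review bot: In the `@@ -594,7 +588,7 @@` hunk of rsa.c, `rsa->meth->sign_raw((int)max_out, in, out, rsa, padding)` narrows the caller's `size_t max_out` to `int` without a range check, so a buffer length above INT_MAX reaches the custom method as a negative value that the `ret < 0` check cannot catch. Reject it before the call with `if (max_out > INT_MAX) { *out_len = 0; return 0; }` (INT_MAX from `<limits.h>`, if this file does not already include it). rsa_sign_raw_no_self_test starts before the hunk and ends after it; if the lines that follow assign a non-negative `ret` to `*out_len`, they should presumably also bound it by `max_out`, since the method's return value is otherwise trusted as the output length.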
@@ -616,8 +610,8 @@ int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, unsigned RSA_size(const RSA *rsa) { SET_DIT_AUTO_RESET; - size_t ret = (rsa->meth && rsa->meth->size) ? - rsa->meth->size(rsa) : rsa_default_size(rsa); + size_t ret = (rsa->meth && rsa->meth->size) ? rsa->meth->size(rsa) + : rsa_default_size(rsa); // RSA modulus sizes are bounded by |BIGNUM|, which must fit in |unsigned|. // // TODO(https://crbug.com/boringssl/516): Should we make this return |size_t|? 
@@ -673,91 +667,94 @@ struct pkcs1_sig_prefix { // https://datatracker.ietf.org/doc/html/rfc8017#section-9.2 static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = { { - NID_md5, - MD5_DIGEST_LENGTH, - 18, - {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}, + NID_md5, + MD5_DIGEST_LENGTH, + 18, + {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}, }, { - NID_sha1, - SHA_DIGEST_LENGTH, - 15, - {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, - 0x00, 0x04, 0x14}, + NID_sha1, + SHA_DIGEST_LENGTH, + 15, + {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, + 0x00, 0x04, 0x14}, }, { - NID_sha224, - SHA224_DIGEST_LENGTH, - 19, - {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c}, + NID_sha224, + SHA224_DIGEST_LENGTH, + 19, + {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c}, }, { - NID_sha256, - SHA256_DIGEST_LENGTH, - 19, - {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}, + NID_sha256, + SHA256_DIGEST_LENGTH, + 19, + {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}, }, { - NID_sha384, - SHA384_DIGEST_LENGTH, - 19, - {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}, + NID_sha384, + SHA384_DIGEST_LENGTH, + 19, + {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}, }, { - NID_sha512, - SHA512_DIGEST_LENGTH, - 19, - {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}, + NID_sha512, + SHA512_DIGEST_LENGTH, + 19, + {0x30, 0x51, 0x30, 0x0d, 0x06, 
0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}, }, { - NID_sha512_224, - SHA512_224_DIGEST_LENGTH, - 19, - {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x05, 0x05, 0x00, 0x04, 0x1c}, + NID_sha512_224, + SHA512_224_DIGEST_LENGTH, + 19, + {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x05, 0x05, 0x00, 0x04, 0x1c}, }, { - NID_sha512_256, - SHA512_256_DIGEST_LENGTH, - 19, - {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x06, 0x05, 0x00, 0x04, 0x20}, + NID_sha512_256, + SHA512_256_DIGEST_LENGTH, + 19, + {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x06, 0x05, 0x00, 0x04, 0x20}, }, { - NID_sha3_224, - 28, - 19, - {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x07, 0x05, 0x00, 0x04, 0x1c}, + NID_sha3_224, + 28, + 19, + {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x07, 0x05, 0x00, 0x04, 0x1c}, }, { - NID_sha3_256, - 32, - 19, - {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x08, 0x05, 0x00, 0x04, 0x20}, + NID_sha3_256, + 32, + 19, + {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x08, 0x05, 0x00, 0x04, 0x20}, }, { - NID_sha3_384, - 48, - 19, - {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x09, 0x05, 0x00, 0x04, 0x30}, + NID_sha3_384, + 48, + 19, + {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x09, 0x05, 0x00, 0x04, 0x30}, }, { - NID_sha3_512, - 64, - 19, - {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x0a, 0x05, 0x00, 0x04, 0x40}, + NID_sha3_512, + 64, + 19, + {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x0a, 0x05, 0x00, 0x04, 0x40}, }, { - 
NID_undef, 0, 0, {0}, + NID_undef, + 0, + 0, + {0}, }, }; @@ -783,7 +780,6 @@ static int rsa_check_digest_size(int hash_nid, size_t digest_len) { OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE); return 0; - } int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, @@ -810,7 +806,7 @@ int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, // The length should already have been checked. assert(digest_len == sig_prefix->hash_len); - const uint8_t* prefix = sig_prefix->bytes; + const uint8_t *prefix = sig_prefix->bytes; size_t prefix_len = sig_prefix->len; size_t signed_msg_len = prefix_len + digest_len; if (signed_msg_len < prefix_len) { @@ -960,7 +956,8 @@ int rsa_verify_no_self_test(int hash_nid, const uint8_t *digest, goto out; } - // Check that no other information follows the hash value (FIPS 186-4 Section 5.5) + // Check that no other information follows the hash value (FIPS 186-4 + // Section 5.5) if (len != signed_msg_len) { OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE); goto out; @@ -1093,7 +1090,8 @@ void RSA_blinding_off_temp_for_accp_compatibility(RSA *rsa) { } } -int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) { +int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, + void *p2) { SET_DIT_AUTO_RESET; if (ctx != NULL && ctx->pmeth != NULL) { if (ctx->pmeth->pkey_id == EVP_PKEY_RSA || 
@@ -1191,52 +1189,53 @@ int is_public_component_of_rsa_key_good(const RSA *key) { // - private_crt: (n, e, d, p, q, dmp1, dmq1, iqmp), // - private_strip: (n, d). enum rsa_key_type_for_checking { - RSA_KEY_TYPE_FOR_CHECKING_PUBLIC, - RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_MIN, - RSA_KEY_TYPE_FOR_CHECKING_PRIVATE, - RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_CRT, - RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_STRIP, - RSA_KEY_TYPE_FOR_CHECKING_INVALID, + RSA_KEY_TYPE_FOR_CHECKING_PUBLIC, + RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_MIN, + RSA_KEY_TYPE_FOR_CHECKING_PRIVATE, + RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_CRT, + RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_STRIP, + RSA_KEY_TYPE_FOR_CHECKING_INVALID, }; -static enum rsa_key_type_for_checking determine_key_type_for_checking(const RSA *key) { - // The key must have the modulus n. - SET_DIT_AUTO_RESET; - if (key->n == NULL) { - return RSA_KEY_TYPE_FOR_CHECKING_INVALID; - } +static enum rsa_key_type_for_checking determine_key_type_for_checking( + const RSA *key) { + // The key must have the modulus n. 
+ SET_DIT_AUTO_RESET; + if (key->n == NULL) { + return RSA_KEY_TYPE_FOR_CHECKING_INVALID; + } - // (n, e) - if (key->e != NULL && key->d == NULL && key->p == NULL && key->q == NULL && - key->dmp1 == NULL && key->dmq1 == NULL && key->iqmp == NULL) { - return RSA_KEY_TYPE_FOR_CHECKING_PUBLIC; - } + // (n, e) + if (key->e != NULL && key->d == NULL && key->p == NULL && key->q == NULL && + key->dmp1 == NULL && key->dmq1 == NULL && key->iqmp == NULL) { + return RSA_KEY_TYPE_FOR_CHECKING_PUBLIC; + } - // (n, e, d) - if (key->e != NULL && key->d != NULL && key->p == NULL && key->q == NULL && - key->dmp1 == NULL && key->dmq1 == NULL && key->iqmp == NULL) { - return RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_MIN; - } + // (n, e, d) + if (key->e != NULL && key->d != NULL && key->p == NULL && key->q == NULL && + key->dmp1 == NULL && key->dmq1 == NULL && key->iqmp == NULL) { + return RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_MIN; + } - // (n, e, d, p, q) - if (key->e != NULL && key->d != NULL && key->p != NULL && key->q != NULL && - key->dmp1 == NULL && key->dmq1 == NULL && key->iqmp == NULL) { - return RSA_KEY_TYPE_FOR_CHECKING_PRIVATE; - } + // (n, e, d, p, q) + if (key->e != NULL && key->d != NULL && key->p != NULL && key->q != NULL && + key->dmp1 == NULL && key->dmq1 == NULL && key->iqmp == NULL) { + return RSA_KEY_TYPE_FOR_CHECKING_PRIVATE; + } - // (n, e, d, p, q, dmp1, dmq1, iqmp) - if (key->e != NULL && key->d != NULL && key->p != NULL && key->q != NULL && - key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) { - return RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_CRT; - } + // (n, e, d, p, q, dmp1, dmq1, iqmp) + if (key->e != NULL && key->d != NULL && key->p != NULL && key->q != NULL && + key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) { + return RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_CRT; + } - // (n, d) - if (key->e == NULL && key->d != NULL && key->p == NULL && key->q == NULL && - key->dmp1 == NULL && key->dmq1 == NULL && key->iqmp == NULL) { - return 
RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_STRIP; - } + // (n, d) + if (key->e == NULL && key->d != NULL && key->p == NULL && key->q == NULL && + key->dmp1 == NULL && key->dmq1 == NULL && key->iqmp == NULL) { + return RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_STRIP; + } - return RSA_KEY_TYPE_FOR_CHECKING_INVALID; + return RSA_KEY_TYPE_FOR_CHECKING_INVALID; } // Performs certain checks on the given RSA key. The key can be a key pair @@ -1270,7 +1269,8 @@ static enum rsa_key_type_for_checking determine_key_type_for_checking(const RSA // the function can work with. int RSA_check_key(const RSA *key) { SET_DIT_AUTO_RESET; - enum rsa_key_type_for_checking key_type = determine_key_type_for_checking(key); + enum rsa_key_type_for_checking key_type = + determine_key_type_for_checking(key); if (key_type == RSA_KEY_TYPE_FOR_CHECKING_INVALID) { OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS); return 0; @@ -1424,9 +1424,9 @@ static int rsa_key_fips_pairwise_consistency_test_signing(RSA *key) { int ret = 0; uint8_t msg[1] = {0}; - size_t msg_len = 1; + size_t msg_len = 1; uint8_t *sig_der = NULL; - size_t sig_len = 0; + size_t sig_len = 0; EVP_PKEY *evp_pkey = NULL; EVP_MD_CTX md_ctx; @@ -1447,8 +1447,7 @@ static int rsa_key_fips_pairwise_consistency_test_signing(RSA *key) { } sig_der = OPENSSL_malloc(sig_len); - if (!sig_der || - !EVP_DigestSign(&md_ctx, sig_der, &sig_len, msg, msg_len)) { + if (!sig_der || !EVP_DigestSign(&md_ctx, sig_der, &sig_len, msg, msg_len)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto end; } 
@@ -1471,20 +1470,26 @@ static int rsa_key_fips_pairwise_consistency_test_signing(RSA *key) { // This is the product of the 132 smallest odd primes, from 3 to 751, // as defined in SP 800-89 5.3.3. -static const BN_ULONG kSmallFactorsLimbs[] = { - TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f), - TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b), - TOBN(0x6b55514b, 0xbf26c483), TOBN(0x0a84d817, 0x5a144871), - TOBN(0x77d12fee, 0x9b82210a), TOBN(0xdb5b93c2, 0x97f050b3), - TOBN(0x4acad6b9, 0x4d6c026b), TOBN(0xeb7751f3, 0x54aec893), - TOBN(0xdba53368, 0x36bc85c4), TOBN(0xd85a1b28, 0x7f5ec78e), - TOBN(0x2eb072d8, 0x6b322244), TOBN(0xbba51112, 0x5e2b3aea), - TOBN(0x36ed1a6c, 0x0e2486bf), TOBN(0x5f270460, 0xec0c5727), - 0x000017b1 -}; +static const BN_ULONG kSmallFactorsLimbs[] = {TOBN(0xc4309333, 0x3ef4e3e1), + TOBN(0x71161eb6, 0xcd2d655f), + TOBN(0x95e2238c, 0x0bf94862), + TOBN(0x3eb233d3, 0x24f7912b), + TOBN(0x6b55514b, 0xbf26c483), + TOBN(0x0a84d817, 0x5a144871), + TOBN(0x77d12fee, 0x9b82210a), + TOBN(0xdb5b93c2, 0x97f050b3), + TOBN(0x4acad6b9, 0x4d6c026b), + TOBN(0xeb7751f3, 0x54aec893), + TOBN(0xdba53368, 0x36bc85c4), + TOBN(0xd85a1b28, 0x7f5ec78e), + TOBN(0x2eb072d8, 0x6b322244), + TOBN(0xbba51112, 0x5e2b3aea), + TOBN(0x36ed1a6c, 0x0e2486bf), + TOBN(0x5f270460, 0xec0c5727), + 0x000017b1}; DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) { - out->d = (BN_ULONG *) kSmallFactorsLimbs; + out->d = (BN_ULONG *)kSmallFactorsLimbs; out->width = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs); out->dmax = out->width; out->neg = 0; 
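Review bot: In the `@@ -1471,20 +1470,26 @@` hunk the formatter has rewrapped `kSmallFactorsLimbs` so that every limb sits on its own line aligned to the opening brace, which loses the compact two-per-line layout that made the little-endian limb order easy to check against the SP 800-89 5.3.3 product the comment cites. Since this is a hand-laid-out constant table, keep the original layout and bracket it with `// clang-format off` before `static const BN_ULONG kSmallFactorsLimbs[] = {` and `// clang-format on` after the closing `};`. The same treatment would suit the other hand-aligned tables in this commit.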
@@ -1502,7 +1507,8 @@ DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) { int RSA_check_fips(RSA *key) { SET_DIT_AUTO_RESET; - enum rsa_key_type_for_checking key_type = determine_key_type_for_checking(key); + enum rsa_key_type_for_checking key_type = + determine_key_type_for_checking(key); // In addition to invalid key type, stripped private keys can not be checked // with this function because they lack the public component which is // necessary for both FIPS checks performed here. @@ -1526,7 +1532,7 @@ int RSA_check_fips(RSA *key) { BN_init(&small_gcd); int ret = 0; - uint8_t *sig = NULL; // used later in the pair-wise consistency test. + uint8_t *sig = NULL; // used later in the pair-wise consistency test. // Perform partial public key validation of RSA keys (SP 800-89 5.3.3). // Although this is not for primality testing, SP 800-89 cites an RSA @@ -1535,10 +1541,8 @@ int RSA_check_fips(RSA *key) { // composite, so too few iterations will cause us to reject the key, not use // an implausible one. enum bn_primality_result_t primality_result; - if (BN_num_bits(key->e) <= 16 || - BN_num_bits(key->e) > 256 || - !BN_is_odd(key->n) || - !BN_is_odd(key->e) || + if (BN_num_bits(key->e) <= 16 || BN_num_bits(key->e) > 256 || + !BN_is_odd(key->n) || !BN_is_odd(key->e) || !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) || !BN_is_one(&small_gcd) || !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n, @@ -1562,7 +1566,7 @@ int RSA_check_fips(RSA *key) { if (key_type != RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_MIN && key_type != RSA_KEY_TYPE_FOR_CHECKING_PRIVATE && key_type != RSA_KEY_TYPE_FOR_CHECKING_PRIVATE_CRT) { - goto end; + goto end; } // FIPS pair-wise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG, diff --git a/crypto/fipsmodule/rsa/rsa_impl.c b/crypto/fipsmodule/rsa/rsa_impl.c index b23aed760c..c713bb58de 100644 --- a/crypto/fipsmodule/rsa/rsa_impl.c +++ b/crypto/fipsmodule/rsa/rsa_impl.c 
@@ -66,19 +66,18 @@ #include #include -#include "internal.h" -#include "../bn/internal.h" #include "../../internal.h" +#include "../bn/internal.h" #include "../delocate.h" #include "../rand/fork_detect.h" +#include "internal.h" static int ensure_fixed_copy(BIGNUM **out, const BIGNUM *in, int width) { if (*out != NULL) { return 1; } BIGNUM *copy = BN_dup(in); - if (copy == NULL || - !bn_resize_words(copy, width)) { + if (copy == NULL || !bn_resize_words(copy, width)) { BN_free(copy); return 0; } @@ -156,9 +155,8 @@ static int freeze_private_key(RSA *rsa, BN_CTX *ctx) { // Key generation relies on this function to compute |iqmp|. if (rsa->iqmp == NULL) { BIGNUM *iqmp = BN_new(); - if (iqmp == NULL || - !bn_mod_inverse_secret_prime(iqmp, rsa->q, rsa->p, ctx, - rsa->mont_p)) { + if (iqmp == NULL || !bn_mod_inverse_secret_prime(iqmp, rsa->q, rsa->p, + ctx, rsa->mont_p)) { BN_free(iqmp); goto err; } @@ -225,9 +223,7 @@ void rsa_invalidate_key(RSA *rsa) { rsa->blinding_fork_generation = 0; } -size_t rsa_default_size(const RSA *rsa) { - return BN_num_bytes(rsa->n); -} +size_t rsa_default_size(const RSA *rsa) { return BN_num_bytes(rsa->n); } // MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per // RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and @@ -412,7 +408,7 @@ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); int rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding) { - if(rsa->meth && rsa->meth->verify_raw) { + if (rsa->meth && rsa->meth->verify_raw) { // In OpenSSL, the RSA_METHOD |verify_raw| or |pub_dec| operation does // not directly take and initialize an |out_len| parameter. Instead, it // returns the size of the recovered plaintext or negative number for error. 
@@ -421,7 +417,7 @@ int rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, // paradigm and OpenSSL, we initialize |out_len| based on the return value // here. int ret = rsa->meth->verify_raw((int)max_out, in, out, rsa, padding); - if(ret < 0) { + if (ret < 0) { *out_len = 0; return 0; } @@ -523,9 +519,8 @@ int rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, return ret; } -int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, - size_t max_out, const uint8_t *in, - size_t in_len, int padding) { +int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, + const uint8_t *in, size_t in_len, int padding) { boringssl_ensure_rsa_self_test(); return rsa_verify_raw_no_self_test(rsa, out_len, out, max_out, in, in_len, padding); @@ -638,8 +633,7 @@ int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, } } - if (do_blinding && - !BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx)) { + if (do_blinding && !BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx)) { goto err; } @@ -682,7 +676,7 @@ static int mod_montgomery(BIGNUM *r, const BIGNUM *I, const BIGNUM *p, return 0; } - if (// Reduce mod p with Montgomery reduction. This computes I * R^-1 mod p. + if ( // Reduce mod p with Montgomery reduction. This computes I * R^-1 mod p. !BN_from_montgomery(r, I, mont_p, ctx) || // Multiply by R^2 and do another Montgomery reduction to compute // I * R^-1 * R^2 * R^-1 = I mod p. @@ -719,9 +713,7 @@ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { r1 = BN_CTX_get(ctx); r2 = BN_CTX_get(ctx); m1 = BN_CTX_get(ctx); - if (r1 == NULL || - r2 == NULL || - m1 == NULL) { + if (r1 == NULL || r2 == NULL || m1 == NULL) { goto err; } 
@@ -744,9 +736,8 @@ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { !mod_montgomery(r2, I, p, rsa->mont_p, q, ctx) || // |m1| is the result modulo |q|. // |r0| is the result modulo |p|. - !BN_mod_exp_mont_consttime_x2(m1, r1, rsa->dmq1_fixed, q, rsa->mont_q, - r0, r2, rsa->dmp1_fixed, p, rsa->mont_p, - ctx) || + !BN_mod_exp_mont_consttime_x2(m1, r1, rsa->dmq1_fixed, q, rsa->mont_q, r0, + r2, rsa->dmp1_fixed, p, rsa->mont_p, ctx) || // Compute r0 = r0 - m1 mod p. |m1| is reduced mod |q|, not |p|, so we // just run |mod_montgomery| again for simplicity. This could be more // efficient with more cases: if |p > q|, |m1| is already reduced. If @@ -825,10 +816,12 @@ static int ensure_bignum(BIGNUM **out) { // then [] // else let (high, low) = divrem 64 x in low : bnWords high // -// showWord x = let (high, low) = divrem 32 x in printf "TOBN(0x%08x, 0x%08x)" high low +// showWord x = let (high, low) = divrem 32 x in printf "TOBN(0x%08x, 0x%08x)" +// high low // // output :: String -// output = intercalate ", " $ map showWord $ bnWords $ converge (2 ^ (pow2 `div` 2)) +// output = intercalate ", " $ map showWord $ bnWords $ converge (2 ^ (pow2 +// `div` 2)) // // To verify this number, check that n² < 2⁴⁰⁹⁵ < (n+1)², where n is value // represented here. Note the components are listed in little-endian order. Here @@ -906,7 +899,7 @@ static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e, // 22.21518251065506 // >>> f(2048, 3, 8*2048) // 22.211701985875937 - if (bits >= INT_MAX/32) { + if (bits >= INT_MAX / 32) { OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE); return 0; } 
@@ -1048,12 +1041,9 @@ static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value, } // We need the RSA components non-NULL. - if (!ensure_bignum(&rsa->n) || - !ensure_bignum(&rsa->d) || - !ensure_bignum(&rsa->e) || - !ensure_bignum(&rsa->p) || - !ensure_bignum(&rsa->q) || - !ensure_bignum(&rsa->dmp1) || + if (!ensure_bignum(&rsa->n) || !ensure_bignum(&rsa->d) || + !ensure_bignum(&rsa->e) || !ensure_bignum(&rsa->p) || + !ensure_bignum(&rsa->q) || !ensure_bignum(&rsa->dmp1) || !ensure_bignum(&rsa->dmq1)) { goto bn_err; } @@ -1127,7 +1117,7 @@ static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value, assert(BN_num_bits(pm1) == (unsigned)prime_bits); assert(BN_num_bits(qm1) == (unsigned)prime_bits); - if (// Calculate n. + if ( // Calculate n. !bn_mul_consttime(rsa->n, rsa->p, rsa->q, ctx) || // Calculate d mod (p-1). !bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, prime_bits, ctx) || @@ -1222,13 +1212,13 @@ static int RSA_generate_key_ex_maybe_fips(RSA *rsa, int bits, // Only retry on |RSA_R_TOO_MANY_ITERATIONS|. This is so a caller-induced // failure in |BN_GENCB_call| is still fatal. } while (failures < 4 && ERR_GET_LIB(err) == ERR_LIB_RSA && - ERR_GET_REASON(err) == RSA_R_TOO_MANY_ITERATIONS); + ERR_GET_REASON(err) == RSA_R_TOO_MANY_ITERATIONS); if (tmp == NULL) { goto out; } // Perform PCT test in the case of FIPS - if(check_fips && !RSA_check_fips(tmp)) { + if (check_fips && !RSA_check_fips(tmp)) { RSA_free(tmp); #if defined(AWSLC_FIPS) AWS_LC_FIPS_failure("RSA keygen checks failed"); 
@@ -1279,12 +1269,11 @@ int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb) { BIGNUM *e = BN_new(); FIPS_service_indicator_lock_state(); - int ret = e != NULL && - BN_set_word(e, RSA_F4) && + int ret = e != NULL && BN_set_word(e, RSA_F4) && RSA_generate_key_ex_maybe_fips(rsa, bits, e, cb, /*check_fips=*/1); FIPS_service_indicator_unlock_state(); BN_free(e); - if(ret) { + if (ret) { // Approved key size check step is already done at start of function. FIPS_service_indicator_update_state(); } diff --git a/crypto/fipsmodule/self_check/fips.c b/crypto/fipsmodule/self_check/fips.c index d70f6bd965..68f24d336f 100644 --- a/crypto/fipsmodule/self_check/fips.c +++ b/crypto/fipsmodule/self_check/fips.c @@ -42,39 +42,17 @@ int FIPS_mode_set(int on) { return on == FIPS_mode(); } const char *FIPS_module_name(void) { return "AWSLCCrypto"; } -uint32_t FIPS_version(void) { - return 0; -} +uint32_t FIPS_version(void) { return 0; } int FIPS_query_algorithm_status(const char *algorithm) { #if defined(BORINGSSL_FIPS) static const char kApprovedAlgorithms[][13] = { - "AES-CBC", - "AES-CCM", - "AES-CTR", - "AES-ECB", - "AES-GCM", - "AES-KW", - "AES-KWP", - "ctrDRBG", - "ECC-SSC", - "ECDSA-sign", - "ECDSA-verify", - "FFC-SSC", - "HMAC", - "RSA-sign", - "RSA-verify", - "SHA-1", - "SHA2-224", - "SHA2-256", - "SHA2-384", - "SHA2-512", - "SHA2-512/256", - "SHA3-256", - "SHA3-384", - "SHA3-512", - "SHAKE128", - "SHAKE256", + "AES-CBC", "AES-CCM", "AES-CTR", "AES-ECB", "AES-GCM", + "AES-KW", "AES-KWP", "ctrDRBG", "ECC-SSC", "ECDSA-sign", + "ECDSA-verify", "FFC-SSC", "HMAC", "RSA-sign", "RSA-verify", + "SHA-1", "SHA2-224", "SHA2-256", "SHA2-384", "SHA2-512", + "SHA2-512/256", "SHA3-256", "SHA3-384", "SHA3-512", "SHAKE128", + "SHAKE256", }; for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kApprovedAlgorithms); i++) { if (strcmp(algorithm, kApprovedAlgorithms[i]) == 0) { 
@@ -85,7 +63,7 @@ int FIPS_query_algorithm_status(const char *algorithm) { return 0; } -#endif // BORINGSSL_FIPS_140_3 +#endif // BORINGSSL_FIPS_140_3 #if defined(BORINGSSL_FIPS_COUNTERS) @@ -108,8 +86,7 @@ void boringssl_fips_inc_counter(enum fips_counter_t counter) { abort(); } - size_t *array = - CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS); + size_t *array = CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS); if (!array) { const size_t num_bytes = sizeof(size_t) * (fips_counter_max + 1); array = OPENSSL_zalloc(num_bytes); diff --git a/crypto/fipsmodule/self_check/self_check.c b/crypto/fipsmodule/self_check/self_check.c index 3a8923034f..9e673b03a2 100644 --- a/crypto/fipsmodule/self_check/self_check.c +++ b/crypto/fipsmodule/self_check/self_check.c @@ -25,8 +25,8 @@ #include #include #include -#include #include +#include #include #include #include @@ -35,6 +35,7 @@ #include #include +#include "../../curve25519_extra/internal.h" #include "../../internal.h" #include "../curve25519/internal.h" #include "../dh/internal.h" 
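Review bot: The trailing comment on the reformatted `#endif // BORINGSSL_FIPS_140_3` line in FIPS_query_algorithm_status does not match the only conditional opened for that function in the previous hunk, `#if defined(BORINGSSL_FIPS)`; if that is the `#if` this closes, the comment should read `#endif  // BORINGSSL_FIPS`, and if a separate BORINGSSL_FIPS_140_3 guard is opened in the lines between the two hunks, the comment is right and this note can be dropped. The commit only re-spaces the line, so the mismatch, if it is one, predates it.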
@@ -43,25 +44,27 @@ #include "../ml_kem/ml_kem.h" #include "../rand/internal.h" #include "../rsa/internal.h" -#include "../../curve25519_extra/internal.h" // This should track the biggest input/output used in self_check.c #define MAX_HEXDUMP_SIZE (MLDSA44_PRIVATE_KEY_BYTES * 2) #define ERROR_FORMAT "%s failed.\nExpected: %s\nCalculated: %s\n" // The current max is "ML-KEM-encapsulate-shared-secret\0" #define MAX_NAME 33 -#define MAX_ERROR_MSG_SIZE (( 2 * MAX_HEXDUMP_SIZE) + sizeof(ERROR_FORMAT) + MAX_NAME) - -static void hexdump(char buf[MAX_HEXDUMP_SIZE], const uint8_t *in, size_t in_len) { - assert(in_len * 2 < MAX_HEXDUMP_SIZE); - size_t pos = 0; - for (size_t i = 0; i < in_len; i++) { - pos += snprintf(buf + pos, MAX_HEXDUMP_SIZE - pos, "%02x", in[i]); - } +#define MAX_ERROR_MSG_SIZE \ + ((2 * MAX_HEXDUMP_SIZE) + sizeof(ERROR_FORMAT) + MAX_NAME) + +static void hexdump(char buf[MAX_HEXDUMP_SIZE], const uint8_t *in, + size_t in_len) { + assert(in_len * 2 < MAX_HEXDUMP_SIZE); + size_t pos = 0; + for (size_t i = 0; i < in_len; i++) { + pos += snprintf(buf + pos, MAX_HEXDUMP_SIZE - pos, "%02x", in[i]); + } } static int check_test_optional_abort(const void *expected, const void *actual, - size_t expected_len, const char *name, const bool call_fips_failure) { + size_t expected_len, const char *name, + const bool call_fips_failure) { if (OPENSSL_memcmp(actual, expected, expected_len) != 0) { assert(sizeof(name) < MAX_NAME); char expected_hex[MAX_HEXDUMP_SIZE] = {0}; @@ -71,8 +74,8 @@ static int check_test_optional_abort(const void *expected, const void *actual, hexdump(actual_hex, actual, expected_len); snprintf(error_msg, sizeof(error_msg), - "%s failed.\nExpected: %s\nCalculated: %s\n", - name, expected_hex, actual_hex); + "%s failed.\nExpected: %s\nCalculated: %s\n", name, expected_hex, + actual_hex); if (call_fips_failure) { AWS_LC_FIPS_failure(error_msg); } else { 
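Review bot: `assert(sizeof(name) < MAX_NAME);` in check_test_optional_abort measures the `const char *` itself (pointer size), not the string, so it is always true and never verifies that `name` fits the MAX_NAME allowance that MAX_ERROR_MSG_SIZE is sized from; `assert(strlen(name) < MAX_NAME);` is the check the comment on MAX_NAME implies. In the same hunk, hexdump bounds its output only through `assert(in_len * 2 < MAX_HEXDUMP_SIZE)`, so in an NDEBUG build an over-long input would advance `pos` past MAX_HEXDUMP_SIZE and the `MAX_HEXDUMP_SIZE - pos` width passed to snprintf would wrap as size_t; a guard that holds in every build, e.g. `if (pos + 2 >= MAX_HEXDUMP_SIZE) { break; }` at the top of the loop body, keeps the write bounded. check_test_optional_abort continues past the end of the hunk.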
@@ -105,10 +108,9 @@ static int serialize_ecdsa_sig(uint8_t *out, size_t out_len, static ECDSA_SIG *parse_ecdsa_sig(const uint8_t *in, size_t in_len) { ECDSA_SIG *ret = ECDSA_SIG_new(); - if (!ret || // - (in_len & 1) || - BN_bin2bn(in, in_len/2, ret->r) == NULL || - BN_bin2bn(in + in_len/2, in_len/2, ret->s) == NULL) { + if (!ret || // + (in_len & 1) || BN_bin2bn(in, in_len / 2, ret->r) == NULL || + BN_bin2bn(in + in_len / 2, in_len / 2, ret->s) == NULL) { ECDSA_SIG_free(ret); ret = NULL; } @@ -232,8 +234,7 @@ static RSA *self_test_rsa_key(void) { }; RSA *rsa = RSA_new(); - if (rsa == NULL || - !set_bignum(&rsa->n, kN, sizeof(kN)) || + if (rsa == NULL || !set_bignum(&rsa->n, kN, sizeof(kN)) || !set_bignum(&rsa->e, kE, sizeof(kE)) || !set_bignum(&rsa->d, kD, sizeof(kD)) || !set_bignum(&rsa->p, kP, sizeof(kP)) || @@ -254,10 +255,8 @@ static DH *self_test_ffc_dh_key(const uint8_t *p, size_t p_len, const uint8_t *priv_key, size_t priv_key_len, const uint8_t *pub_key, size_t pub_key_len) { DH *dh = DH_new(); - if (dh == NULL || - !set_bignum(&dh->p, p, p_len) || - !set_bignum(&dh->q, q, q_len) || - !set_bignum(&dh->g, g, g_len) || + if (dh == NULL || !set_bignum(&dh->p, p, p_len) || + !set_bignum(&dh->q, q, q_len) || !set_bignum(&dh->g, g, g_len) || !set_bignum(&dh->priv_key, priv_key, priv_key_len) || !set_bignum(&dh->pub_key, pub_key, pub_key_len)) { DH_free(dh); @@ -269,7 +268,8 @@ static DH *self_test_ffc_dh_key(const uint8_t *p, size_t p_len, // domainParameterGenerationMode is FB static DH *self_test_ffc_dh_fb_key(void) { // The data is fetched from ACVP data. - // Details are available in CryptoAlg-851?selectedConversation=c0120d22-f2bd-4eae-8ae6-b04fcca86743 + // Details are available in + // CryptoAlg-851?selectedConversation=c0120d22-f2bd-4eae-8ae6-b04fcca86743 // File name: 197488/683891/testvector-request.json // Other details: "tgId": 2, "tcId": 6 static const uint8_t kDH_p[256] = { 
@@ -294,13 +294,11 @@ static DH *self_test_ffc_dh_fb_key(void) { 0x0e, 0x2e, 0x6e, 0x46, 0x5d, 0x1b, 0x34, 0xc0, 0x70, 0xfd, 0xa8, 0x8d, 0x82, 0x97, 0x10, 0xd4, 0x3e, 0x45, 0x16, 0x3e, 0x54, 0x42, 0x4a, 0x2a, 0x76, 0x5c, 0x6f, 0x30, 0x44, 0x1d, 0xf8, 0xc7, 0x07, 0xe2, 0xb8, 0xd9, - 0xac, 0x74, 0x73, 0x09 - }; - static const uint8_t kDH_q[28] = { - 0xcc, 0x9c, 0x34, 0x91, 0x8e, 0x8b, 0xa0, 0x86, 0x23, 0xa2, 0x76, 0x82, - 0xeb, 0xd1, 0x98, 0x5f, 0xab, 0x27, 0x56, 0x44, 0x66, 0x70, 0x50, 0xc9, - 0x35, 0xdc, 0x14, 0xc7 - }; + 0xac, 0x74, 0x73, 0x09}; + static const uint8_t kDH_q[28] = {0xcc, 0x9c, 0x34, 0x91, 0x8e, 0x8b, 0xa0, + 0x86, 0x23, 0xa2, 0x76, 0x82, 0xeb, 0xd1, + 0x98, 0x5f, 0xab, 0x27, 0x56, 0x44, 0x66, + 0x70, 0x50, 0xc9, 0x35, 0xdc, 0x14, 0xc7}; static const uint8_t kDH_g[256] = { 0x31, 0xee, 0x30, 0xb2, 0x17, 0x6f, 0x2a, 0xd1, 0x67, 0x09, 0xdf, 0x01, 0x38, 0x0b, 0x81, 0xf6, 0x7a, 0x5d, 0xee, 0x06, 0xd0, 0xed, 0x20, 0x0e, @@ -323,13 +321,11 @@ static DH *self_test_ffc_dh_fb_key(void) { 0x6c, 0x52, 0xde, 0x5d, 0xf0, 0x4a, 0x58, 0x3b, 0x8e, 0xde, 0xf1, 0xc0, 0x42, 0x63, 0x1e, 0x4d, 0xcf, 0x26, 0x44, 0x9e, 0x50, 0x98, 0x03, 0xbc, 0x5b, 0xfc, 0xef, 0x07, 0x3d, 0xae, 0xf7, 0xda, 0x9d, 0x76, 0x8a, 0x8d, - 0xa8, 0xb4, 0xe9, 0x79 - }; + 0xa8, 0xb4, 0xe9, 0x79}; const uint8_t kDH_private_key[28] = { - 0x75, 0x89, 0x8a, 0xbe, 0xc3, 0xc9, 0xc8, 0x7b, 0x04, 0x49, 0x47, 0xf6, - 0xc5, 0x1f, 0x9f, 0x71, 0x7f, 0x4a, 0x1d, 0x7c, 0xc3, 0x9a, 0xae, 0xcd, - 0x83, 0x53, 0xba, 0x25 - }; + 0x75, 0x89, 0x8a, 0xbe, 0xc3, 0xc9, 0xc8, 0x7b, 0x04, 0x49, + 0x47, 0xf6, 0xc5, 0x1f, 0x9f, 0x71, 0x7f, 0x4a, 0x1d, 0x7c, + 0xc3, 0x9a, 0xae, 0xcd, 0x83, 0x53, 0xba, 0x25}; const uint8_t kDH_public_key[256] = { 0x80, 0xbc, 0xbe, 0xf0, 0xad, 0x46, 0xfe, 0x97, 0x79, 0x4b, 0xd1, 0x49, 0x00, 0x04, 0xf0, 0x7f, 0x32, 0xac, 0x56, 0x17, 0x6b, 0xea, 0x84, 0xb5, 
@@ -352,13 +348,11 @@ static DH *self_test_ffc_dh_fb_key(void) { 0x4f, 0x04, 0x17, 0x8a, 0x12, 0x69, 0x83, 0x9c, 0xd6, 0x8b, 0x78, 0x58, 0xfa, 0x2c, 0x6b, 0xeb, 0xe8, 0x47, 0xf8, 0x14, 0x0e, 0x33, 0x7a, 0x95, 0xce, 0x34, 0x0f, 0x68, 0x32, 0x44, 0x76, 0xf6, 0xe8, 0x2e, 0x89, 0x72, - 0x11, 0x49, 0x04, 0x12 - }; - return self_test_ffc_dh_key(kDH_p, sizeof(kDH_p), - kDH_q, sizeof(kDH_q), - kDH_g, sizeof(kDH_g), - kDH_private_key, sizeof(kDH_private_key), - kDH_public_key, sizeof(kDH_public_key)); + 0x11, 0x49, 0x04, 0x12}; + return self_test_ffc_dh_key(kDH_p, sizeof(kDH_p), kDH_q, sizeof(kDH_q), kDH_g, + sizeof(kDH_g), kDH_private_key, + sizeof(kDH_private_key), kDH_public_key, + sizeof(kDH_public_key)); } static EC_KEY *self_test_ecdsa_key(void) { @@ -485,7 +479,8 @@ static int boringssl_self_test_rsa(void) { unsigned sig_len; if (!rsa_digestsign_no_self_test(EVP_sha256(), kRSASignPlaintext, - sizeof(kRSASignPlaintext),output, &sig_len, rsa_key) || + sizeof(kRSASignPlaintext), output, &sig_len, + rsa_key) || !check_test(kRSASignSignature, output, sizeof(kRSASignSignature), "RSA-sign KAT")) { goto err; @@ -522,9 +517,9 @@ static int boringssl_self_test_rsa(void) { 0x90, 0x6e, 0x18, 0xe2, 0x9e, 0x2a, 0x94, 0x04, 0x5a, 0xe9, 0x21, 0x8b, 0xc6, 0xc8, 0xda, 0x74, }; - if (!rsa_digestverify_no_self_test(EVP_sha256(), kRSAVerifyPlaintext, - sizeof(kRSAVerifyPlaintext), kRSAVerifySignature, - sizeof(kRSAVerifySignature), rsa_key)) { + if (!rsa_digestverify_no_self_test( + EVP_sha256(), kRSAVerifyPlaintext, sizeof(kRSAVerifyPlaintext), + kRSAVerifySignature, sizeof(kRSAVerifySignature), rsa_key)) { AWS_LC_FIPS_failure("RSA-verify KAT failed"); goto err; } 
@@ -571,8 +566,9 @@ static int boringssl_self_test_ecc(void) { uint8_t ecdsa_k[32] = {0}; ecdsa_k[31] = 42; - sig = ecdsa_digestsign_no_self_test(EVP_sha256(),kECDSASignPlaintext, sizeof - (kECDSASignPlaintext), ec_key, ecdsa_k, sizeof(ecdsa_k)); + sig = ecdsa_digestsign_no_self_test(EVP_sha256(), kECDSASignPlaintext, + sizeof(kECDSASignPlaintext), ec_key, + ecdsa_k, sizeof(ecdsa_k)); uint8_t ecdsa_sign_output[64]; if (sig == NULL || @@ -599,9 +595,9 @@ static int boringssl_self_test_ecc(void) { ECDSA_SIG_free(sig); sig = parse_ecdsa_sig(kECDSAVerifySig, sizeof(kECDSAVerifySig)); - if (!sig || - !ecdsa_digestverify_no_self_test(EVP_sha256(), kECDSAVerifyPlaintext, - sizeof(kECDSAVerifyPlaintext), sig, ec_key)) { + if (!sig || !ecdsa_digestverify_no_self_test( + EVP_sha256(), kECDSAVerifyPlaintext, + sizeof(kECDSAVerifyPlaintext), sig, ec_key)) { AWS_LC_FIPS_failure("ECDSA-verify KAT failed"); goto err; } 
@@ -724,28 +720,261 @@ static int boringssl_self_test_ffdh(void) { // File name: 197488/683891/testvector-request.json // Other details: "tgId": 2, "tcId": 6 const uint8_t kDH_fb_peer_public[256] = { - 0x8f, 0xbc, 0x50, 0x66, 0x4b, 0x2c, 0x9e, 0x2e, 0x7d, 0x4c, 0x64, 0x1a, - 0xe2, 0xd4, 0xd2, 0xcc, 0x6a, 0xcf, 0xe6, 0xbd, 0xf3, 0x3d, 0x39, 0xf2, - 0x1d, 0xe4, 0xc3, 0x45, 0xb4, 0x51, 0x7a, 0xbd, 0x9e, 0x7d, 0x49, 0xf2, - 0xbd, 0x03, 0x4d, 0x54, 0xf3, 0x97, 0x84, 0xfe, 0x07, 0x31, 0x98, 0x0e, - 0x78, 0x5f, 0xe8, 0x5d, 0xf4, 0x6a, 0xf4, 0xf9, 0xef, 0x25, 0x6b, 0x3e, - 0x1a, 0xb2, 0x0a, 0x42, 0xec, 0x19, 0xad, 0xe9, 0x68, 0xa9, 0x8f, 0xfd, - 0x51, 0xd4, 0x95, 0x88, 0x09, 0x83, 0x28, 0xc8, 0xd6, 0x54, 0x05, 0xd1, - 0xc3, 0x75, 0xb2, 0xbf, 0x03, 0xdd, 0x5f, 0x01, 0x18, 0x6b, 0xbb, 0x8d, - 0x49, 0x75, 0x2d, 0x0d, 0xdf, 0x62, 0x0b, 0xbf, 0x70, 0xbc, 0x58, 0x25, - 0xdb, 0x37, 0xde, 0xb2, 0xea, 0xd5, 0x11, 0x57, 0xc1, 0x83, 0x26, 0x53, - 0x5d, 0x61, 0x42, 0xf9, 0xbf, 0x51, 0xf8, 0x38, 0x93, 0x7f, 0x2d, 0xdd, - 0x5f, 0x57, 0xab, 0x41, 0xf2, 0xda, 0x88, 0xe8, 0x9d, 0x0d, 0xca, 0x5d, - 0x54, 0xe6, 0x79, 0xdf, 0xe2, 0x63, 0x8a, 0x62, 0x9f, 0x48, 0x1c, 0xc3, - 0x09, 0x80, 0x32, 0x46, 0x9c, 0x76, 0xe1, 0xf3, 0xa5, 0xa8, 0x4d, 0xac, - 0xb0, 0x2e, 0x42, 0x3c, 0x1d, 0x68, 0xf2, 0x88, 0xad, 0xd7, 0x3e, 0xa7, - 0xac, 0x4c, 0x13, 0x91, 0xc1, 0x43, 0xce, 0xa5, 0x20, 0x38, 0x7d, 0x8c, - 0x05, 0x2c, 0x96, 0xd2, 0xd6, 0x2a, 0x75, 0xc1, 0xf0, 0x15, 0xa1, 0x5c, - 0xed, 0x80, 0xf9, 0x2e, 0x47, 0x11, 0x2c, 0x15, 0x6d, 0x97, 0x6f, 0x7a, - 0x2e, 0x73, 0xf7, 0x1f, 0xc8, 0x89, 0xd9, 0x34, 0x62, 0x8a, 0xdc, 0xae, - 0xe2, 0xdf, 0xda, 0x03, 0x6d, 0xce, 0x8a, 0xe2, 0x02, 0xf3, 0xd9, 0xb7, - 0x86, 0xf5, 0x3d, 0x5f, 0x28, 0xeb, 0x74, 0x81, 0xd0, 0x40, 0x6e, 0xa6, - 0x90, 0x1f, 0x97, + 0x8f, + 0xbc, + 0x50, + 0x66, + 0x4b, + 0x2c, + 0x9e, + 0x2e, + 0x7d, + 0x4c, + 0x64, + 0x1a, + 0xe2, + 0xd4, + 0xd2, + 0xcc, + 0x6a, + 0xcf, + 0xe6, + 0xbd, + 0xf3, + 0x3d, + 0x39, + 0xf2, + 0x1d, + 0xe4, + 0xc3, + 0x45, + 
0xb4, + 0x51, + 0x7a, + 0xbd, + 0x9e, + 0x7d, + 0x49, + 0xf2, + 0xbd, + 0x03, + 0x4d, + 0x54, + 0xf3, + 0x97, + 0x84, + 0xfe, + 0x07, + 0x31, + 0x98, + 0x0e, + 0x78, + 0x5f, + 0xe8, + 0x5d, + 0xf4, + 0x6a, + 0xf4, + 0xf9, + 0xef, + 0x25, + 0x6b, + 0x3e, + 0x1a, + 0xb2, + 0x0a, + 0x42, + 0xec, + 0x19, + 0xad, + 0xe9, + 0x68, + 0xa9, + 0x8f, + 0xfd, + 0x51, + 0xd4, + 0x95, + 0x88, + 0x09, + 0x83, + 0x28, + 0xc8, + 0xd6, + 0x54, + 0x05, + 0xd1, + 0xc3, + 0x75, + 0xb2, + 0xbf, + 0x03, + 0xdd, + 0x5f, + 0x01, + 0x18, + 0x6b, + 0xbb, + 0x8d, + 0x49, + 0x75, + 0x2d, + 0x0d, + 0xdf, + 0x62, + 0x0b, + 0xbf, + 0x70, + 0xbc, + 0x58, + 0x25, + 0xdb, + 0x37, + 0xde, + 0xb2, + 0xea, + 0xd5, + 0x11, + 0x57, + 0xc1, + 0x83, + 0x26, + 0x53, + 0x5d, + 0x61, + 0x42, + 0xf9, + 0xbf, + 0x51, + 0xf8, + 0x38, + 0x93, + 0x7f, + 0x2d, + 0xdd, + 0x5f, + 0x57, + 0xab, + 0x41, + 0xf2, + 0xda, + 0x88, + 0xe8, + 0x9d, + 0x0d, + 0xca, + 0x5d, + 0x54, + 0xe6, + 0x79, + 0xdf, + 0xe2, + 0x63, + 0x8a, + 0x62, + 0x9f, + 0x48, + 0x1c, + 0xc3, + 0x09, + 0x80, + 0x32, + 0x46, + 0x9c, + 0x76, + 0xe1, + 0xf3, + 0xa5, + 0xa8, + 0x4d, + 0xac, + 0xb0, + 0x2e, + 0x42, + 0x3c, + 0x1d, + 0x68, + 0xf2, + 0x88, + 0xad, + 0xd7, + 0x3e, + 0xa7, + 0xac, + 0x4c, + 0x13, + 0x91, + 0xc1, + 0x43, + 0xce, + 0xa5, + 0x20, + 0x38, + 0x7d, + 0x8c, + 0x05, + 0x2c, + 0x96, + 0xd2, + 0xd6, + 0x2a, + 0x75, + 0xc1, + 0xf0, + 0x15, + 0xa1, + 0x5c, + 0xed, + 0x80, + 0xf9, + 0x2e, + 0x47, + 0x11, + 0x2c, + 0x15, + 0x6d, + 0x97, + 0x6f, + 0x7a, + 0x2e, + 0x73, + 0xf7, + 0x1f, + 0xc8, + 0x89, + 0xd9, + 0x34, + 0x62, + 0x8a, + 0xdc, + 0xae, + 0xe2, + 0xdf, + 0xda, + 0x03, + 0x6d, + 0xce, + 0x8a, + 0xe2, + 0x02, + 0xf3, + 0xd9, + 0xb7, + 0x86, + 0xf5, + 0x3d, + 0x5f, + 0x28, + 0xeb, + 0x74, + 0x81, + 0xd0, + 0x40, + 0x6e, + 0xa6, + 0x90, + 0x1f, + 0x97, #if !defined(BORINGSSL_FIPS_BREAK_FFC_DH) 0xbe #else 
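Review bot: The `#if !defined(BORINGSSL_FIPS_BREAK_FFC_DH)` inside the kDH_fb_peer_public initializer makes clang-format emit one byte per line, which turns a 22-line table into roughly 250 lines (the hunk grows from 28 to 261 lines) and makes the vector much harder to compare against its ACVP source by eye; the neighbouring kDH_fb_z table keeps the 12-per-line layout because it has no directive inside it. Wrapping just this initializer in `// clang-format off` and `// clang-format on`, or moving the conditional final byte into a macro defined above the array so the directive leaves the initializer, restores the compact form while still passing the format check. The enclosing function boringssl_self_test_ffdh starts before and ends after this hunk.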
@@ -753,28 +982,28 @@ static int boringssl_self_test_ffdh(void) { #endif }; const uint8_t kDH_fb_z[256] = { - 0x8a, 0x03, 0x41, 0x31, 0x59, 0xda, 0x27, 0xff, 0x91, 0x0b, 0xd9, 0x46, - 0x08, 0x8f, 0x08, 0x67, 0x89, 0xa2, 0x0a, 0xac, 0x32, 0x9e, 0x8f, 0x05, - 0xde, 0x0d, 0x4f, 0xb8, 0x35, 0xf8, 0x5f, 0x56, 0x6f, 0x51, 0x75, 0xfd, - 0xa2, 0x50, 0x5e, 0x5e, 0x92, 0x42, 0x89, 0xd1, 0x6c, 0xe2, 0xab, 0x13, - 0x15, 0xd9, 0x72, 0x22, 0x66, 0x2e, 0x64, 0x83, 0x7d, 0x21, 0x51, 0x2b, - 0x8d, 0x79, 0xe5, 0x53, 0x4b, 0x7d, 0xf6, 0x6c, 0x8d, 0x13, 0x8a, 0xcc, - 0x9b, 0xed, 0x8d, 0xe9, 0x25, 0xd7, 0x31, 0x9b, 0x49, 0x0b, 0xc2, 0x5e, - 0x5e, 0xa7, 0x48, 0xb8, 0xf9, 0x66, 0xbc, 0x4e, 0x1e, 0x5b, 0xfe, 0x08, - 0x1f, 0x5f, 0x29, 0xdf, 0xfa, 0x27, 0x08, 0xad, 0x40, 0xff, 0x07, 0xd8, - 0xb6, 0xe8, 0x7e, 0x03, 0xc2, 0xe2, 0xdd, 0x29, 0xb1, 0x8d, 0x4b, 0x68, - 0x51, 0x94, 0xb9, 0x72, 0xb2, 0x49, 0x20, 0xa1, 0x80, 0x16, 0x09, 0x20, - 0x83, 0xa6, 0x13, 0x70, 0x0a, 0x42, 0x62, 0x8c, 0xd6, 0x1e, 0x9f, 0x64, - 0x18, 0x41, 0x48, 0x49, 0xe5, 0xcb, 0x3b, 0xd2, 0x86, 0x48, 0x92, 0x83, - 0x69, 0xc9, 0xa9, 0x99, 0xe6, 0xc7, 0xdc, 0x08, 0xee, 0xdc, 0x64, 0x43, - 0x42, 0xb7, 0x49, 0x39, 0x4b, 0x0d, 0x3a, 0xfc, 0x73, 0x63, 0xa7, 0x65, - 0x61, 0x9e, 0x45, 0xfd, 0x72, 0x0f, 0x6c, 0xef, 0x1a, 0x1d, 0xa7, 0xdc, - 0x81, 0xfd, 0x03, 0x62, 0x2a, 0x55, 0xbf, 0x88, 0x09, 0xf7, 0x1e, 0xd9, - 0xbc, 0xdd, 0x62, 0x33, 0xe7, 0xa0, 0xd5, 0xfa, 0x55, 0xca, 0xa0, 0xb8, - 0x47, 0xc7, 0xf4, 0xbc, 0x15, 0x98, 0x7d, 0x63, 0xf4, 0x71, 0xc0, 0x25, - 0x34, 0x96, 0x0f, 0xb5, 0xeb, 0xa9, 0x2e, 0x0c, 0xbf, 0x12, 0x99, 0xc0, - 0xbd, 0x0e, 0x65, 0xa3, 0xad, 0x77, 0x75, 0xc5, 0x99, 0xeb, 0x30, 0xe9, - 0x65, 0x90, 0xbc, 0x7e, + 0x8a, 0x03, 0x41, 0x31, 0x59, 0xda, 0x27, 0xff, 0x91, 0x0b, 0xd9, 0x46, + 0x08, 0x8f, 0x08, 0x67, 0x89, 0xa2, 0x0a, 0xac, 0x32, 0x9e, 0x8f, 0x05, + 0xde, 0x0d, 0x4f, 0xb8, 0x35, 0xf8, 0x5f, 0x56, 0x6f, 0x51, 0x75, 0xfd, + 0xa2, 0x50, 0x5e, 0x5e, 0x92, 0x42, 0x89, 0xd1, 0x6c, 0xe2, 0xab, 0x13, + 0x15, 0xd9, 
0x72, 0x22, 0x66, 0x2e, 0x64, 0x83, 0x7d, 0x21, 0x51, 0x2b, + 0x8d, 0x79, 0xe5, 0x53, 0x4b, 0x7d, 0xf6, 0x6c, 0x8d, 0x13, 0x8a, 0xcc, + 0x9b, 0xed, 0x8d, 0xe9, 0x25, 0xd7, 0x31, 0x9b, 0x49, 0x0b, 0xc2, 0x5e, + 0x5e, 0xa7, 0x48, 0xb8, 0xf9, 0x66, 0xbc, 0x4e, 0x1e, 0x5b, 0xfe, 0x08, + 0x1f, 0x5f, 0x29, 0xdf, 0xfa, 0x27, 0x08, 0xad, 0x40, 0xff, 0x07, 0xd8, + 0xb6, 0xe8, 0x7e, 0x03, 0xc2, 0xe2, 0xdd, 0x29, 0xb1, 0x8d, 0x4b, 0x68, + 0x51, 0x94, 0xb9, 0x72, 0xb2, 0x49, 0x20, 0xa1, 0x80, 0x16, 0x09, 0x20, + 0x83, 0xa6, 0x13, 0x70, 0x0a, 0x42, 0x62, 0x8c, 0xd6, 0x1e, 0x9f, 0x64, + 0x18, 0x41, 0x48, 0x49, 0xe5, 0xcb, 0x3b, 0xd2, 0x86, 0x48, 0x92, 0x83, + 0x69, 0xc9, 0xa9, 0x99, 0xe6, 0xc7, 0xdc, 0x08, 0xee, 0xdc, 0x64, 0x43, + 0x42, 0xb7, 0x49, 0x39, 0x4b, 0x0d, 0x3a, 0xfc, 0x73, 0x63, 0xa7, 0x65, + 0x61, 0x9e, 0x45, 0xfd, 0x72, 0x0f, 0x6c, 0xef, 0x1a, 0x1d, 0xa7, 0xdc, + 0x81, 0xfd, 0x03, 0x62, 0x2a, 0x55, 0xbf, 0x88, 0x09, 0xf7, 0x1e, 0xd9, + 0xbc, 0xdd, 0x62, 0x33, 0xe7, 0xa0, 0xd5, 0xfa, 0x55, 0xca, 0xa0, 0xb8, + 0x47, 0xc7, 0xf4, 0xbc, 0x15, 0x98, 0x7d, 0x63, 0xf4, 0x71, 0xc0, 0x25, + 0x34, 0x96, 0x0f, 0xb5, 0xeb, 0xa9, 0x2e, 0x0c, 0xbf, 0x12, 0x99, 0xc0, + 0xbd, 0x0e, 0x65, 0xa3, 0xad, 0x77, 0x75, 0xc5, 0x99, 0xeb, 0x30, 0xe9, + 0x65, 0x90, 0xbc, 0x7e, }; ffdhe2048_value = BN_new(); 
@@ -819,13 +1048,12 @@ static int boringssl_self_test_ml_kem(void) { int ret = 0; static const uint8_t kKeyGenEKSeed[MLKEM512_KEYGEN_SEED_LEN] = { - 0xf8, 0x8c, 0xb2, 0x5f, 0x89, 0xa3, 0x55, 0x5f, 0xae, 0xc6, 0x71, 0xa1, - 0xdf, 0xc6, 0xf6, 0x1d, 0x60, 0xd0, 0x62, 0x22, 0x7d, 0x6a, 0x8f, 0xf6, - 0x2b, 0x3c, 0x6d, 0x7b, 0xd6, 0x14, 0x0f, 0x66, 0x24, 0xc0, 0x84, 0xa6, - 0x4d, 0xa7, 0x4c, 0x63, 0x32, 0x7e, 0x11, 0x77, 0x58, 0xaa, 0x33, 0x8a, - 0x02, 0xe4, 0x43, 0x74, 0x10, 0xb8, 0xf9, 0xf2, 0x00, 0x88, 0xa1, 0x29, - 0xc1, 0x68, 0x3d, 0xe7 - }; + 0xf8, 0x8c, 0xb2, 0x5f, 0x89, 0xa3, 0x55, 0x5f, 0xae, 0xc6, 0x71, + 0xa1, 0xdf, 0xc6, 0xf6, 0x1d, 0x60, 0xd0, 0x62, 0x22, 0x7d, 0x6a, + 0x8f, 0xf6, 0x2b, 0x3c, 0x6d, 0x7b, 0xd6, 0x14, 0x0f, 0x66, 0x24, + 0xc0, 0x84, 0xa6, 0x4d, 0xa7, 0x4c, 0x63, 0x32, 0x7e, 0x11, 0x77, + 0x58, 0xaa, 0x33, 0x8a, 0x02, 0xe4, 0x43, 0x74, 0x10, 0xb8, 0xf9, + 0xf2, 0x00, 0x88, 0xa1, 0x29, 0xc1, 0x68, 0x3d, 0xe7}; static const uint8_t kKeyGenEK[MLKEM512_PUBLIC_KEY_BYTES] = { 0xa7, 0xcc, 0x68, 0xf8, 0xd0, 0x21, 0x10, 0xca, 0x57, 0x20, 0x22, 0x3b, 0x9e, 0x2a, 0x89, 0x87, 0xc8, 0xa2, 0x48, 0x35, 0xa2, 0x0d, 0xab, 0xcb, @@ -900,7 +1128,7 @@ static int boringssl_self_test_ml_kem(void) { if (ml_kem_512_keypair_deterministic_no_self_test( keygen_encaps, keygen_decaps, kKeyGenEKSeed) || !check_test(kKeyGenEK, keygen_encaps, sizeof(keygen_encaps), - "ML-KEM-keyGen-encaps")) { + "ML-KEM-keyGen-encaps")) { goto err; } 
@@ -916,8 +1144,7 @@ static int boringssl_self_test_ml_kem(void) { 0x95, 0x36, 0x77, 0x30, 0x11, 0x64, 0xd1, 0x5d, 0x20, 0xd7, 0x1b, 0x07, 0x4b, 0xff, 0x80, 0x44, 0x44, 0x5e, 0x11, 0x66, 0x0b, 0x1b, 0x6b, 0x26, 0xdf, 0x24, 0x2b, 0x8f, 0xc0, 0x2b, 0x9e, 0x8d, 0xf5, - 0x38, 0xdb, 0x17, 0xa6, 0x39, 0xd7, 0xc4, 0x61, 0x32 -}; + 0x38, 0xdb, 0x17, 0xa6, 0x39, 0xd7, 0xc4, 0x61, 0x32}; static const uint8_t kKeyGenDK[MLKEM512_SECRET_KEY_BYTES] = { 0x88, 0xc1, 0x2c, 0xea, 0xa6, 0xcb, 0x91, 0xf5, 0x89, 0xac, 0xb8, 0x6d, 0x91, 0x3c, 0x7a, 0x60, 0xf7, 0xcd, 0xab, 0xe3, 0xb7, 0xb5, 0x90, 0x09, @@ -1487,10 +1714,10 @@ static int boringssl_self_test_ml_kem(void) { 0xab, 0xe3, 0x2e, 0x84, 0x49, 0x99, 0xb4, 0x47, 0x7c, 0x99, 0x8a, 0x9f, 0xb3, 0xc9, 0xba, 0xbb, 0xe8, 0x3c, 0x6e, 0xc6, 0x13, 0x74, 0x0c, 0x2b, 0x04, 0x75, 0xec, 0xb7, 0x32, 0xde, 0x51, 0x64, 0x38, 0x68, 0xeb, 0xb7}; - static const uint8_t kDecapSharedSecretRejection[MLKEM512_SHARED_SECRET_LEN] = { - 0x98, 0xed, 0x60, 0x0f, 0xfd, 0x9e, 0x01, 0x9f, 0x35, 0x0e, 0x0a, - 0x15, 0xd4, 0x69, 0x5b, 0xa0, 0x96, 0xce, 0x2b, 0x32, 0xc3, 0x75, - 0x24, 0x4f, 0x79, 0xa5, 0x74, 0xda, 0x06, 0xb4, 0xb1, 0xbd}; + static const uint8_t kDecapSharedSecretRejection[MLKEM512_SHARED_SECRET_LEN] = + {0x98, 0xed, 0x60, 0x0f, 0xfd, 0x9e, 0x01, 0x9f, 0x35, 0x0e, 0x0a, + 0x15, 0xd4, 0x69, 0x5b, 0xa0, 0x96, 0xce, 0x2b, 0x32, 0xc3, 0x75, + 0x24, 0x4f, 0x79, 0xa5, 0x74, 0xda, 0x06, 0xb4, 0xb1, 0xbd}; if (ml_kem_512_decapsulate_no_self_test(shared_secret, kDecapCiphertext, kDecapDK) || 
@@ -1512,571 +1739,571 @@ static int boringssl_self_test_ml_kem(void) { static int boringssl_self_test_ml_dsa(void) { int ret = 0; - // Examples kMLDSAKeyGenSeed, kMLDSAKeyGenPublicKey, kMLDSAKeyGenPrivateKey from + // Examples kMLDSAKeyGenSeed, kMLDSAKeyGenPublicKey, kMLDSAKeyGenPrivateKey + // from // https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/json-files/ML-DSA-keyGen-FIPS204/prompt.json#L15 const uint8_t kMLDSAKeyGenSeed[MLDSA44_KEYGEN_SEED_BYTES] = { - 0x4B, 0xE7, 0xA0, 0x1A, 0x99, 0xA5, 0xE5, 0xBC, 0xFE, 0x3C, 0x06, - 0x78, 0x5D, 0x8E, 0x4E, 0xC6, 0x64, 0x08, 0x22, 0x27, 0xD8, 0x67, - 0x04, 0xE9, 0xE4, 0x48, 0x62, 0x62, 0x3A, 0x05, 0xC8, 0xB3 -}; + 0x4B, 0xE7, 0xA0, 0x1A, 0x99, 0xA5, 0xE5, 0xBC, 0xFE, 0x3C, 0x06, + 0x78, 0x5D, 0x8E, 0x4E, 0xC6, 0x64, 0x08, 0x22, 0x27, 0xD8, 0x67, + 0x04, 0xE9, 0xE4, 0x48, 0x62, 0x62, 0x3A, 0x05, 0xC8, 0xB3}; // https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/json-files/ML-DSA-keyGen-FIPS204/expectedResults.json#L13 const uint8_t kMLDSAKeyGenPublicKey[MLDSA44_PUBLIC_KEY_BYTES] = { - 0xad, 0xb0, 0xb3, 0x34, 0x64, 0x81, 0x60, 0x91, 0xf2, 0xa9, 0x59, 0x77, - 0xc6, 0x7f, 0x08, 0x5f, 0xdc, 0x24, 0xb3, 0x78, 0x54, 0xd4, 0xdb, 0x0a, - 0x57, 0x7a, 0xe9, 0x40, 0x1e, 0x40, 0x81, 0x48, 0xd8, 0x91, 0x7d, 0x21, - 0xaa, 0x49, 0x6b, 0xb1, 0x3c, 0x60, 0xb2, 0x95, 0xcb, 0x0a, 0x94, 0x23, - 0x22, 0xa0, 0x39, 0x97, 0x98, 0x28, 0xf4, 0x6a, 0x00, 0xa4, 0xe7, 0xde, - 0xeb, 0xa2, 0xbc, 0x06, 0x52, 0x16, 0xd9, 0x7d, 0x93, 0xfd, 0x6b, 0xc1, - 0xcd, 0x87, 0xdd, 0x38, 0x3f, 0x18, 0x96, 0x3c, 0xe5, 0xcf, 0xdd, 0x71, - 0xb5, 0x1d, 0xf0, 0x80, 0x86, 0xf1, 0x41, 0x5e, 0xa5, 0x12, 0xaf, 0xae, - 0x38, 0xce, 0x16, 0xe5, 0x17, 0x14, 0x2d, 0x3a, 0xe3, 0xed, 0xd3, 0x94, - 0x96, 0x70, 0x56, 0x79, 0x46, 0x6a, 0xa9, 0xcc, 0x3f, 0xfa, 0x14, 0x07, - 0x1d, 0xc5, 0x62, 0x44, 0xfd, 0x1c, 0xa4, 0xec, 0xa5, 0xa1, 0x40, 0x5d, - 0x5f, 0x1f, 0xc1, 0x2f, 0x3c, 0x5e, 0xca, 0xcc, 0x4b, 0x9b, 0x02, 0x1b, - 0xca, 0x72, 0x01, 0xc4, 0xea, 0x0d, 0x67, 
0x00, 0x99, 0xb7, 0xbb, 0xd5, - 0x07, 0x07, 0x16, 0x4f, 0x3f, 0x39, 0x55, 0x69, 0x99, 0x0b, 0xc6, 0xe7, - 0xe3, 0x04, 0x24, 0xb3, 0x7a, 0xb0, 0x62, 0x1d, 0xb2, 0x95, 0x4e, 0x59, - 0x96, 0xb1, 0x56, 0x70, 0xdc, 0x4c, 0xe0, 0x3a, 0x14, 0x97, 0xe4, 0x04, - 0x65, 0xa4, 0xc3, 0x26, 0xf1, 0xe0, 0x65, 0xe2, 0xbf, 0xdf, 0x1a, 0x11, - 0xad, 0xba, 0x11, 0x93, 0x52, 0x27, 0x88, 0xee, 0xa0, 0x06, 0xb8, 0xb1, - 0xab, 0x29, 0x6a, 0xe1, 0xb1, 0x74, 0xc9, 0x56, 0xae, 0x95, 0x55, 0x18, - 0x02, 0x74, 0x29, 0x4c, 0xdc, 0x19, 0xcb, 0x4e, 0xef, 0xf2, 0xaa, 0xe1, - 0x26, 0x0a, 0xb1, 0xe0, 0x3c, 0x7c, 0xcf, 0x8d, 0x8a, 0x6d, 0xf4, 0x2b, - 0xa6, 0x7e, 0xea, 0x32, 0x28, 0xe9, 0xe8, 0x31, 0x98, 0x21, 0xfb, 0x06, - 0x53, 0x8c, 0x71, 0x06, 0x1b, 0x5e, 0x1d, 0x79, 0x27, 0x48, 0x16, 0x15, - 0x2a, 0x4f, 0x18, 0x8f, 0xe3, 0x97, 0x43, 0xd8, 0x6a, 0xde, 0xd0, 0xd4, - 0xe9, 0x02, 0x0d, 0x5d, 0xba, 0x05, 0x96, 0x52, 0x1e, 0x8e, 0x6a, 0x2d, - 0x50, 0x81, 0x1e, 0x6e, 0x98, 0x9a, 0xe0, 0xd3, 0x5b, 0x4d, 0x40, 0x0a, - 0x4a, 0x4c, 0x5c, 0x88, 0x31, 0x32, 0xf6, 0xf3, 0xdb, 0xd3, 0xf6, 0x51, - 0x7e, 0xcb, 0x27, 0x74, 0x59, 0x24, 0x89, 0x7f, 0xc1, 0x14, 0x1c, 0xbf, - 0xec, 0x4c, 0xdd, 0x4e, 0x87, 0x1e, 0x2d, 0x30, 0x2a, 0xe9, 0x56, 0x43, - 0xd3, 0x82, 0xca, 0xee, 0xf0, 0xde, 0xd3, 0xf1, 0xf0, 0x64, 0x67, 0x68, - 0xab, 0x18, 0x29, 0x7e, 0xee, 0xc4, 0x79, 0x6c, 0xf8, 0xa5, 0x96, 0x4f, - 0x21, 0xd5, 0x5b, 0x7b, 0x3c, 0x11, 0x17, 0x84, 0x3b, 0x1f, 0xae, 0x74, - 0xd8, 0x49, 0x63, 0x02, 0x18, 0x1e, 0xe6, 0x82, 0xd0, 0x76, 0xe7, 0x85, - 0x8b, 0x13, 0xbe, 0x61, 0x2e, 0xdb, 0xb2, 0x63, 0x5f, 0xfd, 0x51, 0xf3, - 0x96, 0x41, 0x40, 0x89, 0x0f, 0x10, 0x15, 0xc3, 0x2e, 0x3f, 0xfb, 0xdf, - 0xb0, 0xc7, 0x6e, 0x16, 0x31, 0x69, 0x12, 0x2b, 0x35, 0xf9, 0x1e, 0x1e, - 0x29, 0xc5, 0xb9, 0xc9, 0x2d, 0xc4, 0x0d, 0xc7, 0x38, 0xfb, 0x7a, 0xa4, - 0x49, 0x32, 0xb9, 0x37, 0xca, 0xfa, 0x03, 0xed, 0xd7, 0xe7, 0x11, 0xee, - 0xb1, 0x9a, 0x82, 0x80, 0x34, 0xec, 0x39, 0x81, 0xa2, 0x95, 0x03, 0x83, - 0xf6, 0xc6, 0xf7, 0x34, 0xbc, 0xff, 0xe6, 
0x8d, 0x39, 0xb7, 0x1d, 0x7f, - 0x55, 0xfe, 0x35, 0xe4, 0xe2, 0x29, 0x9c, 0x0a, 0x9e, 0xdc, 0x40, 0xb6, - 0x6d, 0xb4, 0x1f, 0x7b, 0xca, 0x34, 0x11, 0x62, 0xde, 0x03, 0x50, 0xb5, - 0x4e, 0x72, 0x0b, 0x9a, 0x1a, 0xae, 0x0d, 0x99, 0xdb, 0x0a, 0x58, 0xd0, - 0x52, 0xb6, 0x9e, 0xe1, 0xa3, 0x02, 0x27, 0x43, 0x9b, 0xdf, 0xd8, 0xc1, - 0xd4, 0xfd, 0xbe, 0xb4, 0x69, 0x1f, 0x9c, 0xbd, 0x5b, 0xb6, 0x2b, 0x47, - 0xcb, 0x0e, 0x78, 0x2b, 0xf3, 0x10, 0xe2, 0x78, 0x7b, 0x3c, 0x25, 0x5b, - 0x67, 0x70, 0x8c, 0x5c, 0x7c, 0x75, 0x1f, 0x48, 0xbb, 0x79, 0x70, 0x69, - 0xc2, 0x90, 0x49, 0x3b, 0xb8, 0x56, 0x10, 0x72, 0xea, 0x17, 0xb1, 0x45, - 0xd2, 0x6b, 0x07, 0x20, 0x9e, 0x29, 0x2f, 0xa5, 0xed, 0x76, 0xca, 0xa3, - 0x1b, 0x2d, 0x7d, 0xb4, 0x5d, 0xdb, 0x09, 0x6d, 0x44, 0xcd, 0xa1, 0x3e, - 0xcd, 0x03, 0xe3, 0x54, 0x7b, 0x52, 0x1d, 0xc3, 0x0c, 0xe2, 0x7d, 0x66, - 0xa2, 0x88, 0xb4, 0x05, 0x97, 0x01, 0x59, 0x8d, 0x0a, 0xd3, 0x8a, 0x33, - 0x13, 0x0e, 0xbc, 0x49, 0x2b, 0xa0, 0x25, 0xd9, 0x3c, 0x58, 0xe8, 0xbd, - 0x11, 0x87, 0x3b, 0x37, 0xad, 0xb1, 0xb3, 0x90, 0x66, 0xfe, 0x83, 0xea, - 0xd6, 0x45, 0xae, 0x6b, 0x04, 0xf7, 0x58, 0x47, 0x0c, 0x16, 0x3a, 0xd9, - 0x6a, 0xed, 0xa9, 0x20, 0x84, 0x20, 0xc6, 0xe9, 0xc2, 0x74, 0xef, 0xbb, - 0x85, 0x35, 0x63, 0xe1, 0xcb, 0x36, 0x60, 0xd2, 0x75, 0xf8, 0x5b, 0xb5, - 0x51, 0xa2, 0x88, 0x8a, 0x1e, 0xf0, 0x5a, 0xaf, 0x32, 0x1f, 0x65, 0xd4, - 0xeb, 0x15, 0xda, 0xdc, 0x93, 0xc7, 0x6a, 0x4b, 0x52, 0xd0, 0xc3, 0x4f, - 0x55, 0x65, 0x92, 0x82, 0x49, 0x68, 0x20, 0x0e, 0xbd, 0xe6, 0x52, 0x74, - 0x07, 0x27, 0xe0, 0xcb, 0x0a, 0x6d, 0xe0, 0x28, 0x0f, 0xcd, 0x82, 0xcd, - 0x49, 0x6a, 0x1f, 0x5b, 0xaf, 0x95, 0x65, 0x7b, 0xa3, 0xc1, 0x09, 0x1f, - 0xcc, 0x36, 0xbf, 0x7e, 0xbe, 0x77, 0xfc, 0x34, 0x88, 0x9e, 0xa4, 0x38, - 0xa0, 0x7e, 0x92, 0xac, 0xea, 0xe4, 0x53, 0xc8, 0xee, 0xd9, 0x3d, 0x9a, - 0x70, 0xe8, 0x2c, 0xa3, 0xb8, 0xd0, 0x6e, 0xc9, 0xea, 0xdb, 0x5e, 0xaf, - 0x8b, 0x49, 0x1b, 0x66, 0x5b, 0x39, 0x03, 0xb8, 0xc8, 0x61, 0x3a, 0x24, - 0x07, 0xa6, 0xe5, 0xf3, 0x5f, 0x44, 0x67, 
0x8b, 0x19, 0x35, 0x66, 0x3b, - 0xba, 0x75, 0x61, 0x09, 0x6c, 0x2e, 0x3d, 0x50, 0x2e, 0xf0, 0xf7, 0xa2, - 0x45, 0xa5, 0x22, 0x52, 0x28, 0x00, 0x16, 0xc0, 0xb7, 0x4e, 0x3b, 0x05, - 0xd9, 0x3a, 0xea, 0x24, 0xca, 0xeb, 0xa4, 0xd5, 0x95, 0xc3, 0x14, 0x34, - 0xd9, 0x9b, 0x46, 0xf5, 0xb5, 0xef, 0x4d, 0x3a, 0x3a, 0x62, 0x5e, 0xdd, - 0x7e, 0xb9, 0x5d, 0xcd, 0x27, 0xc8, 0x28, 0x94, 0x96, 0x99, 0xc5, 0xe5, - 0x67, 0xd7, 0xa8, 0x51, 0x26, 0x19, 0xe1, 0x4e, 0xcc, 0x6e, 0x1c, 0x47, - 0xca, 0x65, 0x67, 0x21, 0x1d, 0x12, 0x11, 0xfc, 0x6b, 0x94, 0x9b, 0x83, - 0x78, 0x3c, 0x7c, 0xb4, 0x17, 0x62, 0x16, 0x7b, 0xf9, 0x60, 0xe9, 0x35, - 0xfd, 0x85, 0x3e, 0x9e, 0xd3, 0xbb, 0xec, 0xcb, 0x75, 0xe8, 0xdf, 0xb4, - 0xe3, 0x5f, 0x85, 0x45, 0x66, 0xdc, 0xdb, 0x30, 0x0e, 0xb0, 0xd5, 0x1b, - 0x6c, 0x22, 0xe6, 0xeb, 0x1d, 0x85, 0x03, 0x0d, 0xaa, 0x5a, 0x2f, 0xe2, - 0xbb, 0xcc, 0x7c, 0x27, 0x45, 0x79, 0x08, 0x60, 0xad, 0x48, 0x03, 0x3d, - 0xa0, 0x38, 0x42, 0x10, 0x51, 0xd1, 0x61, 0x73, 0x9f, 0x52, 0x4b, 0xb1, - 0xc7, 0x16, 0x25, 0x06, 0x23, 0xa5, 0x7f, 0x64, 0xcb, 0x25, 0x06, 0xdf, - 0x49, 0xc6, 0x65, 0x37, 0xc2, 0xa4, 0x6c, 0xd0, 0xa6, 0x8d, 0x00, 0x17, - 0xbb, 0x33, 0xcb, 0xa4, 0xcf, 0x37, 0x35, 0x12, 0x91, 0xd2, 0x08, 0x03, - 0x37, 0x68, 0xc8, 0x67, 0x99, 0xe0, 0x16, 0xa9, 0x60, 0xe6, 0x82, 0x46, - 0x70, 0xfb, 0xff, 0x10, 0x61, 0x08, 0x7d, 0xa8, 0xfb, 0x74, 0xf9, 0x77, - 0x11, 0x02, 0x39, 0xde, 0xd4, 0x8c, 0xfc, 0x86, 0xa4, 0xfc, 0x4b, 0xae, - 0xf2, 0x20, 0xf0, 0x5a, 0xeb, 0x0c, 0xe3, 0x43, 0x57, 0xd7, 0xd3, 0x1d, - 0x20, 0x38, 0x8f, 0xaa, 0x30, 0x7f, 0x2d, 0x97, 0xf5, 0x93, 0xb9, 0xe2, - 0x87, 0x32, 0x2a, 0x9c, 0x32, 0x9e, 0x04, 0x32, 0x85, 0x22, 0xea, 0x79, - 0xaa, 0xc3, 0x1c, 0xf2, 0x76, 0x5f, 0xb3, 0x34, 0xab, 0xd9, 0xa1, 0x76, - 0x4d, 0xa3, 0x55, 0x09, 0x68, 0xfa, 0x69, 0x3c, 0xb8, 0x48, 0x52, 0x26, - 0x81, 0x70, 0x02, 0x28, 0x81, 0xcc, 0x38, 0x87, 0x45, 0xa5, 0x4a, 0x50, - 0x0f, 0xac, 0xb2, 0xb8, 0xdf, 0x36, 0x38, 0x3e, 0x21, 0x9b, 0x99, 0x17, - 0x7c, 0x3a, 0xf5, 0x1b, 0x1e, 0x33, 0xaf, 
0x78, 0x3e, 0xfe, 0xae, 0x04, - 0xa0, 0xf9, 0x84, 0x5d, 0x79, 0xaa, 0x4a, 0x4d, 0xd9, 0xdd, 0xe5, 0xca, - 0xf7, 0xd5, 0x2d, 0x77, 0x9d, 0x59, 0xd1, 0x8f, 0x0e, 0x0e, 0x2b, 0x44, - 0xb6, 0x34, 0xa5, 0xd6, 0x30, 0xbe, 0x81, 0x98, 0xad, 0x8b, 0x20, 0x12, - 0xc5, 0x2a, 0x7b, 0x89, 0xf1, 0x33, 0xf0, 0x9c, 0x3e, 0x8d, 0x21, 0xf0, - 0xad, 0x11, 0x37, 0xaf, 0x09, 0x58, 0x93, 0xb9, 0x66, 0xff, 0xc0, 0x7e, - 0x89, 0x56, 0x58, 0x5f, 0xf5, 0xc1, 0x0b, 0x12, 0x3c, 0x6a, 0x4a, 0x5c, - 0x33, 0x67, 0xd8, 0x98, 0xac, 0xb1, 0x28, 0x91, 0x5f, 0xe7, 0x10, 0xdf, - 0x75, 0xfa, 0x23, 0xb4, 0x00, 0x5c, 0xaf, 0xfe, 0xe5, 0x18, 0xc1, 0x42, - 0x04, 0x03, 0x52, 0x3f, 0x0d, 0x7e, 0xb0, 0x36, 0x96, 0xbd, 0x21, 0x28, - 0x2e, 0xb0, 0xb1, 0xc1, 0x8a, 0x68, 0xf7, 0x0f, 0x66, 0x83, 0x7a, 0x58, - 0x45, 0x31, 0x90, 0xa0, 0x6a, 0xd0, 0xf6, 0xe2, 0xc2, 0x8c, 0x88, 0x18, - 0x35, 0x48, 0xc7, 0x02, 0x6e, 0x2e, 0xcc, 0x8a, 0x5d, 0xc5, 0x60, 0x6b, - 0xbb, 0x36, 0x79, 0xf2, 0x49, 0xb7, 0xa2, 0xef, 0x79, 0xfe, 0x70, 0x44, - 0x1c, 0x03, 0xfe, 0x0b, 0x54, 0x10, 0x16, 0xda, 0x53, 0xae, 0xdc, 0x40, - 0xcb, 0x69, 0xa4, 0xc9, 0x52, 0xcd, 0x07, 0x5a, 0x89, 0xd5, 0x03, 0x23, - 0x80, 0xe4, 0xa1, 0xc3 - }; + 0xad, 0xb0, 0xb3, 0x34, 0x64, 0x81, 0x60, 0x91, 0xf2, 0xa9, 0x59, 0x77, + 0xc6, 0x7f, 0x08, 0x5f, 0xdc, 0x24, 0xb3, 0x78, 0x54, 0xd4, 0xdb, 0x0a, + 0x57, 0x7a, 0xe9, 0x40, 0x1e, 0x40, 0x81, 0x48, 0xd8, 0x91, 0x7d, 0x21, + 0xaa, 0x49, 0x6b, 0xb1, 0x3c, 0x60, 0xb2, 0x95, 0xcb, 0x0a, 0x94, 0x23, + 0x22, 0xa0, 0x39, 0x97, 0x98, 0x28, 0xf4, 0x6a, 0x00, 0xa4, 0xe7, 0xde, + 0xeb, 0xa2, 0xbc, 0x06, 0x52, 0x16, 0xd9, 0x7d, 0x93, 0xfd, 0x6b, 0xc1, + 0xcd, 0x87, 0xdd, 0x38, 0x3f, 0x18, 0x96, 0x3c, 0xe5, 0xcf, 0xdd, 0x71, + 0xb5, 0x1d, 0xf0, 0x80, 0x86, 0xf1, 0x41, 0x5e, 0xa5, 0x12, 0xaf, 0xae, + 0x38, 0xce, 0x16, 0xe5, 0x17, 0x14, 0x2d, 0x3a, 0xe3, 0xed, 0xd3, 0x94, + 0x96, 0x70, 0x56, 0x79, 0x46, 0x6a, 0xa9, 0xcc, 0x3f, 0xfa, 0x14, 0x07, + 0x1d, 0xc5, 0x62, 0x44, 0xfd, 0x1c, 0xa4, 0xec, 0xa5, 0xa1, 0x40, 0x5d, + 0x5f, 0x1f, 
0xc1, 0x2f, 0x3c, 0x5e, 0xca, 0xcc, 0x4b, 0x9b, 0x02, 0x1b, + 0xca, 0x72, 0x01, 0xc4, 0xea, 0x0d, 0x67, 0x00, 0x99, 0xb7, 0xbb, 0xd5, + 0x07, 0x07, 0x16, 0x4f, 0x3f, 0x39, 0x55, 0x69, 0x99, 0x0b, 0xc6, 0xe7, + 0xe3, 0x04, 0x24, 0xb3, 0x7a, 0xb0, 0x62, 0x1d, 0xb2, 0x95, 0x4e, 0x59, + 0x96, 0xb1, 0x56, 0x70, 0xdc, 0x4c, 0xe0, 0x3a, 0x14, 0x97, 0xe4, 0x04, + 0x65, 0xa4, 0xc3, 0x26, 0xf1, 0xe0, 0x65, 0xe2, 0xbf, 0xdf, 0x1a, 0x11, + 0xad, 0xba, 0x11, 0x93, 0x52, 0x27, 0x88, 0xee, 0xa0, 0x06, 0xb8, 0xb1, + 0xab, 0x29, 0x6a, 0xe1, 0xb1, 0x74, 0xc9, 0x56, 0xae, 0x95, 0x55, 0x18, + 0x02, 0x74, 0x29, 0x4c, 0xdc, 0x19, 0xcb, 0x4e, 0xef, 0xf2, 0xaa, 0xe1, + 0x26, 0x0a, 0xb1, 0xe0, 0x3c, 0x7c, 0xcf, 0x8d, 0x8a, 0x6d, 0xf4, 0x2b, + 0xa6, 0x7e, 0xea, 0x32, 0x28, 0xe9, 0xe8, 0x31, 0x98, 0x21, 0xfb, 0x06, + 0x53, 0x8c, 0x71, 0x06, 0x1b, 0x5e, 0x1d, 0x79, 0x27, 0x48, 0x16, 0x15, + 0x2a, 0x4f, 0x18, 0x8f, 0xe3, 0x97, 0x43, 0xd8, 0x6a, 0xde, 0xd0, 0xd4, + 0xe9, 0x02, 0x0d, 0x5d, 0xba, 0x05, 0x96, 0x52, 0x1e, 0x8e, 0x6a, 0x2d, + 0x50, 0x81, 0x1e, 0x6e, 0x98, 0x9a, 0xe0, 0xd3, 0x5b, 0x4d, 0x40, 0x0a, + 0x4a, 0x4c, 0x5c, 0x88, 0x31, 0x32, 0xf6, 0xf3, 0xdb, 0xd3, 0xf6, 0x51, + 0x7e, 0xcb, 0x27, 0x74, 0x59, 0x24, 0x89, 0x7f, 0xc1, 0x14, 0x1c, 0xbf, + 0xec, 0x4c, 0xdd, 0x4e, 0x87, 0x1e, 0x2d, 0x30, 0x2a, 0xe9, 0x56, 0x43, + 0xd3, 0x82, 0xca, 0xee, 0xf0, 0xde, 0xd3, 0xf1, 0xf0, 0x64, 0x67, 0x68, + 0xab, 0x18, 0x29, 0x7e, 0xee, 0xc4, 0x79, 0x6c, 0xf8, 0xa5, 0x96, 0x4f, + 0x21, 0xd5, 0x5b, 0x7b, 0x3c, 0x11, 0x17, 0x84, 0x3b, 0x1f, 0xae, 0x74, + 0xd8, 0x49, 0x63, 0x02, 0x18, 0x1e, 0xe6, 0x82, 0xd0, 0x76, 0xe7, 0x85, + 0x8b, 0x13, 0xbe, 0x61, 0x2e, 0xdb, 0xb2, 0x63, 0x5f, 0xfd, 0x51, 0xf3, + 0x96, 0x41, 0x40, 0x89, 0x0f, 0x10, 0x15, 0xc3, 0x2e, 0x3f, 0xfb, 0xdf, + 0xb0, 0xc7, 0x6e, 0x16, 0x31, 0x69, 0x12, 0x2b, 0x35, 0xf9, 0x1e, 0x1e, + 0x29, 0xc5, 0xb9, 0xc9, 0x2d, 0xc4, 0x0d, 0xc7, 0x38, 0xfb, 0x7a, 0xa4, + 0x49, 0x32, 0xb9, 0x37, 0xca, 0xfa, 0x03, 0xed, 0xd7, 0xe7, 0x11, 0xee, + 0xb1, 0x9a, 
0x82, 0x80, 0x34, 0xec, 0x39, 0x81, 0xa2, 0x95, 0x03, 0x83, + 0xf6, 0xc6, 0xf7, 0x34, 0xbc, 0xff, 0xe6, 0x8d, 0x39, 0xb7, 0x1d, 0x7f, + 0x55, 0xfe, 0x35, 0xe4, 0xe2, 0x29, 0x9c, 0x0a, 0x9e, 0xdc, 0x40, 0xb6, + 0x6d, 0xb4, 0x1f, 0x7b, 0xca, 0x34, 0x11, 0x62, 0xde, 0x03, 0x50, 0xb5, + 0x4e, 0x72, 0x0b, 0x9a, 0x1a, 0xae, 0x0d, 0x99, 0xdb, 0x0a, 0x58, 0xd0, + 0x52, 0xb6, 0x9e, 0xe1, 0xa3, 0x02, 0x27, 0x43, 0x9b, 0xdf, 0xd8, 0xc1, + 0xd4, 0xfd, 0xbe, 0xb4, 0x69, 0x1f, 0x9c, 0xbd, 0x5b, 0xb6, 0x2b, 0x47, + 0xcb, 0x0e, 0x78, 0x2b, 0xf3, 0x10, 0xe2, 0x78, 0x7b, 0x3c, 0x25, 0x5b, + 0x67, 0x70, 0x8c, 0x5c, 0x7c, 0x75, 0x1f, 0x48, 0xbb, 0x79, 0x70, 0x69, + 0xc2, 0x90, 0x49, 0x3b, 0xb8, 0x56, 0x10, 0x72, 0xea, 0x17, 0xb1, 0x45, + 0xd2, 0x6b, 0x07, 0x20, 0x9e, 0x29, 0x2f, 0xa5, 0xed, 0x76, 0xca, 0xa3, + 0x1b, 0x2d, 0x7d, 0xb4, 0x5d, 0xdb, 0x09, 0x6d, 0x44, 0xcd, 0xa1, 0x3e, + 0xcd, 0x03, 0xe3, 0x54, 0x7b, 0x52, 0x1d, 0xc3, 0x0c, 0xe2, 0x7d, 0x66, + 0xa2, 0x88, 0xb4, 0x05, 0x97, 0x01, 0x59, 0x8d, 0x0a, 0xd3, 0x8a, 0x33, + 0x13, 0x0e, 0xbc, 0x49, 0x2b, 0xa0, 0x25, 0xd9, 0x3c, 0x58, 0xe8, 0xbd, + 0x11, 0x87, 0x3b, 0x37, 0xad, 0xb1, 0xb3, 0x90, 0x66, 0xfe, 0x83, 0xea, + 0xd6, 0x45, 0xae, 0x6b, 0x04, 0xf7, 0x58, 0x47, 0x0c, 0x16, 0x3a, 0xd9, + 0x6a, 0xed, 0xa9, 0x20, 0x84, 0x20, 0xc6, 0xe9, 0xc2, 0x74, 0xef, 0xbb, + 0x85, 0x35, 0x63, 0xe1, 0xcb, 0x36, 0x60, 0xd2, 0x75, 0xf8, 0x5b, 0xb5, + 0x51, 0xa2, 0x88, 0x8a, 0x1e, 0xf0, 0x5a, 0xaf, 0x32, 0x1f, 0x65, 0xd4, + 0xeb, 0x15, 0xda, 0xdc, 0x93, 0xc7, 0x6a, 0x4b, 0x52, 0xd0, 0xc3, 0x4f, + 0x55, 0x65, 0x92, 0x82, 0x49, 0x68, 0x20, 0x0e, 0xbd, 0xe6, 0x52, 0x74, + 0x07, 0x27, 0xe0, 0xcb, 0x0a, 0x6d, 0xe0, 0x28, 0x0f, 0xcd, 0x82, 0xcd, + 0x49, 0x6a, 0x1f, 0x5b, 0xaf, 0x95, 0x65, 0x7b, 0xa3, 0xc1, 0x09, 0x1f, + 0xcc, 0x36, 0xbf, 0x7e, 0xbe, 0x77, 0xfc, 0x34, 0x88, 0x9e, 0xa4, 0x38, + 0xa0, 0x7e, 0x92, 0xac, 0xea, 0xe4, 0x53, 0xc8, 0xee, 0xd9, 0x3d, 0x9a, + 0x70, 0xe8, 0x2c, 0xa3, 0xb8, 0xd0, 0x6e, 0xc9, 0xea, 0xdb, 0x5e, 0xaf, + 0x8b, 0x49, 
0x1b, 0x66, 0x5b, 0x39, 0x03, 0xb8, 0xc8, 0x61, 0x3a, 0x24, + 0x07, 0xa6, 0xe5, 0xf3, 0x5f, 0x44, 0x67, 0x8b, 0x19, 0x35, 0x66, 0x3b, + 0xba, 0x75, 0x61, 0x09, 0x6c, 0x2e, 0x3d, 0x50, 0x2e, 0xf0, 0xf7, 0xa2, + 0x45, 0xa5, 0x22, 0x52, 0x28, 0x00, 0x16, 0xc0, 0xb7, 0x4e, 0x3b, 0x05, + 0xd9, 0x3a, 0xea, 0x24, 0xca, 0xeb, 0xa4, 0xd5, 0x95, 0xc3, 0x14, 0x34, + 0xd9, 0x9b, 0x46, 0xf5, 0xb5, 0xef, 0x4d, 0x3a, 0x3a, 0x62, 0x5e, 0xdd, + 0x7e, 0xb9, 0x5d, 0xcd, 0x27, 0xc8, 0x28, 0x94, 0x96, 0x99, 0xc5, 0xe5, + 0x67, 0xd7, 0xa8, 0x51, 0x26, 0x19, 0xe1, 0x4e, 0xcc, 0x6e, 0x1c, 0x47, + 0xca, 0x65, 0x67, 0x21, 0x1d, 0x12, 0x11, 0xfc, 0x6b, 0x94, 0x9b, 0x83, + 0x78, 0x3c, 0x7c, 0xb4, 0x17, 0x62, 0x16, 0x7b, 0xf9, 0x60, 0xe9, 0x35, + 0xfd, 0x85, 0x3e, 0x9e, 0xd3, 0xbb, 0xec, 0xcb, 0x75, 0xe8, 0xdf, 0xb4, + 0xe3, 0x5f, 0x85, 0x45, 0x66, 0xdc, 0xdb, 0x30, 0x0e, 0xb0, 0xd5, 0x1b, + 0x6c, 0x22, 0xe6, 0xeb, 0x1d, 0x85, 0x03, 0x0d, 0xaa, 0x5a, 0x2f, 0xe2, + 0xbb, 0xcc, 0x7c, 0x27, 0x45, 0x79, 0x08, 0x60, 0xad, 0x48, 0x03, 0x3d, + 0xa0, 0x38, 0x42, 0x10, 0x51, 0xd1, 0x61, 0x73, 0x9f, 0x52, 0x4b, 0xb1, + 0xc7, 0x16, 0x25, 0x06, 0x23, 0xa5, 0x7f, 0x64, 0xcb, 0x25, 0x06, 0xdf, + 0x49, 0xc6, 0x65, 0x37, 0xc2, 0xa4, 0x6c, 0xd0, 0xa6, 0x8d, 0x00, 0x17, + 0xbb, 0x33, 0xcb, 0xa4, 0xcf, 0x37, 0x35, 0x12, 0x91, 0xd2, 0x08, 0x03, + 0x37, 0x68, 0xc8, 0x67, 0x99, 0xe0, 0x16, 0xa9, 0x60, 0xe6, 0x82, 0x46, + 0x70, 0xfb, 0xff, 0x10, 0x61, 0x08, 0x7d, 0xa8, 0xfb, 0x74, 0xf9, 0x77, + 0x11, 0x02, 0x39, 0xde, 0xd4, 0x8c, 0xfc, 0x86, 0xa4, 0xfc, 0x4b, 0xae, + 0xf2, 0x20, 0xf0, 0x5a, 0xeb, 0x0c, 0xe3, 0x43, 0x57, 0xd7, 0xd3, 0x1d, + 0x20, 0x38, 0x8f, 0xaa, 0x30, 0x7f, 0x2d, 0x97, 0xf5, 0x93, 0xb9, 0xe2, + 0x87, 0x32, 0x2a, 0x9c, 0x32, 0x9e, 0x04, 0x32, 0x85, 0x22, 0xea, 0x79, + 0xaa, 0xc3, 0x1c, 0xf2, 0x76, 0x5f, 0xb3, 0x34, 0xab, 0xd9, 0xa1, 0x76, + 0x4d, 0xa3, 0x55, 0x09, 0x68, 0xfa, 0x69, 0x3c, 0xb8, 0x48, 0x52, 0x26, + 0x81, 0x70, 0x02, 0x28, 0x81, 0xcc, 0x38, 0x87, 0x45, 0xa5, 0x4a, 0x50, + 0x0f, 0xac, 
0xb2, 0xb8, 0xdf, 0x36, 0x38, 0x3e, 0x21, 0x9b, 0x99, 0x17, + 0x7c, 0x3a, 0xf5, 0x1b, 0x1e, 0x33, 0xaf, 0x78, 0x3e, 0xfe, 0xae, 0x04, + 0xa0, 0xf9, 0x84, 0x5d, 0x79, 0xaa, 0x4a, 0x4d, 0xd9, 0xdd, 0xe5, 0xca, + 0xf7, 0xd5, 0x2d, 0x77, 0x9d, 0x59, 0xd1, 0x8f, 0x0e, 0x0e, 0x2b, 0x44, + 0xb6, 0x34, 0xa5, 0xd6, 0x30, 0xbe, 0x81, 0x98, 0xad, 0x8b, 0x20, 0x12, + 0xc5, 0x2a, 0x7b, 0x89, 0xf1, 0x33, 0xf0, 0x9c, 0x3e, 0x8d, 0x21, 0xf0, + 0xad, 0x11, 0x37, 0xaf, 0x09, 0x58, 0x93, 0xb9, 0x66, 0xff, 0xc0, 0x7e, + 0x89, 0x56, 0x58, 0x5f, 0xf5, 0xc1, 0x0b, 0x12, 0x3c, 0x6a, 0x4a, 0x5c, + 0x33, 0x67, 0xd8, 0x98, 0xac, 0xb1, 0x28, 0x91, 0x5f, 0xe7, 0x10, 0xdf, + 0x75, 0xfa, 0x23, 0xb4, 0x00, 0x5c, 0xaf, 0xfe, 0xe5, 0x18, 0xc1, 0x42, + 0x04, 0x03, 0x52, 0x3f, 0x0d, 0x7e, 0xb0, 0x36, 0x96, 0xbd, 0x21, 0x28, + 0x2e, 0xb0, 0xb1, 0xc1, 0x8a, 0x68, 0xf7, 0x0f, 0x66, 0x83, 0x7a, 0x58, + 0x45, 0x31, 0x90, 0xa0, 0x6a, 0xd0, 0xf6, 0xe2, 0xc2, 0x8c, 0x88, 0x18, + 0x35, 0x48, 0xc7, 0x02, 0x6e, 0x2e, 0xcc, 0x8a, 0x5d, 0xc5, 0x60, 0x6b, + 0xbb, 0x36, 0x79, 0xf2, 0x49, 0xb7, 0xa2, 0xef, 0x79, 0xfe, 0x70, 0x44, + 0x1c, 0x03, 0xfe, 0x0b, 0x54, 0x10, 0x16, 0xda, 0x53, 0xae, 0xdc, 0x40, + 0xcb, 0x69, 0xa4, 0xc9, 0x52, 0xcd, 0x07, 0x5a, 0x89, 0xd5, 0x03, 0x23, + 0x80, 0xe4, 0xa1, 0xc3}; // https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/json-files/ML-DSA-keyGen-FIPS204/expectedResults.json#L14 const uint8_t kMLDSAKeyGenPrivateKey[MLDSA44_PRIVATE_KEY_BYTES] = { - 0xad, 0xb0, 0xb3, 0x34, 0x64, 0x81, 0x60, 0x91, 0xf2, 0xa9, 0x59, 0x77, - 0xc6, 0x7f, 0x08, 0x5f, 0xdc, 0x24, 0xb3, 0x78, 0x54, 0xd4, 0xdb, 0x0a, - 0x57, 0x7a, 0xe9, 0x40, 0x1e, 0x40, 0x81, 0x48, 0xcf, 0x19, 0x5e, 0x6d, - 0x8d, 0xd3, 0x98, 0x71, 0x3e, 0x8f, 0x31, 0x7a, 0x5c, 0xb4, 0xd4, 0xf0, - 0x0b, 0x2b, 0x41, 0xf3, 0xa9, 0x58, 0x8a, 0x8f, 0xa4, 0xb8, 0x95, 0xd8, - 0xd8, 0xd1, 0xc9, 0xa1, 0x1f, 0xb7, 0x2b, 0x86, 0xf9, 0xb4, 0xa7, 0x51, - 0x32, 0x56, 0x7b, 0xe2, 0xc4, 0x5e, 0x87, 0x3d, 0x6b, 0x5d, 0x4a, 0x8b, - 0x8c, 0x59, 0xf4, 
0x6f, 0x2d, 0xb8, 0x1b, 0x08, 0x57, 0x14, 0x4d, 0xb5, - 0x41, 0x6b, 0x07, 0x1d, 0xf2, 0xa8, 0xf7, 0x7d, 0x43, 0x7d, 0x47, 0xc3, - 0xbf, 0xe1, 0x1f, 0x16, 0xfe, 0xef, 0xe6, 0xc4, 0x70, 0xf4, 0x67, 0x62, - 0xc8, 0x81, 0xad, 0x19, 0xc0, 0x88, 0x4b, 0xb3, 0x02, 0x44, 0x26, 0x88, - 0x98, 0x69, 0x13, 0x45, 0x86, 0xd3, 0xb0, 0x41, 0xd3, 0x28, 0x46, 0x60, - 0xc2, 0x28, 0x18, 0x23, 0x02, 0x54, 0x28, 0x52, 0x03, 0x81, 0x0d, 0x04, - 0x87, 0x50, 0x20, 0x26, 0x22, 0x84, 0x12, 0x8e, 0x1c, 0x46, 0x2a, 0x20, - 0x03, 0x45, 0x48, 0x38, 0x29, 0x11, 0x90, 0x10, 0x80, 0x40, 0x50, 0x19, - 0xb3, 0x85, 0x08, 0x48, 0x48, 0xcc, 0x04, 0x90, 0x04, 0x88, 0x60, 0x89, - 0xa4, 0x89, 0x22, 0x05, 0x0a, 0x19, 0x87, 0x68, 0x51, 0x32, 0x2a, 0xa0, - 0x04, 0x41, 0x54, 0x22, 0x4e, 0xe3, 0x40, 0x29, 0x04, 0x41, 0x10, 0x02, - 0x13, 0x70, 0xdb, 0xa2, 0x69, 0xe1, 0x18, 0x72, 0xc4, 0x36, 0x26, 0x19, - 0x02, 0x66, 0x22, 0x96, 0x0d, 0x98, 0x84, 0x25, 0xc1, 0x02, 0x6e, 0x24, - 0x23, 0x31, 0x40, 0xb8, 0x70, 0x8a, 0x18, 0x09, 0x1c, 0x10, 0x68, 0x4c, - 0x12, 0x02, 0x09, 0xb7, 0x28, 0x59, 0x84, 0x0c, 0x01, 0x86, 0x4d, 0xc0, - 0x42, 0x62, 0xda, 0x84, 0x6d, 0x09, 0x26, 0x70, 0x8c, 0x16, 0x6e, 0xe2, - 0x44, 0x25, 0x51, 0x38, 0x68, 0xc2, 0x84, 0x25, 0x08, 0x39, 0x91, 0x90, - 0x88, 0x04, 0xa3, 0x46, 0x66, 0x03, 0x11, 0x02, 0x02, 0xc8, 0x64, 0x02, - 0x49, 0x24, 0x50, 0x92, 0x29, 0x20, 0x95, 0x81, 0xe4, 0x48, 0x61, 0x8c, - 0x48, 0x08, 0xe3, 0x18, 0x2d, 0x1c, 0xb8, 0x29, 0x42, 0xa2, 0x6c, 0x14, - 0xa2, 0x45, 0x48, 0x10, 0x71, 0x0b, 0x15, 0x44, 0x22, 0x48, 0x84, 0x58, - 0x42, 0x20, 0x18, 0x97, 0x69, 0x0a, 0xb5, 0x30, 0xd3, 0x30, 0x0c, 0xdc, - 0x20, 0x2c, 0x61, 0x36, 0x02, 0x14, 0x33, 0x8e, 0xe4, 0x88, 0x24, 0x13, - 0xb0, 0x44, 0x01, 0x06, 0x28, 0x13, 0x32, 0x4c, 0x13, 0x35, 0x4d, 0xc9, - 0xa8, 0x8d, 0xd0, 0x32, 0x2d, 0x0a, 0x11, 0x72, 0x0a, 0x24, 0x50, 0xc2, - 0x80, 0x49, 0x0a, 0xa7, 0x10, 0x23, 0x23, 0x6e, 0xdb, 0xb4, 0x41, 0xc8, - 0x96, 0x6c, 0x49, 0x44, 0x21, 0x18, 0x10, 0x20, 0x09, 0x28, 0x69, 0x64, - 0x18, 0x09, 0x18, 
0x37, 0x6c, 0xc0, 0x12, 0x6e, 0xa2, 0x80, 0x8c, 0x0b, - 0x15, 0x80, 0x4b, 0xb6, 0x6c, 0x14, 0xb2, 0x41, 0x43, 0xa0, 0x84, 0x5c, - 0x38, 0x50, 0x03, 0x02, 0x8e, 0xa1, 0xc8, 0x0d, 0x1a, 0x12, 0x0e, 0x9a, - 0x20, 0x84, 0x00, 0x33, 0x01, 0x90, 0xa2, 0x05, 0x08, 0x15, 0x00, 0x02, - 0xa2, 0x11, 0x90, 0x48, 0x06, 0x19, 0x04, 0x08, 0xc3, 0x98, 0x91, 0x1c, - 0xb8, 0x00, 0x8a, 0x42, 0x65, 0xe2, 0x48, 0x40, 0x01, 0xa0, 0x01, 0x62, - 0x22, 0x84, 0x1b, 0x32, 0x28, 0x08, 0x38, 0x24, 0x09, 0x45, 0x6e, 0x03, - 0x35, 0x11, 0x14, 0x95, 0x80, 0xa1, 0x20, 0x51, 0x51, 0x34, 0x72, 0x03, - 0x92, 0x05, 0x61, 0x32, 0x71, 0xc1, 0x44, 0x02, 0xc4, 0x00, 0x90, 0x09, - 0x15, 0x8e, 0x48, 0xa0, 0x88, 0x00, 0xb8, 0x71, 0x52, 0xb0, 0x29, 0x02, - 0x28, 0x2e, 0x52, 0x96, 0x89, 0x1a, 0x21, 0x0d, 0x11, 0xa2, 0x2d, 0x64, - 0x26, 0x71, 0x8c, 0x00, 0x12, 0xc0, 0x26, 0x62, 0xe0, 0x30, 0x11, 0x98, - 0x36, 0x44, 0x61, 0xc2, 0x4c, 0x04, 0x30, 0x6c, 0xe0, 0x18, 0x4e, 0x0c, - 0xc2, 0x25, 0x9a, 0x30, 0x22, 0xe4, 0x88, 0x24, 0xd2, 0xc8, 0x60, 0xca, - 0xb8, 0x8c, 0x12, 0x46, 0x04, 0x64, 0x36, 0x6e, 0x18, 0xc8, 0x2d, 0x5b, - 0x34, 0x89, 0x8a, 0x22, 0x6a, 0x11, 0xb0, 0x30, 0x13, 0x84, 0x81, 0x04, - 0x11, 0x31, 0x62, 0xb4, 0x09, 0xe4, 0x22, 0x2c, 0x4b, 0x20, 0x2d, 0x0a, - 0x03, 0x70, 0xda, 0xc2, 0x61, 0xe1, 0x30, 0x8a, 0x9c, 0x96, 0x88, 0x03, - 0x45, 0x6e, 0x41, 0x24, 0x0d, 0x5c, 0x04, 0x00, 0x4c, 0x32, 0x4a, 0xe0, - 0x12, 0x4a, 0x1c, 0x25, 0x0a, 0x84, 0x36, 0x48, 0x90, 0x98, 0x2c, 0xc2, - 0xb4, 0x44, 0xc3, 0x48, 0x52, 0xcb, 0x96, 0x08, 0x54, 0x34, 0x28, 0x23, - 0x25, 0x26, 0x24, 0xb9, 0x51, 0x18, 0x37, 0x70, 0xe2, 0xc8, 0x64, 0x18, - 0xc6, 0x28, 0xc0, 0x42, 0x8d, 0xd9, 0xa6, 0x08, 0xa3, 0x30, 0x0e, 0x00, - 0xb4, 0x61, 0xca, 0xc2, 0x00, 0x4a, 0x32, 0x24, 0xcc, 0xc4, 0x2c, 0xd1, - 0x24, 0x46, 0x14, 0x10, 0x82, 0x09, 0xb2, 0x09, 0x89, 0x32, 0x28, 0x54, - 0x12, 0x66, 0x58, 0xc8, 0x69, 0xc2, 0x26, 0x49, 0x60, 0x96, 0x01, 0xd9, - 0x34, 0x60, 0x10, 0xc0, 0x51, 0x59, 0x44, 0x2c, 0x81, 0xc2, 0x69, 0x03, - 0x00, 0x8d, 0x9b, 
0xc6, 0x40, 0x64, 0x40, 0x2e, 0xd8, 0x44, 0x0a, 0xe3, - 0x14, 0x25, 0xd3, 0x42, 0x32, 0x43, 0x22, 0x46, 0x09, 0xa2, 0x69, 0x94, - 0x24, 0x88, 0x8a, 0xc4, 0x8d, 0x04, 0x41, 0x11, 0x5b, 0x94, 0x11, 0x1c, - 0x33, 0x86, 0xa4, 0xa4, 0x61, 0x1a, 0xb5, 0x4c, 0x91, 0x22, 0x0e, 0x22, - 0xb6, 0x64, 0x22, 0x97, 0x68, 0x43, 0x38, 0x2e, 0xe1, 0xb4, 0x11, 0x63, - 0x90, 0x85, 0x52, 0xc0, 0x28, 0xe4, 0x44, 0x29, 0x5a, 0x26, 0x66, 0x01, - 0x06, 0x25, 0x80, 0x46, 0x61, 0x04, 0xa4, 0x2c, 0x94, 0x04, 0x52, 0x10, - 0x08, 0x24, 0x01, 0x05, 0x0d, 0x18, 0x24, 0x26, 0x18, 0x30, 0x84, 0x4b, - 0x04, 0x2d, 0xa0, 0xb4, 0x00, 0xd4, 0xb4, 0x90, 0xc3, 0x08, 0x46, 0x22, - 0xb1, 0x31, 0x14, 0x49, 0x71, 0xd3, 0x34, 0x61, 0x48, 0x02, 0x65, 0x00, - 0xa1, 0x20, 0x04, 0x44, 0x85, 0x11, 0x01, 0x4d, 0x84, 0xc2, 0x30, 0x61, - 0xc2, 0x89, 0x03, 0x46, 0x00, 0x22, 0xb2, 0x45, 0x93, 0xa0, 0x2d, 0x18, - 0x46, 0x48, 0x0b, 0x34, 0x88, 0x5c, 0xa2, 0x84, 0xc8, 0xa0, 0x64, 0x88, - 0xa4, 0x80, 0x12, 0x98, 0x21, 0x1b, 0x49, 0x6a, 0xd8, 0x33, 0x5f, 0xa7, - 0x9b, 0xf4, 0xec, 0x5f, 0xea, 0x39, 0xf1, 0xac, 0x7b, 0x7c, 0x58, 0x54, - 0xf0, 0xfb, 0x19, 0x85, 0xf4, 0x3d, 0x70, 0x7f, 0x56, 0x7c, 0xe1, 0x23, - 0x29, 0xe4, 0x3a, 0xbd, 0xaa, 0x9e, 0xd4, 0xc4, 0xb3, 0x9b, 0x63, 0x20, - 0xca, 0x70, 0xeb, 0xa0, 0x9a, 0x15, 0x97, 0x71, 0x7b, 0x72, 0xed, 0x5b, - 0x0a, 0xef, 0xd4, 0x6b, 0x7c, 0x5c, 0xbd, 0x56, 0xd8, 0x1c, 0x3a, 0x7a, - 0x6a, 0x9d, 0x35, 0xef, 0x4e, 0x5b, 0x87, 0xa9, 0xfb, 0xfd, 0x9b, 0x38, - 0x4c, 0x6b, 0x7f, 0x43, 0xec, 0x29, 0x63, 0x72, 0x37, 0x9b, 0x97, 0x05, - 0x78, 0x8b, 0xc7, 0xaa, 0x36, 0x68, 0x85, 0x96, 0xa8, 0x56, 0xc0, 0x24, - 0xfa, 0xb2, 0x40, 0x91, 0xf1, 0xb2, 0xad, 0x8d, 0xf6, 0x4f, 0xba, 0xba, - 0xc1, 0x8e, 0xff, 0x62, 0x61, 0xa9, 0x1b, 0x45, 0x48, 0x96, 0xd2, 0x3c, - 0xeb, 0x52, 0xef, 0x22, 0xd9, 0x3f, 0x2b, 0xf6, 0xd6, 0xec, 0x40, 0xce, - 0xe7, 0xfc, 0x83, 0x12, 0xd7, 0x87, 0xac, 0x9d, 0x45, 0xc6, 0xb2, 0xc1, - 0xc5, 0x2f, 0xdd, 0xea, 0x9a, 0x40, 0xdb, 0x0a, 0xf6, 0x32, 0x79, 0x2e, - 0x19, 0xe9, 0x8e, 
0x04, 0xec, 0x44, 0x23, 0x52, 0xc9, 0x88, 0xac, 0x86, - 0xe1, 0xbb, 0x7d, 0x3f, 0x63, 0xa4, 0x12, 0xf9, 0xc7, 0xea, 0xb1, 0x74, - 0x63, 0xd1, 0x16, 0x31, 0x5d, 0x16, 0x07, 0x4c, 0x8e, 0x6c, 0xe0, 0x13, - 0x20, 0x03, 0x5b, 0x0a, 0x63, 0x51, 0x18, 0x6f, 0x3c, 0x7e, 0x17, 0xe0, - 0x91, 0x37, 0xce, 0x76, 0x3a, 0xd7, 0xc7, 0xbe, 0x49, 0x54, 0x1b, 0x74, - 0x05, 0xbb, 0xb8, 0xc7, 0x02, 0x6a, 0x5f, 0xa9, 0x77, 0xba, 0xe1, 0xb6, - 0x5b, 0x94, 0x86, 0x9e, 0xfe, 0xf0, 0x1b, 0x77, 0xcf, 0x17, 0x3e, 0x46, - 0x9a, 0x30, 0xda, 0x18, 0x2b, 0xd7, 0x66, 0x2a, 0xf0, 0x48, 0x18, 0xbd, - 0x62, 0x35, 0x24, 0xd5, 0x60, 0x0f, 0x23, 0xfd, 0x58, 0x68, 0xfa, 0x42, - 0xa4, 0x5f, 0x39, 0x67, 0x2e, 0x40, 0x1e, 0x2c, 0xf3, 0x36, 0xf4, 0x13, - 0x22, 0xf8, 0x23, 0x68, 0x4e, 0x6b, 0x87, 0x99, 0xb5, 0x5f, 0xb9, 0x6e, - 0xf9, 0x2f, 0x41, 0x0e, 0x23, 0xdd, 0xa7, 0x72, 0x48, 0xde, 0x65, 0x9f, - 0x70, 0x32, 0x28, 0xf9, 0x9c, 0x8a, 0xdf, 0x04, 0x52, 0x3c, 0x88, 0x10, - 0x57, 0x34, 0x49, 0x54, 0xa8, 0x1f, 0xdb, 0xae, 0x00, 0x0f, 0xae, 0x48, - 0x4c, 0xd8, 0x96, 0xc4, 0xe6, 0x54, 0x3c, 0xae, 0x00, 0x5a, 0x0e, 0x3d, - 0xf5, 0x1e, 0x37, 0xc0, 0x40, 0x1d, 0x10, 0x6e, 0x50, 0xdb, 0xa1, 0x41, - 0x68, 0xb5, 0x49, 0x6a, 0x3d, 0x6d, 0xaa, 0xb2, 0xe0, 0x10, 0xc2, 0xdc, - 0xe2, 0x15, 0x55, 0x3d, 0x10, 0x34, 0x7a, 0x95, 0x81, 0x98, 0x8d, 0x9e, - 0xdc, 0x25, 0x83, 0xfc, 0x10, 0x35, 0x0e, 0xc5, 0xef, 0x05, 0x18, 0xb3, - 0xfa, 0x9b, 0x54, 0x70, 0x2d, 0x93, 0xf2, 0xa9, 0x38, 0x06, 0x97, 0xe4, - 0x26, 0xc2, 0xa0, 0x17, 0xc1, 0xdb, 0xed, 0x69, 0x25, 0xc4, 0x4a, 0x77, - 0x50, 0x99, 0x95, 0xfe, 0x39, 0x0c, 0xab, 0xf2, 0x13, 0xd0, 0x13, 0xf2, - 0xcb, 0x9e, 0xbd, 0x9e, 0x09, 0xf9, 0xa0, 0x94, 0x98, 0x03, 0xde, 0x28, - 0x5c, 0x9c, 0x2e, 0x6a, 0x02, 0xcf, 0xfe, 0x7a, 0xea, 0xf0, 0x13, 0xea, - 0xab, 0x9b, 0x4e, 0x82, 0xe5, 0xd7, 0x5b, 0xbf, 0x8e, 0x0b, 0x84, 0x74, - 0xff, 0x63, 0xb2, 0xe7, 0xbe, 0xc2, 0xf1, 0xaa, 0x54, 0xef, 0xa0, 0xc1, - 0x94, 0xb6, 0x8f, 0xd4, 0x92, 0x46, 0x36, 0xd0, 0xe1, 0x88, 0xa3, 0x1e, - 0x32, 0xa4, 0x26, 
0x5b, 0x24, 0x8f, 0xc9, 0x52, 0x5e, 0xd9, 0x46, 0x2f, - 0x9b, 0xf0, 0x4b, 0x86, 0xb4, 0x43, 0xbf, 0x5f, 0x86, 0xae, 0x66, 0x64, - 0x7e, 0x46, 0x36, 0x46, 0xd0, 0x2d, 0x0d, 0x8c, 0xe2, 0x01, 0xe0, 0xc2, - 0xce, 0x4a, 0x36, 0x23, 0xd0, 0xd1, 0x93, 0xa6, 0x64, 0x46, 0x34, 0xfe, - 0xba, 0x47, 0xa8, 0x55, 0x98, 0x9f, 0xcc, 0x8f, 0x3d, 0xcb, 0x81, 0xc5, - 0xf0, 0x5d, 0x9a, 0x0f, 0xe2, 0xe0, 0xe4, 0xdc, 0x09, 0x4a, 0x62, 0x1f, - 0x9f, 0xf4, 0x3f, 0x1f, 0x3e, 0x9a, 0x8f, 0x98, 0xcf, 0xd4, 0xe3, 0xc2, - 0x2f, 0x5f, 0xd7, 0xa0, 0xdc, 0x78, 0x8a, 0x13, 0x2e, 0x6f, 0x03, 0x42, - 0x7d, 0x29, 0x1e, 0xf9, 0xd6, 0x8a, 0xf3, 0xf3, 0xb6, 0x69, 0xa7, 0x65, - 0x63, 0x2d, 0xac, 0x5a, 0xa3, 0x8d, 0x57, 0x35, 0xca, 0x37, 0x0d, 0x4e, - 0xbc, 0xa8, 0xf0, 0x6f, 0x0f, 0x59, 0xd6, 0xc0, 0xd7, 0x49, 0x7d, 0x95, - 0x1f, 0x96, 0x68, 0xb5, 0x34, 0x03, 0x7b, 0x02, 0x7f, 0xa5, 0xa2, 0xfc, - 0x46, 0xdf, 0x7a, 0xf2, 0x3b, 0xe5, 0x61, 0x6d, 0xb2, 0x0a, 0xba, 0xce, - 0x02, 0xea, 0x19, 0xbe, 0x4b, 0x5d, 0xe6, 0x4e, 0x09, 0xa7, 0x1a, 0x7f, - 0x90, 0x72, 0x6e, 0x38, 0xb5, 0xa9, 0x68, 0xd7, 0xe5, 0x1f, 0x15, 0x46, - 0x6d, 0xa0, 0xaa, 0xc9, 0xb7, 0x4c, 0xd5, 0x0c, 0x54, 0x38, 0x19, 0xd0, - 0xce, 0xbe, 0x87, 0x98, 0x64, 0xd1, 0x45, 0x9e, 0x48, 0x08, 0x14, 0x5f, - 0x5f, 0x29, 0x52, 0x10, 0x16, 0xbb, 0x62, 0xb0, 0x5d, 0x8f, 0x71, 0x7b, - 0x12, 0x50, 0xcc, 0xef, 0x8a, 0x4c, 0x02, 0x96, 0x29, 0x2a, 0x86, 0x62, - 0x49, 0x9d, 0x94, 0xf7, 0xc3, 0xff, 0x83, 0xd7, 0xe1, 0x7d, 0x8d, 0x14, - 0x18, 0xec, 0x3f, 0x68, 0x43, 0xeb, 0xcb, 0xeb, 0xb9, 0x60, 0xf9, 0xf6, - 0x61, 0xe4, 0x56, 0xda, 0xdc, 0x48, 0x43, 0x72, 0x9d, 0x3f, 0xb3, 0x96, - 0xd8, 0xe8, 0x4e, 0xe1, 0x24, 0x56, 0x72, 0x32, 0x1e, 0x4d, 0x4c, 0x59, - 0x45, 0x4b, 0x53, 0x08, 0x44, 0x39, 0xd7, 0x66, 0x20, 0x42, 0xec, 0x1b, - 0xd2, 0x93, 0x05, 0x2e, 0x6a, 0x44, 0x46, 0x1b, 0xd3, 0x53, 0xcf, 0x32, - 0xa4, 0xb9, 0xfd, 0x4e, 0x95, 0x43, 0x45, 0x54, 0xce, 0xa0, 0x92, 0x2c, - 0xf0, 0xd5, 0x0b, 0x5f, 0x71, 0x8d, 0xe7, 0xb2, 0xf0, 0x1d, 0xe1, 0x89, - 0xef, 0xb8, 0x35, 
0xf4, 0xb2, 0x9a, 0xb6, 0x2b, 0x99, 0xdc, 0x76, 0xcc, - 0xbe, 0xc2, 0x02, 0xa4, 0x82, 0x0d, 0xf9, 0x2a, 0x82, 0x03, 0x13, 0x87, - 0x9f, 0x8a, 0xf1, 0x9b, 0xfe, 0xe5, 0xb4, 0x57, 0xbf, 0x29, 0x87, 0xbe, - 0x48, 0x6c, 0xf3, 0xe8, 0x19, 0xa4, 0xfc, 0xe6, 0x7e, 0x64, 0xc6, 0xab, - 0xb4, 0xdd, 0x98, 0x11, 0xa5, 0xbd, 0x82, 0xbe, 0x73, 0x27, 0x43, 0xc5, - 0x2b, 0x1f, 0x84, 0xaf, 0x1b, 0x44, 0x14, 0x5c, 0x68, 0xa9, 0x6a, 0x06, - 0xed, 0xf5, 0xcf, 0xb7, 0xad, 0xc5, 0xbe, 0xc5, 0x5e, 0x60, 0xf6, 0x87, - 0x0b, 0xd1, 0x0d, 0xff, 0x60, 0x3b, 0x10, 0xe3, 0xf4, 0x54, 0xc0, 0xc9, - 0x7f, 0xb3, 0x37, 0xb1, 0x2c, 0x5d, 0xe0, 0x69, 0x38, 0xf6, 0x5d, 0x46, - 0x53, 0xf7, 0xd1, 0xed, 0xdd, 0x28, 0x1e, 0x4d, 0xdb, 0x1b, 0x7a, 0x5e, - 0x47, 0x53, 0x77, 0x69, 0x85, 0xee, 0x72, 0x15, 0x17, 0x62, 0x08, 0xb5, - 0x1c, 0x1d, 0x01, 0x38, 0xaf, 0x1d, 0x6a, 0x53, 0x54, 0x1f, 0x31, 0x29, - 0x51, 0x21, 0xaf, 0x68, 0x2d, 0x6f, 0xc0, 0x9f, 0x33, 0x5b, 0x88, 0x10, - 0x84, 0x07, 0xad, 0x78, 0x20, 0x94, 0xa7, 0xab, 0xc6, 0x64, 0xae, 0x1c, - 0x6b, 0x98, 0x1b, 0xf5, 0xd6, 0x46, 0xa0, 0xcb, 0xee, 0xaa, 0xa1, 0x7b, - 0x23, 0x53, 0xca, 0xf3, 0x1e, 0x4e, 0x1c, 0x72, 0x6e, 0x34, 0x0f, 0xf4, - 0x1c, 0xfc, 0x9e, 0x04, 0xbc, 0x77, 0x0a, 0xb7, 0xcc, 0x2e, 0xb0, 0x7f, - 0x01, 0x0b, 0x42, 0x98, 0x29, 0x2e, 0xfe, 0xac, 0xa1, 0x93, 0x34, 0x7c, - 0xd0, 0xbf, 0x18, 0x37, 0x04, 0x74, 0xd0, 0xdc, 0xd9, 0x5f, 0x5e, 0xb4, - 0x5e, 0x6a, 0xfd, 0x49, 0x36, 0xf8, 0x25, 0x1a, 0x1b, 0x19, 0x52, 0x1e, - 0xd7, 0xb2, 0x26, 0x79, 0xb5, 0x3c, 0x33, 0x1f, 0xa1, 0x48, 0x50, 0xd8, - 0x77, 0xaa, 0x12, 0xbe, 0xbc, 0x68, 0x90, 0x3f, 0x8c, 0x17, 0xc4, 0x6f, - 0x75, 0x47, 0x03, 0x8d, 0x22, 0xcd, 0xa0, 0xd6, 0x0c, 0x91, 0x2f, 0xb9, - 0xdc, 0xb0, 0xe4, 0xe8, 0xfb, 0x65, 0x6b, 0x90, 0xc4, 0x1f, 0x38, 0x20, - 0xb9, 0x09, 0x38, 0x26, 0xb0, 0x90, 0x41, 0x31, 0x85, 0x93, 0x4d, 0xbc, - 0x92, 0xfa, 0x2d, 0x20, 0x9f, 0x96, 0xbc, 0x58, 0xb1, 0x00, 0x86, 0x8c, - 0x24, 0xf8, 0x84, 0x5c, 0xb3, 0x2f, 0x28, 0x87, 0xee, 0x58, 0x26, 0xf6, - 0xb8, 0x8b, 0x47, 
0xe6, 0x2b, 0x55, 0xe5, 0x39, 0x89, 0xaf, 0x38, 0x5c, - 0x1d, 0xc0, 0x68, 0x15, 0xa4, 0xf3, 0xe7, 0x3c, 0x69, 0x56, 0x94, 0xb7, - 0x64, 0x16, 0x64, 0x56, 0xe4, 0x6b, 0x4c, 0x05, 0x0a, 0x61, 0x22, 0x9a, - 0x87, 0xb3, 0x3d, 0xba, 0x7e, 0x56, 0xca, 0x77, 0xd8, 0x52, 0xcc, 0x58, - 0xba, 0xd1, 0x01, 0x08, 0x5a, 0x58, 0xc5, 0x58, 0x89, 0xa6, 0x1c, 0x09, - 0xb7, 0x5b, 0xcc, 0xd4, 0x2c, 0x80, 0x63, 0xc7, 0xaa, 0xc1, 0x32, 0x5c, - 0x9f, 0xca, 0x8f, 0x6e, 0xe4, 0x67, 0x3b, 0x08, 0x56, 0xc3, 0x3a, 0xa6, - 0x8c, 0x0e, 0x76, 0x9e, 0xbc, 0xaa, 0xc4, 0x70, 0x87, 0xd6, 0x21, 0x17, - 0xc0, 0xf5, 0xd1, 0xca, 0xd2, 0x16, 0xfe, 0x1d, 0x6c, 0xa3, 0xc4, 0x6d, - 0x94, 0xc1, 0x3e, 0xef, 0xb8, 0x11, 0x16, 0xe2, 0xa4, 0x94, 0x32, 0x4f, - 0xaf, 0x22, 0x3a, 0xba, 0x50, 0x38, 0x04, 0xc7, 0x36, 0x8c, 0xcd, 0xfc, - 0x94, 0x2e, 0x13, 0x09, 0xca, 0x8c, 0xf5, 0x5e, 0x4d, 0x3f, 0x77, 0xf9, - 0xa6, 0x5d, 0x84, 0x6a, 0x00, 0x3d, 0xd7, 0x9e, 0x91, 0xa3, 0x6f, 0x9a, - 0x86, 0xbe, 0xda, 0x5c, 0xac, 0xf6, 0xf8, 0xa8, 0xd3, 0x58, 0x26, 0xd3, - 0xab, 0x6e, 0x93, 0xd8, 0x6f, 0xab, 0xac, 0x91, 0x4e, 0x84, 0x00, 0x6d, - 0x62, 0x38, 0xa9, 0x9b, 0xde, 0xfb, 0xff, 0x93, 0x90, 0xa4, 0x55, 0xac, - 0xd8, 0x68, 0x11, 0x41, 0xb4, 0xa6, 0xea, 0x64, 0x41, 0xe6, 0x2e, 0x43, - 0x6c, 0xbb, 0x65, 0xbb, 0x10, 0x30, 0xab, 0xf3, 0xc5, 0x9e, 0xd1, 0x42, - 0xe2, 0xe2, 0x25, 0x44, 0x69, 0x3e, 0xb3, 0x4b, 0xbf, 0x0b, 0x12, 0xef, - 0xbf, 0x01, 0xbf, 0x65, 0x60, 0xf1, 0xa5, 0x59, 0xd2, 0xca, 0x9f, 0xdb, - 0x9d, 0x8c, 0x96, 0xff, 0x42, 0x1c, 0xc1, 0xcf, 0x34, 0xb4, 0xfb, 0xdc, - 0x85, 0xe8, 0xbb, 0x04, 0x53, 0xdd, 0x66, 0x78, 0xac, 0xf4, 0x00, 0xc3, - 0x1b, 0x3b, 0x40, 0xa2, 0xd8, 0xbd, 0x86, 0x39, 0xba, 0xbc, 0x12, 0xab, - 0xf9, 0xa3, 0x36, 0x59, 0x59, 0xf4, 0x6b, 0x8e, 0xf0, 0x66, 0x68, 0xf3, - 0x62, 0xc7, 0xea, 0xfa, 0x89, 0xc6, 0xc2, 0xc5, 0x25, 0xc7, 0xe9, 0xe5, - 0x84, 0x0b, 0x45, 0x26, 0xfd, 0x1f, 0xe9, 0x57, 0x5b, 0x3a, 0x44, 0x19, - 0x5f, 0x5d, 0xd3, 0x17, 0x92, 0x49, 0x0e, 0x76, 0xe2, 0x54, 0xc6, 0x13, - 0x1a, 0x98, 0xdd, 
0x77, 0xf8, 0xd6, 0xac, 0x74, 0x9a, 0xc8, 0x2a, 0x98, - 0x38, 0x2a, 0x48, 0x82, 0xc4, 0x2a, 0xd7, 0xc6, 0x3d, 0xf2, 0x20, 0xda, - 0x0f, 0xbc, 0x46, 0x81, 0x5a, 0x21, 0xc4, 0x9f, 0x2a, 0xd1, 0x43, 0xb7, - 0x6f, 0x78, 0x9e, 0x02, 0xb6, 0x38, 0x21, 0x00, 0xde, 0xab, 0xdc, 0xcd, - 0xef, 0xc6, 0xe7, 0x4b, 0x87, 0x72, 0x4b, 0x95, 0x82, 0xde, 0xeb, 0x98, - 0xe2, 0xda, 0x6f, 0x31, 0x62, 0xd2, 0xd5, 0x68, 0xf3, 0x73, 0xc8, 0x7e, - 0x7b, 0x38, 0xf8, 0x58, 0xb7, 0x12, 0x19, 0x52, 0xd7, 0x8b, 0xb0, 0xc5, - 0x9a, 0x18, 0xd7, 0x60, 0x32, 0xd8, 0x28, 0x22, 0x15, 0x63, 0x4f, 0x73, - 0x1c, 0x86, 0x7f, 0x8a, 0xbd, 0xd1, 0x20, 0x03, 0xbd, 0x4c, 0xc1, 0xdc, - 0x75, 0x72, 0x78, 0x5a, 0xf6, 0x15, 0x35, 0xed, 0xad, 0x9e, 0x4f, 0x25, - 0x76, 0x9a, 0x40, 0xe3, 0x91, 0x7b, 0x27, 0x26, 0x59, 0xd1, 0x34, 0x8a, - 0xb8, 0xe6, 0x12, 0x42, 0xed, 0x8b, 0x97, 0xd5, 0x11, 0xd5, 0x79, 0x15, - 0xe5, 0x83, 0x67, 0x13, 0x69, 0xb6, 0x08, 0x8b, 0x4b, 0x4f, 0x88, 0x23, - 0xf6, 0x10, 0xd1, 0xb5, 0xc1, 0x57, 0x8e, 0x3f, 0xf4, 0x5d, 0xab, 0x7c, - 0xc4, 0x7d, 0x58, 0x9a, 0x68, 0x0a, 0x1d, 0xe6, 0x0a, 0xb9, 0xb5, 0x1f, - 0x1a, 0x53, 0x1f, 0xba, 0x56, 0xed, 0x21, 0xb3, 0xb5, 0xee, 0xee, 0x4f, - 0x75, 0x35, 0xf3, 0x06, 0xd5, 0x83, 0x23, 0x68, 0x7e, 0x20, 0x36, 0x14, - 0xdc, 0x64, 0xa6, 0x89 - }; + 0xad, 0xb0, 0xb3, 0x34, 0x64, 0x81, 0x60, 0x91, 0xf2, 0xa9, 0x59, 0x77, + 0xc6, 0x7f, 0x08, 0x5f, 0xdc, 0x24, 0xb3, 0x78, 0x54, 0xd4, 0xdb, 0x0a, + 0x57, 0x7a, 0xe9, 0x40, 0x1e, 0x40, 0x81, 0x48, 0xcf, 0x19, 0x5e, 0x6d, + 0x8d, 0xd3, 0x98, 0x71, 0x3e, 0x8f, 0x31, 0x7a, 0x5c, 0xb4, 0xd4, 0xf0, + 0x0b, 0x2b, 0x41, 0xf3, 0xa9, 0x58, 0x8a, 0x8f, 0xa4, 0xb8, 0x95, 0xd8, + 0xd8, 0xd1, 0xc9, 0xa1, 0x1f, 0xb7, 0x2b, 0x86, 0xf9, 0xb4, 0xa7, 0x51, + 0x32, 0x56, 0x7b, 0xe2, 0xc4, 0x5e, 0x87, 0x3d, 0x6b, 0x5d, 0x4a, 0x8b, + 0x8c, 0x59, 0xf4, 0x6f, 0x2d, 0xb8, 0x1b, 0x08, 0x57, 0x14, 0x4d, 0xb5, + 0x41, 0x6b, 0x07, 0x1d, 0xf2, 0xa8, 0xf7, 0x7d, 0x43, 0x7d, 0x47, 0xc3, + 0xbf, 0xe1, 0x1f, 0x16, 0xfe, 0xef, 0xe6, 0xc4, 0x70, 0xf4, 
0x67, 0x62, + 0xc8, 0x81, 0xad, 0x19, 0xc0, 0x88, 0x4b, 0xb3, 0x02, 0x44, 0x26, 0x88, + 0x98, 0x69, 0x13, 0x45, 0x86, 0xd3, 0xb0, 0x41, 0xd3, 0x28, 0x46, 0x60, + 0xc2, 0x28, 0x18, 0x23, 0x02, 0x54, 0x28, 0x52, 0x03, 0x81, 0x0d, 0x04, + 0x87, 0x50, 0x20, 0x26, 0x22, 0x84, 0x12, 0x8e, 0x1c, 0x46, 0x2a, 0x20, + 0x03, 0x45, 0x48, 0x38, 0x29, 0x11, 0x90, 0x10, 0x80, 0x40, 0x50, 0x19, + 0xb3, 0x85, 0x08, 0x48, 0x48, 0xcc, 0x04, 0x90, 0x04, 0x88, 0x60, 0x89, + 0xa4, 0x89, 0x22, 0x05, 0x0a, 0x19, 0x87, 0x68, 0x51, 0x32, 0x2a, 0xa0, + 0x04, 0x41, 0x54, 0x22, 0x4e, 0xe3, 0x40, 0x29, 0x04, 0x41, 0x10, 0x02, + 0x13, 0x70, 0xdb, 0xa2, 0x69, 0xe1, 0x18, 0x72, 0xc4, 0x36, 0x26, 0x19, + 0x02, 0x66, 0x22, 0x96, 0x0d, 0x98, 0x84, 0x25, 0xc1, 0x02, 0x6e, 0x24, + 0x23, 0x31, 0x40, 0xb8, 0x70, 0x8a, 0x18, 0x09, 0x1c, 0x10, 0x68, 0x4c, + 0x12, 0x02, 0x09, 0xb7, 0x28, 0x59, 0x84, 0x0c, 0x01, 0x86, 0x4d, 0xc0, + 0x42, 0x62, 0xda, 0x84, 0x6d, 0x09, 0x26, 0x70, 0x8c, 0x16, 0x6e, 0xe2, + 0x44, 0x25, 0x51, 0x38, 0x68, 0xc2, 0x84, 0x25, 0x08, 0x39, 0x91, 0x90, + 0x88, 0x04, 0xa3, 0x46, 0x66, 0x03, 0x11, 0x02, 0x02, 0xc8, 0x64, 0x02, + 0x49, 0x24, 0x50, 0x92, 0x29, 0x20, 0x95, 0x81, 0xe4, 0x48, 0x61, 0x8c, + 0x48, 0x08, 0xe3, 0x18, 0x2d, 0x1c, 0xb8, 0x29, 0x42, 0xa2, 0x6c, 0x14, + 0xa2, 0x45, 0x48, 0x10, 0x71, 0x0b, 0x15, 0x44, 0x22, 0x48, 0x84, 0x58, + 0x42, 0x20, 0x18, 0x97, 0x69, 0x0a, 0xb5, 0x30, 0xd3, 0x30, 0x0c, 0xdc, + 0x20, 0x2c, 0x61, 0x36, 0x02, 0x14, 0x33, 0x8e, 0xe4, 0x88, 0x24, 0x13, + 0xb0, 0x44, 0x01, 0x06, 0x28, 0x13, 0x32, 0x4c, 0x13, 0x35, 0x4d, 0xc9, + 0xa8, 0x8d, 0xd0, 0x32, 0x2d, 0x0a, 0x11, 0x72, 0x0a, 0x24, 0x50, 0xc2, + 0x80, 0x49, 0x0a, 0xa7, 0x10, 0x23, 0x23, 0x6e, 0xdb, 0xb4, 0x41, 0xc8, + 0x96, 0x6c, 0x49, 0x44, 0x21, 0x18, 0x10, 0x20, 0x09, 0x28, 0x69, 0x64, + 0x18, 0x09, 0x18, 0x37, 0x6c, 0xc0, 0x12, 0x6e, 0xa2, 0x80, 0x8c, 0x0b, + 0x15, 0x80, 0x4b, 0xb6, 0x6c, 0x14, 0xb2, 0x41, 0x43, 0xa0, 0x84, 0x5c, + 0x38, 0x50, 0x03, 0x02, 0x8e, 0xa1, 0xc8, 0x0d, 0x1a, 0x12, 
0x0e, 0x9a, + 0x20, 0x84, 0x00, 0x33, 0x01, 0x90, 0xa2, 0x05, 0x08, 0x15, 0x00, 0x02, + 0xa2, 0x11, 0x90, 0x48, 0x06, 0x19, 0x04, 0x08, 0xc3, 0x98, 0x91, 0x1c, + 0xb8, 0x00, 0x8a, 0x42, 0x65, 0xe2, 0x48, 0x40, 0x01, 0xa0, 0x01, 0x62, + 0x22, 0x84, 0x1b, 0x32, 0x28, 0x08, 0x38, 0x24, 0x09, 0x45, 0x6e, 0x03, + 0x35, 0x11, 0x14, 0x95, 0x80, 0xa1, 0x20, 0x51, 0x51, 0x34, 0x72, 0x03, + 0x92, 0x05, 0x61, 0x32, 0x71, 0xc1, 0x44, 0x02, 0xc4, 0x00, 0x90, 0x09, + 0x15, 0x8e, 0x48, 0xa0, 0x88, 0x00, 0xb8, 0x71, 0x52, 0xb0, 0x29, 0x02, + 0x28, 0x2e, 0x52, 0x96, 0x89, 0x1a, 0x21, 0x0d, 0x11, 0xa2, 0x2d, 0x64, + 0x26, 0x71, 0x8c, 0x00, 0x12, 0xc0, 0x26, 0x62, 0xe0, 0x30, 0x11, 0x98, + 0x36, 0x44, 0x61, 0xc2, 0x4c, 0x04, 0x30, 0x6c, 0xe0, 0x18, 0x4e, 0x0c, + 0xc2, 0x25, 0x9a, 0x30, 0x22, 0xe4, 0x88, 0x24, 0xd2, 0xc8, 0x60, 0xca, + 0xb8, 0x8c, 0x12, 0x46, 0x04, 0x64, 0x36, 0x6e, 0x18, 0xc8, 0x2d, 0x5b, + 0x34, 0x89, 0x8a, 0x22, 0x6a, 0x11, 0xb0, 0x30, 0x13, 0x84, 0x81, 0x04, + 0x11, 0x31, 0x62, 0xb4, 0x09, 0xe4, 0x22, 0x2c, 0x4b, 0x20, 0x2d, 0x0a, + 0x03, 0x70, 0xda, 0xc2, 0x61, 0xe1, 0x30, 0x8a, 0x9c, 0x96, 0x88, 0x03, + 0x45, 0x6e, 0x41, 0x24, 0x0d, 0x5c, 0x04, 0x00, 0x4c, 0x32, 0x4a, 0xe0, + 0x12, 0x4a, 0x1c, 0x25, 0x0a, 0x84, 0x36, 0x48, 0x90, 0x98, 0x2c, 0xc2, + 0xb4, 0x44, 0xc3, 0x48, 0x52, 0xcb, 0x96, 0x08, 0x54, 0x34, 0x28, 0x23, + 0x25, 0x26, 0x24, 0xb9, 0x51, 0x18, 0x37, 0x70, 0xe2, 0xc8, 0x64, 0x18, + 0xc6, 0x28, 0xc0, 0x42, 0x8d, 0xd9, 0xa6, 0x08, 0xa3, 0x30, 0x0e, 0x00, + 0xb4, 0x61, 0xca, 0xc2, 0x00, 0x4a, 0x32, 0x24, 0xcc, 0xc4, 0x2c, 0xd1, + 0x24, 0x46, 0x14, 0x10, 0x82, 0x09, 0xb2, 0x09, 0x89, 0x32, 0x28, 0x54, + 0x12, 0x66, 0x58, 0xc8, 0x69, 0xc2, 0x26, 0x49, 0x60, 0x96, 0x01, 0xd9, + 0x34, 0x60, 0x10, 0xc0, 0x51, 0x59, 0x44, 0x2c, 0x81, 0xc2, 0x69, 0x03, + 0x00, 0x8d, 0x9b, 0xc6, 0x40, 0x64, 0x40, 0x2e, 0xd8, 0x44, 0x0a, 0xe3, + 0x14, 0x25, 0xd3, 0x42, 0x32, 0x43, 0x22, 0x46, 0x09, 0xa2, 0x69, 0x94, + 0x24, 0x88, 0x8a, 0xc4, 0x8d, 0x04, 0x41, 0x11, 0x5b, 0x94, 
0x11, 0x1c, + 0x33, 0x86, 0xa4, 0xa4, 0x61, 0x1a, 0xb5, 0x4c, 0x91, 0x22, 0x0e, 0x22, + 0xb6, 0x64, 0x22, 0x97, 0x68, 0x43, 0x38, 0x2e, 0xe1, 0xb4, 0x11, 0x63, + 0x90, 0x85, 0x52, 0xc0, 0x28, 0xe4, 0x44, 0x29, 0x5a, 0x26, 0x66, 0x01, + 0x06, 0x25, 0x80, 0x46, 0x61, 0x04, 0xa4, 0x2c, 0x94, 0x04, 0x52, 0x10, + 0x08, 0x24, 0x01, 0x05, 0x0d, 0x18, 0x24, 0x26, 0x18, 0x30, 0x84, 0x4b, + 0x04, 0x2d, 0xa0, 0xb4, 0x00, 0xd4, 0xb4, 0x90, 0xc3, 0x08, 0x46, 0x22, + 0xb1, 0x31, 0x14, 0x49, 0x71, 0xd3, 0x34, 0x61, 0x48, 0x02, 0x65, 0x00, + 0xa1, 0x20, 0x04, 0x44, 0x85, 0x11, 0x01, 0x4d, 0x84, 0xc2, 0x30, 0x61, + 0xc2, 0x89, 0x03, 0x46, 0x00, 0x22, 0xb2, 0x45, 0x93, 0xa0, 0x2d, 0x18, + 0x46, 0x48, 0x0b, 0x34, 0x88, 0x5c, 0xa2, 0x84, 0xc8, 0xa0, 0x64, 0x88, + 0xa4, 0x80, 0x12, 0x98, 0x21, 0x1b, 0x49, 0x6a, 0xd8, 0x33, 0x5f, 0xa7, + 0x9b, 0xf4, 0xec, 0x5f, 0xea, 0x39, 0xf1, 0xac, 0x7b, 0x7c, 0x58, 0x54, + 0xf0, 0xfb, 0x19, 0x85, 0xf4, 0x3d, 0x70, 0x7f, 0x56, 0x7c, 0xe1, 0x23, + 0x29, 0xe4, 0x3a, 0xbd, 0xaa, 0x9e, 0xd4, 0xc4, 0xb3, 0x9b, 0x63, 0x20, + 0xca, 0x70, 0xeb, 0xa0, 0x9a, 0x15, 0x97, 0x71, 0x7b, 0x72, 0xed, 0x5b, + 0x0a, 0xef, 0xd4, 0x6b, 0x7c, 0x5c, 0xbd, 0x56, 0xd8, 0x1c, 0x3a, 0x7a, + 0x6a, 0x9d, 0x35, 0xef, 0x4e, 0x5b, 0x87, 0xa9, 0xfb, 0xfd, 0x9b, 0x38, + 0x4c, 0x6b, 0x7f, 0x43, 0xec, 0x29, 0x63, 0x72, 0x37, 0x9b, 0x97, 0x05, + 0x78, 0x8b, 0xc7, 0xaa, 0x36, 0x68, 0x85, 0x96, 0xa8, 0x56, 0xc0, 0x24, + 0xfa, 0xb2, 0x40, 0x91, 0xf1, 0xb2, 0xad, 0x8d, 0xf6, 0x4f, 0xba, 0xba, + 0xc1, 0x8e, 0xff, 0x62, 0x61, 0xa9, 0x1b, 0x45, 0x48, 0x96, 0xd2, 0x3c, + 0xeb, 0x52, 0xef, 0x22, 0xd9, 0x3f, 0x2b, 0xf6, 0xd6, 0xec, 0x40, 0xce, + 0xe7, 0xfc, 0x83, 0x12, 0xd7, 0x87, 0xac, 0x9d, 0x45, 0xc6, 0xb2, 0xc1, + 0xc5, 0x2f, 0xdd, 0xea, 0x9a, 0x40, 0xdb, 0x0a, 0xf6, 0x32, 0x79, 0x2e, + 0x19, 0xe9, 0x8e, 0x04, 0xec, 0x44, 0x23, 0x52, 0xc9, 0x88, 0xac, 0x86, + 0xe1, 0xbb, 0x7d, 0x3f, 0x63, 0xa4, 0x12, 0xf9, 0xc7, 0xea, 0xb1, 0x74, + 0x63, 0xd1, 0x16, 0x31, 0x5d, 0x16, 0x07, 0x4c, 0x8e, 0x6c, 
0xe0, 0x13, + 0x20, 0x03, 0x5b, 0x0a, 0x63, 0x51, 0x18, 0x6f, 0x3c, 0x7e, 0x17, 0xe0, + 0x91, 0x37, 0xce, 0x76, 0x3a, 0xd7, 0xc7, 0xbe, 0x49, 0x54, 0x1b, 0x74, + 0x05, 0xbb, 0xb8, 0xc7, 0x02, 0x6a, 0x5f, 0xa9, 0x77, 0xba, 0xe1, 0xb6, + 0x5b, 0x94, 0x86, 0x9e, 0xfe, 0xf0, 0x1b, 0x77, 0xcf, 0x17, 0x3e, 0x46, + 0x9a, 0x30, 0xda, 0x18, 0x2b, 0xd7, 0x66, 0x2a, 0xf0, 0x48, 0x18, 0xbd, + 0x62, 0x35, 0x24, 0xd5, 0x60, 0x0f, 0x23, 0xfd, 0x58, 0x68, 0xfa, 0x42, + 0xa4, 0x5f, 0x39, 0x67, 0x2e, 0x40, 0x1e, 0x2c, 0xf3, 0x36, 0xf4, 0x13, + 0x22, 0xf8, 0x23, 0x68, 0x4e, 0x6b, 0x87, 0x99, 0xb5, 0x5f, 0xb9, 0x6e, + 0xf9, 0x2f, 0x41, 0x0e, 0x23, 0xdd, 0xa7, 0x72, 0x48, 0xde, 0x65, 0x9f, + 0x70, 0x32, 0x28, 0xf9, 0x9c, 0x8a, 0xdf, 0x04, 0x52, 0x3c, 0x88, 0x10, + 0x57, 0x34, 0x49, 0x54, 0xa8, 0x1f, 0xdb, 0xae, 0x00, 0x0f, 0xae, 0x48, + 0x4c, 0xd8, 0x96, 0xc4, 0xe6, 0x54, 0x3c, 0xae, 0x00, 0x5a, 0x0e, 0x3d, + 0xf5, 0x1e, 0x37, 0xc0, 0x40, 0x1d, 0x10, 0x6e, 0x50, 0xdb, 0xa1, 0x41, + 0x68, 0xb5, 0x49, 0x6a, 0x3d, 0x6d, 0xaa, 0xb2, 0xe0, 0x10, 0xc2, 0xdc, + 0xe2, 0x15, 0x55, 0x3d, 0x10, 0x34, 0x7a, 0x95, 0x81, 0x98, 0x8d, 0x9e, + 0xdc, 0x25, 0x83, 0xfc, 0x10, 0x35, 0x0e, 0xc5, 0xef, 0x05, 0x18, 0xb3, + 0xfa, 0x9b, 0x54, 0x70, 0x2d, 0x93, 0xf2, 0xa9, 0x38, 0x06, 0x97, 0xe4, + 0x26, 0xc2, 0xa0, 0x17, 0xc1, 0xdb, 0xed, 0x69, 0x25, 0xc4, 0x4a, 0x77, + 0x50, 0x99, 0x95, 0xfe, 0x39, 0x0c, 0xab, 0xf2, 0x13, 0xd0, 0x13, 0xf2, + 0xcb, 0x9e, 0xbd, 0x9e, 0x09, 0xf9, 0xa0, 0x94, 0x98, 0x03, 0xde, 0x28, + 0x5c, 0x9c, 0x2e, 0x6a, 0x02, 0xcf, 0xfe, 0x7a, 0xea, 0xf0, 0x13, 0xea, + 0xab, 0x9b, 0x4e, 0x82, 0xe5, 0xd7, 0x5b, 0xbf, 0x8e, 0x0b, 0x84, 0x74, + 0xff, 0x63, 0xb2, 0xe7, 0xbe, 0xc2, 0xf1, 0xaa, 0x54, 0xef, 0xa0, 0xc1, + 0x94, 0xb6, 0x8f, 0xd4, 0x92, 0x46, 0x36, 0xd0, 0xe1, 0x88, 0xa3, 0x1e, + 0x32, 0xa4, 0x26, 0x5b, 0x24, 0x8f, 0xc9, 0x52, 0x5e, 0xd9, 0x46, 0x2f, + 0x9b, 0xf0, 0x4b, 0x86, 0xb4, 0x43, 0xbf, 0x5f, 0x86, 0xae, 0x66, 0x64, + 0x7e, 0x46, 0x36, 0x46, 0xd0, 0x2d, 0x0d, 0x8c, 0xe2, 0x01, 
0xe0, 0xc2, + 0xce, 0x4a, 0x36, 0x23, 0xd0, 0xd1, 0x93, 0xa6, 0x64, 0x46, 0x34, 0xfe, + 0xba, 0x47, 0xa8, 0x55, 0x98, 0x9f, 0xcc, 0x8f, 0x3d, 0xcb, 0x81, 0xc5, + 0xf0, 0x5d, 0x9a, 0x0f, 0xe2, 0xe0, 0xe4, 0xdc, 0x09, 0x4a, 0x62, 0x1f, + 0x9f, 0xf4, 0x3f, 0x1f, 0x3e, 0x9a, 0x8f, 0x98, 0xcf, 0xd4, 0xe3, 0xc2, + 0x2f, 0x5f, 0xd7, 0xa0, 0xdc, 0x78, 0x8a, 0x13, 0x2e, 0x6f, 0x03, 0x42, + 0x7d, 0x29, 0x1e, 0xf9, 0xd6, 0x8a, 0xf3, 0xf3, 0xb6, 0x69, 0xa7, 0x65, + 0x63, 0x2d, 0xac, 0x5a, 0xa3, 0x8d, 0x57, 0x35, 0xca, 0x37, 0x0d, 0x4e, + 0xbc, 0xa8, 0xf0, 0x6f, 0x0f, 0x59, 0xd6, 0xc0, 0xd7, 0x49, 0x7d, 0x95, + 0x1f, 0x96, 0x68, 0xb5, 0x34, 0x03, 0x7b, 0x02, 0x7f, 0xa5, 0xa2, 0xfc, + 0x46, 0xdf, 0x7a, 0xf2, 0x3b, 0xe5, 0x61, 0x6d, 0xb2, 0x0a, 0xba, 0xce, + 0x02, 0xea, 0x19, 0xbe, 0x4b, 0x5d, 0xe6, 0x4e, 0x09, 0xa7, 0x1a, 0x7f, + 0x90, 0x72, 0x6e, 0x38, 0xb5, 0xa9, 0x68, 0xd7, 0xe5, 0x1f, 0x15, 0x46, + 0x6d, 0xa0, 0xaa, 0xc9, 0xb7, 0x4c, 0xd5, 0x0c, 0x54, 0x38, 0x19, 0xd0, + 0xce, 0xbe, 0x87, 0x98, 0x64, 0xd1, 0x45, 0x9e, 0x48, 0x08, 0x14, 0x5f, + 0x5f, 0x29, 0x52, 0x10, 0x16, 0xbb, 0x62, 0xb0, 0x5d, 0x8f, 0x71, 0x7b, + 0x12, 0x50, 0xcc, 0xef, 0x8a, 0x4c, 0x02, 0x96, 0x29, 0x2a, 0x86, 0x62, + 0x49, 0x9d, 0x94, 0xf7, 0xc3, 0xff, 0x83, 0xd7, 0xe1, 0x7d, 0x8d, 0x14, + 0x18, 0xec, 0x3f, 0x68, 0x43, 0xeb, 0xcb, 0xeb, 0xb9, 0x60, 0xf9, 0xf6, + 0x61, 0xe4, 0x56, 0xda, 0xdc, 0x48, 0x43, 0x72, 0x9d, 0x3f, 0xb3, 0x96, + 0xd8, 0xe8, 0x4e, 0xe1, 0x24, 0x56, 0x72, 0x32, 0x1e, 0x4d, 0x4c, 0x59, + 0x45, 0x4b, 0x53, 0x08, 0x44, 0x39, 0xd7, 0x66, 0x20, 0x42, 0xec, 0x1b, + 0xd2, 0x93, 0x05, 0x2e, 0x6a, 0x44, 0x46, 0x1b, 0xd3, 0x53, 0xcf, 0x32, + 0xa4, 0xb9, 0xfd, 0x4e, 0x95, 0x43, 0x45, 0x54, 0xce, 0xa0, 0x92, 0x2c, + 0xf0, 0xd5, 0x0b, 0x5f, 0x71, 0x8d, 0xe7, 0xb2, 0xf0, 0x1d, 0xe1, 0x89, + 0xef, 0xb8, 0x35, 0xf4, 0xb2, 0x9a, 0xb6, 0x2b, 0x99, 0xdc, 0x76, 0xcc, + 0xbe, 0xc2, 0x02, 0xa4, 0x82, 0x0d, 0xf9, 0x2a, 0x82, 0x03, 0x13, 0x87, + 0x9f, 0x8a, 0xf1, 0x9b, 0xfe, 0xe5, 0xb4, 0x57, 0xbf, 0x29, 
0x87, 0xbe, + 0x48, 0x6c, 0xf3, 0xe8, 0x19, 0xa4, 0xfc, 0xe6, 0x7e, 0x64, 0xc6, 0xab, + 0xb4, 0xdd, 0x98, 0x11, 0xa5, 0xbd, 0x82, 0xbe, 0x73, 0x27, 0x43, 0xc5, + 0x2b, 0x1f, 0x84, 0xaf, 0x1b, 0x44, 0x14, 0x5c, 0x68, 0xa9, 0x6a, 0x06, + 0xed, 0xf5, 0xcf, 0xb7, 0xad, 0xc5, 0xbe, 0xc5, 0x5e, 0x60, 0xf6, 0x87, + 0x0b, 0xd1, 0x0d, 0xff, 0x60, 0x3b, 0x10, 0xe3, 0xf4, 0x54, 0xc0, 0xc9, + 0x7f, 0xb3, 0x37, 0xb1, 0x2c, 0x5d, 0xe0, 0x69, 0x38, 0xf6, 0x5d, 0x46, + 0x53, 0xf7, 0xd1, 0xed, 0xdd, 0x28, 0x1e, 0x4d, 0xdb, 0x1b, 0x7a, 0x5e, + 0x47, 0x53, 0x77, 0x69, 0x85, 0xee, 0x72, 0x15, 0x17, 0x62, 0x08, 0xb5, + 0x1c, 0x1d, 0x01, 0x38, 0xaf, 0x1d, 0x6a, 0x53, 0x54, 0x1f, 0x31, 0x29, + 0x51, 0x21, 0xaf, 0x68, 0x2d, 0x6f, 0xc0, 0x9f, 0x33, 0x5b, 0x88, 0x10, + 0x84, 0x07, 0xad, 0x78, 0x20, 0x94, 0xa7, 0xab, 0xc6, 0x64, 0xae, 0x1c, + 0x6b, 0x98, 0x1b, 0xf5, 0xd6, 0x46, 0xa0, 0xcb, 0xee, 0xaa, 0xa1, 0x7b, + 0x23, 0x53, 0xca, 0xf3, 0x1e, 0x4e, 0x1c, 0x72, 0x6e, 0x34, 0x0f, 0xf4, + 0x1c, 0xfc, 0x9e, 0x04, 0xbc, 0x77, 0x0a, 0xb7, 0xcc, 0x2e, 0xb0, 0x7f, + 0x01, 0x0b, 0x42, 0x98, 0x29, 0x2e, 0xfe, 0xac, 0xa1, 0x93, 0x34, 0x7c, + 0xd0, 0xbf, 0x18, 0x37, 0x04, 0x74, 0xd0, 0xdc, 0xd9, 0x5f, 0x5e, 0xb4, + 0x5e, 0x6a, 0xfd, 0x49, 0x36, 0xf8, 0x25, 0x1a, 0x1b, 0x19, 0x52, 0x1e, + 0xd7, 0xb2, 0x26, 0x79, 0xb5, 0x3c, 0x33, 0x1f, 0xa1, 0x48, 0x50, 0xd8, + 0x77, 0xaa, 0x12, 0xbe, 0xbc, 0x68, 0x90, 0x3f, 0x8c, 0x17, 0xc4, 0x6f, + 0x75, 0x47, 0x03, 0x8d, 0x22, 0xcd, 0xa0, 0xd6, 0x0c, 0x91, 0x2f, 0xb9, + 0xdc, 0xb0, 0xe4, 0xe8, 0xfb, 0x65, 0x6b, 0x90, 0xc4, 0x1f, 0x38, 0x20, + 0xb9, 0x09, 0x38, 0x26, 0xb0, 0x90, 0x41, 0x31, 0x85, 0x93, 0x4d, 0xbc, + 0x92, 0xfa, 0x2d, 0x20, 0x9f, 0x96, 0xbc, 0x58, 0xb1, 0x00, 0x86, 0x8c, + 0x24, 0xf8, 0x84, 0x5c, 0xb3, 0x2f, 0x28, 0x87, 0xee, 0x58, 0x26, 0xf6, + 0xb8, 0x8b, 0x47, 0xe6, 0x2b, 0x55, 0xe5, 0x39, 0x89, 0xaf, 0x38, 0x5c, + 0x1d, 0xc0, 0x68, 0x15, 0xa4, 0xf3, 0xe7, 0x3c, 0x69, 0x56, 0x94, 0xb7, + 0x64, 0x16, 0x64, 0x56, 0xe4, 0x6b, 0x4c, 0x05, 0x0a, 0x61, 
0x22, 0x9a, + 0x87, 0xb3, 0x3d, 0xba, 0x7e, 0x56, 0xca, 0x77, 0xd8, 0x52, 0xcc, 0x58, + 0xba, 0xd1, 0x01, 0x08, 0x5a, 0x58, 0xc5, 0x58, 0x89, 0xa6, 0x1c, 0x09, + 0xb7, 0x5b, 0xcc, 0xd4, 0x2c, 0x80, 0x63, 0xc7, 0xaa, 0xc1, 0x32, 0x5c, + 0x9f, 0xca, 0x8f, 0x6e, 0xe4, 0x67, 0x3b, 0x08, 0x56, 0xc3, 0x3a, 0xa6, + 0x8c, 0x0e, 0x76, 0x9e, 0xbc, 0xaa, 0xc4, 0x70, 0x87, 0xd6, 0x21, 0x17, + 0xc0, 0xf5, 0xd1, 0xca, 0xd2, 0x16, 0xfe, 0x1d, 0x6c, 0xa3, 0xc4, 0x6d, + 0x94, 0xc1, 0x3e, 0xef, 0xb8, 0x11, 0x16, 0xe2, 0xa4, 0x94, 0x32, 0x4f, + 0xaf, 0x22, 0x3a, 0xba, 0x50, 0x38, 0x04, 0xc7, 0x36, 0x8c, 0xcd, 0xfc, + 0x94, 0x2e, 0x13, 0x09, 0xca, 0x8c, 0xf5, 0x5e, 0x4d, 0x3f, 0x77, 0xf9, + 0xa6, 0x5d, 0x84, 0x6a, 0x00, 0x3d, 0xd7, 0x9e, 0x91, 0xa3, 0x6f, 0x9a, + 0x86, 0xbe, 0xda, 0x5c, 0xac, 0xf6, 0xf8, 0xa8, 0xd3, 0x58, 0x26, 0xd3, + 0xab, 0x6e, 0x93, 0xd8, 0x6f, 0xab, 0xac, 0x91, 0x4e, 0x84, 0x00, 0x6d, + 0x62, 0x38, 0xa9, 0x9b, 0xde, 0xfb, 0xff, 0x93, 0x90, 0xa4, 0x55, 0xac, + 0xd8, 0x68, 0x11, 0x41, 0xb4, 0xa6, 0xea, 0x64, 0x41, 0xe6, 0x2e, 0x43, + 0x6c, 0xbb, 0x65, 0xbb, 0x10, 0x30, 0xab, 0xf3, 0xc5, 0x9e, 0xd1, 0x42, + 0xe2, 0xe2, 0x25, 0x44, 0x69, 0x3e, 0xb3, 0x4b, 0xbf, 0x0b, 0x12, 0xef, + 0xbf, 0x01, 0xbf, 0x65, 0x60, 0xf1, 0xa5, 0x59, 0xd2, 0xca, 0x9f, 0xdb, + 0x9d, 0x8c, 0x96, 0xff, 0x42, 0x1c, 0xc1, 0xcf, 0x34, 0xb4, 0xfb, 0xdc, + 0x85, 0xe8, 0xbb, 0x04, 0x53, 0xdd, 0x66, 0x78, 0xac, 0xf4, 0x00, 0xc3, + 0x1b, 0x3b, 0x40, 0xa2, 0xd8, 0xbd, 0x86, 0x39, 0xba, 0xbc, 0x12, 0xab, + 0xf9, 0xa3, 0x36, 0x59, 0x59, 0xf4, 0x6b, 0x8e, 0xf0, 0x66, 0x68, 0xf3, + 0x62, 0xc7, 0xea, 0xfa, 0x89, 0xc6, 0xc2, 0xc5, 0x25, 0xc7, 0xe9, 0xe5, + 0x84, 0x0b, 0x45, 0x26, 0xfd, 0x1f, 0xe9, 0x57, 0x5b, 0x3a, 0x44, 0x19, + 0x5f, 0x5d, 0xd3, 0x17, 0x92, 0x49, 0x0e, 0x76, 0xe2, 0x54, 0xc6, 0x13, + 0x1a, 0x98, 0xdd, 0x77, 0xf8, 0xd6, 0xac, 0x74, 0x9a, 0xc8, 0x2a, 0x98, + 0x38, 0x2a, 0x48, 0x82, 0xc4, 0x2a, 0xd7, 0xc6, 0x3d, 0xf2, 0x20, 0xda, + 0x0f, 0xbc, 0x46, 0x81, 0x5a, 0x21, 0xc4, 0x9f, 0x2a, 0xd1, 
0x43, 0xb7, + 0x6f, 0x78, 0x9e, 0x02, 0xb6, 0x38, 0x21, 0x00, 0xde, 0xab, 0xdc, 0xcd, + 0xef, 0xc6, 0xe7, 0x4b, 0x87, 0x72, 0x4b, 0x95, 0x82, 0xde, 0xeb, 0x98, + 0xe2, 0xda, 0x6f, 0x31, 0x62, 0xd2, 0xd5, 0x68, 0xf3, 0x73, 0xc8, 0x7e, + 0x7b, 0x38, 0xf8, 0x58, 0xb7, 0x12, 0x19, 0x52, 0xd7, 0x8b, 0xb0, 0xc5, + 0x9a, 0x18, 0xd7, 0x60, 0x32, 0xd8, 0x28, 0x22, 0x15, 0x63, 0x4f, 0x73, + 0x1c, 0x86, 0x7f, 0x8a, 0xbd, 0xd1, 0x20, 0x03, 0xbd, 0x4c, 0xc1, 0xdc, + 0x75, 0x72, 0x78, 0x5a, 0xf6, 0x15, 0x35, 0xed, 0xad, 0x9e, 0x4f, 0x25, + 0x76, 0x9a, 0x40, 0xe3, 0x91, 0x7b, 0x27, 0x26, 0x59, 0xd1, 0x34, 0x8a, + 0xb8, 0xe6, 0x12, 0x42, 0xed, 0x8b, 0x97, 0xd5, 0x11, 0xd5, 0x79, 0x15, + 0xe5, 0x83, 0x67, 0x13, 0x69, 0xb6, 0x08, 0x8b, 0x4b, 0x4f, 0x88, 0x23, + 0xf6, 0x10, 0xd1, 0xb5, 0xc1, 0x57, 0x8e, 0x3f, 0xf4, 0x5d, 0xab, 0x7c, + 0xc4, 0x7d, 0x58, 0x9a, 0x68, 0x0a, 0x1d, 0xe6, 0x0a, 0xb9, 0xb5, 0x1f, + 0x1a, 0x53, 0x1f, 0xba, 0x56, 0xed, 0x21, 0xb3, 0xb5, 0xee, 0xee, 0x4f, + 0x75, 0x35, 0xf3, 0x06, 0xd5, 0x83, 0x23, 0x68, 0x7e, 0x20, 0x36, 0x14, + 0xdc, 0x64, 0xa6, 0x89}; static const uint8_t kMLDSASignPlaintext[32] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; // ISO/IEC 19790:2012 Section 7.10.3.3 15. page 84 Requires the randomization // parameter rnd be fixed for the “hedged” algorithms (e.g., all zeros). 
static const uint8_t kMLDSASigGenSeed[MLDSA44_SIGNATURE_SEED_BYTES] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; static const uint8_t kMLDSASignSignature[MLDSA44_SIGNATURE_BYTES] = { - 0x4e, 0xfb, 0x3a, 0xbe, 0x8a, 0xc4, 0x7b, 0x40, 0xd4, 0xb1, 0xd5, 0x99, - 0x61, 0xee, 0x65, 0x8b, 0xa7, 0xc2, 0xa2, 0x12, 0x36, 0xe0, 0xc0, 0x27, - 0x96, 0x6e, 0xac, 0x19, 0xb0, 0xb4, 0x15, 0xc9, 0x82, 0x4a, 0xf9, 0x49, - 0x55, 0x23, 0x3a, 0x6a, 0x32, 0x1b, 0xa6, 0x63, 0x70, 0xbf, 0x13, 0x13, - 0xbe, 0xc0, 0x1b, 0xeb, 0xce, 0x2a, 0x7c, 0x63, 0x91, 0x83, 0x3f, 0xef, - 0x3e, 0xcd, 0x58, 0xb2, 0x13, 0xbb, 0xb7, 0x23, 0xde, 0xdd, 0x0c, 0x04, - 0xb3, 0x36, 0x44, 0xa5, 0xa4, 0x49, 0x4b, 0x47, 0x52, 0x8c, 0x61, 0x6f, - 0xbf, 0x40, 0x75, 0xac, 0xf0, 0x4f, 0xb5, 0xd8, 0x53, 0xba, 0xda, 0xa2, - 0x5d, 0x24, 0x06, 0x51, 0x05, 0x6d, 0x3c, 0x3c, 0xfd, 0xaf, 0xba, 0xea, - 0x8f, 0x09, 0x96, 0x23, 0x4c, 0xcd, 0xbc, 0x03, 0x3f, 0x3e, 0xd2, 0x9d, - 0x2b, 0xcb, 0x86, 0x10, 0xbd, 0xd7, 0x28, 0x56, 0x1b, 0xde, 0x8a, 0x4c, - 0xd7, 0xa0, 0x36, 0x1b, 0x63, 0x0d, 0xe7, 0x1a, 0xe1, 0x0d, 0xb5, 0x0d, - 0x2c, 0xaf, 0x61, 0xdc, 0x39, 0x36, 0x58, 0xc8, 0xc4, 0xfe, 0x82, 0x2a, - 0x0b, 0x8b, 0x2d, 0x17, 0xeb, 0xbc, 0x1f, 0x9b, 0xc5, 0x94, 0x7b, 0xed, - 0x10, 0xee, 0x69, 0xff, 0xb4, 0xc6, 0x6f, 0x59, 0xaf, 0x4d, 0xa8, 0x9e, - 0xfd, 0x0c, 0xf5, 0xc7, 0x22, 0xf6, 0x68, 0x7b, 0x9c, 0x1d, 0x52, 0x8e, - 0xe3, 0xb8, 0xb6, 0x75, 0xe0, 0x1e, 0x9e, 0xef, 0x50, 0x93, 0x59, 0x05, - 0x39, 0xf9, 0x76, 0x82, 0x60, 0xbc, 0xc8, 0xfd, 0xc0, 0xb7, 0xf0, 0xd4, - 0x96, 0xb1, 0xd9, 0x81, 0x26, 0x0f, 0xda, 0x2f, 0x6c, 0xae, 0xcd, 0x70, - 0x25, 0xa7, 0x69, 0x03, 0x51, 0x16, 0xa9, 0xdb, 
0x27, 0xa0, 0x4c, 0x4d, - 0x75, 0x89, 0x43, 0xa9, 0x31, 0x2b, 0x77, 0xb9, 0xd4, 0x5c, 0x38, 0x6d, - 0xc5, 0x25, 0x0b, 0x18, 0x20, 0xfe, 0x44, 0x3b, 0x07, 0xf3, 0xef, 0x6d, - 0xdb, 0xa6, 0x7e, 0x09, 0xef, 0xee, 0x9c, 0x59, 0x01, 0x6b, 0xd0, 0x76, - 0xf1, 0x2a, 0x2c, 0xde, 0x6e, 0x38, 0x6a, 0xb6, 0x90, 0xbd, 0x41, 0x7b, - 0xf1, 0x23, 0xc5, 0x28, 0x2e, 0xa9, 0x3a, 0x5f, 0xe8, 0x6a, 0x0d, 0x93, - 0xfa, 0x6b, 0x3e, 0xc1, 0x60, 0xdf, 0x64, 0x2f, 0x81, 0xf8, 0x77, 0x82, - 0x25, 0x13, 0x8c, 0xd2, 0xf7, 0x7a, 0x01, 0x3c, 0xc6, 0x72, 0x73, 0xfe, - 0x2a, 0x48, 0x18, 0x9d, 0x36, 0x0c, 0xcd, 0xe0, 0x80, 0xc2, 0x29, 0x2e, - 0x21, 0x00, 0xac, 0x81, 0x5b, 0xdb, 0x33, 0xbb, 0x50, 0xc5, 0x6f, 0xeb, - 0x49, 0x63, 0xdd, 0xef, 0x80, 0xbc, 0x2d, 0xd3, 0xe4, 0xe0, 0x69, 0xaf, - 0x8d, 0xda, 0x54, 0x06, 0x45, 0x5b, 0x69, 0x91, 0x3e, 0x4f, 0xfc, 0x1f, - 0xab, 0x0c, 0xf3, 0xdc, 0xf4, 0x7a, 0x06, 0xde, 0x64, 0x3b, 0x08, 0x7c, - 0xc9, 0x2c, 0x0d, 0xe1, 0xbd, 0xdc, 0x61, 0x9b, 0x88, 0x3a, 0x8e, 0x77, - 0xd3, 0x83, 0xbc, 0x70, 0xf6, 0x98, 0xd3, 0x72, 0xe2, 0x7e, 0x0e, 0x8d, - 0xea, 0x3a, 0x3b, 0x26, 0x1b, 0x8e, 0xae, 0x49, 0x8c, 0x25, 0x14, 0xe4, - 0x05, 0xcd, 0x9c, 0x2c, 0xdb, 0x39, 0xe9, 0x2f, 0x16, 0xf5, 0x71, 0xe2, - 0x87, 0xc9, 0xd1, 0xd3, 0x7a, 0xbf, 0x1d, 0xbf, 0x98, 0x6c, 0xb1, 0x3c, - 0xf8, 0xf4, 0xd6, 0x19, 0xb1, 0x39, 0x45, 0xc1, 0xb4, 0xa5, 0x37, 0x2e, - 0x98, 0x55, 0xbf, 0xc2, 0x3a, 0x36, 0x95, 0x3d, 0xe9, 0xc0, 0xda, 0xdc, - 0xa1, 0x50, 0x67, 0x43, 0x0d, 0xab, 0x9a, 0xf8, 0x98, 0xb0, 0x3e, 0x8c, - 0x4e, 0x8f, 0xf0, 0xa7, 0x2a, 0xd9, 0x36, 0xaa, 0xe0, 0xe2, 0x09, 0x48, - 0xab, 0x9b, 0x5d, 0xba, 0x6d, 0xab, 0xfc, 0xb5, 0x46, 0x6f, 0xb3, 0x30, - 0xfb, 0x6f, 0x60, 0x2b, 0x28, 0x21, 0xea, 0xf9, 0x49, 0xc6, 0xc4, 0xe0, - 0x5f, 0xb6, 0x2f, 0xa0, 0x65, 0x4c, 0x02, 0x98, 0x04, 0x56, 0x10, 0x8e, - 0xac, 0x4a, 0xc7, 0x34, 0x7c, 0x82, 0x2f, 0x46, 0x70, 0x86, 0xaa, 0xc0, - 0x1c, 0x38, 0x51, 0xb0, 0x61, 0xbc, 0x8c, 0x60, 0x45, 0x67, 0x48, 0x3b, - 0x04, 0x43, 0xdf, 0x4b, 0xa1, 0x4c, 0xc2, 0xcc, 
0x67, 0x19, 0x8a, 0x90, - 0x77, 0x58, 0xea, 0x56, 0x0a, 0xd4, 0x86, 0xad, 0xcc, 0x01, 0x8d, 0x48, - 0x28, 0x6e, 0x9a, 0x7c, 0x4b, 0x26, 0x8b, 0x27, 0x85, 0xbd, 0x7f, 0xd4, - 0x9e, 0x3b, 0x53, 0x20, 0xb8, 0x9f, 0xf6, 0x37, 0x8b, 0x14, 0x44, 0x0c, - 0x9c, 0x5b, 0x71, 0xc5, 0x9f, 0xfc, 0x53, 0x7d, 0x52, 0xb0, 0x5f, 0xa7, - 0xbd, 0x29, 0x6e, 0xcf, 0xf0, 0xe8, 0x85, 0x01, 0xa8, 0xa4, 0xb2, 0x78, - 0x5b, 0x8a, 0x60, 0xfa, 0x74, 0x18, 0x6f, 0x62, 0x67, 0xed, 0xaa, 0x01, - 0x63, 0xdb, 0x72, 0x3e, 0xbd, 0x3d, 0x69, 0x0c, 0x63, 0xf2, 0x88, 0x30, - 0x52, 0xe1, 0xa1, 0x28, 0xcd, 0x7c, 0xee, 0x54, 0x39, 0x21, 0xec, 0x78, - 0xc1, 0x18, 0x9d, 0xe7, 0x54, 0xf8, 0x62, 0x7e, 0x35, 0xe7, 0xa3, 0x43, - 0x06, 0x11, 0xd3, 0xa3, 0x78, 0x87, 0x9d, 0x35, 0x56, 0x9b, 0xb4, 0xf7, - 0x49, 0x85, 0x4e, 0x55, 0x7d, 0xef, 0xfd, 0x97, 0xc6, 0x52, 0xc9, 0xdf, - 0x22, 0xe3, 0x1f, 0x12, 0x03, 0xae, 0x85, 0x4f, 0x3b, 0x76, 0x84, 0xda, - 0x49, 0xaf, 0x61, 0xa4, 0x67, 0xec, 0x7f, 0x8e, 0x1f, 0xa5, 0xeb, 0x4f, - 0xea, 0x00, 0xbd, 0xfd, 0xa9, 0xdf, 0x4f, 0x07, 0x1d, 0xf8, 0xd5, 0x1e, - 0x67, 0x25, 0xe9, 0xcf, 0x25, 0xc8, 0x82, 0x41, 0x82, 0x52, 0xb2, 0xc3, - 0xae, 0x00, 0xaa, 0x1b, 0x2c, 0xbc, 0x52, 0x75, 0x41, 0x8d, 0xaa, 0xa9, - 0x65, 0x97, 0xb4, 0x8e, 0x63, 0xf3, 0xdf, 0x98, 0xbe, 0xc7, 0x88, 0x65, - 0x10, 0x03, 0xa9, 0x50, 0x41, 0xeb, 0xf0, 0x2f, 0x62, 0xc9, 0x59, 0x81, - 0xad, 0xca, 0x03, 0xa1, 0xa1, 0x83, 0x2e, 0xb9, 0xb6, 0xd1, 0x42, 0x5b, - 0x43, 0x62, 0x14, 0xd1, 0x00, 0x9b, 0x2c, 0xe5, 0x38, 0x8a, 0x57, 0x3c, - 0x41, 0x60, 0xe8, 0xaf, 0xb9, 0xb1, 0xcb, 0xcd, 0xbc, 0x0d, 0x16, 0xc9, - 0x15, 0x91, 0x97, 0x5c, 0xce, 0xc4, 0xb1, 0x13, 0x1b, 0xcc, 0xe9, 0x8e, - 0xac, 0x23, 0x91, 0x11, 0x4f, 0x48, 0x0b, 0x6c, 0x75, 0xaf, 0x4d, 0x07, - 0xd5, 0x49, 0xd2, 0xa1, 0x7f, 0xf3, 0x86, 0x63, 0x35, 0x80, 0x9e, 0x7b, - 0x9b, 0x26, 0x65, 0x71, 0x5d, 0x10, 0xfe, 0x01, 0xea, 0x43, 0x42, 0xf5, - 0xb6, 0x20, 0x0d, 0x9b, 0x85, 0x61, 0x32, 0x4d, 0x11, 0xc7, 0xd9, 0x26, - 0x67, 0xfc, 0xe0, 0xee, 0xa7, 0x30, 0xda, 0x5d, 
0xea, 0x93, 0x34, 0x8c, - 0xc6, 0x84, 0xf6, 0xac, 0x35, 0xc6, 0x90, 0xf1, 0x7d, 0x8d, 0x0f, 0xc9, - 0x9c, 0xf7, 0x0f, 0x5d, 0x74, 0xb7, 0x7a, 0x08, 0xf9, 0xb8, 0xaf, 0xd1, - 0xa6, 0xab, 0x95, 0x0f, 0x6d, 0xab, 0x88, 0x0f, 0x88, 0xa3, 0x9a, 0x16, - 0x77, 0x91, 0x41, 0x44, 0x3e, 0x79, 0xa4, 0x09, 0x9a, 0x90, 0xff, 0x6e, - 0xc4, 0x12, 0x70, 0xd5, 0x2a, 0x79, 0xf4, 0xcd, 0x0a, 0x66, 0xb7, 0xbb, - 0x7d, 0x92, 0xed, 0x00, 0x75, 0x9a, 0x9d, 0xa4, 0x8a, 0x17, 0x1b, 0xc2, - 0xfd, 0x6d, 0x1d, 0xe3, 0xa9, 0x14, 0x1f, 0x6c, 0x61, 0x4c, 0xa9, 0x7e, - 0x96, 0x96, 0xa4, 0x4a, 0xe3, 0x26, 0xd0, 0xca, 0x1d, 0x09, 0x1a, 0xab, - 0xb0, 0x30, 0xa8, 0x82, 0x46, 0x75, 0x23, 0x9a, 0xea, 0xd6, 0xcd, 0xbf, - 0x6b, 0x9d, 0xe0, 0xc3, 0x71, 0xc9, 0x25, 0xf4, 0xc4, 0x12, 0x24, 0x9d, - 0x31, 0x20, 0x01, 0x03, 0xcf, 0x67, 0xec, 0x76, 0x13, 0x1a, 0xd2, 0xbf, - 0xbe, 0x7b, 0xf3, 0x0a, 0x31, 0xde, 0x81, 0x86, 0x60, 0x0d, 0x11, 0xbd, - 0x35, 0x73, 0x0a, 0x69, 0x96, 0xca, 0xc1, 0x0e, 0xc1, 0x22, 0x4b, 0x71, - 0xc1, 0x2b, 0xcf, 0x1f, 0xf8, 0x5a, 0x2a, 0xc2, 0xf9, 0x39, 0x0a, 0xda, - 0xd7, 0x54, 0xe0, 0xeb, 0xb1, 0xf6, 0x15, 0x3b, 0x8c, 0xf2, 0xfc, 0x06, - 0x64, 0x8a, 0xcf, 0x26, 0x10, 0xdb, 0x11, 0xd0, 0xa1, 0x6e, 0x8d, 0x25, - 0xdc, 0x79, 0x97, 0x9e, 0x9d, 0xe6, 0xb2, 0xdc, 0x23, 0x61, 0x11, 0xf8, - 0x5f, 0x76, 0xe9, 0xdf, 0x24, 0x99, 0xd5, 0x19, 0x3d, 0x3d, 0xaf, 0x13, - 0x10, 0x2d, 0xd9, 0xe4, 0x3e, 0xb5, 0x1a, 0x16, 0x6f, 0xfd, 0x98, 0x23, - 0xff, 0x8d, 0x88, 0xe1, 0xfd, 0xbd, 0xcf, 0xcb, 0xea, 0x17, 0x71, 0xa1, - 0x20, 0x2d, 0x97, 0xf4, 0xb6, 0x6c, 0x1a, 0x8d, 0x91, 0x0c, 0xb6, 0x6f, - 0x5f, 0x40, 0x5f, 0x8c, 0x78, 0x6b, 0x79, 0xe9, 0xdf, 0x8e, 0x1d, 0xf6, - 0x4f, 0x87, 0x1f, 0xbd, 0xd9, 0x5c, 0xa3, 0xf8, 0x65, 0x6b, 0x70, 0x4c, - 0xee, 0x55, 0xf2, 0x2b, 0x29, 0x9d, 0x64, 0x66, 0xef, 0x5a, 0x05, 0x44, - 0xab, 0xe9, 0xfb, 0x9e, 0xf8, 0xe9, 0x45, 0x8a, 0x3f, 0xb7, 0x5f, 0x32, - 0x8c, 0x8a, 0x36, 0xaf, 0xa3, 0x3f, 0x2b, 0xa6, 0xa8, 0x0d, 0xfd, 0x34, - 0xcf, 0x59, 0x2e, 0x3c, 0xa2, 0x17, 0x47, 0x83, 
0x45, 0x6a, 0xcd, 0xcf, - 0xb5, 0x58, 0x9c, 0xcd, 0x36, 0x2e, 0x09, 0xb0, 0xe9, 0xd3, 0x10, 0x6b, - 0xc8, 0xfd, 0x91, 0x03, 0xeb, 0x3d, 0xcc, 0xe8, 0x26, 0x9f, 0xfa, 0xab, - 0x78, 0x88, 0x4c, 0x3a, 0x95, 0x57, 0x0f, 0x0b, 0x67, 0xd8, 0x63, 0xc5, - 0x6f, 0x68, 0x95, 0xa7, 0xb6, 0xe0, 0x40, 0x9e, 0x51, 0xc4, 0xd4, 0x20, - 0x47, 0x02, 0x6d, 0xf4, 0x73, 0x06, 0xbf, 0x45, 0x92, 0x83, 0xb4, 0xd6, - 0x3f, 0x4a, 0xe7, 0xa5, 0x54, 0x7c, 0x1c, 0x47, 0x8a, 0xbe, 0xa8, 0x35, - 0x37, 0x8f, 0x0f, 0x5e, 0xfa, 0xb6, 0x65, 0xc8, 0x17, 0x90, 0x08, 0xb7, - 0x1f, 0xc1, 0x6b, 0xa3, 0xd5, 0x0c, 0x6f, 0x17, 0xa2, 0x5e, 0x12, 0x85, - 0x9c, 0xb2, 0xd4, 0x87, 0x6f, 0xe4, 0x95, 0xfe, 0x21, 0xb7, 0x92, 0x03, - 0x42, 0x36, 0xdb, 0x25, 0x40, 0x24, 0xde, 0x98, 0xe4, 0x1f, 0x43, 0x98, - 0x95, 0xdb, 0xb0, 0x8a, 0x7d, 0xa7, 0x86, 0x77, 0xd0, 0xd0, 0x71, 0x54, - 0x94, 0x9d, 0x78, 0xc7, 0x66, 0x9e, 0xa1, 0x69, 0xfa, 0x1a, 0xdd, 0x0d, - 0x9b, 0xc2, 0xd3, 0x79, 0x32, 0x3c, 0x24, 0x39, 0xbf, 0x1f, 0xbb, 0x14, - 0x4b, 0x71, 0x27, 0xfc, 0xed, 0x84, 0x2b, 0x31, 0x67, 0xd9, 0x9d, 0x38, - 0x2a, 0xa8, 0x5c, 0x7b, 0x35, 0x0b, 0x84, 0x80, 0xb2, 0x22, 0x34, 0x91, - 0x79, 0xfe, 0xba, 0x54, 0xbd, 0x5f, 0x73, 0xe5, 0x5a, 0xc7, 0x00, 0x0b, - 0xdf, 0x58, 0x38, 0x40, 0xc0, 0xfd, 0xe5, 0xaf, 0x27, 0xfa, 0x3c, 0xa5, - 0x73, 0xc3, 0xf8, 0xee, 0xca, 0x5b, 0x9e, 0x63, 0x5b, 0x00, 0x8b, 0xec, - 0x30, 0xbf, 0x87, 0xf6, 0x4d, 0x41, 0x73, 0xde, 0xf5, 0x8f, 0x3a, 0x8f, - 0x2c, 0x32, 0xaa, 0xca, 0x6e, 0x2f, 0xb8, 0x75, 0x8f, 0xa6, 0x47, 0xb0, - 0x05, 0xc7, 0xa7, 0x40, 0x53, 0xb0, 0x18, 0xcb, 0xd8, 0x42, 0x9d, 0x01, - 0xfd, 0xdf, 0xdd, 0x25, 0xe3, 0x8f, 0xfe, 0x84, 0xad, 0x6f, 0xf7, 0xff, - 0x09, 0x1b, 0x6c, 0x0b, 0x83, 0x40, 0xd5, 0xca, 0xe3, 0x37, 0xca, 0x68, - 0xe8, 0x99, 0x6a, 0xc0, 0xaf, 0xb1, 0xe1, 0xf6, 0xdf, 0xe0, 0xa3, 0x29, - 0x0b, 0x6c, 0x95, 0xdc, 0xb9, 0x85, 0xd1, 0xb5, 0xb4, 0xce, 0xbe, 0x2c, - 0xa6, 0x60, 0x9d, 0xfe, 0x04, 0x68, 0x66, 0xd7, 0x10, 0xe7, 0xd8, 0x38, - 0x67, 0xbb, 0x67, 0x42, 0x60, 0x9d, 0xc8, 0xb6, 
0x07, 0x04, 0x88, 0x23, - 0x0e, 0xab, 0x2c, 0x13, 0xa2, 0x0a, 0xfb, 0x67, 0x2a, 0x4e, 0x66, 0x2f, - 0xee, 0x88, 0xc6, 0x81, 0x07, 0x5c, 0x0d, 0x7e, 0xe6, 0xa7, 0x48, 0xbc, - 0xf3, 0x5f, 0x11, 0x78, 0x5e, 0x41, 0x21, 0xde, 0x68, 0xb2, 0x2c, 0x0a, - 0x54, 0xa3, 0x8f, 0xd5, 0x6e, 0x56, 0xe5, 0x18, 0x58, 0xc2, 0x62, 0x84, - 0x11, 0xd2, 0x20, 0x33, 0x33, 0x30, 0xa4, 0x50, 0x80, 0xfa, 0x68, 0xc4, - 0x07, 0x23, 0x70, 0xb4, 0xbc, 0x40, 0x34, 0x85, 0x03, 0x40, 0xcc, 0xc1, - 0x58, 0x25, 0xb4, 0x5f, 0x23, 0x54, 0x97, 0xa4, 0xf6, 0xf5, 0x14, 0xa6, - 0xd3, 0x94, 0x84, 0x15, 0x7d, 0x06, 0x60, 0x5e, 0x81, 0xb1, 0x23, 0x59, - 0x98, 0x2d, 0xad, 0xc9, 0xb8, 0xbc, 0x6a, 0xa7, 0x62, 0xf0, 0x2e, 0x1e, - 0x7e, 0x21, 0x9d, 0x74, 0x13, 0x90, 0x38, 0x1f, 0xa9, 0x27, 0xcb, 0x35, - 0x37, 0x3c, 0x28, 0x3e, 0xb7, 0x75, 0x34, 0xed, 0x9b, 0xf6, 0x34, 0xea, - 0x35, 0xa1, 0x13, 0xf0, 0x51, 0xfd, 0xd8, 0x52, 0x7b, 0xd4, 0xe0, 0x65, - 0x0b, 0x31, 0x10, 0xed, 0x0a, 0x6e, 0xf0, 0x9f, 0x73, 0x0a, 0xb2, 0xf9, - 0x47, 0xd2, 0x34, 0xe6, 0xbc, 0x07, 0x9d, 0x57, 0x72, 0x80, 0x43, 0x2c, - 0xa5, 0x6b, 0x57, 0xa8, 0x74, 0x43, 0xa5, 0x71, 0x91, 0xb7, 0xb9, 0xd7, - 0x93, 0xad, 0xda, 0x1f, 0x9c, 0x08, 0x2f, 0xa6, 0xca, 0x38, 0xba, 0x98, - 0x47, 0xcb, 0xe7, 0xb5, 0xbc, 0x23, 0x9c, 0x83, 0xb8, 0x06, 0xd6, 0x0f, - 0x2b, 0x74, 0xc9, 0xa5, 0xf3, 0x47, 0x58, 0x3f, 0x2a, 0x93, 0xed, 0xf9, - 0x90, 0xb3, 0x37, 0xe3, 0x59, 0xb8, 0xe2, 0x59, 0x76, 0x38, 0x62, 0xdf, - 0x5c, 0x74, 0xfd, 0x73, 0x3c, 0x29, 0x93, 0xe3, 0x1d, 0x17, 0xda, 0x53, - 0x43, 0xdf, 0x7b, 0x58, 0xf8, 0x59, 0xf1, 0xe7, 0xab, 0x3f, 0x05, 0x6d, - 0x0d, 0xb7, 0xbd, 0xf1, 0x25, 0x95, 0x30, 0xc4, 0xbf, 0x4f, 0xc7, 0x23, - 0x55, 0x4d, 0xe7, 0xdc, 0xb0, 0x1f, 0x34, 0x20, 0xfc, 0x6b, 0xec, 0x4d, - 0x3c, 0x18, 0x78, 0xd4, 0x28, 0xba, 0x5e, 0x93, 0xff, 0x2a, 0xd1, 0x7e, - 0xc7, 0x22, 0x29, 0xb3, 0xf0, 0xb2, 0x47, 0x18, 0xef, 0xaa, 0xbd, 0x27, - 0xd2, 0xca, 0xf6, 0x4e, 0xb5, 0x86, 0x78, 0xa0, 0xe5, 0xb5, 0xf5, 0x1e, - 0x4d, 0x1c, 0x3d, 0x5f, 0x2f, 0x72, 0xb1, 0x5c, 
0x13, 0xea, 0x13, 0xf9, - 0x87, 0x20, 0x3e, 0x84, 0x3f, 0x6c, 0x6b, 0x3e, 0xf3, 0xdf, 0xfc, 0x6b, - 0xc3, 0x51, 0x72, 0x4e, 0xe0, 0x23, 0x81, 0x8c, 0x95, 0x07, 0x74, 0x94, - 0x6f, 0x52, 0xff, 0x02, 0x2d, 0x60, 0x5b, 0xd7, 0x5b, 0x12, 0x70, 0xdc, - 0x94, 0x0f, 0x31, 0xf8, 0xc0, 0x73, 0xed, 0x8a, 0x95, 0x0e, 0x7f, 0x97, - 0x3d, 0x2b, 0x47, 0x93, 0xa5, 0xb8, 0xec, 0x4a, 0xd9, 0xae, 0x87, 0x71, - 0xd5, 0xae, 0x87, 0x77, 0x94, 0xb7, 0xc8, 0x22, 0x91, 0xb4, 0x50, 0xe8, - 0x77, 0xd6, 0x6f, 0xcb, 0x99, 0x8b, 0xfd, 0xa8, 0xed, 0xd3, 0x35, 0x08, - 0xd2, 0x95, 0x61, 0x0b, 0x03, 0xff, 0x7b, 0x7f, 0x02, 0x57, 0x6e, 0xa9, - 0x58, 0x3d, 0xa2, 0xf0, 0xb6, 0x17, 0x09, 0x22, 0x31, 0xd4, 0x2d, 0xb7, - 0xd6, 0xad, 0xd1, 0xdf, 0xd6, 0x05, 0xc8, 0x52, 0x93, 0xc4, 0x81, 0x98, - 0xc7, 0x20, 0x7f, 0x60, 0xed, 0xe3, 0xdd, 0x91, 0xbe, 0x38, 0xeb, 0xe2, - 0x86, 0x4f, 0x51, 0xf5, 0x55, 0xdc, 0xbd, 0x7e, 0x8a, 0xaa, 0x11, 0x4e, - 0x1e, 0x73, 0x72, 0x21, 0x3a, 0xeb, 0xa4, 0x67, 0x1c, 0xf9, 0x43, 0x2a, - 0x7e, 0xbe, 0x7c, 0x3a, 0x6c, 0x54, 0xf7, 0xb4, 0xb7, 0xb6, 0x2e, 0xfe, - 0x4f, 0x4b, 0xc0, 0x27, 0x99, 0xba, 0x3b, 0x17, 0x7d, 0x13, 0x82, 0x30, - 0x7d, 0x95, 0xb7, 0x1e, 0x53, 0x27, 0x7a, 0x14, 0x01, 0xef, 0x0c, 0xe2, - 0x99, 0xb0, 0x26, 0x7b, 0x16, 0xd1, 0x2a, 0x21, 0xeb, 0x0e, 0x8b, 0x1b, - 0x1d, 0x45, 0x03, 0x6b, 0x09, 0x50, 0xcd, 0xe6, 0x60, 0xbb, 0x21, 0xd5, - 0xa6, 0xf8, 0x2f, 0xb4, 0x53, 0x78, 0xc8, 0x13, 0x15, 0x38, 0x0e, 0x42, - 0xd3, 0x9a, 0x95, 0xfb, 0x97, 0xbe, 0xb9, 0x77, 0x9d, 0x1d, 0x36, 0xf3, - 0xb4, 0x27, 0x31, 0xdd, 0xf5, 0xb4, 0xa1, 0xa1, 0xae, 0x2a, 0x9b, 0xfd, - 0xd8, 0x4a, 0x57, 0x71, 0xbd, 0xcc, 0x00, 0xb6, 0x15, 0xd1, 0x36, 0x15, - 0x05, 0x2a, 0xea, 0x4a, 0xcc, 0x18, 0x85, 0x58, 0x9c, 0x40, 0x19, 0x72, - 0x38, 0x32, 0x07, 0x84, 0x40, 0xae, 0x9a, 0xee, 0xe4, 0x15, 0xb1, 0xfc, - 0x9f, 0xce, 0xed, 0x45, 0xd4, 0x03, 0xf8, 0x81, 0x62, 0x10, 0x4b, 0x25, - 0x76, 0x95, 0x57, 0x4e, 0xaa, 0x60, 0xec, 0x88, 0x9b, 0x56, 0x51, 0x75, - 0x96, 0x16, 0xfc, 0x22, 0x24, 0xfc, 0xa7, 0x37, 
0x6b, 0x13, 0x8a, 0x02, - 0x9f, 0x93, 0x2c, 0x6b, 0x38, 0x96, 0x78, 0xbb, 0x69, 0x76, 0x12, 0x35, - 0x33, 0x65, 0x83, 0x59, 0x84, 0xae, 0x76, 0xc7, 0x4d, 0x13, 0xda, 0xb1, - 0x7b, 0x88, 0x42, 0xb5, 0x07, 0xd4, 0x24, 0x0b, 0xa1, 0x81, 0x69, 0x3c, - 0x9f, 0xc8, 0x03, 0x01, 0x5e, 0xbf, 0xc0, 0x1b, 0xa1, 0x83, 0xbc, 0xfe, - 0x4f, 0x6b, 0x7a, 0x03, 0x33, 0x25, 0x9f, 0xb9, 0x39, 0x21, 0x9c, 0x1d, - 0x2f, 0xc0, 0x89, 0x1a, 0xac, 0x8d, 0x0f, 0x1e, 0x0d, 0x7e, 0x2f, 0x5a, - 0x1e, 0xf2, 0xa3, 0xb3, 0xed, 0x3e, 0x1c, 0xb2, 0x14, 0x5f, 0x16, 0xf1, - 0x14, 0x7f, 0x4e, 0x88, 0x9c, 0xb0, 0xc7, 0xa7, 0x2b, 0x42, 0xfb, 0xb5, - 0xe8, 0x42, 0xc3, 0x5c, 0x73, 0x54, 0x85, 0x67, 0x89, 0xfc, 0x6c, 0x8a, - 0xe4, 0xcd, 0x9b, 0x2d, 0x4e, 0xa4, 0x65, 0x46, 0xd5, 0x9c, 0xfc, 0xe3, - 0xdc, 0x17, 0xeb, 0xed, 0xa8, 0x97, 0xfc, 0x4d, 0x4d, 0x81, 0xb4, 0xcf, - 0xaa, 0xb6, 0x27, 0xe0, 0xe2, 0x17, 0x2b, 0xd4, 0xb6, 0xec, 0x43, 0x26, - 0x8e, 0x07, 0x18, 0xe6, 0x20, 0xfa, 0x26, 0x95, 0x68, 0x90, 0x93, 0x97, - 0xb5, 0xc2, 0xc5, 0xf6, 0xf7, 0xf9, 0xfb, 0x28, 0x44, 0x6d, 0x70, 0x75, - 0x99, 0xb5, 0xc0, 0xc1, 0xd2, 0xd7, 0xdf, 0xfc, 0xfd, 0x01, 0x07, 0x09, - 0x16, 0x3b, 0x4c, 0x4f, 0x55, 0x63, 0x79, 0x7a, 0x88, 0x8b, 0x94, 0x9a, - 0xad, 0xc4, 0xc7, 0xd4, 0xf3, 0x16, 0x36, 0x5b, 0x95, 0xab, 0xdc, 0xe4, - 0xf5, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x0b, 0x19, 0x2d, 0x36 - }; + 0x4e, 0xfb, 0x3a, 0xbe, 0x8a, 0xc4, 0x7b, 0x40, 0xd4, 0xb1, 0xd5, 0x99, + 0x61, 0xee, 0x65, 0x8b, 0xa7, 0xc2, 0xa2, 0x12, 0x36, 0xe0, 0xc0, 0x27, + 0x96, 0x6e, 0xac, 0x19, 0xb0, 0xb4, 0x15, 0xc9, 0x82, 0x4a, 0xf9, 0x49, + 0x55, 0x23, 0x3a, 0x6a, 0x32, 0x1b, 0xa6, 0x63, 0x70, 0xbf, 0x13, 0x13, + 0xbe, 0xc0, 0x1b, 0xeb, 0xce, 0x2a, 0x7c, 0x63, 0x91, 0x83, 0x3f, 0xef, + 0x3e, 0xcd, 0x58, 0xb2, 0x13, 0xbb, 0xb7, 0x23, 0xde, 0xdd, 0x0c, 0x04, + 0xb3, 0x36, 0x44, 0xa5, 0xa4, 0x49, 0x4b, 0x47, 0x52, 0x8c, 0x61, 
0x6f, + 0xbf, 0x40, 0x75, 0xac, 0xf0, 0x4f, 0xb5, 0xd8, 0x53, 0xba, 0xda, 0xa2, + 0x5d, 0x24, 0x06, 0x51, 0x05, 0x6d, 0x3c, 0x3c, 0xfd, 0xaf, 0xba, 0xea, + 0x8f, 0x09, 0x96, 0x23, 0x4c, 0xcd, 0xbc, 0x03, 0x3f, 0x3e, 0xd2, 0x9d, + 0x2b, 0xcb, 0x86, 0x10, 0xbd, 0xd7, 0x28, 0x56, 0x1b, 0xde, 0x8a, 0x4c, + 0xd7, 0xa0, 0x36, 0x1b, 0x63, 0x0d, 0xe7, 0x1a, 0xe1, 0x0d, 0xb5, 0x0d, + 0x2c, 0xaf, 0x61, 0xdc, 0x39, 0x36, 0x58, 0xc8, 0xc4, 0xfe, 0x82, 0x2a, + 0x0b, 0x8b, 0x2d, 0x17, 0xeb, 0xbc, 0x1f, 0x9b, 0xc5, 0x94, 0x7b, 0xed, + 0x10, 0xee, 0x69, 0xff, 0xb4, 0xc6, 0x6f, 0x59, 0xaf, 0x4d, 0xa8, 0x9e, + 0xfd, 0x0c, 0xf5, 0xc7, 0x22, 0xf6, 0x68, 0x7b, 0x9c, 0x1d, 0x52, 0x8e, + 0xe3, 0xb8, 0xb6, 0x75, 0xe0, 0x1e, 0x9e, 0xef, 0x50, 0x93, 0x59, 0x05, + 0x39, 0xf9, 0x76, 0x82, 0x60, 0xbc, 0xc8, 0xfd, 0xc0, 0xb7, 0xf0, 0xd4, + 0x96, 0xb1, 0xd9, 0x81, 0x26, 0x0f, 0xda, 0x2f, 0x6c, 0xae, 0xcd, 0x70, + 0x25, 0xa7, 0x69, 0x03, 0x51, 0x16, 0xa9, 0xdb, 0x27, 0xa0, 0x4c, 0x4d, + 0x75, 0x89, 0x43, 0xa9, 0x31, 0x2b, 0x77, 0xb9, 0xd4, 0x5c, 0x38, 0x6d, + 0xc5, 0x25, 0x0b, 0x18, 0x20, 0xfe, 0x44, 0x3b, 0x07, 0xf3, 0xef, 0x6d, + 0xdb, 0xa6, 0x7e, 0x09, 0xef, 0xee, 0x9c, 0x59, 0x01, 0x6b, 0xd0, 0x76, + 0xf1, 0x2a, 0x2c, 0xde, 0x6e, 0x38, 0x6a, 0xb6, 0x90, 0xbd, 0x41, 0x7b, + 0xf1, 0x23, 0xc5, 0x28, 0x2e, 0xa9, 0x3a, 0x5f, 0xe8, 0x6a, 0x0d, 0x93, + 0xfa, 0x6b, 0x3e, 0xc1, 0x60, 0xdf, 0x64, 0x2f, 0x81, 0xf8, 0x77, 0x82, + 0x25, 0x13, 0x8c, 0xd2, 0xf7, 0x7a, 0x01, 0x3c, 0xc6, 0x72, 0x73, 0xfe, + 0x2a, 0x48, 0x18, 0x9d, 0x36, 0x0c, 0xcd, 0xe0, 0x80, 0xc2, 0x29, 0x2e, + 0x21, 0x00, 0xac, 0x81, 0x5b, 0xdb, 0x33, 0xbb, 0x50, 0xc5, 0x6f, 0xeb, + 0x49, 0x63, 0xdd, 0xef, 0x80, 0xbc, 0x2d, 0xd3, 0xe4, 0xe0, 0x69, 0xaf, + 0x8d, 0xda, 0x54, 0x06, 0x45, 0x5b, 0x69, 0x91, 0x3e, 0x4f, 0xfc, 0x1f, + 0xab, 0x0c, 0xf3, 0xdc, 0xf4, 0x7a, 0x06, 0xde, 0x64, 0x3b, 0x08, 0x7c, + 0xc9, 0x2c, 0x0d, 0xe1, 0xbd, 0xdc, 0x61, 0x9b, 0x88, 0x3a, 0x8e, 0x77, + 0xd3, 0x83, 0xbc, 0x70, 0xf6, 0x98, 0xd3, 0x72, 0xe2, 0x7e, 0x0e, 
0x8d, + 0xea, 0x3a, 0x3b, 0x26, 0x1b, 0x8e, 0xae, 0x49, 0x8c, 0x25, 0x14, 0xe4, + 0x05, 0xcd, 0x9c, 0x2c, 0xdb, 0x39, 0xe9, 0x2f, 0x16, 0xf5, 0x71, 0xe2, + 0x87, 0xc9, 0xd1, 0xd3, 0x7a, 0xbf, 0x1d, 0xbf, 0x98, 0x6c, 0xb1, 0x3c, + 0xf8, 0xf4, 0xd6, 0x19, 0xb1, 0x39, 0x45, 0xc1, 0xb4, 0xa5, 0x37, 0x2e, + 0x98, 0x55, 0xbf, 0xc2, 0x3a, 0x36, 0x95, 0x3d, 0xe9, 0xc0, 0xda, 0xdc, + 0xa1, 0x50, 0x67, 0x43, 0x0d, 0xab, 0x9a, 0xf8, 0x98, 0xb0, 0x3e, 0x8c, + 0x4e, 0x8f, 0xf0, 0xa7, 0x2a, 0xd9, 0x36, 0xaa, 0xe0, 0xe2, 0x09, 0x48, + 0xab, 0x9b, 0x5d, 0xba, 0x6d, 0xab, 0xfc, 0xb5, 0x46, 0x6f, 0xb3, 0x30, + 0xfb, 0x6f, 0x60, 0x2b, 0x28, 0x21, 0xea, 0xf9, 0x49, 0xc6, 0xc4, 0xe0, + 0x5f, 0xb6, 0x2f, 0xa0, 0x65, 0x4c, 0x02, 0x98, 0x04, 0x56, 0x10, 0x8e, + 0xac, 0x4a, 0xc7, 0x34, 0x7c, 0x82, 0x2f, 0x46, 0x70, 0x86, 0xaa, 0xc0, + 0x1c, 0x38, 0x51, 0xb0, 0x61, 0xbc, 0x8c, 0x60, 0x45, 0x67, 0x48, 0x3b, + 0x04, 0x43, 0xdf, 0x4b, 0xa1, 0x4c, 0xc2, 0xcc, 0x67, 0x19, 0x8a, 0x90, + 0x77, 0x58, 0xea, 0x56, 0x0a, 0xd4, 0x86, 0xad, 0xcc, 0x01, 0x8d, 0x48, + 0x28, 0x6e, 0x9a, 0x7c, 0x4b, 0x26, 0x8b, 0x27, 0x85, 0xbd, 0x7f, 0xd4, + 0x9e, 0x3b, 0x53, 0x20, 0xb8, 0x9f, 0xf6, 0x37, 0x8b, 0x14, 0x44, 0x0c, + 0x9c, 0x5b, 0x71, 0xc5, 0x9f, 0xfc, 0x53, 0x7d, 0x52, 0xb0, 0x5f, 0xa7, + 0xbd, 0x29, 0x6e, 0xcf, 0xf0, 0xe8, 0x85, 0x01, 0xa8, 0xa4, 0xb2, 0x78, + 0x5b, 0x8a, 0x60, 0xfa, 0x74, 0x18, 0x6f, 0x62, 0x67, 0xed, 0xaa, 0x01, + 0x63, 0xdb, 0x72, 0x3e, 0xbd, 0x3d, 0x69, 0x0c, 0x63, 0xf2, 0x88, 0x30, + 0x52, 0xe1, 0xa1, 0x28, 0xcd, 0x7c, 0xee, 0x54, 0x39, 0x21, 0xec, 0x78, + 0xc1, 0x18, 0x9d, 0xe7, 0x54, 0xf8, 0x62, 0x7e, 0x35, 0xe7, 0xa3, 0x43, + 0x06, 0x11, 0xd3, 0xa3, 0x78, 0x87, 0x9d, 0x35, 0x56, 0x9b, 0xb4, 0xf7, + 0x49, 0x85, 0x4e, 0x55, 0x7d, 0xef, 0xfd, 0x97, 0xc6, 0x52, 0xc9, 0xdf, + 0x22, 0xe3, 0x1f, 0x12, 0x03, 0xae, 0x85, 0x4f, 0x3b, 0x76, 0x84, 0xda, + 0x49, 0xaf, 0x61, 0xa4, 0x67, 0xec, 0x7f, 0x8e, 0x1f, 0xa5, 0xeb, 0x4f, + 0xea, 0x00, 0xbd, 0xfd, 0xa9, 0xdf, 0x4f, 0x07, 0x1d, 0xf8, 0xd5, 
0x1e, + 0x67, 0x25, 0xe9, 0xcf, 0x25, 0xc8, 0x82, 0x41, 0x82, 0x52, 0xb2, 0xc3, + 0xae, 0x00, 0xaa, 0x1b, 0x2c, 0xbc, 0x52, 0x75, 0x41, 0x8d, 0xaa, 0xa9, + 0x65, 0x97, 0xb4, 0x8e, 0x63, 0xf3, 0xdf, 0x98, 0xbe, 0xc7, 0x88, 0x65, + 0x10, 0x03, 0xa9, 0x50, 0x41, 0xeb, 0xf0, 0x2f, 0x62, 0xc9, 0x59, 0x81, + 0xad, 0xca, 0x03, 0xa1, 0xa1, 0x83, 0x2e, 0xb9, 0xb6, 0xd1, 0x42, 0x5b, + 0x43, 0x62, 0x14, 0xd1, 0x00, 0x9b, 0x2c, 0xe5, 0x38, 0x8a, 0x57, 0x3c, + 0x41, 0x60, 0xe8, 0xaf, 0xb9, 0xb1, 0xcb, 0xcd, 0xbc, 0x0d, 0x16, 0xc9, + 0x15, 0x91, 0x97, 0x5c, 0xce, 0xc4, 0xb1, 0x13, 0x1b, 0xcc, 0xe9, 0x8e, + 0xac, 0x23, 0x91, 0x11, 0x4f, 0x48, 0x0b, 0x6c, 0x75, 0xaf, 0x4d, 0x07, + 0xd5, 0x49, 0xd2, 0xa1, 0x7f, 0xf3, 0x86, 0x63, 0x35, 0x80, 0x9e, 0x7b, + 0x9b, 0x26, 0x65, 0x71, 0x5d, 0x10, 0xfe, 0x01, 0xea, 0x43, 0x42, 0xf5, + 0xb6, 0x20, 0x0d, 0x9b, 0x85, 0x61, 0x32, 0x4d, 0x11, 0xc7, 0xd9, 0x26, + 0x67, 0xfc, 0xe0, 0xee, 0xa7, 0x30, 0xda, 0x5d, 0xea, 0x93, 0x34, 0x8c, + 0xc6, 0x84, 0xf6, 0xac, 0x35, 0xc6, 0x90, 0xf1, 0x7d, 0x8d, 0x0f, 0xc9, + 0x9c, 0xf7, 0x0f, 0x5d, 0x74, 0xb7, 0x7a, 0x08, 0xf9, 0xb8, 0xaf, 0xd1, + 0xa6, 0xab, 0x95, 0x0f, 0x6d, 0xab, 0x88, 0x0f, 0x88, 0xa3, 0x9a, 0x16, + 0x77, 0x91, 0x41, 0x44, 0x3e, 0x79, 0xa4, 0x09, 0x9a, 0x90, 0xff, 0x6e, + 0xc4, 0x12, 0x70, 0xd5, 0x2a, 0x79, 0xf4, 0xcd, 0x0a, 0x66, 0xb7, 0xbb, + 0x7d, 0x92, 0xed, 0x00, 0x75, 0x9a, 0x9d, 0xa4, 0x8a, 0x17, 0x1b, 0xc2, + 0xfd, 0x6d, 0x1d, 0xe3, 0xa9, 0x14, 0x1f, 0x6c, 0x61, 0x4c, 0xa9, 0x7e, + 0x96, 0x96, 0xa4, 0x4a, 0xe3, 0x26, 0xd0, 0xca, 0x1d, 0x09, 0x1a, 0xab, + 0xb0, 0x30, 0xa8, 0x82, 0x46, 0x75, 0x23, 0x9a, 0xea, 0xd6, 0xcd, 0xbf, + 0x6b, 0x9d, 0xe0, 0xc3, 0x71, 0xc9, 0x25, 0xf4, 0xc4, 0x12, 0x24, 0x9d, + 0x31, 0x20, 0x01, 0x03, 0xcf, 0x67, 0xec, 0x76, 0x13, 0x1a, 0xd2, 0xbf, + 0xbe, 0x7b, 0xf3, 0x0a, 0x31, 0xde, 0x81, 0x86, 0x60, 0x0d, 0x11, 0xbd, + 0x35, 0x73, 0x0a, 0x69, 0x96, 0xca, 0xc1, 0x0e, 0xc1, 0x22, 0x4b, 0x71, + 0xc1, 0x2b, 0xcf, 0x1f, 0xf8, 0x5a, 0x2a, 0xc2, 0xf9, 0x39, 0x0a, 
0xda, + 0xd7, 0x54, 0xe0, 0xeb, 0xb1, 0xf6, 0x15, 0x3b, 0x8c, 0xf2, 0xfc, 0x06, + 0x64, 0x8a, 0xcf, 0x26, 0x10, 0xdb, 0x11, 0xd0, 0xa1, 0x6e, 0x8d, 0x25, + 0xdc, 0x79, 0x97, 0x9e, 0x9d, 0xe6, 0xb2, 0xdc, 0x23, 0x61, 0x11, 0xf8, + 0x5f, 0x76, 0xe9, 0xdf, 0x24, 0x99, 0xd5, 0x19, 0x3d, 0x3d, 0xaf, 0x13, + 0x10, 0x2d, 0xd9, 0xe4, 0x3e, 0xb5, 0x1a, 0x16, 0x6f, 0xfd, 0x98, 0x23, + 0xff, 0x8d, 0x88, 0xe1, 0xfd, 0xbd, 0xcf, 0xcb, 0xea, 0x17, 0x71, 0xa1, + 0x20, 0x2d, 0x97, 0xf4, 0xb6, 0x6c, 0x1a, 0x8d, 0x91, 0x0c, 0xb6, 0x6f, + 0x5f, 0x40, 0x5f, 0x8c, 0x78, 0x6b, 0x79, 0xe9, 0xdf, 0x8e, 0x1d, 0xf6, + 0x4f, 0x87, 0x1f, 0xbd, 0xd9, 0x5c, 0xa3, 0xf8, 0x65, 0x6b, 0x70, 0x4c, + 0xee, 0x55, 0xf2, 0x2b, 0x29, 0x9d, 0x64, 0x66, 0xef, 0x5a, 0x05, 0x44, + 0xab, 0xe9, 0xfb, 0x9e, 0xf8, 0xe9, 0x45, 0x8a, 0x3f, 0xb7, 0x5f, 0x32, + 0x8c, 0x8a, 0x36, 0xaf, 0xa3, 0x3f, 0x2b, 0xa6, 0xa8, 0x0d, 0xfd, 0x34, + 0xcf, 0x59, 0x2e, 0x3c, 0xa2, 0x17, 0x47, 0x83, 0x45, 0x6a, 0xcd, 0xcf, + 0xb5, 0x58, 0x9c, 0xcd, 0x36, 0x2e, 0x09, 0xb0, 0xe9, 0xd3, 0x10, 0x6b, + 0xc8, 0xfd, 0x91, 0x03, 0xeb, 0x3d, 0xcc, 0xe8, 0x26, 0x9f, 0xfa, 0xab, + 0x78, 0x88, 0x4c, 0x3a, 0x95, 0x57, 0x0f, 0x0b, 0x67, 0xd8, 0x63, 0xc5, + 0x6f, 0x68, 0x95, 0xa7, 0xb6, 0xe0, 0x40, 0x9e, 0x51, 0xc4, 0xd4, 0x20, + 0x47, 0x02, 0x6d, 0xf4, 0x73, 0x06, 0xbf, 0x45, 0x92, 0x83, 0xb4, 0xd6, + 0x3f, 0x4a, 0xe7, 0xa5, 0x54, 0x7c, 0x1c, 0x47, 0x8a, 0xbe, 0xa8, 0x35, + 0x37, 0x8f, 0x0f, 0x5e, 0xfa, 0xb6, 0x65, 0xc8, 0x17, 0x90, 0x08, 0xb7, + 0x1f, 0xc1, 0x6b, 0xa3, 0xd5, 0x0c, 0x6f, 0x17, 0xa2, 0x5e, 0x12, 0x85, + 0x9c, 0xb2, 0xd4, 0x87, 0x6f, 0xe4, 0x95, 0xfe, 0x21, 0xb7, 0x92, 0x03, + 0x42, 0x36, 0xdb, 0x25, 0x40, 0x24, 0xde, 0x98, 0xe4, 0x1f, 0x43, 0x98, + 0x95, 0xdb, 0xb0, 0x8a, 0x7d, 0xa7, 0x86, 0x77, 0xd0, 0xd0, 0x71, 0x54, + 0x94, 0x9d, 0x78, 0xc7, 0x66, 0x9e, 0xa1, 0x69, 0xfa, 0x1a, 0xdd, 0x0d, + 0x9b, 0xc2, 0xd3, 0x79, 0x32, 0x3c, 0x24, 0x39, 0xbf, 0x1f, 0xbb, 0x14, + 0x4b, 0x71, 0x27, 0xfc, 0xed, 0x84, 0x2b, 0x31, 0x67, 0xd9, 0x9d, 
0x38, + 0x2a, 0xa8, 0x5c, 0x7b, 0x35, 0x0b, 0x84, 0x80, 0xb2, 0x22, 0x34, 0x91, + 0x79, 0xfe, 0xba, 0x54, 0xbd, 0x5f, 0x73, 0xe5, 0x5a, 0xc7, 0x00, 0x0b, + 0xdf, 0x58, 0x38, 0x40, 0xc0, 0xfd, 0xe5, 0xaf, 0x27, 0xfa, 0x3c, 0xa5, + 0x73, 0xc3, 0xf8, 0xee, 0xca, 0x5b, 0x9e, 0x63, 0x5b, 0x00, 0x8b, 0xec, + 0x30, 0xbf, 0x87, 0xf6, 0x4d, 0x41, 0x73, 0xde, 0xf5, 0x8f, 0x3a, 0x8f, + 0x2c, 0x32, 0xaa, 0xca, 0x6e, 0x2f, 0xb8, 0x75, 0x8f, 0xa6, 0x47, 0xb0, + 0x05, 0xc7, 0xa7, 0x40, 0x53, 0xb0, 0x18, 0xcb, 0xd8, 0x42, 0x9d, 0x01, + 0xfd, 0xdf, 0xdd, 0x25, 0xe3, 0x8f, 0xfe, 0x84, 0xad, 0x6f, 0xf7, 0xff, + 0x09, 0x1b, 0x6c, 0x0b, 0x83, 0x40, 0xd5, 0xca, 0xe3, 0x37, 0xca, 0x68, + 0xe8, 0x99, 0x6a, 0xc0, 0xaf, 0xb1, 0xe1, 0xf6, 0xdf, 0xe0, 0xa3, 0x29, + 0x0b, 0x6c, 0x95, 0xdc, 0xb9, 0x85, 0xd1, 0xb5, 0xb4, 0xce, 0xbe, 0x2c, + 0xa6, 0x60, 0x9d, 0xfe, 0x04, 0x68, 0x66, 0xd7, 0x10, 0xe7, 0xd8, 0x38, + 0x67, 0xbb, 0x67, 0x42, 0x60, 0x9d, 0xc8, 0xb6, 0x07, 0x04, 0x88, 0x23, + 0x0e, 0xab, 0x2c, 0x13, 0xa2, 0x0a, 0xfb, 0x67, 0x2a, 0x4e, 0x66, 0x2f, + 0xee, 0x88, 0xc6, 0x81, 0x07, 0x5c, 0x0d, 0x7e, 0xe6, 0xa7, 0x48, 0xbc, + 0xf3, 0x5f, 0x11, 0x78, 0x5e, 0x41, 0x21, 0xde, 0x68, 0xb2, 0x2c, 0x0a, + 0x54, 0xa3, 0x8f, 0xd5, 0x6e, 0x56, 0xe5, 0x18, 0x58, 0xc2, 0x62, 0x84, + 0x11, 0xd2, 0x20, 0x33, 0x33, 0x30, 0xa4, 0x50, 0x80, 0xfa, 0x68, 0xc4, + 0x07, 0x23, 0x70, 0xb4, 0xbc, 0x40, 0x34, 0x85, 0x03, 0x40, 0xcc, 0xc1, + 0x58, 0x25, 0xb4, 0x5f, 0x23, 0x54, 0x97, 0xa4, 0xf6, 0xf5, 0x14, 0xa6, + 0xd3, 0x94, 0x84, 0x15, 0x7d, 0x06, 0x60, 0x5e, 0x81, 0xb1, 0x23, 0x59, + 0x98, 0x2d, 0xad, 0xc9, 0xb8, 0xbc, 0x6a, 0xa7, 0x62, 0xf0, 0x2e, 0x1e, + 0x7e, 0x21, 0x9d, 0x74, 0x13, 0x90, 0x38, 0x1f, 0xa9, 0x27, 0xcb, 0x35, + 0x37, 0x3c, 0x28, 0x3e, 0xb7, 0x75, 0x34, 0xed, 0x9b, 0xf6, 0x34, 0xea, + 0x35, 0xa1, 0x13, 0xf0, 0x51, 0xfd, 0xd8, 0x52, 0x7b, 0xd4, 0xe0, 0x65, + 0x0b, 0x31, 0x10, 0xed, 0x0a, 0x6e, 0xf0, 0x9f, 0x73, 0x0a, 0xb2, 0xf9, + 0x47, 0xd2, 0x34, 0xe6, 0xbc, 0x07, 0x9d, 0x57, 0x72, 0x80, 0x43, 
0x2c, + 0xa5, 0x6b, 0x57, 0xa8, 0x74, 0x43, 0xa5, 0x71, 0x91, 0xb7, 0xb9, 0xd7, + 0x93, 0xad, 0xda, 0x1f, 0x9c, 0x08, 0x2f, 0xa6, 0xca, 0x38, 0xba, 0x98, + 0x47, 0xcb, 0xe7, 0xb5, 0xbc, 0x23, 0x9c, 0x83, 0xb8, 0x06, 0xd6, 0x0f, + 0x2b, 0x74, 0xc9, 0xa5, 0xf3, 0x47, 0x58, 0x3f, 0x2a, 0x93, 0xed, 0xf9, + 0x90, 0xb3, 0x37, 0xe3, 0x59, 0xb8, 0xe2, 0x59, 0x76, 0x38, 0x62, 0xdf, + 0x5c, 0x74, 0xfd, 0x73, 0x3c, 0x29, 0x93, 0xe3, 0x1d, 0x17, 0xda, 0x53, + 0x43, 0xdf, 0x7b, 0x58, 0xf8, 0x59, 0xf1, 0xe7, 0xab, 0x3f, 0x05, 0x6d, + 0x0d, 0xb7, 0xbd, 0xf1, 0x25, 0x95, 0x30, 0xc4, 0xbf, 0x4f, 0xc7, 0x23, + 0x55, 0x4d, 0xe7, 0xdc, 0xb0, 0x1f, 0x34, 0x20, 0xfc, 0x6b, 0xec, 0x4d, + 0x3c, 0x18, 0x78, 0xd4, 0x28, 0xba, 0x5e, 0x93, 0xff, 0x2a, 0xd1, 0x7e, + 0xc7, 0x22, 0x29, 0xb3, 0xf0, 0xb2, 0x47, 0x18, 0xef, 0xaa, 0xbd, 0x27, + 0xd2, 0xca, 0xf6, 0x4e, 0xb5, 0x86, 0x78, 0xa0, 0xe5, 0xb5, 0xf5, 0x1e, + 0x4d, 0x1c, 0x3d, 0x5f, 0x2f, 0x72, 0xb1, 0x5c, 0x13, 0xea, 0x13, 0xf9, + 0x87, 0x20, 0x3e, 0x84, 0x3f, 0x6c, 0x6b, 0x3e, 0xf3, 0xdf, 0xfc, 0x6b, + 0xc3, 0x51, 0x72, 0x4e, 0xe0, 0x23, 0x81, 0x8c, 0x95, 0x07, 0x74, 0x94, + 0x6f, 0x52, 0xff, 0x02, 0x2d, 0x60, 0x5b, 0xd7, 0x5b, 0x12, 0x70, 0xdc, + 0x94, 0x0f, 0x31, 0xf8, 0xc0, 0x73, 0xed, 0x8a, 0x95, 0x0e, 0x7f, 0x97, + 0x3d, 0x2b, 0x47, 0x93, 0xa5, 0xb8, 0xec, 0x4a, 0xd9, 0xae, 0x87, 0x71, + 0xd5, 0xae, 0x87, 0x77, 0x94, 0xb7, 0xc8, 0x22, 0x91, 0xb4, 0x50, 0xe8, + 0x77, 0xd6, 0x6f, 0xcb, 0x99, 0x8b, 0xfd, 0xa8, 0xed, 0xd3, 0x35, 0x08, + 0xd2, 0x95, 0x61, 0x0b, 0x03, 0xff, 0x7b, 0x7f, 0x02, 0x57, 0x6e, 0xa9, + 0x58, 0x3d, 0xa2, 0xf0, 0xb6, 0x17, 0x09, 0x22, 0x31, 0xd4, 0x2d, 0xb7, + 0xd6, 0xad, 0xd1, 0xdf, 0xd6, 0x05, 0xc8, 0x52, 0x93, 0xc4, 0x81, 0x98, + 0xc7, 0x20, 0x7f, 0x60, 0xed, 0xe3, 0xdd, 0x91, 0xbe, 0x38, 0xeb, 0xe2, + 0x86, 0x4f, 0x51, 0xf5, 0x55, 0xdc, 0xbd, 0x7e, 0x8a, 0xaa, 0x11, 0x4e, + 0x1e, 0x73, 0x72, 0x21, 0x3a, 0xeb, 0xa4, 0x67, 0x1c, 0xf9, 0x43, 0x2a, + 0x7e, 0xbe, 0x7c, 0x3a, 0x6c, 0x54, 0xf7, 0xb4, 0xb7, 0xb6, 0x2e, 
0xfe, + 0x4f, 0x4b, 0xc0, 0x27, 0x99, 0xba, 0x3b, 0x17, 0x7d, 0x13, 0x82, 0x30, + 0x7d, 0x95, 0xb7, 0x1e, 0x53, 0x27, 0x7a, 0x14, 0x01, 0xef, 0x0c, 0xe2, + 0x99, 0xb0, 0x26, 0x7b, 0x16, 0xd1, 0x2a, 0x21, 0xeb, 0x0e, 0x8b, 0x1b, + 0x1d, 0x45, 0x03, 0x6b, 0x09, 0x50, 0xcd, 0xe6, 0x60, 0xbb, 0x21, 0xd5, + 0xa6, 0xf8, 0x2f, 0xb4, 0x53, 0x78, 0xc8, 0x13, 0x15, 0x38, 0x0e, 0x42, + 0xd3, 0x9a, 0x95, 0xfb, 0x97, 0xbe, 0xb9, 0x77, 0x9d, 0x1d, 0x36, 0xf3, + 0xb4, 0x27, 0x31, 0xdd, 0xf5, 0xb4, 0xa1, 0xa1, 0xae, 0x2a, 0x9b, 0xfd, + 0xd8, 0x4a, 0x57, 0x71, 0xbd, 0xcc, 0x00, 0xb6, 0x15, 0xd1, 0x36, 0x15, + 0x05, 0x2a, 0xea, 0x4a, 0xcc, 0x18, 0x85, 0x58, 0x9c, 0x40, 0x19, 0x72, + 0x38, 0x32, 0x07, 0x84, 0x40, 0xae, 0x9a, 0xee, 0xe4, 0x15, 0xb1, 0xfc, + 0x9f, 0xce, 0xed, 0x45, 0xd4, 0x03, 0xf8, 0x81, 0x62, 0x10, 0x4b, 0x25, + 0x76, 0x95, 0x57, 0x4e, 0xaa, 0x60, 0xec, 0x88, 0x9b, 0x56, 0x51, 0x75, + 0x96, 0x16, 0xfc, 0x22, 0x24, 0xfc, 0xa7, 0x37, 0x6b, 0x13, 0x8a, 0x02, + 0x9f, 0x93, 0x2c, 0x6b, 0x38, 0x96, 0x78, 0xbb, 0x69, 0x76, 0x12, 0x35, + 0x33, 0x65, 0x83, 0x59, 0x84, 0xae, 0x76, 0xc7, 0x4d, 0x13, 0xda, 0xb1, + 0x7b, 0x88, 0x42, 0xb5, 0x07, 0xd4, 0x24, 0x0b, 0xa1, 0x81, 0x69, 0x3c, + 0x9f, 0xc8, 0x03, 0x01, 0x5e, 0xbf, 0xc0, 0x1b, 0xa1, 0x83, 0xbc, 0xfe, + 0x4f, 0x6b, 0x7a, 0x03, 0x33, 0x25, 0x9f, 0xb9, 0x39, 0x21, 0x9c, 0x1d, + 0x2f, 0xc0, 0x89, 0x1a, 0xac, 0x8d, 0x0f, 0x1e, 0x0d, 0x7e, 0x2f, 0x5a, + 0x1e, 0xf2, 0xa3, 0xb3, 0xed, 0x3e, 0x1c, 0xb2, 0x14, 0x5f, 0x16, 0xf1, + 0x14, 0x7f, 0x4e, 0x88, 0x9c, 0xb0, 0xc7, 0xa7, 0x2b, 0x42, 0xfb, 0xb5, + 0xe8, 0x42, 0xc3, 0x5c, 0x73, 0x54, 0x85, 0x67, 0x89, 0xfc, 0x6c, 0x8a, + 0xe4, 0xcd, 0x9b, 0x2d, 0x4e, 0xa4, 0x65, 0x46, 0xd5, 0x9c, 0xfc, 0xe3, + 0xdc, 0x17, 0xeb, 0xed, 0xa8, 0x97, 0xfc, 0x4d, 0x4d, 0x81, 0xb4, 0xcf, + 0xaa, 0xb6, 0x27, 0xe0, 0xe2, 0x17, 0x2b, 0xd4, 0xb6, 0xec, 0x43, 0x26, + 0x8e, 0x07, 0x18, 0xe6, 0x20, 0xfa, 0x26, 0x95, 0x68, 0x90, 0x93, 0x97, + 0xb5, 0xc2, 0xc5, 0xf6, 0xf7, 0xf9, 0xfb, 0x28, 0x44, 0x6d, 0x70, 
0x75, + 0x99, 0xb5, 0xc0, 0xc1, 0xd2, 0xd7, 0xdf, 0xfc, 0xfd, 0x01, 0x07, 0x09, + 0x16, 0x3b, 0x4c, 0x4f, 0x55, 0x63, 0x79, 0x7a, 0x88, 0x8b, 0x94, 0x9a, + 0xad, 0xc4, 0xc7, 0xd4, 0xf3, 0x16, 0x36, 0x5b, 0x95, 0xab, 0xdc, 0xe4, + 0xf5, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x0b, 0x19, 0x2d, 0x36}; // Keygen uint8_t public_key[MLDSA44_PUBLIC_KEY_BYTES] = {0}; uint8_t private_key[MLDSA44_PRIVATE_KEY_BYTES] = {0}; - if (!ml_dsa_44_keypair_internal_no_self_test(public_key, private_key, kMLDSAKeyGenSeed) || - !check_test(kMLDSAKeyGenPublicKey, public_key, sizeof(public_key), "ML-DSA keyGen public") || - !check_test(kMLDSAKeyGenPrivateKey, private_key, sizeof(private_key), "ML-DSA keyGen private")) { + if (!ml_dsa_44_keypair_internal_no_self_test(public_key, private_key, + kMLDSAKeyGenSeed) || + !check_test(kMLDSAKeyGenPublicKey, public_key, sizeof(public_key), + "ML-DSA keyGen public") || + !check_test(kMLDSAKeyGenPrivateKey, private_key, sizeof(private_key), + "ML-DSA keyGen private")) { goto err; } 
@@ -2085,21 +2312,24 @@ static int boringssl_self_test_ml_dsa(void) { size_t sig_len = MLDSA44_SIGNATURE_BYTES; size_t mlen_int = 32; - if (!ml_dsa_44_sign_internal_no_self_test(private_key, signature, &sig_len, kMLDSASignPlaintext, - mlen_int, NULL, 0, kMLDSASigGenSeed) || - !check_test(kMLDSASignSignature, signature, sizeof(signature), "ML-DSA SigGen signature")) { + if (!ml_dsa_44_sign_internal_no_self_test(private_key, signature, &sig_len, + kMLDSASignPlaintext, mlen_int, NULL, + 0, kMLDSASigGenSeed) || + !check_test(kMLDSASignSignature, signature, sizeof(signature), + "ML-DSA SigGen signature")) { goto err; } // Verify - if (!ml_dsa_44_verify_internal_no_self_test(public_key, kMLDSASignSignature, sig_len, kMLDSASignPlaintext, + if (!ml_dsa_44_verify_internal_no_self_test(public_key, kMLDSASignSignature, + sig_len, kMLDSASignPlaintext, mlen_int, NULL, 0)) { goto err; - } + } - ret = 1; - err: - return ret; + ret = 1; +err: + return ret; } static int boringssl_self_test_eddsa(void) { 
@@ -2123,39 +2353,40 @@ static int boringssl_self_test_eddsa(void) { static const uint8_t kEd25519SignMessage[32] = { - 0x19, 0x61, 0xd1, 0xd5, 0x2d, 0x8c, 0x04, 0x5f, 0xdf, 0xc1, 0xc6, 0x82, - 0xb3, 0x5f, 0x07, 0xaa, 0xe1, 0xd3, 0xb6, 0xe5, 0x48, 0x63, 0x98, 0x30, - 0xee, 0xd9, 0x29, 0xbc, 0x12, 0x2d, 0x79, 0x9f}; + 0x19, 0x61, 0xd1, 0xd5, 0x2d, 0x8c, 0x04, 0x5f, 0xdf, 0xc1, 0xc6, + 0x82, 0xb3, 0x5f, 0x07, 0xaa, 0xe1, 0xd3, 0xb6, 0xe5, 0x48, 0x63, + 0x98, 0x30, 0xee, 0xd9, 0x29, 0xbc, 0x12, 0x2d, 0x79, 0x9f}; static const uint8_t kEd25519SignSignature[ED25519_SIGNATURE_LEN] = { - 0xa8, 0x81, 0xe8, 0xd9, 0x5d, 0xdb, 0xd5, 0xd1, 0x47, 0x60, 0xaf, 0x4e, - 0xcf, 0xce, 0x45, 0x96, 0xf7, 0x2e, 0x04, 0xd7, 0xee, 0xcc, 0xb9, 0xc6, - 0xa1, 0x93, 0xe2, 0x4d, 0xd7, 0x35, 0xb1, 0x3c, 0x18, 0xa5, 0x34, 0xc7, - 0x79, 0x31, 0x45, 0x46, 0x9d, 0xd1, 0x6f, 0x0c, 0x5e, 0x03, 0x71, 0xa3, - 0xfb, 0x85, 0x06, 0x35, 0x97, 0xc0, 0x92, 0x45, 0x97, 0xcb, 0x42, 0x75, - 0x60, 0xdb, 0x2a, 0x0b}; + 0xa8, 0x81, 0xe8, 0xd9, 0x5d, 0xdb, 0xd5, 0xd1, 0x47, 0x60, 0xaf, + 0x4e, 0xcf, 0xce, 0x45, 0x96, 0xf7, 0x2e, 0x04, 0xd7, 0xee, 0xcc, + 0xb9, 0xc6, 0xa1, 0x93, 0xe2, 0x4d, 0xd7, 0x35, 0xb1, 0x3c, 0x18, + 0xa5, 0x34, 0xc7, 0x79, 0x31, 0x45, 0x46, 0x9d, 0xd1, 0x6f, 0x0c, + 0x5e, 0x03, 0x71, 0xa3, 0xfb, 0x85, 0x06, 0x35, 0x97, 0xc0, 0x92, + 0x45, 0x97, 0xcb, 0x42, 0x75, 0x60, 0xdb, 0x2a, 0x0b}; if (!ED25519_sign_no_self_test(ed25519_out_sig, kEd25519SignMessage, sizeof(kEd25519SignMessage), ed25519_private_key) || - !check_test(kEd25519SignSignature, ed25519_out_sig, - ED25519_SIGNATURE_LEN, "ED25519-sign")) { + !check_test(kEd25519SignSignature, ed25519_out_sig, ED25519_SIGNATURE_LEN, + "ED25519-sign")) { AWS_LC_FIPS_failure("ED25519-sign failed"); goto err; } static const uint8_t kEd25519VerifyMessage[32] = { - 0x71, 0x3a, 0x7a, 0xde, 0x3d, 0x9e, 0x10, 0x9f, 0x9f, 0xc1, 0x9b, 0xc3, - 0x24, 0xe0, 0x41, 0x72, 0xee, 0x7e, 0x4d, 0x4a, 0xc6, 0x36, 0x69, 0xb7, - 0xbc, 0xdb, 0xd6, 0xd2, 0xde, 0x87, 0xdf, 
0x0e}; + 0x71, 0x3a, 0x7a, 0xde, 0x3d, 0x9e, 0x10, 0x9f, 0x9f, 0xc1, 0x9b, + 0xc3, 0x24, 0xe0, 0x41, 0x72, 0xee, 0x7e, 0x4d, 0x4a, 0xc6, 0x36, + 0x69, 0xb7, 0xbc, 0xdb, 0xd6, 0xd2, 0xde, 0x87, 0xdf, 0x0e}; static const uint8_t kEd25519VerifySignature[ED25519_SIGNATURE_LEN] = { - 0x44, 0xf2, 0x38, 0xf7, 0xea, 0x71, 0x54, 0xce, 0xdd, 0x95, 0x63, 0x11, - 0x44, 0x07, 0x8f, 0xfe, 0xc6, 0x55, 0x93, 0x8f, 0x73, 0xe2, 0x96, 0x76, - 0x72, 0x8b, 0x40, 0x0f, 0x8f, 0x46, 0xc8, 0x04, 0x8d, 0x5b, 0xf3, 0xab, - 0x12, 0x43, 0x42, 0xeb, 0xae, 0x54, 0xb6, 0xe0, 0x4f, 0x3f, 0x16, 0x7b, - 0x5e, 0xe8, 0xbd, 0xcf, 0xec, 0x9b, 0xe6, 0xff, 0x65, 0xbc, 0xc6, 0x9a, - 0x78, 0x89, 0x67, 0x0a}; - if (!ED25519_verify_no_self_test(kEd25519VerifyMessage, sizeof(kEd25519VerifyMessage), - kEd25519VerifySignature, kEd25519PublicKey)) { + 0x44, 0xf2, 0x38, 0xf7, 0xea, 0x71, 0x54, 0xce, 0xdd, 0x95, 0x63, + 0x11, 0x44, 0x07, 0x8f, 0xfe, 0xc6, 0x55, 0x93, 0x8f, 0x73, 0xe2, + 0x96, 0x76, 0x72, 0x8b, 0x40, 0x0f, 0x8f, 0x46, 0xc8, 0x04, 0x8d, + 0x5b, 0xf3, 0xab, 0x12, 0x43, 0x42, 0xeb, 0xae, 0x54, 0xb6, 0xe0, + 0x4f, 0x3f, 0x16, 0x7b, 0x5e, 0xe8, 0xbd, 0xcf, 0xec, 0x9b, 0xe6, + 0xff, 0x65, 0xbc, 0xc6, 0x9a, 0x78, 0x89, 0x67, 0x0a}; + if (!ED25519_verify_no_self_test( + kEd25519VerifyMessage, sizeof(kEd25519VerifyMessage), + kEd25519VerifySignature, kEd25519PublicKey)) { AWS_LC_FIPS_failure("ED25519-verify failed"); goto err; } 
@@ -2171,32 +2402,27 @@ static int boringssl_self_test_hasheddsa(void) { static const uint8_t kEd25519PrivateKey[ED25519_PRIVATE_KEY_SEED_LEN] = { 0xc3, 0x53, 0x7a, 0x4f, 0x31, 0x5e, 0xc5, 0x8f, 0x5d, 0xe4, 0xc2, 0x8d, 0xc5, 0x32, 0x7c, 0x79, 0xfb, 0x40, 0x7c, 0xb6, 0x70, 0xbe, - 0x05, 0xf1, 0x1b, 0x0f, 0x70, 0x06, 0x40, 0x70, 0x21, 0x27 - }; + 0x05, 0xf1, 0x1b, 0x0f, 0x70, 0x06, 0x40, 0x70, 0x21, 0x27}; static const uint8_t kEd25519PublicKey[ED25519_PUBLIC_KEY_LEN] = { 0x63, 0x36, 0xa6, 0x15, 0xdf, 0x2d, 0xe9, 0x3b, 0x8d, 0xab, 0x78, 0xe9, 0x7b, 0x82, 0x7b, 0x2d, 0x5c, 0xeb, 0xeb, 0xd7, 0xfa, 0xa7, - 0x7e, 0x3d, 0x97, 0xea, 0xf3, 0x6b, 0x12, 0xf7, 0x22, 0xe3 - }; + 0x7e, 0x3d, 0x97, 0xea, 0xf3, 0x6b, 0x12, 0xf7, 0x22, 0xe3}; static const uint8_t kEd25519Context[32] = { - 0x76, 0x34, 0x2c, 0x15, 0xb7, 0x11, 0x97, 0x5d, 0x86, 0xd0, 0x11, 0xdd, - 0x28, 0xec, 0x76, 0xf9, 0xb9, 0xe7, 0x2a, 0xb1, 0x5a, 0x50, 0x15, 0xb0, - 0xdd, 0xca, 0xfa, 0x8f, 0xed, 0x54, 0x80, 0x66 - }; + 0x76, 0x34, 0x2c, 0x15, 0xb7, 0x11, 0x97, 0x5d, 0x86, 0xd0, 0x11, + 0xdd, 0x28, 0xec, 0x76, 0xf9, 0xb9, 0xe7, 0x2a, 0xb1, 0x5a, 0x50, + 0x15, 0xb0, 0xdd, 0xca, 0xfa, 0x8f, 0xed, 0x54, 0x80, 0x66}; static const uint8_t kEd25519SignMessage[32] = { - 0xf9, 0xbf, 0xec, 0x63, 0xc4, 0xe0, 0x73, 0xfa, 0x97, 0x1a, 0x80, 0x49, - 0x91, 0x47, 0xd0, 0x0a, 0xcd, 0x26, 0xaa, 0xe1, 0xff, 0x03, 0x64, 0xdb, - 0x20, 0xf8, 0xa7, 0xa4, 0x95, 0x4d, 0xb3, 0x87 - }; + 0xf9, 0xbf, 0xec, 0x63, 0xc4, 0xe0, 0x73, 0xfa, 0x97, 0x1a, 0x80, + 0x49, 0x91, 0x47, 0xd0, 0x0a, 0xcd, 0x26, 0xaa, 0xe1, 0xff, 0x03, + 0x64, 0xdb, 0x20, 0xf8, 0xa7, 0xa4, 0x95, 0x4d, 0xb3, 0x87}; static const uint8_t kEd25519SignSignature[ED25519_SIGNATURE_LEN] = { - 0x0b, 0x93, 0x3d, 0x3f, 0x59, 0x00, 0xe3, 0xa1, 0xe5, 0x39, 0x47, 0xce, - 0x97, 0x32, 0xc7, 0x01, 0x40, 0x37, 0xe9, 0xc9, 0x4b, 0x71, 0xcd, 0x3a, - 0xfb, 0x60, 0x46, 0xaa, 0x29, 0xfe, 0xa9, 0xbb, 0xd8, 0x1c, 0x50, 0x54, - 0x10, 0x64, 0xc6, 0x59, 0xd0, 0x07, 0x5f, 0xb3, 0x8c, 0x8b, 0x42, 0x0f, - 
0x81, 0x48, 0x68, 0x2d, 0xc9, 0xf8, 0x38, 0x43, 0x55, 0x10, 0x5c, 0x39, - 0x70, 0xd2, 0x06, 0x09 -}; + 0x0b, 0x93, 0x3d, 0x3f, 0x59, 0x00, 0xe3, 0xa1, 0xe5, 0x39, 0x47, + 0xce, 0x97, 0x32, 0xc7, 0x01, 0x40, 0x37, 0xe9, 0xc9, 0x4b, 0x71, + 0xcd, 0x3a, 0xfb, 0x60, 0x46, 0xaa, 0x29, 0xfe, 0xa9, 0xbb, 0xd8, + 0x1c, 0x50, 0x54, 0x10, 0x64, 0xc6, 0x59, 0xd0, 0x07, 0x5f, 0xb3, + 0x8c, 0x8b, 0x42, 0x0f, 0x81, 0x48, 0x68, 0x2d, 0xc9, 0xf8, 0x38, + 0x43, 0x55, 0x10, 0x5c, 0x39, 0x70, 0xd2, 0x06, 0x09}; uint8_t ed25519_private_key[ED25519_PRIVATE_KEY_LEN] = {0}; OPENSSL_memcpy(ed25519_private_key, kEd25519PrivateKey, 
@@ -2208,26 +2434,26 @@ static int boringssl_self_test_hasheddsa(void) { if (!ED25519ph_sign_no_self_test( &ed25519_out_sig[0], kEd25519SignMessage, sizeof(kEd25519SignMessage), ed25519_private_key, kEd25519Context, sizeof(kEd25519Context)) || - !check_test(kEd25519SignSignature, ed25519_out_sig, - ED25519_SIGNATURE_LEN, "ED25519ph-sign")) { + !check_test(kEd25519SignSignature, ed25519_out_sig, ED25519_SIGNATURE_LEN, + "ED25519ph-sign")) { goto err; } static const uint8_t kEd25519VerifyMessage[32] = { - 0x36, 0xc7, 0xf4, 0x5a, 0x29, 0xa6, 0x84, 0xa8, 0x01, 0x37, 0x53, 0xb1, - 0xc6, 0x10, 0x09, 0x79, 0x1f, 0xbc, 0x6e, 0xd4, 0xaf, 0x81, 0x31, 0xaa, - 0x4b, 0xc2, 0x76, 0x3d, 0x7f, 0xd5, 0xf7, 0x50 - }; + 0x36, 0xc7, 0xf4, 0x5a, 0x29, 0xa6, 0x84, 0xa8, 0x01, 0x37, 0x53, + 0xb1, 0xc6, 0x10, 0x09, 0x79, 0x1f, 0xbc, 0x6e, 0xd4, 0xaf, 0x81, + 0x31, 0xaa, 0x4b, 0xc2, 0x76, 0x3d, 0x7f, 0xd5, 0xf7, 0x50}; static const uint8_t kEd25519VerifySignature[ED25519_SIGNATURE_LEN] = { - 0x10, 0x1b, 0xcc, 0xa2, 0x56, 0xef, 0x62, 0x0b, 0xb0, 0x87, 0x59, 0x2e, - 0x91, 0x73, 0x36, 0xd8, 0x54, 0x2b, 0x71, 0x72, 0x8e, 0x2a, 0x27, 0x48, - 0xc5, 0x5c, 0x71, 0x9b, 0x82, 0x5d, 0xad, 0x45, 0x21, 0xbf, 0xb3, 0x75, - 0x62, 0x4b, 0x27, 0xff, 0xf8, 0x1c, 0xbf, 0x71, 0x65, 0xe5, 0xba, 0x4a, - 0x98, 0xe8, 0xc4, 0x51, 0xb3, 0xc3, 0xc2, 0xfa, 0x23, 0x27, 0x8f, 0x2b, - 0xb7, 0x45, 0x81, 0x07 -}; - if (!ED25519ph_verify_no_self_test(kEd25519VerifyMessage, sizeof(kEd25519VerifyMessage), - kEd25519VerifySignature, kEd25519PublicKey, kEd25519Context, sizeof(kEd25519Context))) { + 0x10, 0x1b, 0xcc, 0xa2, 0x56, 0xef, 0x62, 0x0b, 0xb0, 0x87, 0x59, + 0x2e, 0x91, 0x73, 0x36, 0xd8, 0x54, 0x2b, 0x71, 0x72, 0x8e, 0x2a, + 0x27, 0x48, 0xc5, 0x5c, 0x71, 0x9b, 0x82, 0x5d, 0xad, 0x45, 0x21, + 0xbf, 0xb3, 0x75, 0x62, 0x4b, 0x27, 0xff, 0xf8, 0x1c, 0xbf, 0x71, + 0x65, 0xe5, 0xba, 0x4a, 0x98, 0xe8, 0xc4, 0x51, 0xb3, 0xc3, 0xc2, + 0xfa, 0x23, 0x27, 0x8f, 0x2b, 0xb7, 0x45, 0x81, 0x07}; + if (!ED25519ph_verify_no_self_test( + 
kEd25519VerifyMessage, sizeof(kEd25519VerifyMessage), + kEd25519VerifySignature, kEd25519PublicKey, kEd25519Context, + sizeof(kEd25519Context))) { AWS_LC_FIPS_failure("ED25519ph-verify failed"); goto err; } 
@@ -2391,28 +2617,24 @@ int boringssl_self_test_hmac_sha256(void) { } static int boringssl_self_test_hkdf_sha256(void) { - static const uint8_t kHKDF_ikm_tc1[] = { // RFC 5869 Test Case 1 - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b - }; - static const uint8_t kHKDF_salt_tc1[] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, - 0x0c - }; - static const uint8_t kHKDF_info_tc1[] = { - 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 - }; + static const uint8_t kHKDF_ikm_tc1[] = { + // RFC 5869 Test Case 1 + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b}; + static const uint8_t kHKDF_salt_tc1[] = {0x00, 0x01, 0x02, 0x03, 0x04, + 0x05, 0x06, 0x07, 0x08, 0x09, + 0x0a, 0x0b, 0x0c}; + static const uint8_t kHKDF_info_tc1[] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, + 0xf5, 0xf6, 0xf7, 0xf8, 0xf9}; static const uint8_t kHKDF_okm_tc1_sha256[] = { - 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f, 0x64, - 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c, - 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34, 0x00, 0x72, 0x08, - 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65 - }; + 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f, + 0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, + 0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34, + 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65}; uint8_t output[sizeof(kHKDF_okm_tc1_sha256)]; - HKDF(output, sizeof(output), EVP_sha256(), - kHKDF_ikm_tc1, sizeof(kHKDF_ikm_tc1), - kHKDF_salt_tc1, sizeof(kHKDF_salt_tc1), + HKDF(output, sizeof(output), EVP_sha256(), kHKDF_ikm_tc1, + sizeof(kHKDF_ikm_tc1), kHKDF_salt_tc1, sizeof(kHKDF_salt_tc1), kHKDF_info_tc1, sizeof(kHKDF_info_tc1)); return check_test(kHKDF_okm_tc1_sha256, output, sizeof(output), "HKDF-SHA-256 
KAT"); @@ -2424,14 +2646,14 @@ static int boringssl_self_test_sha3_256(void) { // Msg = d83c721ee51b060c5a41438a8221e040 // MD = b87d9e4722edd3918729ded9a6d03af8256998ee088a1ae662ef4bcaff142a96 static const uint8_t kInput[16] = { - 0xd8, 0x3c, 0x72, 0x1e, 0xe5, 0x1b, 0x06, 0x0c, - 0x5a, 0x41, 0x43, 0x8a, 0x82, 0x21, 0xe0, 0x40, -}; + 0xd8, 0x3c, 0x72, 0x1e, 0xe5, 0x1b, 0x06, 0x0c, + 0x5a, 0x41, 0x43, 0x8a, 0x82, 0x21, 0xe0, 0x40, + }; static const uint8_t kPlaintextSHA3_256[SHA3_256_DIGEST_LENGTH] = { - 0xb8, 0x7d, 0x9e, 0x47, 0x22, 0xed, 0xd3, 0x91, 0x87, 0x29, 0xde, - 0xd9, 0xa6, 0xd0, 0x3a, 0xf8, 0x25, 0x69, 0x98, 0xee, 0x08, 0x8a, - 0x1a, 0xe6, 0x62, 0xef, 0x4b, 0xca, 0xff, 0x14, 0x2a, 0x96, -}; + 0xb8, 0x7d, 0x9e, 0x47, 0x22, 0xed, 0xd3, 0x91, 0x87, 0x29, 0xde, + 0xd9, 0xa6, 0xd0, 0x3a, 0xf8, 0x25, 0x69, 0x98, 0xee, 0x08, 0x8a, + 0x1a, 0xe6, 0x62, 0xef, 0x4b, 0xca, 0xff, 0x14, 0x2a, 0x96, + }; uint8_t output[SHA3_256_DIGEST_LENGTH]; // SHA3-256 KAT @@ -2559,7 +2781,8 @@ static int boringssl_self_test_fast(void) { NULL, 0) || !check_test(kAESGCMDecPlaintext, output, sizeof(kAESGCMDecPlaintext), "AES-GCM-decrypt KAT")) { - AWS_LC_FIPS_failure("AES-GCM-decrypt KAT failed because EVP_AEAD_CTX_open failed"); + AWS_LC_FIPS_failure( + "AES-GCM-decrypt KAT failed because EVP_AEAD_CTX_open failed"); goto err; } @@ -2573,13 +2796,11 @@ static int boringssl_self_test_fast(void) { 0x09, 0x11, 0x6d, 0x1a, 0xfd, 0x0f, 0x1e, 0x11, 0xe3, 0xcb, }; SHA1(kSHA1Input, sizeof(kSHA1Input), output); - if (!check_test(kSHA1Digest, output, sizeof(kSHA1Digest), - "SHA-1 KAT")) { + if (!check_test(kSHA1Digest, output, sizeof(kSHA1Digest), "SHA-1 KAT")) { goto err; } - if (!boringssl_self_test_sha512() || - !boringssl_self_test_sha3_256() || + if (!boringssl_self_test_sha512() || !boringssl_self_test_sha3_256() || !boringssl_self_test_hkdf_sha256()) { goto err; } 
@@ -2673,19 +2894,17 @@ static int boringssl_self_test_fast(void) { // PBKDF2 KAT - password/salt data from RFC 6070, derived key generated by // Python's cryptography module static const uint8_t kPBKDF2Password[] = { - 'p', 'a', 's', 's', 'w', 'o', 'r', 'd', 'P', 'A', 'S', 'S', 'W', 'O', 'R', - 'D', 'p', 'a', 's', 's', 'w', 'o', 'r', 'd' - }; + 'p', 'a', 's', 's', 'w', 'o', 'r', 'd', 'P', 'A', 'S', 'S', + 'W', 'O', 'R', 'D', 'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; static const uint8_t kPBKDF2Salt[] = { - 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', - 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', - 'L', 'T', 's', 'a', 'l', 't' - }; + 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', + 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', + 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't'}; const unsigned kPBKDF2Iterations = 2; static const uint8_t kPBKDF2DerivedKey[] = { - 0x13, 0xdc, 0x8a, 0x7c, 0x13, 0xd3, 0x72, 0xc9, 0x03, 0x82, 0x82, 0x2d, - 0x2d, 0xc4, 0x92, 0xf2, 0xed, 0x52, 0x46, 0x7f, 0xb7, 0x82, 0x8e, 0xa8, - 0x64 // 25 bytes + 0x13, 0xdc, 0x8a, 0x7c, 0x13, 0xd3, 0x72, 0xc9, 0x03, 0x82, 0x82, 0x2d, + 0x2d, 0xc4, 0x92, 0xf2, 0xed, 0x52, 0x46, 0x7f, 0xb7, 0x82, 0x8e, 0xa8, + 0x64 // 25 bytes }; uint8_t pbkdf2_output[sizeof(kPBKDF2DerivedKey)]; if (!PKCS5_PBKDF2_HMAC((const char *)kPBKDF2Password, sizeof(kPBKDF2Password), 
@@ -2743,27 +2962,24 @@ static int boringssl_self_test_fast(void) { // KBKDF counter HMAC-SHA-256 static const uint8_t kKBKDF_ctr_hmac_secret[] = { - 0xdd, 0x1d, 0x91, 0xb7, 0xd9, 0x0b, 0x2b, 0xd3, 0x13, 0x85, 0x33, 0xce, - 0x92, 0xb2, 0x72, 0xfb, 0xf8, 0xa3, 0x69, 0x31, 0x6a, 0xef, 0xe2, 0x42, - 0xe6, 0x59, 0xcc, 0x0a, 0xe2, 0x38, 0xaf, 0xe0 - }; + 0xdd, 0x1d, 0x91, 0xb7, 0xd9, 0x0b, 0x2b, 0xd3, 0x13, 0x85, 0x33, + 0xce, 0x92, 0xb2, 0x72, 0xfb, 0xf8, 0xa3, 0x69, 0x31, 0x6a, 0xef, + 0xe2, 0x42, 0xe6, 0x59, 0xcc, 0x0a, 0xe2, 0x38, 0xaf, 0xe0}; static const uint8_t kKBKDF_ctr_hmac_info[] = { - 0x01, 0x32, 0x2b, 0x96, 0xb3, 0x0a, 0xcd, 0x19, 0x79, 0x79, 0x44, 0x4e, - 0x46, 0x8e, 0x1c, 0x5c, 0x68, 0x59, 0xbf, 0x1b, 0x1c, 0xf9, 0x51, 0xb7, - 0xe7, 0x25, 0x30, 0x3e, 0x23, 0x7e, 0x46, 0xb8, 0x64, 0xa1, 0x45, 0xfa, - 0xb2, 0x5e, 0x51, 0x7b, 0x08, 0xf8, 0x68, 0x3d, 0x03, 0x15, 0xbb, 0x29, - 0x11, 0xd8, 0x0a, 0x0e, 0x8a, 0xba, 0x17, 0xf3, 0xb4, 0x13, 0xfa, 0xac - }; + 0x01, 0x32, 0x2b, 0x96, 0xb3, 0x0a, 0xcd, 0x19, 0x79, 0x79, 0x44, 0x4e, + 0x46, 0x8e, 0x1c, 0x5c, 0x68, 0x59, 0xbf, 0x1b, 0x1c, 0xf9, 0x51, 0xb7, + 0xe7, 0x25, 0x30, 0x3e, 0x23, 0x7e, 0x46, 0xb8, 0x64, 0xa1, 0x45, 0xfa, + 0xb2, 0x5e, 0x51, 0x7b, 0x08, 0xf8, 0x68, 0x3d, 0x03, 0x15, 0xbb, 0x29, + 0x11, 0xd8, 0x0a, 0x0e, 0x8a, 0xba, 0x17, 0xf3, 0xb4, 0x13, 0xfa, 0xac}; static const uint8_t kKBKDF_ctr_hmac_output[] = { - 0x10, 0x62, 0x13, 0x42, 0xbf, 0xb0, 0xfd, 0x40, 0x04, 0x6c, 0x0e, 0x29, - 0xf2, 0xcf, 0xdb, 0xf0 - }; + 0x10, 0x62, 0x13, 0x42, 0xbf, 0xb0, 0xfd, 0x40, + 0x04, 0x6c, 0x0e, 0x29, 0xf2, 0xcf, 0xdb, 0xf0}; uint8_t kbkdf_ctr_hmac_output[sizeof(kKBKDF_ctr_hmac_output)]; if (!KBKDF_ctr_hmac(kbkdf_ctr_hmac_output, sizeof(kbkdf_ctr_hmac_output), - EVP_sha256(), - kKBKDF_ctr_hmac_secret, sizeof(kKBKDF_ctr_hmac_secret), - kKBKDF_ctr_hmac_info, sizeof(kKBKDF_ctr_hmac_info)) || + EVP_sha256(), kKBKDF_ctr_hmac_secret, + sizeof(kKBKDF_ctr_hmac_secret), kKBKDF_ctr_hmac_info, + sizeof(kKBKDF_ctr_hmac_info)) || 
!check_test(kKBKDF_ctr_hmac_output, kbkdf_ctr_hmac_output, sizeof(kbkdf_ctr_hmac_output), "KBKDF-CTR-HMAC-SHA-256 KAT")) {
@@ -2781,12 +2997,9 @@ static int boringssl_self_test_fast(void) {
 int BORINGSSL_self_test(void) {
 if (!boringssl_self_test_fast() ||
 // When requested to run self tests, also run the lazy tests.
- !boringssl_self_test_rsa() ||
- !boringssl_self_test_ecc() ||
- !boringssl_self_test_ffdh() ||
- !boringssl_self_test_ml_kem() ||
- !boringssl_self_test_ml_dsa() ||
- !boringssl_self_test_eddsa() ||
+ !boringssl_self_test_rsa() || !boringssl_self_test_ecc() ||
+ !boringssl_self_test_ffdh() || !boringssl_self_test_ml_kem() ||
+ !boringssl_self_test_ml_dsa() || !boringssl_self_test_eddsa() ||
 !boringssl_self_test_hasheddsa()) {
 return 0;
 }
@@ -2795,7 +3008,5 @@ int BORINGSSL_self_test(void) {
 }
 
 #if defined(BORINGSSL_FIPS)
-int boringssl_self_test_startup(void) {
- return boringssl_self_test_fast();
-}
+int boringssl_self_test_startup(void) { return boringssl_self_test_fast(); }
 #endif
diff --git a/crypto/fipsmodule/service_indicator/internal.h b/crypto/fipsmodule/service_indicator/internal.h
index 58fc1dd0b0..a1f220988c 100644
--- a/crypto/fipsmodule/service_indicator/internal.h
+++ b/crypto/fipsmodule/service_indicator/internal.h
@@ -46,7 +46,7 @@ void EVP_DigestVerify_verify_service_indicator(const EVP_MD_CTX *ctx);
 void EVP_PKEY_keygen_verify_service_indicator(const EVP_PKEY *pkey);
 void HMAC_verify_service_indicator(const EVP_MD *evp_md);
 void HKDF_verify_service_indicator(const EVP_MD *evp_md, const uint8_t *salt,
- size_t salt_len, size_t info_len);
+ size_t salt_len, size_t info_len);
 void HKDFExpand_verify_service_indicator(const EVP_MD *evp_md);
 void PBKDF2_verify_service_indicator(const EVP_MD *evp_md, size_t password_len,
 size_t salt_len, unsigned iterations);
@@ -55,17 +55,18 @@ void TLSKDF_verify_service_indicator(const EVP_MD *dgst, const char *label, size_t label_len); void SSKDF_digest_verify_service_indicator(const EVP_MD *dgst); void SSKDF_hmac_verify_service_indicator(const EVP_MD *dgst); -void KBKDF_ctr_hmac_verify_service_indicator(const EVP_MD *dgst, size_t secret_len); -void EVP_PKEY_encapsulate_verify_service_indicator(const EVP_PKEY_CTX* ctx); -void EVP_PKEY_decapsulate_verify_service_indicator(const EVP_PKEY_CTX* ctx); +void KBKDF_ctr_hmac_verify_service_indicator(const EVP_MD *dgst, + size_t secret_len); +void EVP_PKEY_encapsulate_verify_service_indicator(const EVP_PKEY_CTX *ctx); +void EVP_PKEY_decapsulate_verify_service_indicator(const EVP_PKEY_CTX *ctx); #else // Service indicator functions are no-ops in non-FIPS builds. -OPENSSL_INLINE void FIPS_service_indicator_update_state(void) { } -OPENSSL_INLINE void FIPS_service_indicator_lock_state(void) { } -OPENSSL_INLINE void FIPS_service_indicator_unlock_state(void) { } +OPENSSL_INLINE void FIPS_service_indicator_update_state(void) {} +OPENSSL_INLINE void FIPS_service_indicator_lock_state(void) {} +OPENSSL_INLINE void FIPS_service_indicator_unlock_state(void) {} // Service indicator check functions listed below are optimized to not do extra // checks, when not in FIPS mode. Arguments are cast with |OPENSSL_UNUSED| in an @@ -101,10 +102,8 @@ OPENSSL_INLINE void HMAC_verify_service_indicator( OPENSSL_UNUSED const EVP_MD *evp_md) {} OPENSSL_INLINE void HKDF_verify_service_indicator( - OPENSSL_UNUSED const EVP_MD *evp_md, - OPENSSL_UNUSED const uint8_t *salt, - OPENSSL_UNUSED size_t salt_len, - OPENSSL_UNUSED size_t info_len) {} + OPENSSL_UNUSED const EVP_MD *evp_md, OPENSSL_UNUSED const uint8_t *salt, + OPENSSL_UNUSED size_t salt_len, OPENSSL_UNUSED size_t info_len) {} OPENSSL_INLINE void HKDFExpand_verify_service_indicator( OPENSSL_UNUSED const EVP_MD *evp_md) {} 
@@ -117,8 +116,7 @@ OPENSSL_INLINE void SSHKDF_verify_service_indicator(
 OPENSSL_UNUSED const EVP_MD *evp_md) {}
 OPENSSL_INLINE void TLSKDF_verify_service_indicator(
- OPENSSL_UNUSED const EVP_MD *dgst,
- OPENSSL_UNUSED const char *label,
+ OPENSSL_UNUSED const EVP_MD *dgst, OPENSSL_UNUSED const char *label,
 OPENSSL_UNUSED size_t label_len) {}
 OPENSSL_INLINE void SSKDF_digest_verify_service_indicator(
@@ -127,13 +125,16 @@ OPENSSL_INLINE void SSKDF_digest_verify_service_indicator(
 OPENSSL_INLINE void SSKDF_hmac_verify_service_indicator(
 OPENSSL_UNUSED const EVP_MD *dgst) {}
-OPENSSL_INLINE void KBKDF_ctr_hmac_verify_service_indicator(OPENSSL_UNUSED const EVP_MD *dgst, size_t secret_len) {}
+OPENSSL_INLINE void KBKDF_ctr_hmac_verify_service_indicator(
+ OPENSSL_UNUSED const EVP_MD *dgst, size_t secret_len) {}
-OPENSSL_INLINE void EVP_PKEY_encapsulate_verify_service_indicator(OPENSSL_UNUSED const EVP_PKEY_CTX* ctx) {}
+OPENSSL_INLINE void EVP_PKEY_encapsulate_verify_service_indicator(
+ OPENSSL_UNUSED const EVP_PKEY_CTX *ctx) {}
-OPENSSL_INLINE void EVP_PKEY_decapsulate_verify_service_indicator(OPENSSL_UNUSED const EVP_PKEY_CTX* ctx) {}
+OPENSSL_INLINE void EVP_PKEY_decapsulate_verify_service_indicator(
+ OPENSSL_UNUSED const EVP_PKEY_CTX *ctx) {}
-#endif // AWSLC_FIPS
+#endif // AWSLC_FIPS
 // is_fips_build is similar to |FIPS_mode| but returns 1 including in the case
 // of #if defined(OPENSSL_ASAN)
diff --git a/crypto/fipsmodule/service_indicator/service_indicator.c b/crypto/fipsmodule/service_indicator/service_indicator.c
index b060c22846..3f6f3916c5 100644
--- a/crypto/fipsmodule/service_indicator/service_indicator.c
+++ b/crypto/fipsmodule/service_indicator/service_indicator.c
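Review bot: In the non-FIPS no-op stub for `KBKDF_ctr_hmac_verify_service_indicator`, `secret_len` is the only parameter in this run of stubs that is not wrapped in `OPENSSL_UNUSED`, which the comment earlier in this header says is how arguments of these stubs are marked; clang-format only rewrapped the line. Suggest `OPENSSL_UNUSED const EVP_MD *dgst, OPENSSL_UNUSED size_t secret_len) {}` so it matches its neighbours. Whether the omission currently produces an unused-parameter warning depends on build flags not visible in this diff.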
@@ -183,7 +183,8 @@ static int is_md_fips_approved_for_signing(int md_type, int pkey_type) {
 return 1;
 // [TODO] SHAKE is only approved for signing with RSA PSS
- // if (pkey_type == EVP_PKEY_RSA_PSS) // This will be needed when SHAKE is added
+ // if (pkey_type == EVP_PKEY_RSA_PSS) // This will be needed when SHAKE is
+ // added
 // return 1;
 //}
 default:
@@ -209,7 +210,8 @@ static int is_md_fips_approved_for_verifying(int md_type, int pkey_type) {
 return 1;
 // [TODO] SHAKE is only approved for signing with RSA PSS
- // if (pkey_type == EVP_PKEY_RSA_PSS) // This will be needed when SHAKE is added
+ // if (pkey_type == EVP_PKEY_RSA_PSS) // This will be needed when SHAKE is
+ // added
 // return 1;
 //}
 default:
@@ -232,7 +234,7 @@ static int custom_meth_invoked(const EVP_PKEY_CTX *ctx) {
 if (ctx->operation == EVP_PKEY_OP_VERIFY) {
 return meth->verify_raw ? 1 : 0;
 }
- if(ctx->operation == EVP_PKEY_OP_SIGN) {
+ if (ctx->operation == EVP_PKEY_OP_SIGN) {
 // There are cases where custom |sign| functionality may be set but
 // not |sign_raw|. This check is more conservative and fails if
 // custom functionality is provided for either function pointer.
@@ -260,14 +262,15 @@ static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx,
 int (*md_ok)(int md_type, int pkey_type)) {
 if (EVP_MD_CTX_md(ctx) == NULL) {
- if(ctx->pctx->pkey->type == EVP_PKEY_ED25519) {
+ if (ctx->pctx->pkey->type == EVP_PKEY_ED25519) {
 // FIPS 186-5:
 //. 7.6 EdDSA Signature Generation
 // 7.7 EdDSA Signature Verification
 FIPS_service_indicator_update_state();
 return;
 }
- // All other signature schemes without a prehash are currently never FIPS approved.
+ // All other signature schemes without a prehash are currently never FIPS
+ // approved.
 goto err;
 }
@@ -305,14 +308,16 @@ static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx,
 }
 }
- // The approved RSA key sizes for signing are key sizes >= 2048 bits and bits % 2 == 0.
+ // The approved RSA key sizes for signing are key sizes >= 2048 bits and
+ // bits % 2 == 0.
 size_t n_bits = RSA_bits(ctx->pctx->pkey->pkey.rsa);
 // Check if the MD type and the RSA key size are approved. Also checking if
 // custom operations from |pkey.rsa->meth| were invoked.
 if (md_ok(md_type, pkey_type) &&
- ((rsa_1024_ok && n_bits == 1024) || (n_bits >= 2048 && n_bits % 2 == 0))
- && !custom_meth_invoked(pctx)) {
+ ((rsa_1024_ok && n_bits == 1024) ||
+ (n_bits >= 2048 && n_bits % 2 == 0)) &&
+ !custom_meth_invoked(pctx)) {
 FIPS_service_indicator_update_state();
 }
 } else if (pkey_type == EVP_PKEY_EC) {
@@ -553,14 +558,15 @@ void TLSKDF_verify_service_indicator(const EVP_MD *dgst, const char *label,
 }
 }
-// "Whenever a hash function is employed (including as the primitive used by HMAC), an
-// approved hash function shall be used. FIPS 180 and FIPS 202 specify approved hash
-// functions"
+// "Whenever a hash function is employed (including as the primitive used by
+// HMAC), an approved hash function shall be used. FIPS 180 and FIPS 202 specify
+// approved hash functions"
 //
 // * FIPS 180 covers the SHA-1 and SHA-2* family of algorithms
 // * FIPS 202 covers the SHA3-* family of algorithms
 //
-// Sourced from NIST.SP.800-56Cr2 Section 7: Selecting Hash Functions and MAC Algorithms
+// Sourced from NIST.SP.800-56Cr2 Section 7: Selecting Hash Functions and MAC
+// Algorithms
 // https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
 void SSKDF_digest_verify_service_indicator(const EVP_MD *dgst) {
 switch (dgst->type) {
@@ -582,14 +588,16 @@ void SSKDF_digest_verify_service_indicator(const EVP_MD *dgst) {
 }
 }
-// "Whenever a hash function is employed (including as the primitive used by HMAC), an
-// approved hash function shall be used. FIPS 180 and FIPS 202 specify approved hash
-// functions"
+// "Whenever a hash function is employed (including as the primitive used by
+// HMAC), an approved hash function shall be used. FIPS 180 and FIPS 202 specify
+// approved hash functions"
 //
 // * FIPS 180 covers the SHA-1 and SHA-2* family of algorithms
-// * FIPS 202 covers the SHA3-* family of algorithms (Note: AWS-LC does not currently support SHA-3 with HMAC)
+// * FIPS 202 covers the SHA3-* family of algorithms (Note: AWS-LC does not
+// currently support SHA-3 with HMAC)
 //
-// Sourced from NIST.SP.800-56Cr2 Section 7: Selecting Hash Functions and MAC Algorithms
+// Sourced from NIST.SP.800-56Cr2 Section 7: Selecting Hash Functions and MAC
+// Algorithms
 // https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
 void SSKDF_hmac_verify_service_indicator(const EVP_MD *dgst) {
 switch (dgst->type) {
@@ -607,15 +615,18 @@ void SSKDF_hmac_verify_service_indicator(const EVP_MD *dgst) {
 }
 }
-// "For key derivation, this Recommendation approves the use of the keyed-Hash Message
-// Authentication Code (HMAC) specified in FIPS 198-1".
+// "For key derivation, this Recommendation approves the use of the keyed-Hash
+// Message Authentication Code (HMAC) specified in FIPS 198-1".
-// * FIPS 198-1 references FIPS 180-3 which covers the SHA-1 and SHA-2* family of algorithms
-// * NIST also provides ACVP vectors for SHA3-* family of algorithms but our HMAC does not support this
+// * FIPS 198-1 references FIPS 180-3 which covers the SHA-1 and SHA-2* family
+// of algorithms
+// * NIST also provides ACVP vectors for SHA3-* family of algorithms but our
+// HMAC does not support this
 //
 // Sourced from NIST SP 800-108r1-upd1 Section 3: Pseudorandom Function (PRF)
 // https://doi.org/10.6028/NIST.SP.800-108r1-upd1
-void KBKDF_ctr_hmac_verify_service_indicator(const EVP_MD *dgst, size_t secret_len) {
+void KBKDF_ctr_hmac_verify_service_indicator(const EVP_MD *dgst,
+ size_t secret_len) {
 switch (dgst->type) {
 case NID_sha1:
 case NID_sha224:
@@ -624,7 +635,8 @@ void KBKDF_ctr_hmac_verify_service_indicator(const EVP_MD *dgst, size_t secret_l
 case NID_sha512:
 case NID_sha512_224:
 case NID_sha512_256:
- // SP 800-131Ar1, Section 8: "The length of the key-derivation key shall be at least 112 bits.”
+ // SP 800-131Ar1, Section 8: "The length of the key-derivation key shall
+ // be at least 112 bits.”
 if (secret_len >= 14) {
 FIPS_service_indicator_update_state();
 }
@@ -634,7 +646,7 @@ void KBKDF_ctr_hmac_verify_service_indicator(const EVP_MD *dgst, size_t secret_l
 }
 }
-void EVP_PKEY_encapsulate_verify_service_indicator(const EVP_PKEY_CTX* ctx) {
+void EVP_PKEY_encapsulate_verify_service_indicator(const EVP_PKEY_CTX *ctx) {
 if (ctx->pkey->type == EVP_PKEY_KEM) {
 const KEM *kem = KEM_KEY_get0_kem(ctx->pkey->pkey.kem_key);
 switch (kem->nid) {
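Review bot: The threshold in `if (secret_len >= 14)` is a magic number that the reader has to tie back to the 112-bit minimum quoted in the comment just above it, and the reformat only rewrapped that comment. A short note on the condition such as `// 112 bits == 14 bytes` (secret_len presumably being a byte count, which the hunk does not state) or a named constant would make the check self-explanatory. The enclosing switch and function continue outside this hunk.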
@@ -649,7 +661,7 @@ void EVP_PKEY_encapsulate_verify_service_indicator(const EVP_PKEY_CTX* ctx) {
 }
 }
-void EVP_PKEY_decapsulate_verify_service_indicator(const EVP_PKEY_CTX* ctx) {
+void EVP_PKEY_decapsulate_verify_service_indicator(const EVP_PKEY_CTX *ctx) {
 if (ctx->pkey->type == EVP_PKEY_KEM) {
 const KEM *kem = KEM_KEY_get0_kem(ctx->pkey->pkey.kem_key);
 switch (kem->nid) {
diff --git a/crypto/fipsmodule/service_indicator/service_indicator_test.cc b/crypto/fipsmodule/service_indicator/service_indicator_test.cc
index 6b18a7e0b5..5327f92301 100644
--- a/crypto/fipsmodule/service_indicator/service_indicator_test.cc
+++ b/crypto/fipsmodule/service_indicator/service_indicator_test.cc
@@ -15,11 +15,12 @@
 #include
 #include
 #include
-#include
 #include
+#include
+#include
 #include
-#include
 #include
+#include
 #include
 #include
 #include
@@ -27,24 +28,24 @@
 #include
 #include
 #include
-#include
 #include "../../test/abi_test.h"
 #include "../../test/test_util.h"
 #include "../bn/internal.h"
+#include "../ec/internal.h"
 #include "../hmac/internal.h"
 #include "../rand/internal.h"
-#include "../sha/internal.h"
 #include "../rsa/internal.h"
-#include "../ec/internal.h"
+#include "../sha/internal.h"
-static const uint8_t kAESKey[16] = {
- 'A','W','S','-','L','C','C','r','y','p','t','o',' ','K', 'e','y'};
+static const uint8_t kAESKey[16] = {'A', 'W', 'S', '-', 'L', 'C', 'C', 'r',
+ 'y', 'p', 't', 'o', ' ', 'K', 'e', 'y'};
 static const uint8_t kPlaintext[64] = {
- 'A','W','S','-','L','C','C','r','y','p','t','o','M','o','d','u','l','e',
- ' ','F','I','P','S',' ','K','A','T',' ','E','n','c','r','y','p','t','i',
- 'o','n',' ','a','n','d',' ','D','e','c','r','y','p','t','i','o','n',' ',
- 'P','l','a','i','n','t','e','x','t','!'};
+ 'A', 'W', 'S', '-', 'L', 'C', 'C', 'r', 'y', 'p', 't', 'o', 'M',
+ 'o', 'd', 'u', 'l', 'e', ' ', 'F', 'I', 'P', 'S', ' ', 'K', 'A',
+ 'T', ' ', 'E', 'n', 'c', 'r', 'y', 'p', 't', 'i', 'o', 'n', ' ',
+ 'a', 'n', 'd', ' ', 'D', 'e', 'c', 'r', 'y', 'p', 't', 'i', 'o',
+ 'n', ' ', 'P', 'l', 'a', 'i', 'n', 't', 'e', 'x', 't', '!'};
 #if defined(AWSLC_FIPS)
@@ -77,15 +78,14 @@ class TestWithNoErrors : public testing::TestWithParam {
 }
 };
-static const uint8_t kAESKey_192[24] = {
- 'A','W','S','-','L','C','C','r','y','p','t','o',' ','1', '9','2', '-','b',
- 'i','t',' ','K','e','y'
-};
+static const uint8_t kAESKey_192[24] = {'A', 'W', 'S', '-', 'L', 'C', 'C', 'r',
+ 'y', 'p', 't', 'o', ' ', '1', '9', '2',
+ '-', 'b', 'i', 't', ' ', 'K', 'e', 'y'};
-static const uint8_t kAESKey_256[32] = {
- 'A','W','S','-','L','C','C','r','y','p','t','o',' ','2', '5','6', '-','b',
- 'i','t',' ','L','o','n','g',' ','K','e','y','!','!','!'
-};
+static const uint8_t kAESKey_256[32] = {'A', 'W', 'S', '-', 'L', 'C', 'C', 'r',
+ 'y', 'p', 't', 'o', ' ', '2', '5', '6',
+ '-', 'b', 'i', 't', ' ', 'L', 'o', 'n',
+ 'g', ' ', 'K', 'e', 'y', '!', '!', '!'};
 static const uint8_t kAESIV[AES_BLOCK_SIZE] = {0};
@@ -111,7 +111,8 @@ static bssl::UniquePtr GetDH() {
 }
 static void DoCipherFinal(EVP_CIPHER_CTX *ctx, std::vector *out,
- bssl::Span in, FIPSStatus expect_approved) {
+ bssl::Span in,
+ FIPSStatus expect_approved) {
 FIPSStatus approved = AWSLC_NOT_APPROVED;
 size_t max_out = in.size();
 if (EVP_CIPHER_CTX_encrypting(ctx)) {
@@ -122,8 +123,8 @@ static void DoCipherFinal(EVP_CIPHER_CTX *ctx, std::vector *out,
 size_t total = 0;
 int len = 0;
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
- EVP_CipherUpdate(ctx, out->data(), &len, in.data(), in.size()));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, EVP_CipherUpdate(ctx, out->data(), &len, in.data(), in.size()));
 ASSERT_EQ(approved, AWSLC_NOT_APPROVED);
 total += static_cast(len);
 // Check if the overall service is approved by checking |EVP_CipherFinal_ex|,
@@ -282,30 +283,26 @@ static const uint8_t kAESCMACOutput[16] = {0xe7, 0x32, 0x43, 0xb4, 0xae, 0x79, // https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program static const uint8_t kAESXTSKey_256[64] = { - 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f, - 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7, - 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd, - 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3, - 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39, - 0x2c, 0xf4, 0x1b, 0x08 -}; + 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, + 0x2f, 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, + 0xd0, 0xc7, 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, + 0xe1, 0x3f, 0xfd, 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, + 0xcd, 0xa5, 0x8d, 0xa3, 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, + 0x58, 0x31, 0x8e, 0xea, 0x39, 0x2c, 0xf4, 0x1b, 0x08}; -static const uint8_t kAESXTSIV_256[16] = { - 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84, - 0xa9, 0xf8, 0x75, 0x64 -}; +static const uint8_t kAESXTSIV_256[16] = {0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, + 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84, + 0xa9, 0xf8, 0x75, 0x64}; static const uint8_t kAESXTSPlaintext_256[32] = { - 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8, - 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3, - 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e -}; + 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, + 0xe8, 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, + 0x57, 0xe3, 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e}; static const uint8_t kAESXTSCiphertext_256[32] = { - 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34, - 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a, - 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 
0xd7, 0xdb -}; + 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, + 0x34, 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, + 0xf3, 0x6a, 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb}; const uint8_t kDHOutput[2048 / 8] = { 0x83, 0xf0, 0xd8, 0x4f, 0xdb, 0xe7, 0x65, 0xb6, 0x80, 0x6f, 0xa3, 0x22, @@ -368,9 +365,9 @@ static const uint8_t kOutput_sha512[SHA512_DIGEST_LENGTH] = { 0xf8, 0x73, 0xb9, 0xe4, 0x18, 0xa8, 0xc2, 0xf0, 0xe5}; static const uint8_t kOutput_sha512_224[SHA512_224_DIGEST_LENGTH] = { - 0xbf, 0xee, 0x89, 0x08, 0x8c, 0x9a, 0x4e, 0xa4, 0x79, 0x22, 0x6e, - 0x17, 0x9f, 0x41, 0x53, 0x06, 0xc9, 0x1e, 0x58, 0x75, 0x22, 0xfd, - 0x89, 0x0a, 0xe2, 0xbf, 0x35, 0x8e}; + 0xbf, 0xee, 0x89, 0x08, 0x8c, 0x9a, 0x4e, 0xa4, 0x79, 0x22, + 0x6e, 0x17, 0x9f, 0x41, 0x53, 0x06, 0xc9, 0x1e, 0x58, 0x75, + 0x22, 0xfd, 0x89, 0x0a, 0xe2, 0xbf, 0x35, 0x8e}; static const uint8_t kOutput_sha512_256[SHA512_256_DIGEST_LENGTH] = { 0x1a, 0x78, 0x68, 0x6b, 0x69, 0x6d, 0x28, 0x14, 0x6b, 0x37, 0x11, 
@@ -378,14 +375,14 @@ static const uint8_t kOutput_sha512_256[SHA512_256_DIGEST_LENGTH] = { 0x08, 0x95, 0x0b, 0x0f, 0xc9, 0x88, 0x44, 0x12, 0x01, 0x6a}; static const uint8_t kOutput_sha3_224[SHA3_224_DIGEST_LENGTH] = { - 0xd4, 0x7e, 0x2d, 0xca, 0xf9, 0x36, 0x7a, 0x73, 0x2f, 0x9b, 0x42, 0x46, - 0x25, 0x49, 0x29, 0x68, 0xfa, 0x2c, 0xc7, 0xd0, 0xb0, 0x11, 0x1c, 0x86, - 0xa6, 0xc0, 0xa1, 0x29}; + 0xd4, 0x7e, 0x2d, 0xca, 0xf9, 0x36, 0x7a, 0x73, 0x2f, 0x9b, + 0x42, 0x46, 0x25, 0x49, 0x29, 0x68, 0xfa, 0x2c, 0xc7, 0xd0, + 0xb0, 0x11, 0x1c, 0x86, 0xa6, 0xc0, 0xa1, 0x29}; static const uint8_t kOutput_sha3_256[SHA3_256_DIGEST_LENGTH] = { - 0x4a, 0x95, 0x1c, 0x1e, 0xd1, 0x58, 0x5f, 0xa3, 0xcf, 0x77, 0x24, 0x73, - 0x7b, 0xd2, 0x28, 0x55, 0x9f, 0xa5, 0xe8, 0xc6, 0x58, 0x99, 0xe3, 0xb1, - 0x88, 0x17, 0xd6, 0xc4, 0x1d, 0x3e, 0xa8, 0x4c}; + 0x4a, 0x95, 0x1c, 0x1e, 0xd1, 0x58, 0x5f, 0xa3, 0xcf, 0x77, 0x24, + 0x73, 0x7b, 0xd2, 0x28, 0x55, 0x9f, 0xa5, 0xe8, 0xc6, 0x58, 0x99, + 0xe3, 0xb1, 0x88, 0x17, 0xd6, 0xc4, 0x1d, 0x3e, 0xa8, 0x4c}; static const uint8_t kOutput_sha3_384[SHA3_384_DIGEST_LENGTH] = { 0x19, 0x97, 0xad, 0xa6, 0x45, 0x40, 0x3d, 0x10, 0xda, 0xe6, 0xd4, 0xfd, 
@@ -394,32 +391,32 @@ static const uint8_t kOutput_sha3_384[SHA3_384_DIGEST_LENGTH] = { 0xb1, 0xb3, 0x4a, 0x1d, 0xd9, 0x69, 0x58, 0x25, 0x5b, 0xd0, 0xb6, 0xad}; static const uint8_t kOutput_sha3_512[SHA3_512_DIGEST_LENGTH] = { - 0x36, 0xe5, 0xa2, 0x70, 0xa4, 0xd1, 0xc3, 0x76, 0xc6, 0x44, 0xe6, 0x00, - 0x49, 0xae, 0x7d, 0x83, 0x21, 0xdc, 0xab, 0x2e, 0xa2, 0xe3, 0x96, 0xc2, - 0xeb, 0xe6, 0x61, 0x14, 0x95, 0xd6, 0x6a, 0xf2, 0xf0, 0xa0, 0x4e, 0x93, - 0x14, 0x2f, 0x02, 0x6a, 0xdb, 0xae, 0xbd, 0x76, 0x4e, 0xb9, 0x52, 0x88, - 0x85, 0x3c, 0x64, 0xa1, 0x56, 0x6f, 0xeb, 0x76, 0x25, 0x9a, 0x4a, 0x44, - 0x23, 0xf7, 0xcf, 0x46}; + 0x36, 0xe5, 0xa2, 0x70, 0xa4, 0xd1, 0xc3, 0x76, 0xc6, 0x44, 0xe6, + 0x00, 0x49, 0xae, 0x7d, 0x83, 0x21, 0xdc, 0xab, 0x2e, 0xa2, 0xe3, + 0x96, 0xc2, 0xeb, 0xe6, 0x61, 0x14, 0x95, 0xd6, 0x6a, 0xf2, 0xf0, + 0xa0, 0x4e, 0x93, 0x14, 0x2f, 0x02, 0x6a, 0xdb, 0xae, 0xbd, 0x76, + 0x4e, 0xb9, 0x52, 0x88, 0x85, 0x3c, 0x64, 0xa1, 0x56, 0x6f, 0xeb, + 0x76, 0x25, 0x9a, 0x4a, 0x44, 0x23, 0xf7, 0xcf, 0x46}; // NOTE: SHAKE is a variable-length XOF; this number is chosen somewhat // arbitrarily for testing. 
static const size_t SHAKE_OUTPUT_LENGTH = 64; static const uint8_t kOutput_shake128[SHAKE_OUTPUT_LENGTH] = { - 0x22, 0xfe, 0x51, 0xb7, 0x9c, 0x28, 0x1c, 0x0e, 0xfc, 0x66, 0x58, 0x6a, - 0xa1, 0x60, 0x85, 0x0b, 0xe6, 0xeb, 0x20, 0x0b, 0xdb, 0x0c, 0xe7, 0xfe, - 0x49, 0x51, 0xcd, 0xc2, 0x92, 0x3f, 0xfc, 0xf8, 0xcb, 0x4b, 0x19, 0xce, - 0x80, 0x9f, 0x1f, 0xbf, 0x10, 0xf1, 0x74, 0x38, 0x7a, 0x19, 0xd0, 0xca, - 0x52, 0xf2, 0xf3, 0xd0, 0x77, 0x08, 0xe2, 0x1e, 0x20, 0x2d, 0x57, 0x25, - 0x8b, 0xd5, 0xca, 0x66}; + 0x22, 0xfe, 0x51, 0xb7, 0x9c, 0x28, 0x1c, 0x0e, 0xfc, 0x66, 0x58, + 0x6a, 0xa1, 0x60, 0x85, 0x0b, 0xe6, 0xeb, 0x20, 0x0b, 0xdb, 0x0c, + 0xe7, 0xfe, 0x49, 0x51, 0xcd, 0xc2, 0x92, 0x3f, 0xfc, 0xf8, 0xcb, + 0x4b, 0x19, 0xce, 0x80, 0x9f, 0x1f, 0xbf, 0x10, 0xf1, 0x74, 0x38, + 0x7a, 0x19, 0xd0, 0xca, 0x52, 0xf2, 0xf3, 0xd0, 0x77, 0x08, 0xe2, + 0x1e, 0x20, 0x2d, 0x57, 0x25, 0x8b, 0xd5, 0xca, 0x66}; static const uint8_t kOutput_shake256[SHAKE_OUTPUT_LENGTH] = { - 0xfc, 0xd1, 0x32, 0xd0, 0x02, 0x43, 0x7c, 0x31, 0xb2, 0x78, 0xdf, 0x34, - 0x74, 0xc8, 0x9b, 0x77, 0x08, 0x14, 0x9d, 0xde, 0x69, 0x79, 0xb5, 0x58, - 0x98, 0x01, 0x69, 0xaa, 0x64, 0x11, 0x04, 0xbe, 0xa2, 0x5f, 0xf1, 0x29, - 0x9b, 0x94, 0x03, 0x4a, 0x1e, 0x82, 0xf0, 0x9e, 0xee, 0x9b, 0xa0, 0xe3, - 0xe1, 0x5f, 0x9c, 0x13, 0xb7, 0x52, 0xef, 0x3c, 0x96, 0xf3, 0xf8, 0xf3, - 0x1f, 0x59, 0x7e, 0x41}; + 0xfc, 0xd1, 0x32, 0xd0, 0x02, 0x43, 0x7c, 0x31, 0xb2, 0x78, 0xdf, + 0x34, 0x74, 0xc8, 0x9b, 0x77, 0x08, 0x14, 0x9d, 0xde, 0x69, 0x79, + 0xb5, 0x58, 0x98, 0x01, 0x69, 0xaa, 0x64, 0x11, 0x04, 0xbe, 0xa2, + 0x5f, 0xf1, 0x29, 0x9b, 0x94, 0x03, 0x4a, 0x1e, 0x82, 0xf0, 0x9e, + 0xee, 0x9b, 0xa0, 0xe3, 0xe1, 0x5f, 0x9c, 0x13, 0xb7, 0x52, 0xef, + 0x3c, 0x96, 0xf3, 0xf8, 0xf3, 0x1f, 0x59, 0x7e, 0x41}; static const uint8_t kHMACOutput_sha1[SHA_DIGEST_LENGTH] = { 0x34, 0xac, 0x50, 0x9b, 0xa9, 0x4c, 0x39, 0xef, 0x45, 0xa0, 
@@ -450,9 +447,9 @@ static const uint8_t kHMACOutput_sha512[SHA512_DIGEST_LENGTH] = { 0xbf, 0x9b, 0x99, 0x8c, 0xf0, 0x37, 0xe6, 0x3d, 0x40}; static const uint8_t kHMACOutput_sha512_224[SHA512_224_DIGEST_LENGTH] = { - 0xb7, 0x55, 0xfb, 0x59, 0x58, 0xa0, 0xf9, 0xa8, 0x94, 0xc2, 0x91, - 0x6b, 0xd3, 0xfc, 0xa2, 0xbc, 0xd2, 0x91, 0x09, 0xcb, 0x22, 0x0c, - 0x04, 0xc9, 0x21, 0xc1, 0x96, 0x62}; + 0xb7, 0x55, 0xfb, 0x59, 0x58, 0xa0, 0xf9, 0xa8, 0x94, 0xc2, + 0x91, 0x6b, 0xd3, 0xfc, 0xa2, 0xbc, 0xd2, 0x91, 0x09, 0xcb, + 0x22, 0x0c, 0x04, 0xc9, 0x21, 0xc1, 0x96, 0x62}; static const uint8_t kHMACOutput_sha512_256[SHA512_256_DIGEST_LENGTH] = { 0x9c, 0x95, 0x9c, 0x03, 0xc9, 0x8c, 0x90, 0xee, 0x7a, 0xff, 0xed, 
@@ -557,26 +554,22 @@ static const uint8_t kTLSOutput1_sha512[32] = { static const uint8_t kTLSOutput2_mdsha1[32] = { 0x21, 0x72, 0x18, 0xbe, 0x5a, 0xdc, 0xf7, 0x29, 0x1e, 0x81, 0x15, 0x46, 0x8d, 0x7f, 0x7e, 0x93, 0xac, 0xe5, 0x45, 0x26, 0x1a, 0x17, - 0x7c, 0x3a, 0xd4, 0x17, 0xaa, 0xe6, 0xfc, 0x15, 0x55, 0x69 -}; + 0x7c, 0x3a, 0xd4, 0x17, 0xaa, 0xe6, 0xfc, 0x15, 0x55, 0x69}; static const uint8_t kTLSOutput2_sha256[32] = { 0xfc, 0xa0, 0x34, 0x55, 0x73, 0x01, 0x22, 0x19, 0x93, 0x40, 0x56, 0x09, 0xfc, 0x8e, 0x42, 0xe4, 0x1a, 0x0c, 0xfa, 0x55, 0xaf, 0x19, - 0xbb, 0x38, 0x64, 0x63, 0x4b, 0xfb, 0x79, 0x19, 0x8a, 0xfc -}; + 0xbb, 0x38, 0x64, 0x63, 0x4b, 0xfb, 0x79, 0x19, 0x8a, 0xfc}; static const uint8_t kTLSOutput2_sha384[32] = { 0xc5, 0x37, 0xd2, 0x5e, 0x6d, 0xaf, 0x50, 0xd2, 0x1e, 0xe6, 0xd6, 0x26, 0x50, 0xbc, 0x36, 0xb3, 0xc5, 0xf9, 0x1c, 0x8f, 0x59, 0xfd, - 0xf9, 0x0e, 0xcb, 0xe4, 0x0b, 0xa9, 0xaf, 0xa5, 0x48, 0x01 -}; + 0xf9, 0x0e, 0xcb, 0xe4, 0x0b, 0xa9, 0xaf, 0xa5, 0x48, 0x01}; static const uint8_t kTLSOutput2_sha512[32] = { 0x12, 0xfe, 0x4f, 0xd9, 0x98, 0x64, 0x27, 0x3f, 0x82, 0xbb, 0xde, 0x87, 0x1b, 0x43, 0x01, 0xc2, 0x6c, 0x9b, 0xaa, 0x89, 0xd0, 0x47, - 0x3d, 0x56, 0xa8, 0xf5, 0x9f, 0x2e, 0x8d, 0xbb, 0x77, 0x57 -}; + 0x3d, 0x56, 0xa8, 0xf5, 0x9f, 0x2e, 0x8d, 0xbb, 0x77, 0x57}; static const uint8_t kAESGCMCiphertext_128[64 + 16] = { 0x38, 0x71, 0xcb, 0x61, 0x70, 0x60, 0x13, 0x8b, 0x2f, 0x91, 0x09, 0x7f, @@ -609,7 +602,7 @@ static const uint8_t kAESGCMCiphertext_256[64 + 16] = { }; static const struct AEADTestVector { - const char* name; + const char *name; const EVP_AEAD *aead; const uint8_t *key; const int key_length; 
@@ -746,15 +739,17 @@ TEST_P(AEADServiceIndicatorTest, EVP_AEAD) {
 // |EVP_AEAD_CTX_seal| and |EVP_AEAD_CTX_open| for approval at the end.
 // |EVP_AEAD_CTX_init| should not be approved because the function does not
 // indicate that a service has been fully completed yet.
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
 ASSERT_TRUE(EVP_AEAD_CTX_init(aead_ctx.get(), test.aead, test.key,
- test.key_length, 0, nullptr)));
+ test.key_length, 0, nullptr)));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
- ASSERT_TRUE(EVP_AEAD_CTX_seal(aead_ctx.get(), encrypt_output.data(),
- &out_len, encrypt_output.size(), nonce.data(),
- EVP_AEAD_nonce_length(test.aead), kPlaintext,
- sizeof(kPlaintext), nullptr, 0)));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ ASSERT_TRUE(EVP_AEAD_CTX_seal(
+ aead_ctx.get(), encrypt_output.data(), &out_len,
+ encrypt_output.size(), nonce.data(), EVP_AEAD_nonce_length(test.aead),
+ kPlaintext, sizeof(kPlaintext), nullptr, 0)));
 EXPECT_EQ(approved, test.expect_approved);
 encrypt_output.resize(out_len);
 if (test.expected_ciphertext) {
@@ -762,14 +757,15 @@ TEST_P(AEADServiceIndicatorTest, EVP_AEAD) {
 Bytes(encrypt_output));
 }
- CALL_SERVICE_AND_CHECK_APPROVED(approved, ASSERT_TRUE(
- EVP_AEAD_CTX_open(aead_ctx.get(), decrypt_output.data(),&out_len,
- decrypt_output.size(), nonce.data(), nonce.size(),
- encrypt_output.data(), out_len, nullptr, 0)));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, ASSERT_TRUE(EVP_AEAD_CTX_open(
+ aead_ctx.get(), decrypt_output.data(), &out_len,
+ decrypt_output.size(), nonce.data(), nonce.size(),
+ encrypt_output.data(), out_len, nullptr, 0)));
 // Decryption doesn't have nonce uniqueness requirements and so is always
 // approved for approved key lengths.
- EXPECT_EQ(approved, test.key_length != 24 ? AWSLC_APPROVED
- : AWSLC_NOT_APPROVED);
+ EXPECT_EQ(approved,
+ test.key_length != 24 ? AWSLC_APPROVED : AWSLC_NOT_APPROVED);
 decrypt_output.resize(out_len);
 EXPECT_EQ(Bytes(kPlaintext), Bytes(decrypt_output));
@@ -777,10 +773,10 @@ TEST_P(AEADServiceIndicatorTest, EVP_AEAD) {
 // functions should fail and return |AWSLC_NOT_APPROVED|.
 if (test.test_repeat_nonce) {
 CALL_SERVICE_AND_CHECK_APPROVED(
- approved, ASSERT_FALSE(
- EVP_AEAD_CTX_seal(aead_ctx.get(), encrypt_output.data(), &out_len,
- encrypt_output.size(), nonce.data(), nonce.size(),
- kPlaintext, sizeof(kPlaintext), nullptr, 0)));
+ approved, ASSERT_FALSE(EVP_AEAD_CTX_seal(
+ aead_ctx.get(), encrypt_output.data(), &out_len,
+ encrypt_output.size(), nonce.data(), nonce.size(),
+ kPlaintext, sizeof(kPlaintext), nullptr, 0)));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
 EXPECT_TRUE(
 ErrorEquals(ERR_get_error(), ERR_LIB_CIPHER, CIPHER_R_INVALID_NONCE));
@@ -990,9 +986,10 @@ static void TestOperation(const EVP_CIPHER *cipher, bool encrypt,
 bssl::ScopedEVP_CIPHER_CTX ctx;
 // Test running the EVP_Cipher interfaces one by one directly, and check
 // |EVP_EncryptFinal_ex| and |EVP_DecryptFinal_ex| for approval at the end.
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
- ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr,
- encrypt ? 1 : 0)));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr,
+ nullptr, encrypt ? 1 : 0)));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
 if (iv.size() > 0) {
 // IV specified for the test, so the context's IV length should match.
@@ -1004,9 +1001,10 @@ static void TestOperation(const EVP_CIPHER *cipher, bool encrypt,
 }
 ASSERT_TRUE(EVP_CIPHER_CTX_set_key_length(ctx.get(), key.size()));
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
- ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), cipher, nullptr, key.data(),
- iv.data(), encrypt ? 1 : 0)));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), cipher, nullptr, key.data(),
+ iv.data(), encrypt ? 1 : 0)));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
 ASSERT_TRUE(EVP_CIPHER_CTX_set_padding(ctx.get(), 0));
 std::vector encrypt_result;
@@ -1016,9 +1014,10 @@ static void TestOperation(const EVP_CIPHER *cipher, bool encrypt,
 // Test using the one-shot |EVP_Cipher| function for approval.
 bssl::ScopedEVP_CIPHER_CTX ctx2;
 uint8_t output[256];
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
- ASSERT_TRUE(EVP_CipherInit_ex(ctx2.get(), cipher, nullptr, key.data(),
- iv.data(), encrypt ? 1 : 0)));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
+ ASSERT_TRUE(EVP_CipherInit_ex(ctx2.get(), cipher, nullptr, key.data(),
+ iv.data(), encrypt ? 1 : 0)));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
 CALL_SERVICE_AND_CHECK_APPROVED(
 approved, EVP_Cipher(ctx2.get(), output, in.data(), in.size()));
@@ -1185,21 +1184,25 @@ TEST_P(EVPMDServiceIndicatorTest, EVP_Digests) {
 // |EVP_DigestFinal_ex| for approval at the end. |EVP_DigestInit_ex| and
 // |EVP_DigestUpdate| should not be approved, because the functions do not
 // indicate that a service has been fully completed yet.
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
 ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test.func(), nullptr)));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
 ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), kPlaintext, sizeof(kPlaintext))));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
 ASSERT_TRUE(EVP_DigestFinal_ex(ctx.get(), digest.data(), &digest_len)));
 EXPECT_EQ(approved, test.expect_approved);
 EXPECT_EQ(Bytes(test.expected_digest, digest_len), Bytes(digest));
 // Test using the one-shot |EVP_Digest| function for approval.
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
 ASSERT_TRUE(EVP_Digest(kPlaintext, sizeof(kPlaintext), digest.data(),
- &digest_len, test.func(), nullptr)));
+ &digest_len, test.func(), nullptr)));
 EXPECT_EQ(approved, test.expect_approved);
 EXPECT_EQ(Bytes(test.expected_digest, test.length), Bytes(digest));
@@ -1260,30 +1263,34 @@ TEST_P(EVPXOFServiceIndicatorTest, EVP_Xofs) {
 // |EVP_DigestFinalXOF| for approval at the end. |EVP_DigestInit_ex| and
 // |EVP_DigestUpdate| should not be approved, because the functions do not
 // indicate that a service has been fully completed yet.
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
 ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), test.func(), nullptr)));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
 ASSERT_TRUE(EVP_DigestUpdate(ctx.get(), kPlaintext, sizeof(kPlaintext))));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
 EXPECT_TRUE(EVP_MD_flags(ctx->digest) & EVP_MD_FLAG_XOF);
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
 ASSERT_TRUE(EVP_DigestFinalXOF(ctx.get(), digest.data(), test.length)));
 EXPECT_EQ(approved, test.expect_approved);
 EXPECT_EQ(Bytes(test.expected_digest, test.length), Bytes(digest));
 // Test using the one-shot |EVP_Digest| function for approval.
 unsigned digest_len = test.length;
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
 ASSERT_TRUE(EVP_Digest(kPlaintext, sizeof(kPlaintext), digest.data(),
- &digest_len, test.func(), nullptr)));
+ &digest_len, test.func(), nullptr)));
 EXPECT_EQ(approved, test.expect_approved);
 EXPECT_EQ(Bytes(test.expected_digest, test.length), Bytes(digest));
 // Test using the one-shot API for approval.
 CALL_SERVICE_AND_CHECK_APPROVED(
- approved,
- test.one_shot_func(kPlaintext, sizeof(kPlaintext), digest.data(), test.length));
+ approved, test.one_shot_func(kPlaintext, sizeof(kPlaintext),
+ digest.data(), test.length));
 EXPECT_EQ(approved, test.expect_approved);
 EXPECT_EQ(Bytes(test.expected_digest, test.length), Bytes(digest));
 }
@@ -1296,14 +1303,13 @@ static const struct HMACTestVector {
 // expected to be approved or not.
 const FIPSStatus expect_approved;
 } kHMACTestVectors[] = {
- { EVP_sha1, kHMACOutput_sha1, AWSLC_APPROVED },
- { EVP_sha224, kHMACOutput_sha224, AWSLC_APPROVED },
- { EVP_sha256, kHMACOutput_sha256, AWSLC_APPROVED },
- { EVP_sha384, kHMACOutput_sha384, AWSLC_APPROVED },
- { EVP_sha512, kHMACOutput_sha512, AWSLC_APPROVED },
- { EVP_sha512_224, kHMACOutput_sha512_224, AWSLC_APPROVED },
- { EVP_sha512_256, kHMACOutput_sha512_256, AWSLC_APPROVED }
-};
+ {EVP_sha1, kHMACOutput_sha1, AWSLC_APPROVED},
+ {EVP_sha224, kHMACOutput_sha224, AWSLC_APPROVED},
+ {EVP_sha256, kHMACOutput_sha256, AWSLC_APPROVED},
+ {EVP_sha384, kHMACOutput_sha384, AWSLC_APPROVED},
+ {EVP_sha512, kHMACOutput_sha512, AWSLC_APPROVED},
+ {EVP_sha512_224, kHMACOutput_sha512_224, AWSLC_APPROVED},
+ {EVP_sha512_256, kHMACOutput_sha512_256, AWSLC_APPROVED}};
 class HMACServiceIndicatorTest : public TestWithNoErrors {};
@@ -1333,14 +1339,15 @@ TEST_P(HMACServiceIndicatorTest, HMACTest) {
 unsigned mac_len;
 bssl::ScopedHMAC_CTX ctx;
 CALL_SERVICE_AND_CHECK_APPROVED(
- approved, ASSERT_TRUE(
- HMAC_Init_ex(ctx.get(), kHMACKey, sizeof(kHMACKey), digest, nullptr)));
+ approved, ASSERT_TRUE(HMAC_Init_ex(ctx.get(), kHMACKey, sizeof(kHMACKey),
+ digest, nullptr)));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved,
 ASSERT_TRUE(HMAC_Update(ctx.get(), kPlaintext, sizeof(kPlaintext))));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
- ASSERT_TRUE(HMAC_Final(ctx.get(), mac.data(), &mac_len)));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, ASSERT_TRUE(HMAC_Final(ctx.get(), mac.data(), &mac_len)));
 EXPECT_EQ(approved, test.expect_approved);
 EXPECT_EQ(Bytes(test.expected_digest, expected_mac_len),
 Bytes(mac.data(), mac_len));
@@ -1348,7 +1355,7 @@ TEST_P(HMACServiceIndicatorTest, HMACTest) {
 // Test using the one-shot API for approval.
 CALL_SERVICE_AND_CHECK_APPROVED(
 approved, ASSERT_TRUE(HMAC(digest, kHMACKey, sizeof(kHMACKey), kPlaintext,
- sizeof(kPlaintext), mac.data(), &mac_len)));
+ sizeof(kPlaintext), mac.data(), &mac_len)));
 EXPECT_EQ(approved, test.expect_approved);
 EXPECT_EQ(Bytes(test.expected_digest, expected_mac_len),
 Bytes(mac.data(), mac_len));
@@ -1368,15 +1375,15 @@ TEST_P(HMACServiceIndicatorTest, HMACTest) {
 uint8_t precomputed_key[HMAC_MAX_PRECOMPUTED_KEY_SIZE];
 size_t precomputed_key_len = HMAC_MAX_PRECOMPUTED_KEY_SIZE;
 CALL_SERVICE_AND_CHECK_APPROVED(
- approved, ASSERT_TRUE(
- HMAC_Init_ex(ctx.get(), kHMACKey, sizeof(kHMACKey), digest, nullptr)));
+ approved, ASSERT_TRUE(HMAC_Init_ex(ctx.get(), kHMACKey, sizeof(kHMACKey),
+ digest, nullptr)));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
 CALL_SERVICE_AND_CHECK_APPROVED(
 approved, ASSERT_TRUE(HMAC_set_precomputed_key_export(ctx.get())));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
 CALL_SERVICE_AND_CHECK_APPROVED(
- approved, ASSERT_TRUE(HMAC_get_precomputed_key(
- ctx.get(), precomputed_key, &precomputed_key_len)));
+ approved, ASSERT_TRUE(HMAC_get_precomputed_key(ctx.get(), precomputed_key,
+ &precomputed_key_len)));
 EXPECT_EQ(approved, AWSLC_NOT_APPROVED);
 // Second, use the precomputed key to compute the hash
 ctx.Reset();
@@ -1384,84 +1391,73 @@ TEST_P(HMACServiceIndicatorTest, HMACTest) { approved, ASSERT_TRUE(HMAC_Init_from_precomputed_key( ctx.get(), precomputed_key, precomputed_key_len, digest))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(HMAC_Update(ctx.get(), kPlaintext, sizeof(kPlaintext)))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(HMAC_Update(ctx.get(), kPlaintext, sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(HMAC_Final(ctx.get(), mac.data(), &mac_len))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(HMAC_Final(ctx.get(), mac.data(), &mac_len))); EXPECT_EQ(approved, test.expect_approved); EXPECT_EQ(Bytes(test.expected_digest, expected_mac_len), Bytes(mac.data(), mac_len)); } -const uint8_t kHKDF_ikm_tc1[] = { // RFC 5869 Test Case 1 - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b -}; -const uint8_t kHKDF_salt_tc1[] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c -}; -const uint8_t kHKDF_info_tc1[] = { - 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 -}; -const uint8_t kHKDF_okm_tc1_md5[] = { // Used for negative testing only. 
- 0xb2, 0x22, 0xc9, 0xdb, 0x38, 0xd1, 0x7b, 0x2f, 0xea, 0x8b, 0x3b, 0xb5, - 0x11, 0xc0, 0xd6, 0xd8, 0x60, 0x49, 0xef, 0x48, 0x1b, 0xa7, 0x06, 0x5c, - 0xa5, 0xc6, 0x42, 0x26, 0x18, 0xed, 0x9c, 0xc9, 0x14, 0x49, 0x00, 0xe2, - 0xc7, 0x2b, 0x6a, 0x86, 0x3a, 0x31 -}; +const uint8_t kHKDF_ikm_tc1[] = { // RFC 5869 Test Case 1 + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b}; +const uint8_t kHKDF_salt_tc1[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, + 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c}; +const uint8_t kHKDF_info_tc1[] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, + 0xf5, 0xf6, 0xf7, 0xf8, 0xf9}; +const uint8_t kHKDF_okm_tc1_md5[] = { // Used for negative testing only. + 0xb2, 0x22, 0xc9, 0xdb, 0x38, 0xd1, 0x7b, 0x2f, 0xea, 0x8b, 0x3b, + 0xb5, 0x11, 0xc0, 0xd6, 0xd8, 0x60, 0x49, 0xef, 0x48, 0x1b, 0xa7, + 0x06, 0x5c, 0xa5, 0xc6, 0x42, 0x26, 0x18, 0xed, 0x9c, 0xc9, 0x14, + 0x49, 0x00, 0xe2, 0xc7, 0x2b, 0x6a, 0x86, 0x3a, 0x31}; const uint8_t kHKDF_okm_tc1_sha1[] = { - 0xd6, 0x00, 0x0f, 0xfb, 0x5b, 0x50, 0xbd, 0x39, 0x70, 0xb2, 0x60, 0x01, - 0x77, 0x98, 0xfb, 0x9c, 0x8d, 0xf9, 0xce, 0x2e, 0x2c, 0x16, 0xb6, 0xcd, - 0x70, 0x9c, 0xca, 0x07, 0xdc, 0x3c, 0xf9, 0xcf, 0x26, 0xd6, 0xc6, 0xd7, - 0x50, 0xd0, 0xaa, 0xf5, 0xac, 0x94 -}; + 0xd6, 0x00, 0x0f, 0xfb, 0x5b, 0x50, 0xbd, 0x39, 0x70, 0xb2, 0x60, + 0x01, 0x77, 0x98, 0xfb, 0x9c, 0x8d, 0xf9, 0xce, 0x2e, 0x2c, 0x16, + 0xb6, 0xcd, 0x70, 0x9c, 0xca, 0x07, 0xdc, 0x3c, 0xf9, 0xcf, 0x26, + 0xd6, 0xc6, 0xd7, 0x50, 0xd0, 0xaa, 0xf5, 0xac, 0x94}; const uint8_t kHKDF_okm_tc1_sha224[] = { - 0x2f, 0x21, 0xcd, 0x7c, 0xbc, 0x81, 0x8c, 0xa5, 0xc5, 0x61, 0xb9, 0x33, - 0x72, 0x8e, 0x2e, 0x08, 0xe1, 0x54, 0xa8, 0x7e, 0x14, 0x32, 0x39, 0x9a, - 0x82, 0x0d, 0xee, 0x13, 0xaa, 0x22, 0x2d, 0x0c, 0xee, 0x61, 0x52, 0xfa, - 0x53, 0x9a, 0xb7, 0x0f, 0x8e, 0x80 -}; + 0x2f, 0x21, 0xcd, 0x7c, 0xbc, 0x81, 0x8c, 0xa5, 0xc5, 0x61, 0xb9, + 0x33, 0x72, 0x8e, 0x2e, 0x08, 0xe1, 0x54, 0xa8, 0x7e, 
0x14, 0x32, + 0x39, 0x9a, 0x82, 0x0d, 0xee, 0x13, 0xaa, 0x22, 0x2d, 0x0c, 0xee, + 0x61, 0x52, 0xfa, 0x53, 0x9a, 0xb7, 0x0f, 0x8e, 0x80}; const uint8_t kHKDF_okm_tc1_sha256[] = { - 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f, 0x64, - 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c, - 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34, 0x00, 0x72, 0x08, - 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65 -}; + 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f, + 0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, + 0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34, + 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65}; const uint8_t kHKDF_okm_tc1_sha384[] = { - 0x9b, 0x50, 0x97, 0xa8, 0x60, 0x38, 0xb8, 0x05, 0x30, 0x90, 0x76, 0xa4, - 0x4b, 0x3a, 0x9f, 0x38, 0x06, 0x3e, 0x25, 0xb5, 0x16, 0xdc, 0xbf, 0x36, - 0x9f, 0x39, 0x4c, 0xfa, 0xb4, 0x36, 0x85, 0xf7, 0x48, 0xb6, 0x45, 0x77, - 0x63, 0xe4, 0xf0, 0x20, 0x4f, 0xc5 -}; + 0x9b, 0x50, 0x97, 0xa8, 0x60, 0x38, 0xb8, 0x05, 0x30, 0x90, 0x76, + 0xa4, 0x4b, 0x3a, 0x9f, 0x38, 0x06, 0x3e, 0x25, 0xb5, 0x16, 0xdc, + 0xbf, 0x36, 0x9f, 0x39, 0x4c, 0xfa, 0xb4, 0x36, 0x85, 0xf7, 0x48, + 0xb6, 0x45, 0x77, 0x63, 0xe4, 0xf0, 0x20, 0x4f, 0xc5}; const uint8_t kHKDF_okm_tc1_sha512[] = { - 0x83, 0x23, 0x90, 0x08, 0x6c, 0xda, 0x71, 0xfb, 0x47, 0x62, 0x5b, 0xb5, - 0xce, 0xb1, 0x68, 0xe4, 0xc8, 0xe2, 0x6a, 0x1a, 0x16, 0xed, 0x34, 0xd9, - 0xfc, 0x7f, 0xe9, 0x2c, 0x14, 0x81, 0x57, 0x93, 0x38, 0xda, 0x36, 0x2c, - 0xb8, 0xd9, 0xf9, 0x25, 0xd7, 0xcb -}; + 0x83, 0x23, 0x90, 0x08, 0x6c, 0xda, 0x71, 0xfb, 0x47, 0x62, 0x5b, + 0xb5, 0xce, 0xb1, 0x68, 0xe4, 0xc8, 0xe2, 0x6a, 0x1a, 0x16, 0xed, + 0x34, 0xd9, 0xfc, 0x7f, 0xe9, 0x2c, 0x14, 0x81, 0x57, 0x93, 0x38, + 0xda, 0x36, 0x2c, 0xb8, 0xd9, 0xf9, 0x25, 0xd7, 0xcb}; const uint8_t kHKDF_okm_tc1_sha512_224[] = { 0xf8, 0xd9, 0x56, 0xe1, 0x52, 0xb0, 0xfb, 0xa8, 0x31, 0xba, 0xc4, 0x00, 0xf1, 0xa5, 0xaf, 0x54, 0x98, 0x2b, 0x91, 0xdb, 
0x3d, 0x96, 0xae, 0x21, 0xa7, 0x56, 0x55, 0xef, 0xf1, 0x72, 0x5f, 0x92, 0x8e, - 0x49, 0x1c, 0x63, 0xf3, 0xae, 0xdb, 0x40, 0x82, 0x96 -}; + 0x49, 0x1c, 0x63, 0xf3, 0xae, 0xdb, 0x40, 0x82, 0x96}; const uint8_t kHKDF_okm_tc1_sha512_256[] = { 0x78, 0x9a, 0x93, 0xe5, 0x67, 0xa1, 0x86, 0x1d, 0xe4, 0x49, 0x34, 0x2b, 0x2d, 0x67, 0x4c, 0x0d, 0xf7, 0x37, 0xfd, 0x8a, 0xdc, 0xe2, 0xa8, 0xe1, 0x84, 0x32, 0x37, 0xc1, 0x93, 0x8a, 0xc4, 0x13, 0x04, - 0x4b, 0x49, 0x6c, 0xe2, 0x67, 0xa1, 0x98, 0xeb, 0xe3 -}; + 0x4b, 0x49, 0x6c, 0xe2, 0x67, 0xa1, 0x98, 0xeb, 0xe3}; -const uint8_t kHKDF_ikm_tc2[] = { // RFC 5869 Test Case 2 +const uint8_t kHKDF_ikm_tc2[] = { // RFC 5869 Test Case 2 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, - 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f -}; + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f}; const uint8_t kHKDF_salt_tc2[] = { 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, @@ -1469,8 +1465,7 @@ const uint8_t kHKDF_salt_tc2[] = { 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, - 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf -}; + 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf}; const uint8_t kHKDF_info_tc2[] = { 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 
@@ -1478,8 +1473,7 @@ const uint8_t kHKDF_info_tc2[] = { 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, - 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff -}; + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff}; const uint8_t kHKDF_okm_tc2_sha1[] = { 0x0b, 0xd7, 0x70, 0xa7, 0x4d, 0x11, 0x60, 0xf7, 0xc9, 0xf1, 0x2c, 0xd5, 0x91, 0x2a, 0x06, 0xeb, 0xff, 0x6a, 0xdc, 0xae, 0x89, 0x9d, 0x92, 0x19, @@ -1487,8 +1481,7 @@ const uint8_t kHKDF_okm_tc2_sha1[] = { 0xe5, 0xad, 0x79, 0xf3, 0xf3, 0x34, 0xb3, 0xb2, 0x02, 0xb2, 0x17, 0x3c, 0x48, 0x6e, 0xa3, 0x7c, 0xe3, 0xd3, 0x97, 0xed, 0x03, 0x4c, 0x7f, 0x9d, 0xfe, 0xb1, 0x5c, 0x5e, 0x92, 0x73, 0x36, 0xd0, 0x44, 0x1f, 0x4c, 0x43, - 0x00, 0xe2, 0xcf, 0xf0, 0xd0, 0x90, 0x0b, 0x52, 0xd3, 0xb4 -}; + 0x00, 0xe2, 0xcf, 0xf0, 0xd0, 0x90, 0x0b, 0x52, 0xd3, 0xb4}; const uint8_t kHKDF_okm_tc2_sha224[] = { 0x3e, 0x49, 0x70, 0x3c, 0x24, 0x3a, 0x38, 0x94, 0x91, 0x63, 0x49, 0xb5, 0x2a, 0x8f, 0x55, 0xc7, 0xc1, 0x60, 0x45, 0x2f, 0x97, 0xb2, 0x87, 0x0f, @@ -1496,8 +1489,7 @@ const uint8_t kHKDF_okm_tc2_sha224[] = { 0x20, 0x72, 0x31, 0x15, 0x8d, 0xcb, 0x03, 0xd0, 0xc7, 0xd4, 0x27, 0xcb, 0x2b, 0x7e, 0x06, 0x01, 0x79, 0x45, 0x9f, 0x9d, 0xaf, 0xfe, 0xe0, 0x5e, 0x87, 0x05, 0x11, 0x3f, 0x7b, 0xc4, 0x5b, 0x4f, 0x45, 0x26, 0x01, 0xd8, - 0x84, 0xdf, 0x6d, 0xfd, 0x4f, 0xf9, 0xda, 0xcf, 0xde, 0x69 -}; + 0x84, 0xdf, 0x6d, 0xfd, 0x4f, 0xf9, 0xda, 0xcf, 0xde, 0x69}; const uint8_t kHKDF_okm_tc2_sha256[] = { 0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1, 0xc8, 0xe7, 0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34, 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8, 
@@ -1505,8 +1497,7 @@ const uint8_t kHKDF_okm_tc2_sha256[] = { 0xca, 0xc7, 0x82, 0x72, 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09, 0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8, 0x36, 0x77, 0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71, 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87, - 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f, 0x1d, 0x87 -}; + 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f, 0x1d, 0x87}; const uint8_t kHKDF_okm_tc2_sha384[] = { 0x48, 0x4c, 0xa0, 0x52, 0xb8, 0xcc, 0x72, 0x4f, 0xd1, 0xc4, 0xec, 0x64, 0xd5, 0x7b, 0x4e, 0x81, 0x8c, 0x7e, 0x25, 0xa8, 0xe0, 0xf4, 0x56, 0x9e, @@ -1514,8 +1505,7 @@ const uint8_t kHKDF_okm_tc2_sha384[] = { 0xc8, 0x32, 0x85, 0x6b, 0xf4, 0xe4, 0xfb, 0xc1, 0x79, 0x67, 0xd5, 0x49, 0x75, 0x32, 0x4a, 0x94, 0x98, 0x7f, 0x7f, 0x41, 0x83, 0x58, 0x17, 0xd8, 0x99, 0x4f, 0xdb, 0xd6, 0xf4, 0xc0, 0x9c, 0x55, 0x00, 0xdc, 0xa2, 0x4a, - 0x56, 0x22, 0x2f, 0xea, 0x53, 0xd8, 0x96, 0x7a, 0x8b, 0x2e -}; + 0x56, 0x22, 0x2f, 0xea, 0x53, 0xd8, 0x96, 0x7a, 0x8b, 0x2e}; const uint8_t kHKDF_okm_tc2_sha512[] = { 0xce, 0x6c, 0x97, 0x19, 0x28, 0x05, 0xb3, 0x46, 0xe6, 0x16, 0x1e, 0x82, 0x1e, 0xd1, 0x65, 0x67, 0x3b, 0x84, 0xf4, 0x00, 0xa2, 0xb5, 0x14, 0xb2, 
@@ -1523,251 +1513,254 @@ const uint8_t kHKDF_okm_tc2_sha512[] = { 0xbd, 0x1c, 0x83, 0x88, 0x44, 0x11, 0x37, 0xb3, 0xce, 0x28, 0xf1, 0x6a, 0xa6, 0x4b, 0xa3, 0x3b, 0xa4, 0x66, 0xb2, 0x4d, 0xf6, 0xcf, 0xcb, 0x02, 0x1e, 0xcf, 0xf2, 0x35, 0xf6, 0xa2, 0x05, 0x6c, 0xe3, 0xaf, 0x1d, 0xe4, - 0x4d, 0x57, 0x20, 0x97, 0xa8, 0x50, 0x5d, 0x9e, 0x7a, 0x93 -}; + 0x4d, 0x57, 0x20, 0x97, 0xa8, 0x50, 0x5d, 0x9e, 0x7a, 0x93}; const uint8_t kHKDF_okm_tc2_sha512_224[] = { 0xb2, 0xfd, 0x77, 0xf9, 0xcf, 0xb6, 0xda, 0x40, 0x10, 0x23, 0x8b, 0xa6, 0x21, 0x7a, 0x1b, 0xc7, 0xb7, 0x70, 0xa3, 0x85, 0x28, 0x4b, 0x8e, 0x54, 0xd6, 0x8d, 0x40, 0x8c, 0xce, 0x4a, 0x42, 0xc3, 0xc5, - 0xde, 0x16, 0x91, 0x59, 0x93, 0x1e, 0x13, 0x24, 0x8b -}; + 0xde, 0x16, 0x91, 0x59, 0x93, 0x1e, 0x13, 0x24, 0x8b}; const uint8_t kHKDF_okm_tc2_sha512_256[] = { 0x9f, 0xde, 0x11, 0xa4, 0x63, 0x48, 0xac, 0x1a, 0xba, 0xdf, 0xd2, 0xff, 0xb6, 0x0d, 0x85, 0x26, 0x58, 0x3f, 0xc8, 0x3e, 0x08, 0xb8, 0x8a, 0x6e, 0xdc, 0x2d, 0xc6, 0x95, 0xad, 0x61, 0x5d, 0xe3, 0xbe, - 0x8e, 0xd2, 0xe1, 0xfe, 0x5b, 0xc8, 0x38, 0xf7, 0x13 -}; + 0x8e, 0xd2, 0xe1, 0xfe, 0x5b, 0xc8, 0x38, 0xf7, 0x13}; -const uint8_t kHKDF_ikm_tc3[] = { // RFC 5869 Test Case 3 - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b -}; -const uint8_t kHKDF_salt_tc3[] = {0}; // No salt -const uint8_t kHKDF_info_tc3[] = {0}; // No info +const uint8_t kHKDF_ikm_tc3[] = { // RFC 5869 Test Case 3 + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b}; +const uint8_t kHKDF_salt_tc3[] = {0}; // No salt +const uint8_t kHKDF_info_tc3[] = {0}; // No info const uint8_t kHKDF_okm_tc3_sha1[] = { - 0x0a, 0xc1, 0xaf, 0x70, 0x02, 0xb3, 0xd7, 0x61, 0xd1, 0xe5, 0x52, 0x98, - 0xda, 0x9d, 0x05, 0x06, 0xb9, 0xae, 0x52, 0x05, 0x72, 0x20, 0xa3, 0x06, - 0xe0, 0x7b, 0x6b, 0x87, 0xe8, 0xdf, 0x21, 0xd0, 0xea, 0x00, 0x03, 0x3d, - 0xe0, 0x39, 
0x84, 0xd3, 0x49, 0x18
-};
+ 0x0a, 0xc1, 0xaf, 0x70, 0x02, 0xb3, 0xd7, 0x61, 0xd1, 0xe5, 0x52,
+ 0x98, 0xda, 0x9d, 0x05, 0x06, 0xb9, 0xae, 0x52, 0x05, 0x72, 0x20,
+ 0xa3, 0x06, 0xe0, 0x7b, 0x6b, 0x87, 0xe8, 0xdf, 0x21, 0xd0, 0xea,
+ 0x00, 0x03, 0x3d, 0xe0, 0x39, 0x84, 0xd3, 0x49, 0x18};
 const uint8_t kHKDF_okm_tc3_sha224[] = {
- 0x2a, 0x26, 0x80, 0x83, 0xea, 0x78, 0x7e, 0x06, 0x60, 0x4a, 0x58, 0x45,
- 0xf1, 0xa5, 0x35, 0x44, 0xdd, 0x78, 0x47, 0xbd, 0x6f, 0xb7, 0x4a, 0xdf,
- 0xcc, 0x11, 0x78, 0xba, 0xac, 0x5a, 0x0f, 0xe7, 0x40, 0x76, 0xf8, 0x93,
- 0x59, 0x71, 0xc0, 0x0c, 0x2b, 0x19
-};
+ 0x2a, 0x26, 0x80, 0x83, 0xea, 0x78, 0x7e, 0x06, 0x60, 0x4a, 0x58,
+ 0x45, 0xf1, 0xa5, 0x35, 0x44, 0xdd, 0x78, 0x47, 0xbd, 0x6f, 0xb7,
+ 0x4a, 0xdf, 0xcc, 0x11, 0x78, 0xba, 0xac, 0x5a, 0x0f, 0xe7, 0x40,
+ 0x76, 0xf8, 0x93, 0x59, 0x71, 0xc0, 0x0c, 0x2b, 0x19};
 const uint8_t kHKDF_okm_tc3_sha256[] = {
- 0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f, 0x71, 0x5f, 0x80, 0x2a,
- 0x06, 0x3c, 0x5a, 0x31, 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e,
- 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d, 0x9d, 0x20, 0x13, 0x95,
- 0xfa, 0xa4, 0xb6, 0x1a, 0x96, 0xc8
-};
+ 0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f, 0x71, 0x5f, 0x80,
+ 0x2a, 0x06, 0x3c, 0x5a, 0x31, 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1,
+ 0x87, 0x9e, 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d, 0x9d,
+ 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a, 0x96, 0xc8};
 const uint8_t kHKDF_okm_tc3_sha384[] = {
- 0xc8, 0xc9, 0x6e, 0x71, 0x0f, 0x89, 0xb0, 0xd7, 0x99, 0x0b, 0xca, 0x68,
- 0xbc, 0xde, 0xc8, 0xcf, 0x85, 0x40, 0x62, 0xe5, 0x4c, 0x73, 0xa7, 0xab,
- 0xc7, 0x43, 0xfa, 0xde, 0x9b, 0x24, 0x2d, 0xaa, 0xcc, 0x1c, 0xea, 0x56,
- 0x70, 0x41, 0x5b, 0x52, 0x84, 0x9c
-};
+ 0xc8, 0xc9, 0x6e, 0x71, 0x0f, 0x89, 0xb0, 0xd7, 0x99, 0x0b, 0xca,
+ 0x68, 0xbc, 0xde, 0xc8, 0xcf, 0x85, 0x40, 0x62, 0xe5, 0x4c, 0x73,
+ 0xa7, 0xab, 0xc7, 0x43, 0xfa, 0xde, 0x9b, 0x24, 0x2d, 0xaa, 0xcc,
+ 0x1c, 0xea, 0x56, 0x70, 0x41, 0x5b, 0x52, 0x84, 0x9c};
 const uint8_t
kHKDF_okm_tc3_sha512[] = { - 0xf5, 0xfa, 0x02, 0xb1, 0x82, 0x98, 0xa7, 0x2a, 0x8c, 0x23, 0x89, 0x8a, - 0x87, 0x03, 0x47, 0x2c, 0x6e, 0xb1, 0x79, 0xdc, 0x20, 0x4c, 0x03, 0x42, - 0x5c, 0x97, 0x0e, 0x3b, 0x16, 0x4b, 0xf9, 0x0f, 0xff, 0x22, 0xd0, 0x48, - 0x36, 0xd0, 0xe2, 0x34, 0x3b, 0xac -}; + 0xf5, 0xfa, 0x02, 0xb1, 0x82, 0x98, 0xa7, 0x2a, 0x8c, 0x23, 0x89, + 0x8a, 0x87, 0x03, 0x47, 0x2c, 0x6e, 0xb1, 0x79, 0xdc, 0x20, 0x4c, + 0x03, 0x42, 0x5c, 0x97, 0x0e, 0x3b, 0x16, 0x4b, 0xf9, 0x0f, 0xff, + 0x22, 0xd0, 0x48, 0x36, 0xd0, 0xe2, 0x34, 0x3b, 0xac}; const uint8_t kHKDF_okm_tc3_sha512_224[] = { 0x7c, 0x21, 0xff, 0xc6, 0x05, 0x69, 0x03, 0xdd, 0x09, 0xf1, 0x31, 0xd3, 0x36, 0xb4, 0x20, 0x41, 0x5f, 0x17, 0xb0, 0x50, 0x3b, 0xa3, 0x23, 0x55, 0xe6, 0x79, 0xaf, 0x0f, 0x6e, 0xb6, 0x44, 0x39, 0x20, - 0x77, 0x94, 0x40, 0x09, 0x43, 0xb5, 0x3a, 0x17, 0x83 -}; + 0x77, 0x94, 0x40, 0x09, 0x43, 0xb5, 0x3a, 0x17, 0x83}; const uint8_t kHKDF_okm_tc3_sha512_256[] = { 0xfa, 0x6f, 0xf4, 0x5b, 0x2f, 0xc4, 0xf0, 0xf4, 0x98, 0x83, 0xd9, 0xc4, 0xc9, 0xf9, 0xed, 0xfb, 0x53, 0xce, 0xbb, 0x3f, 0x9f, 0xaa, 0xc5, 0x71, 0x31, 0x9c, 0x7b, 0xd1, 0x7d, 0x37, 0x1a, 0x0a, 0xbc, - 0xa6, 0x5d, 0x85, 0xeb, 0x3d, 0x41, 0x49, 0x51, 0x58 -}; - -const uint8_t kHKDF_ikm_tc4[] = { // RFC 5869 Test Case 4 - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b -}; -const uint8_t kHKDF_salt_tc4[] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c -}; -const uint8_t kHKDF_info_tc4[] = { - 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 -}; + 0xa6, 0x5d, 0x85, 0xeb, 0x3d, 0x41, 0x49, 0x51, 0x58}; + +const uint8_t kHKDF_ikm_tc4[] = { // RFC 5869 Test Case 4 + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b}; +const uint8_t kHKDF_salt_tc4[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, + 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c}; +const uint8_t kHKDF_info_tc4[] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, + 0xf5, 0xf6, 0xf7, 0xf8, 0xf9}; const uint8_t kHKDF_okm_tc4_sha1[] 
= {
- 0x08, 0x5a, 0x01, 0xea, 0x1b, 0x10, 0xf3, 0x69, 0x33, 0x06, 0x8b, 0x56,
- 0xef, 0xa5, 0xad, 0x81, 0xa4, 0xf1, 0x4b, 0x82, 0x2f, 0x5b, 0x09, 0x15,
- 0x68, 0xa9, 0xcd, 0xd4, 0xf1, 0x55, 0xfd, 0xa2, 0xc2, 0x2e, 0x42, 0x24,
- 0x78, 0xd3, 0x05, 0xf3, 0xf8, 0x96
-};
+ 0x08, 0x5a, 0x01, 0xea, 0x1b, 0x10, 0xf3, 0x69, 0x33, 0x06, 0x8b,
+ 0x56, 0xef, 0xa5, 0xad, 0x81, 0xa4, 0xf1, 0x4b, 0x82, 0x2f, 0x5b,
+ 0x09, 0x15, 0x68, 0xa9, 0xcd, 0xd4, 0xf1, 0x55, 0xfd, 0xa2, 0xc2,
+ 0x2e, 0x42, 0x24, 0x78, 0xd3, 0x05, 0xf3, 0xf8, 0x96};
 const uint8_t kHKDF_okm_tc4_sha224[] = {
- 0x7f, 0xc8, 0xae, 0x03, 0x35, 0xed, 0x46, 0x8c, 0xef, 0x56, 0xbe, 0x09,
- 0x1f, 0x64, 0x78, 0xa1, 0xaa, 0xe8, 0x4c, 0x0d, 0xa5, 0x4c, 0xe5, 0x17,
- 0x6a, 0xa3, 0x89, 0x46, 0xc7, 0x9e, 0x21, 0x0e, 0xa3, 0x2a, 0x44, 0x87,
- 0xe2, 0x13, 0x84, 0x05, 0xc3, 0x40
-};
+ 0x7f, 0xc8, 0xae, 0x03, 0x35, 0xed, 0x46, 0x8c, 0xef, 0x56, 0xbe,
+ 0x09, 0x1f, 0x64, 0x78, 0xa1, 0xaa, 0xe8, 0x4c, 0x0d, 0xa5, 0x4c,
+ 0xe5, 0x17, 0x6a, 0xa3, 0x89, 0x46, 0xc7, 0x9e, 0x21, 0x0e, 0xa3,
+ 0x2a, 0x44, 0x87, 0xe2, 0x13, 0x84, 0x05, 0xc3, 0x40};
 const uint8_t kHKDF_okm_tc4_sha256[] = {
- 0x58, 0xdc, 0xe1, 0x0d, 0x58, 0x01, 0xcd, 0xfd, 0xa8, 0x31, 0x72, 0x6b,
- 0xfe, 0xbc, 0xb7, 0x43, 0xd1, 0x4a, 0x7e, 0xe8, 0x3a, 0xa0, 0x57, 0xa9,
- 0x3d, 0x59, 0xb0, 0xa1, 0x31, 0x7f, 0xf0, 0x9d, 0x10, 0x5c, 0xce, 0xcf,
- 0x53, 0x56, 0x92, 0xb1, 0x4d, 0xd5
-};
+ 0x58, 0xdc, 0xe1, 0x0d, 0x58, 0x01, 0xcd, 0xfd, 0xa8, 0x31, 0x72,
+ 0x6b, 0xfe, 0xbc, 0xb7, 0x43, 0xd1, 0x4a, 0x7e, 0xe8, 0x3a, 0xa0,
+ 0x57, 0xa9, 0x3d, 0x59, 0xb0, 0xa1, 0x31, 0x7f, 0xf0, 0x9d, 0x10,
+ 0x5c, 0xce, 0xcf, 0x53, 0x56, 0x92, 0xb1, 0x4d, 0xd5};
 const uint8_t kHKDF_okm_tc4_sha384[] = {
- 0xfb, 0x7e, 0x67, 0x43, 0xeb, 0x42, 0xcd, 0xe9, 0x6f, 0x1b, 0x70, 0x77,
- 0x89, 0x52, 0xab, 0x75, 0x48, 0xca, 0xfe, 0x53, 0x24, 0x9f, 0x7f, 0xfe,
- 0x14, 0x97, 0xa1, 0x63, 0x5b, 0x20, 0x1f, 0xf1, 0x85, 0xb9, 0x3e, 0x95,
- 0x19, 0x92, 0xd8, 0x58, 0xf1, 0x1a
-};
+ 0xfb, 0x7e, 0x67, 0x43, 0xeb, 0x42,
0xcd, 0xe9, 0x6f, 0x1b, 0x70, + 0x77, 0x89, 0x52, 0xab, 0x75, 0x48, 0xca, 0xfe, 0x53, 0x24, 0x9f, + 0x7f, 0xfe, 0x14, 0x97, 0xa1, 0x63, 0x5b, 0x20, 0x1f, 0xf1, 0x85, + 0xb9, 0x3e, 0x95, 0x19, 0x92, 0xd8, 0x58, 0xf1, 0x1a}; const uint8_t kHKDF_okm_tc4_sha512[] = { - 0x74, 0x13, 0xe8, 0x99, 0x7e, 0x02, 0x06, 0x10, 0xfb, 0xf6, 0x82, 0x3f, - 0x2c, 0xe1, 0x4b, 0xff, 0x01, 0x87, 0x5d, 0xb1, 0xca, 0x55, 0xf6, 0x8c, - 0xfc, 0xf3, 0x95, 0x4d, 0xc8, 0xaf, 0xf5, 0x35, 0x59, 0xbd, 0x5e, 0x30, - 0x28, 0xb0, 0x80, 0xf7, 0xc0, 0x68 -}; + 0x74, 0x13, 0xe8, 0x99, 0x7e, 0x02, 0x06, 0x10, 0xfb, 0xf6, 0x82, + 0x3f, 0x2c, 0xe1, 0x4b, 0xff, 0x01, 0x87, 0x5d, 0xb1, 0xca, 0x55, + 0xf6, 0x8c, 0xfc, 0xf3, 0x95, 0x4d, 0xc8, 0xaf, 0xf5, 0x35, 0x59, + 0xbd, 0x5e, 0x30, 0x28, 0xb0, 0x80, 0xf7, 0xc0, 0x68}; const uint8_t kHKDF_okm_tc4_sha512_224[] = { 0x80, 0x86, 0x34, 0xf8, 0x71, 0x34, 0xbc, 0xb6, 0x9b, 0xfb, 0xd2, 0x17, 0x2c, 0x91, 0xd2, 0x2b, 0x6b, 0xdf, 0x11, 0x63, 0x4f, 0x66, 0x4e, 0x60, 0x45, 0x03, 0xac, 0x55, 0x90, 0x7c, 0x71, 0x16, 0x5e, - 0xbe, 0xfe, 0x17, 0xce, 0xf1, 0xef, 0xe8, 0x23, 0xa3 -}; + 0xbe, 0xfe, 0x17, 0xce, 0xf1, 0xef, 0xe8, 0x23, 0xa3}; const uint8_t kHKDF_okm_tc4_sha512_256[] = { 0xce, 0xa7, 0x08, 0xf9, 0xe8, 0x3b, 0x5b, 0x33, 0x39, 0x59, 0x9b, 0xcf, 0x6b, 0x97, 0x08, 0xde, 0x5e, 0xdf, 0x23, 0xab, 0xb5, 0x95, 0xfc, 0xbb, 0xcc, 0xb5, 0xf5, 0x18, 0x70, 0x1e, 0x7b, 0x72, 0x07, - 0x74, 0xa8, 0xef, 0xa7, 0x9b, 0x99, 0x46, 0xb3, 0x1f -}; + 0x74, 0xa8, 0xef, 0xa7, 0x9b, 0x99, 0x46, 0xb3, 0x1f}; // RFC Test Case 5 repeats the inputs from RFC 5869 Test Case 2; RFC Test Case 6 // repeats the inputs from RFC 5869 Test Case 3. 
-const uint8_t kHKDF_ikm_tc7[] = { // RFC 5869 Test Case 7
- 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
- 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c
-};
+const uint8_t kHKDF_ikm_tc7[] = { // RFC 5869 Test Case 7
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c};
 // Salt for Test Case 7 is not specified (NULL). HKDF will use HashLen 0x00
 // bytes instead.
-const uint8_t kHKDF_info_tc7[] = {0}; // No info
+const uint8_t kHKDF_info_tc7[] = {0}; // No info
 const uint8_t kHKDF_okm_tc7_sha1[] = {
- 0x2c, 0x91, 0x11, 0x72, 0x04, 0xd7, 0x45, 0xf3, 0x50, 0x0d, 0x63, 0x6a,
- 0x62, 0xf6, 0x4f, 0x0a, 0xb3, 0xba, 0xe5, 0x48, 0xaa, 0x53, 0xd4, 0x23,
- 0xb0, 0xd1, 0xf2, 0x7e, 0xbb, 0xa6, 0xf5, 0xe5, 0x67, 0x3a, 0x08, 0x1d,
- 0x70, 0xcc, 0xe7, 0xac, 0xfc, 0x48
-};
+ 0x2c, 0x91, 0x11, 0x72, 0x04, 0xd7, 0x45, 0xf3, 0x50, 0x0d, 0x63,
+ 0x6a, 0x62, 0xf6, 0x4f, 0x0a, 0xb3, 0xba, 0xe5, 0x48, 0xaa, 0x53,
+ 0xd4, 0x23, 0xb0, 0xd1, 0xf2, 0x7e, 0xbb, 0xa6, 0xf5, 0xe5, 0x67,
+ 0x3a, 0x08, 0x1d, 0x70, 0xcc, 0xe7, 0xac, 0xfc, 0x48};
 const uint8_t kHKDF_okm_tc7_sha224[] = {
- 0xca, 0x84, 0x01, 0xe6, 0x45, 0xb3, 0xa5, 0x8e, 0x00, 0x99, 0x28, 0x57,
- 0xfe, 0x00, 0x38, 0xcb, 0x1b, 0xf8, 0xdc, 0x51, 0xed, 0xf0, 0x52, 0x33,
- 0x6c, 0x08, 0xf3, 0xbe, 0xd6, 0x82, 0xc8, 0x3e, 0x77, 0x80, 0x3c, 0xdd,
- 0x16, 0xd1, 0x56, 0xbb, 0x8a, 0x30
-};
+ 0xca, 0x84, 0x01, 0xe6, 0x45, 0xb3, 0xa5, 0x8e, 0x00, 0x99, 0x28,
+ 0x57, 0xfe, 0x00, 0x38, 0xcb, 0x1b, 0xf8, 0xdc, 0x51, 0xed, 0xf0,
+ 0x52, 0x33, 0x6c, 0x08, 0xf3, 0xbe, 0xd6, 0x82, 0xc8, 0x3e, 0x77,
+ 0x80, 0x3c, 0xdd, 0x16, 0xd1, 0x56, 0xbb, 0x8a, 0x30};
 const uint8_t kHKDF_okm_tc7_sha256[] = {
- 0x59, 0x68, 0x99, 0x17, 0x9a, 0xb1, 0xbc, 0x00, 0xa7, 0xc0, 0x37, 0x86,
- 0xff, 0x43, 0xee, 0x53, 0x50, 0x04, 0xbe, 0x2b, 0xb9, 0xbe, 0x68, 0xbc,
- 0x14, 0x06, 0x63, 0x6f, 0x54, 0xbd, 0x33, 0x8a, 0x66, 0xa2, 0x37, 0xba,
- 0x2a, 0xcb, 0xce,
0xe3, 0xc9, 0xa7 -}; + 0x59, 0x68, 0x99, 0x17, 0x9a, 0xb1, 0xbc, 0x00, 0xa7, 0xc0, 0x37, + 0x86, 0xff, 0x43, 0xee, 0x53, 0x50, 0x04, 0xbe, 0x2b, 0xb9, 0xbe, + 0x68, 0xbc, 0x14, 0x06, 0x63, 0x6f, 0x54, 0xbd, 0x33, 0x8a, 0x66, + 0xa2, 0x37, 0xba, 0x2a, 0xcb, 0xce, 0xe3, 0xc9, 0xa7}; const uint8_t kHKDF_okm_tc7_sha384[] = { - 0x6a, 0xd7, 0xc7, 0x26, 0xc8, 0x40, 0x09, 0x54, 0x6a, 0x76, 0xe0, 0x54, - 0x5d, 0xf2, 0x66, 0x78, 0x7e, 0x2b, 0x2c, 0xd6, 0xca, 0x43, 0x73, 0xa1, - 0xf3, 0x14, 0x50, 0xa7, 0xbd, 0xf9, 0x48, 0x2b, 0xfa, 0xb8, 0x11, 0xf5, - 0x54, 0x20, 0x0e, 0xad, 0x8f, 0x53 -}; + 0x6a, 0xd7, 0xc7, 0x26, 0xc8, 0x40, 0x09, 0x54, 0x6a, 0x76, 0xe0, + 0x54, 0x5d, 0xf2, 0x66, 0x78, 0x7e, 0x2b, 0x2c, 0xd6, 0xca, 0x43, + 0x73, 0xa1, 0xf3, 0x14, 0x50, 0xa7, 0xbd, 0xf9, 0x48, 0x2b, 0xfa, + 0xb8, 0x11, 0xf5, 0x54, 0x20, 0x0e, 0xad, 0x8f, 0x53}; const uint8_t kHKDF_okm_tc7_sha512[] = { - 0x14, 0x07, 0xd4, 0x60, 0x13, 0xd9, 0x8b, 0xc6, 0xde, 0xce, 0xfc, 0xfe, - 0xe5, 0x5f, 0x0f, 0x90, 0xb0, 0xc7, 0xf6, 0x3d, 0x68, 0xeb, 0x1a, 0x80, - 0xea, 0xf0, 0x7e, 0x95, 0x3c, 0xfc, 0x0a, 0x3a, 0x52, 0x40, 0xa1, 0x55, - 0xd6, 0xe4, 0xda, 0xa9, 0x65, 0xbb -}; + 0x14, 0x07, 0xd4, 0x60, 0x13, 0xd9, 0x8b, 0xc6, 0xde, 0xce, 0xfc, + 0xfe, 0xe5, 0x5f, 0x0f, 0x90, 0xb0, 0xc7, 0xf6, 0x3d, 0x68, 0xeb, + 0x1a, 0x80, 0xea, 0xf0, 0x7e, 0x95, 0x3c, 0xfc, 0x0a, 0x3a, 0x52, + 0x40, 0xa1, 0x55, 0xd6, 0xe4, 0xda, 0xa9, 0x65, 0xbb}; const uint8_t kHKDF_okm_tc7_sha512_224[] = { 0xb2, 0xf0, 0x98, 0x31, 0x2a, 0xd3, 0xfe, 0xee, 0x46, 0xe9, 0x0f, 0x1b, 0x90, 0x6a, 0x20, 0xa1, 0xab, 0xee, 0x95, 0xbb, 0xcd, 0xf8, 0x16, 0x30, 0xc7, 0x1c, 0x2b, 0x46, 0xc6, 0xc6, 0x15, 0xbe, 0x23, - 0x54, 0x38, 0x2f, 0x42, 0x56, 0x4d, 0xee, 0x56, 0x4d -}; + 0x54, 0x38, 0x2f, 0x42, 0x56, 0x4d, 0xee, 0x56, 0x4d}; const uint8_t kHKDF_okm_tc7_sha512_256[] = { 0x6e, 0x15, 0x36, 0x0b, 0x08, 0x47, 0xd9, 0xef, 0x32, 0xa4, 0xa8, 0x0d, 0x5e, 0x1f, 0x58, 0xce, 0xb3, 0xe9, 0x01, 0xf9, 0x29, 0x80, 0x4e, 0xcf, 0x01, 0x6a, 0x8c, 0xf3, 0x59, 0x18, 
0xb5, 0xdb, 0x99,
- 0x8d, 0x1f, 0x09, 0x1e, 0x83, 0x67, 0xa1, 0x82, 0x62
-};
+ 0x8d, 0x1f, 0x09, 0x1e, 0x83, 0x67, 0xa1, 0x82, 0x62};
 static const struct HKDFTestVector {
- // func is the hash function for HMAC to test.
- const EVP_MD *(*func)(void);
- const uint8_t *ikm; // Initial Keying Material
- const size_t ikm_size;
- const uint8_t *salt; // Salt
- const size_t salt_size;
- const uint8_t *info; // "Other Info", the sequel to Salt.
- const size_t info_size;
- const uint8_t *expected_output; // Expected Output Keying Material
- const uint8_t output_len;
- const FIPSStatus expect_approved;
+ // func is the hash function for HMAC to test.
+ const EVP_MD *(*func)(void);
+ const uint8_t *ikm; // Initial Keying Material
+ const size_t ikm_size;
+ const uint8_t *salt; // Salt
+ const size_t salt_size;
+ const uint8_t *info; // "Other Info", the sequel to Salt.
+ const size_t info_size;
+ const uint8_t *expected_output; // Expected Output Keying Material
+ const uint8_t output_len;
+ const FIPSStatus expect_approved;
 } kHKDFTestVectors[] = {
 // RFC 5869 Test Case 1
 {
 EVP_md5,
- kHKDF_ikm_tc1, sizeof(kHKDF_ikm_tc1),
- kHKDF_salt_tc1, sizeof(kHKDF_salt_tc1),
- kHKDF_info_tc1, sizeof(kHKDF_info_tc1),
- kHKDF_okm_tc1_md5, sizeof(kHKDF_okm_tc1_md5),
+ kHKDF_ikm_tc1,
+ sizeof(kHKDF_ikm_tc1),
+ kHKDF_salt_tc1,
+ sizeof(kHKDF_salt_tc1),
+ kHKDF_info_tc1,
+ sizeof(kHKDF_info_tc1),
+ kHKDF_okm_tc1_md5,
+ sizeof(kHKDF_okm_tc1_md5),
 AWSLC_NOT_APPROVED,
 },
 {
 EVP_sha1,
- kHKDF_ikm_tc1, sizeof(kHKDF_ikm_tc1),
- kHKDF_salt_tc1, sizeof(kHKDF_salt_tc1),
- kHKDF_info_tc1, sizeof(kHKDF_info_tc1),
- kHKDF_okm_tc1_sha1, sizeof(kHKDF_okm_tc1_sha1),
+ kHKDF_ikm_tc1,
+ sizeof(kHKDF_ikm_tc1),
+ kHKDF_salt_tc1,
+ sizeof(kHKDF_salt_tc1),
+ kHKDF_info_tc1,
+ sizeof(kHKDF_info_tc1),
+ kHKDF_okm_tc1_sha1,
+ sizeof(kHKDF_okm_tc1_sha1),
 AWSLC_APPROVED,
 },
 {
 EVP_sha224,
- kHKDF_ikm_tc1, sizeof(kHKDF_ikm_tc1),
- kHKDF_salt_tc1, sizeof(kHKDF_salt_tc1),
- kHKDF_info_tc1, sizeof(kHKDF_info_tc1),
- kHKDF_okm_tc1_sha224, sizeof(kHKDF_okm_tc1_sha224),
+ kHKDF_ikm_tc1,
+ sizeof(kHKDF_ikm_tc1),
+ kHKDF_salt_tc1,
+ sizeof(kHKDF_salt_tc1),
+ kHKDF_info_tc1,
+ sizeof(kHKDF_info_tc1),
+ kHKDF_okm_tc1_sha224,
+ sizeof(kHKDF_okm_tc1_sha224),
 AWSLC_APPROVED,
 },
 {
 EVP_sha256,
- kHKDF_ikm_tc1, sizeof(kHKDF_ikm_tc1),
- kHKDF_salt_tc1, sizeof(kHKDF_salt_tc1),
- kHKDF_info_tc1, sizeof(kHKDF_info_tc1),
- kHKDF_okm_tc1_sha256, sizeof(kHKDF_okm_tc1_sha256),
+ kHKDF_ikm_tc1,
+ sizeof(kHKDF_ikm_tc1),
+ kHKDF_salt_tc1,
+ sizeof(kHKDF_salt_tc1),
+ kHKDF_info_tc1,
+ sizeof(kHKDF_info_tc1),
+ kHKDF_okm_tc1_sha256,
+ sizeof(kHKDF_okm_tc1_sha256),
 AWSLC_APPROVED,
 },
 {
 EVP_sha384,
- kHKDF_ikm_tc1, sizeof(kHKDF_ikm_tc1),
- kHKDF_salt_tc1, sizeof(kHKDF_salt_tc1),
- kHKDF_info_tc1, sizeof(kHKDF_info_tc1),
- kHKDF_okm_tc1_sha384, sizeof(kHKDF_okm_tc1_sha384),
+ kHKDF_ikm_tc1,
+ sizeof(kHKDF_ikm_tc1),
+ kHKDF_salt_tc1,
+ sizeof(kHKDF_salt_tc1),
+ kHKDF_info_tc1,
+ sizeof(kHKDF_info_tc1),
+ kHKDF_okm_tc1_sha384,
+ sizeof(kHKDF_okm_tc1_sha384),
 AWSLC_APPROVED,
 },
 {
 EVP_sha512,
- kHKDF_ikm_tc1, sizeof(kHKDF_ikm_tc1),
- kHKDF_salt_tc1, sizeof(kHKDF_salt_tc1),
- kHKDF_info_tc1, sizeof(kHKDF_info_tc1),
- kHKDF_okm_tc1_sha512, sizeof(kHKDF_okm_tc1_sha512),
+ kHKDF_ikm_tc1,
+ sizeof(kHKDF_ikm_tc1),
+ kHKDF_salt_tc1,
+ sizeof(kHKDF_salt_tc1),
+ kHKDF_info_tc1,
+ sizeof(kHKDF_info_tc1),
+ kHKDF_okm_tc1_sha512,
+ sizeof(kHKDF_okm_tc1_sha512),
 AWSLC_APPROVED,
 },
 {
 EVP_sha512_224,
- kHKDF_ikm_tc1, sizeof(kHKDF_ikm_tc1),
- kHKDF_salt_tc1, sizeof(kHKDF_salt_tc1),
- kHKDF_info_tc1, sizeof(kHKDF_info_tc1),
- kHKDF_okm_tc1_sha512_224, sizeof(kHKDF_okm_tc1_sha512_224),
+ kHKDF_ikm_tc1,
+ sizeof(kHKDF_ikm_tc1),
+ kHKDF_salt_tc1,
+ sizeof(kHKDF_salt_tc1),
+ kHKDF_info_tc1,
+ sizeof(kHKDF_info_tc1),
+ kHKDF_okm_tc1_sha512_224,
+ sizeof(kHKDF_okm_tc1_sha512_224),
 AWSLC_APPROVED,
 },
 {
 EVP_sha512_256,
- kHKDF_ikm_tc1, sizeof(kHKDF_ikm_tc1),
- kHKDF_salt_tc1, sizeof(kHKDF_salt_tc1),
- kHKDF_info_tc1, sizeof(kHKDF_info_tc1),
- kHKDF_okm_tc1_sha512_256, sizeof(kHKDF_okm_tc1_sha512_256),
+ kHKDF_ikm_tc1,
+ sizeof(kHKDF_ikm_tc1),
+ kHKDF_salt_tc1,
+ sizeof(kHKDF_salt_tc1),
+ kHKDF_info_tc1,
+ sizeof(kHKDF_info_tc1),
+ kHKDF_okm_tc1_sha512_256,
+ sizeof(kHKDF_okm_tc1_sha512_256),
 AWSLC_APPROVED,
 },
@@ -1775,58 +1768,86 @@ static const struct HKDFTestVector {
 // RFC 5869 Test Case 2
 {
 EVP_sha1,
- kHKDF_ikm_tc2, sizeof(kHKDF_ikm_tc2),
- kHKDF_salt_tc2, sizeof(kHKDF_salt_tc2),
- kHKDF_info_tc2, sizeof(kHKDF_info_tc2),
- kHKDF_okm_tc2_sha1, sizeof(kHKDF_okm_tc2_sha1),
+ kHKDF_ikm_tc2,
+ sizeof(kHKDF_ikm_tc2),
+ kHKDF_salt_tc2,
+ sizeof(kHKDF_salt_tc2),
+ kHKDF_info_tc2,
+ sizeof(kHKDF_info_tc2),
+ kHKDF_okm_tc2_sha1,
+ sizeof(kHKDF_okm_tc2_sha1),
 AWSLC_APPROVED,
 },
 {
 EVP_sha224,
- kHKDF_ikm_tc2, sizeof(kHKDF_ikm_tc2),
- kHKDF_salt_tc2, sizeof(kHKDF_salt_tc2),
- kHKDF_info_tc2, sizeof(kHKDF_info_tc2),
- kHKDF_okm_tc2_sha224, sizeof(kHKDF_okm_tc2_sha224),
+ kHKDF_ikm_tc2,
+ sizeof(kHKDF_ikm_tc2),
+ kHKDF_salt_tc2,
+ sizeof(kHKDF_salt_tc2),
+ kHKDF_info_tc2,
+ sizeof(kHKDF_info_tc2),
+ kHKDF_okm_tc2_sha224,
+ sizeof(kHKDF_okm_tc2_sha224),
 AWSLC_APPROVED,
 },
 {
 EVP_sha256,
- kHKDF_ikm_tc2, sizeof(kHKDF_ikm_tc2),
- kHKDF_salt_tc2, sizeof(kHKDF_salt_tc2),
- kHKDF_info_tc2, sizeof(kHKDF_info_tc2),
- kHKDF_okm_tc2_sha256, sizeof(kHKDF_okm_tc2_sha256),
+ kHKDF_ikm_tc2,
+ sizeof(kHKDF_ikm_tc2),
+ kHKDF_salt_tc2,
+ sizeof(kHKDF_salt_tc2),
+ kHKDF_info_tc2,
+ sizeof(kHKDF_info_tc2),
+ kHKDF_okm_tc2_sha256,
+ sizeof(kHKDF_okm_tc2_sha256),
 AWSLC_APPROVED,
 },
 {
 EVP_sha384,
- kHKDF_ikm_tc2, sizeof(kHKDF_ikm_tc2),
- kHKDF_salt_tc2, sizeof(kHKDF_salt_tc2),
- kHKDF_info_tc2, sizeof(kHKDF_info_tc2),
- kHKDF_okm_tc2_sha384, sizeof(kHKDF_okm_tc2_sha384),
+ kHKDF_ikm_tc2,
+ sizeof(kHKDF_ikm_tc2),
+ kHKDF_salt_tc2,
+ sizeof(kHKDF_salt_tc2),
+ kHKDF_info_tc2,
+ sizeof(kHKDF_info_tc2),
+ kHKDF_okm_tc2_sha384,
+ sizeof(kHKDF_okm_tc2_sha384),
 AWSLC_APPROVED,
 },
 {
 EVP_sha512,
- kHKDF_ikm_tc2, sizeof(kHKDF_ikm_tc2),
- kHKDF_salt_tc2, sizeof(kHKDF_salt_tc2),
- kHKDF_info_tc2, sizeof(kHKDF_info_tc2),
- kHKDF_okm_tc2_sha512, sizeof(kHKDF_okm_tc2_sha512),
+ kHKDF_ikm_tc2,
+ sizeof(kHKDF_ikm_tc2),
+ kHKDF_salt_tc2,
+ sizeof(kHKDF_salt_tc2),
+ kHKDF_info_tc2,
+ sizeof(kHKDF_info_tc2),
+ kHKDF_okm_tc2_sha512,
+ sizeof(kHKDF_okm_tc2_sha512),
 AWSLC_APPROVED,
 },
 {
 EVP_sha512_224,
- kHKDF_ikm_tc2, sizeof(kHKDF_ikm_tc2),
- kHKDF_salt_tc2, sizeof(kHKDF_salt_tc2),
- kHKDF_info_tc2, sizeof(kHKDF_info_tc2),
- kHKDF_okm_tc2_sha512_224, sizeof(kHKDF_okm_tc2_sha512_224),
+ kHKDF_ikm_tc2,
+ sizeof(kHKDF_ikm_tc2),
+ kHKDF_salt_tc2,
+ sizeof(kHKDF_salt_tc2),
+ kHKDF_info_tc2,
+ sizeof(kHKDF_info_tc2),
+ kHKDF_okm_tc2_sha512_224,
+ sizeof(kHKDF_okm_tc2_sha512_224),
 AWSLC_APPROVED,
 },
 {
 EVP_sha512_256,
- kHKDF_ikm_tc2, sizeof(kHKDF_ikm_tc2),
- kHKDF_salt_tc2, sizeof(kHKDF_salt_tc2),
- kHKDF_info_tc2, sizeof(kHKDF_info_tc2),
- kHKDF_okm_tc2_sha512_256, sizeof(kHKDF_okm_tc2_sha512_256),
+ kHKDF_ikm_tc2,
+ sizeof(kHKDF_ikm_tc2),
+ kHKDF_salt_tc2,
+ sizeof(kHKDF_salt_tc2),
+ kHKDF_info_tc2,
+ sizeof(kHKDF_info_tc2),
+ kHKDF_okm_tc2_sha512_256,
+ sizeof(kHKDF_okm_tc2_sha512_256),
 AWSLC_APPROVED,
 },
@@ -1836,116 +1857,172 @@ static const struct HKDFTestVector {
 // C, thus the hard-coded sizes in this section.
 {
 EVP_sha1,
- kHKDF_ikm_tc3, sizeof(kHKDF_ikm_tc3),
- kHKDF_salt_tc3, 0,
- kHKDF_info_tc3, 0,
- kHKDF_okm_tc3_sha1, sizeof(kHKDF_okm_tc3_sha1),
+ kHKDF_ikm_tc3,
+ sizeof(kHKDF_ikm_tc3),
+ kHKDF_salt_tc3,
+ 0,
+ kHKDF_info_tc3,
+ 0,
+ kHKDF_okm_tc3_sha1,
+ sizeof(kHKDF_okm_tc3_sha1),
 AWSLC_NOT_APPROVED,
 },
 {
 EVP_sha224,
- kHKDF_ikm_tc3, sizeof(kHKDF_ikm_tc3),
- kHKDF_salt_tc3, 0,
- kHKDF_info_tc3, 0,
- kHKDF_okm_tc3_sha224, sizeof(kHKDF_okm_tc3_sha224),
+ kHKDF_ikm_tc3,
+ sizeof(kHKDF_ikm_tc3),
+ kHKDF_salt_tc3,
+ 0,
+ kHKDF_info_tc3,
+ 0,
+ kHKDF_okm_tc3_sha224,
+ sizeof(kHKDF_okm_tc3_sha224),
 AWSLC_NOT_APPROVED,
 },
 {
 EVP_sha256,
- kHKDF_ikm_tc3, sizeof(kHKDF_ikm_tc3),
- kHKDF_salt_tc3, 0,
- kHKDF_info_tc3, 0,
- kHKDF_okm_tc3_sha256, sizeof(kHKDF_okm_tc3_sha256),
+ kHKDF_ikm_tc3,
+ sizeof(kHKDF_ikm_tc3),
+ kHKDF_salt_tc3,
+ 0,
+ kHKDF_info_tc3,
+ 0,
+ kHKDF_okm_tc3_sha256,
+ sizeof(kHKDF_okm_tc3_sha256),
 AWSLC_NOT_APPROVED,
 },
 {
 EVP_sha384,
- kHKDF_ikm_tc3, sizeof(kHKDF_ikm_tc3),
- kHKDF_salt_tc3, 0,
- kHKDF_info_tc3, 0,
- kHKDF_okm_tc3_sha384, sizeof(kHKDF_okm_tc3_sha384),
+ kHKDF_ikm_tc3,
+ sizeof(kHKDF_ikm_tc3),
+ kHKDF_salt_tc3,
+ 0,
+ kHKDF_info_tc3,
+ 0,
+ kHKDF_okm_tc3_sha384,
+ sizeof(kHKDF_okm_tc3_sha384),
 AWSLC_NOT_APPROVED,
 },
 {
 EVP_sha512,
- kHKDF_ikm_tc3, sizeof(kHKDF_ikm_tc3),
- kHKDF_salt_tc3, 0,
- kHKDF_info_tc3, 0,
- kHKDF_okm_tc3_sha512, sizeof(kHKDF_okm_tc3_sha512),
+ kHKDF_ikm_tc3,
+ sizeof(kHKDF_ikm_tc3),
+ kHKDF_salt_tc3,
+ 0,
+ kHKDF_info_tc3,
+ 0,
+ kHKDF_okm_tc3_sha512,
+ sizeof(kHKDF_okm_tc3_sha512),
 AWSLC_NOT_APPROVED,
 },
 {
 EVP_sha512_224,
- kHKDF_ikm_tc3, sizeof(kHKDF_ikm_tc3),
- kHKDF_salt_tc3, 0,
- kHKDF_info_tc3, 0,
- kHKDF_okm_tc3_sha512_224, sizeof(kHKDF_okm_tc3_sha512_224),
+ kHKDF_ikm_tc3,
+ sizeof(kHKDF_ikm_tc3),
+ kHKDF_salt_tc3,
+ 0,
+ kHKDF_info_tc3,
+ 0,
+ kHKDF_okm_tc3_sha512_224,
+ sizeof(kHKDF_okm_tc3_sha512_224),
 AWSLC_NOT_APPROVED,
 },
 {
 EVP_sha512_256,
- kHKDF_ikm_tc3, sizeof(kHKDF_ikm_tc3),
- kHKDF_salt_tc3, 0,
- kHKDF_salt_tc3, 0,
- kHKDF_okm_tc3_sha512_256, sizeof(kHKDF_okm_tc3_sha512_256),
+ kHKDF_ikm_tc3,
+ sizeof(kHKDF_ikm_tc3),
+ kHKDF_salt_tc3,
+ 0,
+ kHKDF_salt_tc3,
+ 0,
+ kHKDF_okm_tc3_sha512_256,
+ sizeof(kHKDF_okm_tc3_sha512_256),
 AWSLC_NOT_APPROVED,
 },
 // RFC 5869 Test Case 4
 {
 EVP_sha1,
- kHKDF_ikm_tc4, sizeof(kHKDF_ikm_tc4),
- kHKDF_salt_tc4, sizeof(kHKDF_salt_tc4),
- kHKDF_info_tc4, sizeof(kHKDF_info_tc4),
- kHKDF_okm_tc4_sha1, sizeof(kHKDF_okm_tc4_sha1),
+ kHKDF_ikm_tc4,
+ sizeof(kHKDF_ikm_tc4),
+ kHKDF_salt_tc4,
+ sizeof(kHKDF_salt_tc4),
+ kHKDF_info_tc4,
+ sizeof(kHKDF_info_tc4),
+ kHKDF_okm_tc4_sha1,
+ sizeof(kHKDF_okm_tc4_sha1),
 AWSLC_APPROVED,
 },
 {
 EVP_sha224,
- kHKDF_ikm_tc4, sizeof(kHKDF_ikm_tc4),
- kHKDF_salt_tc4, sizeof(kHKDF_salt_tc4),
- kHKDF_info_tc4, sizeof(kHKDF_info_tc4),
- kHKDF_okm_tc4_sha224, sizeof(kHKDF_okm_tc4_sha224),
+ kHKDF_ikm_tc4,
+ sizeof(kHKDF_ikm_tc4),
+ kHKDF_salt_tc4,
+ sizeof(kHKDF_salt_tc4),
+ kHKDF_info_tc4,
+ sizeof(kHKDF_info_tc4),
+ kHKDF_okm_tc4_sha224,
+ sizeof(kHKDF_okm_tc4_sha224),
 AWSLC_APPROVED,
 },
 {
 EVP_sha256,
- kHKDF_ikm_tc4, sizeof(kHKDF_ikm_tc4),
- kHKDF_salt_tc4, sizeof(kHKDF_salt_tc4),
- kHKDF_info_tc4, sizeof(kHKDF_info_tc4),
- kHKDF_okm_tc4_sha256, sizeof(kHKDF_okm_tc4_sha256),
+ kHKDF_ikm_tc4,
+ sizeof(kHKDF_ikm_tc4),
+ kHKDF_salt_tc4,
+ sizeof(kHKDF_salt_tc4),
+ kHKDF_info_tc4,
+ sizeof(kHKDF_info_tc4),
+ kHKDF_okm_tc4_sha256,
+ sizeof(kHKDF_okm_tc4_sha256),
 AWSLC_APPROVED,
 },
 {
 EVP_sha384,
- kHKDF_ikm_tc4, sizeof(kHKDF_ikm_tc4),
- kHKDF_salt_tc4, sizeof(kHKDF_salt_tc4),
- kHKDF_info_tc4, sizeof(kHKDF_info_tc4),
- kHKDF_okm_tc4_sha384, sizeof(kHKDF_okm_tc4_sha384),
+ kHKDF_ikm_tc4,
+ sizeof(kHKDF_ikm_tc4),
+ kHKDF_salt_tc4,
+ sizeof(kHKDF_salt_tc4),
+ kHKDF_info_tc4,
+ sizeof(kHKDF_info_tc4),
+ kHKDF_okm_tc4_sha384,
+ sizeof(kHKDF_okm_tc4_sha384),
 AWSLC_APPROVED,
 },
 {
EVP_sha512, - kHKDF_ikm_tc4, sizeof(kHKDF_ikm_tc4), - kHKDF_salt_tc4, sizeof(kHKDF_salt_tc4), - kHKDF_info_tc4, sizeof(kHKDF_info_tc4), - kHKDF_okm_tc4_sha512, sizeof(kHKDF_okm_tc4_sha512), + kHKDF_ikm_tc4, + sizeof(kHKDF_ikm_tc4), + kHKDF_salt_tc4, + sizeof(kHKDF_salt_tc4), + kHKDF_info_tc4, + sizeof(kHKDF_info_tc4), + kHKDF_okm_tc4_sha512, + sizeof(kHKDF_okm_tc4_sha512), AWSLC_APPROVED, }, { EVP_sha512_224, - kHKDF_ikm_tc4, sizeof(kHKDF_ikm_tc4), - kHKDF_salt_tc4, sizeof(kHKDF_salt_tc4), - kHKDF_info_tc4, sizeof(kHKDF_info_tc4), - kHKDF_okm_tc4_sha512_224, sizeof(kHKDF_okm_tc4_sha512_224), + kHKDF_ikm_tc4, + sizeof(kHKDF_ikm_tc4), + kHKDF_salt_tc4, + sizeof(kHKDF_salt_tc4), + kHKDF_info_tc4, + sizeof(kHKDF_info_tc4), + kHKDF_okm_tc4_sha512_224, + sizeof(kHKDF_okm_tc4_sha512_224), AWSLC_APPROVED, }, { EVP_sha512_256, - kHKDF_ikm_tc4, sizeof(kHKDF_ikm_tc4), - kHKDF_salt_tc4, sizeof(kHKDF_salt_tc4), - kHKDF_info_tc4, sizeof(kHKDF_info_tc4), - kHKDF_okm_tc4_sha512_256, sizeof(kHKDF_okm_tc4_sha512_256), + kHKDF_ikm_tc4, + sizeof(kHKDF_ikm_tc4), + kHKDF_salt_tc4, + sizeof(kHKDF_salt_tc4), + kHKDF_info_tc4, + sizeof(kHKDF_info_tc4), + kHKDF_okm_tc4_sha512_256, + sizeof(kHKDF_okm_tc4_sha512_256), AWSLC_APPROVED, }, 
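Review bot: The RFC 5869 Test Case 3 entry for `EVP_sha512_256` passes `kHKDF_salt_tc3` where its info pointer belongs (the pair `kHKDF_salt_tc3, 0, kHKDF_salt_tc3, 0,` survives unchanged on the new side), while every sibling tc3 entry uses `kHKDF_info_tc3` there. Because the length is 0 the derived bytes are unaffected and the test still passes, so the copy-paste error is masked; it would only surface if someone later made the info length non-zero for this row. This is pre-existing and the commit is format-only, but since the line is being touched anyway the fix is a one-token change: `kHKDF_info_tc3,` in place of the second `kHKDF_salt_tc3,`. The `kHKDFTestVectors` table begins and ends outside this hunk.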
@@ -1957,58 +2034,86 @@ static const struct HKDFTestVector { // Info is a zero-length array, thus the hard-coded length. { EVP_sha1, - kHKDF_ikm_tc7, sizeof(kHKDF_ikm_tc7), - NULL, 0, - kHKDF_info_tc7, 0, - kHKDF_okm_tc7_sha1, sizeof(kHKDF_okm_tc7_sha1), + kHKDF_ikm_tc7, + sizeof(kHKDF_ikm_tc7), + NULL, + 0, + kHKDF_info_tc7, + 0, + kHKDF_okm_tc7_sha1, + sizeof(kHKDF_okm_tc7_sha1), AWSLC_NOT_APPROVED, }, { EVP_sha224, - kHKDF_ikm_tc7, sizeof(kHKDF_ikm_tc7), - NULL, 0, - kHKDF_info_tc7, 0, - kHKDF_okm_tc7_sha224, sizeof(kHKDF_okm_tc7_sha224), + kHKDF_ikm_tc7, + sizeof(kHKDF_ikm_tc7), + NULL, + 0, + kHKDF_info_tc7, + 0, + kHKDF_okm_tc7_sha224, + sizeof(kHKDF_okm_tc7_sha224), AWSLC_NOT_APPROVED, }, { EVP_sha256, - kHKDF_ikm_tc7, sizeof(kHKDF_ikm_tc7), - NULL, 0, - kHKDF_info_tc7, 0, - kHKDF_okm_tc7_sha256, sizeof(kHKDF_okm_tc7_sha256), + kHKDF_ikm_tc7, + sizeof(kHKDF_ikm_tc7), + NULL, + 0, + kHKDF_info_tc7, + 0, + kHKDF_okm_tc7_sha256, + sizeof(kHKDF_okm_tc7_sha256), AWSLC_NOT_APPROVED, }, { EVP_sha384, - kHKDF_ikm_tc7, sizeof(kHKDF_ikm_tc7), - NULL, 0, - kHKDF_info_tc7, 0, - kHKDF_okm_tc7_sha384, sizeof(kHKDF_okm_tc7_sha384), + kHKDF_ikm_tc7, + sizeof(kHKDF_ikm_tc7), + NULL, + 0, + kHKDF_info_tc7, + 0, + kHKDF_okm_tc7_sha384, + sizeof(kHKDF_okm_tc7_sha384), AWSLC_NOT_APPROVED, }, { EVP_sha512, - kHKDF_ikm_tc7, sizeof(kHKDF_ikm_tc7), - NULL, 0, - kHKDF_info_tc7, 0, - kHKDF_okm_tc7_sha512, sizeof(kHKDF_okm_tc7_sha512), + kHKDF_ikm_tc7, + sizeof(kHKDF_ikm_tc7), + NULL, + 0, + kHKDF_info_tc7, + 0, + kHKDF_okm_tc7_sha512, + sizeof(kHKDF_okm_tc7_sha512), AWSLC_NOT_APPROVED, }, { EVP_sha512_224, - kHKDF_ikm_tc7, sizeof(kHKDF_ikm_tc7), - NULL, 0, - kHKDF_info_tc7, 0, - kHKDF_okm_tc7_sha512_224, sizeof(kHKDF_okm_tc7_sha512_224), + kHKDF_ikm_tc7, + sizeof(kHKDF_ikm_tc7), + NULL, + 0, + kHKDF_info_tc7, + 0, + kHKDF_okm_tc7_sha512_224, + sizeof(kHKDF_okm_tc7_sha512_224), AWSLC_NOT_APPROVED, }, { EVP_sha512_256, - kHKDF_ikm_tc7, sizeof(kHKDF_ikm_tc7), - NULL, 0, - kHKDF_info_tc7, 
0, - kHKDF_okm_tc7_sha512_256, sizeof(kHKDF_okm_tc7_sha512_256), + kHKDF_ikm_tc7, + sizeof(kHKDF_ikm_tc7), + NULL, + 0, + kHKDF_info_tc7, + 0, + kHKDF_okm_tc7_sha512_256, + sizeof(kHKDF_okm_tc7_sha512_256), AWSLC_NOT_APPROVED, }, }; @@ -2028,18 +2133,18 @@ TEST_P(HKDF_ServiceIndicatorTest, HKDFTest) { FIPSStatus approved = AWSLC_NOT_APPROVED; - uint8_t output[sizeof(kHKDF_okm_tc2_sha256)]; // largest test output size + uint8_t output[sizeof(kHKDF_okm_tc2_sha256)]; // largest test output size CALL_SERVICE_AND_CHECK_APPROVED( - approved, ASSERT_TRUE(HKDF(output, test.output_len, test.func(), - test.ikm, test.ikm_size, - test.salt, test.salt_size, - test.info, test.info_size))); + approved, ASSERT_TRUE(HKDF(output, test.output_len, test.func(), test.ikm, + test.ikm_size, test.salt, test.salt_size, + test.info, test.info_size))); EXPECT_EQ(Bytes(test.expected_output, test.output_len), Bytes(output, test.output_len)); EXPECT_EQ(approved, test.expect_approved); } -class EVP_HKDF_ServiceIndicatorTest : public TestWithNoErrors {}; +class EVP_HKDF_ServiceIndicatorTest : public TestWithNoErrors { +}; INSTANTIATE_TEST_SUITE_P(All, EVP_HKDF_ServiceIndicatorTest, testing::ValuesIn(kHKDFTestVectors)); 
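Review bot: In `HKDFTest` the output buffer is sized by `sizeof(kHKDF_okm_tc2_sha256)` and the only thing keeping `HKDF(output, test.output_len, ...)` in bounds is the comment "largest test output size"; nothing checks `test.output_len` against the buffer, so a future vector with a longer OKM would turn this test into a stack overflow rather than a failure. A one-line guard before the `CALL_SERVICE_AND_CHECK_APPROVED(` call makes the assumption enforced instead of asserted in prose: `ASSERT_LE(test.output_len, sizeof(output));`. The same `uint8_t output[sizeof(kHKDF_okm_tc2_sha256)]` pattern appears in the two EVP-based HKDF tests below and would benefit from the same check.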
@@ -2049,22 +2154,22 @@ TEST_P(EVP_HKDF_ServiceIndicatorTest, EVP_HKDFTest) { FIPSStatus approved = AWSLC_NOT_APPROVED; - uint8_t output[sizeof(kHKDF_okm_tc2_sha256)]; // largest test output size + uint8_t output[sizeof(kHKDF_okm_tc2_sha256)]; // largest test output size EVP_PKEY_CTX *pctx; size_t outlen = test.output_len; pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); EXPECT_NE(pctx, nullptr); EXPECT_TRUE(EVP_PKEY_derive_init(pctx)); - EXPECT_TRUE(EVP_PKEY_CTX_hkdf_mode(pctx, - EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND)); + EXPECT_TRUE( + EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND)); EXPECT_TRUE(EVP_PKEY_CTX_set_hkdf_md(pctx, test.func())); EXPECT_TRUE(EVP_PKEY_CTX_set1_hkdf_key(pctx, test.ikm, test.ikm_size)); EXPECT_TRUE(EVP_PKEY_CTX_set1_hkdf_salt(pctx, test.salt, test.salt_size)); EXPECT_TRUE(EVP_PKEY_CTX_add1_hkdf_info(pctx, test.info, test.info_size)); CALL_SERVICE_AND_CHECK_APPROVED( - approved, ASSERT_TRUE(EVP_PKEY_derive(pctx, output, &outlen))); + approved, ASSERT_TRUE(EVP_PKEY_derive(pctx, output, &outlen))); EXPECT_EQ(outlen, test.output_len); EXPECT_EQ(Bytes(test.expected_output, test.output_len), Bytes(output, test.output_len)); 
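Review bot: `EXPECT_NE(pctx, nullptr)` does not stop the test, so if `EVP_PKEY_CTX_new_id` fails the very next lines hand a null context to `EVP_PKEY_derive_init` and the `EVP_PKEY_CTX_*` setters; whether those tolerate NULL is not visible here, and a failed allocation should end the test case rather than cascade into secondary failures. Changing it to `ASSERT_NE(pctx, nullptr);` gives a single clear failure at the point of the problem. The rest of `EVP_HKDFTest` (including whatever frees `pctx`) continues past the end of this hunk.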
@@ -2086,15 +2191,14 @@ TEST(EVP_HKDF_ServiceIndicatorTest, EVP_HKDF_Extract) { pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); EXPECT_NE(pctx, nullptr); EXPECT_TRUE(EVP_PKEY_derive_init(pctx)); - EXPECT_TRUE(EVP_PKEY_CTX_hkdf_mode(pctx, - EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY)); + EXPECT_TRUE(EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY)); EXPECT_TRUE(EVP_PKEY_CTX_set_hkdf_md(pctx, test.func())); EXPECT_TRUE(EVP_PKEY_CTX_set1_hkdf_key(pctx, test.ikm, test.ikm_size)); EXPECT_TRUE(EVP_PKEY_CTX_set1_hkdf_salt(pctx, test.salt, test.salt_size)); EXPECT_TRUE(EVP_PKEY_CTX_add1_hkdf_info(pctx, test.info, test.info_size)); CALL_SERVICE_AND_CHECK_APPROVED( - approved, ASSERT_TRUE(EVP_PKEY_derive(pctx, output, &outlen))); + approved, ASSERT_TRUE(EVP_PKEY_derive(pctx, output, &outlen))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); if (pctx != NULL) { 
@@ -2105,50 +2209,52 @@ TEST(EVP_HKDF_ServiceIndicatorTest, EVP_HKDF_Extract) { // Test only HKDF's Expand phase, which is approved as a "KBKDF in Feedback // Mode" per NIST SP800-108r1. TEST(EVP_HKDF_ServiceIndicatorTest, EVP_HKDF_Expand) { - const HKDFTestVector &test = kHKDFTestVectors[EVP_HKDF_TEST_EXTRACT_EXPAND]; - FIPSStatus approved = AWSLC_NOT_APPROVED; - uint8_t output[sizeof(kHKDF_okm_tc2_sha256)]; // largest test output size - EVP_PKEY_CTX *pctx; - size_t outlen = test.output_len; - - // Positive test; HKDF_Expand() with an allowed hash (SHA256) is approved. - pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); - EXPECT_NE(pctx, nullptr); - EXPECT_TRUE(EVP_PKEY_derive_init(pctx)); - EXPECT_TRUE(EVP_PKEY_CTX_hkdf_mode(pctx, - EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)); - EXPECT_TRUE(EVP_PKEY_CTX_set_hkdf_md(pctx, test.func())); - EXPECT_TRUE(EVP_PKEY_CTX_set1_hkdf_key(pctx, test.ikm, test.ikm_size)); - EXPECT_TRUE(EVP_PKEY_CTX_set1_hkdf_salt(pctx, test.salt, test.salt_size)); - EXPECT_TRUE(EVP_PKEY_CTX_add1_hkdf_info(pctx, test.info, test.info_size)); + const HKDFTestVector &test = kHKDFTestVectors[EVP_HKDF_TEST_EXTRACT_EXPAND]; + FIPSStatus approved = AWSLC_NOT_APPROVED; + uint8_t output[sizeof(kHKDF_okm_tc2_sha256)]; // largest test output size + EVP_PKEY_CTX *pctx; + size_t outlen = test.output_len; - CALL_SERVICE_AND_CHECK_APPROVED( - approved, ASSERT_TRUE(EVP_PKEY_derive(pctx, output, &outlen))); - EXPECT_EQ(approved, AWSLC_APPROVED); + // Positive test; HKDF_Expand() with an allowed hash (SHA256) is approved. 
+ pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); + EXPECT_NE(pctx, nullptr); + EXPECT_TRUE(EVP_PKEY_derive_init(pctx)); + EXPECT_TRUE(EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)); + EXPECT_TRUE(EVP_PKEY_CTX_set_hkdf_md(pctx, test.func())); + EXPECT_TRUE(EVP_PKEY_CTX_set1_hkdf_key(pctx, test.ikm, test.ikm_size)); + EXPECT_TRUE(EVP_PKEY_CTX_set1_hkdf_salt(pctx, test.salt, test.salt_size)); + EXPECT_TRUE(EVP_PKEY_CTX_add1_hkdf_info(pctx, test.info, test.info_size)); - if (pctx != NULL) { - EVP_PKEY_CTX_free(pctx); - } + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_PKEY_derive(pctx, output, &outlen))); + EXPECT_EQ(approved, AWSLC_APPROVED); - // Negative test; HKDF_Expand() with a disallowed hash (MD5). - const HKDFTestVector &bad_test = kHKDFTestVectors[EVP_HKDF_TEST_EXTRACT_EXPAND_FAIL]; - pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); - EXPECT_NE(pctx, nullptr); - EXPECT_TRUE(EVP_PKEY_derive_init(pctx)); - EXPECT_TRUE(EVP_PKEY_CTX_hkdf_mode(pctx, - EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)); - EXPECT_TRUE(EVP_PKEY_CTX_set_hkdf_md(pctx, bad_test.func())); - EXPECT_TRUE(EVP_PKEY_CTX_set1_hkdf_key(pctx, bad_test.ikm, bad_test.ikm_size)); - EXPECT_TRUE(EVP_PKEY_CTX_set1_hkdf_salt(pctx, bad_test.salt, bad_test.salt_size)); - EXPECT_TRUE(EVP_PKEY_CTX_add1_hkdf_info(pctx, bad_test.info, bad_test.info_size)); + if (pctx != NULL) { + EVP_PKEY_CTX_free(pctx); + } - CALL_SERVICE_AND_CHECK_APPROVED( - approved, ASSERT_TRUE(EVP_PKEY_derive(pctx, output, &outlen))); - EXPECT_EQ(approved, AWSLC_NOT_APPROVED); + // Negative test; HKDF_Expand() with a disallowed hash (MD5). 
+ const HKDFTestVector &bad_test = + kHKDFTestVectors[EVP_HKDF_TEST_EXTRACT_EXPAND_FAIL]; + pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); + EXPECT_NE(pctx, nullptr); + EXPECT_TRUE(EVP_PKEY_derive_init(pctx)); + EXPECT_TRUE(EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)); + EXPECT_TRUE(EVP_PKEY_CTX_set_hkdf_md(pctx, bad_test.func())); + EXPECT_TRUE( + EVP_PKEY_CTX_set1_hkdf_key(pctx, bad_test.ikm, bad_test.ikm_size)); + EXPECT_TRUE( + EVP_PKEY_CTX_set1_hkdf_salt(pctx, bad_test.salt, bad_test.salt_size)); + EXPECT_TRUE( + EVP_PKEY_CTX_add1_hkdf_info(pctx, bad_test.info, bad_test.info_size)); - if (pctx != NULL) { - EVP_PKEY_CTX_free(pctx); - } + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_PKEY_derive(pctx, output, &outlen))); + EXPECT_EQ(approved, AWSLC_NOT_APPROVED); + + if (pctx != NULL) { + EVP_PKEY_CTX_free(pctx); + } } // RSA tests are not parameterized with the |kRSATestVectors| as key @@ -2158,12 +2264,14 @@ TEST(ServiceIndicatorTest, RSAKeyGen) { bssl::UniquePtr rsa(RSA_new()); ASSERT_TRUE(rsa); - // |RSA_generate_key_fips| may only be used for bits >= 2048 && bits % 128 == 0 + // |RSA_generate_key_fips| may only be used for bits >= 2048 && bits % 128 == + // 0 for (const size_t bits : {512, 1024, 2520, 3071}) { SCOPED_TRACE(bits); rsa.reset(RSA_new()); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, EXPECT_FALSE(RSA_generate_key_fips(rsa.get(), bits, nullptr))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); } @@ -2174,8 +2282,8 @@ TEST(ServiceIndicatorTest, RSAKeyGen) { SCOPED_TRACE(bits); rsa.reset(RSA_new()); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - EXPECT_TRUE( RSA_generate_key_fips(rsa.get(), bits, nullptr))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, EXPECT_TRUE(RSA_generate_key_fips(rsa.get(), bits, nullptr))); EXPECT_EQ(approved, AWSLC_APPROVED); EXPECT_EQ(bits, RSA_bits(rsa.get())); } 
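Review bot: `EVP_HKDF_Expand` holds the context as a raw `EVP_PKEY_CTX *pctx` and frees it by hand, so any `ASSERT_TRUE` that fails inside `CALL_SERVICE_AND_CHECK_APPROVED` returns from the test before `EVP_PKEY_CTX_free` runs and leaks the context, and the `if (pctx != NULL)` guards only add noise. Elsewhere in this file the idiom is `bssl::UniquePtr` (see the `rsa` handle in `RSAKeyGen`), and applying it here removes both problems: `bssl::UniquePtr<EVP_PKEY_CTX> pctx(EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL));` followed by `ASSERT_TRUE(pctx);`, with the setters and `EVP_PKEY_derive` taking `pctx.get()`. The negative-test context can then simply be a second `UniquePtr` instead of reusing the raw pointer after a manual free.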
@@ -2234,157 +2342,157 @@ struct RSATestVector { }; struct RSATestVector kRSATestVectors[] = { // RSA test cases that are not approved in any case. - { 512, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED }, + {512, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED}, // PSS with hashLen == saltLen is not possible for 512-bit modulus. - { 1024, &EVP_md5, false, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED }, - { 1536, &EVP_sha256, false, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED }, - { 1536, &EVP_sha512, true, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED }, - { 2048, &EVP_md5, false, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED }, - { 4096, &EVP_md5, false, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED }, + {1024, &EVP_md5, false, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED}, + {1536, &EVP_sha256, false, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED}, + {1536, &EVP_sha512, true, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED}, + {2048, &EVP_md5, false, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED}, + {4096, &EVP_md5, false, AWSLC_NOT_APPROVED, AWSLC_NOT_APPROVED}, // RSA test cases that are approved. 
- { 1024, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha224, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha256, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha384, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha512, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha512_224, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha512_256, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha3_224, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha3_256, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha3_384, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - - { 1024, &EVP_sha1, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha224, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha256, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha384, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha512_224, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha512_256, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha3_224, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha3_256, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 1024, &EVP_sha3_384, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, + {1024, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha224, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha256, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha384, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha512, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha512_224, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha512_256, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha3_224, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha3_256, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha3_384, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + + {1024, 
&EVP_sha1, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha224, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha256, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha384, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha512_224, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha512_256, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha3_224, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha3_256, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {1024, &EVP_sha3_384, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, // PSS with hashLen == saltLen is not possible for 1024-bit modulus and // SHA-512. This means we can't test it here because the API won't work. - { 2048, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha384, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha512, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha512_224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha512_256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha3_224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha3_256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha3_384, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha3_512, false, AWSLC_APPROVED, AWSLC_APPROVED }, - - { 2048, &EVP_sha1, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha384, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha512, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha512_224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha512_256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha3_224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha3_256, 
true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha3_384, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 2048, &EVP_sha3_512, true, AWSLC_APPROVED, AWSLC_APPROVED }, - - { 3072, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha384, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha512, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha512_224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha512_256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha3_224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha3_256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha3_384, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha3_512, false, AWSLC_APPROVED, AWSLC_APPROVED }, - - { 3072, &EVP_sha1, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha384, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha512, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha512_224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha512_256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha3_224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha3_256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha3_384, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 3072, &EVP_sha3_512, true, AWSLC_APPROVED, AWSLC_APPROVED }, - - { 4096, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha384, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha512, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha512_224, false, AWSLC_APPROVED, AWSLC_APPROVED }, 
- { 4096, &EVP_sha512_256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha3_224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha3_256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha3_384, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha3_512, false, AWSLC_APPROVED, AWSLC_APPROVED }, - - { 4096, &EVP_sha1, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha384, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha512, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha512_224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha512_256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha3_224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha3_256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha3_384, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 4096, &EVP_sha3_512, true, AWSLC_APPROVED, AWSLC_APPROVED }, - - { 6144, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha384, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha512, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha512_224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha512_256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha3_224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha3_256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha3_384, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha3_512, false, AWSLC_APPROVED, AWSLC_APPROVED }, - - { 6144, &EVP_sha1, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha384, true, 
AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha512, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha512_224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha512_256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha3_224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha3_256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha3_384, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 6144, &EVP_sha3_512, true, AWSLC_APPROVED, AWSLC_APPROVED }, - - { 8192, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha384, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha512, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha512_224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha512_256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha3_224, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha3_256, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha3_384, false, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha3_512, false, AWSLC_APPROVED, AWSLC_APPROVED }, - - { 8192, &EVP_sha1, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha384, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha512, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha512_224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha512_256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha3_224, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha3_256, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha3_384, true, AWSLC_APPROVED, AWSLC_APPROVED }, - { 8192, &EVP_sha3_512, true, AWSLC_APPROVED, AWSLC_APPROVED }, + {2048, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + 
{2048, &EVP_sha224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha384, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha512, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha512_224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha512_256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha3_224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha3_256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha3_384, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha3_512, false, AWSLC_APPROVED, AWSLC_APPROVED}, + + {2048, &EVP_sha1, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha384, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha512, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha512_224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha512_256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha3_224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha3_256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha3_384, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {2048, &EVP_sha3_512, true, AWSLC_APPROVED, AWSLC_APPROVED}, + + {3072, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha384, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha512, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha512_224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha512_256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha3_224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha3_256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha3_384, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha3_512, false, 
AWSLC_APPROVED, AWSLC_APPROVED}, + + {3072, &EVP_sha1, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha384, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha512, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha512_224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha512_256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha3_224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha3_256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha3_384, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {3072, &EVP_sha3_512, true, AWSLC_APPROVED, AWSLC_APPROVED}, + + {4096, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha384, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha512, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha512_224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha512_256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha3_224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha3_256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha3_384, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha3_512, false, AWSLC_APPROVED, AWSLC_APPROVED}, + + {4096, &EVP_sha1, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha384, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha512, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha512_224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha512_256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha3_224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha3_256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, 
&EVP_sha3_384, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {4096, &EVP_sha3_512, true, AWSLC_APPROVED, AWSLC_APPROVED}, + + {6144, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha384, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha512, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha512_224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha512_256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha3_224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha3_256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha3_384, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha3_512, false, AWSLC_APPROVED, AWSLC_APPROVED}, + + {6144, &EVP_sha1, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha384, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha512, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha512_224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha512_256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha3_224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha3_256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha3_384, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {6144, &EVP_sha3_512, true, AWSLC_APPROVED, AWSLC_APPROVED}, + + {8192, &EVP_sha1, false, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha384, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha512, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha512_224, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha512_256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha3_224, false, 
AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha3_256, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha3_384, false, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha3_512, false, AWSLC_APPROVED, AWSLC_APPROVED}, + + {8192, &EVP_sha1, true, AWSLC_NOT_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha384, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha512, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha512_224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha512_256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha3_224, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha3_256, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha3_384, true, AWSLC_APPROVED, AWSLC_APPROVED}, + {8192, &EVP_sha3_512, true, AWSLC_APPROVED, AWSLC_APPROVED}, }; class RSAServiceIndicatorTest : public TestWithNoErrors {}; @@ -2442,12 +2550,12 @@ TEST_P(RSAServiceIndicatorTest, RSASigGen) { bssl::UniquePtr pkey(EVP_PKEY_new()); ASSERT_TRUE(pkey); RSA *rsa = nullptr; - if(test.use_pss) { + if (test.use_pss) { AssignRSAPSSKey(pkey.get(), test.key_size); } else { rsa = GetRSAKey(test.key_size); ASSERT_TRUE(EVP_PKEY_set1_RSA(pkey.get(), rsa)); - } + } // Test running the EVP_DigestSign interfaces one by one directly, and check // |EVP_DigestSignFinal| for approval at the end. |EVP_DigestSignInit|, and 
@@ -2457,12 +2565,13 @@ TEST_P(RSAServiceIndicatorTest, RSASigGen) { bssl::ScopedEVP_MD_CTX md_ctx; EVP_PKEY_CTX *pctx = nullptr; size_t sig_len; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pctx, test.func(), - nullptr, pkey.get()))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pctx, test.func(), + nullptr, pkey.get()))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); if (test.use_pss) { - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); CALL_SERVICE_AND_CHECK_APPROVED( @@ -2477,8 +2586,8 @@ TEST_P(RSAServiceIndicatorTest, RSASigGen) { // |EVP_DigestSignFinal| should not return an approval check because no crypto // is being done when |nullptr| is inputted in the |*out_sig| field. CALL_SERVICE_AND_CHECK_APPROVED( - approved, ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), nullptr, - &sig_len))); + approved, + ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), nullptr, &sig_len))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); std::vector signature(sig_len); // The second call performs the actual operation. @@ -2512,7 +2621,8 @@ TEST_P(RSAServiceIndicatorTest, RSASigGen) { EXPECT_EQ(approved, AWSLC_NOT_APPROVED); // Now test using the one-shot |EVP_DigestSign| function for approval. - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), oneshot_output.data(), &sig_len, kPlaintext, sizeof(kPlaintext)))); EXPECT_EQ(approved, test.sig_gen_expect_approved); 
@@ -2525,7 +2635,8 @@ TEST_P(RSAServiceIndicatorTest, RSASigGen) { pkey.get())); ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)); ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 10)); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), oneshot_output.data(), &sig_len, kPlaintext, sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); @@ -2539,12 +2650,12 @@ TEST_P(RSAServiceIndicatorTest, RSASigVer) { ASSERT_TRUE(pkey); RSA *rsa = nullptr; - if(test.use_pss) { + if (test.use_pss) { AssignRSAPSSKey(pkey.get(), test.key_size); } else { rsa = GetRSAKey(test.key_size); ASSERT_TRUE(EVP_PKEY_set1_RSA(pkey.get(), rsa)); - } + } std::vector signature; size_t sig_len; 
@@ -2570,41 +2681,43 @@ TEST_P(RSAServiceIndicatorTest, RSASigVer) { // indicate an entire service has been done. FIPSStatus approved = AWSLC_NOT_APPROVED; md_ctx.Reset(); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx.get(), &pctx, test.func(), - nullptr, pkey.get()))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestVerifyInit( + md_ctx.get(), &pctx, test.func(), nullptr, pkey.get()))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); if (test.use_pss) { - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)); } - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestVerifyUpdate(md_ctx.get(), kPlaintext, - sizeof(kPlaintext)))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestVerifyUpdate(md_ctx.get(), kPlaintext, + sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestVerifyFinal(md_ctx.get(), signature.data(), - signature.size()))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestVerifyFinal( + md_ctx.get(), signature.data(), signature.size()))); EXPECT_EQ(approved, test.sig_ver_expect_approved); // Test using the one-shot |EVP_DigestVerify| function for approval. 
md_ctx.Reset(); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx.get(), &pctx, test.func(), - nullptr, pkey.get()))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestVerifyInit( + md_ctx.get(), &pctx, test.func(), nullptr, pkey.get()))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); if (test.use_pss) { - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)); } - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestVerify(md_ctx.get(), signature.data(), - signature.size(), kPlaintext, - sizeof(kPlaintext)))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestVerify(md_ctx.get(), signature.data(), + signature.size(), kPlaintext, + sizeof(kPlaintext)))); EXPECT_EQ(approved, test.sig_ver_expect_approved); } @@ -2620,12 +2733,12 @@ TEST_P(RSAServiceIndicatorTest, ManualRSASignVerify) { ASSERT_TRUE(pkey); RSA *rsa = nullptr; - if(test.use_pss) { + if (test.use_pss) { AssignRSAPSSKey(pkey.get(), test.key_size); } else { rsa = GetRSAKey(test.key_size); ASSERT_TRUE(EVP_PKEY_set1_RSA(pkey.get(), rsa)); - } + } bssl::ScopedEVP_MD_CTX ctx; ASSERT_TRUE(EVP_DigestInit(ctx.get(), test.func())); 
@@ -2636,21 +2749,21 @@ TEST_P(RSAServiceIndicatorTest, ManualRSASignVerify) { ASSERT_TRUE(EVP_PKEY_sign_init(pctx.get())); ASSERT_TRUE(EVP_PKEY_CTX_set_signature_md(pctx.get(), test.func())); if (test.use_pss) { - ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pctx.get(), - RSA_PKCS1_PSS_PADDING)); + ASSERT_TRUE( + EVP_PKEY_CTX_set_rsa_padding(pctx.get(), RSA_PKCS1_PSS_PADDING)); ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx.get(), -1)); } EVP_MD_CTX_set_pkey_ctx(ctx.get(), pctx.get()); // Determine the size of the signature. size_t sig_len = 0; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestSignFinal(ctx.get(), nullptr, &sig_len))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSignFinal(ctx.get(), nullptr, &sig_len))); ASSERT_EQ(approved, AWSLC_NOT_APPROVED); std::vector sig; sig.resize(sig_len); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - EVP_DigestSignFinal(ctx.get(), sig.data(), &sig_len)); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, EVP_DigestSignFinal(ctx.get(), sig.data(), &sig_len)); ASSERT_EQ(approved, test.sig_gen_expect_approved); sig.resize(sig_len); @@ -2659,8 +2772,8 @@ TEST_P(RSAServiceIndicatorTest, ManualRSASignVerify) { ASSERT_TRUE(EVP_PKEY_CTX_set_signature_md(pctx.get(), test.func())); EVP_MD_CTX_set_pkey_ctx(ctx.get(), pctx.get()); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - EVP_DigestVerifyFinal(ctx.get(), sig.data(), sig_len)); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, EVP_DigestVerifyFinal(ctx.get(), sig.data(), sig_len)); ASSERT_EQ(approved, test.sig_ver_expect_approved); } @@ -2671,7 +2784,7 @@ static int custom_sign(int max_out, const uint8_t *in, uint8_t *out, RSA *rsa, static int custom_finish(RSA *rsa) { const RSA_METHOD *meth = RSA_get_method(rsa); - RSA_meth_free((RSA_METHOD *) meth); + RSA_meth_free((RSA_METHOD *)meth); return 1; } 
@@ -2684,7 +2797,7 @@ TEST_P(RSAServiceIndicatorTest, RSAMethod) { ASSERT_TRUE(pkey); RSA *rsa = nullptr; - if(test.use_pss) { + if (test.use_pss) { AssignRSAPSSKey(pkey.get(), test.key_size); } else { rsa = GetRSAKey(test.key_size); @@ -2708,22 +2821,22 @@ TEST_P(RSAServiceIndicatorTest, RSAMethod) { ASSERT_TRUE(EVP_PKEY_sign_init(pctx.get())); ASSERT_TRUE(EVP_PKEY_CTX_set_signature_md(pctx.get(), test.func())); if (test.use_pss) { - ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pctx.get(), - RSA_PKCS1_PSS_PADDING)); + ASSERT_TRUE( + EVP_PKEY_CTX_set_rsa_padding(pctx.get(), RSA_PKCS1_PSS_PADDING)); ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx.get(), -1)); } EVP_MD_CTX_set_pkey_ctx(ctx.get(), pctx.get()); // Determine the size of the signature. size_t sig_len = 0; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestSignFinal(ctx.get(), nullptr, &sig_len))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSignFinal(ctx.get(), nullptr, &sig_len))); ASSERT_EQ(approved, AWSLC_NOT_APPROVED); std::vector sig; sig.resize(sig_len); // Custom sign will be called, never approved - CALL_SERVICE_AND_CHECK_APPROVED(approved, - EVP_DigestSignFinal(ctx.get(), sig.data(), &sig_len)); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, EVP_DigestSignFinal(ctx.get(), sig.data(), &sig_len)); ASSERT_EQ(approved, AWSLC_NOT_APPROVED); sig.resize(sig_len); @@ -2905,8 +3018,8 @@ TEST_P(ECDSAServiceIndicatorTest, ECDSAKeyCheck) { ASSERT_TRUE(ctx); ASSERT_TRUE(EVP_PKEY_keygen_init(ctx.get())); ASSERT_TRUE(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx.get(), test.nid)); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_PKEY_keygen(ctx.get(), &raw))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_PKEY_keygen(ctx.get(), &raw))); EXPECT_EQ(approved, test.key_check_expect_approved); EVP_PKEY_free(raw); 
@@ -2937,38 +3050,39 @@ TEST_P(ECDSAServiceIndicatorTest, ECDSASigGen) { // |EVP_DigestSignUpdate| should not be approved because they do not indicate // an entire service has been done. CALL_SERVICE_AND_CHECK_APPROVED( - approved, ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), nullptr, - test.func(), nullptr, - pkey.get()))); + approved, ASSERT_TRUE(EVP_DigestSignInit( + md_ctx.get(), nullptr, test.func(), nullptr, pkey.get()))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestSignUpdate(md_ctx.get(), kPlaintext, - sizeof(kPlaintext)))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSignUpdate(md_ctx.get(), kPlaintext, + sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); // Determine the size of the signature. The first call of // |EVP_DigestSignFinal| should not return an approval check because no crypto // is being done when |nullptr| is given as the |out_sig| field. size_t max_sig_len; - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), nullptr, &max_sig_len))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); std::vector signature(max_sig_len); // The second call performs the actual operation. size_t sig_len = max_sig_len; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), signature.data(), - &sig_len))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), signature.data(), + &sig_len))); ASSERT_LE(sig_len, signature.size()); EXPECT_EQ(approved, test.sig_gen_expect_approved); // Test using the one-shot |EVP_DigestSign| function for approval. 
md_ctx.Reset(); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), nullptr, test.func(), - nullptr, pkey.get()))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSignInit( + md_ctx.get(), nullptr, test.func(), nullptr, pkey.get()))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); sig_len = max_sig_len; - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), signature.data(), &sig_len, kPlaintext, sizeof(kPlaintext)))); ASSERT_LE(sig_len, signature.size()); 
@@ -3010,29 +3124,29 @@ TEST_P(ECDSAServiceIndicatorTest, ECDSASigVer) { // |EVP_DigestVerifyUpdate| should not be approved because they do not // indicate an entire service has been done. md_ctx.Reset(); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx.get(), nullptr, test.func(), - nullptr, pkey.get()))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestVerifyInit( + md_ctx.get(), nullptr, test.func(), nullptr, pkey.get()))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestVerifyUpdate(md_ctx.get(), kPlaintext, - sizeof(kPlaintext)))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestVerifyUpdate(md_ctx.get(), kPlaintext, + sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestVerifyFinal(md_ctx.get(), signature.data(), - signature.size()))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestVerifyFinal( + md_ctx.get(), signature.data(), signature.size()))); EXPECT_EQ(approved, test.sig_ver_expect_approved); // Test using the one-shot |EVP_DigestVerify| function for approval. md_ctx.Reset(); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestVerifyInit(md_ctx.get(), nullptr, test.func(), - nullptr, pkey.get()))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestVerifyInit( + md_ctx.get(), nullptr, test.func(), nullptr, pkey.get()))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestVerify(md_ctx.get(), signature.data(), - signature.size(), kPlaintext, - sizeof(kPlaintext)))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestVerify(md_ctx.get(), signature.data(), + signature.size(), kPlaintext, + sizeof(kPlaintext)))); EXPECT_EQ(approved, test.sig_ver_expect_approved); } 
@@ -3065,13 +3179,14 @@ TEST_P(ECDSAServiceIndicatorTest, ManualECDSASignVerify) { EVP_MD_CTX_set_pkey_ctx(ctx.get(), pctx.get()); // Determine the size of the signature. size_t sig_len = 0; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestSignFinal(ctx.get(), nullptr, &sig_len))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSignFinal(ctx.get(), nullptr, &sig_len))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); std::vector sig; sig.resize(sig_len); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSignFinal(ctx.get(), sig.data(), &sig_len))); EXPECT_EQ(approved, test.sig_gen_expect_approved); sig.resize(sig_len); @@ -3081,7 +3196,8 @@ TEST_P(ECDSAServiceIndicatorTest, ManualECDSASignVerify) { ASSERT_TRUE(EVP_PKEY_CTX_set_signature_md(pctx.get(), test.func())); EVP_MD_CTX_set_pkey_ctx(ctx.get(), pctx.get()); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestVerifyFinal(ctx.get(), sig.data(), sig_len))); EXPECT_EQ(approved, test.sig_ver_expect_approved); } @@ -3089,7 +3205,6 @@ TEST_P(ECDSAServiceIndicatorTest, ManualECDSASignVerify) { static int ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec) { - ECDSA_SIG *ret = ECDSA_do_sign(dgst, dgstlen, ec); if (!ret) { *siglen = 0; @@ -3099,8 +3214,7 @@ static int ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, CBB cbb; CBB_init_fixed(&cbb, sig, ECDSA_size(ec)); size_t len; - if (!ECDSA_SIG_marshal(&cbb, ret) || - !CBB_finish(&cbb, nullptr, &len)) { + if (!ECDSA_SIG_marshal(&cbb, ret) || !CBB_finish(&cbb, nullptr, &len)) { ECDSA_SIG_free(ret); OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR); *siglen = 0; 
@@ -3110,16 +3224,15 @@ static int ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, *siglen = (unsigned)len; // To track whether custom implementation was called - EC_KEY_set_ex_data(ec, 0, (void*)"ecdsa_sign"); + EC_KEY_set_ex_data(ec, 0, (void *)"ecdsa_sign"); ECDSA_SIG_free(ret); return 1; } -static void ecdsa_finish(EC_KEY *ec) -{ +static void ecdsa_finish(EC_KEY *ec) { const EC_KEY_METHOD *ec_meth = EC_KEY_get_method(ec); - EC_KEY_METHOD_free((EC_KEY_METHOD *) ec_meth); + EC_KEY_METHOD_free((EC_KEY_METHOD *)ec_meth); } TEST_P(ECDSAServiceIndicatorTest, ECKeyMethod) { 
@@ -3151,33 +3264,30 @@ TEST_P(ECDSAServiceIndicatorTest, ECKeyMethod) { // |EVP_DigestSignUpdate| should not be approved because they do not indicate // an entire service has been done. CALL_SERVICE_AND_CHECK_APPROVED( - approved, ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), nullptr, - test.func(), nullptr, - pkey.get()))); + approved, ASSERT_TRUE(EVP_DigestSignInit( + md_ctx.get(), nullptr, test.func(), nullptr, pkey.get()))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestSignUpdate(md_ctx.get(), - kPlaintext, - sizeof(kPlaintext)))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSignUpdate(md_ctx.get(), kPlaintext, + sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); // Determine the size of the signature. The first call of // |EVP_DigestSignFinal| should not return an approval check because no crypto // is being done when |nullptr| is given as the |out_sig| field. size_t max_sig_len; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), - nullptr, - &max_sig_len))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), nullptr, &max_sig_len))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); std::vector signature(max_sig_len); // The second call performs the actual operation and should not return an // approval because custom sign functionality is defined. size_t sig_len = max_sig_len; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), - signature.data(), - &sig_len))); - ASSERT_STREQ(static_cast(EC_KEY_get_ex_data(eckey.get(), 0)), "ecdsa_sign"); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSignFinal(md_ctx.get(), signature.data(), + &sig_len))); + ASSERT_STREQ(static_cast(EC_KEY_get_ex_data(eckey.get(), 0)), + "ecdsa_sign"); ASSERT_LE(sig_len, signature.size()); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); 
@@ -3185,24 +3295,21 @@ TEST_P(ECDSAServiceIndicatorTest, ECKeyMethod) { // Test using the one-shot |EVP_DigestSign| function for approval. It should // not return an approval because custom sign functionality is defined. md_ctx.Reset(); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), - nullptr, - test.func(), - nullptr, - pkey.get()))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_DigestSignInit( + md_ctx.get(), nullptr, test.func(), nullptr, pkey.get()))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); sig_len = max_sig_len; - EC_KEY_set_ex_data(eckey.get(), 0, (void*) ""); - ASSERT_STREQ(static_cast(EC_KEY_get_ex_data(eckey.get(), 0)), ""); + EC_KEY_set_ex_data(eckey.get(), 0, (void *)""); + ASSERT_STREQ(static_cast(EC_KEY_get_ex_data(eckey.get(), 0)), + ""); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), - signature.data(), - &sig_len, - kPlaintext, - sizeof(kPlaintext)))); - ASSERT_STREQ(static_cast(EC_KEY_get_ex_data(eckey.get(), 0)), "ecdsa_sign"); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), signature.data(), &sig_len, + kPlaintext, sizeof(kPlaintext)))); + ASSERT_STREQ(static_cast(EC_KEY_get_ex_data(eckey.get(), 0)), + "ecdsa_sign"); ASSERT_LE(sig_len, signature.size()); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); 
@@ -3221,30 +3328,30 @@ static const struct ECDHTestVector kECDHTestVectors[] = {
 // |EC_GROUP_new_by_curve_name|.
 // |ECDH_compute_key_fips| fails directly when an invalid hash length is
 // inputted.
- { NID_secp224r1, SHA224_DIGEST_LENGTH, AWSLC_APPROVED },
- { NID_secp224r1, SHA256_DIGEST_LENGTH, AWSLC_APPROVED },
- { NID_secp224r1, SHA384_DIGEST_LENGTH, AWSLC_APPROVED },
- { NID_secp224r1, SHA512_DIGEST_LENGTH, AWSLC_APPROVED },
-
- { NID_X9_62_prime256v1, SHA224_DIGEST_LENGTH, AWSLC_APPROVED },
- { NID_X9_62_prime256v1, SHA256_DIGEST_LENGTH, AWSLC_APPROVED },
- { NID_X9_62_prime256v1, SHA384_DIGEST_LENGTH, AWSLC_APPROVED },
- { NID_X9_62_prime256v1, SHA512_DIGEST_LENGTH, AWSLC_APPROVED },
-
- { NID_secp384r1, SHA224_DIGEST_LENGTH, AWSLC_APPROVED },
- { NID_secp384r1, SHA256_DIGEST_LENGTH, AWSLC_APPROVED },
- { NID_secp384r1, SHA384_DIGEST_LENGTH, AWSLC_APPROVED },
- { NID_secp384r1, SHA512_DIGEST_LENGTH, AWSLC_APPROVED },
-
- { NID_secp521r1, SHA224_DIGEST_LENGTH, AWSLC_APPROVED },
- { NID_secp521r1, SHA256_DIGEST_LENGTH, AWSLC_APPROVED },
- { NID_secp521r1, SHA384_DIGEST_LENGTH, AWSLC_APPROVED },
- { NID_secp521r1, SHA512_DIGEST_LENGTH, AWSLC_APPROVED },
-
- { NID_secp256k1, SHA224_DIGEST_LENGTH, AWSLC_NOT_APPROVED },
- { NID_secp256k1, SHA256_DIGEST_LENGTH, AWSLC_NOT_APPROVED },
- { NID_secp256k1, SHA384_DIGEST_LENGTH, AWSLC_NOT_APPROVED },
- { NID_secp256k1, SHA512_DIGEST_LENGTH, AWSLC_NOT_APPROVED },
+ {NID_secp224r1, SHA224_DIGEST_LENGTH, AWSLC_APPROVED},
+ {NID_secp224r1, SHA256_DIGEST_LENGTH, AWSLC_APPROVED},
+ {NID_secp224r1, SHA384_DIGEST_LENGTH, AWSLC_APPROVED},
+ {NID_secp224r1, SHA512_DIGEST_LENGTH, AWSLC_APPROVED},
+
+ {NID_X9_62_prime256v1, SHA224_DIGEST_LENGTH, AWSLC_APPROVED},
+ {NID_X9_62_prime256v1, SHA256_DIGEST_LENGTH, AWSLC_APPROVED},
+ {NID_X9_62_prime256v1, SHA384_DIGEST_LENGTH, AWSLC_APPROVED},
+ {NID_X9_62_prime256v1, SHA512_DIGEST_LENGTH, AWSLC_APPROVED},
+
+ {NID_secp384r1, SHA224_DIGEST_LENGTH, AWSLC_APPROVED},
+ {NID_secp384r1, SHA256_DIGEST_LENGTH, AWSLC_APPROVED},
+ {NID_secp384r1, SHA384_DIGEST_LENGTH, AWSLC_APPROVED},
+ {NID_secp384r1, SHA512_DIGEST_LENGTH, AWSLC_APPROVED},
+
+ {NID_secp521r1, SHA224_DIGEST_LENGTH, AWSLC_APPROVED},
+ {NID_secp521r1, SHA256_DIGEST_LENGTH, AWSLC_APPROVED},
+ {NID_secp521r1, SHA384_DIGEST_LENGTH, AWSLC_APPROVED},
+ {NID_secp521r1, SHA512_DIGEST_LENGTH, AWSLC_APPROVED},
+
+ {NID_secp256k1, SHA224_DIGEST_LENGTH, AWSLC_NOT_APPROVED},
+ {NID_secp256k1, SHA256_DIGEST_LENGTH, AWSLC_NOT_APPROVED},
+ {NID_secp256k1, SHA384_DIGEST_LENGTH, AWSLC_NOT_APPROVED},
+ {NID_secp256k1, SHA512_DIGEST_LENGTH, AWSLC_NOT_APPROVED},
 };
 
 class ECDH_ServiceIndicatorTest : public TestWithNoErrors {};
@@ -3279,10 +3386,10 @@ TEST_P(ECDH_ServiceIndicatorTest, ECDH) {
 // Test that |ECDH_compute_key_fips| has service indicator approval as
 // expected.
 std::vector digest(test.digest_length);
- CALL_SERVICE_AND_CHECK_APPROVED(approved,
- ASSERT_TRUE(ECDH_compute_key_fips(digest.data(), digest.size(),
- EC_KEY_get0_public_key(peer_key.get()),
- our_key.get())));
+ CALL_SERVICE_AND_CHECK_APPROVED(
+ approved, ASSERT_TRUE(ECDH_compute_key_fips(
+ digest.data(), digest.size(),
+ EC_KEY_get0_public_key(peer_key.get()), our_key.get())));
 EXPECT_EQ(approved, test.expect_approved);
 
 // Test running the EVP_PKEY_derive interfaces one by one directly, and check
@@ -3296,10 +3403,11 @@ TEST_P(ECDH_ServiceIndicatorTest, ECDH) { bssl::UniquePtr peer_pkey(EVP_PKEY_new()); ASSERT_TRUE(EVP_PKEY_set1_EC_KEY(peer_pkey.get(), peer_key.get())); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_PKEY_derive_init(our_ctx.get()))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_PKEY_derive_init(our_ctx.get()))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_PKEY_derive_set_peer(our_ctx.get(), peer_pkey.get()))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); // Determine the size of the output key. The first call of |EVP_PKEY_derive| @@ -3310,12 +3418,11 @@ TEST_P(ECDH_ServiceIndicatorTest, ECDH) { approved, ASSERT_TRUE(EVP_PKEY_derive(our_ctx.get(), nullptr, &out_len))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); std::vector derive_output(out_len); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_PKEY_derive(our_ctx.get(), derive_output.data(), - &out_len))); - EXPECT_EQ(approved, kEVPDeriveSetsServiceIndicator - ? test.expect_approved - : AWSLC_NOT_APPROVED); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(EVP_PKEY_derive(our_ctx.get(), derive_output.data(), + &out_len))); + EXPECT_EQ(approved, kEVPDeriveSetsServiceIndicator ? test.expect_approved + : AWSLC_NOT_APPROVED); } static const struct KDFTestVector { @@ -3346,8 +3453,7 @@ static const struct KDFTestVector { {EVP_sha512, kTLSLabel, sizeof(kTLSLabel), kTLSOutput1_sha512, AWSLC_NOT_APPROVED}, {EVP_sha512, extendedMasterSecretLabel, sizeof(extendedMasterSecretLabel), - kTLSOutput2_sha512, AWSLC_APPROVED} -}; + kTLSOutput2_sha512, AWSLC_APPROVED}}; class KDF_ServiceIndicatorTest : public TestWithNoErrors {}; 
@@ -3361,10 +3467,10 @@ TEST_P(KDF_ServiceIndicatorTest, TLSKDF) { uint8_t output[32]; CALL_SERVICE_AND_CHECK_APPROVED( - approved, ASSERT_TRUE(CRYPTO_tls1_prf(test.func(), output, sizeof(output), - kTLSSecret, sizeof(kTLSSecret), test.label, - test.label_len, kTLSSeed1, sizeof(kTLSSeed1), - kTLSSeed2, sizeof(kTLSSeed2)))); + approved, ASSERT_TRUE(CRYPTO_tls1_prf( + test.func(), output, sizeof(output), kTLSSecret, + sizeof(kTLSSecret), test.label, test.label_len, kTLSSeed1, + sizeof(kTLSSeed1), kTLSSeed2, sizeof(kTLSSeed2)))); EXPECT_EQ(Bytes(test.expected_output, sizeof(output)), Bytes(output, sizeof(output))); EXPECT_EQ(approved, test.expect_approved); 
@@ -3377,153 +3483,150 @@ TEST_P(KDF_ServiceIndicatorTest, TLSKDF) { // Set 2 - long password/salt; APPROVED for FIPS // Set 3 - Not included, it's another short password/salt test, to ensure the // password/salt are being handled as byte buffers rather than strings. -static const uint8_t kPBKDF2Password1[] = { - 'p', 'a', 's', 's', 'w', 'o', 'r', 'd' -}; +static const uint8_t kPBKDF2Password1[] = {'p', 'a', 's', 's', + 'w', 'o', 'r', 'd'}; static const uint8_t kPBKDF2Salt1[] = {'s', 'a', 'l', 't'}; static const uint8_t kPBKDF2Password2[] = { - 'p', 'a', 's', 's', 'w', 'o', 'r', 'd', 'P', 'A', 'S', 'S', 'W', 'O', 'R', - 'D', 'p', 'a', 's', 's', 'w', 'o', 'r', 'd' -}; + 'p', 'a', 's', 's', 'w', 'o', 'r', 'd', 'P', 'A', 'S', 'S', + 'W', 'O', 'R', 'D', 'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}; static const uint8_t kPBKDF2Salt2[] = { - 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', - 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', - 'L', 'T', 's', 'a', 'l', 't' -}; + 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', + 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', + 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't'}; static const uint8_t kPBKDF2DerivedKey1SHA1[] = { - 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71, 0xf3, 0xa9, 0xb5, 0x24, - 0xaf, 0x60, 0x12, 0x06, 0x2f, 0xe0, 0x37, 0xa6 // 20 bytes + 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71, 0xf3, 0xa9, + 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06, 0x2f, 0xe0, 0x37, 0xa6 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey2SHA1[] = { - 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c, 0xcd, 0x1e, 0xd9, 0x2a, - 0xce, 0x1d, 0x41, 0xf0, 0xd8, 0xde, 0x89, 0x57 // 20 bytes + 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c, 0xcd, 0x1e, + 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0, 0xd8, 0xde, 0x89, 0x57 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey3SHA1[] = { - 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a, 0xbe, 0xad, 0x49, 0xd9, - 0x26, 
0xf7, 0x21, 0xd0, 0x65, 0xa4, 0x29, 0xc1 // 20 bytes + 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a, 0xbe, 0xad, + 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0, 0x65, 0xa4, 0x29, 0xc1 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey4SHA1[] = { - 0xee, 0xfe, 0x3d, 0x61, 0xcd, 0x4d, 0xa4, 0xe4, 0xe9, 0x94, 0x5b, 0x3d, - 0x6b, 0xa2, 0x15, 0x8c, 0x26, 0x34, 0xe9, 0x84 // 20 bytes + 0xee, 0xfe, 0x3d, 0x61, 0xcd, 0x4d, 0xa4, 0xe4, 0xe9, 0x94, + 0x5b, 0x3d, 0x6b, 0xa2, 0x15, 0x8c, 0x26, 0x34, 0xe9, 0x84 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey5SHA1[] = { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b, 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a, 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70, - 0x38 // 25 bytes + 0x38 // 25 bytes }; static const uint8_t kPBKDF2DerivedKey6SHA1[] = { 0xac, 0xf8, 0xb4, 0x67, 0x41, 0xc7, 0xf3, 0xd1, 0xa0, 0xc0, 0x08, 0xbe, 0x9b, 0x23, 0x96, 0x78, 0xbd, 0x93, 0xda, 0x4a, 0x30, 0xd4, 0xfb, 0xf0, - 0x33 // 25 bytes + 0x33 // 25 bytes }; static const uint8_t kPBKDF2DerivedKey1SHA224[] = { - 0x3c, 0x19, 0x8c, 0xbd, 0xb9, 0x46, 0x4b, 0x78, 0x57, 0x96, 0x6b, 0xd0, - 0x5b, 0x7b, 0xc9, 0x2b, 0xc1, 0xcc, 0x4e, 0x6e // 20 bytes + 0x3c, 0x19, 0x8c, 0xbd, 0xb9, 0x46, 0x4b, 0x78, 0x57, 0x96, + 0x6b, 0xd0, 0x5b, 0x7b, 0xc9, 0x2b, 0xc1, 0xcc, 0x4e, 0x6e // 20 bytes }; static const uint8_t kPBKDF2DerivedKey2SHA224[] = { - 0x93, 0x20, 0x0f, 0xfa, 0x96, 0xc5, 0x77, 0x6d, 0x38, 0xfa, 0x10, 0xab, - 0xdf, 0x8f, 0x5b, 0xfc, 0x00, 0x54, 0xb9, 0x71 // 20 bytes + 0x93, 0x20, 0x0f, 0xfa, 0x96, 0xc5, 0x77, 0x6d, 0x38, 0xfa, + 0x10, 0xab, 0xdf, 0x8f, 0x5b, 0xfc, 0x00, 0x54, 0xb9, 0x71 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey3SHA224[] = { - 0x21, 0x8c, 0x45, 0x3b, 0xf9, 0x06, 0x35, 0xbd, 0x0a, 0x21, 0xa7, 0x5d, - 0x17, 0x27, 0x03, 0xff, 0x61, 0x08, 0xef, 0x60 // 20 bytes + 0x21, 0x8c, 0x45, 0x3b, 0xf9, 0x06, 0x35, 0xbd, 0x0a, 0x21, + 0xa7, 0x5d, 0x17, 0x27, 0x03, 0xff, 0x61, 0x08, 0xef, 0x60 // 20 bytes }; static const uint8_t 
kPBKDF2DerivedKey4SHA224[] = { - 0xb4, 0x99, 0x25, 0x18, 0x4c, 0xb4, 0xb5, 0x59, 0xf3, 0x65, 0xe9, 0x4f, - 0xca, 0xfc, 0xd4, 0xcd, 0xb9, 0xf7, 0xae, 0xf4 // 20 bytes + 0xb4, 0x99, 0x25, 0x18, 0x4c, 0xb4, 0xb5, 0x59, 0xf3, 0x65, + 0xe9, 0x4f, 0xca, 0xfc, 0xd4, 0xcd, 0xb9, 0xf7, 0xae, 0xf4 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey5SHA224[] = { 0x05, 0x6c, 0x4b, 0xa4, 0x38, 0xde, 0xd9, 0x1f, 0xc1, 0x4e, 0x05, 0x94, 0xe6, 0xf5, 0x2b, 0x87, 0xe1, 0xf3, 0x69, 0x0c, 0x0d, 0xc0, 0xfb, 0xc0, - 0x57 // 25 bytes + 0x57 // 25 bytes }; static const uint8_t kPBKDF2DerivedKey6SHA224[] = { 0x0f, 0x51, 0xe7, 0x77, 0x07, 0x88, 0x5e, 0x09, 0x20, 0xd7, 0x46, 0x6c, 0x8f, 0xdf, 0xd6, 0x07, 0x38, 0x31, 0xde, 0xfe, 0x01, 0x29, 0x22, 0xbf, - 0x47 // 25 bytes + 0x47 // 25 bytes }; static const uint8_t kPBKDF2DerivedKey1SHA256[] = { - 0x12, 0x0f, 0xb6, 0xcf, 0xfc, 0xf8, 0xb3, 0x2c, 0x43, 0xe7, 0x22, 0x52, - 0x56, 0xc4, 0xf8, 0x37, 0xa8, 0x65, 0x48, 0xc9 // 20 bytes + 0x12, 0x0f, 0xb6, 0xcf, 0xfc, 0xf8, 0xb3, 0x2c, 0x43, 0xe7, + 0x22, 0x52, 0x56, 0xc4, 0xf8, 0x37, 0xa8, 0x65, 0x48, 0xc9 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey2SHA256[] = { - 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, 0x2d, 0x0a, 0xdf, 0xf9, - 0x28, 0xf0, 0x6d, 0xd0, 0x2a, 0x30, 0x3f, 0x8e // 20 bytes + 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, 0x2d, 0x0a, + 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0, 0x2a, 0x30, 0x3f, 0x8e // 20 bytes }; static const uint8_t kPBKDF2DerivedKey3SHA256[] = { - 0xc5, 0xe4, 0x78, 0xd5, 0x92, 0x88, 0xc8, 0x41, 0xaa, 0x53, 0x0d, 0xb6, - 0x84, 0x5c, 0x4c, 0x8d, 0x96, 0x28, 0x93, 0xa0 // 20 bytes + 0xc5, 0xe4, 0x78, 0xd5, 0x92, 0x88, 0xc8, 0x41, 0xaa, 0x53, + 0x0d, 0xb6, 0x84, 0x5c, 0x4c, 0x8d, 0x96, 0x28, 0x93, 0xa0 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey4SHA256[] = { - 0xcf, 0x81, 0xc6, 0x6f, 0xe8, 0xcf, 0xc0, 0x4d, 0x1f, 0x31, 0xec, 0xb6, - 0x5d, 0xab, 0x40, 0x89, 0xf7, 0xf1, 0x79, 0xe8 // 20 bytes + 0xcf, 0x81, 0xc6, 0x6f, 0xe8, 0xcf, 0xc0, 0x4d, 0x1f, 
0x31, + 0xec, 0xb6, 0x5d, 0xab, 0x40, 0x89, 0xf7, 0xf1, 0x79, 0xe8 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey5SHA256[] = { 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18, - 0x1c // 25 bytes + 0x1c // 25 bytes }; static const uint8_t kPBKDF2DerivedKey6SHA256[] = { 0x09, 0x3e, 0x1a, 0xd8, 0x63, 0x30, 0x71, 0x9c, 0x17, 0xcf, 0xb0, 0x53, 0x3e, 0x1f, 0xc8, 0x51, 0x29, 0x71, 0x54, 0x28, 0x5d, 0xf7, 0x8e, 0x41, - 0xaa // 25 bytes + 0xaa // 25 bytes }; static const uint8_t kPBKDF2DerivedKey1SHA384[] = { - 0xc0, 0xe1, 0x4f, 0x06, 0xe4, 0x9e, 0x32, 0xd7, 0x3f, 0x9f, 0x52, 0xdd, - 0xf1, 0xd0, 0xc5, 0xc7, 0x19, 0x16, 0x09, 0x23 // 20 bytes + 0xc0, 0xe1, 0x4f, 0x06, 0xe4, 0x9e, 0x32, 0xd7, 0x3f, 0x9f, + 0x52, 0xdd, 0xf1, 0xd0, 0xc5, 0xc7, 0x19, 0x16, 0x09, 0x23 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey2SHA384[] = { - 0x54, 0xf7, 0x75, 0xc6, 0xd7, 0x90, 0xf2, 0x19, 0x30, 0x45, 0x91, 0x62, - 0xfc, 0x53, 0x5d, 0xbf, 0x04, 0xa9, 0x39, 0x18 // 20 bytes + 0x54, 0xf7, 0x75, 0xc6, 0xd7, 0x90, 0xf2, 0x19, 0x30, 0x45, + 0x91, 0x62, 0xfc, 0x53, 0x5d, 0xbf, 0x04, 0xa9, 0x39, 0x18 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey3SHA384[] = { - 0x55, 0x97, 0x26, 0xbe, 0x38, 0xdb, 0x12, 0x5b, 0xc8, 0x5e, 0xd7, 0x89, - 0x5f, 0x6e, 0x3c, 0xf5, 0x74, 0xc7, 0xa0, 0x1c // 20 bytes + 0x55, 0x97, 0x26, 0xbe, 0x38, 0xdb, 0x12, 0x5b, 0xc8, 0x5e, + 0xd7, 0x89, 0x5f, 0x6e, 0x3c, 0xf5, 0x74, 0xc7, 0xa0, 0x1c // 20 bytes }; static const uint8_t kPBKDF2DerivedKey4SHA384[] = { - 0xa7, 0xfd, 0xb3, 0x49, 0xba, 0x2b, 0xfa, 0x6b, 0xf6, 0x47, 0xbb, 0x01, - 0x61, 0xba, 0xe1, 0x32, 0x0d, 0xf2, 0x7e, 0x64 // 20 bytes + 0xa7, 0xfd, 0xb3, 0x49, 0xba, 0x2b, 0xfa, 0x6b, 0xf6, 0x47, + 0xbb, 0x01, 0x61, 0xba, 0xe1, 0x32, 0x0d, 0xf2, 0x7e, 0x64 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey5SHA384[] = { 0x81, 0x91, 0x43, 0xad, 0x66, 0xdf, 0x9a, 0x55, 0x25, 0x59, 0xb9, 0xe1, 0x31, 0xc5, 0x2a, 
0xe6, 0xc5, 0xc1, 0xb0, 0xee, 0xd1, 0x8f, 0x4d, 0x28, - 0x3b // 25 bytes + 0x3b // 25 bytes }; static const uint8_t kPBKDF2DerivedKey6SHA384[] = { 0xd6, 0xb7, 0x36, 0x38, 0xe3, 0x59, 0xee, 0x39, 0xae, 0x1b, 0x5c, 0x24, 0xb2, 0x5c, 0x56, 0x14, 0x5b, 0x57, 0xb1, 0x75, 0xdc, 0x6f, 0x75, 0xb8, - 0x12 // 25 bytes + 0x12 // 25 bytes }; static const uint8_t kPBKDF2DerivedKey1SHA512[] = { - 0x86, 0x7f, 0x70, 0xcf, 0x1a, 0xde, 0x02, 0xcf, 0xf3, 0x75, 0x25, 0x99, - 0xa3, 0xa5, 0x3d, 0xc4, 0xaf, 0x34, 0xc7, 0xa6 // 20 bytes + 0x86, 0x7f, 0x70, 0xcf, 0x1a, 0xde, 0x02, 0xcf, 0xf3, 0x75, + 0x25, 0x99, 0xa3, 0xa5, 0x3d, 0xc4, 0xaf, 0x34, 0xc7, 0xa6 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey2SHA512[] = { - 0xe1, 0xd9, 0xc1, 0x6a, 0xa6, 0x81, 0x70, 0x8a, 0x45, 0xf5, 0xc7, 0xc4, - 0xe2, 0x15, 0xce, 0xb6, 0x6e, 0x01, 0x1a, 0x2e // 20 bytes + 0xe1, 0xd9, 0xc1, 0x6a, 0xa6, 0x81, 0x70, 0x8a, 0x45, 0xf5, + 0xc7, 0xc4, 0xe2, 0x15, 0xce, 0xb6, 0x6e, 0x01, 0x1a, 0x2e // 20 bytes }; static const uint8_t kPBKDF2DerivedKey3SHA512[] = { - 0xd1, 0x97, 0xb1, 0xb3, 0x3d, 0xb0, 0x14, 0x3e, 0x01, 0x8b, 0x12, 0xf3, - 0xd1, 0xd1, 0x47, 0x9e, 0x6c, 0xde, 0xbd, 0xcc // 20 bytes + 0xd1, 0x97, 0xb1, 0xb3, 0x3d, 0xb0, 0x14, 0x3e, 0x01, 0x8b, + 0x12, 0xf3, 0xd1, 0xd1, 0x47, 0x9e, 0x6c, 0xde, 0xbd, 0xcc // 20 bytes }; static const uint8_t kPBKDF2DerivedKey4SHA512[] = { - 0x61, 0x80, 0xa3, 0xce, 0xab, 0xab, 0x45, 0xcc, 0x39, 0x64, 0x11, 0x2c, - 0x81, 0x1e, 0x01, 0x31, 0xbc, 0xa9, 0x3a, 0x35 // 20 bytes + 0x61, 0x80, 0xa3, 0xce, 0xab, 0xab, 0x45, 0xcc, 0x39, 0x64, + 0x11, 0x2c, 0x81, 0x1e, 0x01, 0x31, 0xbc, 0xa9, 0x3a, 0x35 // 20 bytes }; static const uint8_t kPBKDF2DerivedKey5SHA512[] = { 0x8c, 0x05, 0x11, 0xf4, 0xc6, 0xe5, 0x97, 0xc6, 0xac, 0x63, 0x15, 0xd8, 0xf0, 0x36, 0x2e, 0x22, 0x5f, 0x3c, 0x50, 0x14, 0x95, 0xba, 0x23, 0xb8, - 0x68 // 25 bytes + 0x68 // 25 bytes }; static const uint8_t kPBKDF2DerivedKey6SHA512[] = { 0x14, 0xe8, 0xb0, 0x63, 0x43, 0xf9, 0x04, 0xc6, 0xa8, 0x55, 0xcb, 0xe0, 0x7b, 
0xaf, 0xe6, 0xf8, 0xac, 0x13, 0x8f, 0xcb, 0x91, 0x2d, 0xbd, 0x33, - 0x49 // 25 bytes + 0x49 // 25 bytes }; static const uint8_t kPBKDF2DerivedKey1SHA512_224[] = { @@ -3559,8 +3662,8 @@ static const uint8_t kPBKDF2DerivedKey6SHA512_224[] = { }; static const uint8_t kPBKDF2DerivedKey1SHA512_256[] = { - 0x4b, 0x6a, 0x63, 0x11, 0x7d, 0x3e, 0xc0, 0x03, 0x26, 0x24, 0x61, - 0x60, 0x82, 0xc1, 0xc1, 0x91, 0x2f, 0x56, 0xfa, 0x5f // 20 bytes + 0x4b, 0x6a, 0x63, 0x11, 0x7d, 0x3e, 0xc0, 0x03, 0x26, 0x24, + 0x61, 0x60, 0x82, 0xc1, 0xc1, 0x91, 0x2f, 0x56, 0xfa, 0x5f // 20 bytes }; 
@@ -3588,376 +3691,166 @@ static const uint8_t kPBKDF2DerivedKey5SHA512_256[] = { static const uint8_t kPBKDF2DerivedKey6SHA512_256[] = { 0x4d, 0x68, 0xef, 0xc6, 0x80, 0xd2, 0x30, 0x5d, 0x23, 0x44, 0x9c, 0x92, 0xc4, 0x3b, 0x5b, 0xb7, 0x7f, 0x75, - 0x03, 0x4d, 0x95, 0xc5, 0x48, 0xaa, 0x44 // 25 bytes + 0x03, 0x4d, 0x95, 0xc5, 0x48, 0xaa, 0x44 // 25 bytes }; static const struct PBKDF2TestVector { - // func is the hash function for PBKDF2 to test. - const EVP_MD *(*func)(); - const uint8_t *password; - const size_t password_len; - const uint8_t *salt; - const size_t salt_len; - const unsigned iterations; - const size_t output_len; - const uint8_t *expected_output; - const FIPSStatus expect_approved; + // func is the hash function for PBKDF2 to test. + const EVP_MD *(*func)(); + const uint8_t *password; + const size_t password_len; + const uint8_t *salt; + const size_t salt_len; + const unsigned iterations; + const size_t output_len; + const uint8_t *expected_output; + const FIPSStatus expect_approved; } kPBKDF2TestVectors[] = { // SHA1 outputs - { - EVP_sha1, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 1, - sizeof(kPBKDF2DerivedKey1SHA1), kPBKDF2DerivedKey1SHA1, - AWSLC_NOT_APPROVED - }, - { - EVP_sha1, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 2, - sizeof(kPBKDF2DerivedKey2SHA1), kPBKDF2DerivedKey2SHA1, - AWSLC_NOT_APPROVED - }, - { - EVP_sha1, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 4096, - sizeof(kPBKDF2DerivedKey3SHA1), kPBKDF2DerivedKey3SHA1, - AWSLC_NOT_APPROVED - }, - { - EVP_sha1, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 16777216, - sizeof(kPBKDF2DerivedKey4SHA1), kPBKDF2DerivedKey4SHA1, - AWSLC_NOT_APPROVED - }, - { - EVP_sha1, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 4096, - sizeof(kPBKDF2DerivedKey5SHA1), kPBKDF2DerivedKey5SHA1, - 
AWSLC_APPROVED - }, - { - EVP_sha1, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 999, - sizeof(kPBKDF2DerivedKey6SHA1), kPBKDF2DerivedKey6SHA1, - AWSLC_NOT_APPROVED - }, + {EVP_sha1, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 1, sizeof(kPBKDF2DerivedKey1SHA1), + kPBKDF2DerivedKey1SHA1, AWSLC_NOT_APPROVED}, + {EVP_sha1, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 2, sizeof(kPBKDF2DerivedKey2SHA1), + kPBKDF2DerivedKey2SHA1, AWSLC_NOT_APPROVED}, + {EVP_sha1, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 4096, sizeof(kPBKDF2DerivedKey3SHA1), + kPBKDF2DerivedKey3SHA1, AWSLC_NOT_APPROVED}, + {EVP_sha1, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 16777216, sizeof(kPBKDF2DerivedKey4SHA1), + kPBKDF2DerivedKey4SHA1, AWSLC_NOT_APPROVED}, + {EVP_sha1, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + sizeof(kPBKDF2Salt2), 4096, sizeof(kPBKDF2DerivedKey5SHA1), + kPBKDF2DerivedKey5SHA1, AWSLC_APPROVED}, + {EVP_sha1, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + sizeof(kPBKDF2Salt2), 999, sizeof(kPBKDF2DerivedKey6SHA1), + kPBKDF2DerivedKey6SHA1, AWSLC_NOT_APPROVED}, // SHA224 outputs from // https://github.com/brycx/Test-Vector-Generation/pull/1 - { - EVP_sha224, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 1, - sizeof(kPBKDF2DerivedKey1SHA224), kPBKDF2DerivedKey1SHA224, - AWSLC_NOT_APPROVED - }, - { - EVP_sha224, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 2, - sizeof(kPBKDF2DerivedKey2SHA224), kPBKDF2DerivedKey2SHA224, - AWSLC_NOT_APPROVED - }, - { - EVP_sha224, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 4096, - sizeof(kPBKDF2DerivedKey3SHA224), kPBKDF2DerivedKey3SHA224, - AWSLC_NOT_APPROVED - }, - { - EVP_sha224, - kPBKDF2Password1, 
sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 16777216, - sizeof(kPBKDF2DerivedKey4SHA224), kPBKDF2DerivedKey4SHA224, - AWSLC_NOT_APPROVED - }, - { - EVP_sha224, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 4096, - sizeof(kPBKDF2DerivedKey5SHA224), kPBKDF2DerivedKey5SHA224, - AWSLC_APPROVED - }, - { - EVP_sha224, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 999, - sizeof(kPBKDF2DerivedKey6SHA224), kPBKDF2DerivedKey6SHA224, - AWSLC_NOT_APPROVED - }, + {EVP_sha224, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 1, sizeof(kPBKDF2DerivedKey1SHA224), + kPBKDF2DerivedKey1SHA224, AWSLC_NOT_APPROVED}, + {EVP_sha224, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 2, sizeof(kPBKDF2DerivedKey2SHA224), + kPBKDF2DerivedKey2SHA224, AWSLC_NOT_APPROVED}, + {EVP_sha224, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 4096, sizeof(kPBKDF2DerivedKey3SHA224), + kPBKDF2DerivedKey3SHA224, AWSLC_NOT_APPROVED}, + {EVP_sha224, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 16777216, sizeof(kPBKDF2DerivedKey4SHA224), + kPBKDF2DerivedKey4SHA224, AWSLC_NOT_APPROVED}, + {EVP_sha224, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + sizeof(kPBKDF2Salt2), 4096, sizeof(kPBKDF2DerivedKey5SHA224), + kPBKDF2DerivedKey5SHA224, AWSLC_APPROVED}, + {EVP_sha224, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + sizeof(kPBKDF2Salt2), 999, sizeof(kPBKDF2DerivedKey6SHA224), + kPBKDF2DerivedKey6SHA224, AWSLC_NOT_APPROVED}, // SHA256 outputs from // https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md - { - EVP_sha256, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 1, - sizeof(kPBKDF2DerivedKey1SHA256), kPBKDF2DerivedKey1SHA256, - AWSLC_NOT_APPROVED - }, - { - 
EVP_sha256, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 2, - sizeof(kPBKDF2DerivedKey2SHA256), kPBKDF2DerivedKey2SHA256, - AWSLC_NOT_APPROVED - }, - { - EVP_sha256, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 4096, - sizeof(kPBKDF2DerivedKey3SHA256), kPBKDF2DerivedKey3SHA256, - AWSLC_NOT_APPROVED - }, - { - EVP_sha256, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 16777216, - sizeof(kPBKDF2DerivedKey4SHA256), kPBKDF2DerivedKey4SHA256, - AWSLC_NOT_APPROVED - }, - { - EVP_sha256, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 4096, - sizeof(kPBKDF2DerivedKey5SHA256), kPBKDF2DerivedKey5SHA256, - AWSLC_APPROVED - }, - { - EVP_sha256, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 999, - sizeof(kPBKDF2DerivedKey6SHA256), kPBKDF2DerivedKey6SHA256, - AWSLC_NOT_APPROVED - }, + {EVP_sha256, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 1, sizeof(kPBKDF2DerivedKey1SHA256), + kPBKDF2DerivedKey1SHA256, AWSLC_NOT_APPROVED}, + {EVP_sha256, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 2, sizeof(kPBKDF2DerivedKey2SHA256), + kPBKDF2DerivedKey2SHA256, AWSLC_NOT_APPROVED}, + {EVP_sha256, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 4096, sizeof(kPBKDF2DerivedKey3SHA256), + kPBKDF2DerivedKey3SHA256, AWSLC_NOT_APPROVED}, + {EVP_sha256, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 16777216, sizeof(kPBKDF2DerivedKey4SHA256), + kPBKDF2DerivedKey4SHA256, AWSLC_NOT_APPROVED}, + {EVP_sha256, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + sizeof(kPBKDF2Salt2), 4096, sizeof(kPBKDF2DerivedKey5SHA256), + kPBKDF2DerivedKey5SHA256, AWSLC_APPROVED}, + {EVP_sha256, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + 
sizeof(kPBKDF2Salt2), 999, sizeof(kPBKDF2DerivedKey6SHA256), + kPBKDF2DerivedKey6SHA256, AWSLC_NOT_APPROVED}, // SHA384 outputs from // https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md - { - EVP_sha384, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 1, - sizeof(kPBKDF2DerivedKey1SHA384), kPBKDF2DerivedKey1SHA384, - AWSLC_NOT_APPROVED - }, - { - EVP_sha384, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 2, - sizeof(kPBKDF2DerivedKey2SHA384), kPBKDF2DerivedKey2SHA384, - AWSLC_NOT_APPROVED - }, - { - EVP_sha384, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 4096, - sizeof(kPBKDF2DerivedKey3SHA384), kPBKDF2DerivedKey3SHA384, - AWSLC_NOT_APPROVED - }, - { - EVP_sha384, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 16777216, - sizeof(kPBKDF2DerivedKey4SHA384), kPBKDF2DerivedKey4SHA384, - AWSLC_NOT_APPROVED - }, - { - EVP_sha384, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 4096, - sizeof(kPBKDF2DerivedKey5SHA384), kPBKDF2DerivedKey5SHA384, - AWSLC_APPROVED - }, - { - EVP_sha384, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 999, - sizeof(kPBKDF2DerivedKey6SHA384), kPBKDF2DerivedKey6SHA384, - AWSLC_NOT_APPROVED - }, + {EVP_sha384, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 1, sizeof(kPBKDF2DerivedKey1SHA384), + kPBKDF2DerivedKey1SHA384, AWSLC_NOT_APPROVED}, + {EVP_sha384, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 2, sizeof(kPBKDF2DerivedKey2SHA384), + kPBKDF2DerivedKey2SHA384, AWSLC_NOT_APPROVED}, + {EVP_sha384, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 4096, sizeof(kPBKDF2DerivedKey3SHA384), + kPBKDF2DerivedKey3SHA384, AWSLC_NOT_APPROVED}, + {EVP_sha384, 
kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 16777216, sizeof(kPBKDF2DerivedKey4SHA384), + kPBKDF2DerivedKey4SHA384, AWSLC_NOT_APPROVED}, + {EVP_sha384, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + sizeof(kPBKDF2Salt2), 4096, sizeof(kPBKDF2DerivedKey5SHA384), + kPBKDF2DerivedKey5SHA384, AWSLC_APPROVED}, + {EVP_sha384, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + sizeof(kPBKDF2Salt2), 999, sizeof(kPBKDF2DerivedKey6SHA384), + kPBKDF2DerivedKey6SHA384, AWSLC_NOT_APPROVED}, // SHA512 outputs from // https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md - { - EVP_sha512, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 1, - sizeof(kPBKDF2DerivedKey1SHA512), kPBKDF2DerivedKey1SHA512, - AWSLC_NOT_APPROVED - }, - { - EVP_sha512, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 2, - sizeof(kPBKDF2DerivedKey2SHA512), kPBKDF2DerivedKey2SHA512, - AWSLC_NOT_APPROVED - }, - { - EVP_sha512, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 4096, - sizeof(kPBKDF2DerivedKey3SHA512), kPBKDF2DerivedKey3SHA512, - AWSLC_NOT_APPROVED - }, - { - EVP_sha512, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 16777216, - sizeof(kPBKDF2DerivedKey4SHA512), kPBKDF2DerivedKey4SHA512, - AWSLC_NOT_APPROVED - }, - { - EVP_sha512, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 4096, - sizeof(kPBKDF2DerivedKey5SHA512), kPBKDF2DerivedKey5SHA512, - AWSLC_APPROVED - }, - { - EVP_sha512, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 999, - sizeof(kPBKDF2DerivedKey6SHA512), kPBKDF2DerivedKey6SHA512, - AWSLC_NOT_APPROVED - }, + {EVP_sha512, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 1, sizeof(kPBKDF2DerivedKey1SHA512), + 
kPBKDF2DerivedKey1SHA512, AWSLC_NOT_APPROVED}, + {EVP_sha512, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 2, sizeof(kPBKDF2DerivedKey2SHA512), + kPBKDF2DerivedKey2SHA512, AWSLC_NOT_APPROVED}, + {EVP_sha512, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 4096, sizeof(kPBKDF2DerivedKey3SHA512), + kPBKDF2DerivedKey3SHA512, AWSLC_NOT_APPROVED}, + {EVP_sha512, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 16777216, sizeof(kPBKDF2DerivedKey4SHA512), + kPBKDF2DerivedKey4SHA512, AWSLC_NOT_APPROVED}, + {EVP_sha512, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + sizeof(kPBKDF2Salt2), 4096, sizeof(kPBKDF2DerivedKey5SHA512), + kPBKDF2DerivedKey5SHA512, AWSLC_APPROVED}, + {EVP_sha512, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + sizeof(kPBKDF2Salt2), 999, sizeof(kPBKDF2DerivedKey6SHA512), + kPBKDF2DerivedKey6SHA512, AWSLC_NOT_APPROVED}, // SHA512_224 using // https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md - { - EVP_sha512_224, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 1, - sizeof(kPBKDF2DerivedKey1SHA512_224), kPBKDF2DerivedKey1SHA512_224, - AWSLC_NOT_APPROVED - }, - { - EVP_sha512_224, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 2, - sizeof(kPBKDF2DerivedKey2SHA512_224), kPBKDF2DerivedKey2SHA512_224, - AWSLC_NOT_APPROVED - }, - { - EVP_sha512_224, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 4096, - sizeof(kPBKDF2DerivedKey3SHA512_224), kPBKDF2DerivedKey3SHA512_224, - AWSLC_NOT_APPROVED - }, - { - EVP_sha512_224, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 16777216, - sizeof(kPBKDF2DerivedKey4SHA512_224), kPBKDF2DerivedKey4SHA512_224, - AWSLC_NOT_APPROVED - }, - { - EVP_sha512_224, - kPBKDF2Password2, 
sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 4096, - sizeof(kPBKDF2DerivedKey5SHA512_224), kPBKDF2DerivedKey5SHA512_224, - AWSLC_APPROVED - }, - { - EVP_sha512_224, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 999, - sizeof(kPBKDF2DerivedKey6SHA512_224), kPBKDF2DerivedKey6SHA512_224, - AWSLC_NOT_APPROVED - }, + {EVP_sha512_224, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 1, sizeof(kPBKDF2DerivedKey1SHA512_224), + kPBKDF2DerivedKey1SHA512_224, AWSLC_NOT_APPROVED}, + {EVP_sha512_224, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 2, sizeof(kPBKDF2DerivedKey2SHA512_224), + kPBKDF2DerivedKey2SHA512_224, AWSLC_NOT_APPROVED}, + {EVP_sha512_224, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 4096, sizeof(kPBKDF2DerivedKey3SHA512_224), + kPBKDF2DerivedKey3SHA512_224, AWSLC_NOT_APPROVED}, + {EVP_sha512_224, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 16777216, sizeof(kPBKDF2DerivedKey4SHA512_224), + kPBKDF2DerivedKey4SHA512_224, AWSLC_NOT_APPROVED}, + {EVP_sha512_224, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + sizeof(kPBKDF2Salt2), 4096, sizeof(kPBKDF2DerivedKey5SHA512_224), + kPBKDF2DerivedKey5SHA512_224, AWSLC_APPROVED}, + {EVP_sha512_224, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + sizeof(kPBKDF2Salt2), 999, sizeof(kPBKDF2DerivedKey6SHA512_224), + kPBKDF2DerivedKey6SHA512_224, AWSLC_NOT_APPROVED}, // SHA512_256 using // https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md - { - EVP_sha512_256, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 1, - sizeof(kPBKDF2DerivedKey1SHA512_256), kPBKDF2DerivedKey1SHA512_256, - AWSLC_NOT_APPROVED - }, - { - EVP_sha512_256, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 2, - 
sizeof(kPBKDF2DerivedKey2SHA512_256), kPBKDF2DerivedKey2SHA512_256, - AWSLC_NOT_APPROVED - }, - { - EVP_sha512_256, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 4096, - sizeof(kPBKDF2DerivedKey3SHA512_256), kPBKDF2DerivedKey3SHA512_256, - AWSLC_NOT_APPROVED - }, - { - EVP_sha512_256, - kPBKDF2Password1, sizeof(kPBKDF2Password1), - kPBKDF2Salt1, sizeof(kPBKDF2Salt1), - 16777216, - sizeof(kPBKDF2DerivedKey4SHA512_256), kPBKDF2DerivedKey4SHA512_256, - AWSLC_NOT_APPROVED - }, - { - EVP_sha512_256, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 4096, - sizeof(kPBKDF2DerivedKey5SHA512_256), kPBKDF2DerivedKey5SHA512_256, - AWSLC_APPROVED - }, - { - EVP_sha512_256, - kPBKDF2Password2, sizeof(kPBKDF2Password2), - kPBKDF2Salt2, sizeof(kPBKDF2Salt2), - 999, - sizeof(kPBKDF2DerivedKey6SHA512_256), kPBKDF2DerivedKey6SHA512_256, - AWSLC_NOT_APPROVED - }, + {EVP_sha512_256, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 1, sizeof(kPBKDF2DerivedKey1SHA512_256), + kPBKDF2DerivedKey1SHA512_256, AWSLC_NOT_APPROVED}, + {EVP_sha512_256, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 2, sizeof(kPBKDF2DerivedKey2SHA512_256), + kPBKDF2DerivedKey2SHA512_256, AWSLC_NOT_APPROVED}, + {EVP_sha512_256, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 4096, sizeof(kPBKDF2DerivedKey3SHA512_256), + kPBKDF2DerivedKey3SHA512_256, AWSLC_NOT_APPROVED}, + {EVP_sha512_256, kPBKDF2Password1, sizeof(kPBKDF2Password1), kPBKDF2Salt1, + sizeof(kPBKDF2Salt1), 16777216, sizeof(kPBKDF2DerivedKey4SHA512_256), + kPBKDF2DerivedKey4SHA512_256, AWSLC_NOT_APPROVED}, + {EVP_sha512_256, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + sizeof(kPBKDF2Salt2), 4096, sizeof(kPBKDF2DerivedKey5SHA512_256), + kPBKDF2DerivedKey5SHA512_256, AWSLC_APPROVED}, + {EVP_sha512_256, kPBKDF2Password2, sizeof(kPBKDF2Password2), kPBKDF2Salt2, + 
sizeof(kPBKDF2Salt2), 999, sizeof(kPBKDF2DerivedKey6SHA512_256), + kPBKDF2DerivedKey6SHA512_256, AWSLC_NOT_APPROVED}, }; class PBKDF2_ServiceIndicatorTest : public TestWithNoErrors { @@ -3971,14 +3864,13 @@ TEST_P(PBKDF2_ServiceIndicatorTest, PBKDF2) { FIPSStatus approved = AWSLC_NOT_APPROVED; - uint8_t output[sizeof(kPBKDF2DerivedKey5SHA1)]; // largest test vector output size + uint8_t output[sizeof( + kPBKDF2DerivedKey5SHA1)]; // largest test vector output size CALL_SERVICE_AND_CHECK_APPROVED( - approved, ASSERT_TRUE(PKCS5_PBKDF2_HMAC((const char *)test.password, - test.password_len, - test.salt, test.salt_len, - test.iterations, - test.func(), test.output_len, - output))); + approved, ASSERT_TRUE(PKCS5_PBKDF2_HMAC( + (const char *)test.password, test.password_len, test.salt, + test.salt_len, test.iterations, test.func(), + test.output_len, output))); EXPECT_EQ(Bytes(test.expected_output, test.output_len), Bytes(output, test.output_len)); EXPECT_EQ(approved, test.expect_approved); 
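Review bot: The PBKDF2 test's output buffer is sized by `sizeof(kPBKDF2DerivedKey5SHA1)` and the invariant that no vector's `output_len` exceeds it lives only in a trailing comment, so a longer vector added to `kPBKDF2TestVectors` later would overflow the stack buffer inside `PKCS5_PBKDF2_HMAC` before any comparison runs. Add `ASSERT_LE(test.output_len, sizeof(output));` ahead of the `CALL_SERVICE_AND_CHECK_APPROVED` call; the SSHKDF test in the `@@ -4215` hunk sizes its buffer from `kSSHKDFexpectedSHA512` the same way and needs the same guard. Moving that comment onto its own line above the declaration would also let clang-format keep `uint8_t output[sizeof(kPBKDF2DerivedKey5SHA1)];` on one line instead of breaking inside `sizeof(`. The enclosing `TEST_P` body begins and ends outside this hunk.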
@@ -3999,19 +3891,15 @@ const uint8_t kSSHKDFkeySHA1[] = { 0x7c, 0xea, 0xd6, 0x3b, 0x36, 0x6b, 0x1c, 0x28, 0x6e, 0x6c, 0x48, 0x11, 0xa9, 0xf1, 0x4c, 0x27, 0xae, 0xa1, 0x4c, 0x51, 0x71, 0xd4, 0x9b, 0x78, 0xc0, 0x6e, 0x37, 0x35, 0xd3, 0x6e, 0x6a, 0x3b, 0xe3, 0x21, 0xdd, 0x5f, - 0xc8, 0x23, 0x08, 0xf3, 0x4e, 0xe1, 0xcb, 0x17, 0xfb, 0xa9, 0x4a, 0x59 -}; -const uint8_t kSSHKDFxcghashSHA1[] = { - 0xa4, 0xeb, 0xd4, 0x59, 0x34, 0xf5, 0x67, 0x92, 0xb5, 0x11, 0x2d, 0xcd, - 0x75, 0xa1, 0x07, 0x5f, 0xdc, 0x88, 0x92, 0x45 -}; -const uint8_t kSSHKDFsessionSHA1[] = { - 0xa4, 0xeb, 0xd4, 0x59, 0x34, 0xf5, 0x67, 0x92, 0xb5, 0x11, 0x2d, 0xcd, - 0x75, 0xa1, 0x07, 0x5f, 0xdc, 0x88, 0x92, 0x45 -}; -const uint8_t kSSHKDFexpectedSHA1[] = { - 0xe2, 0xf6, 0x27, 0xc0, 0xb4, 0x3f, 0x1a, 0xc1 -}; + 0xc8, 0x23, 0x08, 0xf3, 0x4e, 0xe1, 0xcb, 0x17, 0xfb, 0xa9, 0x4a, 0x59}; +const uint8_t kSSHKDFxcghashSHA1[] = {0xa4, 0xeb, 0xd4, 0x59, 0x34, 0xf5, 0x67, + 0x92, 0xb5, 0x11, 0x2d, 0xcd, 0x75, 0xa1, + 0x07, 0x5f, 0xdc, 0x88, 0x92, 0x45}; +const uint8_t kSSHKDFsessionSHA1[] = {0xa4, 0xeb, 0xd4, 0x59, 0x34, 0xf5, 0x67, + 0x92, 0xb5, 0x11, 0x2d, 0xcd, 0x75, 0xa1, + 0x07, 0x5f, 0xdc, 0x88, 0x92, 0x45}; +const uint8_t kSSHKDFexpectedSHA1[] = {0xe2, 0xf6, 0x27, 0xc0, + 0xb4, 0x3f, 0x1a, 0xc1}; const uint8_t kSSHKDFkeySHA224[] = { 0x00, 0x00, 0x00, 0x81, 0x00, 0x8d, 0xe6, 0x0d, 0xf0, 0x19, 0xc2, 0x39, 
@@ -4025,21 +3913,17 @@ const uint8_t kSSHKDFkeySHA224[] = { 0xdc, 0xd2, 0x56, 0xbf, 0xe8, 0x17, 0x13, 0x02, 0xa8, 0x1c, 0xe1, 0x3f, 0x47, 0xf7, 0x37, 0x5d, 0xb8, 0x0a, 0x6b, 0xbf, 0x8c, 0xe7, 0xd8, 0xf9, 0x6e, 0x03, 0xfc, 0x62, 0x75, 0xfd, 0x5d, 0xac, 0xfb, 0xdd, 0x16, 0x67, - 0x92 -}; + 0x92}; const uint8_t kSSHKDFxcghashSHA224[] = { - 0xe6, 0x9f, 0xbb, 0xee, 0x90, 0xf0, 0xcb, 0x7c, 0x57, 0x99, 0x6c, 0x6f, - 0x3f, 0x9e, 0xc4, 0xc7, 0xde, 0x9f, 0x0c, 0x43, 0xb7, 0xc9, 0x93, 0xec, - 0x3e, 0xc1, 0xd4, 0xca -}; + 0xe6, 0x9f, 0xbb, 0xee, 0x90, 0xf0, 0xcb, 0x7c, 0x57, 0x99, + 0x6c, 0x6f, 0x3f, 0x9e, 0xc4, 0xc7, 0xde, 0x9f, 0x0c, 0x43, + 0xb7, 0xc9, 0x93, 0xec, 0x3e, 0xc1, 0xd4, 0xca}; const uint8_t kSSHKDFsessionSHA224[] = { - 0xe6, 0x9f, 0xbb, 0xee, 0x90, 0xf0, 0xcb, 0x7c, 0x57, 0x99, 0x6c, 0x6f, - 0x3f, 0x9e, 0xc4, 0xc7, 0xde, 0x9f, 0x0c, 0x43, 0xb7, 0xc9, 0x93, 0xec, - 0x3e, 0xc1, 0xd4, 0xca -}; -const uint8_t kSSHKDFexpectedSHA224[] = { - 0x9f, 0xff, 0x6c, 0x6a, 0x6d, 0x1f, 0x5c, 0x31 -}; + 0xe6, 0x9f, 0xbb, 0xee, 0x90, 0xf0, 0xcb, 0x7c, 0x57, 0x99, + 0x6c, 0x6f, 0x3f, 0x9e, 0xc4, 0xc7, 0xde, 0x9f, 0x0c, 0x43, + 0xb7, 0xc9, 0x93, 0xec, 0x3e, 0xc1, 0xd4, 0xca}; +const uint8_t kSSHKDFexpectedSHA224[] = {0x9f, 0xff, 0x6c, 0x6a, + 0x6d, 0x1f, 0x5c, 0x31}; static const uint8_t kSSHKDFkeySHA256[] = { 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a, 
@@ -4053,21 +3937,17 @@ static const uint8_t kSSHKDFkeySHA256[] = { 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08, 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43, 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14, - 0x4e -}; + 0x4e}; static const uint8_t kSSHKDFxcghashSHA256[] = { - 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23, - 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7, - 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42 -}; + 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, + 0x23, 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, + 0x4a, 0xa7, 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42}; static const uint8_t kSSHKDFsessionSHA256[] = { - 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23, - 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7, - 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42 -}; -static const uint8_t kSSHKDFexpectedSHA256[] = { - 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6 -}; + 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, + 0x23, 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, + 0x4a, 0xa7, 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42}; +static const uint8_t kSSHKDFexpectedSHA256[] = {0x41, 0xff, 0x2e, 0xad, + 0x16, 0x83, 0xf1, 0xe6}; const uint8_t kSSHKDFkeySHA384[] = { 0x00, 0x00, 0x00, 0x81, 0x00, 0x94, 0x14, 0x56, 0xbd, 0x72, 0x26, 0x7a, 
@@ -4081,23 +3961,19 @@ const uint8_t kSSHKDFkeySHA384[] = { 0xac, 0xcf, 0xc5, 0x8a, 0x49, 0xfc, 0x34, 0xb1, 0x98, 0xe0, 0x28, 0x5b, 0x31, 0x03, 0x2a, 0xc9, 0xf0, 0x69, 0x07, 0xde, 0xf1, 0x96, 0xf5, 0x74, 0x8b, 0xd3, 0x2c, 0xe2, 0x2a, 0x53, 0x83, 0xa1, 0xbb, 0xdb, 0xd3, 0x1f, - 0x24 -}; + 0x24}; const uint8_t kSSHKDFxcghashSHA384[] = { 0xe0, 0xde, 0xe8, 0x0c, 0xcc, 0x16, 0x28, 0x84, 0x39, 0x39, 0x30, 0xad, 0x20, 0x73, 0xd9, 0x21, 0x20, 0xc8, 0x04, 0x25, 0x41, 0x62, 0x44, 0x6b, 0x7d, 0x04, 0x8f, 0x85, 0xa1, 0xa4, 0xdd, 0x7b, 0x63, 0x6a, 0x09, 0xb6, - 0x92, 0x52, 0xb8, 0x09, 0x52, 0xa0, 0x58, 0x1e, 0x94, 0x90, 0xee, 0x5a -}; + 0x92, 0x52, 0xb8, 0x09, 0x52, 0xa0, 0x58, 0x1e, 0x94, 0x90, 0xee, 0x5a}; const uint8_t kSSHKDFsessionSHA384[] = { 0xe0, 0xde, 0xe8, 0x0c, 0xcc, 0x16, 0x28, 0x84, 0x39, 0x39, 0x30, 0xad, 0x20, 0x73, 0xd9, 0x21, 0x20, 0xc8, 0x04, 0x25, 0x41, 0x62, 0x44, 0x6b, 0x7d, 0x04, 0x8f, 0x85, 0xa1, 0xa4, 0xdd, 0x7b, 0x63, 0x6a, 0x09, 0xb6, - 0x92, 0x52, 0xb8, 0x09, 0x52, 0xa0, 0x58, 0x1e, 0x94, 0x90, 0xee, 0x5a -}; -const uint8_t kSSHKDFexpectedSHA384[] = { - 0xd3, 0x1c, 0x16, 0xf6, 0x7b, 0x17, 0xbc, 0x69 -}; + 0x92, 0x52, 0xb8, 0x09, 0x52, 0xa0, 0x58, 0x1e, 0x94, 0x90, 0xee, 0x5a}; +const uint8_t kSSHKDFexpectedSHA384[] = {0xd3, 0x1c, 0x16, 0xf6, + 0x7b, 0x17, 0xbc, 0x69}; const uint8_t kSSHKDFkeySHA512[] = { 0x00, 0x00, 0x00, 0x80, 0x57, 0x53, 0x08, 0xca, 0x39, 0x57, 0x98, 0xbb, 
@@ -4110,102 +3986,63 @@ const uint8_t kSSHKDFkeySHA512[] = { 0xf8, 0x54, 0xf8, 0x6d, 0xe7, 0x1a, 0x68, 0xb1, 0x69, 0x3f, 0xe8, 0xff, 0xa1, 0xc5, 0x9c, 0xe7, 0xe9, 0xf9, 0x22, 0x3d, 0xeb, 0xad, 0xa2, 0x56, 0x6d, 0x2b, 0x0e, 0x56, 0x78, 0xa4, 0x8b, 0xfb, 0x53, 0x0e, 0x7b, 0xee, - 0x42, 0xbd, 0x2a, 0xc7, 0x30, 0x4a, 0x0a, 0x5a, 0xe3, 0x39, 0xa2, 0xcd -}; + 0x42, 0xbd, 0x2a, 0xc7, 0x30, 0x4a, 0x0a, 0x5a, 0xe3, 0x39, 0xa2, 0xcd}; const uint8_t kSSHKDFxcghashSHA512[] = { - 0xa4, 0x12, 0x5a, 0xa9, 0x89, 0x80, 0x92, 0xca, 0x50, 0xc3, 0xc1, 0x63, - 0x1c, 0x03, 0xdc, 0xbc, 0x9d, 0xf9, 0x5c, 0xeb, 0xb4, 0x09, 0x88, 0x1e, - 0x58, 0x01, 0x08, 0xb6, 0xcc, 0x47, 0x04, 0xb7, 0x6c, 0xc7, 0x7b, 0x87, - 0x95, 0xfd, 0x59, 0x40, 0x56, 0x1e, 0x32, 0x24, 0xcc, 0x75, 0x84, 0x85, - 0x18, 0x99, 0x2b, 0xd8, 0xd9, 0xb7, 0x0f, 0xe0, 0xfc, 0x97, 0x7a, 0x47, - 0x60, 0x63, 0xc8, 0xbf -}; + 0xa4, 0x12, 0x5a, 0xa9, 0x89, 0x80, 0x92, 0xca, 0x50, 0xc3, 0xc1, + 0x63, 0x1c, 0x03, 0xdc, 0xbc, 0x9d, 0xf9, 0x5c, 0xeb, 0xb4, 0x09, + 0x88, 0x1e, 0x58, 0x01, 0x08, 0xb6, 0xcc, 0x47, 0x04, 0xb7, 0x6c, + 0xc7, 0x7b, 0x87, 0x95, 0xfd, 0x59, 0x40, 0x56, 0x1e, 0x32, 0x24, + 0xcc, 0x75, 0x84, 0x85, 0x18, 0x99, 0x2b, 0xd8, 0xd9, 0xb7, 0x0f, + 0xe0, 0xfc, 0x97, 0x7a, 0x47, 0x60, 0x63, 0xc8, 0xbf}; const uint8_t kSSHKDFsessionSHA512[] = { - 0xa4, 0x12, 0x5a, 0xa9, 0x89, 0x80, 0x92, 0xca, 0x50, 0xc3, 0xc1, 0x63, - 0x1c, 0x03, 0xdc, 0xbc, 0x9d, 0xf9, 0x5c, 0xeb, 0xb4, 0x09, 0x88, 0x1e, - 0x58, 0x01, 0x08, 0xb6, 0xcc, 0x47, 0x04, 0xb7, 0x6c, 0xc7, 0x7b, 0x87, - 0x95, 0xfd, 0x59, 0x40, 0x56, 0x1e, 0x32, 0x24, 0xcc, 0x75, 0x84, 0x85, - 0x18, 0x99, 0x2b, 0xd8, 0xd9, 0xb7, 0x0f, 0xe0, 0xfc, 0x97, 0x7a, 0x47, - 0x60, 0x63, 0xc8, 0xbf -}; -const uint8_t kSSHKDFexpectedSHA512[] = { - 0x0e, 0x26, 0x93, 0xad, 0xe0, 0x52, 0x4a, 0xf8 -}; + 0xa4, 0x12, 0x5a, 0xa9, 0x89, 0x80, 0x92, 0xca, 0x50, 0xc3, 0xc1, + 0x63, 0x1c, 0x03, 0xdc, 0xbc, 0x9d, 0xf9, 0x5c, 0xeb, 0xb4, 0x09, + 0x88, 0x1e, 0x58, 0x01, 0x08, 0xb6, 0xcc, 0x47, 0x04, 
0xb7, 0x6c, + 0xc7, 0x7b, 0x87, 0x95, 0xfd, 0x59, 0x40, 0x56, 0x1e, 0x32, 0x24, + 0xcc, 0x75, 0x84, 0x85, 0x18, 0x99, 0x2b, 0xd8, 0xd9, 0xb7, 0x0f, + 0xe0, 0xfc, 0x97, 0x7a, 0x47, 0x60, 0x63, 0xc8, 0xbf}; +const uint8_t kSSHKDFexpectedSHA512[] = {0x0e, 0x26, 0x93, 0xad, + 0xe0, 0x52, 0x4a, 0xf8}; static const struct SSHKDFTestVector { - // func is the hash function for PBKDF2 to test. - const EVP_MD *(*func)(); - const uint8_t *key; - const size_t key_len; - const uint8_t *xcghash; - const size_t xcghash_len; - const uint8_t *session_id; - const size_t session_id_len; - const char type; - const size_t output_len; - const uint8_t *expected_output; - const FIPSStatus expect_approved; + // func is the hash function for PBKDF2 to test. + const EVP_MD *(*func)(); + const uint8_t *key; + const size_t key_len; + const uint8_t *xcghash; + const size_t xcghash_len; + const uint8_t *session_id; + const size_t session_id_len; + const char type; + const size_t output_len; + const uint8_t *expected_output; + const FIPSStatus expect_approved; } kSSHKDFTestVectors[] = { - { - EVP_sha1, - kSSHKDFkeySHA1, sizeof(kSSHKDFkeySHA1), - kSSHKDFxcghashSHA1, sizeof(kSSHKDFxcghashSHA1), - kSSHKDFsessionSHA1, sizeof(kSSHKDFsessionSHA1), - kSSHKDFtype, - sizeof(kSSHKDFexpectedSHA1), - kSSHKDFexpectedSHA1, - AWSLC_APPROVED - }, - { - EVP_sha224, - kSSHKDFkeySHA224, sizeof(kSSHKDFkeySHA224), - kSSHKDFxcghashSHA224, sizeof(kSSHKDFxcghashSHA224), - kSSHKDFsessionSHA224, sizeof(kSSHKDFsessionSHA224), - kSSHKDFtype, - sizeof(kSSHKDFexpectedSHA224), - kSSHKDFexpectedSHA224, - AWSLC_APPROVED - }, - { - EVP_sha256, - kSSHKDFkeySHA256, sizeof(kSSHKDFkeySHA256), - kSSHKDFxcghashSHA256, sizeof(kSSHKDFxcghashSHA256), - kSSHKDFsessionSHA256, sizeof(kSSHKDFsessionSHA256), - kSSHKDFtype, - sizeof(kSSHKDFexpectedSHA256), - kSSHKDFexpectedSHA256, - AWSLC_APPROVED - }, - { - EVP_sha384, - kSSHKDFkeySHA384, sizeof(kSSHKDFkeySHA384), - kSSHKDFxcghashSHA384, sizeof(kSSHKDFxcghashSHA384), - kSSHKDFsessionSHA384, 
sizeof(kSSHKDFsessionSHA384), - kSSHKDFtype, - sizeof(kSSHKDFexpectedSHA384), - kSSHKDFexpectedSHA384, - AWSLC_APPROVED - }, - { - EVP_sha512, - kSSHKDFkeySHA512, sizeof(kSSHKDFkeySHA512), - kSSHKDFxcghashSHA512, sizeof(kSSHKDFxcghashSHA512), - kSSHKDFsessionSHA512, sizeof(kSSHKDFsessionSHA512), - kSSHKDFtype, - sizeof(kSSHKDFexpectedSHA512), - kSSHKDFexpectedSHA512, - AWSLC_APPROVED - }, - { - EVP_md5, - kSSHKDFkeySHA256, sizeof(kSSHKDFkeySHA256), - kSSHKDFxcghashSHA256, sizeof(kSSHKDFxcghashSHA256), - kSSHKDFsessionSHA256, sizeof(kSSHKDFsessionSHA256), - kSSHKDFtype, - sizeof(kSSHKDFexpectedSHA256), - kSSHKDFexpectedSHA256, // Not actually, that's the SHA-256 data. - AWSLC_NOT_APPROVED - }, + {EVP_sha1, kSSHKDFkeySHA1, sizeof(kSSHKDFkeySHA1), kSSHKDFxcghashSHA1, + sizeof(kSSHKDFxcghashSHA1), kSSHKDFsessionSHA1, sizeof(kSSHKDFsessionSHA1), + kSSHKDFtype, sizeof(kSSHKDFexpectedSHA1), kSSHKDFexpectedSHA1, + AWSLC_APPROVED}, + {EVP_sha224, kSSHKDFkeySHA224, sizeof(kSSHKDFkeySHA224), + kSSHKDFxcghashSHA224, sizeof(kSSHKDFxcghashSHA224), kSSHKDFsessionSHA224, + sizeof(kSSHKDFsessionSHA224), kSSHKDFtype, sizeof(kSSHKDFexpectedSHA224), + kSSHKDFexpectedSHA224, AWSLC_APPROVED}, + {EVP_sha256, kSSHKDFkeySHA256, sizeof(kSSHKDFkeySHA256), + kSSHKDFxcghashSHA256, sizeof(kSSHKDFxcghashSHA256), kSSHKDFsessionSHA256, + sizeof(kSSHKDFsessionSHA256), kSSHKDFtype, sizeof(kSSHKDFexpectedSHA256), + kSSHKDFexpectedSHA256, AWSLC_APPROVED}, + {EVP_sha384, kSSHKDFkeySHA384, sizeof(kSSHKDFkeySHA384), + kSSHKDFxcghashSHA384, sizeof(kSSHKDFxcghashSHA384), kSSHKDFsessionSHA384, + sizeof(kSSHKDFsessionSHA384), kSSHKDFtype, sizeof(kSSHKDFexpectedSHA384), + kSSHKDFexpectedSHA384, AWSLC_APPROVED}, + {EVP_sha512, kSSHKDFkeySHA512, sizeof(kSSHKDFkeySHA512), + kSSHKDFxcghashSHA512, sizeof(kSSHKDFxcghashSHA512), kSSHKDFsessionSHA512, + sizeof(kSSHKDFsessionSHA512), kSSHKDFtype, sizeof(kSSHKDFexpectedSHA512), + kSSHKDFexpectedSHA512, AWSLC_APPROVED}, + {EVP_md5, kSSHKDFkeySHA256, 
sizeof(kSSHKDFkeySHA256), kSSHKDFxcghashSHA256, + sizeof(kSSHKDFxcghashSHA256), kSSHKDFsessionSHA256, + sizeof(kSSHKDFsessionSHA256), kSSHKDFtype, sizeof(kSSHKDFexpectedSHA256), + kSSHKDFexpectedSHA256, // Not actually, that's the SHA-256 data. + AWSLC_NOT_APPROVED}, }; class SSHKDF_ServiceIndicatorTest : public TestWithNoErrors { @@ -4215,21 +4052,21 @@ INSTANTIATE_TEST_SUITE_P(All, SSHKDF_ServiceIndicatorTest, testing::ValuesIn(kSSHKDFTestVectors)); TEST_P(SSHKDF_ServiceIndicatorTest, SSHKDF) { - const SSHKDFTestVector &test = GetParam(); + const SSHKDFTestVector &test = GetParam(); - FIPSStatus approved = AWSLC_NOT_APPROVED; - uint8_t output[sizeof(kSSHKDFexpectedSHA512)]; // largest test vector output size - CALL_SERVICE_AND_CHECK_APPROVED( - approved, ASSERT_TRUE(SSHKDF(test.func(), test.key, test.key_len, - test.xcghash, test.xcghash_len, - test.session_id, test.session_id_len, - test.type, - output, test.output_len))); - if (test.expect_approved) { - EXPECT_EQ(Bytes(test.expected_output, test.output_len), - Bytes(output, test.output_len)); - } - EXPECT_EQ(approved, test.expect_approved); + FIPSStatus approved = AWSLC_NOT_APPROVED; + uint8_t + output[sizeof(kSSHKDFexpectedSHA512)]; // largest test vector output size + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(SSHKDF(test.func(), test.key, test.key_len, test.xcghash, + test.xcghash_len, test.session_id, test.session_id_len, + test.type, output, test.output_len))); + if (test.expect_approved) { + EXPECT_EQ(Bytes(test.expected_output, test.output_len), + Bytes(output, test.output_len)); + } + EXPECT_EQ(approved, test.expect_approved); } TEST(ServiceIndicatorTest, CMAC) { 
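Review bot: The field comment on `SSHKDFTestVector` still reads `// func is the hash function for PBKDF2 to test.`, copied from `PBKDF2TestVector`; it should say `// func is the hash function for SSHKDF to test.`. The inline remark on the `EVP_md5` row, `// Not actually, that's the SHA-256 data.`, would be clearer as `// Reused SHA-256 data; expected_output is never compared because expect_approved is AWSLC_NOT_APPROVED.`, since the test body only compares output when `test.expect_approved` is set.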
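Review bot: `if (test.expect_approved)` in the SSHKDF test treats a `FIPSStatus` as a boolean, which is only correct if `AWSLC_NOT_APPROVED` happens to be the zero enumerator; writing `if (test.expect_approved == AWSLC_APPROVED)` states the intent and matches the explicit `EXPECT_EQ(approved, test.expect_approved)` two lines later. As with the PBKDF2 test, hoisting the `// largest test vector output size` comment above the declaration would avoid the `uint8_t` / `output[...]` split clang-format produced here.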
@@ -4242,25 +4079,26 @@ TEST(ServiceIndicatorTest, CMAC) { // |CMAC_Final| for approval at the end. |CMAC_Init| and |CMAC_Update| // should not be approved, because the functions do not indicate that a // service has been fully completed yet. - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(CMAC_Init(ctx.get(), kAESKey, sizeof(kAESKey), - EVP_aes_128_cbc(), nullptr))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(CMAC_Init(ctx.get(), kAESKey, sizeof(kAESKey), + EVP_aes_128_cbc(), nullptr))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(CMAC_Update(ctx.get(), kPlaintext, sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); uint8_t mac[16]; size_t out_len; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(CMAC_Final(ctx.get(), mac, &out_len))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(CMAC_Final(ctx.get(), mac, &out_len))); EXPECT_EQ(approved, AWSLC_APPROVED); EXPECT_EQ(Bytes(kAESCMACOutput), Bytes(mac)); // Test using the one-shot API for approval. - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(AES_CMAC(mac, kAESKey, sizeof(kAESKey), kPlaintext, - sizeof(kPlaintext)))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(AES_CMAC(mac, kAESKey, sizeof(kAESKey), kPlaintext, + sizeof(kPlaintext)))); EXPECT_EQ(Bytes(kAESCMACOutput), Bytes(mac)); EXPECT_EQ(approved, AWSLC_APPROVED); } 
@@ -4277,8 +4115,9 @@ TEST(ServiceIndicatorTest, BasicTest) { int num = 0; uint64_t counter_before, counter_after; - ASSERT_TRUE(EVP_AEAD_CTX_init(aead_ctx.get(), EVP_aead_aes_128_gcm_randnonce(), - kAESKey, sizeof(kAESKey), 0, nullptr)); + ASSERT_TRUE(EVP_AEAD_CTX_init(aead_ctx.get(), + EVP_aead_aes_128_gcm_randnonce(), kAESKey, + sizeof(kAESKey), 0, nullptr)); // Because the service indicator gets initialised in // |FIPS_service_indicator_update_state|, which is called by all approved // services, the self_test run at the beginning would have updated it more 
@@ -4293,69 +4132,69 @@ TEST(ServiceIndicatorTest, BasicTest) { EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, sizeof(output), nullptr, 0, kPlaintext, sizeof(kPlaintext), nullptr, 0); counter_after = FIPS_service_indicator_after_call(); - ASSERT_EQ(counter_after, counter_before+1); + ASSERT_EQ(counter_after, counter_before + 1); // Call an approved service. - CALL_SERVICE_AND_CHECK_APPROVED(approved, - EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, sizeof(output), - nullptr, 0, kPlaintext, sizeof(kPlaintext), nullptr, 0)); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, + sizeof(output), nullptr, 0, kPlaintext, + sizeof(kPlaintext), nullptr, 0)); ASSERT_EQ(approved, AWSLC_APPROVED); // Call an approved service in a macro. - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_EQ(EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, sizeof(output), nullptr, 0, kPlaintext, - sizeof(kPlaintext), nullptr, 0), 1)); + sizeof(kPlaintext), nullptr, 0), + 1)); ASSERT_EQ(approved, AWSLC_APPROVED); // Call an approved service and compare expected return value. int return_val = 0; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - return_val = EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, - sizeof(output), nullptr, 0, kPlaintext, - sizeof(kPlaintext), nullptr, 0)); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, return_val = EVP_AEAD_CTX_seal( + aead_ctx.get(), output, &out_len, sizeof(output), nullptr, + 0, kPlaintext, sizeof(kPlaintext), nullptr, 0)); ASSERT_EQ(return_val, 1); ASSERT_EQ(approved, AWSLC_APPROVED); // Call an approved service wrapped in an if statement. 
return_val = 0; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - if(EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, sizeof(output), - nullptr, 0, kPlaintext, sizeof(kPlaintext), nullptr, 0) == 1) - { - return_val = 1; - } - ); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + if (EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, sizeof(output), + nullptr, 0, kPlaintext, sizeof(kPlaintext), nullptr, + 0) == 1) { return_val = 1; }); ASSERT_EQ(return_val, 1); ASSERT_EQ(approved, AWSLC_APPROVED); // Fail an approved service on purpose. return_val = 0; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - return_val = EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, 0, - nullptr, 0, kPlaintext, sizeof(kPlaintext), - nullptr, 0)); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, return_val = EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, + 0, nullptr, 0, kPlaintext, + sizeof(kPlaintext), nullptr, 0)); ASSERT_EQ(return_val, 0); ASSERT_EQ(approved, AWSLC_NOT_APPROVED); // Fail an approved service on purpose while wrapped in an if statement. return_val = 0; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - if(EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, 0, - nullptr, 0, kPlaintext, sizeof(kPlaintext), nullptr, 0) == 1) - { - return_val = 1; - } - ); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + if (EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, 0, nullptr, 0, + kPlaintext, sizeof(kPlaintext), nullptr, 0) == 1) { + return_val = 1; + }); ASSERT_EQ(return_val, 0); ASSERT_EQ(approved, AWSLC_NOT_APPROVED); // Call a non-approved service. 
memcpy(aes_iv, kAESIV, sizeof(kAESIV)); ASSERT_TRUE(AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - AES_ofb128_encrypt(kPlaintext, ofb_output, sizeof(kPlaintext), &aes_key, - aes_iv, &num)); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, AES_ofb128_encrypt(kPlaintext, ofb_output, sizeof(kPlaintext), + &aes_key, aes_iv, &num)); EXPECT_EQ(Bytes(kAESOFBCiphertext), Bytes(ofb_output)); ASSERT_EQ(approved, AWSLC_NOT_APPROVED); } @@ -4370,11 +4209,12 @@ TEST(ServiceIndicatorTest, SHA) { MD4_CTX md4_ctx; CALL_SERVICE_AND_CHECK_APPROVED(approved, ASSERT_TRUE(MD4_Init(&md4_ctx))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(MD4_Update(&md4_ctx, kPlaintext, sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(MD4_Final(digest.data(), &md4_ctx))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(MD4_Final(digest.data(), &md4_ctx))); EXPECT_EQ(Bytes(kOutput_md4), Bytes(digest)); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); @@ -4382,11 +4222,12 @@ TEST(ServiceIndicatorTest, SHA) { MD5_CTX md5_ctx; CALL_SERVICE_AND_CHECK_APPROVED(approved, ASSERT_TRUE(MD5_Init(&md5_ctx))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(MD5_Update(&md5_ctx, kPlaintext, sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(MD5_Final(digest.data(), &md5_ctx))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(MD5_Final(digest.data(), &md5_ctx))); EXPECT_EQ(Bytes(kOutput_md5), Bytes(digest)); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); 
@@ -4394,91 +4235,96 @@ TEST(ServiceIndicatorTest, SHA) { SHA_CTX sha_ctx; CALL_SERVICE_AND_CHECK_APPROVED(approved, ASSERT_TRUE(SHA1_Init(&sha_ctx))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA1_Update(&sha_ctx, kPlaintext, sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA1_Final(digest.data(), &sha_ctx))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA1_Final(digest.data(), &sha_ctx))); EXPECT_EQ(Bytes(kOutput_sha1), Bytes(digest)); EXPECT_EQ(approved, AWSLC_APPROVED); digest.resize(SHA224_DIGEST_LENGTH); SHA256_CTX sha224_ctx; CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA224_Init(&sha224_ctx))); + ASSERT_TRUE(SHA224_Init(&sha224_ctx))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA224_Update(&sha224_ctx, kPlaintext, sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA224_Final(digest.data(), &sha224_ctx))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA224_Final(digest.data(), &sha224_ctx))); EXPECT_EQ(Bytes(kOutput_sha224), Bytes(digest)); EXPECT_EQ(approved, AWSLC_APPROVED); digest.resize(SHA256_DIGEST_LENGTH); SHA256_CTX sha256_ctx; CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA256_Init(&sha256_ctx))); + ASSERT_TRUE(SHA256_Init(&sha256_ctx))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA256_Update(&sha256_ctx, kPlaintext, sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA256_Final(digest.data(), &sha256_ctx))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, 
ASSERT_TRUE(SHA256_Final(digest.data(), &sha256_ctx))); EXPECT_EQ(Bytes(kOutput_sha256), Bytes(digest)); EXPECT_EQ(approved, AWSLC_APPROVED); digest.resize(SHA384_DIGEST_LENGTH); SHA512_CTX sha384_ctx; CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA384_Init(&sha384_ctx))); + ASSERT_TRUE(SHA384_Init(&sha384_ctx))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA384_Update(&sha384_ctx, kPlaintext, sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA384_Final(digest.data(), &sha384_ctx))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA384_Final(digest.data(), &sha384_ctx))); EXPECT_EQ(Bytes(kOutput_sha384), Bytes(digest)); EXPECT_EQ(approved, AWSLC_APPROVED); digest.resize(SHA512_DIGEST_LENGTH); SHA512_CTX sha512_ctx; CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA512_Init(&sha512_ctx))); + ASSERT_TRUE(SHA512_Init(&sha512_ctx))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA512_Update(&sha512_ctx, kPlaintext, sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA512_Final(digest.data(), &sha512_ctx))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA512_Final(digest.data(), &sha512_ctx))); EXPECT_EQ(Bytes(kOutput_sha512), Bytes(digest)); EXPECT_EQ(approved, AWSLC_APPROVED); digest.resize(SHA512_224_DIGEST_LENGTH); SHA512_CTX sha512_224_ctx; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA512_224_Init(&sha512_224_ctx))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA512_224_Init(&sha512_224_ctx))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA512_224_Update(&sha512_224_ctx, kPlaintext, - 
sizeof(kPlaintext)))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA512_224_Update(&sha512_224_ctx, kPlaintext, + sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA512_224_Final(digest.data(), &sha512_224_ctx))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA512_224_Final(digest.data(), &sha512_224_ctx))); EXPECT_EQ(Bytes(kOutput_sha512_224), Bytes(digest)); EXPECT_EQ(approved, AWSLC_APPROVED); digest.resize(SHA512_256_DIGEST_LENGTH); SHA512_CTX sha512_256_ctx; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA512_256_Init(&sha512_256_ctx))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA512_256_Init(&sha512_256_ctx))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA512_256_Update(&sha512_256_ctx, kPlaintext, - sizeof(kPlaintext)))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA512_256_Update(&sha512_256_ctx, kPlaintext, + sizeof(kPlaintext)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(SHA512_256_Final(digest.data(), &sha512_256_ctx))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(SHA512_256_Final(digest.data(), &sha512_256_ctx))); EXPECT_EQ(Bytes(kOutput_sha512_256), Bytes(digest)); EXPECT_EQ(approved, AWSLC_APPROVED); } @@ -4772,9 +4618,9 @@ TEST(ServiceIndicatorTest, AESKW) { // AES-KW Decryption KAT ASSERT_TRUE(AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0); CALL_SERVICE_AND_CHECK_APPROVED( - approved, outlen = AES_unwrap_key(&aes_key, nullptr, output, - kAESKWCiphertext, - sizeof(kAESKWCiphertext))); + approved, + outlen = AES_unwrap_key(&aes_key, nullptr, output, kAESKWCiphertext, + sizeof(kAESKWCiphertext))); ASSERT_EQ(outlen, sizeof(kPlaintext)); EXPECT_EQ(Bytes(kPlaintext), Bytes(output, sizeof(kPlaintext))); EXPECT_EQ(approved, AWSLC_APPROVED); 
@@ -4789,7 +4635,8 @@ TEST(ServiceIndicatorTest, AESKWP) { // AES-KWP Encryption KAT ASSERT_TRUE(AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(AES_wrap_key_padded(&aes_key, output, &outlen, sizeof(output), kPlaintext, sizeof(kPlaintext)))); EXPECT_EQ(Bytes(kAESKWPCiphertext), Bytes(output, outlen)); @@ -4797,22 +4644,19 @@ TEST(ServiceIndicatorTest, AESKWP) { // AES-KWP Decryption KAT ASSERT_TRUE(AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) == 0); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(AES_unwrap_key_padded(&aes_key, output, &outlen, - sizeof(output), kAESKWPCiphertext, - sizeof(kAESKWPCiphertext)))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(AES_unwrap_key_padded( + &aes_key, output, &outlen, sizeof(output), + kAESKWPCiphertext, sizeof(kAESKWPCiphertext)))); EXPECT_EQ(Bytes(kPlaintext), Bytes(output, outlen)); EXPECT_EQ(approved, AWSLC_APPROVED); } TEST(ServiceIndicatorTest, AESXTS) { FIPSStatus approved = AWSLC_NOT_APPROVED; - std::vector key( - kAESXTSKey_256, - kAESXTSKey_256 + sizeof(kAESXTSKey_256)); - std::vector iv( - kAESXTSIV_256, - kAESXTSIV_256 + sizeof(kAESXTSIV_256)); + std::vector key(kAESXTSKey_256, + kAESXTSKey_256 + sizeof(kAESXTSKey_256)); + std::vector iv(kAESXTSIV_256, kAESXTSIV_256 + sizeof(kAESXTSIV_256)); std::vector plaintext( kAESXTSPlaintext_256, kAESXTSPlaintext_256 + sizeof(kAESXTSPlaintext_256)); 
@@ -4821,16 +4665,18 @@ TEST(ServiceIndicatorTest, AESXTS) { kAESXTSCiphertext_256 + sizeof(kAESXTSCiphertext_256)); bssl::ScopedEVP_CIPHER_CTX ctx; - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), EVP_aes_256_xts(), nullptr, - key.data(), iv.data(), 1))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), EVP_aes_256_xts(), nullptr, + key.data(), iv.data(), 1))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); ASSERT_LE(EVP_CIPHER_CTX_iv_length(ctx.get()), iv.size()); ASSERT_TRUE(EVP_CIPHER_CTX_set_key_length(ctx.get(), key.size())); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), EVP_aes_256_xts(), nullptr, - key.data(), iv.data(), 1))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), EVP_aes_256_xts(), nullptr, + key.data(), iv.data(), 1))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); ASSERT_TRUE(EVP_CIPHER_CTX_set_padding(ctx.get(), 0)); std::vector encrypt_result; @@ -4843,9 +4689,9 @@ TEST(ServiceIndicatorTest, AESXTS) { int len = 0; // Result should be fully encrypted during |EVP_CipherUpdate| for AES-XTS. - CALL_SERVICE_AND_CHECK_APPROVED(approved, - EVP_CipherUpdate(ctx.get(), encrypt_result.data(), &len, - plaintext.data(), plaintext.size())); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, EVP_CipherUpdate(ctx.get(), encrypt_result.data(), &len, + plaintext.data(), plaintext.size())); ASSERT_EQ(approved, AWSLC_NOT_APPROVED); total += static_cast(len); encrypt_result.resize(total); 
@@ -4853,8 +4699,9 @@ TEST(ServiceIndicatorTest, AESXTS) { // Ensure |EVP_CipherFinal_ex| is a no-op, but only |*Final| functions // should indicate service indicator approval. - CALL_SERVICE_AND_CHECK_APPROVED(approved, - EVP_CipherFinal_ex(ctx.get(), encrypt_result.data() + total, &len)); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, + EVP_CipherFinal_ex(ctx.get(), encrypt_result.data() + total, &len)); EXPECT_EQ(Bytes(encrypt_result), Bytes(ciphertext)); EXPECT_EQ(0, len); @@ -4868,8 +4715,9 @@ TEST(ServiceIndicatorTest, FFDH) { bssl::UniquePtr dh(GetDH()); uint8_t dh_out[sizeof(kDHOutput)]; ASSERT_EQ(DH_size(dh.get()), static_cast(sizeof(dh_out))); - CALL_SERVICE_AND_CHECK_APPROVED(approved, ASSERT_EQ(DH_compute_key_padded( - dh_out, DH_get0_priv_key(dh.get()), dh.get()), + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_EQ(DH_compute_key_padded( + dh_out, DH_get0_priv_key(dh.get()), dh.get()), static_cast(sizeof(dh_out)))); EXPECT_EQ(Bytes(kDHOutput), Bytes(dh_out)); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); 
@@ -4884,21 +4732,24 @@ TEST(ServiceIndicatorTest, DRBG) { // at the end since it indicates a service is being done. |CTR_DRBG_init| and // |CTR_DRBG_reseed| should not be approved, because the functions do not // indicate that a service has been fully completed yet. - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization, sizeof(kDRBGPersonalization)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD, sizeof(kDRBGAD)))); EXPECT_EQ(approved, AWSLC_APPROVED); EXPECT_EQ(Bytes(kDRBGOutput), Bytes(output)); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - ASSERT_TRUE(CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, - sizeof(kDRBGAD)))); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, + sizeof(kDRBGAD)))); EXPECT_EQ(approved, AWSLC_NOT_APPROVED); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + CALL_SERVICE_AND_CHECK_APPROVED( + approved, ASSERT_TRUE(CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD, sizeof(kDRBGAD)))); EXPECT_EQ(approved, AWSLC_APPROVED); @@ -4957,11 +4808,12 @@ static const struct SSKDFDigestTestVector { AWSLC_APPROVED, }, { - &EVP_md5, - AWSLC_NOT_APPROVED, + &EVP_md5, + AWSLC_NOT_APPROVED, }}; -class SSKDFDigestIndicatorTest : public TestWithNoErrors {}; +class SSKDFDigestIndicatorTest + : public TestWithNoErrors {}; INSTANTIATE_TEST_SUITE_P(All, SSKDFDigestIndicatorTest, testing::ValuesIn(kSSKDFDigestTestVectors)); 
@@ -5034,8 +4886,8 @@ TEST_P(SSKDFHmacIndicatorTest, SSKDF) { const uint8_t secret[21] = {'A', 'W', 'S', '-', 'L', 'C', ' ', 'S', 'S', 'K', 'D', 'F', '-', 'H', 'M', 'A', 'C', ' ', 'K', 'E', 'Y'}; - const uint8_t info[17] = {'A', 'W', 'S', '-', 'L', 'C', ' ', 'S', 'S', 'K', - 'D', 'F', '-', 'H', 'M', 'A', 'C'}; + const uint8_t info[17] = {'A', 'W', 'S', '-', 'L', 'C', ' ', 'S', 'S', + 'K', 'D', 'F', '-', 'H', 'M', 'A', 'C'}; const uint8_t salt[22] = {'A', 'W', 'S', '-', 'L', 'C', ' ', 'S', 'S', 'K', 'D', 'F', '-', 'H', 'M', 'A', 'C', ' ', 'S', 'A', 'L', 'T'}; @@ -5086,7 +4938,8 @@ static const struct KBKDFCtrHmacTestVector { AWSLC_NOT_APPROVED, }}; -class KBKDFCtrHmacIndicatorTest : public TestWithNoErrors {}; +class KBKDFCtrHmacIndicatorTest + : public TestWithNoErrors {}; INSTANTIATE_TEST_SUITE_P(All, KBKDFCtrHmacIndicatorTest, testing::ValuesIn(kKBKDFCtrHmacTestVectors)); @@ -5257,8 +5110,8 @@ TEST(ServiceIndicatorTest, ED25519SigGenVerify) { approved = AWSLC_NOT_APPROVED; CALL_SERVICE_AND_CHECK_APPROVED( approved, - ASSERT_TRUE(ED25519ph_sign_digest(&signature[0], digest, - private_key, &CONTEXT[0], sizeof(CONTEXT)))); + ASSERT_TRUE(ED25519ph_sign_digest(&signature[0], digest, private_key, + &CONTEXT[0], sizeof(CONTEXT)))); ASSERT_EQ(AWSLC_APPROVED, approved); approved = AWSLC_NOT_APPROVED; @@ -5305,7 +5158,7 @@ TEST(ServiceIndicatorTest, AWSLCVersionString) { // |AWSLC_APPROVED|, but the direct calls to |FIPS_service_indicator_xxx| // will not indicate an approved state. TEST(ServiceIndicatorTest, BasicTest) { - // Reset and check the initial state and counter. + // Reset and check the initial state and counter. FIPSStatus approved = AWSLC_NOT_APPROVED; uint64_t before = FIPS_service_indicator_before_call(); ASSERT_EQ(before, (uint64_t)0); 
@@ -5318,19 +5171,21 @@ TEST(ServiceIndicatorTest, BasicTest) { ASSERT_TRUE(EVP_AEAD_CTX_init(aead_ctx.get(), EVP_aead_aes_128_gcm_randnonce(), kAESKey, sizeof(kAESKey), 0, nullptr)); - CALL_SERVICE_AND_CHECK_APPROVED(approved, - EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, sizeof(output), - nullptr, 0, kPlaintext, sizeof(kPlaintext), nullptr, 0)); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, + sizeof(output), nullptr, 0, kPlaintext, + sizeof(kPlaintext), nullptr, 0)); // Macro should return true, to ensure FIPS/Non-FIPS compatibility. ASSERT_EQ(approved, AWSLC_APPROVED); // Call a non-approved service. - ASSERT_TRUE(EVP_AEAD_CTX_init(aead_ctx.get(), EVP_aead_aes_128_gcm(), - kAESKey, sizeof(kAESKey), 0, nullptr)); - CALL_SERVICE_AND_CHECK_APPROVED(approved, + ASSERT_TRUE(EVP_AEAD_CTX_init(aead_ctx.get(), EVP_aead_aes_128_gcm(), kAESKey, + sizeof(kAESKey), 0, nullptr)); + CALL_SERVICE_AND_CHECK_APPROVED( + approved, EVP_AEAD_CTX_seal(aead_ctx.get(), output, &out_len, sizeof(output), nonce, - EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), kPlaintext, - sizeof(kPlaintext), nullptr, 0)); + EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), + kPlaintext, sizeof(kPlaintext), nullptr, 0)); ASSERT_EQ(approved, AWSLC_APPROVED); } @@ -5341,4 +5196,4 @@ TEST(ServiceIndicatorTest, BasicTest) { TEST(ServiceIndicatorTest, AWSLCVersionString) { ASSERT_STREQ(awslc_version_string(), "AWS-LC 1.46.1"); } -#endif // AWSLC_FIPS +#endif // AWSLC_FIPS diff --git a/crypto/fipsmodule/sha/internal.h b/crypto/fipsmodule/sha/internal.h index 73d389cb61..f81fb52260 100644 --- a/crypto/fipsmodule/sha/internal.h +++ b/crypto/fipsmodule/sha/internal.h 
@@ -72,14 +72,14 @@ extern "C" {
 #define SHA3_MAX_BLOCKSIZE SHAKE128_BLOCKSIZE
 // Define state flag values for Keccak-based functions
-#define KECCAK1600_STATE_ABSORB 0
+#define KECCAK1600_STATE_ABSORB 0
 // KECCAK1600_STATE_SQUEEZE is set when |SHAKE_Squeeze| is called.
-// It remains set while |SHAKE_Squeeze| is called repeatedly to output
+// It remains set while |SHAKE_Squeeze| is called repeatedly to output
 // chunks of the XOF output.
-#define KECCAK1600_STATE_SQUEEZE 1
-// KECCAK1600_STATE_FINAL is set once |SHAKE_Final| is called
+#define KECCAK1600_STATE_SQUEEZE 1
+// KECCAK1600_STATE_FINAL is set once |SHAKE_Final| is called
 // so that |SHAKE_Squeeze| cannot be called anymore.
-#define KECCAK1600_STATE_FINAL 2
+#define KECCAK1600_STATE_FINAL 2
 typedef struct keccak_st KECCAK1600_CTX;
@@ -87,12 +87,13 @@ typedef struct keccak_st KECCAK1600_CTX;
 // block size bytes to fit any SHA3/SHAKE block length.
 struct keccak_st {
 uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS];
- size_t block_size; // cached ctx->digest->block_size
- size_t md_size; // output length, variable in XOF (SHAKE)
- size_t buf_load; // used bytes in below buffer
- uint8_t buf[SHA3_MAX_BLOCKSIZE]; // should have at least the max data block size bytes
- uint8_t pad; // padding character
- uint8_t state; // denotes the keccak phase (absorb, squeeze, final)
+ size_t block_size; // cached ctx->digest->block_size
+ size_t md_size; // output length, variable in XOF (SHAKE)
+ size_t buf_load; // used bytes in below buffer
+ uint8_t buf[SHA3_MAX_BLOCKSIZE]; // should have at least the max data block
+ // size bytes
+ uint8_t pad; // padding character
+ uint8_t state; // denotes the keccak phase (absorb, squeeze, final)
 };
 // Define SHA{n}[_{variant}]_ASM if sha{n}_block_data_order[_{variant}] is
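Review bot: The `state` member comment in struct keccak_st still describes the phase only in words ("absorb, squeeze, final") without naming the values it actually holds, even though `KECCAK1600_STATE_ABSORB`, `KECCAK1600_STATE_SQUEEZE` and `KECCAK1600_STATE_FINAL` are defined a few lines earlier in this header together with the note on which of |SHAKE_Squeeze| and |SHAKE_Final| sets them. Tying the field to those flags makes the absorb/squeeze/final state machine easier to audit from the struct alone, e.g. `uint8_t state;  // one of KECCAK1600_STATE_{ABSORB,SQUEEZE,FINAL}; see the flag comments above`. For `buf`, a comment on its own line above the field, such as `// must hold at least the largest SHA3/SHAKE data block`, avoids the orphaned `// size bytes` fragment the reflow produced.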
@@ -102,7 +103,7 @@ struct keccak_st {
 #define SHA1_ALTIVEC
 void sha1_block_data_order(uint32_t *state, const uint8_t *data,
- size_t num_blocks);
+ size_t num_blocks);
 #elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM)
@@ -331,8 +332,9 @@ void sha512_block_data_order_nohw(uint64_t state[8], const uint8_t *data,
 // SHAy=SHA512 otherwise.
 // This function returns one on success and zero on error.
 // This function is for internal use only and should never be directly called.
-OPENSSL_EXPORT int SHA1_Init_from_state(
- SHA_CTX *sha, const uint8_t h[SHA1_CHAINING_LENGTH], uint64_t n);
+OPENSSL_EXPORT int SHA1_Init_from_state(SHA_CTX *sha,
+ const uint8_t h[SHA1_CHAINING_LENGTH],
+ uint64_t n);
 OPENSSL_EXPORT int SHA224_Init_from_state(
 SHA256_CTX *sha, const uint8_t h[SHA224_CHAINING_LENGTH], uint64_t n);
 OPENSSL_EXPORT int SHA256_Init_from_state(
@@ -355,16 +357,21 @@ OPENSSL_EXPORT int SHA512_256_Init_from_state(
 // |SHAx_Init_from_state| for the definition of SHAy.
 // This function returns one on success and zero on error.
 // This function is for internal use only and should never be directly called.
-OPENSSL_EXPORT int SHA1_get_state(
- SHA_CTX *ctx, uint8_t out_h[SHA1_CHAINING_LENGTH], uint64_t *out_n);
-OPENSSL_EXPORT int SHA224_get_state(
- SHA256_CTX *ctx, uint8_t out_h[SHA224_CHAINING_LENGTH], uint64_t *out_n);
-OPENSSL_EXPORT int SHA256_get_state(
- SHA256_CTX *ctx, uint8_t out_h[SHA256_CHAINING_LENGTH], uint64_t *out_n);
-OPENSSL_EXPORT int SHA384_get_state(
- SHA512_CTX *ctx, uint8_t out_h[SHA384_CHAINING_LENGTH], uint64_t *out_n);
-OPENSSL_EXPORT int SHA512_get_state(
- SHA512_CTX *ctx, uint8_t out_h[SHA512_CHAINING_LENGTH], uint64_t *out_n);
+OPENSSL_EXPORT int SHA1_get_state(SHA_CTX *ctx,
+ uint8_t out_h[SHA1_CHAINING_LENGTH],
+ uint64_t *out_n);
+OPENSSL_EXPORT int SHA224_get_state(SHA256_CTX *ctx,
+ uint8_t out_h[SHA224_CHAINING_LENGTH],
+ uint64_t *out_n);
+OPENSSL_EXPORT int SHA256_get_state(SHA256_CTX *ctx,
+ uint8_t out_h[SHA256_CHAINING_LENGTH],
+ uint64_t *out_n);
+OPENSSL_EXPORT int SHA384_get_state(SHA512_CTX *ctx,
+ uint8_t out_h[SHA384_CHAINING_LENGTH],
+ uint64_t *out_n);
+OPENSSL_EXPORT int SHA512_get_state(SHA512_CTX *ctx,
+ uint8_t out_h[SHA512_CHAINING_LENGTH],
+ uint64_t *out_n);
 OPENSSL_EXPORT int SHA512_224_get_state(
 SHA512_CTX *ctx, uint8_t out_h[SHA512_224_CHAINING_LENGTH], uint64_t *out_n);
@@ -372,29 +379,29 @@ OPENSSL_EXPORT int SHA512_256_get_state(
 SHA512_CTX *ctx, uint8_t out_h[SHA512_256_CHAINING_LENGTH], uint64_t *out_n);
-// SHA3_224 writes the digest of |len| bytes from |data| to |out| and returns |out|.
-// There must be at least |SHA3_224_DIGEST_LENGTH| bytes of space in |out|.
-// On failure |SHA3_224| returns NULL.
+// SHA3_224 writes the digest of |len| bytes from |data| to |out| and returns
+// |out|. There must be at least |SHA3_224_DIGEST_LENGTH| bytes of space in
+// |out|. On failure |SHA3_224| returns NULL.
 OPENSSL_EXPORT uint8_t *SHA3_224(const uint8_t *data, size_t len,
 uint8_t out[SHA3_224_DIGEST_LENGTH]);
-// SHA3_256 writes the digest of |len| bytes from |data| to |out| and returns |out|.
-// There must be at least |SHA3_256_DIGEST_LENGTH| bytes of space in |out|.
-// On failure |SHA3_256| returns NULL.
+// SHA3_256 writes the digest of |len| bytes from |data| to |out| and returns
+// |out|. There must be at least |SHA3_256_DIGEST_LENGTH| bytes of space in
+// |out|. On failure |SHA3_256| returns NULL.
 OPENSSL_EXPORT uint8_t *SHA3_256(const uint8_t *data, size_t len,
 uint8_t out[SHA3_256_DIGEST_LENGTH]);
-// SHA3_384 writes the digest of |len| bytes from |data| to |out| and returns |out|.
-// There must be at least |SHA3_384_DIGEST_LENGTH| bytes of space in |out|.
-// On failure |SHA3_384| returns NULL.
+// SHA3_384 writes the digest of |len| bytes from |data| to |out| and returns
+// |out|. There must be at least |SHA3_384_DIGEST_LENGTH| bytes of space in
+// |out|. On failure |SHA3_384| returns NULL.
 OPENSSL_EXPORT uint8_t *SHA3_384(const uint8_t *data, size_t len,
 uint8_t out[SHA3_384_DIGEST_LENGTH]);
-// SHA3_512 writes the digest of |len| bytes from |data| to |out| and returns |out|.
-// There must be at least |SHA3_512_DIGEST_LENGTH| bytes of space in |out|.
-// On failure |SHA3_512| returns NULL.
+// SHA3_512 writes the digest of |len| bytes from |data| to |out| and returns
+// |out|. There must be at least |SHA3_512_DIGEST_LENGTH| bytes of space in
+// |out|. On failure |SHA3_512| returns NULL.
 OPENSSL_EXPORT uint8_t *SHA3_512(const uint8_t *data, size_t len,
- uint8_t out[SHA3_512_DIGEST_LENGTH]);
+ uint8_t out[SHA3_512_DIGEST_LENGTH]);
 // SHAKE128 writes the |out_len| bytes output from |in_len| bytes |data|
 // to |out| and returns |out| on success and NULL on failure.
@@ -406,53 +413,55 @@ OPENSSL_EXPORT uint8_t *SHAKE128(const uint8_t *data, const size_t in_len,
 OPENSSL_EXPORT uint8_t *SHAKE256(const uint8_t *data, const size_t in_len,
 uint8_t *out, size_t out_len);
-// SHA3_Init initialises |ctx| fields through |FIPS202_Init| and
+// SHA3_Init initialises |ctx| fields through |FIPS202_Init| and
 // returns 1 on success and 0 on failure.
 OPENSSL_EXPORT int SHA3_Init(KECCAK1600_CTX *ctx, size_t bitlen);
- // SHA3_Update check |ctx| pointer and |len| value, calls |FIPS202_Update|
- // and returns 1 on success and 0 on failure.
+// SHA3_Update check |ctx| pointer and |len| value, calls |FIPS202_Update|
+// and returns 1 on success and 0 on failure.
 int SHA3_Update(KECCAK1600_CTX *ctx, const void *data, size_t len);
-// SHA3_Final pads the last data block and absorbs it through |FIPS202_Finalize|.
-// It then calls |Keccak1600_Squeeze| and returns 1 on success
-// and 0 on failure.
+// SHA3_Final pads the last data block and absorbs it through
+// |FIPS202_Finalize|. It then calls |Keccak1600_Squeeze| and returns 1 on
+// success and 0 on failure.
 int SHA3_Final(uint8_t *md, KECCAK1600_CTX *ctx);
-// SHAKE_Init initialises |ctx| fields through |FIPS202_Init| and
+// SHAKE_Init initialises |ctx| fields through |FIPS202_Init| and
 // returns 1 on success and 0 on failure.
 int SHAKE_Init(KECCAK1600_CTX *ctx, size_t block_size);
-// SHAKE_Absorb checks |ctx| pointer and |len| values. It updates and absorbs
+// SHAKE_Absorb checks |ctx| pointer and |len| values. It updates and absorbs
 // input blocks via |FIPS202_Update|.
-int SHAKE_Absorb(KECCAK1600_CTX *ctx, const void *data,
- size_t len);
+int SHAKE_Absorb(KECCAK1600_CTX *ctx, const void *data, size_t len);
-// SHAKE_Squeeze pads the last data block and absorbs it through
-// |FIPS202_Finalize| on first call. It writes |len| bytes of incremental
-// XOF output to |md| and returns 1 on success and 0 on failure. It can be
+// SHAKE_Squeeze pads the last data block and absorbs it through
+// |FIPS202_Finalize| on first call. It writes |len| bytes of incremental
+// XOF output to |md| and returns 1 on success and 0 on failure. It can be
 // called multiple times.
 int SHAKE_Squeeze(uint8_t *md, KECCAK1600_CTX *ctx, size_t len);
-// SHAKE_Final writes |len| bytes of finalized extendible output to |md|, returns 1 on
-// success and 0 on failure. It should be called once to finalize absorb and
-// squeeze phases. Incremental XOF output should be generated via |SHAKE_Squeeze|.
+// SHAKE_Final writes |len| bytes of finalized extendible output to |md|,
+// returns 1 on success and 0 on failure. It should be called once to finalize
+// absorb and squeeze phases. Incremental XOF output should be generated via
+// |SHAKE_Squeeze|.
 int SHAKE_Final(uint8_t *md, KECCAK1600_CTX *ctx, size_t len);
 // Keccak1600_Absorb processes the largest multiple of |r| (block size) out of
 // |len| bytes and returns the remaining number of bytes.
 size_t Keccak1600_Absorb(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS],
- const uint8_t *data, size_t len, size_t r);
-
-// Keccak1600_Squeeze generates |out| value of |len| bytes (per call). It can be called
-// multiple times when used as eXtendable Output Function. |padded| indicates
-// whether it is the first call to Keccak1600_Squeeze; i.e., if the current block has
-// been already processed and padded right after the last call to Keccak1600_Absorb.
-// Squeezes full blocks of |r| bytes each. When performing multiple squeezes, any
-// left over bytes from previous squeezes are not consumed, and |len| must be a
-// multiple of the block size (except on the final squeeze).
-OPENSSL_EXPORT void Keccak1600_Squeeze(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS],
- uint8_t *out, size_t len, size_t r, int padded);
+ const uint8_t *data, size_t len, size_t r);
+
+// Keccak1600_Squeeze generates |out| value of |len| bytes (per call). It can be
+// called multiple times when used as eXtendable Output Function. |padded|
+// indicates whether it is the first call to Keccak1600_Squeeze; i.e., if the
+// current block has been already processed and padded right after the last call
+// to Keccak1600_Absorb. Squeezes full blocks of |r| bytes each. When performing
+// multiple squeezes, any left over bytes from previous squeezes are not
+// consumed, and |len| must be a multiple of the block size (except on the final
+// squeeze).
+OPENSSL_EXPORT void Keccak1600_Squeeze(
+ uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], uint8_t *out, size_t len,
+ size_t r, int padded);
 #if defined(__cplusplus)
 } // extern "C"
diff --git a/crypto/fipsmodule/sha/keccak1600.c b/crypto/fipsmodule/sha/keccak1600.c
index f39a668810..50ca61fe8e 100644
--- a/crypto/fipsmodule/sha/keccak1600.c
+++ b/crypto/fipsmodule/sha/keccak1600.c
@@ -9,27 +9,26 @@ #include -#if defined(__x86_64__) || defined(__aarch64__) || \ - defined(__mips64) || defined(__ia64) || defined(__loongarch_lp64) || \ +#if defined(__x86_64__) || defined(__aarch64__) || defined(__mips64) || \ + defined(__ia64) || defined(__loongarch_lp64) || \ (defined(__VMS) && !defined(__vax)) - // These are available even in ILP32 flavours, but even then they are - // capable of performing 64-bit operations as efficiently as in *P64. - // Since it's not given that we can use sizeof(void *), just shunt it. -# define BIT_INTERLEAVE (0) +// These are available even in ILP32 flavours, but even then they are +// capable of performing 64-bit operations as efficiently as in *P64. +// Since it's not given that we can use sizeof(void *), just shunt it. +#define BIT_INTERLEAVE (0) #else -# define BIT_INTERLEAVE (sizeof(void *) < 8) +#define BIT_INTERLEAVE (sizeof(void *) < 8) #endif #if !defined(KECCAK1600_ASM) static const uint8_t rhotates[KECCAK1600_ROWS][KECCAK1600_ROWS] = { - { 0, 1, 62, 28, 27 }, - { 36, 44, 6, 55, 20 }, - { 3, 10, 43, 25, 39 }, - { 41, 45, 15, 21, 8 }, - { 18, 2, 61, 56, 14 } -}; + {0, 1, 62, 28, 27}, + {36, 44, 6, 55, 20}, + {3, 10, 43, 25, 39}, + {41, 45, 15, 21, 8}, + {18, 2, 61, 56, 14}}; static const uint64_t iotas[] = { BIT_INTERLEAVE ? 0x0000000000000001ULL : 0x0000000000000001ULL, 
@@ -55,360 +54,389 @@ static const uint64_t iotas[] = { BIT_INTERLEAVE ? 0x8000808800000001ULL : 0x8000000080008081ULL, BIT_INTERLEAVE ? 0x8000008800000000ULL : 0x8000000000008080ULL, BIT_INTERLEAVE ? 0x0000800000000001ULL : 0x0000000080000001ULL, - BIT_INTERLEAVE ? 0x8000808200000000ULL : 0x8000000080008008ULL -}; + BIT_INTERLEAVE ? 0x8000808200000000ULL : 0x8000000080008008ULL}; -#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \ +#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \ (defined(__x86_64) && !defined(__BMI__)) || defined(_M_X64) || \ - defined(__mips) || defined(__riscv) || defined(__s390__) || defined(__loongarch__) || \ - defined(__EMSCRIPTEN__) + defined(__mips) || defined(__riscv) || defined(__s390__) || \ + defined(__loongarch__) || defined(__EMSCRIPTEN__) - // These platforms don't support "logical and with complement" instruction. -# define KECCAK_COMPLEMENTING_TRANSFORM +// These platforms don't support "logical and with complement" instruction. 
+#define KECCAK_COMPLEMENTING_TRANSFORM #endif #define ROL32(a, offset) (((a) << (offset)) | ((a) >> ((32 - (offset)) & 31))) -static uint64_t ROL64(uint64_t val, int offset) -{ - if (offset == 0) { - return val; - } else if (!BIT_INTERLEAVE) { - return (val << offset) | (val >> (64-offset)); - } else { - uint32_t hi = (uint32_t)(val >> 32), lo = (uint32_t)val; - - if ((offset & 1) != 0) { - uint32_t tmp = hi; - - offset >>= 1; - hi = ROL32(lo, offset); - lo = ROL32(tmp, offset + 1); - } else { - offset >>= 1; - lo = ROL32(lo, offset); - hi = ROL32(hi, offset); - } +static uint64_t ROL64(uint64_t val, int offset) { + if (offset == 0) { + return val; + } else if (!BIT_INTERLEAVE) { + return (val << offset) | (val >> (64 - offset)); + } else { + uint32_t hi = (uint32_t)(val >> 32), lo = (uint32_t)val; - return ((uint64_t)hi << 32) | lo; - } -} - - // KECCAK_2X: - // This is the default implementation used in OpenSSL and the most efficient; - // the other implementations were removed from this file. - // This implementation is a variant of KECCAK_1X (see OpenSSL) - // This implementation allows to take temporary storage - // out of round procedure and simplify references to it by alternating - // it with actual data (see round loop below). - // It ensures best compiler interpretation to assembly and provides best - // instruction per processed byte ratio at minimal round unroll factor. 
-static void Round(uint64_t R[KECCAK1600_ROWS][KECCAK1600_ROWS], uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], size_t i) -{ - uint64_t C[KECCAK1600_ROWS], D[KECCAK1600_ROWS]; + if ((offset & 1) != 0) { + uint32_t tmp = hi; - assert(i < (sizeof(iotas) / sizeof(iotas[0]))); - - C[0] = A[0][0] ^ A[1][0] ^ A[2][0] ^ A[3][0] ^ A[4][0]; - C[1] = A[0][1] ^ A[1][1] ^ A[2][1] ^ A[3][1] ^ A[4][1]; - C[2] = A[0][2] ^ A[1][2] ^ A[2][2] ^ A[3][2] ^ A[4][2]; - C[3] = A[0][3] ^ A[1][3] ^ A[2][3] ^ A[3][3] ^ A[4][3]; - C[4] = A[0][4] ^ A[1][4] ^ A[2][4] ^ A[3][4] ^ A[4][4]; + offset >>= 1; + hi = ROL32(lo, offset); + lo = ROL32(tmp, offset + 1); + } else { + offset >>= 1; + lo = ROL32(lo, offset); + hi = ROL32(hi, offset); + } - D[0] = ROL64(C[1], 1) ^ C[4]; - D[1] = ROL64(C[2], 1) ^ C[0]; - D[2] = ROL64(C[3], 1) ^ C[1]; - D[3] = ROL64(C[4], 1) ^ C[2]; - D[4] = ROL64(C[0], 1) ^ C[3]; + return ((uint64_t)hi << 32) | lo; + } +} - C[0] = A[0][0] ^ D[0]; - C[1] = ROL64(A[1][1] ^ D[1], rhotates[1][1]); - C[2] = ROL64(A[2][2] ^ D[2], rhotates[2][2]); - C[3] = ROL64(A[3][3] ^ D[3], rhotates[3][3]); - C[4] = ROL64(A[4][4] ^ D[4], rhotates[4][4]); +// KECCAK_2X: +// This is the default implementation used in OpenSSL and the most efficient; +// the other implementations were removed from this file. +// This implementation is a variant of KECCAK_1X (see OpenSSL) +// This implementation allows to take temporary storage +// out of round procedure and simplify references to it by alternating +// it with actual data (see round loop below). +// It ensures best compiler interpretation to assembly and provides best +// instruction per processed byte ratio at minimal round unroll factor. 
+static void Round(uint64_t R[KECCAK1600_ROWS][KECCAK1600_ROWS], + uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], size_t i) { + uint64_t C[KECCAK1600_ROWS], D[KECCAK1600_ROWS]; + + assert(i < (sizeof(iotas) / sizeof(iotas[0]))); + + C[0] = A[0][0] ^ A[1][0] ^ A[2][0] ^ A[3][0] ^ A[4][0]; + C[1] = A[0][1] ^ A[1][1] ^ A[2][1] ^ A[3][1] ^ A[4][1]; + C[2] = A[0][2] ^ A[1][2] ^ A[2][2] ^ A[3][2] ^ A[4][2]; + C[3] = A[0][3] ^ A[1][3] ^ A[2][3] ^ A[3][3] ^ A[4][3]; + C[4] = A[0][4] ^ A[1][4] ^ A[2][4] ^ A[3][4] ^ A[4][4]; + + D[0] = ROL64(C[1], 1) ^ C[4]; + D[1] = ROL64(C[2], 1) ^ C[0]; + D[2] = ROL64(C[3], 1) ^ C[1]; + D[3] = ROL64(C[4], 1) ^ C[2]; + D[4] = ROL64(C[0], 1) ^ C[3]; + + C[0] = A[0][0] ^ D[0]; + C[1] = ROL64(A[1][1] ^ D[1], rhotates[1][1]); + C[2] = ROL64(A[2][2] ^ D[2], rhotates[2][2]); + C[3] = ROL64(A[3][3] ^ D[3], rhotates[3][3]); + C[4] = ROL64(A[4][4] ^ D[4], rhotates[4][4]); #ifdef KECCAK_COMPLEMENTING_TRANSFORM - R[0][0] = C[0] ^ ( C[1] | C[2]) ^ iotas[i]; - R[0][1] = C[1] ^ (~C[2] | C[3]); - R[0][2] = C[2] ^ ( C[3] & C[4]); - R[0][3] = C[3] ^ ( C[4] | C[0]); - R[0][4] = C[4] ^ ( C[0] & C[1]); + R[0][0] = C[0] ^ (C[1] | C[2]) ^ iotas[i]; + R[0][1] = C[1] ^ (~C[2] | C[3]); + R[0][2] = C[2] ^ (C[3] & C[4]); + R[0][3] = C[3] ^ (C[4] | C[0]); + R[0][4] = C[4] ^ (C[0] & C[1]); #else - R[0][0] = C[0] ^ (~C[1] & C[2]) ^ iotas[i]; - R[0][1] = C[1] ^ (~C[2] & C[3]); - R[0][2] = C[2] ^ (~C[3] & C[4]); - R[0][3] = C[3] ^ (~C[4] & C[0]); - R[0][4] = C[4] ^ (~C[0] & C[1]); + R[0][0] = C[0] ^ (~C[1] & C[2]) ^ iotas[i]; + R[0][1] = C[1] ^ (~C[2] & C[3]); + R[0][2] = C[2] ^ (~C[3] & C[4]); + R[0][3] = C[3] ^ (~C[4] & C[0]); + R[0][4] = C[4] ^ (~C[0] & C[1]); #endif - C[0] = ROL64(A[0][3] ^ D[3], rhotates[0][3]); - C[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]); - C[2] = ROL64(A[2][0] ^ D[0], rhotates[2][0]); - C[3] = ROL64(A[3][1] ^ D[1], rhotates[3][1]); - C[4] = ROL64(A[4][2] ^ D[2], rhotates[4][2]); + C[0] = ROL64(A[0][3] ^ D[3], rhotates[0][3]); + C[1] = 
ROL64(A[1][4] ^ D[4], rhotates[1][4]); + C[2] = ROL64(A[2][0] ^ D[0], rhotates[2][0]); + C[3] = ROL64(A[3][1] ^ D[1], rhotates[3][1]); + C[4] = ROL64(A[4][2] ^ D[2], rhotates[4][2]); #ifdef KECCAK_COMPLEMENTING_TRANSFORM - R[1][0] = C[0] ^ (C[1] | C[2]); - R[1][1] = C[1] ^ (C[2] & C[3]); - R[1][2] = C[2] ^ (C[3] | ~C[4]); - R[1][3] = C[3] ^ (C[4] | C[0]); - R[1][4] = C[4] ^ (C[0] & C[1]); + R[1][0] = C[0] ^ (C[1] | C[2]); + R[1][1] = C[1] ^ (C[2] & C[3]); + R[1][2] = C[2] ^ (C[3] | ~C[4]); + R[1][3] = C[3] ^ (C[4] | C[0]); + R[1][4] = C[4] ^ (C[0] & C[1]); #else - R[1][0] = C[0] ^ (~C[1] & C[2]); - R[1][1] = C[1] ^ (~C[2] & C[3]); - R[1][2] = C[2] ^ (~C[3] & C[4]); - R[1][3] = C[3] ^ (~C[4] & C[0]); - R[1][4] = C[4] ^ (~C[0] & C[1]); + R[1][0] = C[0] ^ (~C[1] & C[2]); + R[1][1] = C[1] ^ (~C[2] & C[3]); + R[1][2] = C[2] ^ (~C[3] & C[4]); + R[1][3] = C[3] ^ (~C[4] & C[0]); + R[1][4] = C[4] ^ (~C[0] & C[1]); #endif - C[0] = ROL64(A[0][1] ^ D[1], rhotates[0][1]); - C[1] = ROL64(A[1][2] ^ D[2], rhotates[1][2]); - C[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]); - C[3] = ROL64(A[3][4] ^ D[4], rhotates[3][4]); - C[4] = ROL64(A[4][0] ^ D[0], rhotates[4][0]); + C[0] = ROL64(A[0][1] ^ D[1], rhotates[0][1]); + C[1] = ROL64(A[1][2] ^ D[2], rhotates[1][2]); + C[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]); + C[3] = ROL64(A[3][4] ^ D[4], rhotates[3][4]); + C[4] = ROL64(A[4][0] ^ D[0], rhotates[4][0]); #ifdef KECCAK_COMPLEMENTING_TRANSFORM - R[2][0] = C[0] ^ ( C[1] | C[2]); - R[2][1] = C[1] ^ ( C[2] & C[3]); - R[2][2] = C[2] ^ (~C[3] & C[4]); - R[2][3] = ~C[3] ^ ( C[4] | C[0]); - R[2][4] = C[4] ^ ( C[0] & C[1]); + R[2][0] = C[0] ^ (C[1] | C[2]); + R[2][1] = C[1] ^ (C[2] & C[3]); + R[2][2] = C[2] ^ (~C[3] & C[4]); + R[2][3] = ~C[3] ^ (C[4] | C[0]); + R[2][4] = C[4] ^ (C[0] & C[1]); #else - R[2][0] = C[0] ^ (~C[1] & C[2]); - R[2][1] = C[1] ^ (~C[2] & C[3]); - R[2][2] = C[2] ^ (~C[3] & C[4]); - R[2][3] = C[3] ^ (~C[4] & C[0]); - R[2][4] = C[4] ^ (~C[0] & C[1]); + R[2][0] = C[0] ^ (~C[1] 
& C[2]); + R[2][1] = C[1] ^ (~C[2] & C[3]); + R[2][2] = C[2] ^ (~C[3] & C[4]); + R[2][3] = C[3] ^ (~C[4] & C[0]); + R[2][4] = C[4] ^ (~C[0] & C[1]); #endif - C[0] = ROL64(A[0][4] ^ D[4], rhotates[0][4]); - C[1] = ROL64(A[1][0] ^ D[0], rhotates[1][0]); - C[2] = ROL64(A[2][1] ^ D[1], rhotates[2][1]); - C[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]); - C[4] = ROL64(A[4][3] ^ D[3], rhotates[4][3]); + C[0] = ROL64(A[0][4] ^ D[4], rhotates[0][4]); + C[1] = ROL64(A[1][0] ^ D[0], rhotates[1][0]); + C[2] = ROL64(A[2][1] ^ D[1], rhotates[2][1]); + C[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]); + C[4] = ROL64(A[4][3] ^ D[3], rhotates[4][3]); #ifdef KECCAK_COMPLEMENTING_TRANSFORM - R[3][0] = C[0] ^ ( C[1] & C[2]); - R[3][1] = C[1] ^ ( C[2] | C[3]); - R[3][2] = C[2] ^ (~C[3] | C[4]); - R[3][3] = ~C[3] ^ ( C[4] & C[0]); - R[3][4] = C[4] ^ ( C[0] | C[1]); + R[3][0] = C[0] ^ (C[1] & C[2]); + R[3][1] = C[1] ^ (C[2] | C[3]); + R[3][2] = C[2] ^ (~C[3] | C[4]); + R[3][3] = ~C[3] ^ (C[4] & C[0]); + R[3][4] = C[4] ^ (C[0] | C[1]); #else - R[3][0] = C[0] ^ (~C[1] & C[2]); - R[3][1] = C[1] ^ (~C[2] & C[3]); - R[3][2] = C[2] ^ (~C[3] & C[4]); - R[3][3] = C[3] ^ (~C[4] & C[0]); - R[3][4] = C[4] ^ (~C[0] & C[1]); + R[3][0] = C[0] ^ (~C[1] & C[2]); + R[3][1] = C[1] ^ (~C[2] & C[3]); + R[3][2] = C[2] ^ (~C[3] & C[4]); + R[3][3] = C[3] ^ (~C[4] & C[0]); + R[3][4] = C[4] ^ (~C[0] & C[1]); #endif - C[0] = ROL64(A[0][2] ^ D[2], rhotates[0][2]); - C[1] = ROL64(A[1][3] ^ D[3], rhotates[1][3]); - C[2] = ROL64(A[2][4] ^ D[4], rhotates[2][4]); - C[3] = ROL64(A[3][0] ^ D[0], rhotates[3][0]); - C[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]); + C[0] = ROL64(A[0][2] ^ D[2], rhotates[0][2]); + C[1] = ROL64(A[1][3] ^ D[3], rhotates[1][3]); + C[2] = ROL64(A[2][4] ^ D[4], rhotates[2][4]); + C[3] = ROL64(A[3][0] ^ D[0], rhotates[3][0]); + C[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]); #ifdef KECCAK_COMPLEMENTING_TRANSFORM - R[4][0] = C[0] ^ (~C[1] & C[2]); - R[4][1] = ~C[1] ^ ( C[2] | C[3]); - R[4][2] = C[2] ^ ( C[3] 
& C[4]); - R[4][3] = C[3] ^ ( C[4] | C[0]); - R[4][4] = C[4] ^ ( C[0] & C[1]); + R[4][0] = C[0] ^ (~C[1] & C[2]); + R[4][1] = ~C[1] ^ (C[2] | C[3]); + R[4][2] = C[2] ^ (C[3] & C[4]); + R[4][3] = C[3] ^ (C[4] | C[0]); + R[4][4] = C[4] ^ (C[0] & C[1]); #else - R[4][0] = C[0] ^ (~C[1] & C[2]); - R[4][1] = C[1] ^ (~C[2] & C[3]); - R[4][2] = C[2] ^ (~C[3] & C[4]); - R[4][3] = C[3] ^ (~C[4] & C[0]); - R[4][4] = C[4] ^ (~C[0] & C[1]); + R[4][0] = C[0] ^ (~C[1] & C[2]); + R[4][1] = C[1] ^ (~C[2] & C[3]); + R[4][2] = C[2] ^ (~C[3] & C[4]); + R[4][3] = C[3] ^ (~C[4] & C[0]); + R[4][4] = C[4] ^ (~C[0] & C[1]); #endif } -static void KeccakF1600(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS]) -{ - uint64_t T[KECCAK1600_ROWS][KECCAK1600_ROWS]; - size_t i; +static void KeccakF1600(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS]) { + uint64_t T[KECCAK1600_ROWS][KECCAK1600_ROWS]; + size_t i; #ifdef KECCAK_COMPLEMENTING_TRANSFORM - A[0][1] = ~A[0][1]; - A[0][2] = ~A[0][2]; - A[1][3] = ~A[1][3]; - A[2][2] = ~A[2][2]; - A[3][2] = ~A[3][2]; - A[4][0] = ~A[4][0]; + A[0][1] = ~A[0][1]; + A[0][2] = ~A[0][2]; + A[1][3] = ~A[1][3]; + A[2][2] = ~A[2][2]; + A[3][2] = ~A[3][2]; + A[4][0] = ~A[4][0]; #endif - for (i = 0; i < 24; i += 2) { - Round(T, A, i); - Round(A, T, i + 1); - } + for (i = 0; i < 24; i += 2) { + Round(T, A, i); + Round(A, T, i + 1); + } #ifdef KECCAK_COMPLEMENTING_TRANSFORM - A[0][1] = ~A[0][1]; - A[0][2] = ~A[0][2]; - A[1][3] = ~A[1][3]; - A[2][2] = ~A[2][2]; - A[3][2] = ~A[3][2]; - A[4][0] = ~A[4][0]; + A[0][1] = ~A[0][1]; + A[0][2] = ~A[0][2]; + A[1][3] = ~A[1][3]; + A[2][2] = ~A[2][2]; + A[3][2] = ~A[3][2]; + A[4][0] = ~A[4][0]; #endif } -static uint64_t BitInterleave(uint64_t Ai) -{ - if (BIT_INTERLEAVE) { - uint32_t hi = (uint32_t)(Ai >> 32), lo = (uint32_t)Ai; - uint32_t t0, t1; - - t0 = lo & 0x55555555; - t0 |= t0 >> 1; t0 &= 0x33333333; - t0 |= t0 >> 2; t0 &= 0x0f0f0f0f; - t0 |= t0 >> 4; t0 &= 0x00ff00ff; - t0 |= t0 >> 8; t0 &= 0x0000ffff; - - t1 = hi & 0x55555555; - t1 
|= t1 >> 1; t1 &= 0x33333333; - t1 |= t1 >> 2; t1 &= 0x0f0f0f0f; - t1 |= t1 >> 4; t1 &= 0x00ff00ff; - t1 |= t1 >> 8; t1 <<= 16; - - lo &= 0xaaaaaaaa; - lo |= lo << 1; lo &= 0xcccccccc; - lo |= lo << 2; lo &= 0xf0f0f0f0; - lo |= lo << 4; lo &= 0xff00ff00; - lo |= lo << 8; lo >>= 16; - - hi &= 0xaaaaaaaa; - hi |= hi << 1; hi &= 0xcccccccc; - hi |= hi << 2; hi &= 0xf0f0f0f0; - hi |= hi << 4; hi &= 0xff00ff00; - hi |= hi << 8; hi &= 0xffff0000; - - Ai = ((uint64_t)(hi | lo) << 32) | (t1 | t0); - } - - return Ai; +static uint64_t BitInterleave(uint64_t Ai) { + if (BIT_INTERLEAVE) { + uint32_t hi = (uint32_t)(Ai >> 32), lo = (uint32_t)Ai; + uint32_t t0, t1; + + t0 = lo & 0x55555555; + t0 |= t0 >> 1; + t0 &= 0x33333333; + t0 |= t0 >> 2; + t0 &= 0x0f0f0f0f; + t0 |= t0 >> 4; + t0 &= 0x00ff00ff; + t0 |= t0 >> 8; + t0 &= 0x0000ffff; + + t1 = hi & 0x55555555; + t1 |= t1 >> 1; + t1 &= 0x33333333; + t1 |= t1 >> 2; + t1 &= 0x0f0f0f0f; + t1 |= t1 >> 4; + t1 &= 0x00ff00ff; + t1 |= t1 >> 8; + t1 <<= 16; + + lo &= 0xaaaaaaaa; + lo |= lo << 1; + lo &= 0xcccccccc; + lo |= lo << 2; + lo &= 0xf0f0f0f0; + lo |= lo << 4; + lo &= 0xff00ff00; + lo |= lo << 8; + lo >>= 16; + + hi &= 0xaaaaaaaa; + hi |= hi << 1; + hi &= 0xcccccccc; + hi |= hi << 2; + hi &= 0xf0f0f0f0; + hi |= hi << 4; + hi &= 0xff00ff00; + hi |= hi << 8; + hi &= 0xffff0000; + + Ai = ((uint64_t)(hi | lo) << 32) | (t1 | t0); + } + + return Ai; } -static uint64_t BitDeinterleave(uint64_t Ai) -{ - if (BIT_INTERLEAVE) { - uint32_t hi = (uint32_t)(Ai >> 32), lo = (uint32_t)Ai; - uint32_t t0, t1; - - t0 = lo & 0x0000ffff; - t0 |= t0 << 8; t0 &= 0x00ff00ff; - t0 |= t0 << 4; t0 &= 0x0f0f0f0f; - t0 |= t0 << 2; t0 &= 0x33333333; - t0 |= t0 << 1; t0 &= 0x55555555; - - t1 = hi << 16; - t1 |= t1 >> 8; t1 &= 0xff00ff00; - t1 |= t1 >> 4; t1 &= 0xf0f0f0f0; - t1 |= t1 >> 2; t1 &= 0xcccccccc; - t1 |= t1 >> 1; t1 &= 0xaaaaaaaa; - - lo >>= 16; - lo |= lo << 8; lo &= 0x00ff00ff; - lo |= lo << 4; lo &= 0x0f0f0f0f; - lo |= lo << 2; lo &= 0x33333333; 
- lo |= lo << 1; lo &= 0x55555555; - - hi &= 0xffff0000; - hi |= hi >> 8; hi &= 0xff00ff00; - hi |= hi >> 4; hi &= 0xf0f0f0f0; - hi |= hi >> 2; hi &= 0xcccccccc; - hi |= hi >> 1; hi &= 0xaaaaaaaa; - - Ai = ((uint64_t)(hi | lo) << 32) | (t1 | t0); - } - - return Ai; +static uint64_t BitDeinterleave(uint64_t Ai) { + if (BIT_INTERLEAVE) { + uint32_t hi = (uint32_t)(Ai >> 32), lo = (uint32_t)Ai; + uint32_t t0, t1; + + t0 = lo & 0x0000ffff; + t0 |= t0 << 8; + t0 &= 0x00ff00ff; + t0 |= t0 << 4; + t0 &= 0x0f0f0f0f; + t0 |= t0 << 2; + t0 &= 0x33333333; + t0 |= t0 << 1; + t0 &= 0x55555555; + + t1 = hi << 16; + t1 |= t1 >> 8; + t1 &= 0xff00ff00; + t1 |= t1 >> 4; + t1 &= 0xf0f0f0f0; + t1 |= t1 >> 2; + t1 &= 0xcccccccc; + t1 |= t1 >> 1; + t1 &= 0xaaaaaaaa; + + lo >>= 16; + lo |= lo << 8; + lo &= 0x00ff00ff; + lo |= lo << 4; + lo &= 0x0f0f0f0f; + lo |= lo << 2; + lo &= 0x33333333; + lo |= lo << 1; + lo &= 0x55555555; + + hi &= 0xffff0000; + hi |= hi >> 8; + hi &= 0xff00ff00; + hi |= hi >> 4; + hi &= 0xf0f0f0f0; + hi |= hi >> 2; + hi &= 0xcccccccc; + hi |= hi >> 1; + hi &= 0xaaaaaaaa; + + Ai = ((uint64_t)(hi | lo) << 32) | (t1 | t0); + } + + return Ai; } - // Keccak1600_Absorb can be called multiple times; at each invocation the - // largest multiple of |r| out of |len| bytes are processed. The - // remaining amount of bytes is returned. This is done to spare caller - // trouble of calculating the largest multiple of |r|. |r| can be viewed - // as blocksize. It is commonly (1600 - 256*n)/8, e.g. 168, 136, 104, - // 72, but can also be (1600 - 448)/8 = 144. All this means that message - // padding and intermediate sub-block buffering, byte- or bitwise, is - // caller's responsibility. 
-size_t Keccak1600_Absorb(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], const uint8_t *inp, size_t len, - size_t r) -{ - uint64_t *A_flat = (uint64_t *)A; - size_t i, w = r / 8; - - assert(r < (25 * sizeof(A[0][0])) && (r % 8) == 0); - - while (len >= r) { - for (i = 0; i < w; i++) { - uint64_t Ai = (uint64_t)inp[0] | (uint64_t)inp[1] << 8 | - (uint64_t)inp[2] << 16 | (uint64_t)inp[3] << 24 | - (uint64_t)inp[4] << 32 | (uint64_t)inp[5] << 40 | - (uint64_t)inp[6] << 48 | (uint64_t)inp[7] << 56; - inp += 8; - - A_flat[i] ^= BitInterleave(Ai); - } - KeccakF1600(A); - len -= r; +// Keccak1600_Absorb can be called multiple times; at each invocation the +// largest multiple of |r| out of |len| bytes are processed. The +// remaining amount of bytes is returned. This is done to spare caller +// trouble of calculating the largest multiple of |r|. |r| can be viewed +// as blocksize. It is commonly (1600 - 256*n)/8, e.g. 168, 136, 104, +// 72, but can also be (1600 - 448)/8 = 144. All this means that message +// padding and intermediate sub-block buffering, byte- or bitwise, is +// caller's responsibility. 
+size_t Keccak1600_Absorb(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], + const uint8_t *inp, size_t len, size_t r) { + uint64_t *A_flat = (uint64_t *)A; + size_t i, w = r / 8; + + assert(r < (25 * sizeof(A[0][0])) && (r % 8) == 0); + + while (len >= r) { + for (i = 0; i < w; i++) { + uint64_t Ai = (uint64_t)inp[0] | (uint64_t)inp[1] << 8 | + (uint64_t)inp[2] << 16 | (uint64_t)inp[3] << 24 | + (uint64_t)inp[4] << 32 | (uint64_t)inp[5] << 40 | + (uint64_t)inp[6] << 48 | (uint64_t)inp[7] << 56; + inp += 8; + + A_flat[i] ^= BitInterleave(Ai); } + KeccakF1600(A); + len -= r; + } - return len; + return len; } -void Keccak1600_Squeeze(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], uint8_t *out, size_t len, size_t r, int padded) -// Keccak1600_Squeeze can be called multiple times to incrementally +void Keccak1600_Squeeze(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], + uint8_t *out, size_t len, size_t r, int padded) +// Keccak1600_Squeeze can be called multiple times to incrementally { - uint64_t *A_flat = (uint64_t *)A; - size_t i, w = r / 8; + uint64_t *A_flat = (uint64_t *)A; + size_t i, w = r / 8; - assert(r < (25 * sizeof(A[0][0])) && (r % 8) == 0); + assert(r < (25 * sizeof(A[0][0])) && (r % 8) == 0); - while (len != 0) { - if (padded) { - KeccakF1600(A); - } - padded = 1; - for (i = 0; i < w && len != 0; i++) { - uint64_t Ai = BitDeinterleave(A_flat[i]); - - if (len < 8) { - for (i = 0; i < len; i++) { - *out++ = (uint8_t)Ai; - Ai >>= 8; - } - return; - } - - out[0] = (uint8_t)(Ai); - out[1] = (uint8_t)(Ai >> 8); - out[2] = (uint8_t)(Ai >> 16); - out[3] = (uint8_t)(Ai >> 24); - out[4] = (uint8_t)(Ai >> 32); - out[5] = (uint8_t)(Ai >> 40); - out[6] = (uint8_t)(Ai >> 48); - out[7] = (uint8_t)(Ai >> 56); - out += 8; - len -= 8; + while (len != 0) { + if (padded) { + KeccakF1600(A); + } + padded = 1; + for (i = 0; i < w && len != 0; i++) { + uint64_t Ai = BitDeinterleave(A_flat[i]); + + if (len < 8) { + for (i = 0; i < len; i++) { + *out++ = (uint8_t)Ai; + Ai >>= 8; } + 
return; + } + + out[0] = (uint8_t)(Ai); + out[1] = (uint8_t)(Ai >> 8); + out[2] = (uint8_t)(Ai >> 16); + out[3] = (uint8_t)(Ai >> 24); + out[4] = (uint8_t)(Ai >> 32); + out[5] = (uint8_t)(Ai >> 40); + out[6] = (uint8_t)(Ai >> 48); + out[7] = (uint8_t)(Ai >> 56); + out += 8; + len -= 8; } + } } #else -size_t Keccak1600_Absorb_hw(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], const uint8_t *inp, size_t len, - size_t r); +size_t Keccak1600_Absorb_hw(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], + const uint8_t *inp, size_t len, size_t r); -size_t Keccak1600_Absorb(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], const uint8_t *inp, size_t len, - size_t r) { - return Keccak1600_Absorb_hw(A, inp, len, r); +size_t Keccak1600_Absorb(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], + const uint8_t *inp, size_t len, size_t r) { + return Keccak1600_Absorb_hw(A, inp, len, r); } -size_t Keccak1600_Squeeze_hw(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], const uint8_t *out, size_t len, - size_t r, int padded); +size_t Keccak1600_Squeeze_hw(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], + const uint8_t *out, size_t len, size_t r, + int padded); -void Keccak1600_Squeeze(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], uint8_t *out, size_t len, size_t r, int padded) { - Keccak1600_Squeeze_hw(A, out, len, r, padded); +void Keccak1600_Squeeze(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], + uint8_t *out, size_t len, size_t r, int padded) { + Keccak1600_Squeeze_hw(A, out, len, r, padded); } -#endif // !KECCAK1600_ASM +#endif // !KECCAK1600_ASM diff --git a/crypto/fipsmodule/sha/sha1-altivec.c b/crypto/fipsmodule/sha/sha1-altivec.c index ab3645ff91..7998b8ef3d 100644 --- a/crypto/fipsmodule/sha/sha1-altivec.c +++ b/crypto/fipsmodule/sha/sha1-altivec.c 
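Review bot: The comment `// Keccak1600_Squeeze can be called multiple times to incrementally` sits between the signature of Keccak1600_Squeeze and its opening brace and trails off mid-sentence, so the reformat has preserved a fragment rather than documentation. Move it above the definition and complete it, e.g. `// Keccak1600_Squeeze can be called multiple times to incrementally squeeze |len| bytes of output from |A|; see the header declaration for the |padded| and block-multiple requirements.` In the KECCAK1600_ASM branch of the same hunk, `Keccak1600_Squeeze_hw` is declared with `const uint8_t *out` and a `size_t` return although it is the routine that writes |out| and its result is discarded by the void wrapper, which looks inconsistent with the non-ASM definition. If the assembly's actual contract matches the C version, the prototype would be clearer as `void Keccak1600_Squeeze_hw(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], uint8_t *out, size_t len, size_t r, int padded);`.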
@@ -104,8 +104,8 @@ static const vec_uint32_t K_60_79_x_4 = {K_60_79, K_60_79, K_60_79, K_60_79}; static vec_uint32_t sched_00_15(vec_uint32_t *pre_added, const void *data, vec_uint32_t k) { const vector unsigned char unaligned_data = - vec_vsx_ld(0, (const unsigned char*) data); - const vec_uint32_t v = (vec_uint32_t) unaligned_data; + vec_vsx_ld(0, (const unsigned char *)data); + const vec_uint32_t v = (vec_uint32_t)unaligned_data; const vec_uint32_t w = vec_perm(v, v, k_swap_endianness); vec_st(w + k, 0, pre_added); return w; diff --git a/crypto/fipsmodule/sha/sha1.c b/crypto/fipsmodule/sha/sha1.c index c1b2dcb9a8..06a4e69034 100644 --- a/crypto/fipsmodule/sha/sha1.c +++ b/crypto/fipsmodule/sha/sha1.c @@ -101,11 +101,10 @@ uint8_t *SHA1(const uint8_t *data, size_t len, uint8_t out[SHA_DIGEST_LENGTH]) { // updating the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); SHA_CTX ctx; - const int ok = SHA1_Init(&ctx) && - SHA1_Update(&ctx, data, len) && - SHA1_Final(out, &ctx); + const int ok = + SHA1_Init(&ctx) && SHA1_Update(&ctx, data, len) && SHA1_Final(out, &ctx); FIPS_service_indicator_unlock_state(); - if(ok) { + if (ok) { FIPS_service_indicator_update_state(); } OPENSSL_cleanse(&ctx, sizeof(ctx)); 
@@ -227,13 +226,13 @@ int SHA1_get_state(SHA_CTX *ctx, uint8_t out_h[SHA1_CHAINING_LENGTH], #endif /* Originally X was an array. As it's automatic it's natural -* to expect RISC compiler to accomodate at least part of it in -* the register bank, isn't it? Unfortunately not all compilers -* "find" this expectation reasonable:-( On order to make such -* compilers generate better code I replace X[] with a bunch of -* X0, X1, etc. See the function body below... -* */ -#define X(i) XX##i + * to expect RISC compiler to accomodate at least part of it in + * the register bank, isn't it? Unfortunately not all compilers + * "find" this expectation reasonable:-( On order to make such + * compilers generate better code I replace X[] with a bunch of + * X0, X1, etc. See the function body below... + * */ +#define X(i) XX##i #if !defined(SHA1_ASM) && !defined(SHA1_ALTIVEC) @@ -241,8 +240,8 @@ int SHA1_get_state(SHA_CTX *ctx, uint8_t out_h[SHA1_CHAINING_LENGTH], static void sha1_block_data_order_nohw(uint32_t state[5], const uint8_t *data, size_t num) { register uint32_t A, B, C, D, E, T; - uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, - XX11, XX12, XX13, XX14, XX15; + uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12, + XX13, XX14, XX15; A = state[0]; B = state[1]; diff --git a/crypto/fipsmodule/sha/sha256.c b/crypto/fipsmodule/sha/sha256.c index f36fb8b716..ff7e803a7a 100644 --- a/crypto/fipsmodule/sha/sha256.c +++ b/crypto/fipsmodule/sha/sha256.c @@ -93,7 +93,7 @@ int SHA256_Init(SHA256_CTX *sha) { return 1; } -OPENSSL_STATIC_ASSERT(SHA256_CHAINING_LENGTH==SHA224_CHAINING_LENGTH, +OPENSSL_STATIC_ASSERT(SHA256_CHAINING_LENGTH == SHA224_CHAINING_LENGTH, sha256_and_sha224_have_same_chaining_length) // sha256_init_from_state_impl is the implementation of 
@@ -102,7 +102,7 @@ OPENSSL_STATIC_ASSERT(SHA256_CHAINING_LENGTH==SHA224_CHAINING_LENGTH, static int sha256_init_from_state_impl(SHA256_CTX *sha, int md_len, const uint8_t h[SHA256_CHAINING_LENGTH], uint64_t n) { - if(n % ((uint64_t) SHA256_CBLOCK * 8) != 0) { + if (n % ((uint64_t)SHA256_CBLOCK * 8) != 0) { // n is not a multiple of the block size in bits, so it fails return 0; } @@ -140,11 +140,10 @@ uint8_t *SHA224(const uint8_t *data, size_t len, // updating the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); SHA256_CTX ctx; - const int ok = SHA224_Init(&ctx) && - SHA224_Update(&ctx, data, len) && + const int ok = SHA224_Init(&ctx) && SHA224_Update(&ctx, data, len) && SHA224_Final(out, &ctx); FIPS_service_indicator_unlock_state(); - if(ok) { + if (ok) { FIPS_service_indicator_update_state(); } OPENSSL_cleanse(&ctx, sizeof(ctx)); @@ -157,11 +156,10 @@ uint8_t *SHA256(const uint8_t *data, size_t len, // updating the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); SHA256_CTX ctx; - const int ok = SHA256_Init(&ctx) && - SHA256_Update(&ctx, data, len) && + const int ok = SHA256_Init(&ctx) && SHA256_Update(&ctx, data, len) && SHA256_Final(out, &ctx); FIPS_service_indicator_unlock_state(); - if(ok) { + if (ok) { FIPS_service_indicator_update_state(); } OPENSSL_cleanse(&ctx, sizeof(ctx)); 
@@ -285,14 +283,14 @@ static const uint32_t K256[64] = { h += T1; \ } while (0) -#define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \ - do { \ - s0 = X[(i + 1) & 0x0f]; \ - s0 = sigma0(s0); \ - s1 = X[(i + 14) & 0x0f]; \ - s1 = sigma1(s1); \ - T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \ - ROUND_00_15(i, a, b, c, d, e, f, g, h); \ +#define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \ + do { \ + s0 = X[(i + 1) & 0x0f]; \ + s0 = sigma0(s0); \ + s1 = X[(i + 14) & 0x0f]; \ + s1 = sigma1(s1); \ + T1 = X[(i)&0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \ + ROUND_00_15(i, a, b, c, d, e, f, g, h); \ } while (0) static void sha256_block_data_order_nohw(uint32_t state[8], const uint8_t *data, diff --git a/crypto/fipsmodule/sha/sha3.c b/crypto/fipsmodule/sha/sha3.c index 16b098023a..f4fef63608 100644 --- a/crypto/fipsmodule/sha/sha3.c +++ b/crypto/fipsmodule/sha/sha3.c @@ -7,16 +7,15 @@ * https://www.openssl.org/source/license.html */ -#include "internal.h" #include +#include "internal.h" uint8_t *SHA3_224(const uint8_t *data, size_t len, uint8_t out[SHA3_224_DIGEST_LENGTH]) { FIPS_service_indicator_lock_state(); KECCAK1600_CTX ctx; int ok = (SHA3_Init(&ctx, SHA3_224_DIGEST_BITLENGTH) && - SHA3_Update(&ctx, data, len) && - SHA3_Final(out, &ctx)); + SHA3_Update(&ctx, data, len) && SHA3_Final(out, &ctx)); OPENSSL_cleanse(&ctx, sizeof(ctx)); FIPS_service_indicator_unlock_state(); @@ -32,8 +31,7 @@ uint8_t *SHA3_256(const uint8_t *data, size_t len, FIPS_service_indicator_lock_state(); KECCAK1600_CTX ctx; int ok = (SHA3_Init(&ctx, SHA3_256_DIGEST_BITLENGTH) && - SHA3_Update(&ctx, data, len) && - SHA3_Final(out, &ctx)); + SHA3_Update(&ctx, data, len) && SHA3_Final(out, &ctx)); OPENSSL_cleanse(&ctx, sizeof(ctx)); FIPS_service_indicator_unlock_state(); 
@@ -49,8 +47,7 @@ uint8_t *SHA3_384(const uint8_t *data, size_t len, FIPS_service_indicator_lock_state(); KECCAK1600_CTX ctx; int ok = (SHA3_Init(&ctx, SHA3_384_DIGEST_BITLENGTH) && - SHA3_Update(&ctx, data, len) && - SHA3_Final(out, &ctx)); + SHA3_Update(&ctx, data, len) && SHA3_Final(out, &ctx)); OPENSSL_cleanse(&ctx, sizeof(ctx)); FIPS_service_indicator_unlock_state(); @@ -66,8 +63,7 @@ uint8_t *SHA3_512(const uint8_t *data, size_t len, FIPS_service_indicator_lock_state(); KECCAK1600_CTX ctx; int ok = (SHA3_Init(&ctx, SHA3_512_DIGEST_BITLENGTH) && - SHA3_Update(&ctx, data, len) && - SHA3_Final(out, &ctx)); + SHA3_Update(&ctx, data, len) && SHA3_Final(out, &ctx)); OPENSSL_cleanse(&ctx, sizeof(ctx)); FIPS_service_indicator_unlock_state(); @@ -78,12 +74,13 @@ uint8_t *SHA3_512(const uint8_t *data, size_t len, return out; } -uint8_t *SHAKE128(const uint8_t *data, const size_t in_len, uint8_t *out, size_t out_len) { +uint8_t *SHAKE128(const uint8_t *data, const size_t in_len, uint8_t *out, + size_t out_len) { FIPS_service_indicator_lock_state(); KECCAK1600_CTX ctx; - int ok = (SHAKE_Init(&ctx, SHAKE128_BLOCKSIZE) && - SHAKE_Absorb(&ctx, data, in_len) && - SHAKE_Final(out, &ctx, out_len)); + int ok = + (SHAKE_Init(&ctx, SHAKE128_BLOCKSIZE) && + SHAKE_Absorb(&ctx, data, in_len) && SHAKE_Final(out, &ctx, out_len)); OPENSSL_cleanse(&ctx, sizeof(ctx)); FIPS_service_indicator_unlock_state(); 
@@ -94,12 +91,13 @@ uint8_t *SHAKE128(const uint8_t *data, const size_t in_len, uint8_t *out, size_t return out; } -uint8_t *SHAKE256(const uint8_t *data, const size_t in_len, uint8_t *out, size_t out_len) { +uint8_t *SHAKE256(const uint8_t *data, const size_t in_len, uint8_t *out, + size_t out_len) { FIPS_service_indicator_lock_state(); KECCAK1600_CTX ctx; - int ok = (SHAKE_Init(&ctx, SHAKE256_BLOCKSIZE) && - SHAKE_Absorb(&ctx, data, in_len) && - SHAKE_Final(out, &ctx, out_len)); + int ok = + (SHAKE_Init(&ctx, SHAKE256_BLOCKSIZE) && + SHAKE_Absorb(&ctx, data, in_len) && SHAKE_Final(out, &ctx, out_len)); OPENSSL_cleanse(&ctx, sizeof(ctx)); FIPS_service_indicator_unlock_state(); if (ok == 0) { 
@@ -109,36 +107,37 @@ uint8_t *SHAKE256(const uint8_t *data, const size_t in_len, uint8_t *out, size_t return out; } -// FIPS202 APIs manage internal input/output buffer on top of Keccak1600 API layer +// FIPS202 APIs manage internal input/output buffer on top of Keccak1600 API +// layer static void FIPS202_Reset(KECCAK1600_CTX *ctx) { OPENSSL_memset(ctx->A, 0, sizeof(ctx->A)); ctx->buf_load = 0; ctx->state = KECCAK1600_STATE_ABSORB; } -static int FIPS202_Init(KECCAK1600_CTX *ctx, uint8_t pad, size_t block_size, size_t bit_len) { - if (pad != SHA3_PAD_CHAR && - pad != SHAKE_PAD_CHAR) { +static int FIPS202_Init(KECCAK1600_CTX *ctx, uint8_t pad, size_t block_size, + size_t bit_len) { + if (pad != SHA3_PAD_CHAR && pad != SHAKE_PAD_CHAR) { return 0; } - + if (block_size <= sizeof(ctx->buf)) { - FIPS202_Reset(ctx); - ctx->block_size = block_size; - ctx->md_size = bit_len / 8; - ctx->pad = pad; - return 1; - } - return 0; + FIPS202_Reset(ctx); + ctx->block_size = block_size; + ctx->md_size = bit_len / 8; + ctx->pad = pad; + return 1; + } + return 0; } static int FIPS202_Update(KECCAK1600_CTX *ctx, const void *data, size_t len) { - uint8_t *data_ptr_copy = (uint8_t *) data; + uint8_t *data_ptr_copy = (uint8_t *)data; size_t block_size = ctx->block_size; size_t num, rem; - if (ctx->state == KECCAK1600_STATE_SQUEEZE || - ctx->state == KECCAK1600_STATE_FINAL ) { + if (ctx->state == KECCAK1600_STATE_SQUEEZE || + ctx->state == KECCAK1600_STATE_FINAL) { return 0; } @@ -158,7 +157,7 @@ static int FIPS202_Update(KECCAK1600_CTX *ctx, const void *data, size_t len) { // leaving the rest for later processing. OPENSSL_memcpy(ctx->buf + num, data_ptr_copy, rem); data_ptr_copy += rem, len -= rem; - if (Keccak1600_Absorb(ctx->A, ctx->buf, block_size, block_size) != 0 ) { + if (Keccak1600_Absorb(ctx->A, ctx->buf, block_size, block_size) != 0) { return 0; } ctx->buf_load = 0; 
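Review bot: `uint8_t *data_ptr_copy = (uint8_t *)data;` in FIPS202_Update casts away the `const` of the `const void *data` parameter although the pointer is only read afterwards (it is the source operand of OPENSSL_memcpy and is passed to Keccak1600_Absorb, which takes `const uint8_t *`); the new line should keep the qualifier, `const uint8_t *data_ptr_copy = (const uint8_t *)data;`, so an accidental write to caller-owned input is still caught by the compiler. The comma expression `data_ptr_copy += rem, len -= rem;` on the following context line would read more plainly as two statements. FIPS202_Update's body continues outside this hunk.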
@@ -167,8 +166,7 @@ static int FIPS202_Update(KECCAK1600_CTX *ctx, const void *data, size_t len) { if (len >= block_size) { rem = Keccak1600_Absorb(ctx->A, data_ptr_copy, len, block_size); - } - else { + } else { rem = len; } @@ -181,13 +179,14 @@ static int FIPS202_Update(KECCAK1600_CTX *ctx, const void *data, size_t len) { } // FIPS202_Finalize processes padding and absorb of last input block -// This function should be called once to finalize absorb and initiate squeeze phase +// This function should be called once to finalize absorb and initiate squeeze +// phase static int FIPS202_Finalize(uint8_t *md, KECCAK1600_CTX *ctx) { size_t block_size = ctx->block_size; size_t num = ctx->buf_load; - if (ctx->state == KECCAK1600_STATE_SQUEEZE || - ctx->state == KECCAK1600_STATE_FINAL ) { + if (ctx->state == KECCAK1600_STATE_SQUEEZE || + ctx->state == KECCAK1600_STATE_FINAL) { return 0; } @@ -201,7 +200,7 @@ static int FIPS202_Finalize(uint8_t *md, KECCAK1600_CTX *ctx) { if (Keccak1600_Absorb(ctx->A, ctx->buf, block_size, block_size) != 0) { return 0; } - + // ctx->buf is processed, ctx->buf_load is guaranteed to be zero ctx->buf_load = 0; @@ -214,11 +213,11 @@ int SHA3_Init(KECCAK1600_CTX *ctx, size_t bit_len) { return 0; } - if (bit_len != SHA3_224_DIGEST_BITLENGTH && - bit_len != SHA3_256_DIGEST_BITLENGTH && - bit_len != SHA3_384_DIGEST_BITLENGTH && + if (bit_len != SHA3_224_DIGEST_BITLENGTH && + bit_len != SHA3_256_DIGEST_BITLENGTH && + bit_len != SHA3_384_DIGEST_BITLENGTH && bit_len != SHA3_512_DIGEST_BITLENGTH) { - return 0; + return 0; } // |block_size| depends on the SHA3 |bit_len| output (digest) length return FIPS202_Init(ctx, SHA3_PAD_CHAR, SHA3_BLOCKSIZE(bit_len), bit_len); @@ -256,7 +255,7 @@ int SHA3_Final(uint8_t *md, KECCAK1600_CTX *ctx) { Keccak1600_Squeeze(ctx->A, md, ctx->md_size, ctx->block_size, ctx->state); ctx->state = KECCAK1600_STATE_FINAL; - + FIPS_service_indicator_update_state(); return 1; } 
@@ -266,9 +265,8 @@ int SHAKE_Init(KECCAK1600_CTX *ctx, size_t block_size) { return 0; } - if (block_size != SHAKE128_BLOCKSIZE && - block_size != SHAKE256_BLOCKSIZE) { - return 0; + if (block_size != SHAKE128_BLOCKSIZE && block_size != SHAKE256_BLOCKSIZE) { + return 0; } // |block_size| depends on the SHAKE security level // The output length |bit_len| is initialized to 0
@@ -343,6 +341,6 @@ int SHAKE_Squeeze(uint8_t *md, KECCAK1600_CTX *ctx, size_t len) { Keccak1600_Squeeze(ctx->A, md, len, ctx->block_size, ctx->state); ctx->state = KECCAK1600_STATE_SQUEEZE; - //FIPS_service_indicator_update_state(); + // FIPS_service_indicator_update_state(); return 1; }
diff --git a/crypto/fipsmodule/sha/sha512.c b/crypto/fipsmodule/sha/sha512.c
index a5d0bab5c6..57cb6f9fde 100644
--- a/crypto/fipsmodule/sha/sha512.c
+++ b/crypto/fipsmodule/sha/sha512.c
@@ -60,8 +60,8 @@ #include -#include "internal.h" #include "../../internal.h" +#include "internal.h" // The 32-bit hash algorithms share a common byte-order neutral collector and
@@ -141,11 +141,11 @@ int SHA512_256_Init(SHA512_CTX *sha) { return 1; } -OPENSSL_STATIC_ASSERT(SHA512_CHAINING_LENGTH==SHA384_CHAINING_LENGTH, +OPENSSL_STATIC_ASSERT(SHA512_CHAINING_LENGTH == SHA384_CHAINING_LENGTH, sha512_and_sha384_have_same_chaining_length) -OPENSSL_STATIC_ASSERT(SHA512_CHAINING_LENGTH==SHA512_224_CHAINING_LENGTH, +OPENSSL_STATIC_ASSERT(SHA512_CHAINING_LENGTH == SHA512_224_CHAINING_LENGTH, sha512_and_sha512_224_have_same_chaining_length) -OPENSSL_STATIC_ASSERT(SHA512_CHAINING_LENGTH==SHA512_256_CHAINING_LENGTH, +OPENSSL_STATIC_ASSERT(SHA512_CHAINING_LENGTH == SHA512_256_CHAINING_LENGTH, sha512_and_sha512_256_have_same_chaining_length) // sha512_init_from_state_impl is the implementation of
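Review bot: The commented-out `// FIPS_service_indicator_update_state();` at the end of SHAKE_Squeeze only gains a space in this hunk, leaving dead code where a statement of intent belongs: SHA3_Final, earlier in this patch, does call `FIPS_service_indicator_update_state()` on success, so a reader cannot tell whether the omission on the squeeze path is deliberate. Replace the commented-out call with a comment that gives the reason, e.g. `// The service indicator is intentionally not updated after a squeeze; see <reason or ticket>.`, or drop the line entirely. SHAKE_Squeeze's body starts outside the hunk.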
@@ -154,7 +154,7 @@ OPENSSL_STATIC_ASSERT(SHA512_CHAINING_LENGTH==SHA512_256_CHAINING_LENGTH, static int sha512_init_from_state_impl(SHA512_CTX *sha, int md_len, const uint8_t h[SHA512_CHAINING_LENGTH], uint64_t n) { - if(n % ((uint64_t) SHA512_CBLOCK * 8) != 0) { + if (n % ((uint64_t)SHA512_CBLOCK * 8) != 0) { // n is not a multiple of the block size in bits, so it fails return 0; } @@ -187,14 +187,14 @@ int SHA512_Init_from_state(SHA512_CTX *sha, } int SHA512_224_Init_from_state(SHA512_CTX *sha, - const uint8_t h[SHA512_224_CHAINING_LENGTH], - uint64_t n) { + const uint8_t h[SHA512_224_CHAINING_LENGTH], + uint64_t n) { return sha512_init_from_state_impl(sha, SHA512_224_DIGEST_LENGTH, h, n); } int SHA512_256_Init_from_state(SHA512_CTX *sha, - const uint8_t h[SHA512_256_CHAINING_LENGTH], - uint64_t n) { + const uint8_t h[SHA512_256_CHAINING_LENGTH], + uint64_t n) { return sha512_init_from_state_impl(sha, SHA512_256_DIGEST_LENGTH, h, n); } @@ -204,11 +204,10 @@ uint8_t *SHA384(const uint8_t *data, size_t len, // updating the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); SHA512_CTX ctx; - const int ok = SHA384_Init(&ctx) && - SHA384_Update(&ctx, data, len) && + const int ok = SHA384_Init(&ctx) && SHA384_Update(&ctx, data, len) && SHA384_Final(out, &ctx); FIPS_service_indicator_unlock_state(); - if(ok) { + if (ok) { FIPS_service_indicator_update_state(); } OPENSSL_cleanse(&ctx, sizeof(ctx)); @@ -221,11 +220,10 @@ uint8_t *SHA512(const uint8_t *data, size_t len, // updating the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); SHA512_CTX ctx; - const int ok = SHA512_Init(&ctx) && - SHA512_Update(&ctx, data, len) && + const int ok = SHA512_Init(&ctx) && SHA512_Update(&ctx, data, len) && SHA512_Final(out, &ctx); FIPS_service_indicator_unlock_state(); - if(ok) { + if (ok) { FIPS_service_indicator_update_state(); } OPENSSL_cleanse(&ctx, sizeof(ctx)); 
@@ -238,11 +236,10 @@ uint8_t *SHA512_224(const uint8_t *data, size_t len, // updating the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); SHA512_CTX ctx; - const int ok = SHA512_224_Init(&ctx) && - SHA512_224_Update(&ctx, data, len) && + const int ok = SHA512_224_Init(&ctx) && SHA512_224_Update(&ctx, data, len) && SHA512_224_Final(out, &ctx); FIPS_service_indicator_unlock_state(); - if(ok) { + if (ok) { FIPS_service_indicator_update_state(); } OPENSSL_cleanse(&ctx, sizeof(ctx)); @@ -255,11 +252,10 @@ uint8_t *SHA512_256(const uint8_t *data, size_t len, // updating the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); SHA512_CTX ctx; - const int ok = SHA512_256_Init(&ctx) && - SHA512_256_Update(&ctx, data, len) && + const int ok = SHA512_256_Init(&ctx) && SHA512_256_Update(&ctx, data, len) && SHA512_256_Final(out, &ctx); FIPS_service_indicator_unlock_state(); - if(ok) { + if (ok) { FIPS_service_indicator_update_state(); } OPENSSL_cleanse(&ctx, sizeof(ctx)); @@ -448,13 +444,15 @@ int SHA512_get_state(SHA512_CTX *ctx, uint8_t out_h[SHA512_CHAINING_LENGTH], return sha512_get_state_impl(ctx, out_h, out_n); } -int SHA512_224_get_state(SHA512_CTX *ctx, uint8_t out_h[SHA512_224_CHAINING_LENGTH], - uint64_t *out_n) { +int SHA512_224_get_state(SHA512_CTX *ctx, + uint8_t out_h[SHA512_224_CHAINING_LENGTH], + uint64_t *out_n) { return sha512_get_state_impl(ctx, out_h, out_n); } -int SHA512_256_get_state(SHA512_CTX *ctx, uint8_t out_h[SHA512_256_CHAINING_LENGTH], - uint64_t *out_n) { +int SHA512_256_get_state(SHA512_CTX *ctx, + uint8_t out_h[SHA512_256_CHAINING_LENGTH], + uint64_t *out_n) { return sha512_get_state_impl(ctx, out_h, out_n); } 
@@ -585,14 +583,14 @@ static void sha512_block_data_order_nohw(uint64_t state[8], const uint8_t *in, h += T1; \ } while (0) -#define ROUND_16_80(i, j, a, b, c, d, e, f, g, h, X) \ - do { \ - s0 = X[(j + 1) & 0x0f]; \ - s0 = sigma0(s0); \ - s1 = X[(j + 14) & 0x0f]; \ - s1 = sigma1(s1); \ - T1 = X[(j) & 0x0f] += s0 + s1 + X[(j + 9) & 0x0f]; \ - ROUND_00_15(i + j, a, b, c, d, e, f, g, h); \ +#define ROUND_16_80(i, j, a, b, c, d, e, f, g, h, X) \ + do { \ + s0 = X[(j + 1) & 0x0f]; \ + s0 = sigma0(s0); \ + s1 = X[(j + 14) & 0x0f]; \ + s1 = sigma1(s1); \ + T1 = X[(j)&0x0f] += s0 + s1 + X[(j + 9) & 0x0f]; \ + ROUND_00_15(i + j, a, b, c, d, e, f, g, h); \ } while (0) static void sha512_block_data_order_nohw(uint64_t state[8], const uint8_t *in,
@@ -602,7 +600,6 @@ static void sha512_block_data_order_nohw(uint64_t state[8], const uint8_t *in, int i; while (num--) { - a = state[0]; b = state[1]; c = state[2];
diff --git a/crypto/fipsmodule/sha/sha_test.cc b/crypto/fipsmodule/sha/sha_test.cc
index e8854fd8bf..e47833611b 100644
--- a/crypto/fipsmodule/sha/sha_test.cc
+++ b/crypto/fipsmodule/sha/sha_test.cc
@@ -127,4 +127,4 @@ TEST(SHATest, SHA512ABI) { } } -#endif // defined(SUPPORTS_ABI_TEST) && !defined(SHA1_ALTIVEC) +#endif // defined(SUPPORTS_ABI_TEST) && !defined(SHA1_ALTIVEC)
diff --git a/crypto/fipsmodule/sshkdf/sshkdf.c b/crypto/fipsmodule/sshkdf/sshkdf.c
index a12d1fafdd..80dce104a9 100644
--- a/crypto/fipsmodule/sshkdf/sshkdf.c
+++ b/crypto/fipsmodule/sshkdf/sshkdf.c
@@ -11,16 +11,13 @@ #include #include -#include "../service_indicator/internal.h" #include "../../internal.h" +#include "../service_indicator/internal.h" -int SSHKDF(const EVP_MD *evp_md, - const uint8_t *key, size_t key_len, +int SSHKDF(const EVP_MD *evp_md, const uint8_t *key, size_t key_len, const uint8_t *xcghash, size_t xcghash_len, - const uint8_t *session_id, size_t session_id_len, - char type, - uint8_t *out, size_t out_len) -{ + const uint8_t *session_id, size_t session_id_len, char type, + uint8_t *out, size_t out_len) { SET_DIT_AUTO_RESET; EVP_MD_CTX *md = NULL; uint8_t digest[EVP_MAX_MD_SIZE];
diff --git a/crypto/fipsmodule/sshkdf/sshkdf_test.cc b/crypto/fipsmodule/sshkdf/sshkdf_test.cc
index ae107b19ea..6d840da68b 100644
--- a/crypto/fipsmodule/sshkdf/sshkdf_test.cc
+++ b/crypto/fipsmodule/sshkdf/sshkdf_test.cc
@@ -12,60 +12,56 @@ #include "../../test/test_util.h" TEST(SSHKDFTest, SSHKDF_INPUT_INSANITY) { - uint8_t not_empty[] = {'t', 'e', 's', 't'}; - size_t not_empty_len = sizeof(not_empty); - uint8_t output[] = {0}; - size_t output_len = sizeof(output); - const EVP_MD *md = EVP_sha256(); // Not actually used. - - ASSERT_FALSE(SSHKDF(nullptr, not_empty, not_empty_len, - not_empty, not_empty_len, not_empty, not_empty_len, - EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, - output, output_len)); - - ASSERT_FALSE(SSHKDF(md, nullptr, not_empty_len, - not_empty, not_empty_len, not_empty, not_empty_len, - EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, - output, output_len)); - ASSERT_FALSE(SSHKDF(md, not_empty, 0, - not_empty, not_empty_len, not_empty, not_empty_len, - EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, - output, output_len)); - - ASSERT_FALSE(SSHKDF(md, not_empty, not_empty_len, - nullptr, not_empty_len, not_empty, not_empty_len, - EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, - output, output_len)); - ASSERT_FALSE(SSHKDF(md, not_empty, not_empty_len, - not_empty, 0, not_empty, not_empty_len, - EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, - output, output_len)); - - ASSERT_FALSE(SSHKDF(md, not_empty, not_empty_len, - not_empty, not_empty_len, nullptr, not_empty_len, - EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, - output, output_len)); - ASSERT_FALSE(SSHKDF(md, not_empty, not_empty_len, - not_empty, not_empty_len, not_empty, 0, - EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, - output, output_len)); - - ASSERT_FALSE(SSHKDF(md, not_empty, not_empty_len, - not_empty, not_empty_len, not_empty, not_empty_len, - EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV - 1, - output, output_len)); - ASSERT_FALSE(SSHKDF(md, not_empty, not_empty_len, - not_empty, not_empty_len, not_empty, not_empty_len, - EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI + 1, - output, output_len)); + uint8_t not_empty[] = {'t', 'e', 's', 't'}; + size_t not_empty_len = sizeof(not_empty); + uint8_t output[] = {0}; + size_t 
output_len = sizeof(output); + const EVP_MD *md = EVP_sha256(); // Not actually used. + + ASSERT_FALSE(SSHKDF(nullptr, not_empty, not_empty_len, not_empty, + not_empty_len, not_empty, not_empty_len, + EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, output, + output_len)); + + ASSERT_FALSE(SSHKDF(md, nullptr, not_empty_len, not_empty, not_empty_len, + not_empty, not_empty_len, + EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, output, + output_len)); + ASSERT_FALSE(SSHKDF(md, not_empty, 0, not_empty, not_empty_len, not_empty, + not_empty_len, EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, + output, output_len)); + + ASSERT_FALSE(SSHKDF(md, not_empty, not_empty_len, nullptr, not_empty_len, + not_empty, not_empty_len, + EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, output, + output_len)); + ASSERT_FALSE(SSHKDF(md, not_empty, not_empty_len, not_empty, 0, not_empty, + not_empty_len, EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, + output, output_len)); + + ASSERT_FALSE(SSHKDF(md, not_empty, not_empty_len, not_empty, not_empty_len, + nullptr, not_empty_len, + EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, output, + output_len)); + ASSERT_FALSE(SSHKDF(md, not_empty, not_empty_len, not_empty, not_empty_len, + not_empty, 0, EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, + output, output_len)); + + ASSERT_FALSE(SSHKDF(md, not_empty, not_empty_len, not_empty, not_empty_len, + not_empty, not_empty_len, + EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV - 1, output, + output_len)); + ASSERT_FALSE(SSHKDF(md, not_empty, not_empty_len, not_empty, not_empty_len, + not_empty, not_empty_len, + EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI + 1, output, + output_len)); } -static void RunTest(FileTest *t) -{ +static void RunTest(FileTest *t) { std::string count; std::vector key, xcghash, session_id, initial_iv_c2s, initial_iv_s2c, - encryption_key_c2s, encryption_key_s2c, integrity_key_c2s, - integrity_key_s2c; + encryption_key_c2s, encryption_key_s2c, integrity_key_c2s, + integrity_key_s2c; 
t->IgnoreAllUnusedInstructions(); @@ -90,7 +86,8 @@ static void RunTest(FileTest *t) std::string iv_len_str, encryption_key_len_str; ASSERT_TRUE(t->GetInstruction(&iv_len_str, "IV length")); unsigned long iv_len = std::stoul(iv_len_str) / 8; - ASSERT_TRUE(t->GetInstruction(&encryption_key_len_str, "encryption key length")); + ASSERT_TRUE( + t->GetInstruction(&encryption_key_len_str, "encryption key length")); unsigned long encryption_key_len = std::stoul(encryption_key_len_str) / 8; ASSERT_TRUE(t->GetAttribute(&count, "COUNT")); @@ -99,10 +96,14 @@ static void RunTest(FileTest *t) ASSERT_TRUE(t->GetBytes(&session_id, "session_id")); ASSERT_TRUE(t->GetBytes(&initial_iv_c2s, "Initial IV (client to server)")); ASSERT_TRUE(t->GetBytes(&initial_iv_s2c, "Initial IV (server to client)")); - ASSERT_TRUE(t->GetBytes(&encryption_key_c2s, "Encryption key (client to server)")); - ASSERT_TRUE(t->GetBytes(&encryption_key_s2c, "Encryption key (server to client)")); - ASSERT_TRUE(t->GetBytes(&integrity_key_c2s, "Integrity key (client to server)")); - ASSERT_TRUE(t->GetBytes(&integrity_key_s2c, "Integrity key (server to client)")); + ASSERT_TRUE( + t->GetBytes(&encryption_key_c2s, "Encryption key (client to server)")); + ASSERT_TRUE( + t->GetBytes(&encryption_key_s2c, "Encryption key (server to client)")); + ASSERT_TRUE( + t->GetBytes(&integrity_key_c2s, "Integrity key (client to server)")); + ASSERT_TRUE( + t->GetBytes(&integrity_key_s2c, "Integrity key (server to client)")); // The CAVP test data shows its work, repeatedly. Ignore these. t->IgnoreAttribute("K || H || K1"); 
@@ -141,18 +142,18 @@ static void RunTest(FileTest *t) uint8_t *output = static_cast(new uint8_t[iv_len]); ASSERT_TRUE(SSHKDF(md, key.data(), key.size(), xcghash.data(), xcghash.size(), - session_id.data(), session_id.size(), - EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, - output, iv_len)); + session_id.data(), session_id.size(), + EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV, output, + iv_len)); EXPECT_EQ(Bytes(initial_iv_c2s.data(), initial_iv_c2s.size()), - Bytes(output, iv_len)); + Bytes(output, iv_len)); ASSERT_TRUE(SSHKDF(md, key.data(), key.size(), xcghash.data(), xcghash.size(), - session_id.data(), session_id.size(), - EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI, - output, iv_len)); + session_id.data(), session_id.size(), + EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI, output, + iv_len)); EXPECT_EQ(Bytes(initial_iv_s2c.data(), initial_iv_s2c.size()), - Bytes(output, iv_len)); + Bytes(output, iv_len)); delete[] output; output = NULL; 
@@ -161,18 +162,18 @@ static void RunTest(FileTest *t) output = static_cast(new uint8_t[encryption_key_len]); ASSERT_TRUE(SSHKDF(md, key.data(), key.size(), xcghash.data(), xcghash.size(), - session_id.data(), session_id.size(), - EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV, - output, encryption_key_len)); + session_id.data(), session_id.size(), + EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV, output, + encryption_key_len)); EXPECT_EQ(Bytes(encryption_key_c2s.data(), encryption_key_c2s.size()), - Bytes(output, encryption_key_len)); + Bytes(output, encryption_key_len)); ASSERT_TRUE(SSHKDF(md, key.data(), key.size(), xcghash.data(), xcghash.size(), - session_id.data(), session_id.size(), - EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI, - output, encryption_key_len)); + session_id.data(), session_id.size(), + EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI, output, + encryption_key_len)); EXPECT_EQ(Bytes(encryption_key_s2c.data(), encryption_key_s2c.size()), - Bytes(output, encryption_key_len)); + Bytes(output, encryption_key_len)); delete[] output; output = NULL; 
@@ -181,18 +182,18 @@ static void RunTest(FileTest *t) output = static_cast(new uint8_t[integrity_key_len]); ASSERT_TRUE(SSHKDF(md, key.data(), key.size(), xcghash.data(), xcghash.size(), - session_id.data(), session_id.size(), - EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV, - output, integrity_key_len)); + session_id.data(), session_id.size(), + EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV, output, + integrity_key_len)); EXPECT_EQ(Bytes(integrity_key_c2s.data(), integrity_key_c2s.size()), - Bytes(output, integrity_key_len)); + Bytes(output, integrity_key_len)); ASSERT_TRUE(SSHKDF(md, key.data(), key.size(), xcghash.data(), xcghash.size(), - session_id.data(), session_id.size(), - EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI, - output, integrity_key_len)); + session_id.data(), session_id.size(), + EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI, output, + integrity_key_len)); EXPECT_EQ(Bytes(integrity_key_s2c.data(), integrity_key_s2c.size()), - Bytes(output, integrity_key_len)); + Bytes(output, integrity_key_len)); delete[] output; output = NULL;
diff --git a/crypto/fipsmodule/tls/kdf.c b/crypto/fipsmodule/tls/kdf.c
index 4089fd34af..7625d66702 100644
--- a/crypto/fipsmodule/tls/kdf.c
+++ b/crypto/fipsmodule/tls/kdf.c
@@ -63,8 +63,7 @@ // section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and // |secret| as the secret. |label|, |seed1|, and |seed2| are concatenated to // form the seed parameter. It returns true on success and false on failure. -static int tls1_P_hash(uint8_t *out, size_t out_len, - const EVP_MD *md, +static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, const uint8_t *secret, size_t secret_len, const char *label, size_t label_len, const uint8_t *seed1, size_t seed1_len,
@@ -81,21 +80,19 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, if (!HMAC_Init_ex(&ctx_init, secret, secret_len, md, NULL) || !HMAC_CTX_copy_ex(&ctx, &ctx_init) || - !HMAC_Update(&ctx, (const uint8_t *) label, label_len) || + !HMAC_Update(&ctx, (const uint8_t *)label, label_len) || !HMAC_Update(&ctx, seed1, seed1_len) || - !HMAC_Update(&ctx, seed2, seed2_len) || - !HMAC_Final(&ctx, A1, &A1_len)) { + !HMAC_Update(&ctx, seed2, seed2_len) || !HMAC_Final(&ctx, A1, &A1_len)) { goto err; } for (;;) { unsigned len_u; uint8_t hmac[EVP_MAX_MD_SIZE]; - if (!HMAC_CTX_copy_ex(&ctx, &ctx_init) || - !HMAC_Update(&ctx, A1, A1_len) || + if (!HMAC_CTX_copy_ex(&ctx, &ctx_init) || !HMAC_Update(&ctx, A1, A1_len) || // Save a copy of |ctx| to compute the next A1 value below. (out_len > chunk && !HMAC_CTX_copy_ex(&ctx_tmp, &ctx)) || - !HMAC_Update(&ctx, (const uint8_t *) label, label_len) || + !HMAC_Update(&ctx, (const uint8_t *)label, label_len) || !HMAC_Update(&ctx, seed1, seed1_len) || !HMAC_Update(&ctx, seed2, seed2_len) || !HMAC_Final(&ctx, hmac, &len_u)) { @@ -134,11 +131,9 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, return ret; } -int CRYPTO_tls1_prf(const EVP_MD *digest, - uint8_t *out, size_t out_len, - const uint8_t *secret, size_t secret_len, - const char *label, size_t label_len, - const uint8_t *seed1, size_t seed1_len, +int CRYPTO_tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len, + const uint8_t *secret, size_t secret_len, const char *label, + size_t label_len, const uint8_t *seed1, size_t seed1_len, const uint8_t *seed2, size_t seed2_len) { // We have to avoid the underlying HMAC services updating the indicator state, // so we lock the state here. 
@@ -168,10 +163,10 @@ int CRYPTO_tls1_prf(const EVP_MD *digest, } ret = tls1_P_hash(out, out_len, digest, secret, secret_len, label, label_len, - seed1, seed1_len, seed2, seed2_len); + seed1, seed1_len, seed2, seed2_len); end: FIPS_service_indicator_unlock_state(); - if(ret) { + if (ret) { TLSKDF_verify_service_indicator(original_digest, label, label_len); } return ret;
diff --git a/crypto/hmac_extra/hmac_test.cc b/crypto/hmac_extra/hmac_test.cc
index 03a528f119..3afbea598b 100644
--- a/crypto/hmac_extra/hmac_test.cc
+++ b/crypto/hmac_extra/hmac_test.cc
@@ -115,7 +115,6 @@ static size_t GetPrecomputedKeySize(const std::string &name) { static void RunHMACTestEVP(const std::vector &key, const std::vector &msg, const std::vector &tag, const EVP_MD *md) { - bssl::UniquePtr pkey_mac( EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, nullptr, key.data(), key.size())); ASSERT_TRUE(pkey_mac);
@@ -125,12 +124,11 @@ static void RunHMACTestEVP(const std::vector &key, ASSERT_TRUE(EVP_PKEY_keygen_init(ctx.get())); auto hexkey = EncodeHex(key); ASSERT_TRUE(EVP_PKEY_CTX_ctrl_str(ctx.get(), "hexkey", hexkey.data())); - EVP_PKEY* my_pkey = NULL; + EVP_PKEY *my_pkey = NULL; ASSERT_TRUE(EVP_PKEY_keygen(ctx.get(), &my_pkey)); bssl::UniquePtr pkey_gen(my_pkey); ASSERT_TRUE(pkey_gen); for (const auto pkey : {pkey_mac.get(), pkey_gen.get()}) { - bssl::ScopedEVP_MD_CTX copy, mctx; size_t len; std::vector actual;
@@ -167,8 +165,8 @@ static void RunHMACTestEVP(const std::vector &key, ASSERT_TRUE( EVP_DigestSign(mctx.get(), nullptr, &len, msg.data(), msg.size())); actual.resize(len); - ASSERT_TRUE( - EVP_DigestSign(mctx.get(), actual.data(), &len, msg.data(), msg.size())); + ASSERT_TRUE(EVP_DigestSign(mctx.get(), actual.data(), &len, msg.data(), + msg.size())); actual.resize(len); EXPECT_EQ(Bytes(tag), Bytes(actual.data(), tag.size()));
@@ -216,12 +214,13 @@ static void RunHMACTestEVP(const std::vector &key, &retrieved_key_len)); EXPECT_EQ(key.size(), retrieved_key_len); retrieved_key.resize(retrieved_key_len); - EXPECT_TRUE(EVP_PKEY_get_raw_private_key(raw_pkey.get(), retrieved_key.data(), - &retrieved_key_len)); + EXPECT_TRUE(EVP_PKEY_get_raw_private_key( + raw_pkey.get(), retrieved_key.data(), &retrieved_key_len)); retrieved_key.resize(retrieved_key_len); EXPECT_EQ(Bytes(retrieved_key), Bytes(key)); - // Test retrieving key with a buffer length that's too small. This should fail + // Test retrieving key with a buffer length that's too small. This should + // fail if (!key.empty()) { size_t short_key_len = retrieved_key_len - 1; EXPECT_FALSE(EVP_PKEY_get_raw_private_key( @@ -251,14 +250,16 @@ TEST(HMACTest, TestVectors) { ASSERT_TRUE(HMAC(digest, key.data(), key.size(), input.data(), input.size(), mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer // Test using the one-shot API with precompute ASSERT_TRUE(HMAC_with_precompute(digest, key.data(), key.size(), input.data(), input.size(), mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer // Test using HMAC_CTX. bssl::ScopedHMAC_CTX ctx; 
@@ -267,30 +268,35 @@ TEST(HMACTest, TestVectors) { ASSERT_TRUE(HMAC_Update(ctx.get(), input.data(), input.size())); ASSERT_TRUE(HMAC_Final(ctx.get(), mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer uint8_t precomputed_key[HMAC_MAX_PRECOMPUTED_KEY_SIZE]; // Test that the precomputed key cannot be exported without calling // HMAC_set_precomputed_key_export size_t precomputed_key_len_out = HMAC_MAX_PRECOMPUTED_KEY_SIZE; - ASSERT_TRUE(HMAC_Init_ex(ctx.get(), key.data(), key.size(), digest, nullptr)); - ASSERT_FALSE(HMAC_get_precomputed_key(ctx.get(), precomputed_key, &precomputed_key_len_out)); + ASSERT_TRUE( + HMAC_Init_ex(ctx.get(), key.data(), key.size(), digest, nullptr)); + ASSERT_FALSE(HMAC_get_precomputed_key(ctx.get(), precomputed_key, + &precomputed_key_len_out)); // Test that the precomputed key cannot be exported if ctx not initialized // and the precomputed_key_export flag cannot be set bssl::ScopedHMAC_CTX ctx2; ASSERT_FALSE(HMAC_set_precomputed_key_export(ctx2.get())); precomputed_key_len_out = HMAC_MAX_PRECOMPUTED_KEY_SIZE; - ASSERT_FALSE(HMAC_get_precomputed_key(ctx2.get(), precomputed_key, &precomputed_key_len_out)); + ASSERT_FALSE(HMAC_get_precomputed_key(ctx2.get(), precomputed_key, + &precomputed_key_len_out)); // Get the precomputed key length for later use - // And test the precomputed key size is at most HMAC_MAX_PRECOMPUTED_KEY_SIZE - // and is equal to HMAC_xxx_PRECOMPUTED_KEY_SIZE, where xxx is the digest name + // And test the precomputed key size is at most + // HMAC_MAX_PRECOMPUTED_KEY_SIZE and is equal to + // HMAC_xxx_PRECOMPUTED_KEY_SIZE, where xxx is the digest name ASSERT_TRUE(HMAC_set_precomputed_key_export(ctx.get())); size_t precomputed_key_len; HMAC_get_precomputed_key(ctx.get(), nullptr, &precomputed_key_len); - 
ASSERT_LE(precomputed_key_len, (size_t) HMAC_MAX_PRECOMPUTED_KEY_SIZE); + ASSERT_LE(precomputed_key_len, (size_t)HMAC_MAX_PRECOMPUTED_KEY_SIZE); ASSERT_EQ(GetPrecomputedKeySize(digest_str), precomputed_key_len); // Test that at this point, the context cannot be used with HMAC_Update 
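Review bot: `HMAC_get_precomputed_key(ctx.get(), nullptr, &precomputed_key_len);` is the one call in this hunk whose result is not checked; `precomputed_key_len` is declared without an initializer just above it, so a failed length query would leave the following `ASSERT_LE` and `ASSERT_EQ` comparing an uninitialized value instead of failing at the cause. Wrap it like the neighbouring calls: `ASSERT_TRUE(HMAC_get_precomputed_key(ctx.get(), nullptr, &precomputed_key_len));`. The enclosing TEST body starts and ends outside this hunk.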
@@ -299,119 +305,155 @@ TEST(HMACTest, TestVectors) { // Export the precomputed key for later use precomputed_key_len_out = HMAC_MAX_PRECOMPUTED_KEY_SIZE; - ASSERT_TRUE(HMAC_get_precomputed_key(ctx.get(), precomputed_key, &precomputed_key_len_out)); + ASSERT_TRUE(HMAC_get_precomputed_key(ctx.get(), precomputed_key, + &precomputed_key_len_out)); ASSERT_EQ(precomputed_key_len, precomputed_key_len_out); // Test that at this point, the context can be used with HMAC_Update ASSERT_TRUE(HMAC_Update(ctx.get(), input.data(), input.size())); ASSERT_TRUE(HMAC_Final(ctx.get(), mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer // Test that an HMAC_CTX may be reset with the same key. ASSERT_TRUE(HMAC_Init_ex(ctx.get(), nullptr, 0, digest, nullptr)); ASSERT_TRUE(HMAC_Update(ctx.get(), input.data(), input.size())); ASSERT_TRUE(HMAC_Final(ctx.get(), mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer // Same test but with HMAC_Init_from_precomputed_key ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), nullptr, 0, digest)); ASSERT_TRUE(HMAC_Update(ctx.get(), input.data(), input.size())); ASSERT_TRUE(HMAC_Final(ctx.get(), mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer // Test that an HMAC_CTX may be reset with the same key and a null md ASSERT_TRUE(HMAC_Init_ex(ctx.get(), nullptr, 0, nullptr, nullptr)); ASSERT_TRUE(HMAC_Update(ctx.get(), input.data(), input.size())); ASSERT_TRUE(HMAC_Final(ctx.get(), 
mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer // Same test but using the Init_from_precomputed_key instead ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), nullptr, 0, nullptr)); ASSERT_TRUE(HMAC_Update(ctx.get(), input.data(), input.size())); ASSERT_TRUE(HMAC_Final(ctx.get(), mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer - // Some callers will call init multiple times and we need to ensure that doesn't break anything - ASSERT_TRUE(HMAC_Init_ex(ctx.get(), key.data(), key.size(), digest, nullptr)); + // Some callers will call init multiple times and we need to ensure that + // doesn't break anything + ASSERT_TRUE( + HMAC_Init_ex(ctx.get(), key.data(), key.size(), digest, nullptr)); ASSERT_TRUE(HMAC_Init_ex(ctx.get(), nullptr, 0, nullptr, nullptr)); ASSERT_TRUE(HMAC_Update(ctx.get(), input.data(), input.size())); ASSERT_TRUE(HMAC_Final(ctx.get(), mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer // Same test but using a mix of Init_ex and Init_from_precomputed_key - ASSERT_TRUE(HMAC_Init_ex(ctx.get(), key.data(), key.size(), digest, nullptr)); + ASSERT_TRUE( + HMAC_Init_ex(ctx.get(), key.data(), key.size(), digest, nullptr)); ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), nullptr, 0, nullptr)); ASSERT_TRUE(HMAC_Init_ex(ctx.get(), nullptr, 0, nullptr, nullptr)); ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), nullptr, 0, nullptr)); ASSERT_TRUE(HMAC_Update(ctx.get(), 
input.data(), input.size())); ASSERT_TRUE(HMAC_Final(ctx.get(), mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer // Test that the HMAC_CTX can be reset using the precomputed key - ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), precomputed_key, precomputed_key_len, nullptr)); + ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), precomputed_key, + precomputed_key_len, nullptr)); ASSERT_TRUE(HMAC_Update(ctx.get(), input.data(), input.size())); ASSERT_TRUE(HMAC_Final(ctx.get(), mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer // Same test but starting from an empty context ctx.Reset(); - ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), precomputed_key, precomputed_key_len, digest)); + ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), precomputed_key, + precomputed_key_len, digest)); ASSERT_TRUE(HMAC_Update(ctx.get(), input.data(), input.size())); ASSERT_TRUE(HMAC_Final(ctx.get(), mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer - // Some callers will call init_from_precomputed_key multiple times and we need to ensure that doesn't break anything - ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), precomputed_key, precomputed_key_len, nullptr)); + // Some callers will call init_from_precomputed_key multiple times and we + // need to ensure that doesn't break anything + ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), precomputed_key, + precomputed_key_len, 
nullptr)); ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), nullptr, 0, nullptr)); ASSERT_TRUE(HMAC_Update(ctx.get(), input.data(), input.size())); ASSERT_TRUE(HMAC_Final(ctx.get(), mac.get(), &mac_len)); EXPECT_EQ(Bytes(output), Bytes(mac.get(), mac_len)); - OPENSSL_memset(mac.get(), 0, expected_mac_len); // Clear the prior correct answer + OPENSSL_memset(mac.get(), 0, + expected_mac_len); // Clear the prior correct answer // Test that we get an error if the out_len is not large enough or is null uint8_t precomputed_key2[HMAC_MAX_PRECOMPUTED_KEY_SIZE]; size_t precomputed_key_len_out2; - ASSERT_TRUE(HMAC_Init_ex(ctx.get(), key.data(), key.size(), digest, nullptr)); + ASSERT_TRUE( + HMAC_Init_ex(ctx.get(), key.data(), key.size(), digest, nullptr)); ASSERT_TRUE(HMAC_set_precomputed_key_export(ctx.get())); - ASSERT_TRUE(HMAC_set_precomputed_key_export(ctx.get())); // testing we can set it twice - precomputed_key_len_out2 = precomputed_key_len - 1; // slightly too short - ASSERT_FALSE(HMAC_get_precomputed_key(ctx.get(), precomputed_key2, &precomputed_key_len_out2)); - precomputed_key_len_out2 = 0; // 0-size should also fail - ASSERT_FALSE(HMAC_get_precomputed_key(ctx.get(), precomputed_key2, &precomputed_key_len_out2)); - ASSERT_FALSE(HMAC_get_precomputed_key(ctx.get(), precomputed_key2, nullptr)); - - // Test that we get the same precompute_key the second time we correctly call HMAC_get_precomputed_key - precomputed_key_len_out2 = precomputed_key_len; // testing with the out_len is the exact value - ASSERT_TRUE(HMAC_get_precomputed_key(ctx.get(), precomputed_key2, &precomputed_key_len_out2)); + ASSERT_TRUE(HMAC_set_precomputed_key_export( + ctx.get())); // testing we can set it twice + precomputed_key_len_out2 = precomputed_key_len - 1; // slightly too short + ASSERT_FALSE(HMAC_get_precomputed_key(ctx.get(), precomputed_key2, + &precomputed_key_len_out2)); + precomputed_key_len_out2 = 0; // 0-size should also fail + 
ASSERT_FALSE(HMAC_get_precomputed_key(ctx.get(), precomputed_key2, + &precomputed_key_len_out2)); + ASSERT_FALSE( + HMAC_get_precomputed_key(ctx.get(), precomputed_key2, nullptr)); + + // Test that we get the same precompute_key the second time we correctly + // call HMAC_get_precomputed_key + precomputed_key_len_out2 = + precomputed_key_len; // testing with the out_len is the exact value + ASSERT_TRUE(HMAC_get_precomputed_key(ctx.get(), precomputed_key2, + &precomputed_key_len_out2)); ASSERT_EQ(precomputed_key_len, precomputed_key_len_out2); - ASSERT_EQ(Bytes(precomputed_key, precomputed_key_len), Bytes(precomputed_key2, precomputed_key_len)); - OPENSSL_memset(precomputed_key2, 0, HMAC_MAX_PRECOMPUTED_KEY_SIZE); // Clear the prior correct answer - - // Test that at this point, the context cannot be used to re-export the precomputed key + ASSERT_EQ(Bytes(precomputed_key, precomputed_key_len), + Bytes(precomputed_key2, precomputed_key_len)); + OPENSSL_memset( + precomputed_key2, 0, + HMAC_MAX_PRECOMPUTED_KEY_SIZE); // Clear the prior correct answer + + // Test that at this point, the context cannot be used to re-export the + // precomputed key precomputed_key_len_out2 = HMAC_MAX_PRECOMPUTED_KEY_SIZE; - ASSERT_FALSE(HMAC_get_precomputed_key(ctx.get(), precomputed_key2, &precomputed_key_len_out2)); - // Check that precomputed_key_len_out2 and precomputed_key2 were not modified and are still their original value + ASSERT_FALSE(HMAC_get_precomputed_key(ctx.get(), precomputed_key2, + &precomputed_key_len_out2)); + // Check that precomputed_key_len_out2 and precomputed_key2 were not + // modified and are still their original value uint8_t zero_precomputed_key[HMAC_MAX_PRECOMPUTED_KEY_SIZE]; OPENSSL_memset(zero_precomputed_key, 0, HMAC_MAX_PRECOMPUTED_KEY_SIZE); ASSERT_EQ((size_t)HMAC_MAX_PRECOMPUTED_KEY_SIZE, precomputed_key_len_out2); - ASSERT_EQ(Bytes(zero_precomputed_key, HMAC_MAX_PRECOMPUTED_KEY_SIZE), Bytes(precomputed_key2, HMAC_MAX_PRECOMPUTED_KEY_SIZE)); + 
ASSERT_EQ(Bytes(zero_precomputed_key, HMAC_MAX_PRECOMPUTED_KEY_SIZE), + Bytes(precomputed_key2, HMAC_MAX_PRECOMPUTED_KEY_SIZE)); // Same but initializing the ctx using the precompute key in the first place ctx.Reset(); - ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), precomputed_key, precomputed_key_len, digest)); + ASSERT_TRUE(HMAC_Init_from_precomputed_key(ctx.get(), precomputed_key, + precomputed_key_len, digest)); ASSERT_TRUE(HMAC_set_precomputed_key_export(ctx.get())); - ASSERT_TRUE(HMAC_get_precomputed_key(ctx.get(), precomputed_key2, &precomputed_key_len_out2)); + ASSERT_TRUE(HMAC_get_precomputed_key(ctx.get(), precomputed_key2, + &precomputed_key_len_out2)); ASSERT_EQ(precomputed_key_len, precomputed_key_len_out2); - ASSERT_EQ(Bytes(precomputed_key, precomputed_key_len), Bytes(precomputed_key2, precomputed_key_len)); + ASSERT_EQ(Bytes(precomputed_key, precomputed_key_len), + Bytes(precomputed_key2, precomputed_key_len)); // Test feeding the input in byte by byte. ASSERT_TRUE(HMAC_Init_ex(ctx.get(), nullptr, 0, nullptr, nullptr)); @@ -426,12 +468,14 @@ TEST(HMACTest, TestVectors) { // Test that initializing without the precomputed_key does not work ctx.Reset(); - ASSERT_FALSE(HMAC_Init_from_precomputed_key(ctx.get(), nullptr, precomputed_key_len, digest)); + ASSERT_FALSE(HMAC_Init_from_precomputed_key(ctx.get(), nullptr, + precomputed_key_len, digest)); // Test that initializing with the wrong precomputed_key_len does not work ctx.Reset(); ASSERT_FALSE(HMAC_Init_from_precomputed_key(ctx.get(), nullptr, 1, digest)); - ASSERT_FALSE(HMAC_Init_from_precomputed_key(ctx.get(), nullptr, precomputed_key_len+1, digest)); + ASSERT_FALSE(HMAC_Init_from_precomputed_key( + ctx.get(), nullptr, precomputed_key_len + 1, digest)); }); } 
@@ -492,13 +536,15 @@ TEST(HMACTest, WycheproofSHA512) {
 }
 TEST(HMACTest, WycheproofSHA512_224) {
- RunWycheproofTest("third_party/wycheproof_testvectors/hmac_sha512_224_test.txt",
- EVP_sha512_224());
+ RunWycheproofTest(
+ "third_party/wycheproof_testvectors/hmac_sha512_224_test.txt",
+ EVP_sha512_224());
 }
 TEST(HMACTest, WycheproofSHA512_256) {
- RunWycheproofTest("third_party/wycheproof_testvectors/hmac_sha512_256_test.txt",
- EVP_sha512_256());
+ RunWycheproofTest(
+ "third_party/wycheproof_testvectors/hmac_sha512_256_test.txt",
+ EVP_sha512_256());
 }
 TEST(HMACTest, EVP_DigestVerify) {
@@ -531,14 +577,14 @@ TEST(HMACTest, HandlesNullOutputParameters) {
 // make key and input valid
 const uint8_t key[32] = {0};
 const uint8_t input[16] = {0};
-
+
 // Test one-shot API with out and out_len as NULL
 ASSERT_FALSE(HMAC(digest, &key[0], sizeof(key), &input[0], sizeof(input),
- nullptr,nullptr));
+ nullptr, nullptr));
 unsigned mac_len;
 // Test one-shot API with only out as NULL
 ASSERT_FALSE(HMAC(digest, &key[0], sizeof(key), &input[0], sizeof(input),
- nullptr, &mac_len));
+ nullptr, &mac_len));
 // Test HMAC_ctx
 ASSERT_TRUE(HMAC_Init_ex(ctx.get(), &key[0], sizeof(key), digest, nullptr));
diff --git a/crypto/hpke/hpke.c b/crypto/hpke/hpke.c
index bd4c22bbee..44926bc62b 100644
--- a/crypto/hpke/hpke.c
+++ b/crypto/hpke/hpke.c
@@ -111,8 +111,7 @@ static int hpke_labeled_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
 const uint8_t *info, size_t info_len) {
 // labeledInfo = concat(I2OSP(L, 2), "HPKE-v1", suite_id, label, info)
 CBB labeled_info;
- int ok = CBB_init(&labeled_info, 0) &&
- CBB_add_u16(&labeled_info, out_len) &&
+ int ok = CBB_init(&labeled_info, 0) && CBB_add_u16(&labeled_info, out_len) &&
 add_label_string(&labeled_info, kHpkeVersionId) &&
 CBB_add_bytes(&labeled_info, suite_id, suite_id_len) &&
 add_label_string(&labeled_info, label) &&
@@ -396,7 +395,7 @@ int EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY *key, uint8_t *out,
 }
 int EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY *key, uint8_t *out,
- size_t *out_len, size_t max_out) {
+ size_t *out_len, size_t max_out) {
 if (max_out < key->kem->private_key_len) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
 return 0;
@@ -559,7 +558,7 @@ EVP_HPKE_CTX *EVP_HPKE_CTX_new(void) {
 return NULL;
 }
 // NO-OP: struct already zeroed
- //EVP_HPKE_CTX_zero(ctx);
+ // EVP_HPKE_CTX_zero(ctx);
 return ctx;
 }
diff --git a/crypto/hpke/hpke_test.cc b/crypto/hpke/hpke_test.cc
index ce68adc601..90faef9866 100644
--- a/crypto/hpke/hpke_test.cc
+++ b/crypto/hpke/hpke_test.cc
@@ -272,8 +272,7 @@ bool HPKETestVector::ReadFromFileTest(FileTest *t) {
 if (!FileTestReadInt(t, &mode, "mode") ||
 !FileTestReadInt(t, &kdf_id_, "kdf_id") ||
 !FileTestReadInt(t, &aead_id_, "aead_id") ||
- !t->GetBytes(&info_, "info") ||
- !t->GetBytes(&secret_key_r_, "skRm") ||
+ !t->GetBytes(&info_, "info") || !t->GetBytes(&secret_key_r_, "skRm") ||
 !t->GetBytes(&public_key_r_, "pkRm") ||
 !t->GetBytes(&secret_key_e_, "skEm") ||
 !t->GetBytes(&public_key_e_, "pkEm")) {
@@ -351,8 +350,7 @@ TEST(HPKETest, RoundTrip) {
 // Generate the sender's keypair, for auth modes.
 ScopedEVP_HPKE_KEY sender_key;
- ASSERT_TRUE(
- EVP_HPKE_KEY_generate(sender_key.get(), kem));
+ ASSERT_TRUE(EVP_HPKE_KEY_generate(sender_key.get(), kem));
 uint8_t public_key_s[X25519_PUBLIC_VALUE_LEN];
 size_t public_key_s_len;
 ASSERT_TRUE(EVP_HPKE_KEY_public_key(sender_key.get(), public_key_s,
diff --git a/crypto/hrss/hrss.c b/crypto/hrss/hrss.c
index e05fef4851..11ea9309b3 100644
--- a/crypto/hrss/hrss.c
+++ b/crypto/hrss/hrss.c
@@ -193,7 +193,7 @@ static inline vec_t vec_broadcast_bit(vec_t a) {
 // boundary. But, I can't find any information about |uint16x8_t| should
 // necessarily be aligned to a 16-byte boundary. We verify 16-byte alignment in
 // |poly_mul_vec()|, so try to force alignment here.
-typedef uint16x8_t vec_t __attribute__ ((aligned (16)));
+typedef uint16x8_t vec_t __attribute__((aligned(16)));
 // These functions perform the same actions as the SSE2 function of the same
 // name, above.
@@ -229,9 +229,7 @@ static inline vec_t vec_merge_3_5(vec_t left, vec_t right) {
 return vextq_u16(left, right, 5);
 }
-static inline uint16_t vec_get_word(vec_t v, unsigned i) {
- return v[i];
-}
+static inline uint16_t vec_get_word(vec_t v, unsigned i) { return v[i]; }
 #if !defined(OPENSSL_AARCH64)
@@ -317,20 +315,13 @@ static void poly2_zero(struct poly2 *p) {
 static crypto_word_t word_reverse(crypto_word_t in) {
 #if defined(OPENSSL_64_BIT)
 static const crypto_word_t kMasks[6] = {
- UINT64_C(0x5555555555555555),
- UINT64_C(0x3333333333333333),
- UINT64_C(0x0f0f0f0f0f0f0f0f),
- UINT64_C(0x00ff00ff00ff00ff),
- UINT64_C(0x0000ffff0000ffff),
- UINT64_C(0x00000000ffffffff),
+ UINT64_C(0x5555555555555555), UINT64_C(0x3333333333333333),
+ UINT64_C(0x0f0f0f0f0f0f0f0f), UINT64_C(0x00ff00ff00ff00ff),
+ UINT64_C(0x0000ffff0000ffff), UINT64_C(0x00000000ffffffff),
 };
 #else
 static const crypto_word_t kMasks[5] = {
- 0x55555555,
- 0x33333333,
- 0x0f0f0f0f,
- 0x00ff00ff,
- 0x0000ffff,
+ 0x55555555, 0x33333333, 0x0f0f0f0f, 0x00ff00ff, 0x0000ffff,
 };
 #endif
@@ -365,12 +356,12 @@ static void poly2_reverse_700(struct poly2 *out, const struct poly2 *in) {
 t.v[i] = word_reverse(in->v[i]);
 }
- static const size_t shift = BITS_PER_WORD - ((N-1) % BITS_PER_WORD);
- for (size_t i = 0; i < WORDS_PER_POLY-1; i++) {
- out->v[i] = t.v[WORDS_PER_POLY-1-i] >> shift;
- out->v[i] |= t.v[WORDS_PER_POLY-2-i] << (BITS_PER_WORD - shift);
+ static const size_t shift = BITS_PER_WORD - ((N - 1) % BITS_PER_WORD);
+ for (size_t i = 0; i < WORDS_PER_POLY - 1; i++) {
+ out->v[i] = t.v[WORDS_PER_POLY - 1 - i] >> shift;
+ out->v[i] |= t.v[WORDS_PER_POLY - 2 - i] << (BITS_PER_WORD - shift);
 }
- out->v[WORDS_PER_POLY-1] = t.v[0] >> shift;
+ out->v[WORDS_PER_POLY - 1] = t.v[0] >> shift;
 }
 // poly2_cswap exchanges the values of |a| and |b| if |swap| is all ones.
@@ -805,15 +796,14 @@ static void poly3_invert_vec(struct poly3 *out, const struct poly3 *in) {
 int delta = 1;
- for (size_t i = 0; i < (2*(N-1)) - 1; i++) {
+ for (size_t i = 0; i < (2 * (N - 1)) - 1; i++) {
 poly3_vec_lshift1(v_s, v_a);
 const crypto_word_t delta_sign_bit = (delta >> (sizeof(delta) * 8 - 1)) & 1;
 const crypto_word_t delta_is_non_negative = delta_sign_bit - 1;
 const crypto_word_t delta_is_non_zero = ~constant_time_is_zero_w(delta);
 const vec_t g_has_constant_term = vec_broadcast_bit(g_a[0]);
- const vec_t mask_w =
- {delta_is_non_negative & delta_is_non_zero};
+ const vec_t mask_w = {delta_is_non_negative & delta_is_non_zero};
 const vec_t mask = vec_broadcast_bit(mask_w) & g_has_constant_term;
 const vec_t c_a = vec_broadcast_bit(f_a[0] & g_a[0]);
@@ -825,7 +815,7 @@ static void poly3_invert_vec(struct poly3 *out, const struct poly3 *in) {
 // This is necessary because older versions of GCC, such as version 4.1.2,
 // do not support accessing individual elements of the __m128i type
 alignas(16) uint64_t mask_tmp[2];
- _mm_store_si128((void*) mask_tmp, mask);
+ _mm_store_si128((void *)mask_tmp, mask);
 delta = constant_time_select_int(lsb_to_all(mask_tmp[0]), -delta, delta);
 #else
 delta = constant_time_select_int(lsb_to_all(mask[0]), -delta, delta);
@@ -876,7 +866,7 @@ void HRSS_poly3_invert(struct poly3 *out, const struct poly3 *in) {
 poly3_reverse_700(&g, in);
 int delta = 1;
- for (size_t i = 0; i < (2*(N-1)) - 1; i++) {
+ for (size_t i = 0; i < (2 * (N - 1)) - 1; i++) {
 poly3_lshift1(&v);
 const crypto_word_t delta_sign_bit = (delta >> (sizeof(delta) * 8 - 1)) & 1;
@@ -925,7 +915,7 @@ void HRSS_poly3_invert(struct poly3 *out, const struct poly3 *in) {
 // Coefficients are ordered little-endian, thus the coefficient of x^0 is the
 // first element of the array.
 struct poly {
- alignas(16) uint16_t v[N+3];
+ alignas(16) uint16_t v[N + 3];
 };
 #if defined(HRSS_HAVE_VECTOR_UNIT)
@@ -935,12 +925,10 @@ struct poly_vec {
 vec_t vectors[VECS_PER_POLY];
 };
-static void poly_vec2poly(struct poly *p, const struct poly_vec *pv)
-{
+static void poly_vec2poly(struct poly *p, const struct poly_vec *pv) {
 OPENSSL_memcpy(p, pv, sizeof(*p));
 }
-static void poly2poly_vec(struct poly_vec *pv, const struct poly *p)
-{
+static void poly2poly_vec(struct poly_vec *pv, const struct poly *p) {
 OPENSSL_memcpy(pv, p, sizeof(*p));
 }
 #endif
@@ -1260,7 +1248,8 @@ static void poly_mul_vec(struct POLY_MUL_SCRATCH *scratch, struct poly *out,
 vec_t *const prod = scratch->u.vec.prod;
 vec_t *const aux_scratch = scratch->u.vec.scratch;
- poly_mul_vec_aux(prod, aux_scratch, x_vec.vectors, y_vec.vectors, VECS_PER_POLY);
+ poly_mul_vec_aux(prod, aux_scratch, x_vec.vectors, y_vec.vectors,
+ VECS_PER_POLY);
 // |prod| needs to be reduced mod (𝑥^n - 1), which just involves adding the
 // upper-half to the lower-half. However, N is 701, which isn't a multiple of
@@ -1292,7 +1281,7 @@ static void poly_mul_novec_aux(uint16_t *out, uint16_t *scratch,
 OPENSSL_memset(out, 0, sizeof(uint16_t) * n * 2);
 for (size_t i = 0; i < n; i++) {
 for (size_t j = 0; j < n; j++) {
- out[i + j] += (unsigned) a[i] * b[j];
+ out[i + j] += (unsigned)a[i] * b[j];
 }
 }
@@ -1360,7 +1349,7 @@ static void poly_mul(struct POLY_MUL_SCRATCH *scratch, struct poly *r,
 #endif
 #if defined(HRSS_HAVE_VECTOR_UNIT)
- if (vec_capable()) {
+ if (vec_capable()) {
 poly_mul_vec(scratch, r, a, b);
 } else
 #endif
@@ -1589,7 +1578,7 @@ static void poly_invert_mod2(struct poly *out, const struct poly *in) {
 poly2_reverse_700(&g, &g);
 int delta = 1;
- for (size_t i = 0; i < (2*(N-1)) - 1; i++) {
+ for (size_t i = 0; i < (2 * (N - 1)) - 1; i++) {
 poly2_lshift1(&v);
 const crypto_word_t delta_sign_bit = (delta >> (sizeof(delta) * 8 - 1)) & 1;
@@ -1754,7 +1743,7 @@ static void poly_marshal_mod3(uint8_t out[HRSS_POLY3_BYTES],
 const uint16_t *coeffs = in->v;
 // Only 700 coefficients are marshaled because in[700] must be zero.
- assert(coeffs[N-1] == 0);
+ assert(coeffs[N - 1] == 0);
 for (size_t i = 0; i < HRSS_POLY3_BYTES; i++) {
 const uint16_t coeffs0 = mod3_from_modQ(coeffs[0]);
@@ -1777,8 +1766,7 @@ static void poly_marshal_mod3(uint8_t out[HRSS_POLY3_BYTES],
 // function uses that freedom to implement a flatter distribution of values.
 static void poly_short_sample(struct poly *out,
 const uint8_t in[HRSS_SAMPLE_BYTES]) {
- OPENSSL_STATIC_ASSERT(HRSS_SAMPLE_BYTES == N - 1,
- HRSS_SAMPLE_BYTES_incorrect)
+ OPENSSL_STATIC_ASSERT(HRSS_SAMPLE_BYTES == N - 1, HRSS_SAMPLE_BYTES_incorrect)
 for (size_t i = 0; i < N - 1; i++) {
 uint16_t v = mod3(in[i]);
 // Map {0, 1, 2} -> {0, 1, 0xffff}
@@ -1799,15 +1787,15 @@ static void poly_short_sample_plus(struct poly *out,
 // because |sum| is bound by +/- (N-2), and N < 2^15 so it works out.
 uint16_t sum = 0;
 for (unsigned i = 0; i < N - 2; i++) {
- sum += (unsigned) out->v[i] * out->v[i + 1];
+ sum += (unsigned)out->v[i] * out->v[i + 1];
 }
 // If the sum is negative, flip the sign of even-positioned coefficients. (See
 // page 8 of [HRSS].)
- sum = ((int16_t) sum) >> 15;
+ sum = ((int16_t)sum) >> 15;
 const uint16_t scale = sum | (~sum & 1);
 for (unsigned i = 0; i < N; i += 2) {
- out->v[i] = (unsigned) out->v[i] * scale;
+ out->v[i] = (unsigned)out->v[i] * scale;
 }
 poly_assert_normalized(out);
 }
@@ -1904,7 +1892,7 @@ static void poly_lift(struct poly *out, const struct poly *a) {
 // Note that s0 + s1 + s2 = 0.
 out->v[0] += s0;
- out->v[1] -= (s0 + s2); // = s1
+ out->v[1] -= (s0 + s2); // = s1
 out->v[2] += s2;
 // Calculate the remaining inner products by taking advantage of the
@@ -2001,7 +1989,7 @@ int HRSS_generate_key(
 // The private key output is randomised in case it's later passed to
 // |HRSS_encap|.
 memset(out_pub, 0, sizeof(struct HRSS_private_key));
- RAND_bytes((uint8_t*) out_priv, sizeof(struct HRSS_private_key));
+ RAND_bytes((uint8_t *)out_priv, sizeof(struct HRSS_private_key));
 return 0;
 }
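Review bot: In the HRSS_generate_key hunk, `memset(out_pub, 0, sizeof(struct HRSS_private_key));` sizes the zeroing of the public-key output by the private-key type; out_pub presumably points at a public-key object (the next line handles out_priv separately with the same sizeof), so if the private-key struct is the larger of the two this write runs past the end of out_pub on the failure path. The length should follow the object being cleared: `memset(out_pub, 0, sizeof(*out_pub));`. HRSS_generate_key's parameter list and body begin outside the hunk, so the pointee type cannot be confirmed here and should be checked against the header before relying on the current size.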
@@ -2098,8 +2086,8 @@ int HRSS_encap(uint8_t out_ciphertext[POLY_BYTES], uint8_t out_shared_key[32],
 }
 int HRSS_decap(uint8_t out_shared_key[HRSS_KEY_BYTES],
- const struct HRSS_private_key *in_priv,
- const uint8_t *ciphertext, size_t ciphertext_len) {
+ const struct HRSS_private_key *in_priv,
+ const uint8_t *ciphertext, size_t ciphertext_len) {
 const struct private_key *priv =
 private_key_from_external((struct HRSS_private_key *)in_priv);
diff --git a/crypto/hrss/hrss_test.cc b/crypto/hrss/hrss_test.cc
index 8bcbc9e94e..f5c25bc694 100644
--- a/crypto/hrss/hrss_test.cc
+++ b/crypto/hrss/hrss_test.cc
@@ -67,15 +67,17 @@ TEST(HRSS, Poly3Invert) {
 p.s.v[0] = 1;
 p.a.v[0] = 1;
 HRSS_poly3_invert(&inverse, &p);
- EXPECT_EQ(Bytes(reinterpret_cast(&p), sizeof(p)),
- Bytes(reinterpret_cast(&inverse), sizeof(inverse)));
+ EXPECT_EQ(
+ Bytes(reinterpret_cast(&p), sizeof(p)),
+ Bytes(reinterpret_cast(&inverse), sizeof(inverse)));
 // The inverse of 1 is 1.
 p.s.v[0] = 0;
 p.a.v[0] = 1;
 HRSS_poly3_invert(&inverse, &p);
- EXPECT_EQ(Bytes(reinterpret_cast(&p), sizeof(p)),
- Bytes(reinterpret_cast(&inverse), sizeof(inverse)));
+ EXPECT_EQ(
+ Bytes(reinterpret_cast(&p), sizeof(p)),
+ Bytes(reinterpret_cast(&inverse), sizeof(inverse)));
 for (size_t i = 0; i < 500; i++) {
 poly3 r;
@@ -123,10 +125,10 @@ TEST(HRSS, Poly3UnreducedInput) {
 // Check that x^700 × 1 gives -x^699 - x^698 … -1.
 poly3 x700;
 memset(&x700, 0, sizeof(x700));
- x700.a.v[WORDS_PER_POLY-1] = UINT64_C(1) << (BITS_IN_LAST_WORD - 1);
+ x700.a.v[WORDS_PER_POLY - 1] = UINT64_C(1) << (BITS_IN_LAST_WORD - 1);
 HRSS_poly3_mul(&result, &one, &x700);
- for (size_t i = 0; i < WORDS_PER_POLY-1; i++) {
+ for (size_t i = 0; i < WORDS_PER_POLY - 1; i++) {
 EXPECT_EQ(CONSTTIME_TRUE_W, result.s.v[i]);
 EXPECT_EQ(CONSTTIME_TRUE_W, result.a.v[i]);
 }
@@ -190,7 +192,7 @@ TEST(HRSS, Random) {
 EXPECT_EQ(Bytes(shared_key), Bytes(shared_key2));
 uint32_t offset;
- RAND_bytes((uint8_t*) &offset, sizeof(offset));
+ RAND_bytes((uint8_t *)&offset, sizeof(offset));
 uint8_t bit;
 RAND_bytes(&bit, sizeof(bit));
 ciphertext[offset % sizeof(ciphertext)] ^= (1 << (bit & 7));
@@ -494,12 +496,13 @@ TEST(HRSS, ABI) {
 OPENSSL_STATIC_ASSERT(sizeof(kCanary) % 32 == 0, needed_for_alignment)
 memset(kCanary, 42, sizeof(kCanary));
- stack_align_type buffer_scratch[32 + sizeof(kCanary) + POLY_MUL_RQ_SCRATCH_SPACE + sizeof(kCanary)];
- uint8_t *aligned_scratch = (uint8_t *) align_pointer(buffer_scratch, 32);
+ stack_align_type buffer_scratch[32 + sizeof(kCanary) +
+ POLY_MUL_RQ_SCRATCH_SPACE + sizeof(kCanary)];
+ uint8_t *aligned_scratch = (uint8_t *)align_pointer(buffer_scratch, 32);
 OPENSSL_memcpy(aligned_scratch, kCanary, sizeof(kCanary));
- OPENSSL_memcpy(aligned_scratch + sizeof(kCanary) + POLY_MUL_RQ_SCRATCH_SPACE, kCanary,
- sizeof(kCanary));
+ OPENSSL_memcpy(aligned_scratch + sizeof(kCanary) + POLY_MUL_RQ_SCRATCH_SPACE,
+ kCanary, sizeof(kCanary));
 // The function should not touch more than |POLY_MUL_RQ_SCRATCH_SPACE| bytes
 // of |scratch|.
diff --git a/crypto/hrss/internal.h b/crypto/hrss/internal.h
index 5d679f87dc..5e9ea9c3ff 100644
--- a/crypto/hrss/internal.h
+++ b/crypto/hrss/internal.h
@@ -16,8 +16,8 @@
 #define OPENSSL_HEADER_HRSS_INTERNAL_H
 #include
-#include "../internal.h"
 #include "../fipsmodule/cpucap/internal.h"
+#include "../internal.h"
 #if defined(__cplusplus)
 extern "C" {
@@ -46,7 +46,7 @@ OPENSSL_EXPORT void HRSS_poly3_invert(struct poly3 *out,
 // explicit permission for this and signed a CLA.) However it's 57KB of object
 // code, so it's not used if |OPENSSL_SMALL| is defined.
 #if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SMALL) && \
- defined(OPENSSL_X86_64) && defined(OPENSSL_LINUX) && \
+ defined(OPENSSL_X86_64) && defined(OPENSSL_LINUX) && \
 !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX)
 #define POLY_RQ_MUL_ASM
 // POLY_MUL_RQ_SCRATCH_SPACE is the number of bytes of scratch space needed
diff --git a/crypto/impl_dispatch_test.cc b/crypto/impl_dispatch_test.cc
index fa27997a85..0f08cd3eba 100644
--- a/crypto/impl_dispatch_test.cc
+++ b/crypto/impl_dispatch_test.cc
@@ -22,15 +22,15 @@
 #include
 #include
-#include
 #include
+#include
 #include
-#include "internal.h"
+#include "fipsmodule/bn/rsaz_exp.h"
 #include "fipsmodule/cpucap/internal.h"
 #include "fipsmodule/modes/internal.h"
-#include "fipsmodule/bn/rsaz_exp.h"
+#include "internal.h"
 #include "test/file_test.h"
@@ -43,19 +43,18 @@ class ImplDispatchTest : public ::testing::Test {
 aes_vpaes_ = CRYPTO_is_SSSE3_capable();
 ifma_avx512 = CRYPTO_is_AVX512IFMA_capable();
 sha_ext_ =
-// TODO(CryptoAlg-2137): sha_ext_ isn't enabled on Windows Debug Builds with newer
-// 32-bit Intel processors.
+// TODO(CryptoAlg-2137): sha_ext_ isn't enabled on Windows Debug Builds with
+// newer 32-bit Intel processors.
 #if !(defined(OPENSSL_WINDOWS) && defined(OPENSSL_X86) && !defined(NDEBUG))
- CRYPTO_is_SHAEXT_capable();
+ CRYPTO_is_SHAEXT_capable();
 #else
- false;
+ false;
 #endif
 vaes_vpclmulqdq_ =
 #if !defined(OPENSSL_WINDOWS)
- // crypto_gcm_avx512_enabled excludes Windows
- CRYPTO_is_AVX512_capable() &&
- CRYPTO_is_VAES_capable() &&
+ // crypto_gcm_avx512_enabled excludes Windows
+ CRYPTO_is_AVX512_capable() && CRYPTO_is_VAES_capable() &&
 CRYPTO_is_VPCLMULQDQ_capable();
 #else
 false;
@@ -72,13 +71,13 @@ class ImplDispatchTest : public ::testing::Test {
 true;
 #else
 false;
-#endif // MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX
+#endif // MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX
 is_assembler_too_old_avx512 =
 #if defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX)
 true;
 #else
 false;
-#endif // MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX
+#endif // MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX
 #elif defined(OPENSSL_AARCH64)
 aes_hw_ = CRYPTO_is_ARMv8_AES_capable();
 aes_vpaes_ = CRYPTO_is_NEON_capable();
@@ -100,7 +99,7 @@ class ImplDispatchTest : public ::testing::Test {
 f();
- for (const auto& flag : flags) {
+ for (const auto &flag : flags) {
 SCOPED_TRACE(flag.first);
 ASSERT_LT(flag.first, sizeof(BORINGSSL_function_hit));
 EXPECT_EQ(flag.second, BORINGSSL_function_hit[flag.first] == 1);
@@ -123,16 +122,16 @@ class ImplDispatchTest : public ::testing::Test {
 bool is_assembler_too_old = false;
 bool is_assembler_too_old_avx512 = false;
 bool ifma_avx512 = false;
-#else // AARCH64
+#else // AARCH64
 bool aes_gcm_pmull_ = false;
 bool aes_gcm_8x_ = false;
 bool sha_512_ext_ = false;
 #endif
-
 };
-#if !defined(OPENSSL_NO_ASM) && (defined(OPENSSL_X86) || \
- defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64))
+#if !defined(OPENSSL_NO_ASM) && \
+ (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
+ defined(OPENSSL_AARCH64))
 constexpr size_t kFlag_aes_hw_ctr32_encrypt_blocks = 0;
 constexpr size_t kFlag_aes_hw_encrypt = 1;
@@ -144,7 +143,7 @@ constexpr size_t kFlag_sha256_hw = 6;
 constexpr size_t kFlag_aesni_gcm_encrypt = 2;
 constexpr size_t kFlag_aes_gcm_encrypt_avx512 = 7;
 constexpr size_t kFlag_RSAZ_mod_exp_avx512_x2 = 8;
-#else // AARCH64
+#else // AARCH64
 constexpr size_t kFlag_aes_gcm_enc_kernel = 2;
 constexpr size_t kFlag_aesv8_gcm_8x_enc_128 = 7;
 constexpr size_t kFlag_sha512_hw = 8;
@@ -153,27 +152,27 @@ constexpr size_t kFlag_sha512_hw = 8;
 TEST_F(ImplDispatchTest, AEAD_AES_GCM) {
 AssertFunctionsHit(
 {
- {kFlag_aes_hw_encrypt, aes_hw_},
- {kFlag_aes_hw_set_encrypt_key, aes_hw_},
- {kFlag_vpaes_encrypt, aes_vpaes_ && !aes_hw_},
- {kFlag_vpaes_set_encrypt_key, aes_vpaes_ && !aes_hw_},
+ {kFlag_aes_hw_encrypt, aes_hw_},
+ {kFlag_aes_hw_set_encrypt_key, aes_hw_},
+ {kFlag_vpaes_encrypt, aes_vpaes_ && !aes_hw_},
+ {kFlag_vpaes_set_encrypt_key, aes_vpaes_ && !aes_hw_},
 #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
- {kFlag_aes_hw_ctr32_encrypt_blocks, aes_hw_ &&
- (is_assembler_too_old || !vaes_vpclmulqdq_)},
- {kFlag_aesni_gcm_encrypt,
- is_x86_64_ && aes_hw_ && avx_movbe_ &&
- !is_assembler_too_old && !vaes_vpclmulqdq_},
- {kFlag_aes_gcm_encrypt_avx512,
- is_x86_64_ && aes_hw_ &&
- !is_assembler_too_old_avx512 &&
- vaes_vpclmulqdq_},
-#else // AARCH64
- {kFlag_aes_hw_ctr32_encrypt_blocks, aes_hw_ &&
- !aes_gcm_pmull_ && !aes_gcm_8x_},
- {kFlag_aes_gcm_enc_kernel, aes_hw_ &&
- aes_gcm_pmull_ && !aes_gcm_8x_},
- {kFlag_aesv8_gcm_8x_enc_128, aes_hw_ &&
- aes_gcm_pmull_ && aes_gcm_8x_}
+ {kFlag_aes_hw_ctr32_encrypt_blocks,
+ aes_hw_ && (is_assembler_too_old || !vaes_vpclmulqdq_)},
+ {kFlag_aesni_gcm_encrypt, is_x86_64_ && aes_hw_ && avx_movbe_ &&
+ !is_assembler_too_old &&
+ !vaes_vpclmulqdq_},
+ {kFlag_aes_gcm_encrypt_avx512, is_x86_64_ && aes_hw_ &&
+ !is_assembler_too_old_avx512 &&
+ vaes_vpclmulqdq_},
+#else // AARCH64
+ {kFlag_aes_hw_ctr32_encrypt_blocks,
+ aes_hw_ && !aes_gcm_pmull_ && !aes_gcm_8x_},
+ {kFlag_aes_gcm_enc_kernel,
+ aes_hw_ && aes_gcm_pmull_ && !aes_gcm_8x_},
+ {
+ kFlag_aesv8_gcm_8x_enc_128, aes_hw_ &&aes_gcm_pmull_ &&aes_gcm_8x_
+ }
 #endif
 },
 [] {
@@ -246,7 +245,7 @@ TEST_F(ImplDispatchTest, SHA512) {
 SHA512(in, 32, out);
 });
 }
-#endif // OPENSSL_AARCH64
+#endif // OPENSSL_AARCH64
 #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
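Review bot: The last AArch64 entry of the AEAD_AES_GCM table came out of clang-format as `{` / `kFlag_aesv8_gcm_8x_enc_128, aes_hw_ &&aes_gcm_pmull_ &&aes_gcm_8x_` / `}`, with `&&` glued to its right operand as if it were an rvalue-reference declarator, unlike every sibling entry in the same list. The trigger is the missing trailing comma after that element; adding it, `{kFlag_aesv8_gcm_8x_enc_128, aes_hw_ && aes_gcm_pmull_ && aes_gcm_8x_},`, lets the formatter lay the entry out like the others. Behavior is unchanged either way; this is readability only.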
@@ -272,66 +271,63 @@ static bssl::UniquePtr GetBIGNUM(FileTest *t, const char *attr) { TEST_F(ImplDispatchTest, BN_mod_exp_mont_consttime_x2) { FileTestGTest( - "crypto/fipsmodule/bn/test/mod_exp_x2_tests.txt", - [&](FileTest *t) { - AssertFunctionsHit( - { - {kFlag_RSAZ_mod_exp_avx512_x2, - is_x86_64_ && - !is_assembler_too_old_avx512 && - ifma_avx512}, - }, - [&]() { - BN_CTX *ctx = BN_CTX_new(); - BN_CTX_start(ctx); - bssl::UniquePtr a1 = GetBIGNUM(t, "A1"); - bssl::UniquePtr e1 = GetBIGNUM(t, "E1"); - bssl::UniquePtr m1 = GetBIGNUM(t, "M1"); - bssl::UniquePtr mod_exp1 = GetBIGNUM(t, "ModExp1"); - ASSERT_TRUE(a1); - ASSERT_TRUE(e1); - ASSERT_TRUE(m1); - ASSERT_TRUE(mod_exp1); - - bssl::UniquePtr a2 = GetBIGNUM(t, "A2"); - bssl::UniquePtr e2 = GetBIGNUM(t, "E2"); - bssl::UniquePtr m2 = GetBIGNUM(t, "M2"); - bssl::UniquePtr mod_exp2 = GetBIGNUM(t, "ModExp2"); - ASSERT_TRUE(a2); - ASSERT_TRUE(e2); - ASSERT_TRUE(m2); - ASSERT_TRUE(mod_exp2); - - bssl::UniquePtr ret1(BN_new()); - ASSERT_TRUE(ret1); - - bssl::UniquePtr ret2(BN_new()); - ASSERT_TRUE(ret2); - - ASSERT_TRUE(BN_nnmod(a1.get(), a1.get(), m1.get(), ctx)); - ASSERT_TRUE(BN_nnmod(a2.get(), a2.get(), m2.get(), ctx)); - - BN_MONT_CTX *mont1 = NULL; - BN_MONT_CTX *mont2 = NULL; - - ASSERT_TRUE(mont1 = BN_MONT_CTX_new()); - ASSERT_TRUE(BN_MONT_CTX_set(mont1, m1.get(), ctx)); - ASSERT_TRUE(mont2 = BN_MONT_CTX_new()); - ASSERT_TRUE(BN_MONT_CTX_set(mont2, m2.get(), ctx)); - - BN_mod_exp_mont_consttime_x2(ret1.get(), a1.get(), e1.get(), m1.get(), mont1, - ret2.get(), a2.get(), e2.get(), m2.get(), mont2, - ctx); - - BN_MONT_CTX_free(mont1); - BN_MONT_CTX_free(mont2); - BN_CTX_end(ctx); - BN_CTX_free(ctx); + "crypto/fipsmodule/bn/test/mod_exp_x2_tests.txt", [&](FileTest *t) { + AssertFunctionsHit( + { + {kFlag_RSAZ_mod_exp_avx512_x2, + is_x86_64_ && !is_assembler_too_old_avx512 && ifma_avx512}, + }, + [&]() { + BN_CTX *ctx = BN_CTX_new(); + BN_CTX_start(ctx); + bssl::UniquePtr a1 = GetBIGNUM(t, "A1"); + 
bssl::UniquePtr e1 = GetBIGNUM(t, "E1"); + bssl::UniquePtr m1 = GetBIGNUM(t, "M1"); + bssl::UniquePtr mod_exp1 = GetBIGNUM(t, "ModExp1"); + ASSERT_TRUE(a1); + ASSERT_TRUE(e1); + ASSERT_TRUE(m1); + ASSERT_TRUE(mod_exp1); + + bssl::UniquePtr a2 = GetBIGNUM(t, "A2"); + bssl::UniquePtr e2 = GetBIGNUM(t, "E2"); + bssl::UniquePtr m2 = GetBIGNUM(t, "M2"); + bssl::UniquePtr mod_exp2 = GetBIGNUM(t, "ModExp2"); + ASSERT_TRUE(a2); + ASSERT_TRUE(e2); + ASSERT_TRUE(m2); + ASSERT_TRUE(mod_exp2); + + bssl::UniquePtr ret1(BN_new()); + ASSERT_TRUE(ret1); + + bssl::UniquePtr ret2(BN_new()); + ASSERT_TRUE(ret2); + + ASSERT_TRUE(BN_nnmod(a1.get(), a1.get(), m1.get(), ctx)); + ASSERT_TRUE(BN_nnmod(a2.get(), a2.get(), m2.get(), ctx)); + + BN_MONT_CTX *mont1 = NULL; + BN_MONT_CTX *mont2 = NULL; + + ASSERT_TRUE(mont1 = BN_MONT_CTX_new()); + ASSERT_TRUE(BN_MONT_CTX_set(mont1, m1.get(), ctx)); + ASSERT_TRUE(mont2 = BN_MONT_CTX_new()); + ASSERT_TRUE(BN_MONT_CTX_set(mont2, m2.get(), ctx)); + + BN_mod_exp_mont_consttime_x2( + ret1.get(), a1.get(), e1.get(), m1.get(), mont1, ret2.get(), + a2.get(), e2.get(), m2.get(), mont2, ctx); + + BN_MONT_CTX_free(mont1); + BN_MONT_CTX_free(mont2); + BN_CTX_end(ctx); + BN_CTX_free(ctx); + }); }); - }); } -#endif // x86[_64] +#endif // x86[_64] #endif // !OPENSSL_NO_ASM && (OPENSSL_X86 || OPENSSL_X86_64 || OPENSSL_AARCH64) diff --git a/crypto/internal.h b/crypto/internal.h index 5a59c1e11f..cc0d3e247c 100644 --- a/crypto/internal.h +++ b/crypto/internal.h @@ -133,8 +133,8 @@ #define alignas(x) __declspec(align(x)) #define alignof __alignof #elif !defined(AWS_LC_STDALIGN_AVAILABLE) -#define alignas(x) __attribute__ ((aligned (x))) -#define alignof(x) __alignof__ (x) +#define alignas(x) __attribute__((aligned(x))) +#define alignof(x) __alignof__(x) #else #include #endif 
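Review bot: In BN_mod_exp_mont_consttime_x2 the expected values `mod_exp1` and `mod_exp2` are loaded and asserted non-null but never compared with `ret1`/`ret2`, and the status of the `BN_mod_exp_mont_consttime_x2` call is discarded, so the test only verifies which implementation was dispatched, not that it produced the right result. After the call add `EXPECT_EQ(0, BN_cmp(ret1.get(), mod_exp1.get()));` and `EXPECT_EQ(0, BN_cmp(ret2.get(), mod_exp2.get()));`, and assert the call's return value if it reports one like the other BN_mod_exp variants. Separately, `ctx` from `BN_CTX_new()` is passed to `BN_CTX_start` without a null check, and `ctx`, `mont1` and `mont2` leak whenever one of the `ASSERT_TRUE`s returns early from the lambda; holding them in `bssl::UniquePtr<BN_CTX>` and `bssl::UniquePtr<BN_MONT_CTX>`, as the file already does for BIGNUM, would address both. The whole TEST_F body lies within this hunk.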
@@ -185,18 +185,18 @@ typedef __uint128_t uint128_t; #elif defined(__cplusplus) && __cplusplus >= 201103L && defined(__GNUC__) && \ __GNUC__ >= 7 #define OPENSSL_FALLTHROUGH [[gnu::fallthrough]] -#elif defined(__GNUC__) && __GNUC__ >= 7 // gcc 7 -#define OPENSSL_FALLTHROUGH __attribute__ ((fallthrough)) +#elif defined(__GNUC__) && __GNUC__ >= 7 // gcc 7 +#define OPENSSL_FALLTHROUGH __attribute__((fallthrough)) #elif defined(__clang__) #if __has_attribute(fallthrough) && __clang_major__ >= 5 // Clang 3.5, at least, complains about "error: declaration does not declare // anything", possibily because we put a semicolon after this macro in // practice. Thus limit it to >= Clang 5, which does work. -#define OPENSSL_FALLTHROUGH __attribute__ ((fallthrough)) -#else // clang versions that do not support fallthrough. +#define OPENSSL_FALLTHROUGH __attribute__((fallthrough)) +#else // clang versions that do not support fallthrough. #define OPENSSL_FALLTHROUGH #endif -#else // C++11 on gcc 6, and all other cases +#else // C++11 on gcc 6, and all other cases #define OPENSSL_FALLTHROUGH #endif @@ -378,7 +378,7 @@ static inline crypto_word_t constant_time_lt_w(crypto_word_t a, // (assert (not (= (= #x00000001 (bvlshr (lt a b) #x0000001f)) (bvult a b)))) // (check-sat) // (get-model) - return constant_time_msb_w(a^((a^b)|((a-b)^a))); + return constant_time_msb_w(a ^ ((a ^ b) | ((a - b) ^ a))); } // constant_time_lt_8 acts like |constant_time_lt_w| but returns an 8-bit @@ -409,9 +409,8 @@ static inline crypto_word_t constant_time_is_zero_w(crypto_word_t a) { // // (declare-fun a () (_ BitVec 32)) // - // (assert (not (= (= #x00000001 (bvlshr (is_zero a) #x0000001f)) (= a #x00000000)))) - // (check-sat) - // (get-model) + // (assert (not (= (= #x00000001 (bvlshr (is_zero a) #x0000001f)) (= a + // #x00000000)))) (check-sat) (get-model) return constant_time_msb_w(~a & (a - 1)); } 
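Review bot: The re-wrapped comment in constant_time_is_zero_w fused the Z3 script's `(check-sat)` and `(get-model)` onto the continuation of the `(assert ...)` line, so the snippet can no longer be pasted into a solver as-is, unlike the matching script in constant_time_lt_w just above it. Restore the original three lines and protect them with `// clang-format off` before the script and `// clang-format on` after it, so the next formatter run does not re-wrap them.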
@@ -476,37 +475,46 @@ static inline int constant_time_select_int(crypto_word_t mask, int a, int b) { // constant_time_select_array_w applies |constant_time_select_w| on each // corresponding pair of elements of a and b. -static inline void constant_time_select_array_w( - crypto_word_t *c, crypto_word_t *a, crypto_word_t *b, - crypto_word_t mask, size_t len) { +static inline void constant_time_select_array_w(crypto_word_t *c, + crypto_word_t *a, + crypto_word_t *b, + crypto_word_t mask, + size_t len) { for (size_t i = 0; i < len; i++) { c[i] = constant_time_select_w(mask, a[i], b[i]); } } -static inline void constant_time_select_array_8( - uint8_t *c, uint8_t *a, uint8_t *b, uint8_t mask, size_t len) { +static inline void constant_time_select_array_8(uint8_t *c, uint8_t *a, + uint8_t *b, uint8_t mask, + size_t len) { for (size_t i = 0; i < len; i++) { c[i] = constant_time_select_8(mask, a[i], b[i]); } } // constant_time_select_entry_from_table_w selects the idx-th entry from table. -static inline void constant_time_select_entry_from_table_w( - crypto_word_t *out, crypto_word_t *table, - size_t idx, size_t num_entries, size_t entry_size) { +static inline void constant_time_select_entry_from_table_w(crypto_word_t *out, + crypto_word_t *table, + size_t idx, + size_t num_entries, + size_t entry_size) { for (size_t i = 0; i < num_entries; i++) { crypto_word_t mask = constant_time_eq_w(i, idx); - constant_time_select_array_w(out, &table[i * entry_size], out, mask, entry_size); + constant_time_select_array_w(out, &table[i * entry_size], out, mask, + entry_size); } } -static inline void constant_time_select_entry_from_table_8( - uint8_t *out, uint8_t *table, size_t idx, - size_t num_entries, size_t entry_size) { +static inline void constant_time_select_entry_from_table_8(uint8_t *out, + uint8_t *table, + size_t idx, + size_t num_entries, + size_t entry_size) { for (size_t i = 0; i < num_entries; i++) { uint8_t mask = (uint8_t)(constant_time_eq_w(i, idx)); - 
constant_time_select_array_8(out, &table[i * entry_size], out, mask, entry_size); + constant_time_select_array_8(out, &table[i * entry_size], out, mask, + entry_size); } } @@ -548,7 +556,7 @@ static inline crypto_word_t constant_time_declassify_w(crypto_word_t v) { static inline int constant_time_declassify_int(int v) { OPENSSL_STATIC_ASSERT(sizeof(uint32_t) == sizeof(int), - int_is_not_the_same_size_as_uint32_t); + int_is_not_the_same_size_as_uint32_t); // See comment above. CONSTTIME_DECLASSIFY(&v, sizeof(v)); return value_barrier_u32(v); @@ -646,17 +654,20 @@ OPENSSL_EXPORT int CRYPTO_refcount_dec_and_test_zero(CRYPTO_refcount_t *count); struct CRYPTO_STATIC_MUTEX { char padding; // Empty structs have different sizes in C and C++. }; -#define CRYPTO_STATIC_MUTEX_INIT { 0 } +#define CRYPTO_STATIC_MUTEX_INIT \ + { 0 } #elif defined(OPENSSL_WINDOWS_THREADS) struct CRYPTO_STATIC_MUTEX { SRWLOCK lock; }; -#define CRYPTO_STATIC_MUTEX_INIT { SRWLOCK_INIT } +#define CRYPTO_STATIC_MUTEX_INIT \ + { SRWLOCK_INIT } #elif defined(OPENSSL_PTHREADS) struct CRYPTO_STATIC_MUTEX { pthread_rwlock_t lock; }; -#define CRYPTO_STATIC_MUTEX_INIT { PTHREAD_RWLOCK_INITIALIZER } +#define CRYPTO_STATIC_MUTEX_INIT \ + { PTHREAD_RWLOCK_INITIALIZER } #else #error "Unknown threading library" #endif @@ -798,9 +809,10 @@ typedef struct { uint8_t num_reserved; } CRYPTO_EX_DATA_CLASS; -#define CRYPTO_EX_DATA_CLASS_INIT {CRYPTO_STATIC_MUTEX_INIT, NULL, 0} +#define CRYPTO_EX_DATA_CLASS_INIT \ + { CRYPTO_STATIC_MUTEX_INIT, NULL, 0 } #define CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA \ - {CRYPTO_STATIC_MUTEX_INIT, NULL, 1} + { CRYPTO_STATIC_MUTEX_INIT, NULL, 1 } // CRYPTO_get_ex_new_index allocates a new index for |ex_data_class| and writes // it to |*out_index|. Each class of object should provide a wrapper function 
@@ -857,21 +869,13 @@ OPENSSL_MSVC_PRAGMA(warning(push, 3)) #include OPENSSL_MSVC_PRAGMA(warning(pop)) #pragma intrinsic(_byteswap_uint64, _byteswap_ulong, _byteswap_ushort) -static inline uint16_t CRYPTO_bswap2(uint16_t x) { - return _byteswap_ushort(x); -} +static inline uint16_t CRYPTO_bswap2(uint16_t x) { return _byteswap_ushort(x); } -static inline uint32_t CRYPTO_bswap4(uint32_t x) { - return _byteswap_ulong(x); -} +static inline uint32_t CRYPTO_bswap4(uint32_t x) { return _byteswap_ulong(x); } -static inline uint64_t CRYPTO_bswap8(uint64_t x) { - return _byteswap_uint64(x); -} +static inline uint64_t CRYPTO_bswap8(uint64_t x) { return _byteswap_uint64(x); } #else -static inline uint16_t CRYPTO_bswap2(uint16_t x) { - return (x >> 8) | (x << 8); -} +static inline uint16_t CRYPTO_bswap2(uint16_t x) { return (x >> 8) | (x << 8); } static inline uint32_t CRYPTO_bswap4(uint32_t x) { x = (x >> 16) | (x << 16); @@ -1019,7 +1023,6 @@ static inline void CRYPTO_store_u32_le(void *out, uint32_t v) { v = CRYPTO_bswap4(v); #endif OPENSSL_memcpy(out, &v, sizeof(v)); - } static inline uint32_t CRYPTO_load_u32_be(const void *in) { @@ -1033,12 +1036,10 @@ static inline uint32_t CRYPTO_load_u32_be(const void *in) { } static inline void CRYPTO_store_u32_be(void *out, uint32_t v) { - #if !defined(OPENSSL_BIG_ENDIAN) v = CRYPTO_bswap4(v); #endif OPENSSL_memcpy(out, &v, sizeof(v)); - } static inline uint64_t CRYPTO_load_u64_le(const void *in) { @@ -1056,7 +1057,6 @@ static inline void CRYPTO_store_u64_le(void *out, uint64_t v) { v = CRYPTO_bswap8(v); #endif OPENSSL_memcpy(out, &v, sizeof(v)); - } static inline uint64_t CRYPTO_load_u64_be(const void *ptr) { @@ -1075,11 +1075,9 @@ static inline void CRYPTO_store_u64_be(void *out, uint64_t v) { v = CRYPTO_bswap8(v); #endif OPENSSL_memcpy(out, &v, sizeof(v)); - } static inline crypto_word_t CRYPTO_load_word_le(const void *in) { - crypto_word_t v; OPENSSL_memcpy(&v, in, sizeof(v)); #if defined(OPENSSL_BIG_ENDIAN) 
@@ -1090,13 +1088,10 @@ static inline crypto_word_t CRYPTO_load_word_le(const void *in) { } static inline void CRYPTO_store_word_le(void *out, crypto_word_t v) { - - #if defined(OPENSSL_BIG_ENDIAN) v = CRYPTO_bswap_word(v); #endif OPENSSL_memcpy(out, &v, sizeof(v)); - } static inline crypto_word_t CRYPTO_load_word_be(const void *in) { @@ -1273,9 +1268,9 @@ static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow, // fails. If the library is built in FIPS mode it prevents any further // cryptographic operations by the current process. #if defined(_MSC_VER) -__declspec(noreturn) void AWS_LC_FIPS_failure(const char* message); +__declspec(noreturn) void AWS_LC_FIPS_failure(const char *message); #else -void AWS_LC_FIPS_failure(const char* message) __attribute__((noreturn)); +void AWS_LC_FIPS_failure(const char *message) __attribute__((noreturn)); #endif // boringssl_self_test_startup runs all startup self tests and returns one on @@ -1331,14 +1326,14 @@ OPENSSL_INLINE void boringssl_ensure_eddsa_self_test(void) {} OPENSSL_INLINE void boringssl_ensure_hasheddsa_self_test(void) {} // Outside of FIPS mode AWS_LC_FIPS_failure simply logs the message to stderr -void AWS_LC_FIPS_failure(const char* message); +void AWS_LC_FIPS_failure(const char *message); #endif // FIPS // boringssl_self_test_sha256 performs a SHA-256 KAT int boringssl_self_test_sha256(void); - // boringssl_self_test_hmac_sha256 performs an HMAC-SHA-256 KAT +// boringssl_self_test_hmac_sha256 performs an HMAC-SHA-256 KAT int boringssl_self_test_hmac_sha256(void); #if defined(BORINGSSL_FIPS_COUNTERS) @@ -1353,9 +1348,7 @@ OPENSSL_INLINE int boringssl_fips_break_test(const char *test) { return value != NULL && strcmp(value, test) == 0; } #else -OPENSSL_INLINE int boringssl_fips_break_test(const char *test) { - return 0; -} +OPENSSL_INLINE int boringssl_fips_break_test(const char *test) { return 0; } #endif // BORINGSSL_FIPS_BREAK_TESTS #if defined(BORINGSSL_DISPATCH_TEST) 
@@ -1403,11 +1396,11 @@ OPENSSL_EXPORT int OPENSSL_vasprintf_internal(char **str, const char *format, // If |cond| is false |action| is invoked, otherwise nothing happens. #define __AWS_LC_ENSURE(cond, action) \ - do { \ - if (!(cond)) { \ - action; \ - } \ - } while (0) + do { \ + if (!(cond)) { \ + action; \ + } \ + } while (0) #define AWS_LC_ERROR 0 #define AWS_LC_SUCCESS 1 @@ -1417,8 +1410,10 @@ OPENSSL_EXPORT int OPENSSL_vasprintf_internal(char **str, const char *format, // // NOTE: this macro should only be used with functions that return 0 (for error) // and 1 (for success). -#define GUARD_PTR(ptr) __AWS_LC_ENSURE((ptr) != NULL, OPENSSL_PUT_ERROR(CRYPTO, ERR_R_PASSED_NULL_PARAMETER); \ - return AWS_LC_ERROR) +#define GUARD_PTR(ptr) \ + __AWS_LC_ENSURE((ptr) != NULL, \ + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_PASSED_NULL_PARAMETER); \ + return AWS_LC_ERROR) #if defined(__cplusplus) } // extern C diff --git a/crypto/kyber/kem_kyber.c b/crypto/kyber/kem_kyber.c index 85a8d691b0..7c7dfdd594 100644 --- a/crypto/kyber/kem_kyber.c +++ b/crypto/kyber/kem_kyber.c @@ -1,10 +1,10 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC +#include "kem_kyber.h" #include "../evp_extra/internal.h" #include "../fipsmodule/evp/internal.h" #include "../fipsmodule/kem/internal.h" -#include "kem_kyber.h" #include "pqcrystals_kyber_ref_common/api.h" // Legacy KEM drivers for kyber. @@ -14,11 +14,11 @@ static int kyber512r3_keygen_deterministic(uint8_t *public_key, uint8_t *secret_key, const uint8_t *seed) { - return pqcrystals_kyber512_ref_keypair_derand(public_key, secret_key, seed) == 0; + return pqcrystals_kyber512_ref_keypair_derand(public_key, secret_key, seed) == + 0; } -static int kyber512r3_keygen(uint8_t *public_key, - uint8_t *secret_key) { +static int kyber512r3_keygen(uint8_t *public_key, uint8_t *secret_key) { return pqcrystals_kyber512_ref_keypair(public_key, secret_key) == 0; } 
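Review bot: `__AWS_LC_ENSURE` is a reserved identifier (C11 §7.1.3 reserves every name beginning with two underscores for the implementation), so the reformatted macro in this hunk and its use in `GUARD_PTR` in the next keep a name that may collide with compiler or libc internals. This predates the commit, but since both definitions are being rewritten here, a spelling outside the reserved namespace such as `#define AWS_LC_ENSURE_(cond, action) \` with `GUARD_PTR` updated to match would be a cheap fix. The `extern "C"` block closed at the end of the second hunk begins outside the hunk.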
@@ -26,37 +26,38 @@ static int kyber512r3_encaps_deterministic(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key, const uint8_t *seed) { - return pqcrystals_kyber512_ref_enc_derand(ciphertext, shared_secret, public_key, seed) == 0; + return pqcrystals_kyber512_ref_enc_derand(ciphertext, shared_secret, + public_key, seed) == 0; } -static int kyber512r3_encaps(uint8_t *ciphertext, - uint8_t *shared_secret, +static int kyber512r3_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key) { - return pqcrystals_kyber512_ref_enc(ciphertext, shared_secret, public_key) == 0; + return pqcrystals_kyber512_ref_enc(ciphertext, shared_secret, public_key) == + 0; } -static int kyber512r3_decaps(uint8_t *shared_secret, - const uint8_t *ciphertext, +static int kyber512r3_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key) { - return pqcrystals_kyber512_ref_dec(shared_secret, ciphertext, secret_key) == 0; + return pqcrystals_kyber512_ref_dec(shared_secret, ciphertext, secret_key) == + 0; } static const KEM_METHOD kem_kyber512r3_method = { - kyber512r3_keygen_deterministic, - kyber512r3_keygen, - kyber512r3_encaps_deterministic, - kyber512r3_encaps, - kyber512r3_decaps, + kyber512r3_keygen_deterministic, + kyber512r3_keygen, + kyber512r3_encaps_deterministic, + kyber512r3_encaps, + kyber512r3_decaps, }; static int kyber768r3_keygen_deterministic(uint8_t *public_key, uint8_t *secret_key, const uint8_t *seed) { - return pqcrystals_kyber768_ref_keypair_derand(public_key, secret_key, seed) == 0; + return pqcrystals_kyber768_ref_keypair_derand(public_key, secret_key, seed) == + 0; } -static int kyber768r3_keygen(uint8_t *public_key, - uint8_t *secret_key) { +static int kyber768r3_keygen(uint8_t *public_key, uint8_t *secret_key) { return pqcrystals_kyber768_ref_keypair(public_key, secret_key) == 0; } 
@@ -64,37 +65,38 @@ static int kyber768r3_encaps_deterministic(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key, const uint8_t *seed) { - return pqcrystals_kyber768_ref_enc_derand(ciphertext, shared_secret, public_key, seed) == 0; + return pqcrystals_kyber768_ref_enc_derand(ciphertext, shared_secret, + public_key, seed) == 0; } -static int kyber768r3_encaps(uint8_t *ciphertext, - uint8_t *shared_secret, +static int kyber768r3_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key) { - return pqcrystals_kyber768_ref_enc(ciphertext, shared_secret, public_key) == 0; + return pqcrystals_kyber768_ref_enc(ciphertext, shared_secret, public_key) == + 0; } -static int kyber768r3_decaps(uint8_t *shared_secret, - const uint8_t *ciphertext, +static int kyber768r3_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key) { - return pqcrystals_kyber768_ref_dec(shared_secret, ciphertext, secret_key) == 0; + return pqcrystals_kyber768_ref_dec(shared_secret, ciphertext, secret_key) == + 0; } static const KEM_METHOD kem_kyber768r3_method = { - kyber768r3_keygen_deterministic, - kyber768r3_keygen, - kyber768r3_encaps_deterministic, - kyber768r3_encaps, - kyber768r3_decaps, + kyber768r3_keygen_deterministic, + kyber768r3_keygen, + kyber768r3_encaps_deterministic, + kyber768r3_encaps, + kyber768r3_decaps, }; static int kyber1024r3_keygen_deterministic(uint8_t *public_key, uint8_t *secret_key, const uint8_t *seed) { - return pqcrystals_kyber1024_ref_keypair_derand(public_key, secret_key, seed) == 0; + return pqcrystals_kyber1024_ref_keypair_derand(public_key, secret_key, + seed) == 0; } -static int kyber1024r3_keygen(uint8_t *public_key, - uint8_t *secret_key) { +static int kyber1024r3_keygen(uint8_t *public_key, uint8_t *secret_key) { return pqcrystals_kyber1024_ref_keypair(public_key, secret_key) == 0; } 
@@ -102,27 +104,28 @@ static int kyber1024r3_encaps_deterministic(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key, const uint8_t *seed) { - return pqcrystals_kyber1024_ref_enc_derand(ciphertext, shared_secret, public_key, seed) == 0; + return pqcrystals_kyber1024_ref_enc_derand(ciphertext, shared_secret, + public_key, seed) == 0; } -static int kyber1024r3_encaps(uint8_t *ciphertext, - uint8_t *shared_secret, +static int kyber1024r3_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key) { - return pqcrystals_kyber1024_ref_enc(ciphertext, shared_secret, public_key) == 0; + return pqcrystals_kyber1024_ref_enc(ciphertext, shared_secret, public_key) == + 0; } -static int kyber1024r3_decaps(uint8_t *shared_secret, - const uint8_t *ciphertext, +static int kyber1024r3_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key) { - return pqcrystals_kyber1024_ref_dec(shared_secret, ciphertext, secret_key) == 0; + return pqcrystals_kyber1024_ref_dec(shared_secret, ciphertext, secret_key) == + 0; } static const KEM_METHOD kem_kyber1024r3_method = { - kyber1024r3_keygen_deterministic, - kyber1024r3_keygen, - kyber1024r3_encaps_deterministic, - kyber1024r3_encaps, - kyber1024r3_decaps, + kyber1024r3_keygen_deterministic, + kyber1024r3_keygen, + kyber1024r3_encaps_deterministic, + kyber1024r3_encaps, + kyber1024r3_decaps, }; // The KEM parameters listed below are taken from corresponding specifications. 
@@ -134,56 +137,52 @@ static const KEM_METHOD kem_kyber1024r3_method = { // https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf. // OIDs will maintain placeholder values until implementation is deleted. -static const uint8_t kOIDKyber512r3[] = {0xff, 0xff, 0xff, 0xff}; -static const uint8_t kOIDKyber768r3[] = {0xff, 0xff, 0xff, 0xff}; -static const uint8_t kOIDKyber1024r3[] = {0xff, 0xff, 0xff, 0xff}; +static const uint8_t kOIDKyber512r3[] = {0xff, 0xff, 0xff, 0xff}; +static const uint8_t kOIDKyber768r3[] = {0xff, 0xff, 0xff, 0xff}; +static const uint8_t kOIDKyber1024r3[] = {0xff, 0xff, 0xff, 0xff}; static const KEM legacy_kem_kyber512_r3 = { - NID_KYBER512_R3, // kem.nid - kOIDKyber512r3, // kem.oid - sizeof(kOIDKyber512r3), // kem.oid_len - "Kyber512 Round-3", // kem.comment - KYBER512_R3_PUBLIC_KEY_BYTES, // kem.public_key_len - KYBER512_R3_SECRET_KEY_BYTES, // kem.secret_key_len - KYBER512_R3_CIPHERTEXT_BYTES, // kem.ciphertext_len - KYBER_R3_SHARED_SECRET_LEN, // kem.shared_secret_len - KYBER_R3_KEYGEN_SEED_LEN, // kem.keygen_seed_len - KYBER_R3_ENCAPS_SEED_LEN, // kem.encaps_seed_len - &kem_kyber512r3_method, // kem.method + NID_KYBER512_R3, // kem.nid + kOIDKyber512r3, // kem.oid + sizeof(kOIDKyber512r3), // kem.oid_len + "Kyber512 Round-3", // kem.comment + KYBER512_R3_PUBLIC_KEY_BYTES, // kem.public_key_len + KYBER512_R3_SECRET_KEY_BYTES, // kem.secret_key_len + KYBER512_R3_CIPHERTEXT_BYTES, // kem.ciphertext_len + KYBER_R3_SHARED_SECRET_LEN, // kem.shared_secret_len + KYBER_R3_KEYGEN_SEED_LEN, // kem.keygen_seed_len + KYBER_R3_ENCAPS_SEED_LEN, // kem.encaps_seed_len + &kem_kyber512r3_method, // kem.method }; -const KEM *get_legacy_kem_kyber512_r3(void) { - return &legacy_kem_kyber512_r3; -} +const KEM *get_legacy_kem_kyber512_r3(void) { return &legacy_kem_kyber512_r3; } static const KEM legacy_kem_kyber768_r3 = { - NID_KYBER768_R3, // kem.nid - kOIDKyber768r3, // kem.oid - sizeof(kOIDKyber768r3), // kem.oid_len - "Kyber768 Round-3", 
// kem.comment - KYBER768_R3_PUBLIC_KEY_BYTES, // kem.public_key_len - KYBER768_R3_SECRET_KEY_BYTES, // kem.secret_key_len - KYBER768_R3_CIPHERTEXT_BYTES, // kem.ciphertext_len - KYBER_R3_SHARED_SECRET_LEN, // kem.shared_secret_len - KYBER_R3_KEYGEN_SEED_LEN, // kem.keygen_seed_len - KYBER_R3_ENCAPS_SEED_LEN, // kem.encaps_seed_len - &kem_kyber768r3_method, // kem.method + NID_KYBER768_R3, // kem.nid + kOIDKyber768r3, // kem.oid + sizeof(kOIDKyber768r3), // kem.oid_len + "Kyber768 Round-3", // kem.comment + KYBER768_R3_PUBLIC_KEY_BYTES, // kem.public_key_len + KYBER768_R3_SECRET_KEY_BYTES, // kem.secret_key_len + KYBER768_R3_CIPHERTEXT_BYTES, // kem.ciphertext_len + KYBER_R3_SHARED_SECRET_LEN, // kem.shared_secret_len + KYBER_R3_KEYGEN_SEED_LEN, // kem.keygen_seed_len + KYBER_R3_ENCAPS_SEED_LEN, // kem.encaps_seed_len + &kem_kyber768r3_method, // kem.method }; -const KEM *get_legacy_kem_kyber768_r3(void) { - return &legacy_kem_kyber768_r3; -} +const KEM *get_legacy_kem_kyber768_r3(void) { return &legacy_kem_kyber768_r3; } static const KEM legacy_kem_kyber1024_r3 = { - NID_KYBER1024_R3, // kem.nid - kOIDKyber1024r3, // kem.oid - sizeof(kOIDKyber1024r3), // kem.oid_len - "Kyber1024 Round-3", // kem.comment - KYBER1024_R3_PUBLIC_KEY_BYTES, // kem.public_key_len - KYBER1024_R3_SECRET_KEY_BYTES, // kem.secret_key_len - KYBER1024_R3_CIPHERTEXT_BYTES, // kem.ciphertext_len - KYBER_R3_SHARED_SECRET_LEN, // kem.shared_secret_len - KYBER_R3_KEYGEN_SEED_LEN, // kem.keygen_seed_len - KYBER_R3_ENCAPS_SEED_LEN, // kem.encaps_seed_len - &kem_kyber1024r3_method, // kem.method + NID_KYBER1024_R3, // kem.nid + kOIDKyber1024r3, // kem.oid + sizeof(kOIDKyber1024r3), // kem.oid_len + "Kyber1024 Round-3", // kem.comment + KYBER1024_R3_PUBLIC_KEY_BYTES, // kem.public_key_len + KYBER1024_R3_SECRET_KEY_BYTES, // kem.secret_key_len + KYBER1024_R3_CIPHERTEXT_BYTES, // kem.ciphertext_len + KYBER_R3_SHARED_SECRET_LEN, // kem.shared_secret_len + KYBER_R3_KEYGEN_SEED_LEN, // kem.keygen_seed_len 
+ KYBER_R3_ENCAPS_SEED_LEN, // kem.encaps_seed_len + &kem_kyber1024r3_method, // kem.method }; const KEM *get_legacy_kem_kyber1024_r3(void) { return &legacy_kem_kyber1024_r3; diff --git a/crypto/kyber/kem_kyber.h b/crypto/kyber/kem_kyber.h index 41384693eb..b8652bd9a7 100644 --- a/crypto/kyber/kem_kyber.h +++ b/crypto/kyber/kem_kyber.h @@ -4,10 +4,10 @@ #ifndef KEM_KYBER_H #define KEM_KYBER_H -#include -#include #include #include +#include +#include #include "../fipsmodule/kem/internal.h" @@ -15,21 +15,20 @@ #define KYBER_R3_KEYGEN_SEED_LEN 64 #define KYBER_R3_ENCAPS_SEED_LEN 32 -#define KYBER512_R3_PUBLIC_KEY_BYTES 800 +#define KYBER512_R3_PUBLIC_KEY_BYTES 800 #define KYBER512_R3_SECRET_KEY_BYTES 1632 #define KYBER512_R3_CIPHERTEXT_BYTES 768 -#define KYBER768_R3_PUBLIC_KEY_BYTES 1184 +#define KYBER768_R3_PUBLIC_KEY_BYTES 1184 #define KYBER768_R3_SECRET_KEY_BYTES 2400 #define KYBER768_R3_CIPHERTEXT_BYTES 1088 -#define KYBER1024_R3_PUBLIC_KEY_BYTES 1568 +#define KYBER1024_R3_PUBLIC_KEY_BYTES 1568 #define KYBER1024_R3_SECRET_KEY_BYTES 3168 #define KYBER1024_R3_CIPHERTEXT_BYTES 1568 -const KEM * get_legacy_kem_kyber512_r3(void); -const KEM * get_legacy_kem_kyber768_r3(void); -const KEM * get_legacy_kem_kyber1024_r3(void); +const KEM *get_legacy_kem_kyber512_r3(void); +const KEM *get_legacy_kem_kyber768_r3(void); +const KEM *get_legacy_kem_kyber1024_r3(void); #endif - diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/api.h b/crypto/kyber/pqcrystals_kyber_ref_common/api.h index daffc3dd95..f4c75ba469 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/api.h +++ b/crypto/kyber/pqcrystals_kyber_ref_common/api.h 
@@ -4,22 +4,32 @@ #include #include "openssl/base.h" -int pqcrystals_kyber512_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins); +int pqcrystals_kyber512_ref_keypair_derand(uint8_t *pk, uint8_t *sk, + const uint8_t *coins); int pqcrystals_kyber512_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber512_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins); +int pqcrystals_kyber512_ref_enc_derand(uint8_t *ct, uint8_t *ss, + const uint8_t *pk, const uint8_t *coins); int pqcrystals_kyber512_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber512_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); +int pqcrystals_kyber512_ref_dec(uint8_t *ss, const uint8_t *ct, + const uint8_t *sk); -int pqcrystals_kyber768_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins); +int pqcrystals_kyber768_ref_keypair_derand(uint8_t *pk, uint8_t *sk, + const uint8_t *coins); int pqcrystals_kyber768_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber768_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins); +int pqcrystals_kyber768_ref_enc_derand(uint8_t *ct, uint8_t *ss, + const uint8_t *pk, const uint8_t *coins); int pqcrystals_kyber768_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber768_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); +int pqcrystals_kyber768_ref_dec(uint8_t *ss, const uint8_t *ct, + const uint8_t *sk); -int pqcrystals_kyber1024_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins); +int pqcrystals_kyber1024_ref_keypair_derand(uint8_t *pk, uint8_t *sk, + const uint8_t *coins); int pqcrystals_kyber1024_ref_keypair(uint8_t *pk, uint8_t *sk); -int pqcrystals_kyber1024_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins); +int pqcrystals_kyber1024_ref_enc_derand(uint8_t *ct, uint8_t *ss, + const uint8_t *pk, + const uint8_t *coins); int 
pqcrystals_kyber1024_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); -int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); +int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, + const uint8_t *sk); #endif diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/cbd.c b/crypto/kyber/pqcrystals_kyber_ref_common/cbd.c index 1500ffea56..7a6f1c0f88 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/cbd.c +++ b/crypto/kyber/pqcrystals_kyber_ref_common/cbd.c @@ -1,21 +1,20 @@ +#include "cbd.h" #include #include "params.h" -#include "cbd.h" /************************************************* -* Name: load32_littleendian -* -* Description: load 4 bytes into a 32-bit integer -* in little-endian order -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x -**************************************************/ -static uint32_t load32_littleendian(const uint8_t x[4]) -{ + * Name: load32_littleendian + * + * Description: load 4 bytes into a 32-bit integer + * in little-endian order + * + * Arguments: - const uint8_t *x: pointer to input byte array + * + * Returns 32-bit unsigned integer loaded from x + **************************************************/ +static uint32_t load32_littleendian(const uint8_t x[4]) { uint32_t r; - r = (uint32_t)x[0]; + r = (uint32_t)x[0]; r |= (uint32_t)x[1] << 8; r |= (uint32_t)x[2] << 16; r |= (uint32_t)x[3] << 24; 
@@ -23,21 +22,20 @@ static uint32_t load32_littleendian(const uint8_t x[4]) } /************************************************* -* Name: load24_littleendian -* -* Description: load 3 bytes into a 32-bit integer -* in little-endian order. -* This function is only needed for Kyber-512 -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x (most significant byte is zero) -**************************************************/ + * Name: load24_littleendian + * + * Description: load 3 bytes into a 32-bit integer + * in little-endian order. + * This function is only needed for Kyber-512 + * + * Arguments: - const uint8_t *x: pointer to input byte array + * + * Returns 32-bit unsigned integer loaded from x (most significant byte is zero) + **************************************************/ #if KYBER_ETA1 == 3 -static uint32_t load24_littleendian(const uint8_t x[3]) -{ +static uint32_t load24_littleendian(const uint8_t x[3]) { uint32_t r; - r = (uint32_t)x[0]; + r = (uint32_t)x[0]; r |= (uint32_t)x[1] << 8; r |= (uint32_t)x[2] << 16; return r; 
@@ -46,69 +44,66 @@ static uint32_t load24_littleendian(const uint8_t x[3]) /************************************************* -* Name: cbd2 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -static void cbd2(poly *r, const uint8_t buf[2*KYBER_N/4]) -{ - unsigned int i,j; - uint32_t t,d; - int16_t a,b; + * Name: cbd2 + * + * Description: Given an array of uniformly random bytes, compute + * polynomial with coefficients distributed according to + * a centered binomial distribution with parameter eta=2 + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *buf: pointer to input byte array + **************************************************/ +static void cbd2(poly *r, const uint8_t buf[2 * KYBER_N / 4]) { + unsigned int i, j; + uint32_t t, d; + int16_t a, b; - for(i=0;i>1) & 0x55555555; + for (i = 0; i < KYBER_N / 8; i++) { + t = load32_littleendian(buf + 4 * i); + d = t & 0x55555555; + d += (t >> 1) & 0x55555555; - for(j=0;j<8;j++) { - a = (d >> (4*j+0)) & 0x3; - b = (d >> (4*j+2)) & 0x3; - r->coeffs[8*i+j] = a - b; + for (j = 0; j < 8; j++) { + a = (d >> (4 * j + 0)) & 0x3; + b = (d >> (4 * j + 2)) & 0x3; + r->coeffs[8 * i + j] = a - b; } } } /************************************************* -* Name: cbd3 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=3. 
-* This function is only needed for Kyber-512 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ + * Name: cbd3 + * + * Description: Given an array of uniformly random bytes, compute + * polynomial with coefficients distributed according to + * a centered binomial distribution with parameter eta=3. + * This function is only needed for Kyber-512 + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *buf: pointer to input byte array + **************************************************/ #if KYBER_ETA1 == 3 -static void cbd3(poly *r, const uint8_t buf[3*KYBER_N/4]) -{ - unsigned int i,j; - uint32_t t,d; - int16_t a,b; +static void cbd3(poly *r, const uint8_t buf[3 * KYBER_N / 4]) { + unsigned int i, j; + uint32_t t, d; + int16_t a, b; - for(i=0;i>1) & 0x00249249; - d += (t>>2) & 0x00249249; + for (i = 0; i < KYBER_N / 4; i++) { + t = load24_littleendian(buf + 3 * i); + d = t & 0x00249249; + d += (t >> 1) & 0x00249249; + d += (t >> 2) & 0x00249249; - for(j=0;j<4;j++) { - a = (d >> (6*j+0)) & 0x7; - b = (d >> (6*j+3)) & 0x7; - r->coeffs[4*i+j] = a - b; + for (j = 0; j < 4; j++) { + a = (d >> (6 * j + 0)) & 0x7; + b = (d >> (6 * j + 3)) & 0x7; + r->coeffs[4 * i + j] = a - b; } } } #endif -void poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1*KYBER_N/4]) -{ +void poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]) { #if KYBER_ETA1 == 2 cbd2(r, buf); #elif KYBER_ETA1 == 3 @@ -118,8 +113,7 @@ void poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1*KYBER_N/4]) #endif } -void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2*KYBER_N/4]) -{ +void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]) { #if KYBER_ETA2 == 2 cbd2(r, buf); #else diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/cbd.h b/crypto/kyber/pqcrystals_kyber_ref_common/cbd.h index 7b677d745d..4aeb281df3 100644 
--- a/crypto/kyber/pqcrystals_kyber_ref_common/cbd.h
+++ b/crypto/kyber/pqcrystals_kyber_ref_common/cbd.h
@@ -6,9 +6,9 @@
 #include "poly.h"
 
 #define poly_cbd_eta1 KYBER_NAMESPACE(poly_cbd_eta1)
-void poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1*KYBER_N/4]);
+void poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]);
 
 #define poly_cbd_eta2 KYBER_NAMESPACE(poly_cbd_eta2)
-void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2*KYBER_N/4]);
+void poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]);
 
 #endif
diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/fips202.c b/crypto/kyber/pqcrystals_kyber_ref_common/fips202.c
index ab3d2a1210..671eb96bd6 100644
--- a/crypto/kyber/pqcrystals_kyber_ref_common/fips202.c
+++ b/crypto/kyber/pqcrystals_kyber_ref_common/fips202.c
@@ -1,444 +1,424 @@ -/* Based on the public domain implementation in crypto_hash/keccakc512/simple/ from - * http://bench.cr.yp.to/supercop.html by Ronny Van Keer and the public domain "TweetFips202" - * implementation from https://twitter.com/tweetfips202 by Gilles Van Assche, Daniel J. Bernstein, - * and Peter Schwabe */ +/* Based on the public domain implementation in crypto_hash/keccakc512/simple/ + * from http://bench.cr.yp.to/supercop.html by Ronny Van Keer and the public + * domain "TweetFips202" implementation from https://twitter.com/tweetfips202 by + * Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe */ +#include "fips202.h" #include #include -#include "fips202.h" #define NROUNDS 24 -#define ROL(a, offset) ((a << offset) ^ (a >> (64-offset))) +#define ROL(a, offset) ((a << offset) ^ (a >> (64 - offset))) /************************************************* -* Name: load64 -* -* Description: Load 8 bytes into uint64_t in little-endian order -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns the loaded 64-bit unsigned integer -**************************************************/ + * Name: load64 + * + * Description: Load 8 bytes into uint64_t in little-endian order + * + * Arguments: - const uint8_t *x: pointer to input byte array + * + * Returns the loaded 64-bit unsigned integer + **************************************************/ static uint64_t load64(const uint8_t x[8]) { unsigned int i; uint64_t r = 0; - for(i=0;i<8;i++) - r |= (uint64_t)x[i] << 8*i; + for (i = 0; i < 8; i++) + r |= (uint64_t)x[i] << 8 * i; return r; } /************************************************* -* Name: store64 -* -* Description: Store a 64-bit integer to array of 8 bytes in little-endian order -* -* Arguments: - uint8_t *x: pointer to the output byte array (allocated) -* - uint64_t u: input 64-bit unsigned integer -**************************************************/ + * Name: store64 + * + * Description: Store a 64-bit integer to array of 8 
bytes in little-endian + *order + * + * Arguments: - uint8_t *x: pointer to the output byte array (allocated) + * - uint64_t u: input 64-bit unsigned integer + **************************************************/ static void store64(uint8_t x[8], uint64_t u) { unsigned int i; - for(i=0;i<8;i++) - x[i] = u >> 8*i; + for (i = 0; i < 8; i++) + x[i] = u >> 8 * i; } /* Keccak round constants */ static const uint64_t KeccakF_RoundConstants[NROUNDS] = { - (uint64_t)0x0000000000000001ULL, - (uint64_t)0x0000000000008082ULL, - (uint64_t)0x800000000000808aULL, - (uint64_t)0x8000000080008000ULL, - (uint64_t)0x000000000000808bULL, - (uint64_t)0x0000000080000001ULL, - (uint64_t)0x8000000080008081ULL, - (uint64_t)0x8000000000008009ULL, - (uint64_t)0x000000000000008aULL, - (uint64_t)0x0000000000000088ULL, - (uint64_t)0x0000000080008009ULL, - (uint64_t)0x000000008000000aULL, - (uint64_t)0x000000008000808bULL, - (uint64_t)0x800000000000008bULL, - (uint64_t)0x8000000000008089ULL, - (uint64_t)0x8000000000008003ULL, - (uint64_t)0x8000000000008002ULL, - (uint64_t)0x8000000000000080ULL, - (uint64_t)0x000000000000800aULL, - (uint64_t)0x800000008000000aULL, - (uint64_t)0x8000000080008081ULL, - (uint64_t)0x8000000000008080ULL, - (uint64_t)0x0000000080000001ULL, - (uint64_t)0x8000000080008008ULL -}; + (uint64_t)0x0000000000000001ULL, (uint64_t)0x0000000000008082ULL, + (uint64_t)0x800000000000808aULL, (uint64_t)0x8000000080008000ULL, + (uint64_t)0x000000000000808bULL, (uint64_t)0x0000000080000001ULL, + (uint64_t)0x8000000080008081ULL, (uint64_t)0x8000000000008009ULL, + (uint64_t)0x000000000000008aULL, (uint64_t)0x0000000000000088ULL, + (uint64_t)0x0000000080008009ULL, (uint64_t)0x000000008000000aULL, + (uint64_t)0x000000008000808bULL, (uint64_t)0x800000000000008bULL, + (uint64_t)0x8000000000008089ULL, (uint64_t)0x8000000000008003ULL, + (uint64_t)0x8000000000008002ULL, (uint64_t)0x8000000000000080ULL, + (uint64_t)0x000000000000800aULL, (uint64_t)0x800000008000000aULL, + 
(uint64_t)0x8000000080008081ULL, (uint64_t)0x8000000000008080ULL, + (uint64_t)0x0000000080000001ULL, (uint64_t)0x8000000080008008ULL}; /************************************************* -* Name: KeccakF1600_StatePermute -* -* Description: The Keccak F1600 Permutation -* -* Arguments: - uint64_t *state: pointer to input/output Keccak state -**************************************************/ -static void KeccakF1600_StatePermute(uint64_t state[25]) -{ - int round; - - uint64_t Aba, Abe, Abi, Abo, Abu; - uint64_t Aga, Age, Agi, Ago, Agu; - uint64_t Aka, Ake, Aki, Ako, Aku; - uint64_t Ama, Ame, Ami, Amo, Amu; - uint64_t Asa, Ase, Asi, Aso, Asu; - uint64_t BCa, BCe, BCi, BCo, BCu; - uint64_t Da, De, Di, Do, Du; - uint64_t Eba, Ebe, Ebi, Ebo, Ebu; - uint64_t Ega, Ege, Egi, Ego, Egu; - uint64_t Eka, Eke, Eki, Eko, Eku; - uint64_t Ema, Eme, Emi, Emo, Emu; - uint64_t Esa, Ese, Esi, Eso, Esu; - - //copyFromState(A, state) - Aba = state[ 0]; - Abe = state[ 1]; - Abi = state[ 2]; - Abo = state[ 3]; - Abu = state[ 4]; - Aga = state[ 5]; - Age = state[ 6]; - Agi = state[ 7]; - Ago = state[ 8]; - Agu = state[ 9]; - Aka = state[10]; - Ake = state[11]; - Aki = state[12]; - Ako = state[13]; - Aku = state[14]; - Ama = state[15]; - Ame = state[16]; - Ami = state[17]; - Amo = state[18]; - Amu = state[19]; - Asa = state[20]; - Ase = state[21]; - Asi = state[22]; - Aso = state[23]; - Asu = state[24]; - - for(round = 0; round < NROUNDS; round += 2) { - // prepareTheta - BCa = Aba^Aga^Aka^Ama^Asa; - BCe = Abe^Age^Ake^Ame^Ase; - BCi = Abi^Agi^Aki^Ami^Asi; - BCo = Abo^Ago^Ako^Amo^Aso; - BCu = Abu^Agu^Aku^Amu^Asu; - - //thetaRhoPiChiIotaPrepareTheta(round, A, E) - Da = BCu^ROL(BCe, 1); - De = BCa^ROL(BCi, 1); - Di = BCe^ROL(BCo, 1); - Do = BCi^ROL(BCu, 1); - Du = BCo^ROL(BCa, 1); - - Aba ^= Da; - BCa = Aba; - Age ^= De; - BCe = ROL(Age, 44); - Aki ^= Di; - BCi = ROL(Aki, 43); - Amo ^= Do; - BCo = ROL(Amo, 21); - Asu ^= Du; - BCu = ROL(Asu, 14); - Eba = BCa ^((~BCe)& BCi ); - Eba ^= 
(uint64_t)KeccakF_RoundConstants[round]; - Ebe = BCe ^((~BCi)& BCo ); - Ebi = BCi ^((~BCo)& BCu ); - Ebo = BCo ^((~BCu)& BCa ); - Ebu = BCu ^((~BCa)& BCe ); - - Abo ^= Do; - BCa = ROL(Abo, 28); - Agu ^= Du; - BCe = ROL(Agu, 20); - Aka ^= Da; - BCi = ROL(Aka, 3); - Ame ^= De; - BCo = ROL(Ame, 45); - Asi ^= Di; - BCu = ROL(Asi, 61); - Ega = BCa ^((~BCe)& BCi ); - Ege = BCe ^((~BCi)& BCo ); - Egi = BCi ^((~BCo)& BCu ); - Ego = BCo ^((~BCu)& BCa ); - Egu = BCu ^((~BCa)& BCe ); - - Abe ^= De; - BCa = ROL(Abe, 1); - Agi ^= Di; - BCe = ROL(Agi, 6); - Ako ^= Do; - BCi = ROL(Ako, 25); - Amu ^= Du; - BCo = ROL(Amu, 8); - Asa ^= Da; - BCu = ROL(Asa, 18); - Eka = BCa ^((~BCe)& BCi ); - Eke = BCe ^((~BCi)& BCo ); - Eki = BCi ^((~BCo)& BCu ); - Eko = BCo ^((~BCu)& BCa ); - Eku = BCu ^((~BCa)& BCe ); - - Abu ^= Du; - BCa = ROL(Abu, 27); - Aga ^= Da; - BCe = ROL(Aga, 36); - Ake ^= De; - BCi = ROL(Ake, 10); - Ami ^= Di; - BCo = ROL(Ami, 15); - Aso ^= Do; - BCu = ROL(Aso, 56); - Ema = BCa ^((~BCe)& BCi ); - Eme = BCe ^((~BCi)& BCo ); - Emi = BCi ^((~BCo)& BCu ); - Emo = BCo ^((~BCu)& BCa ); - Emu = BCu ^((~BCa)& BCe ); - - Abi ^= Di; - BCa = ROL(Abi, 62); - Ago ^= Do; - BCe = ROL(Ago, 55); - Aku ^= Du; - BCi = ROL(Aku, 39); - Ama ^= Da; - BCo = ROL(Ama, 41); - Ase ^= De; - BCu = ROL(Ase, 2); - Esa = BCa ^((~BCe)& BCi ); - Ese = BCe ^((~BCi)& BCo ); - Esi = BCi ^((~BCo)& BCu ); - Eso = BCo ^((~BCu)& BCa ); - Esu = BCu ^((~BCa)& BCe ); - - // prepareTheta - BCa = Eba^Ega^Eka^Ema^Esa; - BCe = Ebe^Ege^Eke^Eme^Ese; - BCi = Ebi^Egi^Eki^Emi^Esi; - BCo = Ebo^Ego^Eko^Emo^Eso; - BCu = Ebu^Egu^Eku^Emu^Esu; - - //thetaRhoPiChiIotaPrepareTheta(round+1, E, A) - Da = BCu^ROL(BCe, 1); - De = BCa^ROL(BCi, 1); - Di = BCe^ROL(BCo, 1); - Do = BCi^ROL(BCu, 1); - Du = BCo^ROL(BCa, 1); - - Eba ^= Da; - BCa = Eba; - Ege ^= De; - BCe = ROL(Ege, 44); - Eki ^= Di; - BCi = ROL(Eki, 43); - Emo ^= Do; - BCo = ROL(Emo, 21); - Esu ^= Du; - BCu = ROL(Esu, 14); - Aba = BCa ^((~BCe)& BCi ); - Aba ^= 
(uint64_t)KeccakF_RoundConstants[round+1]; - Abe = BCe ^((~BCi)& BCo ); - Abi = BCi ^((~BCo)& BCu ); - Abo = BCo ^((~BCu)& BCa ); - Abu = BCu ^((~BCa)& BCe ); - - Ebo ^= Do; - BCa = ROL(Ebo, 28); - Egu ^= Du; - BCe = ROL(Egu, 20); - Eka ^= Da; - BCi = ROL(Eka, 3); - Eme ^= De; - BCo = ROL(Eme, 45); - Esi ^= Di; - BCu = ROL(Esi, 61); - Aga = BCa ^((~BCe)& BCi ); - Age = BCe ^((~BCi)& BCo ); - Agi = BCi ^((~BCo)& BCu ); - Ago = BCo ^((~BCu)& BCa ); - Agu = BCu ^((~BCa)& BCe ); - - Ebe ^= De; - BCa = ROL(Ebe, 1); - Egi ^= Di; - BCe = ROL(Egi, 6); - Eko ^= Do; - BCi = ROL(Eko, 25); - Emu ^= Du; - BCo = ROL(Emu, 8); - Esa ^= Da; - BCu = ROL(Esa, 18); - Aka = BCa ^((~BCe)& BCi ); - Ake = BCe ^((~BCi)& BCo ); - Aki = BCi ^((~BCo)& BCu ); - Ako = BCo ^((~BCu)& BCa ); - Aku = BCu ^((~BCa)& BCe ); - - Ebu ^= Du; - BCa = ROL(Ebu, 27); - Ega ^= Da; - BCe = ROL(Ega, 36); - Eke ^= De; - BCi = ROL(Eke, 10); - Emi ^= Di; - BCo = ROL(Emi, 15); - Eso ^= Do; - BCu = ROL(Eso, 56); - Ama = BCa ^((~BCe)& BCi ); - Ame = BCe ^((~BCi)& BCo ); - Ami = BCi ^((~BCo)& BCu ); - Amo = BCo ^((~BCu)& BCa ); - Amu = BCu ^((~BCa)& BCe ); - - Ebi ^= Di; - BCa = ROL(Ebi, 62); - Ego ^= Do; - BCe = ROL(Ego, 55); - Eku ^= Du; - BCi = ROL(Eku, 39); - Ema ^= Da; - BCo = ROL(Ema, 41); - Ese ^= De; - BCu = ROL(Ese, 2); - Asa = BCa ^((~BCe)& BCi ); - Ase = BCe ^((~BCi)& BCo ); - Asi = BCi ^((~BCo)& BCu ); - Aso = BCo ^((~BCu)& BCa ); - Asu = BCu ^((~BCa)& BCe ); - } - - //copyToState(state, A) - state[ 0] = Aba; - state[ 1] = Abe; - state[ 2] = Abi; - state[ 3] = Abo; - state[ 4] = Abu; - state[ 5] = Aga; - state[ 6] = Age; - state[ 7] = Agi; - state[ 8] = Ago; - state[ 9] = Agu; - state[10] = Aka; - state[11] = Ake; - state[12] = Aki; - state[13] = Ako; - state[14] = Aku; - state[15] = Ama; - state[16] = Ame; - state[17] = Ami; - state[18] = Amo; - state[19] = Amu; - state[20] = Asa; - state[21] = Ase; - state[22] = Asi; - state[23] = Aso; - state[24] = Asu; + * Name: KeccakF1600_StatePermute + * + * 
Description: The Keccak F1600 Permutation + * + * Arguments: - uint64_t *state: pointer to input/output Keccak state + **************************************************/ +static void KeccakF1600_StatePermute(uint64_t state[25]) { + int round; + + uint64_t Aba, Abe, Abi, Abo, Abu; + uint64_t Aga, Age, Agi, Ago, Agu; + uint64_t Aka, Ake, Aki, Ako, Aku; + uint64_t Ama, Ame, Ami, Amo, Amu; + uint64_t Asa, Ase, Asi, Aso, Asu; + uint64_t BCa, BCe, BCi, BCo, BCu; + uint64_t Da, De, Di, Do, Du; + uint64_t Eba, Ebe, Ebi, Ebo, Ebu; + uint64_t Ega, Ege, Egi, Ego, Egu; + uint64_t Eka, Eke, Eki, Eko, Eku; + uint64_t Ema, Eme, Emi, Emo, Emu; + uint64_t Esa, Ese, Esi, Eso, Esu; + + // copyFromState(A, state) + Aba = state[0]; + Abe = state[1]; + Abi = state[2]; + Abo = state[3]; + Abu = state[4]; + Aga = state[5]; + Age = state[6]; + Agi = state[7]; + Ago = state[8]; + Agu = state[9]; + Aka = state[10]; + Ake = state[11]; + Aki = state[12]; + Ako = state[13]; + Aku = state[14]; + Ama = state[15]; + Ame = state[16]; + Ami = state[17]; + Amo = state[18]; + Amu = state[19]; + Asa = state[20]; + Ase = state[21]; + Asi = state[22]; + Aso = state[23]; + Asu = state[24]; + + for (round = 0; round < NROUNDS; round += 2) { + // prepareTheta + BCa = Aba ^ Aga ^ Aka ^ Ama ^ Asa; + BCe = Abe ^ Age ^ Ake ^ Ame ^ Ase; + BCi = Abi ^ Agi ^ Aki ^ Ami ^ Asi; + BCo = Abo ^ Ago ^ Ako ^ Amo ^ Aso; + BCu = Abu ^ Agu ^ Aku ^ Amu ^ Asu; + + // thetaRhoPiChiIotaPrepareTheta(round, A, E) + Da = BCu ^ ROL(BCe, 1); + De = BCa ^ ROL(BCi, 1); + Di = BCe ^ ROL(BCo, 1); + Do = BCi ^ ROL(BCu, 1); + Du = BCo ^ ROL(BCa, 1); + + Aba ^= Da; + BCa = Aba; + Age ^= De; + BCe = ROL(Age, 44); + Aki ^= Di; + BCi = ROL(Aki, 43); + Amo ^= Do; + BCo = ROL(Amo, 21); + Asu ^= Du; + BCu = ROL(Asu, 14); + Eba = BCa ^ ((~BCe) & BCi); + Eba ^= (uint64_t)KeccakF_RoundConstants[round]; + Ebe = BCe ^ ((~BCi) & BCo); + Ebi = BCi ^ ((~BCo) & BCu); + Ebo = BCo ^ ((~BCu) & BCa); + Ebu = BCu ^ ((~BCa) & BCe); + + Abo ^= Do; + BCa = 
ROL(Abo, 28); + Agu ^= Du; + BCe = ROL(Agu, 20); + Aka ^= Da; + BCi = ROL(Aka, 3); + Ame ^= De; + BCo = ROL(Ame, 45); + Asi ^= Di; + BCu = ROL(Asi, 61); + Ega = BCa ^ ((~BCe) & BCi); + Ege = BCe ^ ((~BCi) & BCo); + Egi = BCi ^ ((~BCo) & BCu); + Ego = BCo ^ ((~BCu) & BCa); + Egu = BCu ^ ((~BCa) & BCe); + + Abe ^= De; + BCa = ROL(Abe, 1); + Agi ^= Di; + BCe = ROL(Agi, 6); + Ako ^= Do; + BCi = ROL(Ako, 25); + Amu ^= Du; + BCo = ROL(Amu, 8); + Asa ^= Da; + BCu = ROL(Asa, 18); + Eka = BCa ^ ((~BCe) & BCi); + Eke = BCe ^ ((~BCi) & BCo); + Eki = BCi ^ ((~BCo) & BCu); + Eko = BCo ^ ((~BCu) & BCa); + Eku = BCu ^ ((~BCa) & BCe); + + Abu ^= Du; + BCa = ROL(Abu, 27); + Aga ^= Da; + BCe = ROL(Aga, 36); + Ake ^= De; + BCi = ROL(Ake, 10); + Ami ^= Di; + BCo = ROL(Ami, 15); + Aso ^= Do; + BCu = ROL(Aso, 56); + Ema = BCa ^ ((~BCe) & BCi); + Eme = BCe ^ ((~BCi) & BCo); + Emi = BCi ^ ((~BCo) & BCu); + Emo = BCo ^ ((~BCu) & BCa); + Emu = BCu ^ ((~BCa) & BCe); + + Abi ^= Di; + BCa = ROL(Abi, 62); + Ago ^= Do; + BCe = ROL(Ago, 55); + Aku ^= Du; + BCi = ROL(Aku, 39); + Ama ^= Da; + BCo = ROL(Ama, 41); + Ase ^= De; + BCu = ROL(Ase, 2); + Esa = BCa ^ ((~BCe) & BCi); + Ese = BCe ^ ((~BCi) & BCo); + Esi = BCi ^ ((~BCo) & BCu); + Eso = BCo ^ ((~BCu) & BCa); + Esu = BCu ^ ((~BCa) & BCe); + + // prepareTheta + BCa = Eba ^ Ega ^ Eka ^ Ema ^ Esa; + BCe = Ebe ^ Ege ^ Eke ^ Eme ^ Ese; + BCi = Ebi ^ Egi ^ Eki ^ Emi ^ Esi; + BCo = Ebo ^ Ego ^ Eko ^ Emo ^ Eso; + BCu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu; + + // thetaRhoPiChiIotaPrepareTheta(round+1, E, A) + Da = BCu ^ ROL(BCe, 1); + De = BCa ^ ROL(BCi, 1); + Di = BCe ^ ROL(BCo, 1); + Do = BCi ^ ROL(BCu, 1); + Du = BCo ^ ROL(BCa, 1); + + Eba ^= Da; + BCa = Eba; + Ege ^= De; + BCe = ROL(Ege, 44); + Eki ^= Di; + BCi = ROL(Eki, 43); + Emo ^= Do; + BCo = ROL(Emo, 21); + Esu ^= Du; + BCu = ROL(Esu, 14); + Aba = BCa ^ ((~BCe) & BCi); + Aba ^= (uint64_t)KeccakF_RoundConstants[round + 1]; + Abe = BCe ^ ((~BCi) & BCo); + Abi = BCi ^ ((~BCo) & BCu); + Abo = BCo ^ 
((~BCu) & BCa); + Abu = BCu ^ ((~BCa) & BCe); + + Ebo ^= Do; + BCa = ROL(Ebo, 28); + Egu ^= Du; + BCe = ROL(Egu, 20); + Eka ^= Da; + BCi = ROL(Eka, 3); + Eme ^= De; + BCo = ROL(Eme, 45); + Esi ^= Di; + BCu = ROL(Esi, 61); + Aga = BCa ^ ((~BCe) & BCi); + Age = BCe ^ ((~BCi) & BCo); + Agi = BCi ^ ((~BCo) & BCu); + Ago = BCo ^ ((~BCu) & BCa); + Agu = BCu ^ ((~BCa) & BCe); + + Ebe ^= De; + BCa = ROL(Ebe, 1); + Egi ^= Di; + BCe = ROL(Egi, 6); + Eko ^= Do; + BCi = ROL(Eko, 25); + Emu ^= Du; + BCo = ROL(Emu, 8); + Esa ^= Da; + BCu = ROL(Esa, 18); + Aka = BCa ^ ((~BCe) & BCi); + Ake = BCe ^ ((~BCi) & BCo); + Aki = BCi ^ ((~BCo) & BCu); + Ako = BCo ^ ((~BCu) & BCa); + Aku = BCu ^ ((~BCa) & BCe); + + Ebu ^= Du; + BCa = ROL(Ebu, 27); + Ega ^= Da; + BCe = ROL(Ega, 36); + Eke ^= De; + BCi = ROL(Eke, 10); + Emi ^= Di; + BCo = ROL(Emi, 15); + Eso ^= Do; + BCu = ROL(Eso, 56); + Ama = BCa ^ ((~BCe) & BCi); + Ame = BCe ^ ((~BCi) & BCo); + Ami = BCi ^ ((~BCo) & BCu); + Amo = BCo ^ ((~BCu) & BCa); + Amu = BCu ^ ((~BCa) & BCe); + + Ebi ^= Di; + BCa = ROL(Ebi, 62); + Ego ^= Do; + BCe = ROL(Ego, 55); + Eku ^= Du; + BCi = ROL(Eku, 39); + Ema ^= Da; + BCo = ROL(Ema, 41); + Ese ^= De; + BCu = ROL(Ese, 2); + Asa = BCa ^ ((~BCe) & BCi); + Ase = BCe ^ ((~BCi) & BCo); + Asi = BCi ^ ((~BCo) & BCu); + Aso = BCo ^ ((~BCu) & BCa); + Asu = BCu ^ ((~BCa) & BCe); + } + + // copyToState(state, A) + state[0] = Aba; + state[1] = Abe; + state[2] = Abi; + state[3] = Abo; + state[4] = Abu; + state[5] = Aga; + state[6] = Age; + state[7] = Agi; + state[8] = Ago; + state[9] = Agu; + state[10] = Aka; + state[11] = Ake; + state[12] = Aki; + state[13] = Ako; + state[14] = Aku; + state[15] = Ama; + state[16] = Ame; + state[17] = Ami; + state[18] = Amo; + state[19] = Amu; + state[20] = Asa; + state[21] = Ase; + state[22] = Asi; + state[23] = Aso; + state[24] = Asu; } /************************************************* -* Name: keccak_init -* -* Description: Initializes the Keccak state. 
-* -* Arguments: - uint64_t *s: pointer to Keccak state -**************************************************/ -static void keccak_init(uint64_t s[25]) -{ + * Name: keccak_init + * + * Description: Initializes the Keccak state. + * + * Arguments: - uint64_t *s: pointer to Keccak state + **************************************************/ +static void keccak_init(uint64_t s[25]) { unsigned int i; - for(i=0;i<25;i++) + for (i = 0; i < 25; i++) s[i] = 0; } /************************************************* -* Name: keccak_absorb -* -* Description: Absorb step of Keccak; incremental. -* -* Arguments: - uint64_t *s: pointer to Keccak state -* - unsigned int pos: position in current block to be absorbed -* - unsigned int r: rate in bytes (e.g., 168 for SHAKE128) -* - const uint8_t *in: pointer to input to be absorbed into s -* - size_t inlen: length of input in bytes -* -* Returns new position pos in current block -**************************************************/ -static unsigned int keccak_absorb(uint64_t s[25], - unsigned int pos, - unsigned int r, - const uint8_t *in, - size_t inlen) -{ + * Name: keccak_absorb + * + * Description: Absorb step of Keccak; incremental. 
+ * + * Arguments: - uint64_t *s: pointer to Keccak state + * - unsigned int pos: position in current block to be absorbed + * - unsigned int r: rate in bytes (e.g., 168 for SHAKE128) + * - const uint8_t *in: pointer to input to be absorbed into s + * - size_t inlen: length of input in bytes + * + * Returns new position pos in current block + **************************************************/ +static unsigned int keccak_absorb(uint64_t s[25], unsigned int pos, + unsigned int r, const uint8_t *in, + size_t inlen) { unsigned int i; - while(pos+inlen >= r) { - for(i=pos;i= r) { + for (i = pos; i < r; i++) + s[i / 8] ^= (uint64_t)*in++ << 8 * (i % 8); + inlen -= r - pos; KeccakF1600_StatePermute(s); pos = 0; } - for(i=pos;i> 8*(i%8); - outlen -= i-pos; + for (i = pos; i < r && i < pos + outlen; i++) + *out++ = s[i / 8] >> 8 * (i % 8); + outlen -= i - pos; pos = i; } 
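Review bot: clang-format's comment reflow left the wrapped continuation lines of the banner comments without the space after `*`: store64's header in this hunk now reads ` *order` on a line of its own, and the same breakage appears in the next hunk of this file (` *functions` in keccak_absorb_once, ` *state`, ` *output` and ` *non-incremental.` in the shake128/shake256 headers). Those lines should be re-indented by hand to match the column of the text above them, e.g. ` *              order`, or the banner comments fenced with `// clang-format off` / `// clang-format on` so the formatter does not reflow them on the next run. Separately, the reformatted `ROL` macro still does not parenthesize its arguments; `#define ROL(a, offset) (((a) << (offset)) ^ ((a) >> (64 - (offset))))` would make it safe for expression arguments, although every call site in this hunk passes a plain variable and a literal, so this is a hardening rather than a bug.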
@@ -447,328 +427,319 @@ static unsigned int keccak_squeeze(uint8_t *out, /************************************************* -* Name: keccak_absorb_once -* -* Description: Absorb step of Keccak; -* non-incremental, starts by zeroeing the state. -* -* Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state -* - unsigned int r: rate in bytes (e.g., 168 for SHAKE128) -* - const uint8_t *in: pointer to input to be absorbed into s -* - size_t inlen: length of input in bytes -* - uint8_t p: domain-separation byte for different Keccak-derived functions -**************************************************/ -static void keccak_absorb_once(uint64_t s[25], - unsigned int r, - const uint8_t *in, - size_t inlen, - uint8_t p) -{ + * Name: keccak_absorb_once + * + * Description: Absorb step of Keccak; + * non-incremental, starts by zeroeing the state. + * + * Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state + * - unsigned int r: rate in bytes (e.g., 168 for SHAKE128) + * - const uint8_t *in: pointer to input to be absorbed into s + * - size_t inlen: length of input in bytes + * - uint8_t p: domain-separation byte for different Keccak-derived + *functions + **************************************************/ +static void keccak_absorb_once(uint64_t s[25], unsigned int r, + const uint8_t *in, size_t inlen, uint8_t p) { unsigned int i; - for(i=0;i<25;i++) + for (i = 0; i < 25; i++) s[i] = 0; - while(inlen >= r) { - for(i=0;i= r) { + for (i = 0; i < r / 8; i++) + s[i] ^= load64(in + 8 * i); in += r; inlen -= r; KeccakF1600_StatePermute(s); } - for(i=0;is); state->pos = 0; } /************************************************* -* Name: shake128_absorb -* -* Description: Absorb step of the SHAKE128 XOF; incremental. 
-* -* Arguments: - keccak_state *state: pointer to (initialized) output Keccak state -* - const uint8_t *in: pointer to input to be absorbed into s -* - size_t inlen: length of input in bytes -**************************************************/ -void shake128_absorb(keccak_state *state, const uint8_t *in, size_t inlen) -{ + * Name: shake128_absorb + * + * Description: Absorb step of the SHAKE128 XOF; incremental. + * + * Arguments: - keccak_state *state: pointer to (initialized) output Keccak + *state + * - const uint8_t *in: pointer to input to be absorbed into s + * - size_t inlen: length of input in bytes + **************************************************/ +void shake128_absorb(keccak_state *state, const uint8_t *in, size_t inlen) { state->pos = keccak_absorb(state->s, state->pos, SHAKE128_RATE, in, inlen); } /************************************************* -* Name: shake128_finalize -* -* Description: Finalize absorb step of the SHAKE128 XOF. -* -* Arguments: - keccak_state *state: pointer to Keccak state -**************************************************/ -void shake128_finalize(keccak_state *state) -{ + * Name: shake128_finalize + * + * Description: Finalize absorb step of the SHAKE128 XOF. + * + * Arguments: - keccak_state *state: pointer to Keccak state + **************************************************/ +void shake128_finalize(keccak_state *state) { keccak_finalize(state->s, state->pos, SHAKE128_RATE, 0x1F); state->pos = SHAKE128_RATE; } /************************************************* -* Name: shake128_squeeze -* -* Description: Squeeze step of SHAKE128 XOF. Squeezes arbitraily many -* bytes. Can be called multiple times to keep squeezing. 
-* -* Arguments: - uint8_t *out: pointer to output blocks -* - size_t outlen : number of bytes to be squeezed (written to output) -* - keccak_state *s: pointer to input/output Keccak state -**************************************************/ -void shake128_squeeze(uint8_t *out, size_t outlen, keccak_state *state) -{ + * Name: shake128_squeeze + * + * Description: Squeeze step of SHAKE128 XOF. Squeezes arbitraily many + * bytes. Can be called multiple times to keep squeezing. + * + * Arguments: - uint8_t *out: pointer to output blocks + * - size_t outlen : number of bytes to be squeezed (written to + *output) + * - keccak_state *s: pointer to input/output Keccak state + **************************************************/ +void shake128_squeeze(uint8_t *out, size_t outlen, keccak_state *state) { state->pos = keccak_squeeze(out, outlen, state->s, state->pos, SHAKE128_RATE); } /************************************************* -* Name: shake128_absorb_once -* -* Description: Initialize, absorb into and finalize SHAKE128 XOF; non-incremental. -* -* Arguments: - keccak_state *state: pointer to (uninitialized) output Keccak state -* - const uint8_t *in: pointer to input to be absorbed into s -* - size_t inlen: length of input in bytes -**************************************************/ -void shake128_absorb_once(keccak_state *state, const uint8_t *in, size_t inlen) -{ + * Name: shake128_absorb_once + * + * Description: Initialize, absorb into and finalize SHAKE128 XOF; + *non-incremental. 
+ * + * Arguments: - keccak_state *state: pointer to (uninitialized) output Keccak + *state + * - const uint8_t *in: pointer to input to be absorbed into s + * - size_t inlen: length of input in bytes + **************************************************/ +void shake128_absorb_once(keccak_state *state, const uint8_t *in, + size_t inlen) { keccak_absorb_once(state->s, SHAKE128_RATE, in, inlen, 0x1F); state->pos = SHAKE128_RATE; } /************************************************* -* Name: shake128_squeezeblocks -* -* Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of -* SHAKE128_RATE bytes each. Can be called multiple times -* to keep squeezing. Assumes new block has not yet been -* started (state->pos = SHAKE128_RATE). -* -* Arguments: - uint8_t *out: pointer to output blocks -* - size_t nblocks: number of blocks to be squeezed (written to output) -* - keccak_state *s: pointer to input/output Keccak state -**************************************************/ -void shake128_squeezeblocks(uint8_t *out, size_t nblocks, keccak_state *state) -{ + * Name: shake128_squeezeblocks + * + * Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of + * SHAKE128_RATE bytes each. Can be called multiple times + * to keep squeezing. Assumes new block has not yet been + * started (state->pos = SHAKE128_RATE). 
+ * + * Arguments: - uint8_t *out: pointer to output blocks + * - size_t nblocks: number of blocks to be squeezed (written to + *output) + * - keccak_state *s: pointer to input/output Keccak state + **************************************************/ +void shake128_squeezeblocks(uint8_t *out, size_t nblocks, keccak_state *state) { keccak_squeezeblocks(out, nblocks, state->s, SHAKE128_RATE); } /************************************************* -* Name: shake256_init -* -* Description: Initilizes Keccak state for use as SHAKE256 XOF -* -* Arguments: - keccak_state *state: pointer to (uninitialized) Keccak state -**************************************************/ -void shake256_init(keccak_state *state) -{ + * Name: shake256_init + * + * Description: Initilizes Keccak state for use as SHAKE256 XOF + * + * Arguments: - keccak_state *state: pointer to (uninitialized) Keccak state + **************************************************/ +void shake256_init(keccak_state *state) { keccak_init(state->s); state->pos = 0; } /************************************************* -* Name: shake256_absorb -* -* Description: Absorb step of the SHAKE256 XOF; incremental. -* -* Arguments: - keccak_state *state: pointer to (initialized) output Keccak state -* - const uint8_t *in: pointer to input to be absorbed into s -* - size_t inlen: length of input in bytes -**************************************************/ -void shake256_absorb(keccak_state *state, const uint8_t *in, size_t inlen) -{ + * Name: shake256_absorb + * + * Description: Absorb step of the SHAKE256 XOF; incremental. 
+ * + * Arguments: - keccak_state *state: pointer to (initialized) output Keccak + *state + * - const uint8_t *in: pointer to input to be absorbed into s + * - size_t inlen: length of input in bytes + **************************************************/ +void shake256_absorb(keccak_state *state, const uint8_t *in, size_t inlen) { state->pos = keccak_absorb(state->s, state->pos, SHAKE256_RATE, in, inlen); } /************************************************* -* Name: shake256_finalize -* -* Description: Finalize absorb step of the SHAKE256 XOF. -* -* Arguments: - keccak_state *state: pointer to Keccak state -**************************************************/ -void shake256_finalize(keccak_state *state) -{ + * Name: shake256_finalize + * + * Description: Finalize absorb step of the SHAKE256 XOF. + * + * Arguments: - keccak_state *state: pointer to Keccak state + **************************************************/ +void shake256_finalize(keccak_state *state) { keccak_finalize(state->s, state->pos, SHAKE256_RATE, 0x1F); state->pos = SHAKE256_RATE; } /************************************************* -* Name: shake256_squeeze -* -* Description: Squeeze step of SHAKE256 XOF. Squeezes arbitraily many -* bytes. Can be called multiple times to keep squeezing. -* -* Arguments: - uint8_t *out: pointer to output blocks -* - size_t outlen : number of bytes to be squeezed (written to output) -* - keccak_state *s: pointer to input/output Keccak state -**************************************************/ -void shake256_squeeze(uint8_t *out, size_t outlen, keccak_state *state) -{ + * Name: shake256_squeeze + * + * Description: Squeeze step of SHAKE256 XOF. Squeezes arbitraily many + * bytes. Can be called multiple times to keep squeezing. 
+ * + * Arguments: - uint8_t *out: pointer to output blocks + * - size_t outlen : number of bytes to be squeezed (written to + *output) + * - keccak_state *s: pointer to input/output Keccak state + **************************************************/ +void shake256_squeeze(uint8_t *out, size_t outlen, keccak_state *state) { state->pos = keccak_squeeze(out, outlen, state->s, state->pos, SHAKE256_RATE); } /************************************************* -* Name: shake256_absorb_once -* -* Description: Initialize, absorb into and finalize SHAKE256 XOF; non-incremental. -* -* Arguments: - keccak_state *state: pointer to (uninitialized) output Keccak state -* - const uint8_t *in: pointer to input to be absorbed into s -* - size_t inlen: length of input in bytes -**************************************************/ -void shake256_absorb_once(keccak_state *state, const uint8_t *in, size_t inlen) -{ + * Name: shake256_absorb_once + * + * Description: Initialize, absorb into and finalize SHAKE256 XOF; + *non-incremental. + * + * Arguments: - keccak_state *state: pointer to (uninitialized) output Keccak + *state + * - const uint8_t *in: pointer to input to be absorbed into s + * - size_t inlen: length of input in bytes + **************************************************/ +void shake256_absorb_once(keccak_state *state, const uint8_t *in, + size_t inlen) { keccak_absorb_once(state->s, SHAKE256_RATE, in, inlen, 0x1F); state->pos = SHAKE256_RATE; } /************************************************* -* Name: shake256_squeezeblocks -* -* Description: Squeeze step of SHAKE256 XOF. Squeezes full blocks of -* SHAKE256_RATE bytes each. Can be called multiple times -* to keep squeezing. Assumes next block has not yet been -* started (state->pos = SHAKE256_RATE). 
-* -* Arguments: - uint8_t *out: pointer to output blocks -* - size_t nblocks: number of blocks to be squeezed (written to output) -* - keccak_state *s: pointer to input/output Keccak state -**************************************************/ -void shake256_squeezeblocks(uint8_t *out, size_t nblocks, keccak_state *state) -{ + * Name: shake256_squeezeblocks + * + * Description: Squeeze step of SHAKE256 XOF. Squeezes full blocks of + * SHAKE256_RATE bytes each. Can be called multiple times + * to keep squeezing. Assumes next block has not yet been + * started (state->pos = SHAKE256_RATE). + * + * Arguments: - uint8_t *out: pointer to output blocks + * - size_t nblocks: number of blocks to be squeezed (written to + *output) + * - keccak_state *s: pointer to input/output Keccak state + **************************************************/ +void shake256_squeezeblocks(uint8_t *out, size_t nblocks, keccak_state *state) { keccak_squeezeblocks(out, nblocks, state->s, SHAKE256_RATE); } /************************************************* -* Name: shake128 -* -* Description: SHAKE128 XOF with non-incremental API -* -* Arguments: - uint8_t *out: pointer to output -* - size_t outlen: requested output length in bytes -* - const uint8_t *in: pointer to input -* - size_t inlen: length of input in bytes -**************************************************/ -void shake128(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) -{ + * Name: shake128 + * + * Description: SHAKE128 XOF with non-incremental API + * + * Arguments: - uint8_t *out: pointer to output + * - size_t outlen: requested output length in bytes + * - const uint8_t *in: pointer to input + * - size_t inlen: length of input in bytes + **************************************************/ +void shake128(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { size_t nblocks; keccak_state state; shake128_absorb_once(&state, in, inlen); - nblocks = outlen/SHAKE128_RATE; + nblocks = outlen / SHAKE128_RATE; 
shake128_squeezeblocks(out, nblocks, &state); - outlen -= nblocks*SHAKE128_RATE; - out += nblocks*SHAKE128_RATE; + outlen -= nblocks * SHAKE128_RATE; + out += nblocks * SHAKE128_RATE; shake128_squeeze(out, outlen, &state); } /************************************************* -* Name: shake256 -* -* Description: SHAKE256 XOF with non-incremental API -* -* Arguments: - uint8_t *out: pointer to output -* - size_t outlen: requested output length in bytes -* - const uint8_t *in: pointer to input -* - size_t inlen: length of input in bytes -**************************************************/ -void shake256(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) -{ + * Name: shake256 + * + * Description: SHAKE256 XOF with non-incremental API + * + * Arguments: - uint8_t *out: pointer to output + * - size_t outlen: requested output length in bytes + * - const uint8_t *in: pointer to input + * - size_t inlen: length of input in bytes + **************************************************/ +void shake256(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { size_t nblocks; keccak_state state; shake256_absorb_once(&state, in, inlen); - nblocks = outlen/SHAKE256_RATE; + nblocks = outlen / SHAKE256_RATE; shake256_squeezeblocks(out, nblocks, &state); - outlen -= nblocks*SHAKE256_RATE; - out += nblocks*SHAKE256_RATE; + outlen -= nblocks * SHAKE256_RATE; + out += nblocks * SHAKE256_RATE; shake256_squeeze(out, outlen, &state); } /************************************************* -* Name: sha3_256 -* -* Description: SHA3-256 with non-incremental API -* -* Arguments: - uint8_t *h: pointer to output (32 bytes) -* - const uint8_t *in: pointer to input -* - size_t inlen: length of input in bytes -**************************************************/ -void sha3_256(uint8_t h[32], const uint8_t *in, size_t inlen) -{ + * Name: sha3_256 + * + * Description: SHA3-256 with non-incremental API + * + * Arguments: - uint8_t *h: pointer to output (32 bytes) + * - const uint8_t *in: 
pointer to input + * - size_t inlen: length of input in bytes + **************************************************/ +void sha3_256(uint8_t h[32], const uint8_t *in, size_t inlen) { unsigned int i; uint64_t s[25]; keccak_absorb_once(s, SHA3_256_RATE, in, inlen, 0x06); KeccakF1600_StatePermute(s); - for(i=0;i<4;i++) - store64(h+8*i,s[i]); + for (i = 0; i < 4; i++) + store64(h + 8 * i, s[i]); } /************************************************* -* Name: sha3_512 -* -* Description: SHA3-512 with non-incremental API -* -* Arguments: - uint8_t *h: pointer to output (64 bytes) -* - const uint8_t *in: pointer to input -* - size_t inlen: length of input in bytes -**************************************************/ -void sha3_512(uint8_t h[64], const uint8_t *in, size_t inlen) -{ + * Name: sha3_512 + * + * Description: SHA3-512 with non-incremental API + * + * Arguments: - uint8_t *h: pointer to output (64 bytes) + * - const uint8_t *in: pointer to input + * - size_t inlen: length of input in bytes + **************************************************/ +void sha3_512(uint8_t h[64], const uint8_t *in, size_t inlen) { unsigned int i; uint64_t s[25]; keccak_absorb_once(s, SHA3_512_RATE, in, inlen, 0x06); KeccakF1600_StatePermute(s); - for(i=0;i<8;i++) - store64(h+8*i,s[i]); + for (i = 0; i < 8; i++) + store64(h + 8 * i, s[i]); } diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/fips202.h b/crypto/kyber/pqcrystals_kyber_ref_common/fips202.h index 65e59a1ad2..9e417ccf3d 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/fips202.h +++ b/crypto/kyber/pqcrystals_kyber_ref_common/fips202.h @@ -1,16 +1,16 @@ #ifndef FIPS202_H #define FIPS202_H +#include #include #include -#include #define SHAKE128_RATE 168 #define SHAKE256_RATE 136 #define SHA3_256_RATE 136 #define SHA3_512_RATE 72 -#define FIPS202_PREFIX(s) pqcrystals_kyber_fips202_ref_ ## s +#define FIPS202_PREFIX(s) pqcrystals_kyber_fips202_ref_##s #define FIPS202_NAMESPACE(s) FIPS202_PREFIX(s) typedef struct { 
@@ -42,7 +42,7 @@ void shake256_squeeze(uint8_t *out, size_t outlen, keccak_state *state); #define shake256_absorb_once FIPS202_NAMESPACE(shake256_absorb_once) void shake256_absorb_once(keccak_state *state, const uint8_t *in, size_t inlen); #define shake256_squeezeblocks FIPS202_NAMESPACE(shake256_squeezeblocks) -void shake256_squeezeblocks(uint8_t *out, size_t nblocks, keccak_state *state); +void shake256_squeezeblocks(uint8_t *out, size_t nblocks, keccak_state *state); #define shake128 FIPS202_NAMESPACE(shake128) void shake128(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen); diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/indcpa.c b/crypto/kyber/pqcrystals_kyber_ref_common/indcpa.c index f65e3f5e5b..abc31c2473 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/indcpa.c +++ b/crypto/kyber/pqcrystals_kyber_ref_common/indcpa.c 
@@ -9,209 +9,208 @@ /************************************************* -* Name: pack_pk -* -* Description: Serialize the public key as concatenation of the -* serialized vector of polynomials pk -* and the public seed used to generate the matrix A. -* -* Arguments: uint8_t *r: pointer to the output serialized public key -* polyvec *pk: pointer to the input public-key polyvec -* const uint8_t *seed: pointer to the input public seed -**************************************************/ -static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], - polyvec *pk, - const uint8_t seed[KYBER_SYMBYTES]) -{ + * Name: pack_pk + * + * Description: Serialize the public key as concatenation of the + * serialized vector of polynomials pk + * and the public seed used to generate the matrix A. + * + * Arguments: uint8_t *r: pointer to the output serialized public key + * polyvec *pk: pointer to the input public-key polyvec + * const uint8_t *seed: pointer to the input public seed + **************************************************/ +static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], polyvec *pk, + const uint8_t seed[KYBER_SYMBYTES]) { size_t i; polyvec_tobytes(r, pk); - for(i=0;i> 0) | ((uint16_t)buf[pos+1] << 8)) & 0xFFF; - val1 = ((buf[pos+1] >> 4) | ((uint16_t)buf[pos+2] << 4)) & 0xFFF; + while (ctr < len && pos + 3 <= buflen) { + val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) & 0xFFF; + val1 = ((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4)) & 0xFFF; pos += 3; - if(val0 < KYBER_Q) + if (val0 < KYBER_Q) r[ctr++] = val0; - if(ctr < len && val1 < KYBER_Q) + if (ctr < len && val1 < KYBER_Q) r[ctr++] = val1; } return ctr; } -#define gen_a(A,B) gen_matrix(A,B,0) -#define gen_at(A,B) gen_matrix(A,B,1) +#define gen_a(A, B) gen_matrix(A, B, 0) +#define gen_at(A, B) gen_matrix(A, B, 1) /************************************************* -* Name: gen_matrix -* -* Description: Deterministically generate matrix A (or the transpose of A) -* from a seed. 
Entries of the matrix are polynomials that look -* uniformly random. Performs rejection sampling on output of -* a XOF -* -* Arguments: - polyvec *a: pointer to ouptput matrix A -* - const uint8_t *seed: pointer to input seed -* - int transposed: boolean deciding whether A or A^T is generated -**************************************************/ -#define GEN_MATRIX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) + * Name: gen_matrix + * + * Description: Deterministically generate matrix A (or the transpose of A) + * from a seed. Entries of the matrix are polynomials that look + * uniformly random. Performs rejection sampling on output of + * a XOF + * + * Arguments: - polyvec *a: pointer to ouptput matrix A + * - const uint8_t *seed: pointer to input seed + * - int transposed: boolean deciding whether A or A^T is generated + **************************************************/ +#define GEN_MATRIX_NBLOCKS \ + ((12 * KYBER_N / 8 * (1 << 12) / KYBER_Q + XOF_BLOCKBYTES) / XOF_BLOCKBYTES) // Not static for benchmarking -void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) -{ +void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], + int transposed) { unsigned int ctr, i, j, k; unsigned int buflen, off; - uint8_t buf[GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES+2]; + uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES + 2]; xof_state state; - for(i=0;i #include #include "indcpa.h" +#include "openssl/rand.h" #include "params.h" #include "symmetric.h" #include "verify.h" -#include "openssl/rand.h" /************************************************* -* Name: crypto_kem_keypair_derand -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - uint8_t *pk: pointer to output public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* - uint8_t 
*coins: pointer to input randomness -* (an already allocated array filled with 2*KYBER_SYMBYTES random bytes) -** -* Returns 0 (success) -**************************************************/ -int crypto_kem_keypair_derand(uint8_t *pk, - uint8_t *sk, - const uint8_t coins[2*KYBER_SYMBYTES]) -{ + * Name: crypto_kem_keypair_derand + * + * Description: Generates public and private key + * for CCA-secure Kyber key encapsulation mechanism + * + * Arguments: - uint8_t *pk: pointer to output public key + * (an already allocated array of KYBER_PUBLICKEYBYTES bytes) + * - uint8_t *sk: pointer to output private key + * (an already allocated array of KYBER_SECRETKEYBYTES bytes) + * - uint8_t *coins: pointer to input randomness + * (an already allocated array filled with 2*KYBER_SYMBYTES + *random bytes) + ** + * Returns 0 (success) + **************************************************/ +int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, + const uint8_t coins[2 * KYBER_SYMBYTES]) { indcpa_keypair_derand(pk, sk, coins); - memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES); - hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); + memcpy(sk + KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES); + hash_h(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, + KYBER_PUBLICKEYBYTES); /* Value z for pseudo-random output on reject */ - memcpy(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, coins + KYBER_SYMBYTES, KYBER_SYMBYTES); + memcpy(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, coins + KYBER_SYMBYTES, + KYBER_SYMBYTES); return 0; } /************************************************* -* Name: crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - uint8_t *pk: pointer to output public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* 
Returns 0 (success) -**************************************************/ -int crypto_kem_keypair(uint8_t *pk, - uint8_t *sk) -{ - uint8_t coins[2*KYBER_SYMBYTES]; + * Name: crypto_kem_keypair + * + * Description: Generates public and private key + * for CCA-secure Kyber key encapsulation mechanism + * + * Arguments: - uint8_t *pk: pointer to output public key + * (an already allocated array of KYBER_PUBLICKEYBYTES bytes) + * - uint8_t *sk: pointer to output private key + * (an already allocated array of KYBER_SECRETKEYBYTES bytes) + * + * Returns 0 (success) + **************************************************/ +int crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { + uint8_t coins[2 * KYBER_SYMBYTES]; RAND_bytes(coins, KYBER_SYMBYTES); RAND_bytes(coins + KYBER_SYMBYTES, KYBER_SYMBYTES); crypto_kem_keypair_derand(pk, sk, coins); 
@@ -59,67 +58,62 @@ int crypto_kem_keypair(uint8_t *pk, } /************************************************* -* Name: crypto_kem_enc_derand -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - uint8_t *ct: pointer to output cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - uint8_t *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - const uint8_t *coins: pointer to input randomness -* (an already allocated array filled with KYBER_SYMBYTES random bytes) -* -* Returns 0 (success) -**************************************************/ -int crypto_kem_enc_derand(uint8_t *ct, - uint8_t *ss, - const uint8_t *pk, - const uint8_t coins[KYBER_SYMBYTES]) -{ - uint8_t buf[2*KYBER_SYMBYTES]; + * Name: crypto_kem_enc_derand + * + * Description: Generates cipher text and shared + * secret for given public key + * + * Arguments: - uint8_t *ct: pointer to output cipher text + * (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) + * - uint8_t *ss: pointer to output shared secret + * (an already allocated array of KYBER_SSBYTES bytes) + * - const uint8_t *pk: pointer to input public key + * (an already allocated array of KYBER_PUBLICKEYBYTES bytes) + * - const uint8_t *coins: pointer to input randomness + * (an already allocated array filled with KYBER_SYMBYTES random + *bytes) + * + * Returns 0 (success) + **************************************************/ +int crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, + const uint8_t coins[KYBER_SYMBYTES]) { + uint8_t buf[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ - uint8_t kr[2*KYBER_SYMBYTES]; + uint8_t kr[2 * KYBER_SYMBYTES]; /* Don't release system RNG output */ hash_h(buf, coins, KYBER_SYMBYTES); /* Multitarget countermeasure for coins + contributory KEM */ - 
hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - hash_g(kr, buf, 2*KYBER_SYMBYTES); + hash_h(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); + hash_g(kr, buf, 2 * KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */ - indcpa_enc(ct, buf, pk, kr+KYBER_SYMBYTES); + indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); /* overwrite coins in kr with H(c) */ - hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); + hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2*KYBER_SYMBYTES); + kdf(ss, kr, 2 * KYBER_SYMBYTES); return 0; } /************************************************* -* Name: crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - uint8_t *ct: pointer to output cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - uint8_t *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int crypto_kem_enc(uint8_t *ct, - uint8_t *ss, - const uint8_t *pk) -{ + * Name: crypto_kem_enc + * + * Description: Generates cipher text and shared + * secret for given public key + * + * Arguments: - uint8_t *ct: pointer to output cipher text + * (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) + * - uint8_t *ss: pointer to output shared secret + * (an already allocated array of KYBER_SSBYTES bytes) + * - const uint8_t *pk: pointer to input public key + * (an already allocated array of KYBER_PUBLICKEYBYTES bytes) + * + * Returns 0 (success) + **************************************************/ +int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { uint8_t coins[KYBER_SYMBYTES]; RAND_bytes(coins, KYBER_SYMBYTES); crypto_kem_enc_derand(ct, ss, pk, coins); 
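Review bot: The continuation line ` *bytes)` that clang-format produced in the crypto_kem_enc_derand banner comment has no space after the asterisk, so the argument description now reads "KYBER_SYMBYTES random *bytes)"; the same artefact appears in this file's crypto_kem_keypair_derand banner (` *random bytes)`), in fips202.c's shake256_absorb, shake256_squeeze, shake256_absorb_once and shake256_squeezeblocks banners (` *state`, ` *output)`, ` *non-incremental.`), and in ntt.c's ntt and invntt_tomont banners (` *Zq`). The formatter cannot reflow the `/*****...*****/` banners the reference code uses, so either shorten the overlong lines by hand, e.g. ` *                    (an already allocated array of KYBER_SYMBYTES random` followed by ` *                    bytes)`, or wrap each banner in `// clang-format off` / `// clang-format on` so its layout is preserved. If this directory is meant to track upstream pqcrystals, keeping the banners verbatim also keeps future upstream syncs smaller.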
@@ -127,53 +121,50 @@ int crypto_kem_enc(uint8_t *ct, } /************************************************* -* Name: crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - uint8_t *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const uint8_t *ct: pointer to input cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - const uint8_t *sk: pointer to input private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0. -* -* On failure, ss will contain a pseudo-random value. -**************************************************/ -int crypto_kem_dec(uint8_t *ss, - const uint8_t *ct, - const uint8_t *sk) -{ + * Name: crypto_kem_dec + * + * Description: Generates shared secret for given + * cipher text and private key + * + * Arguments: - uint8_t *ss: pointer to output shared secret + * (an already allocated array of KYBER_SSBYTES bytes) + * - const uint8_t *ct: pointer to input cipher text + * (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) + * - const uint8_t *sk: pointer to input private key + * (an already allocated array of KYBER_SECRETKEYBYTES bytes) + * + * Returns 0. + * + * On failure, ss will contain a pseudo-random value. 
+ **************************************************/ +int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { size_t i; int fail; - uint8_t buf[2*KYBER_SYMBYTES]; + uint8_t buf[2 * KYBER_SYMBYTES]; /* Will contain key, coins */ - uint8_t kr[2*KYBER_SYMBYTES]; + uint8_t kr[2 * KYBER_SYMBYTES]; uint8_t cmp[KYBER_CIPHERTEXTBYTES]; - const uint8_t *pk = sk+KYBER_INDCPA_SECRETKEYBYTES; + const uint8_t *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; indcpa_dec(buf, ct, sk); /* Multitarget countermeasure for coins + contributory KEM */ - for(i=0;i #include "params.h" -#define CRYPTO_SECRETKEYBYTES KYBER_SECRETKEYBYTES -#define CRYPTO_PUBLICKEYBYTES KYBER_PUBLICKEYBYTES +#define CRYPTO_SECRETKEYBYTES KYBER_SECRETKEYBYTES +#define CRYPTO_PUBLICKEYBYTES KYBER_PUBLICKEYBYTES #define CRYPTO_CIPHERTEXTBYTES KYBER_CIPHERTEXTBYTES -#define CRYPTO_BYTES KYBER_SSBYTES +#define CRYPTO_BYTES KYBER_SSBYTES -#if (KYBER_K == 2) +#if (KYBER_K == 2) #ifdef KYBER_90S #define CRYPTO_ALGNAME "Kyber512-90s" #else @@ -30,13 +30,15 @@ #endif #define crypto_kem_keypair_derand KYBER_NAMESPACE(keypair_derand) -int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t coins[2*KYBER_SYMBYTES]); +int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, + const uint8_t coins[2 * KYBER_SYMBYTES]); #define crypto_kem_keypair KYBER_NAMESPACE(keypair) int crypto_kem_keypair(uint8_t *pk, uint8_t *sk); #define crypto_kem_enc_derand KYBER_NAMESPACE(enc_derand) -int crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t coins[KYBER_SYMBYTES]); +int crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, + const uint8_t coins[KYBER_SYMBYTES]); #define crypto_kem_enc KYBER_NAMESPACE(enc) int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/ntt.c b/crypto/kyber/pqcrystals_kyber_ref_common/ntt.c index 2f2eb10b2f..891472fbfe 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/ntt.c 
+++ b/crypto/kyber/pqcrystals_kyber_ref_common/ntt.c @@ -1,6 +1,6 @@ +#include "ntt.h" #include #include "params.h" -#include "ntt.h" #include "reduce.h" /* Code to generate zetas and zetas_inv used in the number-theoretic transform: 
@@ -37,55 +37,51 @@ void init_ntt() { */ const int16_t zetas[128] = { - -1044, -758, -359, -1517, 1493, 1422, 287, 202, - -171, 622, 1577, 182, 962, -1202, -1474, 1468, - 573, -1325, 264, 383, -829, 1458, -1602, -130, - -681, 1017, 732, 608, -1542, 411, -205, -1571, - 1223, 652, -552, 1015, -1293, 1491, -282, -1544, - 516, -8, -320, -666, -1618, -1162, 126, 1469, - -853, -90, -271, 830, 107, -1421, -247, -951, - -398, 961, -1508, -725, 448, -1065, 677, -1275, - -1103, 430, 555, 843, -1251, 871, 1550, 105, - 422, 587, 177, -235, -291, -460, 1574, 1653, - -246, 778, 1159, -147, -777, 1483, -602, 1119, - -1590, 644, -872, 349, 418, 329, -156, -75, - 817, 1097, 603, 610, 1322, -1285, -1465, 384, - -1215, -136, 1218, -1335, -874, 220, -1187, -1659, - -1185, -1530, -1278, 794, -1510, -854, -870, 478, - -108, -308, 996, 991, 958, -1460, 1522, 1628 -}; + -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, + 182, 962, -1202, -1474, 1468, 573, -1325, 264, 383, -829, 1458, + -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571, 1223, + 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, + -1618, -1162, 126, 1469, -853, -90, -271, 830, 107, -1421, -247, + -951, -398, 961, -1508, -725, 448, -1065, 677, -1275, -1103, 430, + 555, 843, -1251, 871, 1550, 105, 422, 587, 177, -235, -291, + -460, 1574, 1653, -246, 778, 1159, -147, -777, 1483, -602, 1119, + -1590, 644, -872, 349, 418, 329, -156, -75, 817, 1097, 603, + 610, 1322, -1285, -1465, 384, -1215, -136, 1218, -1335, -874, 220, + -1187, -1659, -1185, -1530, -1278, 794, -1510, -854, -870, 478, -108, + -308, 996, 991, 958, -1460, 1522, 1628}; /************************************************* -* Name: fqmul -* -* Description: Multiplication followed by Montgomery reduction -* -* Arguments: - int16_t a: first factor -* - int16_t b: second factor -* -* Returns 16-bit integer congruent to a*b*R^{-1} mod q -**************************************************/ + * Name: fqmul + * + * Description: 
Multiplication followed by Montgomery reduction + * + * Arguments: - int16_t a: first factor + * - int16_t b: second factor + * + * Returns 16-bit integer congruent to a*b*R^{-1} mod q + **************************************************/ static int16_t fqmul(int16_t a, int16_t b) { - return montgomery_reduce((int32_t)a*b); + return montgomery_reduce((int32_t)a * b); } /************************************************* -* Name: ntt -* -* Description: Inplace number-theoretic transform (NTT) in Rq. -* input is in standard order, output is in bitreversed order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ + * Name: ntt + * + * Description: Inplace number-theoretic transform (NTT) in Rq. + * input is in standard order, output is in bitreversed order + * + * Arguments: - int16_t r[256]: pointer to input/output vector of elements of + *Zq + **************************************************/ void ntt(int16_t r[256]) { unsigned int len, start, j, k; int16_t t, zeta; k = 1; - for(len = 128; len >= 2; len >>= 1) { - for(start = 0; start < 256; start = j + len) { + for (len = 128; len >= 2; len >>= 1) { + for (start = 0; start < 256; start = j + len) { zeta = zetas[k++]; - for(j = start; j < start + len; j++) { + for (j = start; j < start + len; j++) { t = fqmul(zeta, r[j + len]); r[j + len] = r[j] - t; r[j] = r[j] + t; 
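Review bot: The `zetas[128]` initializer was reflowed from a regular 8-entries-per-row layout into 11-per-row, which makes the table harder to check by eye against the generator referenced in the comment above (init_ntt). A constant table like this is better excluded from the formatter: place `// clang-format off` before `const int16_t zetas[128] = {` and `// clang-format on` after the closing `};`, and keep the original rows. The reflowed doc-comment continuation ` *Zq` in the ntt banner further down in this hunk has the same glued-asterisk problem already noted on kem.c.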
@@ -95,24 +91,25 @@ void ntt(int16_t r[256]) { } /************************************************* -* Name: invntt_tomont -* -* Description: Inplace inverse number-theoretic transform in Rq and -* multiplication by Montgomery factor 2^16. -* Input is in bitreversed order, output is in standard order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ + * Name: invntt_tomont + * + * Description: Inplace inverse number-theoretic transform in Rq and + * multiplication by Montgomery factor 2^16. + * Input is in bitreversed order, output is in standard order + * + * Arguments: - int16_t r[256]: pointer to input/output vector of elements of + *Zq + **************************************************/ void invntt(int16_t r[256]) { unsigned int start, len, j, k; int16_t t, zeta; - const int16_t f = 1441; // mont^2/128 + const int16_t f = 1441; // mont^2/128 k = 127; - for(len = 2; len <= 128; len <<= 1) { - for(start = 0; start < 256; start = j + len) { + for (len = 2; len <= 128; len <<= 1) { + for (start = 0; start < 256; start = j + len) { zeta = zetas[k--]; - for(j = start; j < start + len; j++) { + for (j = start; j < start + len; j++) { t = r[j]; r[j] = barrett_reduce(t + r[j + len]); r[j + len] = r[j + len] - t; 
@@ -121,26 +118,26 @@ void invntt(int16_t r[256]) { } } - for(j = 0; j < 256; j++) + for (j = 0; j < 256; j++) r[j] = fqmul(r[j], f); } /************************************************* -* Name: basemul -* -* Description: Multiplication of polynomials in Zq[X]/(X^2-zeta) -* used for multiplication of elements in Rq in NTT domain -* -* Arguments: - int16_t r[2]: pointer to the output polynomial -* - const int16_t a[2]: pointer to the first factor -* - const int16_t b[2]: pointer to the second factor -* - int16_t zeta: integer defining the reduction polynomial -**************************************************/ -void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) -{ - r[0] = fqmul(a[1], b[1]); - r[0] = fqmul(r[0], zeta); + * Name: basemul + * + * Description: Multiplication of polynomials in Zq[X]/(X^2-zeta) + * used for multiplication of elements in Rq in NTT domain + * + * Arguments: - int16_t r[2]: pointer to the output polynomial + * - const int16_t a[2]: pointer to the first factor + * - const int16_t b[2]: pointer to the second factor + * - int16_t zeta: integer defining the reduction polynomial + **************************************************/ +void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], + int16_t zeta) { + r[0] = fqmul(a[1], b[1]); + r[0] = fqmul(r[0], zeta); r[0] += fqmul(a[0], b[0]); - r[1] = fqmul(a[0], b[1]); + r[1] = fqmul(a[0], b[1]); r[1] += fqmul(a[1], b[0]); } diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/ntt.h b/crypto/kyber/pqcrystals_kyber_ref_common/ntt.h index 227ea74f08..0dac1632a2 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/ntt.h +++ b/crypto/kyber/pqcrystals_kyber_ref_common/ntt.h 
@@ -14,6 +14,7 @@ void ntt(int16_t poly[256]); void invntt(int16_t poly[256]); #define basemul KYBER_NAMESPACE(basemul) -void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); +void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], + int16_t zeta); #endif diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/poly.c b/crypto/kyber/pqcrystals_kyber_ref_common/poly.c index eee8508392..a4d78853f4 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/poly.c +++ b/crypto/kyber/pqcrystals_kyber_ref_common/poly.c @@ -2,36 +2,35 @@ #include +#include "cbd.h" +#include "ntt.h" #include "params.h" #include "poly.h" -#include "ntt.h" #include "reduce.h" -#include "cbd.h" #include "symmetric.h" #include "../../internal.h" /************************************************* -* Name: poly_compress -* -* Description: Compression and subsequent serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (of length KYBER_POLYCOMPRESSEDBYTES) -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a) -{ - unsigned int i,j; + * Name: poly_compress + * + * Description: Compression and subsequent serialization of a polynomial + * + * Arguments: - uint8_t *r: pointer to output byte array + * (of length KYBER_POLYCOMPRESSEDBYTES) + * - const poly *a: pointer to input polynomial + **************************************************/ +void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a) { + unsigned int i, j; int16_t u; uint32_t d0; uint8_t t[8]; #if (KYBER_POLYCOMPRESSEDBYTES == 128) - for(i=0;icoeffs[8*i+j]; + u = a->coeffs[8 * i + j]; u += (u >> 15) & KYBER_Q; d0 = u << 4; d0 += 1665; 
@@ -47,10 +46,10 @@ void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a) r += 4; } #elif (KYBER_POLYCOMPRESSEDBYTES == 160) - for(i=0;icoeffs[8*i+j]; + u = a->coeffs[8 * i + j]; u += (u >> 15) & KYBER_Q; d0 = u << 5; d0 += 1664; @@ -72,29 +71,28 @@ void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a) } /************************************************* -* Name: poly_decompress -* -* Description: De-serialization and subsequent decompression of a polynomial; -* approximate inverse of poly_compress -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYCOMPRESSEDBYTES bytes) -**************************************************/ -void poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) -{ + * Name: poly_decompress + * + * Description: De-serialization and subsequent decompression of a polynomial; + * approximate inverse of poly_compress + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *a: pointer to input byte array + * (of length KYBER_POLYCOMPRESSEDBYTES bytes) + **************************************************/ +void poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { unsigned int i; #if (KYBER_POLYCOMPRESSEDBYTES == 128) - for(i=0;icoeffs[2*i+0] = (((uint16_t)(a[0] & 15)*KYBER_Q) + 8) >> 4; - r->coeffs[2*i+1] = (((uint16_t)(a[0] >> 4)*KYBER_Q) + 8) >> 4; + for (i = 0; i < KYBER_N / 2; i++) { + r->coeffs[2 * i + 0] = (((uint16_t)(a[0] & 15) * KYBER_Q) + 8) >> 4; + r->coeffs[2 * i + 1] = (((uint16_t)(a[0] >> 4) * KYBER_Q) + 8) >> 4; a += 1; } #elif (KYBER_POLYCOMPRESSEDBYTES == 160) unsigned int j; uint8_t t[8]; - for(i=0;i> 0); t[1] = (a[0] >> 5) | (a[1] << 3); t[2] = (a[1] >> 2); 
@@ -105,8 +103,8 @@ void poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) t[7] = (a[4] >> 3); a += 5; - for(j=0;j<8;j++) - r->coeffs[8*i+j] = ((uint32_t)(t[j] & 31)*KYBER_Q + 16) >> 5; + for (j = 0; j < 8; j++) + r->coeffs[8 * i + j] = ((uint32_t)(t[j] & 31) * KYBER_Q + 16) >> 5; } #else #error "KYBER_POLYCOMPRESSEDBYTES needs to be in {128, 160}" 
@@ -114,97 +112,95 @@ void poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) } /************************************************* -* Name: poly_tobytes -* -* Description: Serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYBYTES bytes) -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a) -{ + * Name: poly_tobytes + * + * Description: Serialization of a polynomial + * + * Arguments: - uint8_t *r: pointer to output byte array + * (needs space for KYBER_POLYBYTES bytes) + * - const poly *a: pointer to input polynomial + **************************************************/ +void poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a) { unsigned int i; uint16_t t0, t1; - for(i=0;icoeffs[2*i]; + t0 = a->coeffs[2 * i]; t0 += ((int16_t)t0 >> 15) & KYBER_Q; - t1 = a->coeffs[2*i+1]; + t1 = a->coeffs[2 * i + 1]; t1 += ((int16_t)t1 >> 15) & KYBER_Q; - r[3*i+0] = (t0 >> 0); - r[3*i+1] = (t0 >> 8) | (t1 << 4); - r[3*i+2] = (t1 >> 4); + r[3 * i + 0] = (t0 >> 0); + r[3 * i + 1] = (t0 >> 8) | (t1 << 4); + r[3 * i + 2] = (t1 >> 4); } } /************************************************* -* Name: poly_frombytes -* -* Description: De-serialization of a polynomial; -* inverse of poly_tobytes -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of KYBER_POLYBYTES bytes) -**************************************************/ -void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) -{ + * Name: poly_frombytes + * + * Description: De-serialization of a polynomial; + * inverse of poly_tobytes + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *a: pointer to input byte array + * (of KYBER_POLYBYTES bytes) + **************************************************/ +void poly_frombytes(poly *r, const uint8_t 
a[KYBER_POLYBYTES]) { unsigned int i; - for(i=0;icoeffs[2*i] = ((a[3*i+0] >> 0) | ((uint16_t)a[3*i+1] << 8)) & 0xFFF; - r->coeffs[2*i+1] = ((a[3*i+1] >> 4) | ((uint16_t)a[3*i+2] << 4)) & 0xFFF; + for (i = 0; i < KYBER_N / 2; i++) { + r->coeffs[2 * i] = + ((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) & 0xFFF; + r->coeffs[2 * i + 1] = + ((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) & 0xFFF; } } /************************************************* -* Name: poly_frommsg -* -* Description: Convert 32-byte message to polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *msg: pointer to input message -**************************************************/ -void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) -{ - unsigned int i,j; + * Name: poly_frommsg + * + * Description: Convert 32-byte message to polynomial + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *msg: pointer to input message + **************************************************/ +void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) { + unsigned int i, j; crypto_word_t mask; -#if (KYBER_INDCPA_MSGBYTES != KYBER_N/8) +#if (KYBER_INDCPA_MSGBYTES != KYBER_N / 8) #error "KYBER_INDCPA_MSGBYTES must be equal to KYBER_N/8 bytes!" #endif - for(i=0;i> j) & 1); // We cast the result of constant_time_select_w, which is a crypto_word_t, // to int16_t. The constants must be within the range of int16_t. 
- OPENSSL_STATIC_ASSERT(((KYBER_Q+1)/2) <= INT16_MAX, + OPENSSL_STATIC_ASSERT(((KYBER_Q + 1) / 2) <= INT16_MAX, value_exceeds_int16_max); - r->coeffs[8*i+j] = (int16_t) constant_time_select_w(mask, - 0, ((KYBER_Q+1)/2)); + r->coeffs[8 * i + j] = + (int16_t)constant_time_select_w(mask, 0, ((KYBER_Q + 1) / 2)); } } } /************************************************* -* Name: poly_tomsg -* -* Description: Convert polynomial to 32-byte message -* -* Arguments: - uint8_t *msg: pointer to output message -* - const poly *a: pointer to input polynomial -**************************************************/ -void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) -{ - unsigned int i,j; + * Name: poly_tomsg + * + * Description: Convert polynomial to 32-byte message + * + * Arguments: - uint8_t *msg: pointer to output message + * - const poly *a: pointer to input polynomial + **************************************************/ +void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) { + unsigned int i, j; uint32_t t; - for(i=0;icoeffs[8*i+j]; + for (j = 0; j < 8; j++) { + t = a->coeffs[8 * i + j]; t <<= 1; t += 1665; t *= 80635; 
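Review bot: poly_frombytes in this hunk masks each coefficient to 12 bits (`& 0xFFF`) but never checks that the value is below KYBER_Q, so a non-canonical encoding with a coefficient in [KYBER_Q, 4095] is accepted silently; the header comment should state that, because a caller that needs canonical inputs (for example the modulus check ML-KEM requires on encapsulation keys) has to perform it itself. I would add to the Description: `* No range check is performed: values in [KYBER_Q, 4095] are accepted as-is; callers that require canonical encodings must check this themselves.` Whether such a check already exists at a higher layer is not visible from this diff. poly_tomsg's body continues past the end of the hunk.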
@@ -216,150 +212,145 @@ void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) } /************************************************* -* Name: poly_getnoise_eta1 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA1 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t buf[KYBER_ETA1*KYBER_N/4]; + * Name: poly_getnoise_eta1 + * + * Description: Sample a polynomial deterministically from a seed and a nonce, + * with output polynomial close to centered binomial distribution + * with parameter KYBER_ETA1 + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *seed: pointer to input seed + * (of length KYBER_SYMBYTES bytes) + * - uint8_t nonce: one-byte input nonce + **************************************************/ +void poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], + uint8_t nonce) { + uint8_t buf[KYBER_ETA1 * KYBER_N / 4]; prf(buf, sizeof(buf), seed, nonce); poly_cbd_eta1(r, buf); } /************************************************* -* Name: poly_getnoise_eta2 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) -{ - uint8_t buf[KYBER_ETA2*KYBER_N/4]; + * Name: poly_getnoise_eta2 + * 
+ * Description: Sample a polynomial deterministically from a seed and a nonce, + * with output polynomial close to centered binomial distribution + * with parameter KYBER_ETA2 + * + * Arguments: - poly *r: pointer to output polynomial + * - const uint8_t *seed: pointer to input seed + * (of length KYBER_SYMBYTES bytes) + * - uint8_t nonce: one-byte input nonce + **************************************************/ +void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], + uint8_t nonce) { + uint8_t buf[KYBER_ETA2 * KYBER_N / 4]; prf(buf, sizeof(buf), seed, nonce); poly_cbd_eta2(r, buf); } /************************************************* -* Name: poly_ntt -* -* Description: Computes negacyclic number-theoretic transform (NTT) of -* a polynomial in place; -* inputs assumed to be in normal order, output in bitreversed order -* -* Arguments: - uint16_t *r: pointer to in/output polynomial -**************************************************/ -void poly_ntt(poly *r) -{ + * Name: poly_ntt + * + * Description: Computes negacyclic number-theoretic transform (NTT) of + * a polynomial in place; + * inputs assumed to be in normal order, output in bitreversed + *order + * + * Arguments: - uint16_t *r: pointer to in/output polynomial + **************************************************/ +void poly_ntt(poly *r) { ntt(r->coeffs); poly_reduce(r); } /************************************************* -* Name: poly_invntt_tomont -* -* Description: Computes inverse of negacyclic number-theoretic transform (NTT) -* of a polynomial in place; -* inputs assumed to be in bitreversed order, output in normal order -* -* Arguments: - uint16_t *a: pointer to in/output polynomial -**************************************************/ -void poly_invntt_tomont(poly *r) -{ - invntt(r->coeffs); -} + * Name: poly_invntt_tomont + * + * Description: Computes inverse of negacyclic number-theoretic transform (NTT) + * of a polynomial in place; + * inputs assumed to be in bitreversed order, 
output in normal + *order + * + * Arguments: - uint16_t *a: pointer to in/output polynomial + **************************************************/ +void poly_invntt_tomont(poly *r) { invntt(r->coeffs); } /************************************************* -* Name: poly_basemul_montgomery -* -* Description: Multiplication of two polynomials in NTT domain -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_basemul_montgomery(poly *r, const poly *a, const poly *b) -{ + * Name: poly_basemul_montgomery + * + * Description: Multiplication of two polynomials in NTT domain + * + * Arguments: - poly *r: pointer to output polynomial + * - const poly *a: pointer to first input polynomial + * - const poly *b: pointer to second input polynomial + **************************************************/ +void poly_basemul_montgomery(poly *r, const poly *a, const poly *b) { unsigned int i; - for(i=0;icoeffs[4*i], &a->coeffs[4*i], &b->coeffs[4*i], zetas[64+i]); - basemul(&r->coeffs[4*i+2], &a->coeffs[4*i+2], &b->coeffs[4*i+2], -zetas[64+i]); + for (i = 0; i < KYBER_N / 4; i++) { + basemul(&r->coeffs[4 * i], &a->coeffs[4 * i], &b->coeffs[4 * i], + zetas[64 + i]); + basemul(&r->coeffs[4 * i + 2], &a->coeffs[4 * i + 2], &b->coeffs[4 * i + 2], + -zetas[64 + i]); } } /************************************************* -* Name: poly_tomont -* -* Description: Inplace conversion of all coefficients of a polynomial -* from normal domain to Montgomery domain -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void poly_tomont(poly *r) -{ + * Name: poly_tomont + * + * Description: Inplace conversion of all coefficients of a polynomial + * from normal domain to Montgomery domain + * + * Arguments: - poly *r: pointer to input/output polynomial + 
**************************************************/ +void poly_tomont(poly *r) { unsigned int i; const int16_t f = (1ULL << 32) % KYBER_Q; - for(i=0;icoeffs[i] = montgomery_reduce((int32_t)r->coeffs[i]*f); + for (i = 0; i < KYBER_N; i++) + r->coeffs[i] = montgomery_reduce((int32_t)r->coeffs[i] * f); } /************************************************* -* Name: poly_reduce -* -* Description: Applies Barrett reduction to all coefficients of a polynomial -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void poly_reduce(poly *r) -{ + * Name: poly_reduce + * + * Description: Applies Barrett reduction to all coefficients of a polynomial + * for details of the Barrett reduction see comments in reduce.c + * + * Arguments: - poly *r: pointer to input/output polynomial + **************************************************/ +void poly_reduce(poly *r) { unsigned int i; - for(i=0;icoeffs[i] = barrett_reduce(r->coeffs[i]); } /************************************************* -* Name: poly_add -* -* Description: Add two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_add(poly *r, const poly *a, const poly *b) -{ + * Name: poly_add + * + * Description: Add two polynomials; no modular reduction is performed + * + * Arguments: - poly *r: pointer to output polynomial + * - const poly *a: pointer to first input polynomial + * - const poly *b: pointer to second input polynomial + **************************************************/ +void poly_add(poly *r, const poly *a, const poly *b) { unsigned int i; - for(i=0;icoeffs[i] = a->coeffs[i] + b->coeffs[i]; } /************************************************* -* Name: poly_sub -* -* 
Description: Subtract two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void poly_sub(poly *r, const poly *a, const poly *b) -{ + * Name: poly_sub + * + * Description: Subtract two polynomials; no modular reduction is performed + * + * Arguments: - poly *r: pointer to output polynomial + * - const poly *a: pointer to first input polynomial + * - const poly *b: pointer to second input polynomial + **************************************************/ +void poly_sub(poly *r, const poly *a, const poly *b) { unsigned int i; - for(i=0;icoeffs[i] = a->coeffs[i] - b->coeffs[i]; } diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/poly.h b/crypto/kyber/pqcrystals_kyber_ref_common/poly.h index c67b95f01c..6e7365a06c 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/poly.h +++ b/crypto/kyber/pqcrystals_kyber_ref_common/poly.h @@ -8,7 +8,7 @@ * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1] */ -typedef struct{ +typedef struct { int16_t coeffs[KYBER_N]; } poly; @@ -28,10 +28,12 @@ void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *r); #define poly_getnoise_eta1 KYBER_NAMESPACE(poly_getnoise_eta1) -void poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); +void poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], + uint8_t nonce); #define poly_getnoise_eta2 KYBER_NAMESPACE(poly_getnoise_eta2) -void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); +void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], + uint8_t nonce); #define poly_ntt KYBER_NAMESPACE(poly_ntt) void poly_ntt(poly *r); 
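Review bot: The reflowed comment boxes for poly_ntt and poly_invntt_tomont in this hunk now end with an orphaned ` *order` line, because clang-format wrapped `output in bitreversed order` / `output in normal order` at 80 columns without keeping the box indent, so `*order` reads like a separate item. Since the formatter will keep re-wrapping these, shorten the text instead: `* inputs in normal order, output in bitreversed order` and `* inputs in bitreversed order, output in normal order`. The same two comments still document `uint16_t *r` / `uint16_t *a` although both signatures take `poly *r`; `* Arguments:   - poly *r: pointer to in/output polynomial` would match the code.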
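Review bot: The struct comment kept as context in the first poly.h hunk has a typo, `X^2*xoeffs[2]`, that the reformat did not touch; it should read `coeffs[0] + X*coeffs[1] + X^2*coeffs[2] + ... + X^{n-1}*coeffs[n-1]`. Worth fixing while the file is being touched, since this line is the only place the coefficient ordering of `poly` is documented.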
diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/polyvec.c b/crypto/kyber/pqcrystals_kyber_ref_common/polyvec.c index b00d40925c..ea68f76d72 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/polyvec.c +++ b/crypto/kyber/pqcrystals_kyber_ref_common/polyvec.c @@ -1,28 +1,28 @@ +#include "polyvec.h" #include #include "params.h" #include "poly.h" -#include "polyvec.h" /************************************************* -* Name: polyvec_compress -* -* Description: Compress and serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECCOMPRESSEDBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a) -{ - unsigned int i,j,k; + * Name: polyvec_compress + * + * Description: Compress and serialize vector of polynomials + * + * Arguments: - uint8_t *r: pointer to output byte array + * (needs space for KYBER_POLYVECCOMPRESSEDBYTES) + * - const polyvec *a: pointer to input vector of polynomials + **************************************************/ +void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], + const polyvec *a) { + unsigned int i, j, k; uint64_t d0; #if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) uint16_t t[8]; - for(i=0;ivec[i].coeffs[8*j+k]; + for (i = 0; i < KYBER_K; i++) { + for (j = 0; j < KYBER_N / 8; j++) { + for (k = 0; k < 8; k++) { + t[k] = a->vec[i].coeffs[8 * j + k]; t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; d0 = t[k]; d0 <<= 11; 
@@ -32,26 +32,26 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a) t[k] = d0 & 0x7ff; } - r[ 0] = (t[0] >> 0); - r[ 1] = (t[0] >> 8) | (t[1] << 3); - r[ 2] = (t[1] >> 5) | (t[2] << 6); - r[ 3] = (t[2] >> 2); - r[ 4] = (t[2] >> 10) | (t[3] << 1); - r[ 5] = (t[3] >> 7) | (t[4] << 4); - r[ 6] = (t[4] >> 4) | (t[5] << 7); - r[ 7] = (t[5] >> 1); - r[ 8] = (t[5] >> 9) | (t[6] << 2); - r[ 9] = (t[6] >> 6) | (t[7] << 5); - r[10] = (t[7] >> 3); + r[0] = (t[0] >> 0); + r[1] = (t[0] >> 8) | (t[1] << 3); + r[2] = (t[1] >> 5) | (t[2] << 6); + r[3] = (t[2] >> 2); + r[4] = (t[2] >> 10) | (t[3] << 1); + r[5] = (t[3] >> 7) | (t[4] << 4); + r[6] = (t[4] >> 4) | (t[5] << 7); + r[7] = (t[5] >> 1); + r[8] = (t[5] >> 9) | (t[6] << 2); + r[9] = (t[6] >> 6) | (t[7] << 5); + r[10] = (t[7] >> 3); r += 11; } } #elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) uint16_t t[4]; - for(i=0;ivec[i].coeffs[4*j+k]; + for (i = 0; i < KYBER_K; i++) { + for (j = 0; j < KYBER_N / 4; j++) { + for (k = 0; k < 4; k++) { + t[k] = a->vec[i].coeffs[4 * j + k]; t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; d0 = t[k]; d0 <<= 10; 
@@ -75,49 +75,51 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a) } /************************************************* -* Name: polyvec_decompress -* -* Description: De-serialize and decompress vector of polynomials; -* approximate inverse of polyvec_compress -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYVECCOMPRESSEDBYTES) -**************************************************/ -void polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) -{ - unsigned int i,j,k; + * Name: polyvec_decompress + * + * Description: De-serialize and decompress vector of polynomials; + * approximate inverse of polyvec_compress + * + * Arguments: - polyvec *r: pointer to output vector of polynomials + * - const uint8_t *a: pointer to input byte array + * (of length KYBER_POLYVECCOMPRESSEDBYTES) + **************************************************/ +void polyvec_decompress(polyvec *r, + const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { + unsigned int i, j, k; #if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352)) uint16_t t[8]; - for(i=0;i> 0) | ((uint16_t)a[ 1] << 8); - t[1] = (a[1] >> 3) | ((uint16_t)a[ 2] << 5); - t[2] = (a[2] >> 6) | ((uint16_t)a[ 3] << 2) | ((uint16_t)a[4] << 10); - t[3] = (a[4] >> 1) | ((uint16_t)a[ 5] << 7); - t[4] = (a[5] >> 4) | ((uint16_t)a[ 6] << 4); - t[5] = (a[6] >> 7) | ((uint16_t)a[ 7] << 1) | ((uint16_t)a[8] << 9); - t[6] = (a[8] >> 2) | ((uint16_t)a[ 9] << 6); + for (i = 0; i < KYBER_K; i++) { + for (j = 0; j < KYBER_N / 8; j++) { + t[0] = (a[0] >> 0) | ((uint16_t)a[1] << 8); + t[1] = (a[1] >> 3) | ((uint16_t)a[2] << 5); + t[2] = (a[2] >> 6) | ((uint16_t)a[3] << 2) | ((uint16_t)a[4] << 10); + t[3] = (a[4] >> 1) | ((uint16_t)a[5] << 7); + t[4] = (a[5] >> 4) | ((uint16_t)a[6] << 4); + t[5] = (a[6] >> 7) | ((uint16_t)a[7] << 1) | ((uint16_t)a[8] << 9); + t[6] = (a[8] >> 2) | ((uint16_t)a[9] << 6); t[7] = 
(a[9] >> 5) | ((uint16_t)a[10] << 3); a += 11; - for(k=0;k<8;k++) - r->vec[i].coeffs[8*j+k] = ((uint32_t)(t[k] & 0x7FF)*KYBER_Q + 1024) >> 11; + for (k = 0; k < 8; k++) + r->vec[i].coeffs[8 * j + k] = + ((uint32_t)(t[k] & 0x7FF) * KYBER_Q + 1024) >> 11; } } #elif (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 320)) uint16_t t[4]; - for(i=0;i> 0) | ((uint16_t)a[1] << 8); t[1] = (a[1] >> 2) | ((uint16_t)a[2] << 6); t[2] = (a[2] >> 4) | ((uint16_t)a[3] << 4); t[3] = (a[3] >> 6) | ((uint16_t)a[4] << 2); a += 5; - for(k=0;k<4;k++) - r->vec[i].coeffs[4*j+k] = ((uint32_t)(t[k] & 0x3FF)*KYBER_Q + 512) >> 10; + for (k = 0; k < 4; k++) + r->vec[i].coeffs[4 * j + k] = + ((uint32_t)(t[k] & 0x3FF) * KYBER_Q + 512) >> 10; } } #else 
@@ -126,84 +128,80 @@ void polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES } /************************************************* -* Name: polyvec_tobytes -* -* Description: Serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a) -{ + * Name: polyvec_tobytes + * + * Description: Serialize vector of polynomials + * + * Arguments: - uint8_t *r: pointer to output byte array + * (needs space for KYBER_POLYVECBYTES) + * - const polyvec *a: pointer to input vector of polynomials + **************************************************/ +void polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a) { unsigned int i; - for(i=0;ivec[i]); + for (i = 0; i < KYBER_K; i++) + poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); } /************************************************* -* Name: polyvec_frombytes -* -* Description: De-serialize vector of polynomials; -* inverse of polyvec_tobytes -* -* Arguments: - uint8_t *r: pointer to output byte array -* - const polyvec *a: pointer to input vector of polynomials -* (of length KYBER_POLYVECBYTES) -**************************************************/ -void polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) -{ + * Name: polyvec_frombytes + * + * Description: De-serialize vector of polynomials; + * inverse of polyvec_tobytes + * + * Arguments: - uint8_t *r: pointer to output byte array + * - const polyvec *a: pointer to input vector of polynomials + * (of length KYBER_POLYVECBYTES) + **************************************************/ +void polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { unsigned int i; - for(i=0;ivec[i], a+i*KYBER_POLYBYTES); + for (i = 0; i < KYBER_K; i++) + poly_frombytes(&r->vec[i], a + i * 
KYBER_POLYBYTES); } /************************************************* -* Name: polyvec_ntt -* -* Description: Apply forward NTT to all elements of a vector of polynomials -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void polyvec_ntt(polyvec *r) -{ + * Name: polyvec_ntt + * + * Description: Apply forward NTT to all elements of a vector of polynomials + * + * Arguments: - polyvec *r: pointer to in/output vector of polynomials + **************************************************/ +void polyvec_ntt(polyvec *r) { unsigned int i; - for(i=0;ivec[i]); } /************************************************* -* Name: polyvec_invntt_tomont -* -* Description: Apply inverse NTT to all elements of a vector of polynomials -* and multiply by Montgomery factor 2^16 -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void polyvec_invntt_tomont(polyvec *r) -{ + * Name: polyvec_invntt_tomont + * + * Description: Apply inverse NTT to all elements of a vector of polynomials + * and multiply by Montgomery factor 2^16 + * + * Arguments: - polyvec *r: pointer to in/output vector of polynomials + **************************************************/ +void polyvec_invntt_tomont(polyvec *r) { unsigned int i; - for(i=0;ivec[i]); } /************************************************* -* Name: polyvec_basemul_acc_montgomery -* -* Description: Multiply elements of a and b in NTT domain, accumulate into r, -* and multiply by 2^-16. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) -{ + * Name: polyvec_basemul_acc_montgomery + * + * Description: Multiply elements of a and b in NTT domain, accumulate into r, + * and multiply by 2^-16. + * + * Arguments: - poly *r: pointer to output polynomial + * - const polyvec *a: pointer to first input vector of polynomials + * - const polyvec *b: pointer to second input vector of polynomials + **************************************************/ +void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, + const polyvec *b) { unsigned int i; poly t; poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); - for(i=1;ivec[i], &b->vec[i]); poly_add(r, r, &t); } 
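Review bot: The Arguments block for polyvec_frombytes in this hunk has the parameters swapped relative to the signature `void polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES])`: it documents `r` as a byte array and `a` as the vector of polynomials. It should read `* Arguments:   - polyvec *r: pointer to output vector of polynomials` / `*              - const uint8_t *a: pointer to input byte array` / `*                                  (of length KYBER_POLYVECBYTES)`. The formatter copied the mistake through unchanged, so this is the natural commit to correct it in.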
@@ -212,33 +210,31 @@ void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) } /************************************************* -* Name: polyvec_reduce -* -* Description: Applies Barrett reduction to each coefficient -* of each element of a vector of polynomials; -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - polyvec *r: pointer to input/output polynomial -**************************************************/ -void polyvec_reduce(polyvec *r) -{ + * Name: polyvec_reduce + * + * Description: Applies Barrett reduction to each coefficient + * of each element of a vector of polynomials; + * for details of the Barrett reduction see comments in reduce.c + * + * Arguments: - polyvec *r: pointer to input/output polynomial + **************************************************/ +void polyvec_reduce(polyvec *r) { unsigned int i; - for(i=0;ivec[i]); } /************************************************* -* Name: polyvec_add -* -* Description: Add vectors of polynomials -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) -{ + * Name: polyvec_add + * + * Description: Add vectors of polynomials + * + * Arguments: - polyvec *r: pointer to output vector of polynomials + * - const polyvec *a: pointer to first input vector of polynomials + * - const polyvec *b: pointer to second input vector of polynomials + **************************************************/ +void polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { unsigned int i; - for(i=0;ivec[i], &a->vec[i], &b->vec[i]); } diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/polyvec.h b/crypto/kyber/pqcrystals_kyber_ref_common/polyvec.h index 57b605494e..badfd376ea 100644 
--- a/crypto/kyber/pqcrystals_kyber_ref_common/polyvec.h +++ b/crypto/kyber/pqcrystals_kyber_ref_common/polyvec.h @@ -5,14 +5,16 @@ #include "params.h" #include "poly.h" -typedef struct{ +typedef struct { poly vec[KYBER_K]; } polyvec; #define polyvec_compress KYBER_NAMESPACE(polyvec_compress) -void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a); +void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], + const polyvec *a); #define polyvec_decompress KYBER_NAMESPACE(polyvec_decompress) -void polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); +void polyvec_decompress(polyvec *r, + const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); #define polyvec_tobytes KYBER_NAMESPACE(polyvec_tobytes) void polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a); @@ -24,8 +26,10 @@ void polyvec_ntt(polyvec *r); #define polyvec_invntt_tomont KYBER_NAMESPACE(polyvec_invntt_tomont) void polyvec_invntt_tomont(polyvec *r); -#define polyvec_basemul_acc_montgomery KYBER_NAMESPACE(polyvec_basemul_acc_montgomery) -void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); +#define polyvec_basemul_acc_montgomery \ + KYBER_NAMESPACE(polyvec_basemul_acc_montgomery) +void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, + const polyvec *b); #define polyvec_reduce KYBER_NAMESPACE(polyvec_reduce) void polyvec_reduce(polyvec *r); diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/reduce.c b/crypto/kyber/pqcrystals_kyber_ref_common/reduce.c index 9d8e7edf83..e2e57e4168 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/reduce.c +++ b/crypto/kyber/pqcrystals_kyber_ref_common/reduce.c 
@@ -1,42 +1,42 @@ +#include "reduce.h" #include #include "params.h" -#include "reduce.h" /************************************************* -* Name: montgomery_reduce -* -* Description: Montgomery reduction; given a 32-bit integer a, computes -* 16-bit integer congruent to a * R^-1 mod q, where R=2^16 -* -* Arguments: - int32_t a: input integer to be reduced; -* has to be in {-q2^15,...,q2^15-1} -* -* Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. -**************************************************/ -int16_t montgomery_reduce(int32_t a) -{ + * Name: montgomery_reduce + * + * Description: Montgomery reduction; given a 32-bit integer a, computes + * 16-bit integer congruent to a * R^-1 mod q, where R=2^16 + * + * Arguments: - int32_t a: input integer to be reduced; + * has to be in {-q2^15,...,q2^15-1} + * + * Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. + **************************************************/ +int16_t montgomery_reduce(int32_t a) { int16_t t; - t = (int16_t)a*QINV; - t = (a - (int32_t)t*KYBER_Q) >> 16; + t = (int16_t)a * QINV; + t = (a - (int32_t)t * KYBER_Q) >> 16; return t; } /************************************************* -* Name: barrett_reduce -* -* Description: Barrett reduction; given a 16-bit integer a, computes -* centered representative congruent to a mod q in {-(q-1)/2,...,(q-1)/2} -* -* Arguments: - int16_t a: input integer to be reduced -* -* Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q. -**************************************************/ + * Name: barrett_reduce + * + * Description: Barrett reduction; given a 16-bit integer a, computes + * centered representative congruent to a mod q in + *{-(q-1)/2,...,(q-1)/2} + * + * Arguments: - int16_t a: input integer to be reduced + * + * Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q. 
+ **************************************************/ int16_t barrett_reduce(int16_t a) { int16_t t; - const int16_t v = ((1<<26) + KYBER_Q/2)/KYBER_Q; + const int16_t v = ((1 << 26) + KYBER_Q / 2) / KYBER_Q; - t = ((int32_t)v*a + (1<<25)) >> 26; + t = ((int32_t)v * a + (1 << 25)) >> 26; t *= KYBER_Q; return a - t; } diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/reduce.h b/crypto/kyber/pqcrystals_kyber_ref_common/reduce.h index c1bc1e4c7b..e803e496bf 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/reduce.h +++ b/crypto/kyber/pqcrystals_kyber_ref_common/reduce.h @@ -4,8 +4,8 @@ #include #include "params.h" -#define MONT -1044 // 2^16 mod q -#define QINV -3327 // q^-1 mod 2^16 +#define MONT -1044 // 2^16 mod q +#define QINV -3327 // q^-1 mod 2^16 #define montgomery_reduce KYBER_NAMESPACE(montgomery_reduce) int16_t montgomery_reduce(int32_t a); diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/verify.c b/crypto/kyber/pqcrystals_kyber_ref_common/verify.c index b7a692de8e..3d9b720733 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/verify.c +++ b/crypto/kyber/pqcrystals_kyber_ref_common/verify.c 
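Review bot: The barrett_reduce header in this hunk now wraps to an orphaned ` *{-(q-1)/2,...,(q-1)/2}` line, because clang-format broke the Description at 80 columns without keeping the box indent; re-wrap it by hand as `* Description: Barrett reduction; given a 16-bit integer a, computes the` / `*              centered representative congruent to a mod q, i.e. in` / `*              {-(q-1)/2,...,(q-1)/2}`. Separately, both functions right-shift a value that can be negative (`>> 16` in montgomery_reduce, `>> 26` in barrett_reduce), which C11 leaves implementation-defined; this is the usual reference-code assumption of an arithmetic shift, and a one-line comment saying so (`// relies on arithmetic right shift of negative values`) would save the next reader from re-deriving the bounds.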
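Review bot: The `MONT` and `QINV` macros retouched in this hunk are unparenthesised negative literals; every current use visible here (`(int16_t)a * QINV` in reduce.c) is safe, but the usual convention is `#define MONT (-1044)  // 2^16 mod q` and `#define QINV (-3327)  // q^-1 mod 2^16` so that a future use inside a larger expression cannot mis-associate. Alternatively, `static const int16_t` constants would also give the values a type that the int16_t arithmetic in reduce.c expects.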
@@ -1,44 +1,42 @@ +#include "verify.h" #include #include -#include "verify.h" /************************************************* -* Name: verify -* -* Description: Compare two arrays for equality in constant time. -* -* Arguments: const uint8_t *a: pointer to first byte array -* const uint8_t *b: pointer to second byte array -* size_t len: length of the byte arrays -* -* Returns 0 if the byte arrays are equal, 1 otherwise -**************************************************/ -int verify(const uint8_t *a, const uint8_t *b, size_t len) -{ + * Name: verify + * + * Description: Compare two arrays for equality in constant time. + * + * Arguments: const uint8_t *a: pointer to first byte array + * const uint8_t *b: pointer to second byte array + * size_t len: length of the byte arrays + * + * Returns 0 if the byte arrays are equal, 1 otherwise + **************************************************/ +int verify(const uint8_t *a, const uint8_t *b, size_t len) { size_t i; uint8_t r = 0; - for(i=0;i> 63; } /************************************************* -* Name: cmov -* -* Description: Copy len bytes from x to r if b is 1; -* don't modify x if b is 0. Requires b to be in {0,1}; -* assumes two's complement representation of negative integers. -* Runs in constant time. -* -* Arguments: uint8_t *r: pointer to output byte array -* const uint8_t *x: pointer to input byte array -* size_t len: Amount of bytes to be copied -* uint8_t b: Condition bit; has to be in {0,1} -**************************************************/ -void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) -{ + * Name: cmov + * + * Description: Copy len bytes from x to r if b is 1; + * don't modify x if b is 0. Requires b to be in {0,1}; + * assumes two's complement representation of negative integers. + * Runs in constant time. 
+ * + * Arguments: uint8_t *r: pointer to output byte array + * const uint8_t *x: pointer to input byte array + * size_t len: Amount of bytes to be copied + * uint8_t b: Condition bit; has to be in {0,1} + **************************************************/ +void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) { uint8_t mask = constant_time_is_zero_8(b); - constant_time_select_array_8(r, r, (uint8_t*)x, mask, len); + constant_time_select_array_8(r, r, (uint8_t *)x, mask, len); } diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index 22d04f319a..bbdc7db613 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c @@ -62,8 +62,8 @@ #include -#include "internal.h" #include "../internal.h" +#include "internal.h" // kMinNumBuckets is the minimum size of the buckets array in an |_LHASH|. @@ -208,7 +208,7 @@ static void lh_rebucket(_LHASH *lh, const size_t new_num_buckets) { size_t i, alloc_size; alloc_size = sizeof(LHASH_ITEM *) * new_num_buckets; - if (alloc_size / sizeof(LHASH_ITEM*) != new_num_buckets) { + if (alloc_size / sizeof(LHASH_ITEM *) != new_num_buckets) { return; } diff --git a/crypto/lhash/lhash_test.cc b/crypto/lhash/lhash_test.cc index 6b4bfad6eb..a5d56733cf 100644 --- a/crypto/lhash/lhash_test.cc +++ b/crypto/lhash/lhash_test.cc @@ -19,8 +19,8 @@ #include #include -#include #include +#include #include #include #include @@ -86,12 +86,13 @@ TEST(LHashTest, Basic) { } std::sort(expected.begin(), expected.end()); - lh_char_doall_arg(lh.get(), - [](char *ptr, void *arg) { - ValueList *out = reinterpret_cast(arg); - out->push_back(ptr); - }, - &actual); + lh_char_doall_arg( + lh.get(), + [](char *ptr, void *arg) { + ValueList *out = reinterpret_cast(arg); + out->push_back(ptr); + }, + &actual); std::sort(actual.begin(), actual.end()); EXPECT_EQ(expected, actual); } diff --git a/crypto/mem.c b/crypto/mem.c index 2490358ce4..48cf2d5427 100644 --- a/crypto/mem.c +++ b/crypto/mem.c 
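Review bot: `cmov` strips the const qualifier from its input with `(uint8_t *)x` before passing it to `constant_time_select_array_8`; `x` is documented as a read-only input array, so if the helper's parameter is genuinely non-const the cast hides a contract mismatch, and if it already accepts `const uint8_t *` the cast is unnecessary. Either way a cast that silences the compiler here would also silence a real write-to-const, so prefer confirming or fixing the helper's signature over keeping `(uint8_t *)x`. The body of `verify` is not legible in this rendering of the hunk, so only `cmov` is reviewed here.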
@@ -75,8 +75,7 @@ OPENSSL_MSVC_PRAGMA(warning(pop)) #define OPENSSL_MALLOC_PREFIX 8 -OPENSSL_STATIC_ASSERT(OPENSSL_MALLOC_PREFIX >= sizeof(size_t), - size_t_too_large) +OPENSSL_STATIC_ASSERT(OPENSSL_MALLOC_PREFIX >= sizeof(size_t), size_t_too_large) #if defined(OPENSSL_ASAN) void __asan_poison_memory_region(const volatile void *addr, size_t size); @@ -137,10 +136,9 @@ static void *(*malloc_impl)(size_t, const char *, int) = NULL; static void *(*realloc_impl)(void *, size_t, const char *, int) = NULL; static void (*free_impl)(void *, const char *, int) = NULL; -int CRYPTO_set_mem_functions( - void *(*m)(size_t, const char *, int), - void *(*r)(void *, size_t, const char *, int), - void (*f)(void *, const char *, int)) { +int CRYPTO_set_mem_functions(void *(*m)(size_t, const char *, int), + void *(*r)(void *, size_t, const char *, int), + void (*f)(void *, const char *, int)) { if (m == NULL || r == NULL || f == NULL) { return 0; } @@ -148,10 +146,8 @@ int CRYPTO_set_mem_functions( if (malloc_impl != NULL || realloc_impl != NULL || free_impl != NULL) { return 0; } - if (OPENSSL_memory_alloc != NULL || - OPENSSL_memory_free != NULL || - OPENSSL_memory_get_size != NULL || - OPENSSL_memory_realloc != NULL) { + if (OPENSSL_memory_alloc != NULL || OPENSSL_memory_free != NULL || + OPENSSL_memory_get_size != NULL || OPENSSL_memory_realloc != NULL) { // |OPENSSL_malloc/free/realloc| are customized by overriding the symbols. OPENSSL_PUT_ERROR(CRYPTO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; @@ -196,7 +192,7 @@ void *OPENSSL_malloc(size_t size) { __asan_poison_memory_region(ptr, OPENSSL_MALLOC_PREFIX); return ((uint8_t *)ptr) + OPENSSL_MALLOC_PREFIX; - err: +err: // This only works because ERR does not call OPENSSL_malloc. OPENSSL_PUT_ERROR(CRYPTO, ERR_R_MALLOC_FAILURE); return NULL; 
@@ -249,7 +245,7 @@ void OPENSSL_free(void *orig_ptr) { #if defined(OPENSSL_ASAN) (void)sdallocx; free(ptr); - (void) sdallocx; + (void)sdallocx; #else if (sdallocx) { sdallocx(ptr, size + OPENSSL_MALLOC_PREFIX, 0 /* flags */); @@ -534,7 +530,7 @@ int OPENSSL_vasprintf_internal(char **str, const char *format, va_list args, *str = candidate; return ret; - err: +err: deallocate(candidate); *str = NULL; errno = ENOMEM; diff --git a/crypto/mem_set_test.cc b/crypto/mem_set_test.cc index 20a7bd1c4b..de35559b21 100644 --- a/crypto/mem_set_test.cc +++ b/crypto/mem_set_test.cc @@ -11,9 +11,9 @@ int size_count = 0; int realloc_count = 0; extern "C" { - void *new_malloc_impl(size_t size, const char *file, int line); - void new_free_impl(void *ptr, const char *file, int line); - void *new_realloc_impl(void *ptr, size_t size, const char *file, int line); +void *new_malloc_impl(size_t size, const char *file, int line); +void new_free_impl(void *ptr, const char *file, int line); +void *new_realloc_impl(void *ptr, size_t size, const char *file, int line); } void *new_malloc_impl(size_t size, const char *file, int line) { 
@@ -33,12 +33,13 @@ void *new_realloc_impl(void *ptr, size_t size, const char *file, int line) { } // This test is copy of |MemTest.BasicOverrides| in mem_test.cc. -// |MemTest.BasicOverrides| changed the |OPENSSL_malloc/free/realloc| by overriding related weak symbols. -// This test achieved the mem behavior change by calling |CRYPTO_set_mem_functions|. +// |MemTest.BasicOverrides| changed the |OPENSSL_malloc/free/realloc| by +// overriding related weak symbols. This test achieved the mem behavior change +// by calling |CRYPTO_set_mem_functions|. TEST(MemTest, BasicMemSet) { - // The FIPS build which runs the power on self tests can call a lot of functions - // before this test. Therefore, all the expected counts are relative to the - // starting point + // The FIPS build which runs the power on self tests can call a lot of + // functions before this test. Therefore, all the expected counts are relative + // to the starting point int starting_alloc = alloc_count; int starting_free = free_count; int starting_realloc = realloc_count; @@ -52,7 +53,8 @@ TEST(MemTest, BasicMemSet) { ASSERT_EQ(malloc_ptr, nullptr); // Call |CRYPTO_set_mem_functions| to override |OPENSSL_malloc/realloc/free|. - ASSERT_EQ(1, CRYPTO_set_mem_functions(new_malloc_impl, new_realloc_impl, new_free_impl)); + ASSERT_EQ(1, CRYPTO_set_mem_functions(new_malloc_impl, new_realloc_impl, + new_free_impl)); // Verify malloc calls |new_malloc_impl| and doesn't do anything else test_size = 10; diff --git a/crypto/mem_test.cc b/crypto/mem_test.cc index 56019359e7..46befddfab 100644 --- a/crypto/mem_test.cc +++ b/crypto/mem_test.cc 
@@ -16,14 +16,14 @@ int size_count = 0; int realloc_count = 0; extern "C" { - OPENSSL_EXPORT void *OPENSSL_memory_alloc(size_t size); - OPENSSL_EXPORT void OPENSSL_memory_free(void *ptr); - OPENSSL_EXPORT size_t OPENSSL_memory_get_size(void *ptr); - OPENSSL_EXPORT void *OPENSSL_memory_realloc(void *ptr, size_t size); - - void *new_malloc_impl(size_t size, const char *file, int line); - void new_free_impl(void *ptr, const char *file, int line); - void *new_realloc_impl(void *ptr, size_t size, const char *file, int line); +OPENSSL_EXPORT void *OPENSSL_memory_alloc(size_t size); +OPENSSL_EXPORT void OPENSSL_memory_free(void *ptr); +OPENSSL_EXPORT size_t OPENSSL_memory_get_size(void *ptr); +OPENSSL_EXPORT void *OPENSSL_memory_realloc(void *ptr, size_t size); + +void *new_malloc_impl(size_t size, const char *file, int line); +void new_free_impl(void *ptr, const char *file, int line); +void *new_realloc_impl(void *ptr, size_t size, const char *file, int line); } void *OPENSSL_memory_alloc(size_t size) { @@ -48,9 +48,9 @@ void *OPENSSL_memory_realloc(void *ptr, size_t size) { } TEST(MemTest, BasicOverrides) { - // The FIPS build which runs the power on self tests can call a lot of functions - // before this test. Therefore, all the expected counts are relative to the - // starting point + // The FIPS build which runs the power on self tests can call a lot of + // functions before this test. Therefore, all the expected counts are relative + // to the starting point int starting_alloc = alloc_count; int starting_free = free_count; int starting_realloc = realloc_count; 
@@ -101,20 +101,18 @@ TEST(MemTest, BasicOverrides) { OPENSSL_free(realloc_ptr_2); } -void *new_malloc_impl(size_t size, const char *file, int line) { - return NULL; -} +void *new_malloc_impl(size_t size, const char *file, int line) { return NULL; } void *new_realloc_impl(void *ptr, size_t size, const char *file, int line) { return NULL; } -void new_free_impl(void *ptr, const char *file, int line) { - return; -} +void new_free_impl(void *ptr, const char *file, int line) { return; } TEST(MemTest, MemSetFailWhenWeakSymbolsOverrided) { - // CRYPTO_set_mem_functions returns 0 when |OPENSSL_malloc/free/realloc| are customized by overriding the symbols. - ASSERT_EQ(0, CRYPTO_set_mem_functions(new_malloc_impl, new_realloc_impl, new_free_impl)); + // CRYPTO_set_mem_functions returns 0 when |OPENSSL_malloc/free/realloc| are + // customized by overriding the symbols. + ASSERT_EQ(0, CRYPTO_set_mem_functions(new_malloc_impl, new_realloc_impl, + new_free_impl)); } #endif diff --git a/crypto/obj/obj.c b/crypto/obj/obj.c index 848ac57ea8..ff7828f2f4 100644 --- a/crypto/obj/obj.c +++ b/crypto/obj/obj.c @@ -329,10 +329,8 @@ OPENSSL_EXPORT int OBJ_nid2cbb(CBB *out, int nid) { const ASN1_OBJECT *obj = OBJ_nid2obj(nid); CBB oid; - if (obj == NULL || - !CBB_add_asn1(out, &oid, CBS_ASN1_OBJECT) || - !CBB_add_bytes(&oid, obj->data, obj->length) || - !CBB_flush(out)) { + if (obj == NULL || !CBB_add_asn1(out, &oid, CBS_ASN1_OBJECT) || + !CBB_add_bytes(&oid, obj->data, obj->length) || !CBB_flush(out)) { return 0; } @@ -481,9 +479,7 @@ int OBJ_obj2txt(char *out, int out_len, const ASN1_OBJECT *obj, return ret; } -static uint32_t hash_nid(const ASN1_OBJECT *obj) { - return obj->nid; -} +static uint32_t hash_nid(const ASN1_OBJECT *obj) { return obj->nid; } static int cmp_nid(const ASN1_OBJECT *a, const ASN1_OBJECT *b) { return a->nid - b->nid; 
@@ -527,14 +523,13 @@ static int obj_add_object(ASN1_OBJECT *obj) { lh_ASN1_OBJECT_new(hash_short_name, cmp_short_name); } if (global_added_by_long_name == NULL) { - global_added_by_long_name = lh_ASN1_OBJECT_new(hash_long_name, cmp_long_name); + global_added_by_long_name = + lh_ASN1_OBJECT_new(hash_long_name, cmp_long_name); } int ok = 0; - if (global_added_by_nid == NULL || - global_added_by_data == NULL || - global_added_by_short_name == NULL || - global_added_by_long_name == NULL) { + if (global_added_by_nid == NULL || global_added_by_data == NULL || + global_added_by_short_name == NULL || global_added_by_long_name == NULL) { goto err; } @@ -562,8 +557,7 @@ static int obj_add_object(ASN1_OBJECT *obj) { int OBJ_create(const char *oid, const char *short_name, const char *long_name) { ASN1_OBJECT *op = create_object_with_text_oid(obj_next_nid, oid, short_name, long_name); - if (op == NULL || - !obj_add_object(op)) { + if (op == NULL || !obj_add_object(op)) { return NID_undef; } return op->nid; diff --git a/crypto/obj/obj_test.cc b/crypto/obj/obj_test.cc index abea30d7e9..4407595b2f 100644 --- a/crypto/obj/obj_test.cc +++ b/crypto/obj/obj_test.cc @@ -64,8 +64,8 @@ TEST(ObjTest, TestBasic) { TEST(ObjTest, TestSignatureAlgorithms) { int digest_nid, pkey_nid; - ASSERT_TRUE(OBJ_find_sigid_algs(NID_sha256WithRSAEncryption, &digest_nid, - &pkey_nid)); + ASSERT_TRUE( + OBJ_find_sigid_algs(NID_sha256WithRSAEncryption, &digest_nid, &pkey_nid)); ASSERT_EQ(digest_nid, NID_sha256); ASSERT_EQ(pkey_nid, NID_rsaEncryption); @@ -142,7 +142,9 @@ TEST(ObjTest, TestObj2Txt) { // kBasicConstraints is the DER representation of 2.5.29.19, // id-basicConstraints. static const uint8_t kBasicConstraints[] = { - 0x55, 0x1d, 0x13, + 0x55, + 0x1d, + 0x13, }; // kTestOID is the DER representation of 1.2.840.113554.4.1.72585.0, diff --git a/crypto/obj/obj_xref.c b/crypto/obj/obj_xref.c index 65319f2fdd..45c79057ec 100644 --- a/crypto/obj/obj_xref.c +++ b/crypto/obj/obj_xref.c 
@@ -93,8 +93,7 @@ static const nid_triple kTriples[] = { // digest "undef" indicates the caller should handle this explicitly. {NID_rsassaPss, NID_undef, NID_rsaEncryption}, {NID_ED25519, NID_undef, NID_ED25519}, - {NID_MLDSA65, NID_undef, NID_MLDSA65} -}; + {NID_MLDSA65, NID_undef, NID_MLDSA65}}; int OBJ_find_sigid_algs(int sign_nid, int *out_digest_nid, int *out_pkey_nid) { for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTriples); i++) { diff --git a/crypto/ocsp/ocsp_asn.c b/crypto/ocsp/ocsp_asn.c index 839390a90d..7768513ae8 100644 --- a/crypto/ocsp/ocsp_asn.c +++ b/crypto/ocsp/ocsp_asn.c @@ -10,8 +10,8 @@ // OCSP ASN1 structure definitions can be found in RFC link below // https://tools.ietf.org/html/rfc6960#section-4.2.1 -#include "internal.h" #include "../x509/internal.h" +#include "internal.h" ASN1_SEQUENCE(OCSP_SIGNATURE) = { ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR), diff --git a/crypto/ocsp/ocsp_http.c b/crypto/ocsp/ocsp_http.c index 5c43c53b1b..fef6afb623 100644 --- a/crypto/ocsp/ocsp_http.c +++ b/crypto/ocsp/ocsp_http.c @@ -178,7 +178,7 @@ int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx) { OPENSSL_FALLTHROUGH; case OHS_ASN1_WRITE_INIT: - if(!BIO_mem_contents(rctx->mem, NULL, &data_len)) { + if (!BIO_mem_contents(rctx->mem, NULL, &data_len)) { rctx->state = OHS_ERROR; return 0; } @@ -187,7 +187,7 @@ int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx) { OPENSSL_FALLTHROUGH; case OHS_ASN1_WRITE: - if(!BIO_mem_contents(rctx->mem, &data, &data_len)) { + if (!BIO_mem_contents(rctx->mem, &data, &data_len)) { rctx->state = OHS_ERROR; return 0; } @@ -207,7 +207,7 @@ int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx) { goto next_io; } rctx->state = OHS_ASN1_FLUSH; - if(!BIO_reset(rctx->mem)) { + if (!BIO_reset(rctx->mem)) { return 0; } 
@@ -236,7 +236,7 @@ int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx) { // Due to strange memory BIO behaviour with BIO_gets we have to // check there's a complete line in there before calling BIO_gets // or we'll just get a partial read. - if(!BIO_mem_contents(rctx->mem, &data, &data_len)) { + if (!BIO_mem_contents(rctx->mem, &data, &data_len)) { rctx->state = OHS_ERROR; return 0; } @@ -292,7 +292,7 @@ int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx) { // Now reading ASN1 header: can read at least 2 bytes which is // enough for ASN1 SEQUENCE header and either length field or at // least the length of the length field. - if(!BIO_mem_contents(rctx->mem, &data, &data_len)) { + if (!BIO_mem_contents(rctx->mem, &data, &data_len)) { rctx->state = OHS_ERROR; return 0; } @@ -340,7 +340,7 @@ int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx) { OPENSSL_FALLTHROUGH; case OHS_ASN1_CONTENT: - if(!BIO_mem_contents(rctx->mem, NULL, &data_len)) { + if (!BIO_mem_contents(rctx->mem, NULL, &data_len)) { rctx->state = OHS_ERROR; return 0; } diff --git a/crypto/ocsp/ocsp_print.c b/crypto/ocsp/ocsp_print.c index 7f65a89e4b..9236c19268 100644 --- a/crypto/ocsp/ocsp_print.c +++ b/crypto/ocsp/ocsp_print.c @@ -80,7 +80,7 @@ const char *OCSP_crl_reason_str(long s) { } int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *req, unsigned long flags) { - if(bp == NULL|| req ==NULL) { + if (bp == NULL || req == NULL) { OPENSSL_PUT_ERROR(OCSP, ERR_R_PASSED_NULL_PARAMETER); return 0; } @@ -131,7 +131,7 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *req, unsigned long flags) { } int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *resp, unsigned long flags) { - if(bp == NULL|| resp ==NULL) { + if (bp == NULL || resp == NULL) { OPENSSL_PUT_ERROR(OCSP, ERR_R_PASSED_NULL_PARAMETER); return 0; } diff --git a/crypto/ocsp/ocsp_verify.c b/crypto/ocsp/ocsp_verify.c index ebc47d4915..16005a5c64 100644 --- a/crypto/ocsp/ocsp_verify.c +++ b/crypto/ocsp/ocsp_verify.c 
@@ -434,7 +434,8 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, return 0; } - // Find |signer| from |certs| or |req->optionalSignature->certs| against criteria. + // Find |signer| from |certs| or |req->optionalSignature->certs| against + // criteria. X509 *signer = NULL; int signer_status = ocsp_req_find_signer(&signer, req, gen->d.directoryName, certs, flags); diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c index 95695b02e3..69404291e6 100644 --- a/crypto/pem/pem_all.c +++ b/crypto/pem/pem_all.c @@ -266,7 +266,7 @@ int PEM_write_bio_ECPKParameters(BIO *out, const EC_GROUP *group) { unsigned char *data = NULL; int buf_len = i2d_ECPKParameters(group, &data); - if(data == NULL || buf_len < 0) { + if (data == NULL || buf_len < 0) { OPENSSL_PUT_ERROR(PEM, ERR_R_ASN1_LIB); goto err; } diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index fa66620039..c91090bb82 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -70,8 +70,8 @@ #include #include -#include "../internal.h" #include "../fipsmodule/evp/internal.h" +#include "../internal.h" #define MIN_LENGTH 4 @@ -476,8 +476,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher) { p = header; for (;;) { c = *header; - if (!((c >= 'A' && c <= 'Z') || c == '-' || - OPENSSL_isdigit(c))) { + if (!((c >= 'A' && c <= 'Z') || c == '-' || OPENSSL_isdigit(c))) { break; } header++; @@ -570,7 +569,7 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header, i = j = 0; while (len > 0) { n = (int)((len > (PEM_BUFSIZE * 5)) ? (PEM_BUFSIZE * 5) : len); - if(!EVP_EncodeUpdate(&ctx, buf, &outl, &(data[j]), n)) { + if (!EVP_EncodeUpdate(&ctx, buf, &outl, &(data[j]), n)) { goto err; } if ((outl) && (BIO_write(bp, (char *)buf, outl) != outl)) { diff --git a/crypto/pem/pem_test.cc b/crypto/pem/pem_test.cc index e692231241..b5d04fd8e1 100644 --- a/crypto/pem/pem_test.cc +++ b/crypto/pem/pem_test.cc 
@@ -29,11 +29,12 @@ #include "../test/test_util.h" -const char* SECRET = "test"; +const char *SECRET = "test"; -static int pem_password_callback(char *buf, int size, int rwflag, void *userdata) { - char* data = (char *)userdata; - if(size <= 0) { +static int pem_password_callback(char *buf, int size, int rwflag, + void *userdata) { + char *data = (char *)userdata; + if (size <= 0) { return 0; } return (int)BUF_strlcpy(buf, data, size); @@ -61,7 +62,8 @@ TEST(PEMTest, NoRC4) { ErrorEquals(ERR_get_error(), ERR_LIB_PEM, PEM_R_UNSUPPORTED_ENCRYPTION)); } -static void* d2i_ASN1_INTEGER_void(void ** out, const unsigned char **inp, long len) { +static void *d2i_ASN1_INTEGER_void(void **out, const unsigned char **inp, + long len) { return d2i_ASN1_INTEGER((ASN1_INTEGER **)out, inp, len); } @@ -76,14 +78,10 @@ TEST(PEMTest, WriteReadASN1IntegerPem) { GTEST_SKIP(); #endif // Numbers for testing - std::vector nums = { - 0x00000001L, - 0x00000100L, - 0x00010000L, - 0x01000000L, - -2L}; - - for(long original_value: nums) { + std::vector nums = {0x00000001L, 0x00000100L, 0x00010000L, 0x01000000L, + -2L}; + + for (long original_value : nums) { // Create an ASN1_INTEGER with value bssl::UniquePtr asn1_int(ASN1_INTEGER_new()); ASSERT_TRUE(asn1_int); @@ -101,8 +99,8 @@ TEST(PEMTest, WriteReadASN1IntegerPem) { rewind(pem_file.get()); // Read the ASN1_INTEGER back from the PEM-formatted string bssl::UniquePtr read_integer((ASN1_INTEGER *)PEM_ASN1_read( - d2i_ASN1_INTEGER_void, "ASN1 INTEGER", pem_file.get(), nullptr, - nullptr, nullptr)); + d2i_ASN1_INTEGER_void, "ASN1 INTEGER", pem_file.get(), nullptr, nullptr, + nullptr)); ASSERT_TRUE(read_integer); // Check if the read ASN1_INTEGER has the same value as the original 
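Review bot: `pem_password_callback` returns whatever `BUF_strlcpy` returns, which, like strlcpy, is the full length of the source string rather than the number of bytes actually written to `buf`; for a password longer than `size - 1` the callback would report a length past the end of the buffer, and a PEM reader that trusts the returned count reads out of bounds. The fixed `"test"` secret never triggers this, but test callbacks are the pattern people copy, so clamp the result: `size_t n = BUF_strlcpy(buf, data, size); return (int)(n < (size_t)size ? n : (size_t)size - 1);`. Note also that `userdata` is dereferenced without a NULL check, so every caller must pass `(void *)SECRET` or an equivalent non-NULL string.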
@@ -111,7 +109,8 @@ TEST(PEMTest, WriteReadASN1IntegerPem) { } } -const char* kPemRsaPrivateKey = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" +const char *kPemRsaPrivateKey = + "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" "MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAhz3vU103jx3wICCAAw\n" "DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEA6vMhRLgHZuHFa+eiecYCgEgZDB\n" "E8EOzjGQuu4D0TVAjOa3Peb9/MzQz3t09m5pvNBFKrEl96gefpZdni5qQk34ukj9\n" @@ -121,11 +120,13 @@ const char* kPemRsaPrivateKey = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" TEST(PEMTest, ReadPrivateKeyPem) { - bssl::UniquePtr read_bio(BIO_new_mem_buf(kPemRsaPrivateKey, BUF_strnlen(kPemRsaPrivateKey, 2048)) ); + bssl::UniquePtr read_bio( + BIO_new_mem_buf(kPemRsaPrivateKey, BUF_strnlen(kPemRsaPrivateKey, 2048))); ASSERT_TRUE(read_bio); - bssl::UniquePtr ec_key(PEM_read_bio_ECPrivateKey(read_bio.get(), nullptr, pem_password_callback, (void*)SECRET)); + bssl::UniquePtr ec_key(PEM_read_bio_ECPrivateKey( + read_bio.get(), nullptr, pem_password_callback, (void *)SECRET)); ASSERT_TRUE(ec_key); - const EC_GROUP* p256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); + const EC_GROUP *p256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); ASSERT_EQ(p256, EC_KEY_get0_group(ec_key.get())); } 
@@ -144,17 +145,20 @@ TEST(PEMTest, WriteReadRSAPem) { bssl::UniquePtr write_bio(BIO_new(BIO_s_mem())); ASSERT_TRUE(write_bio); - const EVP_CIPHER* cipher = EVP_get_cipherbynid(NID_aes_256_cbc); + const EVP_CIPHER *cipher = EVP_get_cipherbynid(NID_aes_256_cbc); ASSERT_TRUE(cipher); - ASSERT_TRUE(PEM_write_bio_RSAPrivateKey(write_bio.get(), rsa.get(), cipher, (unsigned char*)SECRET, (int)BUF_strnlen(SECRET, 256), nullptr, nullptr)); + ASSERT_TRUE(PEM_write_bio_RSAPrivateKey( + write_bio.get(), rsa.get(), cipher, (unsigned char *)SECRET, + (int)BUF_strnlen(SECRET, 256), nullptr, nullptr)); - const uint8_t* content; + const uint8_t *content; size_t content_len; BIO_mem_contents(write_bio.get(), &content, &content_len); - bssl::UniquePtr read_bio(BIO_new_mem_buf(content, content_len) ); + bssl::UniquePtr read_bio(BIO_new_mem_buf(content, content_len)); ASSERT_TRUE(read_bio); - bssl::UniquePtr rsa_read(PEM_read_bio_RSAPrivateKey(read_bio.get(), nullptr, pem_password_callback, (void*)SECRET)); + bssl::UniquePtr rsa_read(PEM_read_bio_RSAPrivateKey( + read_bio.get(), nullptr, pem_password_callback, (void *)SECRET)); ASSERT_TRUE(rsa_read); ASSERT_EQ(0, BN_cmp(RSA_get0_n(rsa.get()), RSA_get0_n(rsa_read.get()))); } @@ -162,7 +166,8 @@ TEST(PEMTest, WriteReadRSAPem) { TEST(PEMTest, WriteReadECPem) { bssl::UniquePtr ec_key(EC_KEY_new()); ASSERT_TRUE(ec_key); - bssl::UniquePtr ec_group(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); + bssl::UniquePtr ec_group( + EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); ASSERT_TRUE(ec_group); ASSERT_TRUE(EC_KEY_set_group(ec_key.get(), ec_group.get())); 
@@ -174,20 +179,23 @@ TEST(PEMTest, WriteReadECPem) { bssl::UniquePtr write_bio(BIO_new(BIO_s_mem())); ASSERT_TRUE(write_bio); - const EVP_CIPHER* cipher = EVP_get_cipherbynid(NID_aes_256_cbc); + const EVP_CIPHER *cipher = EVP_get_cipherbynid(NID_aes_256_cbc); ASSERT_TRUE(cipher); - ASSERT_TRUE(PEM_write_bio_ECPrivateKey(write_bio.get(), ec_key.get(), cipher, nullptr, 0, pem_password_callback, (void*)SECRET)); + ASSERT_TRUE(PEM_write_bio_ECPrivateKey(write_bio.get(), ec_key.get(), cipher, + nullptr, 0, pem_password_callback, + (void *)SECRET)); - const uint8_t* content; + const uint8_t *content; size_t content_len; BIO_mem_contents(write_bio.get(), &content, &content_len); - bssl::UniquePtr read_bio(BIO_new_mem_buf(content, content_len) ); + bssl::UniquePtr read_bio(BIO_new_mem_buf(content, content_len)); ASSERT_TRUE(read_bio); - bssl::UniquePtr ec_key_read(PEM_read_bio_ECPrivateKey(read_bio.get(), nullptr, pem_password_callback, (void*)"test")); + bssl::UniquePtr ec_key_read(PEM_read_bio_ECPrivateKey( + read_bio.get(), nullptr, pem_password_callback, (void *)"test")); ASSERT_TRUE(ec_key_read); - const BIGNUM* orig_priv_key = EC_KEY_get0_private_key(ec_key.get()); - const BIGNUM* read_priv_key = EC_KEY_get0_private_key(ec_key_read.get()); + const BIGNUM *orig_priv_key = EC_KEY_get0_private_key(ec_key.get()); + const BIGNUM *read_priv_key = EC_KEY_get0_private_key(ec_key_read.get()); ASSERT_EQ(0, BN_cmp(orig_priv_key, read_priv_key)); } @@ -260,8 +268,8 @@ TEST(PEMTest, WriteReadECPKPem) { // Check that explicitly-encoded versions of namedCurves can be correctly // parsed from a PEM file. - read_bio.reset(BIO_new_mem_buf( - kPemExplictECPARAMETERS, strlen(kPemExplictECPARAMETERS))); + read_bio.reset(BIO_new_mem_buf(kPemExplictECPARAMETERS, + strlen(kPemExplictECPARAMETERS))); read_group.reset( PEM_read_bio_ECPKParameters(read_bio.get(), nullptr, nullptr, nullptr)); ASSERT_TRUE(read_group); 
diff --git a/crypto/pkcs7/bio/bio_md_test.cc b/crypto/pkcs7/bio/bio_md_test.cc index 436b6c4d49..85687a04e9 100644 --- a/crypto/pkcs7/bio/bio_md_test.cc +++ b/crypto/pkcs7/bio/bio_md_test.cc @@ -118,7 +118,8 @@ TEST_P(BIOMessageDigestTest, Basic) { ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), md, NULL)); ASSERT_TRUE( EVP_DigestUpdate(ctx.get(), message_vec.data(), message_vec.size())); - ASSERT_TRUE(EVP_DigestFinal_ex(ctx.get(), buf, reinterpret_cast(&digest_len))); + ASSERT_TRUE(EVP_DigestFinal_ex( + ctx.get(), buf, reinterpret_cast(&digest_len))); EXPECT_EQ(Bytes(buf_vec.data(), buf_vec.size()), Bytes(buf, digest_len)); bio_md.release(); // |bio| took ownership bio_mem.release(); // |bio| took ownership @@ -146,7 +147,8 @@ TEST_P(BIOMessageDigestTest, Basic) { ASSERT_TRUE(EVP_DigestInit_ex(ctx.get(), md, NULL)); ASSERT_TRUE( EVP_DigestUpdate(ctx.get(), message_vec.data(), message_vec.size())); - ASSERT_TRUE(EVP_DigestFinal_ex(ctx.get(), buf, reinterpret_cast(&digest_len))); + ASSERT_TRUE(EVP_DigestFinal_ex( + ctx.get(), buf, reinterpret_cast(&digest_len))); EXPECT_EQ(Bytes(buf, digest_len), Bytes(buf_vec.data(), buf_vec.size())); EXPECT_EQ(Bytes(buf_vec.data(), buf_vec.size()), Bytes(buf, digest_len)); // Resetting |bio_md| should reset digest state, elicit different digest @@ -199,7 +201,8 @@ TEST_P(BIOMessageDigestTest, Randomized) { } EVP_DigestUpdate(ctx.get(), message.data(), message.size()); int digest_size; - EVP_DigestFinal_ex(ctx.get(), digest_buf, reinterpret_cast(&digest_size)); + EVP_DigestFinal_ex(ctx.get(), digest_buf, + reinterpret_cast(&digest_size)); ASSERT_EQ(EVP_MD_CTX_size(ctx.get()), (unsigned int)digest_size); expected_digest.insert(expected_digest.begin(), &digest_buf[0], &digest_buf[digest_size]); diff --git a/crypto/pkcs7/bio/cipher.c b/crypto/pkcs7/bio/cipher.c index 6a7eb61cfb..4c35617f4d 100644 --- a/crypto/pkcs7/bio/cipher.c +++ b/crypto/pkcs7/bio/cipher.c 
@@ -281,8 +281,8 @@ int BIO_set_cipher(BIO *b, const EVP_CIPHER *c, const unsigned char *key, // (e.g. DES) and cipher modes (e.g. CBC, CCM) had issues with block alignment // and padding during testing, so they're forbidden for now. const EVP_CIPHER *kSupportedCiphers[] = { - EVP_aes_128_cbc(), EVP_aes_128_ctr(), EVP_aes_128_ofb(), - EVP_aes_256_cbc(), EVP_aes_256_ctr(), EVP_aes_256_ofb(), + EVP_aes_128_cbc(), EVP_aes_128_ctr(), EVP_aes_128_ofb(), + EVP_aes_256_cbc(), EVP_aes_256_ctr(), EVP_aes_256_ofb(), EVP_chacha20_poly1305(), EVP_des_ede3_cbc(), }; const size_t kSupportedCiphersCount = diff --git a/crypto/pkcs7/bio/md.c b/crypto/pkcs7/bio/md.c index 8b5489e130..16bfcbdfe5 100644 --- a/crypto/pkcs7/bio/md.c +++ b/crypto/pkcs7/bio/md.c @@ -177,5 +177,5 @@ int BIO_get_md_ctx(BIO *b, EVP_MD_CTX **ctx) { } int BIO_set_md(BIO *b, const EVP_MD *md) { - return BIO_ctrl(b, BIO_C_SET_MD, 0, (EVP_MD*)md); + return BIO_ctrl(b, BIO_C_SET_MD, 0, (EVP_MD *)md); } diff --git a/crypto/pkcs7/pkcs7.c b/crypto/pkcs7/pkcs7.c index e60384a459..37850aa588 100644 --- a/crypto/pkcs7/pkcs7.c +++ b/crypto/pkcs7/pkcs7.c @@ -866,9 +866,7 @@ int PKCS7_set_detached(PKCS7 *p7, int detach) { } } -int PKCS7_get_detached(PKCS7 *p7) { - return PKCS7_is_detached(p7); -} +int PKCS7_get_detached(PKCS7 *p7) { return PKCS7_is_detached(p7); } static BIO *pkcs7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) { @@ -1399,7 +1397,8 @@ PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509) { return ri; } -int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int _flags) { +int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, + int _flags) { GUARD_PTR(p7); GUARD_PTR(pkey); GUARD_PTR(data); diff --git a/crypto/pkcs7/pkcs7_test.cc b/crypto/pkcs7/pkcs7_test.cc index 1df52e0c4a..d15a428637 100644 --- a/crypto/pkcs7/pkcs7_test.cc +++ b/crypto/pkcs7/pkcs7_test.cc 
@@ -1699,7 +1699,8 @@ TEST(PKCS7Test, TestEnveloped) { // NOTE: we make |buf| larger than |pt_len| in case padding gets added. // without the extra room, we sometimes overflow into the next variable on the // stack. - uint8_t buf[pt_len + EVP_MAX_BLOCK_LENGTH], decrypted[pt_len + EVP_MAX_BLOCK_LENGTH]; + uint8_t buf[pt_len + EVP_MAX_BLOCK_LENGTH], + decrypted[pt_len + EVP_MAX_BLOCK_LENGTH]; OPENSSL_cleanse(buf, sizeof(buf)); OPENSSL_memset(buf, 'A', pt_len); @@ -1828,9 +1829,9 @@ TEST(PKCS7Test, TestEnveloped) { // expectation. Ideally we'd find a way to access the padded plaintext and // account for this deterministically by checking the random "padding" and // adusting accordingly. - const size_t max_decrypt = - pt_len + EVP_CIPHER_block_size(EVP_aes_128_cbc()); - const size_t decrypted_len = (size_t)BIO_read(bio.get(), decrypted, sizeof(decrypted)); + const size_t max_decrypt = pt_len + EVP_CIPHER_block_size(EVP_aes_128_cbc()); + const size_t decrypted_len = + (size_t)BIO_read(bio.get(), decrypted, sizeof(decrypted)); ASSERT_LE(decrypted_len, sizeof(decrypted)); if (decrypted_len > pt_len) { EXPECT_LT(max_decrypt - 4, decrypted_len); diff --git a/crypto/pkcs8/p5_pbev2.c b/crypto/pkcs8/p5_pbev2.c index 173fa98046..f266354ad0 100644 --- a/crypto/pkcs8/p5_pbev2.c +++ b/crypto/pkcs8/p5_pbev2.c @@ -65,8 +65,8 @@ #include #include -#include "internal.h" #include "../internal.h" +#include "internal.h" // 1.2.840.113549.1.5.12 @@ -291,8 +291,7 @@ int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx, // All supported PRFs use a NULL parameter. CBS null; - if (!CBS_get_asn1(&alg_id, &null, CBS_ASN1_NULL) || - CBS_len(&null) != 0 || + if (!CBS_get_asn1(&alg_id, &null, CBS_ASN1_NULL) || CBS_len(&null) != 0 || CBS_len(&alg_id) != 0) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); return 0; diff --git a/crypto/pkcs8/pkcs12_test.cc b/crypto/pkcs8/pkcs12_test.cc index 147567118a..4eb31eedad 100644 --- a/crypto/pkcs8/pkcs12_test.cc 
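Review bot: The comment above the enlarged `buf`/`decrypted` arrays says that without the extra `EVP_MAX_BLOCK_LENGTH` bytes "we sometimes overflow into the next variable on the stack"; if that describes real behaviour, it is a library write past a caller-supplied length and belongs in a bug report rather than being absorbed by a bigger test buffer. From the visible lines the read side already bounds itself with `sizeof(decrypted)` in `BIO_read`, so the remark may describe an earlier version of the test; either way it should name the call that overflowed or be reworded to something like `// Leave room for one block of padding so plaintext and decrypted sizes can differ.` so a future reader does not mistake a padding allowance for a known memory-safety defect.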
+++ b/crypto/pkcs8/pkcs12_test.cc @@ -19,8 +19,8 @@ #include #include #include -#include #include +#include #include #include #include @@ -42,8 +42,7 @@ static bssl::Span StringToBytes(const std::string &str) { } static void TestImpl(const char *name, bssl::Span der, - const char *password, - const char *friendly_name) { + const char *password, const char *friendly_name) { SCOPED_TRACE(name); bssl::UniquePtr certs(sk_X509_new_null()); ASSERT_TRUE(certs); @@ -146,7 +145,8 @@ TEST(PKCS12Test, TestNoEncryption) { // no_encryption.p12 is a PKCS#12 file with neither the key or certificate is // encrypted. It was generated with: // - // openssl pkcs12 -export -inkey ecdsa_p256_key.pem -in ecdsa_p256_cert.pem -keypbe NONE -certpbe NONE -password pass:foo + // openssl pkcs12 -export -inkey ecdsa_p256_key.pem -in ecdsa_p256_cert.pem + // -keypbe NONE -certpbe NONE -password pass:foo std::string data = GetTestData("crypto/pkcs8/test/no_encryption.p12"); TestImpl("kNoEncryption", StringToBytes(data), kPassword, nullptr); } @@ -169,7 +169,8 @@ TEST(PKCS12Test, TestNULLContentInfoRoot) { TEST(PKCS12Test, TestNULLContentInfoChild) { // Content in ContentInfo from sequence contained in AuthSafe can't be NULL. - std::string data = GetTestData("crypto/pkcs8/test/null_contentinfo_child.p12"); + std::string data = + GetTestData("crypto/pkcs8/test/null_contentinfo_child.p12"); TestImplParseFail("kNoEncryption", StringToBytes(data), nullptr); } @@ -179,7 +180,8 @@ TEST(PKCS12Test, TestEmptyPassword) { #endif // Generated with - // openssl pkcs12 -export -inkey ecdsa_p256_key.pem -in ecdsa_p256_cert.pem -password pass: + // openssl pkcs12 -export -inkey ecdsa_p256_key.pem -in ecdsa_p256_cert.pem + // -password pass: std::string data = GetTestData("crypto/pkcs8/test/empty_password.p12"); TestImpl("EmptyPassword (empty password)", StringToBytes(data), "", nullptr); TestImpl("EmptyPassword (null password)", StringToBytes(data), nullptr, 
@@ -207,7 +209,8 @@ TEST(PKCS12Test, TestNullPassword) { #endif // Generated with - // openssl pkcs12 -export -inkey ecdsa_p256_key.pem -in ecdsa_p256_cert.pem -password pass: + // openssl pkcs12 -export -inkey ecdsa_p256_key.pem -in ecdsa_p256_cert.pem + // -password pass: // But with OpenSSL patched to pass NULL into PKCS12_create and // PKCS12_set_mac. std::string data = GetTestData("crypto/pkcs8/test/null_password.p12"); @@ -218,7 +221,8 @@ TEST(PKCS12Test, TestNullPassword) { TEST(PKCS12Test, TestUnicode) { // Generated with - // openssl pkcs12 -export -inkey ecdsa_p256_key.pem -in ecdsa_p256_cert.pem -password pass:"Hello, 世界" + // openssl pkcs12 -export -inkey ecdsa_p256_key.pem -in ecdsa_p256_cert.pem + // -password pass:"Hello, 世界" std::string data = GetTestData("crypto/pkcs8/test/unicode_password.p12"); TestImpl("Unicode", StringToBytes(data), kUnicodePassword, nullptr); } @@ -457,8 +461,7 @@ TEST(PKCS12Test, RoundTrip) { {bssl::Span(kTestCert2)}, 0, 0, 0, 0); // Test some Unicode. - TestRoundTrip(kPassword, "Hello, 世界!", - bssl::Span(kTestKey), + TestRoundTrip(kPassword, "Hello, 世界!", bssl::Span(kTestKey), bssl::Span(kTestCert), {bssl::Span(kTestCert2)}, 0, 0, 0, 0); TestRoundTrip(kUnicodePassword, nullptr /* no name */, @@ -520,13 +523,11 @@ TEST(PKCS12Test, RoundTrip) { static bssl::UniquePtr MakeTestKey() { bssl::UniquePtr ec_key( EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); - if (!ec_key || - !EC_KEY_generate_key(ec_key.get())) { + if (!ec_key || !EC_KEY_generate_key(ec_key.get())) { return nullptr; } bssl::UniquePtr evp_pkey(EVP_PKEY_new()); - if (!evp_pkey || - !EVP_PKEY_assign_EC_KEY(evp_pkey.get(), ec_key.release())) { + if (!evp_pkey || !EVP_PKEY_assign_EC_KEY(evp_pkey.get(), ec_key.release())) { return nullptr; } return evp_pkey; 
@@ -537,7 +538,7 @@ static bssl::UniquePtr MakeTestCert(EVP_PKEY *key) { if (!x509) { return nullptr; } - X509_NAME* subject = X509_get_subject_name(x509.get()); + X509_NAME *subject = X509_get_subject_name(x509.get()); if (!X509_gmtime_adj(X509_get_notBefore(x509.get()), 0) || !X509_gmtime_adj(X509_get_notAfter(x509.get()), 60 * 60 * 24) || !X509_NAME_add_entry_by_txt(subject, "CN", MBSTRING_ASC, @@ -565,7 +566,7 @@ static bool PKCS12CreateVector(bssl::UniquePtr &p12, EVP_PKEY *pkey, } p12.reset(PKCS12_create(kPassword, nullptr /* name */, pkey, - nullptr /* cert */, chain.get(), 0, 0, 0, 0, 0)); + nullptr /* cert */, chain.get(), 0, 0, 0, 0, 0)); if (!p12) { return false; } @@ -737,4 +738,3 @@ TEST(PKCS12Test, SetMac) { strlen(kUnicodePassword), nullptr, 0, 0, nullptr)); } - diff --git a/crypto/pkcs8/pkcs8.c b/crypto/pkcs8/pkcs8.c index 9cea6471c4..2d8b79f403 100644 --- a/crypto/pkcs8/pkcs8.c +++ b/crypto/pkcs8/pkcs8.c @@ -67,9 +67,9 @@ #include #include -#include "internal.h" #include "../bytestring/internal.h" #include "../internal.h" +#include "internal.h" static int pkcs12_encode_password(const char *in, size_t in_len, uint8_t **out, @@ -85,16 +85,14 @@ static int pkcs12_encode_password(const char *in, size_t in_len, uint8_t **out, CBS_init(&cbs, (const uint8_t *)in, in_len); while (CBS_len(&cbs) != 0) { uint32_t c; - if (!cbs_get_utf8(&cbs, &c) || - !cbb_add_ucs2_be(&cbb, c)) { + if (!cbs_get_utf8(&cbs, &c) || !cbb_add_ucs2_be(&cbb, c)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS); goto err; } } // Terminate the result with a UCS-2 NUL. - if (!cbb_add_ucs2_be(&cbb, 0) || - !CBB_finish(&cbb, out, out_len)) { + if (!cbb_add_ucs2_be(&cbb, 0) || !CBB_finish(&cbb, out, out_len)) { goto err; } 
@@ -168,7 +166,7 @@ int pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt, I[i] = salt[i % salt_len]; } // P_len would be 0 in this case, but static analyzers don't always see that - if(pass_raw_len > 0) { + if (pass_raw_len > 0) { for (size_t i = 0; i < P_len; i++) { I[i + S_len] = pass_raw[i % pass_raw_len]; } @@ -263,8 +261,7 @@ static int pkcs12_pbe_decrypt_init(const struct pbe_suite *suite, if (!CBS_get_asn1(param, &pbe_param, CBS_ASN1_SEQUENCE) || !CBS_get_asn1(&pbe_param, &salt, CBS_ASN1_OCTETSTRING) || !CBS_get_asn1_uint64(&pbe_param, &iterations) || - CBS_len(&pbe_param) != 0 || - CBS_len(param) != 0) { + CBS_len(&pbe_param) != 0 || CBS_len(param) != 0) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); return 0; } @@ -322,8 +319,7 @@ static const struct pbe_suite *get_pkcs12_pbe_suite(int pbe_nid) { for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(kBuiltinPBE); i++) { if (kBuiltinPBE[i].pbe_nid == pbe_nid && // If |cipher_func| or |md_func| are missing, this is a PBES2 scheme. - kBuiltinPBE[i].cipher_func != NULL && - kBuiltinPBE[i].md_func != NULL) { + kBuiltinPBE[i].cipher_func != NULL && kBuiltinPBE[i].md_func != NULL) { return &kBuiltinPBE[i]; } } @@ -349,8 +345,7 @@ int pkcs12_pbe_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, int alg, !CBB_add_asn1(&algorithm, ¶m, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(¶m, &salt_cbb, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&salt_cbb, salt, salt_len) || - !CBB_add_asn1_uint64(¶m, iterations) || - !CBB_flush(out)) { + !CBB_add_asn1_uint64(¶m, iterations) || !CBB_flush(out)) { return 0; } @@ -362,7 +357,8 @@ int pkcs8_pbe_decrypt(uint8_t **out, size_t *out_len, CBS *algorithm, const char *pass, size_t pass_len, const uint8_t *in, size_t in_len) { int ret = 0; - uint8_t *buf = NULL;; + uint8_t *buf = NULL; + ; EVP_CIPHER_CTX ctx; EVP_CIPHER_CTX_init(&ctx); 
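Review bot: The reformatted declaration in pkcs8_pbe_decrypt now leaves a stray empty statement `;` on its own line below `uint8_t *buf = NULL;`, because clang-format split the original doubled semicolon instead of removing it. A lone `;` compiles, but it reads as an accident and will keep being re-flagged by reviewers; dropping that line so only `uint8_t *buf = NULL;` remains keeps the cleanup purely mechanical. The body of pkcs8_pbe_decrypt continues outside the hunk.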
@@ -460,8 +456,7 @@ int PKCS8_marshal_encrypted_private_key(CBB *out, int pbe_nid, } salt_buf = OPENSSL_malloc(salt_len); - if (salt_buf == NULL || - !RAND_bytes(salt_buf, salt_len)) { + if (salt_buf == NULL || !RAND_bytes(salt_buf, salt_len)) { goto err; } @@ -515,8 +510,7 @@ int PKCS8_marshal_encrypted_private_key(CBB *out, int pbe_nid, !CBB_reserve(&ciphertext, &ptr, max_out) || !EVP_CipherUpdate(&ctx, ptr, &n1, plaintext, plaintext_len) || !EVP_CipherFinal_ex(&ctx, ptr + n1, &n2) || - !CBB_did_write(&ciphertext, n1 + n2) || - !CBB_flush(out)) { + !CBB_did_write(&ciphertext, n1 + n2) || !CBB_flush(out)) { goto err; } diff --git a/crypto/pkcs8/pkcs8_test.cc b/crypto/pkcs8/pkcs8_test.cc index d431d66646..4d6c2d7cd5 100644 --- a/crypto/pkcs8/pkcs8_test.cc +++ b/crypto/pkcs8/pkcs8_test.cc @@ -55,7 +55,8 @@ static const uint8_t kEncryptedPBES2WithDESAndSHA1[] = { }; // kEncryptedPBES2WithAESAndSHA256 is a PKCS#8 encrypted private key using PBES2 -// with AES-128-CBC and HMAC-SHA-256 and a password of "testing". It was generated with: +// with AES-128-CBC and HMAC-SHA-256 and a password of "testing". It was +// generated with: // // clang-format off // 
@@ -270,41 +271,41 @@ TEST(PKCS8Test, DecryptExplicitHMACWithSHA1) { TEST(PKCS8Test, RoundTripPBEWithrSHA1And3KeyTripleDES) { // Test with different salts. - TestRoundTrip(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, - "password", nullptr, 0, 10); - TestRoundTrip(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, - "password", nullptr, 4, 10); - TestRoundTrip(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, - "password", (const uint8_t *)"salt", 4, 10); + TestRoundTrip(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, "password", + nullptr, 0, 10); + TestRoundTrip(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, "password", + nullptr, 4, 10); + TestRoundTrip(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, "password", + (const uint8_t *)"salt", 4, 10); // Test with a different iteration count. - TestRoundTrip(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, - "password", nullptr, 0, 1); + TestRoundTrip(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, "password", + nullptr, 0, 1); } // Test that both "" (empty password, encoded as "\0\0") and nullptr (no // password, encoded as "") work. 
TEST(PKCS8Test, RoundTripPBEWithSHA1And3KeyTripleDESEmptyPassword) { - TestRoundTrip(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, "", - nullptr, 0, 1); + TestRoundTrip(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, "", nullptr, 0, + 1); TestRoundTrip(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, nullptr, nullptr, 0, 1); } TEST(PKCS8Test, RoundTripPBEWithSHA1And40BitRC2CBC) { - TestRoundTrip(NID_pbe_WithSHA1And40BitRC2_CBC, nullptr, "password", - nullptr, 0, 10); + TestRoundTrip(NID_pbe_WithSHA1And40BitRC2_CBC, nullptr, "password", nullptr, + 0, 10); } TEST(PKCS8Test, RoundTripPBEWithSHA1And128BitRC4) { - TestRoundTrip(NID_pbe_WithSHA1And128BitRC4, nullptr, "password", - nullptr, 0, 10); + TestRoundTrip(NID_pbe_WithSHA1And128BitRC4, nullptr, "password", nullptr, 0, + 10); } TEST(PKCS8Test, RoundTripPBES2) { TestRoundTrip(-1, EVP_aes_128_cbc(), "password", nullptr, 0, 10); TestRoundTrip(-1, EVP_aes_128_cbc(), "password", nullptr, 4, 10); - TestRoundTrip(-1, EVP_aes_128_cbc(), "password", (const uint8_t *)"salt", - 4, 10); + TestRoundTrip(-1, EVP_aes_128_cbc(), "password", (const uint8_t *)"salt", 4, + 10); TestRoundTrip(-1, EVP_aes_128_cbc(), "password", nullptr, 0, 1); TestRoundTrip(-1, EVP_rc2_cbc(), "password", nullptr, 0, 10); } diff --git a/crypto/pkcs8/pkcs8_x509.c b/crypto/pkcs8/pkcs8_x509.c index a0bdb4b5e9..c183b21771 100644 --- a/crypto/pkcs8/pkcs8_x509.c +++ b/crypto/pkcs8/pkcs8_x509.c @@ -57,22 +57,22 @@ #include -#include #include +#include #include #include #include +#include #include #include -#include #include #include #include #include -#include "internal.h" #include "../bytestring/internal.h" #include "../internal.h" +#include "internal.h" int pkcs12_iterations_acceptable(uint64_t iterations) { 
@@ -125,10 +125,8 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey) { CBB cbb; uint8_t *der = NULL; size_t der_len; - if (!CBB_init(&cbb, 0) || - !EVP_marshal_private_key(&cbb, pkey) || - !CBB_finish(&cbb, &der, &der_len) || - der_len > LONG_MAX) { + if (!CBB_init(&cbb, 0) || !EVP_marshal_private_key(&cbb, pkey) || + !CBB_finish(&cbb, &der, &der_len) || der_len > LONG_MAX) { CBB_cleanup(&cbb); OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCODE_ERROR); goto err; @@ -254,8 +252,7 @@ static int PKCS12_handle_sequence( } CBS child; - if (!CBS_get_asn1(&in, &child, CBS_ASN1_SEQUENCE) || - CBS_len(&in) != 0) { + if (!CBS_get_asn1(&in, &child, CBS_ASN1_SEQUENCE) || CBS_len(&in) != 0) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); goto err; } @@ -317,8 +314,7 @@ static int parse_bag_attributes(CBS *attrs, uint8_t **out_friendly_name, CBS attr, oid, values; if (!CBS_get_asn1(attrs, &attr, CBS_ASN1_SEQUENCE) || !CBS_get_asn1(&attr, &oid, CBS_ASN1_OBJECT) || - !CBS_get_asn1(&attr, &values, CBS_ASN1_SET) || - CBS_len(&attr) != 0) { + !CBS_get_asn1(&attr, &values, CBS_ASN1_SET) || CBS_len(&attr) != 0) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); goto err; } @@ -327,8 +323,7 @@ static int parse_bag_attributes(CBS *attrs, uint8_t **out_friendly_name, CBS value; if (*out_friendly_name != NULL || !CBS_get_asn1(&values, &value, CBS_ASN1_BMPSTRING) || - CBS_len(&values) != 0 || - CBS_len(&value) == 0) { + CBS_len(&values) != 0 || CBS_len(&value) == 0) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); goto err; } @@ -339,8 +334,7 @@ static int parse_bag_attributes(CBS *attrs, uint8_t **out_friendly_name, } while (CBS_len(&value) != 0) { uint32_t c; - if (!cbs_get_ucs2_be(&value, &c) || - !cbb_add_utf8(&cbb, c)) { + if (!cbs_get_ucs2_be(&value, &c) || !cbb_add_utf8(&cbb, c)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS); CBB_cleanup(&cbb); goto err; 
@@ -453,8 +447,7 @@ static int PKCS12_handle_safe_bag(CBS *safe_bag, struct pkcs12_context *ctx) { int ok = friendly_name_len == 0 || X509_alias_set1(x509, friendly_name, friendly_name_len); OPENSSL_free(friendly_name); - if (!ok || - 0 == sk_X509_push(ctx->out_certs, x509)) { + if (!ok || 0 == sk_X509_push(ctx->out_certs, x509)) { X509_free(x509); return 0; } @@ -484,7 +477,7 @@ static int PKCS12_handle_content_info(CBS *content_info, if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) || !CBS_get_asn1(content_info, &wrapped_contents, - CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) || + CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) || CBS_len(content_info) != 0) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); goto err; @@ -510,9 +503,9 @@ static int PKCS12_handle_content_info(CBS *content_info, // AlgorithmIdentifier, see // https://tools.ietf.org/html/rfc5280#section-4.1.1.2 !CBS_get_asn1(&eci, &ai, CBS_ASN1_SEQUENCE) || - !CBS_get_asn1_implicit_string( - &eci, &encrypted_contents, &storage, - CBS_ASN1_CONTEXT_SPECIFIC | 0, CBS_ASN1_OCTETSTRING)) { + !CBS_get_asn1_implicit_string(&eci, &encrypted_contents, &storage, + CBS_ASN1_CONTEXT_SPECIFIC | 0, + CBS_ASN1_OCTETSTRING)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); goto err; } @@ -604,8 +597,7 @@ int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs, // See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section // four. - if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) || - CBS_len(&in) != 0 || + if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) || CBS_len(&in) != 0 || !CBS_get_asn1_uint64(&pfx, &version)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); goto err; 
@@ -635,7 +627,7 @@ int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs, // https://tools.ietf.org/html/rfc2315#section-7. if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) || !CBS_get_asn1(&authsafe, &wrapped_authsafes, - CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) { + CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); goto err; } @@ -763,7 +755,7 @@ PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, return p12; } -PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) { +PKCS12 *d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) { size_t used = 0; BUF_MEM *buf; const uint8_t *dummy; @@ -800,13 +792,12 @@ PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) { continue; } - if (buf->length > kMaxSize || - BUF_MEM_grow(buf, buf->length * 2) == 0) { + if (buf->length > kMaxSize || BUF_MEM_grow(buf, buf->length * 2) == 0) { goto out; } } - dummy = (uint8_t*) buf->data; + dummy = (uint8_t *)buf->data; ret = d2i_PKCS12(out_p12, &dummy, used); out: @@ -814,7 +805,7 @@ PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) { return ret; } -PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) { +PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) { BIO *bio; PKCS12 *ret; @@ -967,8 +958,7 @@ static int add_bag_attributes(CBB *bag, const char *name, size_t name_len, CBS_init(&name_cbs, (const uint8_t *)name, name_len); while (CBS_len(&name_cbs) != 0) { uint32_t c; - if (!cbs_get_utf8(&name_cbs, &c) || - !cbb_add_ucs2_be(&value, c)) { + if (!cbs_get_utf8(&name_cbs, &c) || !cbb_add_ucs2_be(&value, c)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS); return 0; } 
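Review bot: `dummy = (uint8_t *)buf->data;` in d2i_PKCS12_bio casts to a non-const pointer although `dummy` is declared `const uint8_t *` in the preceding hunk of the same function, so the cast discards a qualifier it immediately re-adds on assignment. `dummy = (const uint8_t *)buf->data;` states the intent that the buffer is only read by d2i_PKCS12 and keeps const-correctness without changing behaviour. The start of d2i_PKCS12_bio's body lies between the two hunks, outside what is shown here.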
@@ -985,14 +975,13 @@ static int add_bag_attributes(CBB *bag, const char *name, size_t name_len, return 0; } } - return CBB_flush_asn1_set_of(&attrs) && - CBB_flush(bag); + return CBB_flush_asn1_set_of(&attrs) && CBB_flush(bag); } static int add_cert_bag(CBB *cbb, X509 *cert, const char *name, const uint8_t *key_id, size_t key_id_len) { CBB bag, bag_oid, bag_contents, cert_bag, cert_type, wrapped_cert, cert_value; - if (// See https://tools.ietf.org/html/rfc7292#section-4.2. + if ( // See https://tools.ietf.org/html/rfc7292#section-4.2. !CBB_add_asn1(cbb, &bag, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&bag, &bag_oid, CBS_ASN1_OBJECT) || !CBB_add_bytes(&bag_oid, kCertBag, sizeof(kCertBag)) || @@ -1023,8 +1012,7 @@ static int add_cert_bag(CBB *cbb, X509 *cert, const char *name, name = cert_name; } - if (len < 0 || - !CBB_add_space(&cert_value, &buf, (size_t)len) || + if (len < 0 || !CBB_add_space(&cert_value, &buf, (size_t)len) || i2d_X509(cert, &buf) < 0 || !add_bag_attributes(&bag, name, name_len, key_id, key_id_len) || !CBB_flush(cbb)) { @@ -1066,7 +1054,7 @@ static int add_encrypted_data(CBB *out, int pbe_nid, const char *password, EVP_CIPHER_CTX_init(&ctx); CBB content_info, type, wrapper, encrypted_data, encrypted_content_info, inner_type, encrypted_content; - if (// Add the ContentInfo wrapping. + if ( // Add the ContentInfo wrapping. !CBB_add_asn1(out, &content_info, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&content_info, &type, CBS_ASN1_OBJECT) || !CBB_add_bytes(&type, kPKCS7EncryptedData, sizeof(kPKCS7EncryptedData)) || @@ -1102,8 +1090,7 @@ static int add_encrypted_data(CBB *out, int pbe_nid, const char *password, if (!CBB_reserve(&encrypted_content, &ptr, max_out) || !EVP_CipherUpdate(&ctx, ptr, &n1, in, in_len) || !EVP_CipherFinal_ex(&ctx, ptr + n1, &n2) || - !CBB_did_write(&encrypted_content, n1 + n2) || - !CBB_flush(out)) { + !CBB_did_write(&encrypted_content, n1 + n2) || !CBB_flush(out)) { goto err; } 
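Review bot: `if ( // See https://tools.ietf.org/html/rfc7292#section-4.2.` in add_cert_bag puts the comment between the `if` and its first operand, which is what clang-format does with a comment on the condition's first line, but the result is awkward to read and the same pattern recurs in add_encrypted_data (`if ( // Add the ContentInfo wrapping.`) and twice in PKCS12_create (`if ( // In OpenSSL, this specifies …` and `if ( // Add another data ContentInfo.`). Moving each comment onto the line above its `if` keeps the reference to the spec and lets the condition begin directly with `if (!CBB_add_asn1(cbb, &bag, CBS_ASN1_SEQUENCE) ||`. The bodies of all four conditions extend past the hunks shown.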
@@ -1141,8 +1128,7 @@ static int pkcs12_gen_and_write_mac(CBB *out_pfx, const uint8_t *auth_safe_data, // The iteration count has a DEFAULT of 1, but RFC 7292 says "The default // is for historical reasons and its use is deprecated." Thus we // explicitly encode the iteration count, though it is not valid DER. - !CBB_add_asn1_uint64(&mac_data, mac_iterations) || - !CBB_flush(out_pfx)) { + !CBB_add_asn1_uint64(&mac_data, mac_iterations) || !CBB_flush(out_pfx)) { goto out; } ret = 1; @@ -1154,7 +1140,7 @@ static int pkcs12_gen_and_write_mac(CBB *out_pfx, const uint8_t *auth_safe_data, PKCS12 *PKCS12_create(const char *password, const char *name, const EVP_PKEY *pkey, X509 *cert, - const STACK_OF(X509)* chain, int key_nid, int cert_nid, + const STACK_OF(X509) *chain, int key_nid, int cert_nid, int iterations, int mac_iterations, int key_type) { if (key_nid == 0) { key_nid = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; @@ -1168,8 +1154,8 @@ PKCS12 *PKCS12_create(const char *password, const char *name, if (mac_iterations == 0) { mac_iterations = 1; } - if (// In OpenSSL, this specifies a non-standard Microsoft key usage extension - // which we do not currently support. + if ( // In OpenSSL, this specifies a non-standard Microsoft key usage + // extension which we do not currently support. key_type != 0 || // In OpenSSL, -1 here means to omit the MAC, which we do not // currently support. Omitting it is also invalid for a password-based @@ -1291,7 +1277,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name, if (pkey != NULL) { CBB content_info, oid, wrapper, data, safe_contents, bag, bag_oid, bag_contents; - if (// Add another data ContentInfo. + if ( // Add another data ContentInfo. !CBB_add_asn1(&content_infos, &content_info, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&content_info, &oid, CBS_ASN1_OBJECT) || !CBB_add_bytes(&oid, kPKCS7Data, sizeof(kPKCS7Data)) || 
@@ -1339,8 +1325,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name, // OpenSSL 3.x. const EVP_MD *mac_md = EVP_sha1(); uint8_t mac_salt[PKCS5_SALT_LEN]; - if (!CBB_flush(&auth_safe_data) || - !RAND_bytes(mac_salt, sizeof(mac_salt)) || + if (!CBB_flush(&auth_safe_data) || !RAND_bytes(mac_salt, sizeof(mac_salt)) || !pkcs12_gen_and_write_mac( &pfx, CBB_data(&auth_safe_data), CBB_len(&auth_safe_data), password, password_len, mac_salt, sizeof(mac_salt), mac_iterations, mac_md)) { @@ -1348,8 +1333,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name, } ret = PKCS12_new(); - if (ret == NULL || - !CBB_finish(&cbb, &ret->ber_bytes, &ret->ber_len)) { + if (ret == NULL || !CBB_finish(&cbb, &ret->ber_bytes, &ret->ber_len)) { OPENSSL_free(ret); ret = NULL; goto err; @@ -1360,9 +1344,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name, return ret; } -PKCS12 *PKCS12_new(void) { - return OPENSSL_zalloc(sizeof(PKCS12)); -} +PKCS12 *PKCS12_new(void) { return OPENSSL_zalloc(sizeof(PKCS12)); } void PKCS12_free(PKCS12 *p12) { if (p12 == NULL) { @@ -1469,4 +1451,3 @@ int PKCS12_set_mac(PKCS12 *p12, const char *password, int password_len, OPENSSL_free(mac_salt); return ret; } - diff --git a/crypto/poly1305/poly1305.c b/crypto/poly1305/poly1305.c index a99b009e48..11dfb24160 100644 --- a/crypto/poly1305/poly1305.c +++ b/crypto/poly1305/poly1305.c @@ -20,9 +20,9 @@ #include -#include "internal.h" -#include "../internal.h" #include "../fipsmodule/cpucap/internal.h" +#include "../internal.h" +#include "internal.h" #if !defined(BORINGSSL_HAS_UINT128) || !defined(OPENSSL_X86_64) diff --git a/crypto/poly1305/poly1305_vec.c b/crypto/poly1305/poly1305_vec.c index cf7cfc4565..02b0037cca 100644 --- a/crypto/poly1305/poly1305_vec.c +++ b/crypto/poly1305/poly1305_vec.c 
@@ -32,8 +32,8 @@ typedef __m128i xmmi; static const alignas(16) uint32_t poly1305_x64_sse2_message_mask[4] = { (1 << 26) - 1, 0, (1 << 26) - 1, 0}; static const alignas(16) uint32_t poly1305_x64_sse2_5[4] = {5, 0, 5, 0}; -static const alignas(16) uint32_t poly1305_x64_sse2_1shl128[4] = { - (1 << 24), 0, (1 << 24), 0}; +static const alignas(16) uint32_t poly1305_x64_sse2_1shl128[4] = {(1 << 24), 0, + (1 << 24), 0}; static inline uint128_t add128(uint128_t a, uint128_t b) { return a + b; } @@ -133,7 +133,8 @@ void CRYPTO_poly1305_init(poly1305_state *state, const uint8_t key[32]) { static void poly1305_first_block(poly1305_state_internal *st, const uint8_t *m) { - const xmmi MMASK = _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask); + const xmmi MMASK = + _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask); const xmmi FIVE = _mm_load_si128((const xmmi *)poly1305_x64_sse2_5); const xmmi HIBIT = _mm_load_si128((const xmmi *)poly1305_x64_sse2_1shl128); xmmi T5, T6; @@ -226,7 +227,8 @@ static void poly1305_first_block(poly1305_state_internal *st, static void poly1305_blocks(poly1305_state_internal *st, const uint8_t *m, size_t bytes) { - const xmmi MMASK = _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask); + const xmmi MMASK = + _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask); const xmmi FIVE = _mm_load_si128((const xmmi *)poly1305_x64_sse2_5); const xmmi HIBIT = _mm_load_si128((const xmmi *)poly1305_x64_sse2_1shl128); @@ -416,7 +418,8 @@ static void poly1305_blocks(poly1305_state_internal *st, const uint8_t *m, static size_t poly1305_combine(poly1305_state_internal *st, const uint8_t *m, size_t bytes) { - const xmmi MMASK = _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask); + const xmmi MMASK = + _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask); const xmmi HIBIT = _mm_load_si128((const xmmi *)poly1305_x64_sse2_1shl128); const xmmi FIVE = _mm_load_si128((const xmmi *)poly1305_x64_sse2_5); 
@@ -835,7 +838,7 @@ void CRYPTO_poly1305_finish(poly1305_state *state, uint8_t mac[16]) { c = (h1 >> 44); h1 &= 0xfffffffffff; t1 = (t1 >> 24); - h2 += (t1)+c; + h2 += (t1) + c; CRYPTO_store_u64_le(mac + 0, ((h0) | (h1 << 44))); CRYPTO_store_u64_le(mac + 8, ((h1 >> 20) | (h2 << 24))); diff --git a/crypto/pool/pool.c b/crypto/pool/pool.c index fc048409e4..9439c88c9e 100644 --- a/crypto/pool/pool.c +++ b/crypto/pool/pool.c @@ -41,7 +41,7 @@ static int CRYPTO_BUFFER_cmp(const CRYPTO_BUFFER *a, const CRYPTO_BUFFER *b) { return OPENSSL_memcmp(a->data, b->data, a->len); } -CRYPTO_BUFFER_POOL* CRYPTO_BUFFER_POOL_new(void) { +CRYPTO_BUFFER_POOL *CRYPTO_BUFFER_POOL_new(void) { CRYPTO_BUFFER_POOL *pool = OPENSSL_zalloc(sizeof(CRYPTO_BUFFER_POOL)); if (pool == NULL) { return NULL; @@ -87,7 +87,7 @@ static CRYPTO_BUFFER *crypto_buffer_new(const uint8_t *data, size_t len, CRYPTO_BUFFER_POOL *pool) { if (pool != NULL) { CRYPTO_BUFFER tmp; - tmp.data = (uint8_t *) data; + tmp.data = (uint8_t *)data; tmp.len = len; tmp.pool = pool; @@ -252,9 +252,7 @@ const uint8_t *CRYPTO_BUFFER_data(const CRYPTO_BUFFER *buf) { return buf->data; } -size_t CRYPTO_BUFFER_len(const CRYPTO_BUFFER *buf) { - return buf->len; -} +size_t CRYPTO_BUFFER_len(const CRYPTO_BUFFER *buf) { return buf->len; } void CRYPTO_BUFFER_init_CBS(const CRYPTO_BUFFER *buf, CBS *out) { CBS_init(out, buf->data, buf->len); diff --git a/crypto/pool/pool_test.cc b/crypto/pool/pool_test.cc index a50f50f9fa..bfc45634e5 100644 --- a/crypto/pool/pool_test.cc +++ b/crypto/pool/pool_test.cc @@ -16,8 +16,8 @@ #include -#include "internal.h" #include "../test/test_util.h" +#include "internal.h" #if defined(OPENSSL_THREADS) #include 
@@ -38,7 +38,7 @@ TEST(PoolTest, Unpooled) { bssl::UniquePtr buf2 = bssl::UpRef(buf); bssl::UniquePtr buf_static( - CRYPTO_BUFFER_new_from_static_data_unsafe(kData, sizeof(kData), nullptr)); + CRYPTO_BUFFER_new_from_static_data_unsafe(kData, sizeof(kData), nullptr)); ASSERT_TRUE(buf_static); EXPECT_EQ(kData, CRYPTO_BUFFER_data(buf_static.get())); EXPECT_EQ(sizeof(kData), CRYPTO_BUFFER_len(buf_static.get())); @@ -167,8 +167,8 @@ TEST(PoolTest, Threads) { } // |buf|'s data is still valid. - EXPECT_EQ(Bytes(kData), Bytes(CRYPTO_BUFFER_data(buf.get()), - CRYPTO_BUFFER_len(buf.get()))); + EXPECT_EQ(Bytes(kData), + Bytes(CRYPTO_BUFFER_data(buf.get()), CRYPTO_BUFFER_len(buf.get()))); // Race a thread re-creating the |CRYPTO_BUFFER| with another thread freeing // it. Do this twice with sleeps so ThreadSanitizer can observe two different diff --git a/crypto/rand_extra/entropy_passive.c b/crypto/rand_extra/entropy_passive.c index e1c912496c..542e53a98d 100644 --- a/crypto/rand_extra/entropy_passive.c +++ b/crypto/rand_extra/entropy_passive.c @@ -7,7 +7,6 @@ void RAND_module_entropy_depleted(uint8_t out_entropy[CTR_DRBG_ENTROPY_LEN], int *out_want_additional_input) { - uint8_t entropy[PASSIVE_ENTROPY_LOAD_LENGTH] = {0}; CRYPTO_get_seed_entropy(entropy, out_want_additional_input); RAND_load_entropy(out_entropy, entropy); diff --git a/crypto/rand_extra/forkunsafe.c b/crypto/rand_extra/forkunsafe.c index a3c00e04d1..c5b7f9ce6c 100644 --- a/crypto/rand_extra/forkunsafe.c +++ b/crypto/rand_extra/forkunsafe.c @@ -44,7 +44,5 @@ int rand_fork_unsafe_buffering_enabled(void) { return ret; } #else -int rand_fork_unsafe_buffering_enabled(void) { - return 0; -} +int rand_fork_unsafe_buffering_enabled(void) { return 0; } #endif diff --git a/crypto/rand_extra/getentropy_test.cc b/crypto/rand_extra/getentropy_test.cc index a2d5fd26ec..1af22394a4 100644 --- a/crypto/rand_extra/getentropy_test.cc +++ b/crypto/rand_extra/getentropy_test.cc 
@@ -50,7 +50,8 @@ TEST(GetEntropyTest, NotObviouslyBroken) { EXPECT_NE(Bytes(buf1), Bytes(kZeros)); EXPECT_NE(Bytes(buf2), Bytes(kZeros)); uint8_t buf3[256]; - // Ensure that the implementation is not simply returning the memory unchanged. + // Ensure that the implementation is not simply returning the memory + // unchanged. memcpy(buf3, buf1, sizeof(buf3)); EXPECT_EQ(getentropy(buf1, sizeof(buf1)), 0); EXPECT_NE(Bytes(buf1), Bytes(buf3)); diff --git a/crypto/rand_extra/rand_extra.c b/crypto/rand_extra/rand_extra.c index 65ba63d0b3..3b9200ba69 100644 --- a/crypto/rand_extra/rand_extra.c +++ b/crypto/rand_extra/rand_extra.c 
@@ -28,59 +28,41 @@ int RAND_load_file(const char *path, long num) { if (num < 0) { // read the "whole file" return 1; } else if (num <= INT_MAX) { - return (int) num; + return (int)num; } else { return INT_MAX; } } -int RAND_write_file(const char *file) { - return -1; -} +int RAND_write_file(const char *file) { return -1; } const char *RAND_file_name(char *buf, size_t num) { return NULL; } void RAND_add(const void *buf, int num, double entropy) {} -int RAND_egd(const char *path) { - return 255; -} +int RAND_egd(const char *path) { return 255; } -int RAND_egd_bytes(const char *path, int bytes) { - return bytes; -} +int RAND_egd_bytes(const char *path, int bytes) { return bytes; } -int RAND_poll(void) { - return 1; -} +int RAND_poll(void) { return 1; } -int RAND_status(void) { - return 1; -} +int RAND_status(void) { return 1; } OPENSSL_BEGIN_ALLOW_DEPRECATED static const struct rand_meth_st kSSLeayMethod = { - RAND_seed, - RAND_bytes, - RAND_cleanup, - RAND_add, - RAND_pseudo_bytes, - RAND_status, + RAND_seed, RAND_bytes, RAND_cleanup, + RAND_add, RAND_pseudo_bytes, RAND_status, }; -RAND_METHOD *RAND_SSLeay(void) { - return (RAND_METHOD*) &kSSLeayMethod; -} +RAND_METHOD *RAND_SSLeay(void) { return (RAND_METHOD *)&kSSLeayMethod; } -RAND_METHOD *RAND_OpenSSL(void) { - return RAND_SSLeay(); -} +RAND_METHOD *RAND_OpenSSL(void) { return RAND_SSLeay(); } const RAND_METHOD *RAND_get_rand_method(void) { return RAND_SSLeay(); } OPENSSL_END_ALLOW_DEPRECATED int RAND_set_rand_method(const RAND_METHOD *method) { return 1; } -void RAND_keep_random_devices_open(int a) { } +void RAND_keep_random_devices_open(int a) {} void RAND_cleanup(void) {} diff --git a/crypto/rand_extra/rand_test.cc b/crypto/rand_extra/rand_test.cc index aa48bdc948..71841823fd 100644 --- a/crypto/rand_extra/rand_test.cc +++ b/crypto/rand_extra/rand_test.cc 
@@ -236,20 +236,16 @@ TEST(RandTest, RdrandABI) { TEST(RandTest, PassiveEntropyLoad) { uint8_t out_entropy[CTR_DRBG_ENTROPY_LEN] = {0}; uint8_t entropy[PASSIVE_ENTROPY_LOAD_LENGTH] = { - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, }; uint8_t expected_out_entropy[CTR_DRBG_ENTROPY_LEN] = { - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, }; RAND_load_entropy(out_entropy, entropy); @@ -258,7 +254,6 @@ TEST(RandTest, PassiveEntropyLoad) { } TEST(RandTest, PassiveEntropyDepletedObviouslyNotBroken) { - static const uint8_t kZeros[CTR_DRBG_ENTROPY_LEN] = {0}; uint8_t buf1[CTR_DRBG_ENTROPY_LEN] = {0}; uint8_t buf2[CTR_DRBG_ENTROPY_LEN] = {0}; 
@@ -267,8 +262,10 @@ TEST(RandTest, PassiveEntropyDepletedObviouslyNotBroken) { RAND_module_entropy_depleted(buf1, &out_want_additional_input_false_default); RAND_module_entropy_depleted(buf2, &out_want_additional_input_true_default); - EXPECT_TRUE(out_want_additional_input_false_default == 0 || out_want_additional_input_false_default == 1); - EXPECT_TRUE(out_want_additional_input_true_default == 0 || out_want_additional_input_true_default == 1); + EXPECT_TRUE(out_want_additional_input_false_default == 0 || + out_want_additional_input_false_default == 1); + EXPECT_TRUE(out_want_additional_input_true_default == 0 || + out_want_additional_input_true_default == 1); // |have_rdrand| inlines the cpu capability vector ending up with an undefined // reference because the variable has internal linkage in the shared build. So, @@ -278,8 +275,10 @@ TEST(RandTest, PassiveEntropyDepletedObviouslyNotBroken) { if (have_rdrand()) { want_additional_input_expect = 1; } - EXPECT_EQ(out_want_additional_input_false_default, want_additional_input_expect); - EXPECT_EQ(out_want_additional_input_true_default, want_additional_input_expect); + EXPECT_EQ(out_want_additional_input_false_default, + want_additional_input_expect); + EXPECT_EQ(out_want_additional_input_true_default, + want_additional_input_expect); #endif EXPECT_NE(Bytes(buf1), Bytes(buf2)); diff --git a/crypto/rand_extra/windows.c b/crypto/rand_extra/windows.c index d1cacf1b8c..457046b807 100644 --- a/crypto/rand_extra/windows.c +++ b/crypto/rand_extra/windows.c @@ -57,7 +57,7 @@ void CRYPTO_sysrand(uint8_t *out, size_t requested) { #else // See: https://learn.microsoft.com/en-us/windows/win32/seccng/processprng -typedef BOOL (WINAPI *ProcessPrngFunction)(PBYTE pbData, SIZE_T cbData); +typedef BOOL(WINAPI *ProcessPrngFunction)(PBYTE pbData, SIZE_T cbData); static ProcessPrngFunction g_processprng_fn = NULL; static void init_processprng(void) { 
@@ -65,7 +65,8 @@ static void init_processprng(void) {
 if (hmod == NULL) {
 abort();
 }
- g_processprng_fn = (ProcessPrngFunction)(void(*)(void))GetProcAddress(hmod, "ProcessPrng");
+ g_processprng_fn =
+ (ProcessPrngFunction)(void (*)(void))GetProcAddress(hmod, "ProcessPrng");
 if (g_processprng_fn == NULL) {
 abort();
 }
diff --git a/crypto/refcount_c11.c b/crypto/refcount_c11.c
index 195eec0f59..b2bbc4bb3d 100644
--- a/crypto/refcount_c11.c
+++ b/crypto/refcount_c11.c
@@ -26,16 +26,18 @@
 
 
 // See comment above the typedef of CRYPTO_refcount_t about these tests.
-OPENSSL_STATIC_ASSERT(alignof(CRYPTO_refcount_t) == alignof(_Atomic CRYPTO_refcount_t),
- _Atomic_alters_the_needed_alignment_of_a_reference_count)
-OPENSSL_STATIC_ASSERT(sizeof(CRYPTO_refcount_t) == sizeof(_Atomic CRYPTO_refcount_t),
- _Atomic_alters_the_size_of_a_reference_count)
+OPENSSL_STATIC_ASSERT(alignof(CRYPTO_refcount_t) ==
+ alignof(_Atomic CRYPTO_refcount_t),
+ _Atomic_alters_the_needed_alignment_of_a_reference_count)
+OPENSSL_STATIC_ASSERT(sizeof(CRYPTO_refcount_t) ==
+ sizeof(_Atomic CRYPTO_refcount_t),
+ _Atomic_alters_the_size_of_a_reference_count)
 
 OPENSSL_STATIC_ASSERT((CRYPTO_refcount_t)-1 == CRYPTO_REFCOUNT_MAX,
- CRYPTO_REFCOUNT_MAX_is_incorrect)
+ CRYPTO_REFCOUNT_MAX_is_incorrect)
 
 void CRYPTO_refcount_inc(CRYPTO_refcount_t *in_count) {
- _Atomic CRYPTO_refcount_t *count = (_Atomic CRYPTO_refcount_t *) in_count;
+ _Atomic CRYPTO_refcount_t *count = (_Atomic CRYPTO_refcount_t *)in_count;
 uint32_t expected = atomic_load(count);
 
 while (expected != CRYPTO_REFCOUNT_MAX) {
diff --git a/crypto/refcount_win.c b/crypto/refcount_win.c
index 7ccd48ee97..6ad6efe273 100644
--- a/crypto/refcount_win.c
+++ b/crypto/refcount_win.c
@@ -21,12 +21,12 @@
 
 // See comment above the typedef of CRYPTO_refcount_t about these tests.
 OPENSSL_STATIC_ASSERT(alignof(CRYPTO_refcount_t) == alignof(LONG),
- CRYPTO_refcount_t_does_not_match_LONG_alignment);
+ CRYPTO_refcount_t_does_not_match_LONG_alignment);
 OPENSSL_STATIC_ASSERT(sizeof(CRYPTO_refcount_t) == sizeof(LONG),
- CRYPTO_refcount_t_does_not_match_LONG_size);
+ CRYPTO_refcount_t_does_not_match_LONG_size);
 
 OPENSSL_STATIC_ASSERT((CRYPTO_refcount_t)-1 == CRYPTO_REFCOUNT_MAX,
- CRYPTO_REFCOUNT_MAX_is_incorrect);
+ CRYPTO_REFCOUNT_MAX_is_incorrect);
 
 static uint32_t atomic_load_u32(volatile LONG *ptr) {
 // This is not ideal because it still writes to a cacheline. MSVC is not able
@@ -43,8 +43,10 @@ static uint32_t atomic_load_u32(volatile LONG *ptr) {
 // preferable a global mutex, and eventually this code will be replaced by
 // [2]. Additionally, on clang-cl, we'll use the |OPENSSL_C11_ATOMIC| path.
 //
- // [1] https://learn.microsoft.com/en-us/windows/win32/sync/interlocked-variable-access
- // [2] https://devblogs.microsoft.com/cppblog/c11-atomics-in-visual-studio-2022-version-17-5-preview-2/
+ // [1]
+ // https://learn.microsoft.com/en-us/windows/win32/sync/interlocked-variable-access
+ // [2]
+ // https://devblogs.microsoft.com/cppblog/c11-atomics-in-visual-studio-2022-version-17-5-preview-2/
 return (uint32_t)InterlockedCompareExchange(ptr, 0, 0);
 }
 
diff --git a/crypto/rsa_extra/internal.h b/crypto/rsa_extra/internal.h
index a232902c8c..a2f12081f3 100644
--- a/crypto/rsa_extra/internal.h
+++ b/crypto/rsa_extra/internal.h
@@ -93,4 +93,3 @@ BSSL_NAMESPACE_END
 } // extern C++
 
 #endif
-
diff --git a/crypto/rsa_extra/rsa_asn1.c b/crypto/rsa_extra/rsa_asn1.c
index bb6235f63e..5e4ac233ce 100644
--- a/crypto/rsa_extra/rsa_asn1.c
+++ b/crypto/rsa_extra/rsa_asn1.c
@@ -64,8 +64,8 @@
 #include
 #include
 
-#include "../fipsmodule/rsa/internal.h"
 #include "../bytestring/internal.h"
+#include "../fipsmodule/rsa/internal.h"
 #include "../internal.h"
 
 
@@ -94,8 +94,7 @@ RSA *RSA_parse_public_key(CBS *cbs) {
 }
 CBS child;
 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
- !parse_integer(&child, &ret->n) ||
- !parse_integer(&child, &ret->e) ||
+ !parse_integer(&child, &ret->n) || !parse_integer(&child, &ret->e) ||
 CBS_len(&child) != 0) {
 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
 RSA_free(ret);
@@ -126,8 +125,7 @@ RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len) {
 int RSA_marshal_public_key(CBB *cbb, const RSA *rsa) {
 CBB child;
 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
- !marshal_integer(&child, rsa->n) ||
- !marshal_integer(&child, rsa->e) ||
+ !marshal_integer(&child, rsa->n) || !marshal_integer(&child, rsa->e) ||
 !CBB_flush(cbb)) {
 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
 return 0;
@@ -139,8 +137,7 @@ int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
 const RSA *rsa) {
 CBB cbb;
 CBB_zero(&cbb);
- if (!CBB_init(&cbb, 0) ||
- !RSA_marshal_public_key(&cbb, rsa) ||
+ if (!CBB_init(&cbb, 0) || !RSA_marshal_public_key(&cbb, rsa) ||
 !CBB_finish(&cbb, out_bytes, out_len)) {
 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
 CBB_cleanup(&cbb);
@@ -158,10 +155,9 @@ static const uint64_t kVersionTwoPrime = 0;
 // expects absent values to be NULL. Returns 1 if JCA stripped private key, 0
 // otherwise.
 static void detect_stripped_jca_private_key(RSA *key) {
- if (!BN_is_zero(key->d) && !BN_is_zero(key->n) &&
- BN_is_zero(key->e) && BN_is_zero(key->iqmp) &&
- BN_is_zero(key->p) && BN_is_zero(key->q) &&
- BN_is_zero(key->dmp1) && BN_is_zero(key->dmq1)) {
+ if (!BN_is_zero(key->d) && !BN_is_zero(key->n) && BN_is_zero(key->e) &&
+ BN_is_zero(key->iqmp) && BN_is_zero(key->p) && BN_is_zero(key->q) &&
+ BN_is_zero(key->dmp1) && BN_is_zero(key->dmq1)) {
 BN_free(key->e);
 BN_free(key->p);
 BN_free(key->q);
@@ -197,12 +193,9 @@ RSA *RSA_parse_private_key(CBS *cbs) {
 goto err;
 }
 
- if (!parse_integer(&child, &ret->n) ||
- !parse_integer(&child, &ret->e) ||
- !parse_integer(&child, &ret->d) ||
- !parse_integer(&child, &ret->p) ||
- !parse_integer(&child, &ret->q) ||
- !parse_integer(&child, &ret->dmp1) ||
+ if (!parse_integer(&child, &ret->n) || !parse_integer(&child, &ret->e) ||
+ !parse_integer(&child, &ret->d) || !parse_integer(&child, &ret->p) ||
+ !parse_integer(&child, &ret->q) || !parse_integer(&child, &ret->dmp1) ||
 !parse_integer(&child, &ret->dmq1) ||
 !parse_integer(&child, &ret->iqmp)) {
 goto err;
@@ -243,15 +236,11 @@ int RSA_marshal_private_key(CBB *cbb, const RSA *rsa) {
 CBB child;
 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
 !CBB_add_asn1_uint64(&child, kVersionTwoPrime) ||
- !marshal_integer(&child, rsa->n) ||
- !marshal_integer(&child, rsa->e) ||
- !marshal_integer(&child, rsa->d) ||
- !marshal_integer(&child, rsa->p) ||
- !marshal_integer(&child, rsa->q) ||
- !marshal_integer(&child, rsa->dmp1) ||
+ !marshal_integer(&child, rsa->n) || !marshal_integer(&child, rsa->e) ||
+ !marshal_integer(&child, rsa->d) || !marshal_integer(&child, rsa->p) ||
+ !marshal_integer(&child, rsa->q) || !marshal_integer(&child, rsa->dmp1) ||
 !marshal_integer(&child, rsa->dmq1) ||
- !marshal_integer(&child, rsa->iqmp) ||
- !CBB_flush(cbb)) {
+ !marshal_integer(&child, rsa->iqmp) || !CBB_flush(cbb)) {
 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
 return 0;
 }
@@ -262,8 +251,7 @@ int RSA_private_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
 const RSA *rsa) {
 CBB cbb;
 CBB_zero(&cbb);
- if (!CBB_init(&cbb, 0) ||
- !RSA_marshal_private_key(&cbb, rsa) ||
+ if (!CBB_init(&cbb, 0) || !RSA_marshal_private_key(&cbb, rsa) ||
 !CBB_finish(&cbb, out_bytes, out_len)) {
 OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
 CBB_cleanup(&cbb);
@@ -292,8 +280,7 @@ RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len) {
 
 int i2d_RSAPublicKey(const RSA *in, uint8_t **outp) {
 CBB cbb;
- if (!CBB_init(&cbb, 0) ||
- !RSA_marshal_public_key(&cbb, in)) {
+ if (!CBB_init(&cbb, 0) || !RSA_marshal_public_key(&cbb, in)) {
 CBB_cleanup(&cbb);
 return -1;
 }
@@ -320,8 +307,7 @@ RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len) {
 
 int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp) {
 CBB cbb;
- if (!CBB_init(&cbb, 0) ||
- !RSA_marshal_private_key(&cbb, in)) {
+ if (!CBB_init(&cbb, 0) || !RSA_marshal_private_key(&cbb, in)) {
 CBB_cleanup(&cbb);
 return -1;
 }
diff --git a/crypto/rsa_extra/rsa_crypt.c b/crypto/rsa_extra/rsa_crypt.c
index 62e34f9714..b1f4041d4b 100644
--- a/crypto/rsa_extra/rsa_crypt.c
+++ b/crypto/rsa_extra/rsa_crypt.c
@@ -58,12 +58,12 @@
 
 
 #include
-#include
-#include
 #include
-#include
-#include
+#include
 #include
+#include
+#include
+#include
 
 #include "../fipsmodule/bn/internal.h"
 #include "../fipsmodule/rsa/internal.h"
@@ -385,7 +385,7 @@ int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
 
 int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
 const uint8_t *in, size_t in_len, int padding) {
- if(rsa->meth && rsa->meth->encrypt) {
+ if (rsa->meth && rsa->meth->encrypt) {
 // In OpenSSL, the RSA_METHOD |encrypt| or |pub_enc| operation does not
 // directly take and initialize an |out_len| parameter. Instead, it returns
 // the number of bytes written to |out| or a negative number for error.
@@ -394,7 +394,7 @@ int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
 // paradigm and OpenSSL, we initialize |out_len| based on the return value
 // here.
 int ret = rsa->meth->encrypt((int)max_out, in, out, rsa, padding);
- if(ret < 0) {
+ if (ret < 0) {
 *out_len = 0;
 return 0;
 }
@@ -566,7 +566,7 @@ int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
 // an |out_len| parameter. To remain compatible with this new paradigm and
 // OpenSSL, we initialize |out_len| based on the return value here.
 int ret = rsa->meth->decrypt((int)max_out, in, out, rsa, padding);
- if(ret < 0) {
+ if (ret < 0) {
 *out_len = 0;
 return 0;
 }
diff --git a/crypto/rsa_extra/rsa_print.c b/crypto/rsa_extra/rsa_print.c
index ee4b127871..c7cbead8f3 100644
--- a/crypto/rsa_extra/rsa_print.c
+++ b/crypto/rsa_extra/rsa_print.c
@@ -16,8 +16,7 @@
 
 int RSA_print(BIO *bio, const RSA *rsa, int indent) {
 EVP_PKEY *pkey = EVP_PKEY_new();
- int ret = pkey != NULL &&
- EVP_PKEY_set1_RSA(pkey, (RSA *)rsa) &&
+ int ret = pkey != NULL && EVP_PKEY_set1_RSA(pkey, (RSA *)rsa) &&
 EVP_PKEY_print_private(bio, pkey, indent, NULL);
 EVP_PKEY_free(pkey);
 return ret;
diff --git a/crypto/rsa_extra/rsa_test.cc b/crypto/rsa_extra/rsa_test.cc
index f624fa8750..f6a8154be0 100644
--- a/crypto/rsa_extra/rsa_test.cc
+++ b/crypto/rsa_extra/rsa_test.cc
@@ -61,13 +61,13 @@
 
 
 #include
-#include
 #include
+#include
 #include
 #include
-#include
 #include
 #include
+#include
 #include
 
 #include "../fipsmodule/bn/internal.h"
@@ -605,11 +605,12 @@ TEST(RSATest, Set0Key) {
 ASSERT_TRUE(rsa);
 jcaKey.reset(RSA_new());
 ASSERT_TRUE(jcaKey);
- EXPECT_TRUE(RSA_set0_key(jcaKey.get(), BN_dup(rsa->n), BN_dup(rsa->e), BN_dup(rsa->d)));
- EXPECT_TRUE(RSA_sign(hash_nid, kDummyHash, sizeof(kDummyHash), sig,
- &sig_len, jcaKey.get()));
- EXPECT_TRUE(RSA_verify(hash_nid, kDummyHash, sizeof(kDummyHash), sig,
- sig_len, rsa.get()));
+ EXPECT_TRUE(RSA_set0_key(jcaKey.get(), BN_dup(rsa->n), BN_dup(rsa->e),
+ BN_dup(rsa->d)));
+ EXPECT_TRUE(RSA_sign(hash_nid, kDummyHash, sizeof(kDummyHash), sig, &sig_len,
+ jcaKey.get()));
+ EXPECT_TRUE(RSA_verify(hash_nid, kDummyHash, sizeof(kDummyHash), sig, sig_len,
+ rsa.get()));
 
 // NO |e|, BLINDING => ERR
 rsa.reset(RSA_private_key_from_bytes(kKey1, sizeof(kKey1) - 1));
@@ -618,8 +619,8 @@ TEST(RSATest, Set0Key) {
 ASSERT_TRUE(jcaKey);
 EXPECT_EQ(1, RSA_blinding_on(jcaKey.get(), nullptr));
 EXPECT_TRUE(RSA_set0_key(jcaKey.get(), BN_dup(rsa->n), NULL, BN_dup(rsa->d)));
- EXPECT_FALSE(RSA_sign(hash_nid, kDummyHash, sizeof(kDummyHash), sig,
- &sig_len, jcaKey.get()));
+ EXPECT_FALSE(RSA_sign(hash_nid, kDummyHash, sizeof(kDummyHash), sig, &sig_len,
+ jcaKey.get()));
 uint32_t err = ERR_get_error();
 EXPECT_EQ(ERR_LIB_RSA, ERR_GET_LIB(err));
 EXPECT_EQ(RSA_R_NO_PUBLIC_EXPONENT, ERR_GET_REASON(err));
@@ -634,10 +635,10 @@ TEST(RSATest, Set0Key) {
 EXPECT_EQ(1, RSA_blinding_on(jcaKey.get(), nullptr));
 RSA_blinding_off_temp_for_accp_compatibility(jcaKey.get());
 EXPECT_EQ(0, RSA_blinding_on(jcaKey.get(), nullptr));
- EXPECT_TRUE(RSA_sign(hash_nid, kDummyHash, sizeof(kDummyHash), sig,
- &sig_len, jcaKey.get()));
- EXPECT_TRUE(RSA_verify(hash_nid, kDummyHash, sizeof(kDummyHash), sig,
- sig_len, rsa.get()));
+ EXPECT_TRUE(RSA_sign(hash_nid, kDummyHash, sizeof(kDummyHash), sig, &sig_len,
+ jcaKey.get()));
+ EXPECT_TRUE(RSA_verify(hash_nid, kDummyHash, sizeof(kDummyHash), sig, sig_len,
+ rsa.get()));
 
 // RSA_blinding_on returns 0 for null.
 EXPECT_EQ(0, RSA_blinding_on(nullptr, nullptr));
@@ -682,8 +683,8 @@ TEST(RSATest, ASN1) {
 ERR_clear_error();
 
 // Public keys with negative moduli are invalid.
- rsa.reset(RSA_public_key_from_bytes(kEstonianRSAKey,
- sizeof(kEstonianRSAKey)));
+ rsa.reset(
+ RSA_public_key_from_bytes(kEstonianRSAKey, sizeof(kEstonianRSAKey)));
 EXPECT_FALSE(rsa);
 ERR_clear_error();
 }
@@ -969,29 +970,29 @@ TEST(RSATest, CheckKey) {
 
 static int rsa_priv_enc(int max_out, const uint8_t *from, uint8_t *to, RSA *rsa,
 int padding) {
- RSA_set_ex_data(rsa, 0, (void*)"rsa_priv_enc");
+ RSA_set_ex_data(rsa, 0, (void *)"rsa_priv_enc");
 return 0;
 }
 
 static int rsa_priv_dec(int max_out, const uint8_t *from, uint8_t *to, RSA *rsa,
 int padding) {
- RSA_set_ex_data(rsa, 0, (void*)"rsa_priv_dec");
+ RSA_set_ex_data(rsa, 0, (void *)"rsa_priv_dec");
 return 0;
 }
 
 static int rsa_pub_enc(int max_out, const uint8_t *from, uint8_t *to, RSA *rsa,
- int padding) {
- RSA_set_ex_data(rsa, 0, (void*)"rsa_pub_enc");
+ int padding) {
+ RSA_set_ex_data(rsa, 0, (void *)"rsa_pub_enc");
 return 0;
 }
 
 static int rsa_pub_dec(int max_out, const uint8_t *from, uint8_t *to, RSA *rsa,
- int padding) {
- RSA_set_ex_data(rsa, 0, (void*)"rsa_pub_dec");
+ int padding) {
+ RSA_set_ex_data(rsa, 0, (void *)"rsa_pub_dec");
 return 0;
 }
 
-static int extkey_rsa_finish (RSA *rsa) {
+static int extkey_rsa_finish(RSA *rsa) {
 const RSA_METHOD *meth = RSA_get_method(rsa);
 RSA_meth_free((RSA_METHOD *)meth);
 return 1;
@@ -1021,7 +1022,7 @@ TEST(RSATest, RSAMETHOD) {
 
 ASSERT_TRUE(RSA_meth_set0_app_data(rsa_meth, nullptr));
 ASSERT_TRUE(rsa_meth->decrypt && rsa_meth->encrypt && rsa_meth->sign_raw &&
- rsa_meth->verify_raw);
+ rsa_meth->verify_raw);
 
 // rsa_meth will now be freed with key when rsa_meth->finish is called
 // in RSA_free
@@ -1032,7 +1033,8 @@ TEST(RSATest, RSAMETHOD) {
 ASSERT_TRUE(rsa_key.get());
 // key will now be freed with rsa_key
 EVP_PKEY_assign_RSA(rsa_key.get(), key);
- bssl::UniquePtr rsa_key_ctx(EVP_PKEY_CTX_new(rsa_key.get(), NULL));
+ bssl::UniquePtr rsa_key_ctx(
+ EVP_PKEY_CTX_new(rsa_key.get(), NULL));
 ASSERT_TRUE(rsa_key_ctx.get());
 
 // Encrypt Decrypt Operations (pub_enc & priv_dec)
@@ -1042,8 +1044,8 @@ TEST(RSATest, RSAMETHOD) {
 ASSERT_TRUE(EVP_PKEY_encrypt(rsa_key_ctx.get(), &out, &out_len, &in, 0));
 // Custom func return 0 since they don't write any data to out
 ASSERT_EQ(out_len, (size_t)0);
- ASSERT_STREQ(static_cast(RSA_get_ex_data(key, 0))
- , "rsa_pub_enc");
+ ASSERT_STREQ(static_cast(RSA_get_ex_data(key, 0)),
+ "rsa_pub_enc");
 
 // Update before passing into next operation
 out_len = EVP_PKEY_size(rsa_key.get());
@@ -1051,18 +1053,18 @@ TEST(RSATest, RSAMETHOD) {
 ASSERT_TRUE(EVP_PKEY_decrypt(rsa_key_ctx.get(), &out, &out_len, &in, 0));
 // Custom func return 0 since they don't write any data to out
 ASSERT_EQ(out_len, (size_t)0);
- ASSERT_STREQ(static_cast(RSA_get_ex_data(key, 0))
- , "rsa_priv_dec");
+ ASSERT_STREQ(static_cast(RSA_get_ex_data(key, 0)),
+ "rsa_priv_dec");
 
 // Update before passing into next operation
 out_len = EVP_PKEY_size(rsa_key.get());
 ASSERT_TRUE(EVP_PKEY_verify_recover_init(rsa_key_ctx.get()));
- ASSERT_TRUE(EVP_PKEY_verify_recover(rsa_key_ctx.get(), &out, &out_len,
- nullptr, 0));
+ ASSERT_TRUE(
+ EVP_PKEY_verify_recover(rsa_key_ctx.get(), &out, &out_len, nullptr, 0));
 // Custom func return 0 since they don't write any data to out
 ASSERT_EQ(out_len, (size_t)0);
- ASSERT_STREQ(static_cast(RSA_get_ex_data(key, 0))
- , "rsa_pub_dec");
+ ASSERT_STREQ(static_cast(RSA_get_ex_data(key, 0)),
+ "rsa_pub_dec");
 
 // Update before passing into next operation
 out_len = EVP_PKEY_size(rsa_key.get());
@@ -1070,8 +1072,8 @@ TEST(RSATest, RSAMETHOD) {
 ASSERT_TRUE(RSA_sign_raw(key, &out_len, &out, 0, nullptr, 0, 0));
 // Custom func return 0 since they don't write any data to out
 ASSERT_EQ(out_len, (size_t)0);
- ASSERT_STREQ(static_cast(RSA_get_ex_data(key, 0))
- , "rsa_priv_enc");
+ ASSERT_STREQ(static_cast(RSA_get_ex_data(key, 0)),
+ "rsa_priv_enc");
 }
 
 TEST(RSATest, RSAEngine) {
@@ -1094,8 +1096,8 @@ TEST(RSATest, RSAEngine) {
 // Call custom Engine implementation
 ASSERT_TRUE(RSA_decrypt(key, &out_len, &out, out_len, &in, 0, 0));
 ASSERT_EQ(out_len, (size_t)0);
- ASSERT_STREQ(static_cast(RSA_get_ex_data(key, 0))
- , "rsa_priv_dec");
+ ASSERT_STREQ(static_cast(RSA_get_ex_data(key, 0)),
+ "rsa_priv_dec");
 
 RSA_free(key);
 ENGINE_free(engine);
@@ -1111,9 +1113,9 @@ TEST(RSATest, KeygenFail) {
 // Cause RSA key generation after a prime has been generated, to test that
 // |rsa| is left alone.
 BN_GENCB cb;
- BN_GENCB_set(&cb,
- [](int event, int, BN_GENCB *) -> int { return event != 3; },
- nullptr);
+ BN_GENCB_set(
+ &cb, [](int event, int, BN_GENCB *) -> int { return event != 3; },
+ nullptr);
 
 bssl::UniquePtr e(BN_new());
 ASSERT_TRUE(e);
@@ -1172,17 +1174,18 @@ TEST(RSATest, KeygenFailOnce) {
 // Cause only the first iteration of RSA key generation to fail.
 bool failed = false;
 BN_GENCB cb;
- BN_GENCB_set(&cb,
- [](int event, int n, BN_GENCB *cb_ptr) -> int {
- bool *failed_ptr = static_cast(cb_ptr->arg);
- if (*failed_ptr) {
- ADD_FAILURE() << "Callback called multiple times.";
- return 1;
- }
- *failed_ptr = true;
- return 0;
- },
- &failed);
+ BN_GENCB_set(
+ &cb,
+ [](int event, int n, BN_GENCB *cb_ptr) -> int {
+ bool *failed_ptr = static_cast(cb_ptr->arg);
+ if (*failed_ptr) {
+ ADD_FAILURE() << "Callback called multiple times.";
+ return 1;
+ }
+ *failed_ptr = true;
+ return 0;
+ },
+ &failed);
 
 // Although key generation internally retries, the external behavior of
 // |BN_GENCB| is preserved.
@@ -1228,20 +1231,21 @@ TEST(RSATest, KeygenInternalRetry) {
 // Simulate one internal attempt at key generation failing.
 bool failed = false;
 BN_GENCB cb;
- BN_GENCB_set(&cb,
- [](int event, int n, BN_GENCB *cb_ptr) -> int {
- bool *failed_ptr = static_cast(cb_ptr->arg);
- if (*failed_ptr) {
- return 1;
- }
- *failed_ptr = true;
- // This test does not test any public API behavior. It is just
- // a hack to exercise the retry codepath and make sure it
- // works.
- OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
- return 0;
- },
- &failed);
+ BN_GENCB_set(
+ &cb,
+ [](int event, int n, BN_GENCB *cb_ptr) -> int {
+ bool *failed_ptr = static_cast(cb_ptr->arg);
+ if (*failed_ptr) {
+ return 1;
+ }
+ *failed_ptr = true;
+ // This test does not test any public API behavior. It is just
+ // a hack to exercise the retry codepath and make sure it
+ // works.
+ OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
+ return 0;
+ },
+ &failed);
 
 // Key generation internally retries on RSA_R_TOO_MANY_ITERATIONS.
 bssl::UniquePtr e(BN_new());
@@ -1257,15 +1261,15 @@ TEST(RSATest, OldCallback) {
 
 int old_callback_call_count = 0;
 void (*old_style_callback)(int, int, void *) = [](int event, int n,
- void *ptr) -> void {
+ void *ptr) -> void {
 BN_GENCB *cb_ptr = static_cast(ptr);
 int *count_ptr = static_cast(cb_ptr->arg);
 *count_ptr += 1;
 };
 
 int new_callback_call_count = 0;
- int (*new_style_callback)(int, int, BN_GENCB *cb_ptr) = [](int event, int n,
- BN_GENCB *cb_ptr) -> int {
+ int (*new_style_callback)(int, int, BN_GENCB *cb_ptr) =
+ [](int event, int n, BN_GENCB *cb_ptr) -> int {
 int *count_ptr = static_cast(cb_ptr->arg);
 *count_ptr += 1;
 return 1;
@@ -1312,8 +1316,8 @@ TEST(RSATest, OverwriteKey) {
 ciphertext.resize(len);
 
 std::vector plaintext(RSA_size(key1.get()));
- ASSERT_TRUE(RSA_decrypt(key1.get(), &len, plaintext.data(),
- plaintext.size(), ciphertext.data(), ciphertext.size(),
+ ASSERT_TRUE(RSA_decrypt(key1.get(), &len, plaintext.data(), plaintext.size(),
+ ciphertext.data(), ciphertext.size(),
 RSA_PKCS1_OAEP_PADDING));
 plaintext.resize(len);
 EXPECT_EQ(Bytes(plaintext), Bytes(kPlaintext, kPlaintextLen));
@@ -1349,15 +1353,14 @@ TEST(RSATest, OverwriteKey) {
 
 auto check_rsa_compatible = [&](RSA *enc, RSA *dec) {
 ciphertext.resize(RSA_size(enc));
- ASSERT_TRUE(RSA_encrypt(enc, &len, ciphertext.data(),
- ciphertext.size(), kPlaintext, kPlaintextLen,
- RSA_PKCS1_OAEP_PADDING));
+ ASSERT_TRUE(RSA_encrypt(enc, &len, ciphertext.data(), ciphertext.size(),
+ kPlaintext, kPlaintextLen, RSA_PKCS1_OAEP_PADDING));
 ciphertext.resize(len);
 
 plaintext.resize(RSA_size(dec));
- ASSERT_TRUE(RSA_decrypt(dec, &len, plaintext.data(),
- plaintext.size(), ciphertext.data(),
- ciphertext.size(), RSA_PKCS1_OAEP_PADDING));
+ ASSERT_TRUE(RSA_decrypt(dec, &len, plaintext.data(), plaintext.size(),
+ ciphertext.data(), ciphertext.size(),
+ RSA_PKCS1_OAEP_PADDING));
 plaintext.resize(len);
 EXPECT_EQ(Bytes(plaintext), Bytes(kPlaintext, kPlaintextLen));
 };
@@ -1395,7 +1398,8 @@ TEST(RSATest, PrintBio) {
 size_t len;
 BIO_mem_contents(bio.get(), &data, &len);
 
- const char *expected = ""
+ const char *expected =
+ ""
 " Private-Key: (512 bit)\n"
 " modulus:\n"
 " 00:aa:36:ab:ce:88:ac:fd:ff:55:52:3c:7f:c4:52:\n"
@@ -1718,10 +1722,10 @@ TEST(RSATest, DISABLED_BlindingCacheConcurrency) {
 constexpr size_t kSignaturesPerThread = 100;
 constexpr size_t kNumThreads = 2048;
 #endif
- // On some platforms, the number of threads should be reduced because resources are limited.
- // e.g. Travis CI MacOS has 2 cores and 4 GB memories.
+ // On some platforms, the number of threads should be reduced because
+ // resources are limited. e.g. Travis CI MacOS has 2 cores and 4 GB memories.
 size_t numOfThreads = kNumThreads;
- const char* rsaThreadsLimit = getenv("RSA_TEST_THREADS_LIMIT");
+ const char *rsaThreadsLimit = getenv("RSA_TEST_THREADS_LIMIT");
 if (rsaThreadsLimit != nullptr) {
 numOfThreads = std::stoul(std::string(rsaThreadsLimit), nullptr);
 }
diff --git a/crypto/rsa_extra/rsassa_pss_asn1.c b/crypto/rsa_extra/rsassa_pss_asn1.c
index 583e9117d2..6569df4d6b 100644
--- a/crypto/rsa_extra/rsassa_pss_asn1.c
+++ b/crypto/rsa_extra/rsassa_pss_asn1.c
@@ -96,7 +96,8 @@ static int parse_oid(CBS *oid,
 
 // For One-way Hash Functions:
 // All implementations MUST accept both NULL and absent parameters as legal and
-// equivalent encodings. See 2.1. https://tools.ietf.org/html/rfc4055#section-2.1
+// equivalent encodings. See 2.1.
+// https://tools.ietf.org/html/rfc4055#section-2.1
 static int is_absent_or_null(CBS *params) {
 CBS null;
 return (CBS_len(params) == 0) ||
@@ -108,10 +109,8 @@ static int is_absent_or_null(CBS *params) {
 // See 2.1. https://tools.ietf.org/html/rfc4055#page-5
 static int decode_one_way_hash(CBS *cbs, RSA_ALGOR_IDENTIFIER **hash_algor) {
 CBS seq, oid;
- if (CBS_get_asn1(cbs, &seq, CBS_ASN1_SEQUENCE) &&
- (CBS_len(cbs) == 0) &&
- CBS_get_asn1(&seq, &oid, CBS_ASN1_OBJECT) &&
- is_absent_or_null(&seq) &&
+ if (CBS_get_asn1(cbs, &seq, CBS_ASN1_SEQUENCE) && (CBS_len(cbs) == 0) &&
+ CBS_get_asn1(&seq, &oid, CBS_ASN1_OBJECT) && is_absent_or_null(&seq) &&
 parse_oid(&oid, rsa_pss_hash_functions,
 OPENSSL_ARRAY_SIZE(rsa_pss_hash_functions), hash_algor)) {
 return 1;
@@ -126,8 +125,7 @@ static int decode_mask_gen(CBS *cbs, RSA_MGA_IDENTIFIER **mga) {
 CBS seq, mgf1_oid, hash_seq, hash_oid;
 RSA_ALGOR_IDENTIFIER *mgf1 = NULL;
 RSA_ALGOR_IDENTIFIER *hash_algor = NULL;
- if (CBS_get_asn1(cbs, &seq, CBS_ASN1_SEQUENCE) &&
- (CBS_len(cbs) == 0) &&
+ if (CBS_get_asn1(cbs, &seq, CBS_ASN1_SEQUENCE) && (CBS_len(cbs) == 0) &&
 CBS_get_asn1(&seq, &mgf1_oid, CBS_ASN1_OBJECT) &&
 parse_oid(&mgf1_oid, rsa_pss_mg_functions,
 OPENSSL_ARRAY_SIZE(rsa_pss_mg_functions), &mgf1) &&
@@ -155,7 +153,8 @@ static int decode_mask_gen(CBS *cbs, RSA_MGA_IDENTIFIER **mga) {
 // When the tag value does not exist, |seq| gets recovered.
 // It returns one when the element exists.
 static int get_context_specific_value(CBS *seq, CBS *out, int index) {
- unsigned int tag_value = CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | index;
+ unsigned int tag_value =
+ CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | index;
 CBS seq_cp = {seq->data, seq->len};
 if (CBS_get_asn1(seq, out, tag_value)) {
 return 1;
@@ -184,7 +183,8 @@ static int decode_pss_hash(CBS *seq, RSA_ALGOR_IDENTIFIER **hash_algor) {
 static int decode_pss_mask_gen(CBS *seq, RSA_MGA_IDENTIFIER **mga) {
 CBS cs;
 if (!get_context_specific_value(seq, &cs, TAG_VALUE_INDEX_1)) {
- // MaskGenAlgorithm field can be absent, which means default(mgf1) is encoded.
+ // MaskGenAlgorithm field can be absent, which means default(mgf1) is
+ // encoded.
 return 1;
 }
 return decode_mask_gen(&cs, mga);
@@ -263,13 +263,11 @@ int RSASSA_PSS_parse_params(CBS *params, RSASSA_PSS_PARAMS **pss_params) {
 RSA_INTEGER *salt_len = NULL;
 RSA_INTEGER *trailer_field = NULL;
 CBS seq;
- if (CBS_get_asn1(params, &seq, CBS_ASN1_SEQUENCE) &&
- (CBS_len(params) == 0) &&
+ if (CBS_get_asn1(params, &seq, CBS_ASN1_SEQUENCE) && (CBS_len(params) == 0) &&
 decode_pss_hash(&seq, &hash_algor) &&
 decode_pss_mask_gen(&seq, &mask_gen_algor) &&
 decode_pss_salt_len(&seq, &salt_len) &&
- decode_pss_trailer_field(&seq, &trailer_field) &&
- (CBS_len(&seq) == 0)) {
+ decode_pss_trailer_field(&seq, &trailer_field) && (CBS_len(&seq) == 0)) {
 *pss_params = RSASSA_PSS_PARAMS_new();
 if ((*pss_params) != NULL) {
 (*pss_params)->hash_algor = hash_algor;
@@ -341,9 +339,7 @@ RSASSA_PSS_PARAMS *RSASSA_PSS_PARAMS_new(void) {
 return ret;
 }
 
-void RSA_INTEGER_free(RSA_INTEGER *ptr) {
- OPENSSL_free(ptr);
-}
+void RSA_INTEGER_free(RSA_INTEGER *ptr) { OPENSSL_free(ptr); }
 
 void RSA_ALGOR_IDENTIFIER_free(RSA_ALGOR_IDENTIFIER *algor) {
 OPENSSL_free(algor);
@@ -472,7 +468,7 @@ static int hash_algor_to_EVP_MD(RSA_ALGOR_IDENTIFIER *hash_algor,
 }
 
 int RSASSA_PSS_PARAMS_get(const RSASSA_PSS_PARAMS *pss, const EVP_MD **md,
- const EVP_MD **mgf1md, int *saltlen) {
+ const EVP_MD **mgf1md, int *saltlen) {
 if (pss == NULL || md == NULL || mgf1md == NULL || saltlen == NULL) {
 return 0;
 }
diff --git a/crypto/rsa_extra/rsassa_pss_asn1_test.cc b/crypto/rsa_extra/rsassa_pss_asn1_test.cc
index 193ca4c07e..dabe151c75 100644
--- a/crypto/rsa_extra/rsassa_pss_asn1_test.cc
+++ b/crypto/rsa_extra/rsassa_pss_asn1_test.cc
@@ -94,7 +94,8 @@ static const uint8_t pss_sha256_salt_30[] = {
 // Java uses NULL to encode parameters of Hash func.
 // ```JDK11
 // Signature signatureSHA256Java = Signature.getInstance("RSASSA-PSS")
-// PSSParameterSpec pssParameterSpec = new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 0, 1);
+// PSSParameterSpec pssParameterSpec = new PSSParameterSpec("SHA-256", "MGF1",
+// MGF1ParameterSpec.SHA256, 0, 1);
 // signatureSHA256Java.setParameter(pssParameterSpec);
 // byte[] bytes = signatureSHA256Java.getParameters().getEncoded();
 // ```
@@ -212,8 +213,8 @@ static const uint8_t jdk_pss_sha256_mgf1_sha1[] = {
 // Mask Algorithm: mgf1 with sha1 (absent)
 // Minimum Salt Length: 0x1e (30)
 // Trailer Field: 0x01 (absent)
-static const uint8_t jdk_pss_sha1_mgf1_sha1_salt_30[] = {
- 0x30, 0x05, 0xA2, 0x03, 0x02, 0x01, 0x1E};
+static const uint8_t jdk_pss_sha1_mgf1_sha1_salt_30[] = {0x30, 0x05, 0xA2, 0x03,
+ 0x02, 0x01, 0x1E};
 
 // These bytes are manually created for test purpose.
 // pss_with_trailer_field_1 is a DER-encoded RSASSA-PSS-params:
@@ -221,8 +222,8 @@ static const uint8_t jdk_pss_sha1_mgf1_sha1_salt_30[] = {
 // Mask Algorithm: mgf1 with sha1 (absent)
 // Minimum Salt Length: 0x14 (absent)
 // Trailer Field: 0x01 (default, not absent)
-static const uint8_t pss_with_trailer_field_1[] = {
- 0x30, 0x05, 0xA3, 0x03, 0x02, 0x01, 0x01};
+static const uint8_t pss_with_trailer_field_1[] = {0x30, 0x05, 0xA3, 0x03,
+ 0x02, 0x01, 0x01};
 
 // Invalid test inputs:
 
@@ -259,12 +260,11 @@ static const uint8_t pss_with_tag2_before_tag0[] = {
 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
 0x05, 0x00, 0xA1, 0x1C, 0x30, 0x1A, 0x06, 0x09, 0x2A, 0x86, 0x48,
 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x08, 0x30, 0x0D, 0x06, 0x09, 0x60,
- 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00
-};
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00};
 
 // pss_with_tag4 has tag [4].
-static const uint8_t pss_with_tag4[] = {
- 0x30, 0x05, 0xA4, 0x03, 0x02, 0x01, 0x1E};
+static const uint8_t pss_with_tag4[] = {0x30, 0x05, 0xA4, 0x03,
+ 0x02, 0x01, 0x1E};
 
 // pss_with_double_salt_30 has two tag[2].
 static const uint8_t pss_with_double_salt_30[] = {
@@ -280,23 +280,25 @@ static const uint8_t pss_with_sequence_length_too_short[] = {
 static const uint8_t pss_with_sequence_length_too_long[] = {
 0x30, 0x06, 0xA2, 0x03, 0x02, 0x01, 0x1E};
 
-// pss_with_tag2_length_too_short should use 0x03 as tag2 length instead of 0x02.
-// This invalid bytes are modified from jdk_pss_sha1_mgf1_sha1_salt_30.
-static const uint8_t pss_with_tag2_length_too_short[] = {
- 0x30, 0x05, 0xA2, 0x02, 0x02, 0x01, 0x1E};
+// pss_with_tag2_length_too_short should use 0x03 as tag2 length instead of
+// 0x02. This invalid bytes are modified from jdk_pss_sha1_mgf1_sha1_salt_30.
+static const uint8_t pss_with_tag2_length_too_short[] = {0x30, 0x05, 0xA2, 0x02,
+ 0x02, 0x01, 0x1E};
 
 // pss_with_tag2_length_too_long should use 0x03 as tag2 length instead of 0x04.
 // This invalid bytes are modified from jdk_pss_sha1_mgf1_sha1_salt_30.
-static const uint8_t pss_with_tag2_length_too_long[] = {
- 0x30, 0x05, 0xA2, 0x04, 0x02, 0x01, 0x1E};
+static const uint8_t pss_with_tag2_length_too_long[] = {0x30, 0x05, 0xA2, 0x04,
+ 0x02, 0x01, 0x1E};
 
-// pss_with_negative_salt_length is modified from jdk_pss_sha1_mgf1_sha1_salt_30.
-static const uint8_t pss_with_negative_salt_length[] = {
- 0x30, 0x05, 0xA2, 0x03, 0x02, 0x01, 0xFF};
+// pss_with_negative_salt_length is modified from
+// jdk_pss_sha1_mgf1_sha1_salt_30.
+static const uint8_t pss_with_negative_salt_length[] = {0x30, 0x05, 0xA2, 0x03,
+ 0x02, 0x01, 0xFF};
 
-// pss_with_negative_salt_length is modified from jdk_pss_sha1_mgf1_sha1_salt_30.
-static const uint8_t pss_with_trailer_field_not_1[] = {
- 0x30, 0x05, 0xA3, 0x03, 0x02, 0x01, 0x02};
+// pss_with_negative_salt_length is modified from
+// jdk_pss_sha1_mgf1_sha1_salt_30.
+static const uint8_t pss_with_trailer_field_not_1[] = {0x30, 0x05, 0xA3, 0x03,
+ 0x02, 0x01, 0x02};
 
 static const int omit_salt_len = -1;
 
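Review bot: The rewrapped comment above `pss_with_trailer_field_not_1` still reads `// pss_with_negative_salt_length is modified from` / `// jdk_pss_sha1_mgf1_sha1_salt_30.`, a copy-paste leftover that now names the wrong array on the new side; the first line should be `// pss_with_trailer_field_not_1 is modified from`. Since the comments in this hunk are being rewrapped anyway, the phrase `This invalid bytes are`, which appears twice here, should read `These invalid bytes are`. Neither fix changes any test data.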
@@ -340,8 +342,8 @@ struct PssParseTestInput {
 NID_mgf1, NID_sha256, omit_salt_len},
 {jdk_pss_sha256_mgf1_sha1, sizeof(jdk_pss_sha256_mgf1_sha1), NID_sha256,
 NID_undef, NID_undef, omit_salt_len},
- {jdk_pss_sha1_mgf1_sha1_salt_30, sizeof(jdk_pss_sha1_mgf1_sha1_salt_30), NID_undef,
- NID_undef, NID_undef, 30},
+ {jdk_pss_sha1_mgf1_sha1_salt_30, sizeof(jdk_pss_sha1_mgf1_sha1_salt_30),
+ NID_undef, NID_undef, NID_undef, 30},
 };
 
 class PssParseTest : public testing::TestWithParam {};
@@ -409,8 +411,10 @@ struct InvalidPssParseInput {
 {pss_with_tag2_before_tag0, sizeof(pss_with_tag2_before_tag0)},
 {pss_with_tag4, sizeof(pss_with_tag4)},
 {pss_with_double_salt_30, sizeof(pss_with_double_salt_30)},
- {pss_with_sequence_length_too_short, sizeof(pss_with_sequence_length_too_short)},
- {pss_with_sequence_length_too_long, sizeof(pss_with_sequence_length_too_long)},
+ {pss_with_sequence_length_too_short,
+ sizeof(pss_with_sequence_length_too_short)},
+ {pss_with_sequence_length_too_long,
+ sizeof(pss_with_sequence_length_too_long)},
 {pss_with_tag2_length_too_short, sizeof(pss_with_tag2_length_too_short)},
 {pss_with_tag2_length_too_long, sizeof(pss_with_tag2_length_too_long)},
 {pss_with_negative_salt_length, sizeof(pss_with_negative_salt_length)},
@@ -461,7 +465,8 @@ static void test_RSASSA_PSS_PARAMS_get(RSASSA_PSS_PARAMS *pss,
 EXPECT_EQ(saltlen, expect_saltlen);
 }
 
-class PssConversionTest : public testing::TestWithParam {};
+class PssConversionTest
+ : public testing::TestWithParam {};
 
 // This test is to check the conversion between |RSASSA_PSS_PARAMS| and
 // (|*sigmd|, |*mgf1md| and |saltlen|), which are fields of |RSA_PKEY_CTX|.
diff --git a/crypto/rwlock_static_init.cc b/crypto/rwlock_static_init.cc
index 680b2eebe4..0bb7764b01 100644
--- a/crypto/rwlock_static_init.cc
+++ b/crypto/rwlock_static_init.cc
@@ -8,31 +8,31 @@
 
 
 #include
+#include
 #include
+#include
 #include
 #include
-#include
-#include
 
 static void thread_task_rand(bool *myFlag) {
 uint8_t buf[16];
- if(1 == RAND_bytes(buf, sizeof(buf))) {
+ if (1 == RAND_bytes(buf, sizeof(buf))) {
 *myFlag = true;
 }
 }
 
-int main(int _argc, char** _argv) {
+int main(int _argc, char **_argv) {
 constexpr size_t kNumThreads = 16;
 bool myFlags[kNumThreads] = {};
 std::thread myThreads[kNumThreads];
 for (size_t i = 0; i < kNumThreads; i++) {
- bool* myFlag = &myFlags[i];
+ bool *myFlag = &myFlags[i];
 myThreads[i] = std::thread(thread_task_rand, myFlag);
 }
 
 for (size_t i = 0; i < kNumThreads; i++) {
 myThreads[i].join();
- if(!myFlags[i]) {
+ if (!myFlags[i]) {
 std::cerr << "Thread " << i << " failed." << std::endl;
 exit(1);
 return 1;
diff --git a/crypto/spake25519/spake25519.c b/crypto/spake25519/spake25519.c
index 0a256b09f5..6da8a4d9b5 100644
--- a/crypto/spake25519/spake25519.c
+++ b/crypto/spake25519/spake25519.c
@@ -32,13 +32,17 @@
 // points used in the SPAKE2 protocol.
 //
 // N:
-// x: 49918732221787544735331783592030787422991506689877079631459872391322455579424
-// y: 54629554431565467720832445949441049581317094546788069926228343916274969994000
+// x:
+// 49918732221787544735331783592030787422991506689877079631459872391322455579424
+// y:
+// 54629554431565467720832445949441049581317094546788069926228343916274969994000
 // encoded: 10e3df0ae37d8e7a99b5fe74b44672103dbddcbd06af680d71329a11693bc778
 //
 // M:
-// x: 31406539342727633121250288103050113562375374900226415211311216773867585644232
-// y: 21177308356423958466833845032658859666296341766942662650232962324899758529114
+// x:
+// 31406539342727633121250288103050113562375374900226415211311216773867585644232
+// y:
+// 21177308356423958466833845032658859666296341766942662650232962324899758529114
 // encoded: 5ada7e4bf6ddd9adb6626d32131c6b5c51a1e347a3478f53cfcf441b88eed12e
 //
 // These points and their precomputation tables are generated with the
@@ -270,9 +274,9 @@ static const uint8_t kSpakeMSmallPrecomp[15 * 2 * 32] = { 0xa6, 0x76, 0x81, 0x28, 0xb2, 0x65, 0xe8, 0x47, 0x14, 0xc6, 0x39, 0x06, }; -SPAKE2_CTX *SPAKE2_CTX_new(enum spake2_role_t my_role, - const uint8_t *my_name, size_t my_name_len, - const uint8_t *their_name, size_t their_name_len) { +SPAKE2_CTX *SPAKE2_CTX_new(enum spake2_role_t my_role, const uint8_t *my_name, + size_t my_name_len, const uint8_t *their_name, + size_t their_name_len) { SPAKE2_CTX *ctx = OPENSSL_zalloc(sizeof(SPAKE2_CTX)); if (ctx == NULL) { return NULL; @@ -342,8 +346,8 @@ static void scalar_add(scalar *dest, const scalar *src) { } int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, size_t *out_len, - size_t max_out_len, const uint8_t *password, - size_t password_len) { + size_t max_out_len, const uint8_t *password, + size_t password_len) { if (ctx->state != spake2_state_init) { return 0; } @@ -384,8 +388,9 @@ int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, size_t *out_len, // bit and so one for all the bottom three bits. scalar password_scalar; - bn_little_endian_to_words(password_scalar.words, sizeof(password_scalar) / BN_BYTES, - password_tmp, sizeof(password_scalar)); + bn_little_endian_to_words(password_scalar.words, + sizeof(password_scalar) / BN_BYTES, password_tmp, + sizeof(password_scalar)); // |password_scalar| is the result of |x25519_sc_reduce| and thus is, at // most, $l-1$ (where $l$ is |kOrder|, the order of the prime-order subgroup @@ -416,7 +421,8 @@ int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, size_t *out_len, assert((password_scalar.words[0] & 7) == 0); } bn_words_to_little_endian(ctx->password_scalar, sizeof(ctx->password_scalar), - password_scalar.words, sizeof(password_scalar) / BN_BYTES); + password_scalar.words, + sizeof(password_scalar) / BN_BYTES); ge_p3 mask; x25519_ge_scalarmult_small_precomp(&mask, ctx->password_scalar, 
@@ -462,8 +468,7 @@ static void update_with_length_prefix(SHA512_CTX *sha, const uint8_t *data, int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key, size_t *out_key_len, size_t max_out_key_len, const uint8_t *their_msg, size_t their_msg_len) { - if (ctx->state != spake2_state_msg_generated || - their_msg_len != 32) { + if (ctx->state != spake2_state_msg_generated || their_msg_len != 32) { return 0; } @@ -476,9 +481,9 @@ int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key, size_t *out_key_len, // Unmask peer's value. ge_p3 peers_mask; x25519_ge_scalarmult_small_precomp(&peers_mask, ctx->password_scalar, - ctx->my_role == spake2_role_alice - ? kSpakeNSmallPrecomp - : kSpakeMSmallPrecomp); + ctx->my_role == spake2_role_alice + ? kSpakeNSmallPrecomp + : kSpakeMSmallPrecomp); ge_cached peers_mask_cached; x25519_ge_p3_to_cached(&peers_mask_cached, &peers_mask); diff --git a/crypto/spake25519/spake25519_test.cc b/crypto/spake25519/spake25519_test.cc index df20ec8540..cd99a42bda 100644 --- a/crypto/spake25519/spake25519_test.cc +++ b/crypto/spake25519/spake25519_test.cc @@ -71,7 +71,7 @@ struct SPAKE2Run { if (alice_corrupt_msg_bit >= 0 && static_cast(alice_corrupt_msg_bit) < 8 * alice_msg_len) { - alice_msg[alice_corrupt_msg_bit/8] ^= 1 << (alice_corrupt_msg_bit & 7); + alice_msg[alice_corrupt_msg_bit / 8] ^= 1 << (alice_corrupt_msg_bit & 7); } uint8_t alice_key[64], bob_key[64]; @@ -90,9 +90,7 @@ struct SPAKE2Run { return true; } - bool key_matches() const { - return key_matches_; - } + bool key_matches() const { return key_matches_; } std::string alice_password = "password"; std::string bob_password = "password"; diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c index 9d95d3e096..0cac7a7468 100644 --- a/crypto/stack/stack.c +++ b/crypto/stack/stack.c 
@@ -117,7 +117,7 @@ void OPENSSL_sk_zero(OPENSSL_STACK *sk) { if (sk == NULL || sk->num == 0) { return; } - OPENSSL_memset(sk->data, 0, sizeof(void*) * sk->num); + OPENSSL_memset(sk->data, 0, sizeof(void *) * sk->num); sk->num = 0; sk->sorted = 0; } @@ -339,7 +339,7 @@ int OPENSSL_sk_find(const OPENSSL_STACK *sk, size_t *out_index, const void *p, } int OPENSSL_sk_unshift(OPENSSL_STACK *sk, void *data) { - return (int)OPENSSL_sk_insert(sk, data, 0); + return (int)OPENSSL_sk_insert(sk, data, 0); } void *OPENSSL_sk_shift(OPENSSL_STACK *sk) { diff --git a/crypto/stack/stack_test.cc b/crypto/stack/stack_test.cc index 05b7a99cf0..3c5ea02bd4 100644 --- a/crypto/stack/stack_test.cc +++ b/crypto/stack/stack_test.cc @@ -117,7 +117,7 @@ TEST(StackTest, Basic) { EXPECT_EQ(-1, sk_TEST_INT_find(sk.get(), value.get())); EXPECT_TRUE(sk_TEST_INT_find_awslc(sk.get(), &index, raw)); EXPECT_EQ(4UL, index); - EXPECT_EQ((int) index, sk_TEST_INT_find(sk.get(), raw)); + EXPECT_EQ((int)index, sk_TEST_INT_find(sk.get(), raw)); // sk_TEST_INT_insert can also insert values at the end. value = TEST_INT_new(7); @@ -263,7 +263,7 @@ TEST(StackTest, Sorted) { ASSERT_TRUE(three); ASSERT_TRUE(sk_TEST_INT_find_awslc(sk.get(), &index, three.get())); EXPECT_EQ(3, *sk_TEST_INT_value(sk.get(), index)); - EXPECT_EQ((int) index, sk_TEST_INT_find(sk.get(), three.get())); + EXPECT_EQ((int)index, sk_TEST_INT_find(sk.get(), three.get())); sk_TEST_INT_sort(sk.get()); EXPECT_TRUE(sk_TEST_INT_is_sorted(sk.get())); @@ -284,7 +284,7 @@ TEST(StackTest, Sorted) { ASSERT_TRUE(three); ASSERT_TRUE(sk_TEST_INT_find_awslc(sk.get(), &index, three.get())); EXPECT_EQ(3u, index); - EXPECT_EQ((int) index, sk_TEST_INT_find(sk.get(), three.get())); + EXPECT_EQ((int)index, sk_TEST_INT_find(sk.get(), three.get())); // Copies preserve comparison and sorted information. bssl::UniquePtr copy(sk_TEST_INT_deep_copy( 
@@ -297,14 +297,14 @@ TEST(StackTest, Sorted) { EXPECT_TRUE(sk_TEST_INT_is_sorted(copy.get())); ASSERT_TRUE(sk_TEST_INT_find_awslc(copy.get(), &index, three.get())); EXPECT_EQ(3u, index); - EXPECT_EQ((int) index, sk_TEST_INT_find(copy.get(), three.get())); + EXPECT_EQ((int)index, sk_TEST_INT_find(copy.get(), three.get())); ShallowStack copy2(sk_TEST_INT_dup(sk.get())); ASSERT_TRUE(copy2); EXPECT_TRUE(sk_TEST_INT_is_sorted(copy2.get())); ASSERT_TRUE(sk_TEST_INT_find_awslc(copy2.get(), &index, three.get())); EXPECT_EQ(3u, index); - EXPECT_EQ((int) index, sk_TEST_INT_find(copy.get(), three.get())); + EXPECT_EQ((int)index, sk_TEST_INT_find(copy.get(), three.get())); // Removing elements does not affect sortedness. TEST_INT_free(sk_TEST_INT_delete(sk.get(), 0)); @@ -316,13 +316,13 @@ TEST(StackTest, Sorted) { EXPECT_FALSE(sk_TEST_INT_is_sorted(sk.get())); ASSERT_TRUE(sk_TEST_INT_find_awslc(sk.get(), &index, three.get())); EXPECT_EQ(2u, index); - EXPECT_EQ((int) index, sk_TEST_INT_find(sk.get(), three.get())); + EXPECT_EQ((int)index, sk_TEST_INT_find(sk.get(), three.get())); sk_TEST_INT_sort(sk.get()); ExpectStackEquals(sk.get(), {6, 5, 4, 3, 2, 1}); ASSERT_TRUE(sk_TEST_INT_find_awslc(sk.get(), &index, three.get())); EXPECT_EQ(3u, index); - EXPECT_EQ((int) index, sk_TEST_INT_find(sk.get(), three.get())); + EXPECT_EQ((int)index, sk_TEST_INT_find(sk.get(), three.get())); // Inserting a new element invalidates sortedness. auto tmp = TEST_INT_new(10); @@ -331,7 +331,7 @@ TEST(StackTest, Sorted) { EXPECT_FALSE(sk_TEST_INT_is_sorted(sk.get())); ASSERT_TRUE(sk_TEST_INT_find_awslc(sk.get(), &index, ten.get())); EXPECT_EQ(6u, index); - EXPECT_EQ((int) index, sk_TEST_INT_find(sk.get(), ten.get())); + EXPECT_EQ((int)index, sk_TEST_INT_find(sk.get(), ten.get())); } while (std::next_permutation(vec.begin(), vec.end())); } 
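Review bot: In the `copy2` stanza of the -297 hunk the final assertion queries the wrong stack: after `ASSERT_TRUE(sk_TEST_INT_find_awslc(copy2.get(), &index, three.get()));` the new side still reads `EXPECT_EQ((int)index, sk_TEST_INT_find(copy.get(), three.get()));`, so the shallow-dup path of sk_TEST_INT_find is never exercised; it should be `EXPECT_EQ((int)index, sk_TEST_INT_find(copy2.get(), three.get()));`. The defect predates this commit, which only touched the cast spacing, but it is a one-token fix worth a follow-up. The enclosing TEST(StackTest, Sorted) body starts and ends outside the hunk.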
@@ -353,21 +353,21 @@ TEST(StackTest, FindFirst) { size_t index; ASSERT_TRUE(sk_TEST_INT_find_awslc(sk.get(), &index, two)); EXPECT_EQ(1u, index); - EXPECT_EQ((int) index, sk_TEST_INT_find(sk.get(), two)); + EXPECT_EQ((int)index, sk_TEST_INT_find(sk.get(), two)); // Comparator-based equality, unsorted. sk_TEST_INT_set_cmp_func(sk.get(), compare); EXPECT_FALSE(sk_TEST_INT_is_sorted(sk.get())); ASSERT_TRUE(sk_TEST_INT_find_awslc(sk.get(), &index, two)); EXPECT_EQ(1u, index); - EXPECT_EQ((int) index, sk_TEST_INT_find(sk.get(), two)); + EXPECT_EQ((int)index, sk_TEST_INT_find(sk.get(), two)); // Comparator-based equality, sorted. sk_TEST_INT_sort(sk.get()); EXPECT_TRUE(sk_TEST_INT_is_sorted(sk.get())); ASSERT_TRUE(sk_TEST_INT_find_awslc(sk.get(), &index, two)); EXPECT_EQ(1u, index); - EXPECT_EQ((int) index, sk_TEST_INT_find(sk.get(), two)); + EXPECT_EQ((int)index, sk_TEST_INT_find(sk.get(), two)); // Comparator-based equality, sorted and at the front. sk_TEST_INT_set_cmp_func(sk.get(), compare_reverse); @@ -375,7 +375,7 @@ TEST(StackTest, FindFirst) { EXPECT_TRUE(sk_TEST_INT_is_sorted(sk.get())); ASSERT_TRUE(sk_TEST_INT_find_awslc(sk.get(), &index, two)); EXPECT_EQ(0u, index); - EXPECT_EQ((int) index, sk_TEST_INT_find(sk.get(), two)); + EXPECT_EQ((int)index, sk_TEST_INT_find(sk.get(), two)); } // Exhaustively test the binary search. @@ -417,7 +417,7 @@ TEST(StackTest, BinarySearch) { } else { ASSERT_TRUE(found); EXPECT_EQ(i, idx); - EXPECT_EQ((int) idx, sk_TEST_INT_find(sk.get(), key.get())); + EXPECT_EQ((int)idx, sk_TEST_INT_find(sk.get(), key.get())); } } } diff --git a/crypto/test/abi_test.cc b/crypto/test/abi_test.cc index 24cec427db..14c17d6210 100644 --- a/crypto/test/abi_test.cc +++ b/crypto/test/abi_test.cc 
@@ -172,8 +172,7 @@ template WriteFile(stderr_handle, buf, strlen(buf), &unused, nullptr); } #else - OPENSSL_UNUSED ssize_t unused_ret = - write(STDERR_FILENO, buf, strlen(buf)); + OPENSSL_UNUSED ssize_t unused_ret = write(STDERR_FILENO, buf, strlen(buf)); #endif abort(); } @@ -190,7 +189,7 @@ class UnwindStatus { const char *err_; }; -template +template class UnwindStatusOr { public: UnwindStatusOr(UnwindStatus status) : status_(status) { @@ -472,8 +471,8 @@ static void AddUnwindError(UnwindCursor *cursor, Args... args) { g_unwind_errors[g_num_unwind_errors].ip = cursor->starting_ip(); StrCatSignalSafe(g_unwind_errors[g_num_unwind_errors].str, args...); #else - StrCatSignalSafe(g_unwind_errors[g_num_unwind_errors].str, - "unwinding at ", cursor->ToString(), ": ", args...); + StrCatSignalSafe(g_unwind_errors[g_num_unwind_errors].str, "unwinding at ", + cursor->ToString(), ": ", args...); #endif g_num_unwind_errors++; } @@ -587,8 +586,8 @@ static void ReadUnwindResult(Result *out) { symbol.info.Name, displacement, WordToHex(ip).data(), g_unwind_errors[i].str); } else { - snprintf(buf, sizeof(buf), "unwinding at 0x%s: %s", - WordToHex(ip).data(), g_unwind_errors[i].str); + snprintf(buf, sizeof(buf), "unwinding at 0x%s: %s", WordToHex(ip).data(), + g_unwind_errors[i].str); } out->errors.emplace_back(buf); #else @@ -621,8 +620,8 @@ static long ExceptionHandler(EXCEPTION_POINTERS *info) { static void EnableUnwindTestsImpl() { if (IsDebuggerPresent()) { - // Unwind tests drive logic via |EXCEPTION_SINGLE_STEP|, which conflicts with - // debuggers. + // Unwind tests drive logic via |EXCEPTION_SINGLE_STEP|, which conflicts + // with debuggers. fprintf(stderr, "Debugger detected. Disabling unwind tests.\n"); return; } @@ -641,7 +640,7 @@ static void EnableUnwindTestsImpl() { g_unwind_tests_enabled = true; } -#else // !OPENSSL_WINDOWS +#else // !OPENSSL_WINDOWS // HandleEINTR runs |func| and returns the result, retrying the operation on // |EINTR|. template 
diff --git a/crypto/test/abi_test.h b/crypto/test/abi_test.h index ffe44792eb..d5432244fb 100644 --- a/crypto/test/abi_test.h +++ b/crypto/test/abi_test.h @@ -62,7 +62,8 @@ struct alignas(16) Reg128 { // References: // SysV64: https://github.com/hjl-tools/x86-psABI/wiki/x86-64-psABI-1.0.pdf -// Win64: https://docs.microsoft.com/en-us/cpp/build/x64-software-conventions?view=vs-2017#register-usage +// Win64: +// https://docs.microsoft.com/en-us/cpp/build/x64-software-conventions?view=vs-2017#register-usage #if defined(OPENSSL_WINDOWS) #define LOOP_CALLER_STATE_REGISTERS() \ CALLER_STATE_REGISTER(uint64_t, rbx) \ @@ -97,7 +98,8 @@ struct alignas(16) Reg128 { // References: // SysV32: https://uclibc.org/docs/psABI-i386.pdf and -// Win32: https://docs.microsoft.com/en-us/cpp/cpp/argument-passing-and-naming-conventions?view=vs-2017 +// Win32: +// https://docs.microsoft.com/en-us/cpp/cpp/argument-passing-and-naming-conventions?view=vs-2017 #define LOOP_CALLER_STATE_REGISTERS() \ CALLER_STATE_REGISTER(uint32_t, esi) \ CALLER_STATE_REGISTER(uint32_t, edi) \ @@ -108,8 +110,10 @@ struct alignas(16) Reg128 { // References: // AAPCS: https://developer.arm.com/docs/ihi0042/latest -// iOS32: https://developer.apple.com/library/archive/documentation/Xcode/Conceptual/iPhoneOSABIReference/Articles/ARMv6FunctionCallingConventions.html -// Linux: http://sourcery.mentor.com/sgpp/lite/arm/portal/kbattach142/arm_gnu_linux_%20abi.pdf +// iOS32: +// https://developer.apple.com/library/archive/documentation/Xcode/Conceptual/iPhoneOSABIReference/Articles/ARMv6FunctionCallingConventions.html +// Linux: +// http://sourcery.mentor.com/sgpp/lite/arm/portal/kbattach142/arm_gnu_linux_%20abi.pdf // // ARM specifies a common calling convention, except r9 is left to the platform. // Linux treats r9 as callee-saved, while iOS 3+ treats it as caller-saved. Most 
@@ -147,36 +151,37 @@ struct alignas(16) Reg128 { // References: // AAPCS64: https://developer.arm.com/docs/ihi0055/latest -// iOS64: https://developer.apple.com/library/archive/documentation/Xcode/Conceptual/iPhoneOSABIReference/Articles/ARM64FunctionCallingConventions.html +// iOS64: +// https://developer.apple.com/library/archive/documentation/Xcode/Conceptual/iPhoneOSABIReference/Articles/ARM64FunctionCallingConventions.html // // In aarch64, r18 (accessed as w18 or x18 in a 64-bit context) is the platform // register. iOS says user code may not touch it. We found no clear reference // for Linux. The iOS behavior implies portable assembly cannot use it, and // aarch64 has many registers. Thus this framework ignores register's existence. // We test r18 violations in arm-xlate.pl. -#define LOOP_CALLER_STATE_REGISTERS() \ +#define LOOP_CALLER_STATE_REGISTERS() \ /* Per AAPCS64, section 5.1.2, only the bottom 64 bits of v8-v15 */ \ - /* are preserved. These are accessed as dN. */ \ - CALLER_STATE_REGISTER(uint64_t, d8) \ - CALLER_STATE_REGISTER(uint64_t, d9) \ - CALLER_STATE_REGISTER(uint64_t, d10) \ - CALLER_STATE_REGISTER(uint64_t, d11) \ - CALLER_STATE_REGISTER(uint64_t, d12) \ - CALLER_STATE_REGISTER(uint64_t, d13) \ - CALLER_STATE_REGISTER(uint64_t, d14) \ - CALLER_STATE_REGISTER(uint64_t, d15) \ - /* For consistency with dN, use the 64-bit name xN, rather than */ \ - /* the generic rN. */ \ - CALLER_STATE_REGISTER(uint64_t, x19) \ - CALLER_STATE_REGISTER(uint64_t, x20) \ - CALLER_STATE_REGISTER(uint64_t, x21) \ - CALLER_STATE_REGISTER(uint64_t, x22) \ - CALLER_STATE_REGISTER(uint64_t, x23) \ - CALLER_STATE_REGISTER(uint64_t, x24) \ - CALLER_STATE_REGISTER(uint64_t, x25) \ - CALLER_STATE_REGISTER(uint64_t, x26) \ - CALLER_STATE_REGISTER(uint64_t, x27) \ - CALLER_STATE_REGISTER(uint64_t, x28) \ + /* are preserved. These are accessed as dN. 
*/ \ + CALLER_STATE_REGISTER(uint64_t, d8) \ + CALLER_STATE_REGISTER(uint64_t, d9) \ + CALLER_STATE_REGISTER(uint64_t, d10) \ + CALLER_STATE_REGISTER(uint64_t, d11) \ + CALLER_STATE_REGISTER(uint64_t, d12) \ + CALLER_STATE_REGISTER(uint64_t, d13) \ + CALLER_STATE_REGISTER(uint64_t, d14) \ + CALLER_STATE_REGISTER(uint64_t, d15) \ + /* For consistency with dN, use the 64-bit name xN, rather than */ \ + /* the generic rN. */ \ + CALLER_STATE_REGISTER(uint64_t, x19) \ + CALLER_STATE_REGISTER(uint64_t, x20) \ + CALLER_STATE_REGISTER(uint64_t, x21) \ + CALLER_STATE_REGISTER(uint64_t, x22) \ + CALLER_STATE_REGISTER(uint64_t, x23) \ + CALLER_STATE_REGISTER(uint64_t, x24) \ + CALLER_STATE_REGISTER(uint64_t, x25) \ + CALLER_STATE_REGISTER(uint64_t, x26) \ + CALLER_STATE_REGISTER(uint64_t, x27) \ + CALLER_STATE_REGISTER(uint64_t, x28) \ CALLER_STATE_REGISTER(uint64_t, x29) #elif defined(OPENSSL_PPC64LE) @@ -190,7 +195,8 @@ struct CRReg { }; // References: -// ELFv2: http://openpowerfoundation.org/wp-content/uploads/resources/leabi/leabi-20170510.pdf +// ELFv2: +// http://openpowerfoundation.org/wp-content/uploads/resources/leabi/leabi-20170510.pdf // // Note vector and floating-point registers on POWER have two different names. // Originally, there were 32 floating-point registers and 32 vector registers, @@ -511,8 +517,8 @@ crypto_word_t abi_test_trampoline(crypto_word_t func, // This symbol is not a function and should not be called. void abi_test_unwind_start(Uncallable); -// abi_test_unwind_return points at the instruction immediately after the call in -// |abi_test_trampoline|. When unwinding the function under test, this is the +// abi_test_unwind_return points at the instruction immediately after the call +// in |abi_test_trampoline|. When unwinding the function under test, this is the // expected address in the |abi_test_trampoline| frame. After this address, the // unwind tester should ignore |SIGTRAP| until |abi_test_unwind_stop|. // 
diff --git a/crypto/test/file_test.cc b/crypto/test/file_test.cc index d7ef95115e..7424a95d82 100644 --- a/crypto/test/file_test.cc +++ b/crypto/test/file_test.cc @@ -68,7 +68,8 @@ static std::string StripSpace(const char *str, size_t len) { return std::string(str, len); } -static std::pair ParseKeyValue(const char *str, const size_t len) { +static std::pair ParseKeyValue(const char *str, + const size_t len) { const char *delimiter = FindDelimiter(str); std::string key, value; if (delimiter == nullptr) { @@ -288,9 +289,7 @@ bool FileTest::GetInstruction(std::string *out_value, const std::string &key) { return true; } -void FileTest::IgnoreAllUnusedInstructions() { - unused_instructions_.clear(); -} +void FileTest::IgnoreAllUnusedInstructions() { unused_instructions_.clear(); } const std::string &FileTest::GetInstructionOrDie(const std::string &key) { if (!HasInstruction(key)) { @@ -409,8 +408,7 @@ int FileTestMain(FileTestFunc run_test, void *arg, const char *path) { } int FileTestMain(const FileTest::Options &opts) { - std::unique_ptr reader( - new FileLineReader(opts.path)); + std::unique_ptr reader(new FileLineReader(opts.path)); if (!reader->is_open()) { fprintf(stderr, "Could not open file %s: %s.\n", opts.path, strerror(errno)); @@ -462,6 +460,4 @@ int FileTestMain(const FileTest::Options &opts) { return failed ? 1 : 0; } -void FileTest::SkipCurrent() { - ClearTest(); -} +void FileTest::SkipCurrent() { ClearTest(); } diff --git a/crypto/test/file_test.h b/crypto/test/file_test.h index 1502003874..1d2759face 100644 --- a/crypto/test/file_test.h +++ b/crypto/test/file_test.h @@ -113,7 +113,7 @@ class FileTest { // successful runs. bool silent = false; // comment_callback is called after each comment in the input is parsed. - std::function comment_callback; + std::function comment_callback; // is_kas_test is true if a NIST “KAS” test is being parsed. These tests // are inconsistent with the other NIST files to such a degree that they // need their own boolean. 
@@ -243,7 +243,7 @@ class FileTest { // comment_callback_, if set, is a callback function that is called with the // contents of each comment as they are parsed. - std::function comment_callback_; + std::function comment_callback_; FileTest(const FileTest &) = delete; FileTest &operator=(const FileTest &) = delete; diff --git a/crypto/test/file_util.h b/crypto/test/file_util.h index 376e151287..c51892b342 100644 --- a/crypto/test/file_util.h +++ b/crypto/test/file_util.h @@ -47,13 +47,13 @@ class ScopedFD { ~ScopedFD() { reset(); } ScopedFD(ScopedFD &&other) noexcept { *this = std::move(other); } - ScopedFD &operator=(ScopedFD&& other) { + ScopedFD &operator=(ScopedFD &&other) { reset(other.release()); return *this; } ScopedFD(const ScopedFD &other) = delete; - ScopedFD &operator=(ScopedFD& other) = delete; + ScopedFD &operator=(ScopedFD &other) = delete; bool is_valid() const { return fd_ >= 0; } int get() const { return fd_; } @@ -88,8 +88,8 @@ class TemporaryFile { TemporaryFile() = default; ~TemporaryFile(); - TemporaryFile(TemporaryFile&& other) noexcept { *this = std::move(other); } - TemporaryFile& operator=(TemporaryFile&&other) { + TemporaryFile(TemporaryFile &&other) noexcept { *this = std::move(other); } + TemporaryFile &operator=(TemporaryFile &&other) { // Ensure |path_| is empty so it doesn't try to delete the File. auto old_other_path = other.path_; other.path_ = {}; @@ -97,8 +97,8 @@ class TemporaryFile { return *this; } - TemporaryFile(const TemporaryFile&) = delete; - TemporaryFile& operator=(const TemporaryFile&) = delete; + TemporaryFile(const TemporaryFile &) = delete; + TemporaryFile &operator=(const TemporaryFile &) = delete; // Init initializes the temporary file with the specified content. It returns // true on success and false on error. On error, callers should call diff --git a/crypto/test/gtest_main.cc b/crypto/test/gtest_main.cc index 9f1386e3ee..34e2f4a814 100644 --- a/crypto/test/gtest_main.cc +++ b/crypto/test/gtest_main.cc 
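Review bot: The deleted copy assignment in ScopedFD is declared `ScopedFD &operator=(ScopedFD &other) = delete;` with a non-const parameter, which is inconsistent with the deleted copy constructor on the line above it and with TemporaryFile's `TemporaryFile &operator=(const TemporaryFile &) = delete;` in the same file; the conventional form is `ScopedFD &operator=(const ScopedFD &other) = delete;`. Both classes also mark the move constructor `noexcept` but not the move assignment operator, and since neither body can throw, `ScopedFD &operator=(ScopedFD &&other) noexcept` and `TemporaryFile &operator=(TemporaryFile &&other) noexcept` would make the two special members agree. The TemporaryFile move assignment continues past the end of its hunk, so whether it releases a file already owned by `*this` before taking `other.path_` cannot be confirmed here.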
@@ -19,9 +19,9 @@ #include +#include "../internal.h" #include "abi_test.h" #include "gtest_main.h" -#include "../internal.h" int main(int argc, char **argv) { diff --git a/crypto/test/test_util.cc b/crypto/test/test_util.cc index 9c010c5d50..fac06a14fa 100644 --- a/crypto/test/test_util.cc +++ b/crypto/test/test_util.cc @@ -111,9 +111,8 @@ bssl::UniquePtr RSAFromPEM(const char *pem) { PEM_read_bio_RSAPrivateKey(bio.get(), nullptr, nullptr, nullptr)); } -bssl::UniquePtr MakeTestCert(const char *issuer, - const char *subject, EVP_PKEY *key, - bool is_ca) { +bssl::UniquePtr MakeTestCert(const char *issuer, const char *subject, + EVP_PKEY *key, bool is_ca) { bssl::UniquePtr cert(X509_new()); if (!cert || // !X509_set_version(cert.get(), X509_VERSION_3) || @@ -140,8 +139,7 @@ bssl::UniquePtr MakeTestCert(const char *issuer, return cert; } -bssl::UniquePtr CertsToStack( - const std::vector &certs) { +bssl::UniquePtr CertsToStack(const std::vector &certs) { bssl::UniquePtr stack(sk_X509_new_null()); if (!stack) { return nullptr; 
@@ -156,24 +154,25 @@ bssl::UniquePtr CertsToStack( #if defined(OPENSSL_WINDOWS) size_t createTempFILEpath(char buffer[PATH_MAX]) { - // On Windows, tmpfile() may attempt to create temp files in the root directory - // of the drive, which requires Admin privileges, resulting in test failure. + // On Windows, tmpfile() may attempt to create temp files in the root + // directory of the drive, which requires Admin privileges, resulting in test + // failure. char pathname[PATH_MAX]; - if(0 == GetTempPathA(PATH_MAX, pathname)) { + if (0 == GetTempPathA(PATH_MAX, pathname)) { return 0; } return GetTempFileNameA(pathname, "awslctest", 0, buffer); } -FILE* createRawTempFILE() { +FILE *createRawTempFILE() { char filename[PATH_MAX]; - if(createTempFILEpath(filename) == 0) { + if (createTempFILEpath(filename) == 0) { return nullptr; } return fopen(filename, "w+b"); } #else -#include #include +#include size_t createTempFILEpath(char buffer[PATH_MAX]) { snprintf(buffer, PATH_MAX, "awslcTestTmpFileXXXXXX"); @@ -185,18 +184,13 @@ size_t createTempFILEpath(char buffer[PATH_MAX]) { close(fd); return strnlen(buffer, PATH_MAX); } -FILE* createRawTempFILE() { - return tmpfile(); -} +FILE *createRawTempFILE() { return tmpfile(); } #endif -TempFILE createTempFILE() { - return TempFILE(createRawTempFILE()); -} +TempFILE createTempFILE() { return TempFILE(createRawTempFILE()); } -void CustomDataFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int index, long argl, void *argp) { +void CustomDataFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int index, + long argl, void *argp) { free(ptr); } - diff --git a/crypto/test/test_util.h b/crypto/test/test_util.h index 4adb192638..d4957a79be 100644 --- a/crypto/test/test_util.h +++ b/crypto/test/test_util.h 
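Review bot: createTempFILEpath creates the temp file and immediately closes it (`close(fd);` at the top of the second hunk, presumably after a mkstemp call in the lines between the hunks), handing back only a name to be reopened later — which createRawTempFILE does on Windows with `fopen(filename, "w+b")` — so there is a window between creation and reopen in which another process could replace the file, and the POSIX template `awslcTestTmpFileXXXXXX` carries no directory prefix, so the file is created in the current working directory rather than the temp directory the Windows branch obtains from GetTempPathA. Neither branch deletes the file on close, so callers own the unlink. That is tolerable for a test helper, but a comment on these functions such as `// The returned path is reopened by name and is not unlinked; callers must delete it and must not use it for anything security-sensitive.` would make the contract explicit, and on POSIX keeping the descriptor and returning `fdopen(fd, "w+b")` would avoid the reopen entirely.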
@@ -90,9 +90,8 @@ static const int64_t kReferenceTime = 1474934400; // MakeTestCert creates an X509 certificate for use in testing. It is configured // to be valid from 1 day prior |kReferenceTime| until 1 day after // |kReferenceTime|. -bssl::UniquePtr MakeTestCert(const char *issuer, - const char *subject, EVP_PKEY *key, - bool is_ca); +bssl::UniquePtr MakeTestCert(const char *issuer, const char *subject, + EVP_PKEY *key, bool is_ca); // unique_ptr will automatically call fclose on the file descriptior when the // variable goes out of scope, so we need to specify BIO_NOCLOSE close flags @@ -113,7 +112,7 @@ using TempFILE = std::unique_ptr; #endif size_t createTempFILEpath(char buffer[PATH_MAX]); -FILE* createRawTempFILE(); +FILE *createRawTempFILE(); TempFILE createTempFILE(); // CustomData is for testing new structs that we add support for |ex_data|. @@ -121,8 +120,8 @@ typedef struct { int custom_data; } CustomData; -void CustomDataFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int index, long argl, void *argp); +void CustomDataFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int index, + long argl, void *argp); // ErrorEquals asserts that |err| is an error with library |lib| and reason // |reason|. testing::AssertionResult ErrorEquals(uint32_t err, int lib, int reason); diff --git a/crypto/test/wycheproof_util.h b/crypto/test/wycheproof_util.h index 8e10420cf1..95292d490e 100644 --- a/crypto/test/wycheproof_util.h +++ b/crypto/test/wycheproof_util.h @@ -41,7 +41,8 @@ struct WycheproofResult { bool IsValid(const std::vector &acceptable_flags = {}) const; }; -// GetWycheproofResult sets |*out| to the parsed "result" and "flags" keys of |t|. +// GetWycheproofResult sets |*out| to the parsed "result" and "flags" keys of +// |t|. bool GetWycheproofResult(FileTest *t, WycheproofResult *out); // GetWycheproofDigest returns a digest function using the Wycheproof name, or 
diff --git a/crypto/thread_pthread.c b/crypto/thread_pthread.c index 2ab8444e66..fc198d8d8f 100644 --- a/crypto/thread_pthread.c +++ b/crypto/thread_pthread.c @@ -33,44 +33,45 @@ OPENSSL_STATIC_ASSERT(alignof(CRYPTO_MUTEX) >= alignof(pthread_rwlock_t), CRYPTO_MUTEX_has_insufficient_alignment) void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) { - if (pthread_rwlock_init((pthread_rwlock_t *) lock, NULL) != 0) { + if (pthread_rwlock_init((pthread_rwlock_t *)lock, NULL) != 0) { abort(); } } void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) { - if (pthread_rwlock_rdlock((pthread_rwlock_t *) lock) != 0) { + if (pthread_rwlock_rdlock((pthread_rwlock_t *)lock) != 0) { abort(); } } void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) { - if (pthread_rwlock_wrlock((pthread_rwlock_t *) lock) != 0) { + if (pthread_rwlock_wrlock((pthread_rwlock_t *)lock) != 0) { abort(); } } void CRYPTO_MUTEX_unlock_read(CRYPTO_MUTEX *lock) { - if (pthread_rwlock_unlock((pthread_rwlock_t *) lock) != 0) { + if (pthread_rwlock_unlock((pthread_rwlock_t *)lock) != 0) { abort(); } } void CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock) { - if (pthread_rwlock_unlock((pthread_rwlock_t *) lock) != 0) { + if (pthread_rwlock_unlock((pthread_rwlock_t *)lock) != 0) { abort(); } } void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) { - pthread_rwlock_destroy((pthread_rwlock_t *) lock); + pthread_rwlock_destroy((pthread_rwlock_t *)lock); } // Some MinGW pthreads implementations might fail on first use of // locks initialized using PTHREAD_RWLOCK_INITIALIZER. // See: https://sourceforge.net/p/mingw-w64/bugs/883/ typedef int (*pthread_rwlock_func_ptr)(pthread_rwlock_t *); -static int rwlock_EINVAL_fallback_retry(const pthread_rwlock_func_ptr func_ptr, pthread_rwlock_t* lock) { +static int rwlock_EINVAL_fallback_retry(const pthread_rwlock_func_ptr func_ptr, + pthread_rwlock_t *lock) { int result = EINVAL; #ifdef __MINGW32__ const int MAX_ATTEMPTS = 10; 
@@ -79,7 +80,7 @@ static int rwlock_EINVAL_fallback_retry(const pthread_rwlock_func_ptr func_ptr, sched_yield(); attempt_num += 1; result = func_ptr(lock); - } while(result == EINVAL && attempt_num < MAX_ATTEMPTS); + } while (result == EINVAL && attempt_num < MAX_ATTEMPTS); #endif return result; } diff --git a/crypto/thread_test.cc b/crypto/thread_test.cc index 85643a0444..473aa3e214 100644 --- a/crypto/thread_test.cc +++ b/crypto/thread_test.cc @@ -15,8 +15,8 @@ #include "internal.h" #include -#include #include +#include #include @@ -107,7 +107,7 @@ static void thread_local_destructor(void *arg) { return; } - unsigned *count = reinterpret_cast(arg); + unsigned *count = reinterpret_cast(arg); (*count)++; } @@ -172,7 +172,7 @@ TEST(ThreadTest, ClearState) { std::thread myThreads[kNumThreads]; for (int i = 0; i < kNumThreads; i++) { - bool* myFlag = &myFlags[i]; + bool *myFlag = &myFlags[i]; *myFlag = false; myThreads[i] = std::thread(thread_task, myFlag); } @@ -182,7 +182,7 @@ TEST(ThreadTest, ClearState) { } } -#endif // OPENSSL_PTHREADS +#endif // OPENSSL_PTHREADS TEST(ThreadTest, InitThreads) { constexpr size_t kNumThreads = 10; diff --git a/crypto/thread_win.c b/crypto/thread_win.c index 9a1f8045ec..eaf25fcb90 100644 --- a/crypto/thread_win.c +++ b/crypto/thread_win.c 
@@ -46,23 +46,23 @@ void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)) { } void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) { - InitializeSRWLock((SRWLOCK *) lock); + InitializeSRWLock((SRWLOCK *)lock); } void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) { - AcquireSRWLockShared((SRWLOCK *) lock); + AcquireSRWLockShared((SRWLOCK *)lock); } void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) { - AcquireSRWLockExclusive((SRWLOCK *) lock); + AcquireSRWLockExclusive((SRWLOCK *)lock); } void CRYPTO_MUTEX_unlock_read(CRYPTO_MUTEX *lock) { - ReleaseSRWLockShared((SRWLOCK *) lock); + ReleaseSRWLockShared((SRWLOCK *)lock); } void CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock) { - ReleaseSRWLockExclusive((SRWLOCK *) lock); + ReleaseSRWLockExclusive((SRWLOCK *)lock); } void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) { @@ -113,7 +113,7 @@ static void NTAPI thread_local_destructor(PVOID module, DWORD reason, return; } - void **pointers = (void**) TlsGetValue(g_thread_local_key); + void **pointers = (void **)TlsGetValue(g_thread_local_key); if (pointers == NULL) { return; } @@ -149,12 +149,10 @@ static void NTAPI thread_local_destructor(PVOID module, DWORD reason, #define STRINGIFY(x) #x #define EXPAND_AND_STRINGIFY(x) STRINGIFY(x) #ifdef _WIN64 -__pragma(comment(linker, "/INCLUDE:_tls_used")) -__pragma(comment( +__pragma(comment(linker, "/INCLUDE:_tls_used")) __pragma(comment( linker, "/INCLUDE:" EXPAND_AND_STRINGIFY(p_thread_callback_boringssl))) #else -__pragma(comment(linker, "/INCLUDE:__tls_used")) -__pragma(comment( +__pragma(comment(linker, "/INCLUDE:__tls_used")) __pragma(comment( linker, "/INCLUDE:_" EXPAND_AND_STRINGIFY(p_thread_callback_boringssl))) #endif 
@@ -178,9 +176,9 @@ __pragma(comment( // .CRT section is merged with .rdata on x64 so it must be constant data. #pragma const_seg(".CRT$XLC") -// When defining a const variable, it must have external linkage to be sure the -// linker doesn't discard it. -extern const PIMAGE_TLS_CALLBACK p_thread_callback_boringssl; + // When defining a const variable, it must have external linkage to be sure + // the linker doesn't discard it. + extern const PIMAGE_TLS_CALLBACK p_thread_callback_boringssl; const PIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor; // Reset the default section. #pragma const_seg() @@ -188,7 +186,7 @@ const PIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor; #else #pragma data_seg(".CRT$XLC") -PIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor; + PIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor; // Reset the default section. #pragma data_seg() diff --git a/crypto/trust_token/pmbtoken.c b/crypto/trust_token/pmbtoken.c index 0aa4d0992a..0ebf3630a1 100644 --- a/crypto/trust_token/pmbtoken.c +++ b/crypto/trust_token/pmbtoken.c @@ -134,13 +134,11 @@ static int cbb_add_prefixed_point(CBB *out, const EC_GROUP *group, if (prefix_point) { CBB child; if (!CBB_add_u16_length_prefixed(out, &child) || - !point_to_cbb(&child, group, point) || - !CBB_flush(out)) { + !point_to_cbb(&child, group, point) || !CBB_flush(out)) { return 0; } } else { - if (!point_to_cbb(out, group, point) || - !CBB_flush(out)) { + if (!point_to_cbb(out, group, point) || !CBB_flush(out)) { return 0; } } 
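Review bot: The one-space indent clang-format gave the `// When defining a const variable...` comment and the `extern const PIMAGE_TLS_CALLBACK p_thread_callback_boringssl;` declaration (and, in the -149 hunk on the previous line, the joining of the two `__pragma(comment(...))` invocations onto one line) shows the formatter treating the semicolon-less `__pragma` expressions as an unfinished statement and everything after them as a continuation; the output is still valid C, but the indentation now misrepresents the structure of the `.CRT$XLC` TLS-callback glue. Bracketing the `__pragma` block through the `#pragma const_seg()` / `#pragma data_seg()` resets with `// clang-format off` and `// clang-format on` keeps this linker-directive region hand-formatted and stops future formatter runs from reshuffling it. The #ifdef/#else structure around these hunks continues outside them.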
@@ -186,10 +184,10 @@ static int pmbtoken_compute_keys(const PMBTOKEN_METHOD *method, const EC_SCALAR *xs, const EC_SCALAR *ys) { const EC_GROUP *group = method->group; EC_JACOBIAN pub[3]; - if (!ec_point_mul_scalar_precomp(group, &pub[0], &method->g_precomp, - x0, &method->h_precomp, y0, NULL, NULL) || - !ec_point_mul_scalar_precomp(group, &pub[1], &method->g_precomp, - x1, &method->h_precomp, y1, NULL, NULL) || + if (!ec_point_mul_scalar_precomp(group, &pub[0], &method->g_precomp, x0, + &method->h_precomp, y0, NULL, NULL) || + !ec_point_mul_scalar_precomp(group, &pub[1], &method->g_precomp, x1, + &method->h_precomp, y1, NULL, NULL) || !ec_point_mul_scalar_precomp(method->group, &pub[2], &method->g_precomp, xs, &method->h_precomp, ys, NULL, NULL)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE); @@ -326,14 +324,16 @@ static STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_blind( SHA512_CTX hash_ctx; const EC_GROUP *group = method->group; - STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens = sk_TRUST_TOKEN_PRETOKEN_new_null(); + STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens = + sk_TRUST_TOKEN_PRETOKEN_new_null(); if (pretokens == NULL) { goto err; } for (size_t i = 0; i < count; i++) { // Insert |pretoken| into |pretokens| early to simplify error-handling. - TRUST_TOKEN_PRETOKEN *pretoken = OPENSSL_malloc(sizeof(TRUST_TOKEN_PRETOKEN)); + TRUST_TOKEN_PRETOKEN *pretoken = + OPENSSL_malloc(sizeof(TRUST_TOKEN_PRETOKEN)); if (pretoken == NULL || !sk_TRUST_TOKEN_PRETOKEN_push(pretokens, pretoken)) { TRUST_TOKEN_PRETOKEN_free(pretoken); @@ -424,8 +424,7 @@ static int hash_c_dleq(const PMBTOKEN_METHOD *method, EC_SCALAR *out, !point_to_cbb(&cbb, method->group, S) || !point_to_cbb(&cbb, method->group, W) || !point_to_cbb(&cbb, method->group, K0) || - !point_to_cbb(&cbb, method->group, K1) || - !CBB_finish(&cbb, &buf, &len) || + !point_to_cbb(&cbb, method->group, K1) || !CBB_finish(&cbb, &buf, &len) || !method->hash_c(method->group, out, buf, len)) { goto err; } 
@@ -492,8 +491,7 @@ static int hash_c_batch(const PMBTOKEN_METHOD *method, EC_SCALAR *out, if (!CBB_init(&cbb, 0) || !CBB_add_bytes(&cbb, kDLEQBatchLabel, sizeof(kDLEQBatchLabel)) || !CBB_add_bytes(&cbb, CBB_data(points), CBB_len(points)) || - !CBB_add_u16(&cbb, (uint16_t)index) || - !CBB_finish(&cbb, &buf, &len) || + !CBB_add_u16(&cbb, (uint16_t)index) || !CBB_finish(&cbb, &buf, &len) || !method->hash_c(method->group, out, buf, len)) { goto err; } @@ -537,7 +535,7 @@ static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb, // Setup the DLEQ proof. EC_SCALAR ks0, ks1; - if (// ks0, ks1 <- Zp + if ( // ks0, ks1 <- Zp !ec_random_nonzero_scalar(group, &ks0, kDefaultAdditionalData) || !ec_random_nonzero_scalar(group, &ks1, kDefaultAdditionalData) || // Ks = ks0*(G;T) + ks1*(H;S) @@ -561,7 +559,7 @@ static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb, &priv->pub1_precomp); EC_SCALAR k0, k1, minus_co, uo, vo; - if (// k0, k1 <- Zp + if ( // k0, k1 <- Zp !ec_random_nonzero_scalar(group, &k0, kDefaultAdditionalData) || !ec_random_nonzero_scalar(group, &k1, kDefaultAdditionalData) || // Kb = k0*(G;T) + k1*(H;S) @@ -626,8 +624,7 @@ static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb, ec_scalar_add(group, &vs, &ks1, &vs); // Store DLEQ2 proof in transcript. - if (!scalar_to_cbb(cbb, group, &cs) || - !scalar_to_cbb(cbb, group, &us) || + if (!scalar_to_cbb(cbb, group, &cs) || !scalar_to_cbb(cbb, group, &us) || !scalar_to_cbb(cbb, group, &vs)) { return 0; } 
@@ -658,12 +655,9 @@ static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb, ec_scalar_select(group, &v1, mask, &vb, &vo); // Store DLEQOR2 proof in transcript. - if (!scalar_to_cbb(cbb, group, &c0) || - !scalar_to_cbb(cbb, group, &c1) || - !scalar_to_cbb(cbb, group, &u0) || - !scalar_to_cbb(cbb, group, &u1) || - !scalar_to_cbb(cbb, group, &v0) || - !scalar_to_cbb(cbb, group, &v1)) { + if (!scalar_to_cbb(cbb, group, &c0) || !scalar_to_cbb(cbb, group, &c1) || + !scalar_to_cbb(cbb, group, &u0) || !scalar_to_cbb(cbb, group, &u1) || + !scalar_to_cbb(cbb, group, &v0) || !scalar_to_cbb(cbb, group, &v1)) { return 0; } @@ -699,8 +693,7 @@ static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs, // Decode the DLEQ proof. EC_SCALAR cs, us, vs; - if (!scalar_from_cbs(cbs, group, &cs) || - !scalar_from_cbs(cbs, group, &us) || + if (!scalar_from_cbs(cbs, group, &cs) || !scalar_from_cbs(cbs, group, &us) || !scalar_from_cbs(cbs, group, &vs)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); return 0; @@ -720,12 +713,9 @@ static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs, // Decode the DLEQOR proof. EC_SCALAR c0, c1, u0, u1, v0, v1; - if (!scalar_from_cbs(cbs, group, &c0) || - !scalar_from_cbs(cbs, group, &c1) || - !scalar_from_cbs(cbs, group, &u0) || - !scalar_from_cbs(cbs, group, &u1) || - !scalar_from_cbs(cbs, group, &v0) || - !scalar_from_cbs(cbs, group, &v1)) { + if (!scalar_from_cbs(cbs, group, &c0) || !scalar_from_cbs(cbs, group, &c1) || + !scalar_from_cbs(cbs, group, &u0) || !scalar_from_cbs(cbs, group, &u1) || + !scalar_from_cbs(cbs, group, &v0) || !scalar_from_cbs(cbs, group, &v1)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); return 0; } 
@@ -736,7 +726,7 @@ static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs, EC_SCALAR minus_c0, minus_c1; ec_scalar_neg(group, &minus_c0, &c0); ec_scalar_neg(group, &minus_c1, &c1); - if (// K0 = u0*(G;T) + v0*(H;S) - c0*(pub0;W) + if ( // K0 = u0*(G;T) + v0*(H;S) - c0*(pub0;W) !mul_public_3(group, &jacobians[idx_K00], g, &u0, &method->h, &v0, &pub0, &minus_c0) || !mul_public_3(group, &jacobians[idx_K01], T, &u0, S, &v0, W, &minus_c0) || @@ -807,12 +797,7 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method, EC_SCALAR *es = OPENSSL_calloc(num_to_issue, sizeof(EC_SCALAR)); CBB batch_cbb; CBB_zero(&batch_cbb); - if (!Tps || - !Sps || - !Wps || - !Wsps || - !es || - !CBB_init(&batch_cbb, 0) || + if (!Tps || !Sps || !Wps || !Wsps || !es || !CBB_init(&batch_cbb, 0) || !point_to_cbb(&batch_cbb, method->group, &key->pubs) || !point_to_cbb(&batch_cbb, method->group, &key->pub0) || !point_to_cbb(&batch_cbb, method->group, &key->pub1)) { @@ -943,13 +928,8 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind( EC_SCALAR *es = OPENSSL_calloc(count, sizeof(EC_SCALAR)); CBB batch_cbb; CBB_zero(&batch_cbb); - if (ret == NULL || - Tps == NULL || - Sps == NULL || - Wps == NULL || - Wsps == NULL || - es == NULL || - !CBB_init(&batch_cbb, 0) || + if (ret == NULL || Tps == NULL || Sps == NULL || Wps == NULL || + Wsps == NULL || es == NULL || !CBB_init(&batch_cbb, 0) || !point_to_cbb(&batch_cbb, method->group, &key->pubs) || !point_to_cbb(&batch_cbb, method->group, &key->pub0) || !point_to_cbb(&batch_cbb, method->group, &key->pub1)) { @@ -1018,8 +998,7 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind( TRUST_TOKEN *token = TRUST_TOKEN_new(CBB_data(&token_cbb), CBB_len(&token_cbb)); CBB_cleanup(&token_cbb); - if (token == NULL || - !sk_TRUST_TOKEN_push(ret, token)) { + if (token == NULL || !sk_TRUST_TOKEN_push(ret, token)) { TRUST_TOKEN_free(token); goto err; } 
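Review bot: The reflowed allocation checks in `pmbtoken_sign` (`@@ -807,12 +797,7 @@`) and `pmbtoken_unblind` (`@@ -943,13 +928,8 @@`) now sit side by side in two different styles, `!Tps || !Sps || !Wps || !Wsps || !es` in one and `ret == NULL || Tps == NULL || ...` in the other, for the same kind of OPENSSL_calloc results. The same split recurs in voprf.c between `voprf_sign_tt` (`@@ -489,10 +482,7 @@`) and `voprf_unblind_tt` (`@@ -583,10 +573,7 @@`). Since this commit is a mechanical formatting pass the choice is pre-existing, but a follow-up could settle on one form, e.g. `if (Tps == NULL || Sps == NULL || Wps == NULL || Wsps == NULL || es == NULL ||`, matching the explicit `== NULL` comparisons used for pointers elsewhere in these functions. Both functions start before and end after their hunks.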
@@ -1163,8 +1142,7 @@ static int pmbtoken_exp1_hash_s(const EC_GROUP *group, EC_JACOBIAN *out, CBB cbb; uint8_t *buf = NULL; size_t len; - if (!CBB_init(&cbb, 0) || - !point_to_cbb(&cbb, group, t) || + if (!CBB_init(&cbb, 0) || !point_to_cbb(&cbb, group, t) || !CBB_add_bytes(&cbb, s, TRUST_TOKEN_NONCE_SIZE) || !CBB_finish(&cbb, &buf, &len) || !ec_hash_to_curve_p384_xmd_sha512_sswu_draft07( @@ -1336,8 +1314,7 @@ static int pmbtoken_exp2_hash_s(const EC_GROUP *group, EC_JACOBIAN *out, CBB cbb; uint8_t *buf = NULL; size_t len; - if (!CBB_init(&cbb, 0) || - !point_to_cbb(&cbb, group, t) || + if (!CBB_init(&cbb, 0) || !point_to_cbb(&cbb, group, t) || !CBB_add_bytes(&cbb, s, TRUST_TOKEN_NONCE_SIZE) || !CBB_finish(&cbb, &buf, &len) || !ec_hash_to_curve_p384_xmd_sha512_sswu_draft07( @@ -1383,8 +1360,7 @@ static void pmbtoken_exp2_init_method_impl(void) { 0x1c, 0x2c, 0x72, 0x25, 0xf0, 0x4a, 0x45, 0x23, 0x2d, 0x57, 0x93, 0x0e, 0xb2, 0x55, 0xb8, 0x57, 0x25, 0x4c, 0x1e, 0xdb, 0xfd, 0x58, 0x70, 0x17, 0x9a, 0xbb, 0x9e, 0x5e, 0x93, 0x9e, 0x92, 0xd3, 0xe8, - 0x25, 0x62, 0xbf, 0x59, 0xb2, 0xd2, 0x3d, 0x71, 0xff - }; + 0x25, 0x62, 0xbf, 0x59, 0xb2, 0xd2, 0x3d, 0x71, 0xff}; pmbtoken_exp2_ok = pmbtoken_init_method( &pmbtoken_exp2_method, EC_group_p384(), kH, sizeof(kH), @@ -1510,12 +1486,11 @@ static int pmbtoken_pst1_hash_s(const EC_GROUP *group, EC_JACOBIAN *out, CBB cbb; uint8_t *buf = NULL; size_t len; - if (!CBB_init(&cbb, 0) || - !point_to_cbb(&cbb, group, t) || + if (!CBB_init(&cbb, 0) || !point_to_cbb(&cbb, group, t) || !CBB_add_bytes(&cbb, s, TRUST_TOKEN_NONCE_SIZE) || !CBB_finish(&cbb, &buf, &len) || - !ec_hash_to_curve_p384_xmd_sha384_sswu( - group, out, kHashSLabel, sizeof(kHashSLabel), buf, len)) { + !ec_hash_to_curve_p384_xmd_sha384_sswu(group, out, kHashSLabel, + sizeof(kHashSLabel), buf, len)) { goto err; } 
@@ -1530,15 +1505,15 @@ static int pmbtoken_pst1_hash_s(const EC_GROUP *group, EC_JACOBIAN *out, static int pmbtoken_pst1_hash_c(const EC_GROUP *group, EC_SCALAR *out, uint8_t *buf, size_t len) { const uint8_t kHashCLabel[] = "PMBTokens PST V1 HashC"; - return ec_hash_to_scalar_p384_xmd_sha384( - group, out, kHashCLabel, sizeof(kHashCLabel), buf, len); + return ec_hash_to_scalar_p384_xmd_sha384(group, out, kHashCLabel, + sizeof(kHashCLabel), buf, len); } static int pmbtoken_pst1_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out, uint8_t *buf, size_t len) { const uint8_t kHashLabel[] = "PMBTokens PST V1 HashToScalar"; - return ec_hash_to_scalar_p384_xmd_sha384( - group, out, kHashLabel, sizeof(kHashLabel), buf, len); + return ec_hash_to_scalar_p384_xmd_sha384(group, out, kHashLabel, + sizeof(kHashLabel), buf, len); } static int pmbtoken_pst1_ok = 0; @@ -1557,8 +1532,7 @@ static void pmbtoken_pst1_init_method_impl(void) { 0xa2, 0x32, 0xf4, 0x22, 0x40, 0x07, 0x2d, 0x9b, 0x6f, 0xab, 0xff, 0x2a, 0x92, 0x03, 0xb1, 0x73, 0x09, 0x1a, 0x6a, 0x4a, 0xc2, 0x4c, 0xac, 0x13, 0x59, 0xf4, 0x28, 0x0e, 0x78, 0x69, 0xa5, 0xdf, 0x0d, - 0x74, 0xeb, 0x14, 0xca, 0x8a, 0x32, 0xbb, 0xd3, 0x91 - }; + 0x74, 0xeb, 0x14, 0xca, 0x8a, 0x32, 0xbb, 0xd3, 0x91}; pmbtoken_pst1_ok = pmbtoken_init_method( &pmbtoken_pst1_method, EC_group_p384(), kH, sizeof(kH), diff --git a/crypto/trust_token/trust_token.c b/crypto/trust_token/trust_token.c index 521e7adc06..17e5373c2f 100644 --- a/crypto/trust_token/trust_token.c +++ b/crypto/trust_token/trust_token.c @@ -183,7 +183,7 @@ int TRUST_TOKEN_derive_key_from_secret( } if (!method->derive_key_from_secret(&priv_cbb, &pub_cbb, secret, - secret_len)) { + secret_len)) { return 0; } 
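Review bot: `pmbtoken_pst1_hash_c` and `pmbtoken_pst1_hash_to_scalar` in the `@@ -1530,15 +1505,15 @@` hunk pass `sizeof(kHashCLabel)` / `sizeof(kHashLabel)` as the domain-separation length, which for a string literal includes the terminating NUL byte, whereas `voprf_pst1_hash_to_scalar` later in this patch passes `sizeof(kHashCLabel) - 1` and so excludes it. Whether the trailing NUL is part of the PMBTokens PST V1 DST by design or by accident cannot be told from the code, and because the value is baked into issuer interoperability and the test vectors it must not be changed silently either way. A one-line comment above each call would pin the intent for the next reader, e.g. `// The DST deliberately includes the string's trailing NUL byte.` if that is the case, or a note that it is a known wire-format quirk if it is not.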
@@ -266,8 +266,7 @@ static int trust_token_client_begin_issuance_impl( int ret = 0; CBB request; STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens = NULL; - if (!CBB_init(&request, 0) || - !CBB_add_u16(&request, count)) { + if (!CBB_init(&request, 0) || !CBB_add_u16(&request, count)) { goto err; } @@ -306,17 +305,14 @@ int TRUST_TOKEN_CLIENT_begin_issuance_over_message( } -STACK_OF(TRUST_TOKEN) * - TRUST_TOKEN_CLIENT_finish_issuance(TRUST_TOKEN_CLIENT *ctx, - size_t *out_key_index, - const uint8_t *response, - size_t response_len) { +STACK_OF(TRUST_TOKEN) *TRUST_TOKEN_CLIENT_finish_issuance( + TRUST_TOKEN_CLIENT *ctx, size_t *out_key_index, const uint8_t *response, + size_t response_len) { CBS in; CBS_init(&in, response, response_len); uint16_t count; uint32_t key_id; - if (!CBS_get_u16(&in, &count) || - !CBS_get_u32(&in, &key_id)) { + if (!CBS_get_u16(&in, &count) || !CBS_get_u32(&in, &key_id)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); return NULL; } @@ -397,8 +393,7 @@ int TRUST_TOKEN_CLIENT_finish_redemption(TRUST_TOKEN_CLIENT *ctx, } if (!CBS_get_u16_length_prefixed(&in, &srr) || - !CBS_get_u16_length_prefixed(&in, &sig) || - CBS_len(&in) != 0) { + !CBS_get_u16_length_prefixed(&in, &sig) || CBS_len(&in) != 0) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_ERROR); return 0; } @@ -550,8 +545,7 @@ int TRUST_TOKEN_ISSUER_issue(const TRUST_TOKEN_ISSUER *ctx, uint8_t **out, int ret = 0; CBB response; - if (!CBB_init(&response, 0) || - !CBB_add_u16(&response, num_to_issue) || + if (!CBB_init(&response, 0) || !CBB_add_u16(&response, num_to_issue) || !CBB_add_u32(&response, public_metadata)) { goto err; } diff --git a/crypto/trust_token/trust_token_test.cc b/crypto/trust_token/trust_token_test.cc index fd18776a2c..9a13ff518b 100644 --- a/crypto/trust_token/trust_token_test.cc +++ b/crypto/trust_token/trust_token_test.cc 
@@ -90,8 +90,7 @@ TEST(TrustTokenTest, KeyGenExp1) { 0x48, 0xe5, 0x68, 0x8a, 0xfc, 0x86, 0x9c, 0x79, 0x5a, 0x79, 0xc1, 0x09, 0x33, 0x53, 0xdc, 0x3d, 0xe9, 0x93, 0x7c, 0x5b, 0x72, 0xf7, 0xa0, 0x8a, 0x1f, 0x07, 0x6c, 0x38, 0x3c, 0x99, 0x0b, 0xe4, 0x4e, 0xa4, 0xbd, 0x41, - 0x1f, 0x83, 0xa6, 0xd3 - }; + 0x1f, 0x83, 0xa6, 0xd3}; ASSERT_EQ(Bytes(kExpectedPriv, sizeof(kExpectedPriv)), Bytes(priv_key, priv_key_len)); @@ -149,8 +148,7 @@ TEST(TrustTokenTest, KeyGenExp2VOPRF) { 0x3e, 0xba, 0xab, 0x85, 0xa7, 0x77, 0xd7, 0x0a, 0x02, 0xc5, 0x36, 0xfe, 0x62, 0xa3, 0xca, 0x01, 0x75, 0xc7, 0x62, 0x19, 0xc7, 0xf0, 0x30, 0xc5, 0x14, 0x60, 0x13, 0x97, 0x4f, 0x63, 0x05, 0x37, 0x92, - 0x7b, 0x76, 0x8e, 0x9f, 0xd0, 0x1a, 0x74, 0x44 - }; + 0x7b, 0x76, 0x8e, 0x9f, 0xd0, 0x1a, 0x74, 0x44}; ASSERT_EQ(Bytes(kExpectedPriv, sizeof(kExpectedPriv)), Bytes(priv_key, priv_key_len)); @@ -163,8 +161,7 @@ TEST(TrustTokenTest, KeyGenExp2VOPRF) { 0x43, 0x06, 0x70, 0x2c, 0x84, 0xdc, 0x23, 0x18, 0xc7, 0x6a, 0x58, 0xcf, 0x9e, 0xc1, 0xfa, 0xf2, 0x30, 0xdd, 0xad, 0x62, 0x24, 0xde, 0x11, 0xc1, 0xba, 0x8d, 0xc3, 0x4f, 0xfb, 0xe5, 0xa5, 0xd4, 0x37, 0xba, 0x3b, 0x70, - 0xc0, 0xc3, 0xef, 0x20, 0x43 - }; + 0xc0, 0xc3, 0xef, 0x20, 0x43}; ASSERT_EQ(Bytes(kExpectedPub, sizeof(kExpectedPub)), Bytes(pub_key, pub_key_len)); } @@ -212,8 +209,7 @@ TEST(TrustTokenTest, KeyGenExp2PMB) { 0x2a, 0xd2, 0x5f, 0x92, 0xb4, 0x6a, 0x89, 0xa5, 0x54, 0xbd, 0x27, 0x5e, 0xeb, 0x43, 0x07, 0x9b, 0x2b, 0x8b, 0x22, 0x59, 0x13, 0x4b, 0x9c, 0x56, 0xd8, 0x63, 0xd9, 0xe6, 0x85, 0x15, 0x2c, 0x82, 0x52, 0x40, 0x8f, 0xb1, - 0xe7, 0x56, 0x07, 0x98 - }; + 0xe7, 0x56, 0x07, 0x98}; ASSERT_EQ(Bytes(kExpectedPriv, sizeof(kExpectedPriv)), Bytes(priv_key, priv_key_len)); 
@@ -242,8 +238,7 @@ TEST(TrustTokenTest, KeyGenExp2PMB) { 0xe4, 0xe1, 0x9b, 0xf9, 0x12, 0x39, 0xb1, 0x79, 0xbb, 0x21, 0x92, 0x00, 0xa4, 0x89, 0xf5, 0xbd, 0xd7, 0x89, 0x27, 0x40, 0xdc, 0xb1, 0x09, 0x38, 0x63, 0x91, 0x8c, 0xa5, 0x27, 0x27, 0x97, 0x39, 0x35, 0xfa, 0x1a, 0x8a, - 0xa7, 0xe5, 0xc4, 0xd8, 0xbf, 0xe7, 0xbe - }; + 0xa7, 0xe5, 0xc4, 0xd8, 0xbf, 0xe7, 0xbe}; ASSERT_EQ(Bytes(kExpectedPub, sizeof(kExpectedPub)), Bytes(pub_key, pub_key_len)); } @@ -314,8 +309,7 @@ static int ec_point_uncompressed_from_compressed( const EC_GROUP *group, uint8_t out[EC_MAX_UNCOMPRESSED], size_t *out_len, const uint8_t *in, size_t len) { bssl::UniquePtr point(EC_POINT_new(group)); - if (!point || - !EC_POINT_oct2point(group, point.get(), in, len, nullptr)) { + if (!point || !EC_POINT_oct2point(group, point.get(), in, len, nullptr)) { return 0; } @@ -331,16 +325,14 @@ static bool setup_voprf_test_key(const EC_GROUP *group, 0x05, 0x16, 0x46, 0xb9, 0xe6, 0xe7, 0xa7, 0x1a, 0xe2, 0x7c, 0x1e, 0x1d, 0x0b, 0x87, 0xb4, 0x38, 0x1d, 0xb6, 0xd3, 0x59, 0x5e, 0xee, 0xb1, 0xad, 0xb4, 0x15, 0x79, 0xad, 0xbf, 0x99, 0x2f, 0x42, 0x78, 0xf9, 0x01, 0x6e, - 0xaf, 0xc9, 0x44, 0xed, 0xaa, 0x2b, 0x43, 0x18, 0x35, 0x81, 0x77, 0x9d - }; + 0xaf, 0xc9, 0x44, 0xed, 0xaa, 0x2b, 0x43, 0x18, 0x35, 0x81, 0x77, 0x9d}; static const uint8_t kPublicKey[] = { 0x03, 0x1d, 0x68, 0x96, 0x86, 0xc6, 0x11, 0x99, 0x1b, 0x55, 0xf1, 0xa1, 0xd8, 0xf4, 0x30, 0x5c, 0xcd, 0x6c, 0xb7, 0x19, 0x44, 0x6f, 0x66, 0x0a, 0x30, 0xdb, 0x61, 0xb7, 0xaa, 0x87, 0xb4, 0x6a, 0xcf, 0x59, 0xb7, 0xc0, 0xd4, 0xa9, 0x07, 0x7b, - 0x3d, 0xa2, 0x1c, 0x25, 0xdd, 0x48, 0x22, 0x29, 0xa0 - }; + 0x3d, 0xa2, 0x1c, 0x25, 0xdd, 0x48, 0x22, 0x29, 0xa0}; if (!ec_scalar_from_bytes(group, &out->xs, kPrivateKey, sizeof(kPrivateKey))) { 
@@ -364,16 +356,14 @@ TEST(TrustTokenTest, PSTV1VOPRFTestVector1) { 0xd6, 0x70, 0x0f, 0x09, 0xcb, 0x61, 0x19, 0x05, 0x43, 0xa7, 0xb7, 0xe2, 0xc6, 0xcd, 0x4f, 0xca, 0x56, 0x88, 0x7e, 0x56, 0x4e, 0xa8, 0x26, 0x53, 0xb2, 0x7f, 0xda, 0xd3, 0x83, 0x99, - 0x5e, 0xa6, 0xd0, 0x2c, 0xf2, 0x6d, 0x0e, 0x24, 0xd9 - }; + 0x5e, 0xa6, 0xd0, 0x2c, 0xf2, 0x6d, 0x0e, 0x24, 0xd9}; static const uint8_t kEvaluatedElement[] = { 0x02, 0xa7, 0xbb, 0xa5, 0x89, 0xb3, 0xe8, 0x67, 0x2a, 0xa1, 0x9e, 0x8f, 0xd2, 0x58, 0xde, 0x2e, 0x6a, 0xae, 0x20, 0x10, 0x1c, 0x8d, 0x76, 0x12, 0x46, 0xde, 0x97, 0xa6, 0xb5, 0xee, 0x9c, 0xf1, 0x05, 0xfe, 0xbc, 0xe4, 0x32, 0x7a, 0x32, 0x62, - 0x55, 0xa3, 0xc6, 0x04, 0xf6, 0x3f, 0x60, 0x0e, 0xf6 - }; + 0x55, 0xa3, 0xc6, 0x04, 0xf6, 0x3f, 0x60, 0x0e, 0xf6}; static const uint8_t kProof[] = { 0xbf, 0xc6, 0xcf, 0x38, 0x59, 0x12, 0x7f, 0x5f, 0xe2, 0x55, 0x48, 0x85, @@ -383,15 +373,13 @@ TEST(TrustTokenTest, PSTV1VOPRFTestVector1) { 0x87, 0xf3, 0xbf, 0x4f, 0x9f, 0x58, 0x02, 0x82, 0x97, 0xcc, 0xb9, 0xcc, 0xb1, 0x8a, 0xe7, 0x18, 0x2b, 0xcd, 0x1e, 0xf2, 0x39, 0xdf, 0x77, 0xe3, 0xbe, 0x65, 0xef, 0x14, 0x7f, 0x3a, 0xcf, 0x8b, 0xc9, 0xcb, 0xfc, 0x55, - 0x24, 0xb7, 0x02, 0x26, 0x34, 0x14, 0xf0, 0x43, 0xe3, 0xb7, 0xca, 0x2e - }; + 0x24, 0xb7, 0x02, 0x26, 0x34, 0x14, 0xf0, 0x43, 0xe3, 0xb7, 0xca, 0x2e}; static const uint8_t kProofScalar[] = { 0x80, 0x3d, 0x95, 0x5f, 0x0e, 0x07, 0x3a, 0x04, 0xaa, 0x5d, 0x92, 0xb3, 0xfb, 0x73, 0x9f, 0x56, 0xf9, 0xdb, 0x00, 0x12, 0x66, 0x67, 0x7f, 0x62, 0xc0, 0x95, 0x02, 0x1d, 0xb0, 0x18, 0xcd, 0x8c, 0xbb, 0x55, 0x94, 0x1d, - 0x40, 0x73, 0x69, 0x8c, 0xe4, 0x5c, 0x40, 0x5d, 0x13, 0x48, 0xb7, 0xb1 - }; + 0x40, 0x73, 0x69, 0x8c, 0xe4, 0x5c, 0x40, 0x5d, 0x13, 0x48, 0xb7, 0xb1}; uint8_t blinded_buf[EC_MAX_UNCOMPRESSED]; size_t blinded_len; 
@@ -437,35 +425,30 @@ TEST(TrustTokenTest, PSTV1VOPRFTestVector2) { 0xe5, 0xf2, 0xcc, 0xa0, 0x3d, 0x2b, 0xdc, 0x61, 0xe5, 0x52, 0x21, 0x72, 0x1c, 0x3b, 0x3e, 0x56, 0xfc, 0x01, 0x2e, 0x36, 0xd3, 0x1a, 0xe5, 0xf8, 0xdc, 0x05, 0x81, 0x09, 0x59, 0x15, - 0x56, 0xa6, 0xdb, 0xd3, 0xa8, 0xc6, 0x9c, 0x43, 0x3b - }; + 0x56, 0xa6, 0xdb, 0xd3, 0xa8, 0xc6, 0x9c, 0x43, 0x3b}; static const uint8_t kEvaluatedElement[] = { 0x03, 0xf1, 0x6f, 0x90, 0x39, 0x47, 0x03, 0x54, 0x00, 0xe9, 0x6b, 0x7f, 0x53, 0x1a, 0x38, 0xd4, 0xa0, 0x7a, 0xc8, 0x9a, 0x80, 0xf8, 0x9d, 0x86, 0xa1, 0xbf, 0x08, 0x9c, 0x52, 0x5a, 0x92, 0xc7, 0xf4, 0x73, 0x37, 0x29, 0xca, 0x30, 0xc5, 0x6c, - 0xe7, 0x8b, 0x1a, 0xb4, 0xf7, 0xd9, 0x2d, 0xb8, 0xb4 - }; + 0xe7, 0x8b, 0x1a, 0xb4, 0xf7, 0xd9, 0x2d, 0xb8, 0xb4}; static const uint8_t kProof[] = { - 0xd0, 0x05, 0xd6, 0xda, 0xaa, 0xd7, 0x57, 0x14, 0x14, 0xc1, 0xe0, - 0xc7, 0x5f, 0x7e, 0x57, 0xf2, 0x11, 0x3c, 0xa9, 0xf4, 0x60, 0x4e, - 0x84, 0xbc, 0x90, 0xf9, 0xbe, 0x52, 0xda, 0x89, 0x6f, 0xff, 0x3b, - 0xee, 0x49, 0x6d, 0xcd, 0xe2, 0xa5, 0x78, 0xae, 0x9d, 0xf3, 0x15, - 0x03, 0x25, 0x85, 0xf8, 0x01, 0xfb, 0x21, 0xc6, 0x08, 0x0a, 0xc0, - 0x56, 0x72, 0xb2, 0x91, 0xe5, 0x75, 0xa4, 0x02, 0x95, 0xb3, 0x06, - 0xd9, 0x67, 0x71, 0x7b, 0x28, 0xe0, 0x8f, 0xcc, 0x8a, 0xd1, 0xca, - 0xb4, 0x78, 0x45, 0xd1, 0x6a, 0xf7, 0x3b, 0x3e, 0x64, 0x3d, 0xdc, - 0xc1, 0x91, 0x20, 0x8e, 0x71, 0xc6, 0x46, 0x30 - }; + 0xd0, 0x05, 0xd6, 0xda, 0xaa, 0xd7, 0x57, 0x14, 0x14, 0xc1, 0xe0, 0xc7, + 0x5f, 0x7e, 0x57, 0xf2, 0x11, 0x3c, 0xa9, 0xf4, 0x60, 0x4e, 0x84, 0xbc, + 0x90, 0xf9, 0xbe, 0x52, 0xda, 0x89, 0x6f, 0xff, 0x3b, 0xee, 0x49, 0x6d, + 0xcd, 0xe2, 0xa5, 0x78, 0xae, 0x9d, 0xf3, 0x15, 0x03, 0x25, 0x85, 0xf8, + 0x01, 0xfb, 0x21, 0xc6, 0x08, 0x0a, 0xc0, 0x56, 0x72, 0xb2, 0x91, 0xe5, + 0x75, 0xa4, 0x02, 0x95, 0xb3, 0x06, 0xd9, 0x67, 0x71, 0x7b, 0x28, 0xe0, + 0x8f, 0xcc, 0x8a, 0xd1, 0xca, 0xb4, 0x78, 0x45, 0xd1, 0x6a, 0xf7, 0x3b, + 0x3e, 0x64, 0x3d, 0xdc, 0xc1, 0x91, 0x20, 0x8e, 0x71, 0xc6, 0x46, 0x30}; static 
const uint8_t kProofScalar[] = { 0x80, 0x3d, 0x95, 0x5f, 0x0e, 0x07, 0x3a, 0x04, 0xaa, 0x5d, 0x92, 0xb3, 0xfb, 0x73, 0x9f, 0x56, 0xf9, 0xdb, 0x00, 0x12, 0x66, 0x67, 0x7f, 0x62, 0xc0, 0x95, 0x02, 0x1d, 0xb0, 0x18, 0xcd, 0x8c, 0xbb, 0x55, 0x94, 0x1d, - 0x40, 0x73, 0x69, 0x8c, 0xe4, 0x5c, 0x40, 0x5d, 0x13, 0x48, 0xb7, 0xb1 - }; + 0x40, 0x73, 0x69, 0x8c, 0xe4, 0x5c, 0x40, 0x5d, 0x13, 0x48, 0xb7, 0xb1}; uint8_t blinded_buf[EC_MAX_UNCOMPRESSED]; size_t blinded_len; 
@@ -511,53 +494,45 @@ TEST(TrustTokenTest, PSTV1VOPRFTestVector3) { 0xd6, 0x70, 0x0f, 0x09, 0xcb, 0x61, 0x19, 0x05, 0x43, 0xa7, 0xb7, 0xe2, 0xc6, 0xcd, 0x4f, 0xca, 0x56, 0x88, 0x7e, 0x56, 0x4e, 0xa8, 0x26, 0x53, 0xb2, 0x7f, 0xda, 0xd3, 0x83, 0x99, - 0x5e, 0xa6, 0xd0, 0x2c, 0xf2, 0x6d, 0x0e, 0x24, 0xd9 - }; + 0x5e, 0xa6, 0xd0, 0x2c, 0xf2, 0x6d, 0x0e, 0x24, 0xd9}; static const uint8_t kBlindedElement2[] = { 0x02, 0xfa, 0x02, 0x47, 0x0d, 0x7f, 0x15, 0x10, 0x18, 0xb4, 0x1e, 0x82, 0x22, 0x3c, 0x32, 0xfa, 0xd8, 0x24, 0xde, 0x6a, 0xd4, 0xb5, 0xce, 0x9f, 0x8e, 0x9f, 0x98, 0x08, 0x3c, 0x9a, 0x72, 0x6d, 0xe9, 0xa1, 0xfc, 0x39, 0xd7, 0xa0, 0xcb, 0x6f, - 0x4f, 0x18, 0x8d, 0xd9, 0xce, 0xa0, 0x14, 0x74, 0xcd - }; + 0x4f, 0x18, 0x8d, 0xd9, 0xce, 0xa0, 0x14, 0x74, 0xcd}; static const uint8_t kEvaluatedElement1[] = { 0x02, 0xa7, 0xbb, 0xa5, 0x89, 0xb3, 0xe8, 0x67, 0x2a, 0xa1, 0x9e, 0x8f, 0xd2, 0x58, 0xde, 0x2e, 0x6a, 0xae, 0x20, 0x10, 0x1c, 0x8d, 0x76, 0x12, 0x46, 0xde, 0x97, 0xa6, 0xb5, 0xee, 0x9c, 0xf1, 0x05, 0xfe, 0xbc, 0xe4, 0x32, 0x7a, 0x32, 0x62, - 0x55, 0xa3, 0xc6, 0x04, 0xf6, 0x3f, 0x60, 0x0e, 0xf6 - }; + 0x55, 0xa3, 0xc6, 0x04, 0xf6, 0x3f, 0x60, 0x0e, 0xf6}; static const uint8_t kEvaluatedElement2[] = { 0x02, 0x8e, 0x9e, 0x11, 0x56, 0x25, 0xff, 0x4c, 0x2f, 0x07, 0xbf, 0x87, 0xce, 0x3f, 0xd7, 0x3f, 0xc7, 0x79, 0x94, 0xa7, 0xa0, 0xc1, 0xdf, 0x03, 0xd2, 0xa6, 0x30, 0xa3, 0xd8, 0x45, 0x93, 0x0e, 0x2e, 0x63, 0xa1, 0x65, 0xb1, 0x14, 0xd9, 0x8f, - 0xe3, 0x4e, 0x61, 0xb6, 0x8d, 0x23, 0xc0, 0xb5, 0x0a - }; + 0xe3, 0x4e, 0x61, 0xb6, 0x8d, 0x23, 0xc0, 0xb5, 0x0a}; static const uint8_t kProof[] = { - 0x6d, 0x8d, 0xcb, 0xd2, 0xfc, 0x95, 0x55, 0x0a, 0x02, 0x21, 0x1f, - 0xb7, 0x8a, 0xfd, 0x01, 0x39, 0x33, 0xf3, 0x07, 0xd2, 0x1e, 0x7d, - 0x85, 0x5b, 0x0b, 0x1e, 0xd0, 0xaf, 0x78, 0x07, 0x6d, 0x81, 0x37, - 0xad, 0x8b, 0x0a, 0x1b, 0xfa, 0x05, 0x67, 0x6d, 0x32, 0x52, 0x49, - 0xc1, 0xdb, 0xb9, 0xa5, 0x2b, 0xd8, 0x1b, 0x1c, 0x2b, 0x7b, 0x0e, - 0xfc, 0x77, 0xcf, 0x7b, 0x27, 0x8e, 0x1c, 0x94, 
0x7f, 0x62, 0x83, - 0xf1, 0xd4, 0xc5, 0x13, 0x05, 0x3f, 0xc0, 0xad, 0x19, 0xe0, 0x26, - 0xfb, 0x0c, 0x30, 0x65, 0x4b, 0x53, 0xd9, 0xce, 0xa4, 0xb8, 0x7b, - 0x03, 0x72, 0x71, 0xb5, 0xd2, 0xe2, 0xd0, 0xea - }; + 0x6d, 0x8d, 0xcb, 0xd2, 0xfc, 0x95, 0x55, 0x0a, 0x02, 0x21, 0x1f, 0xb7, + 0x8a, 0xfd, 0x01, 0x39, 0x33, 0xf3, 0x07, 0xd2, 0x1e, 0x7d, 0x85, 0x5b, + 0x0b, 0x1e, 0xd0, 0xaf, 0x78, 0x07, 0x6d, 0x81, 0x37, 0xad, 0x8b, 0x0a, + 0x1b, 0xfa, 0x05, 0x67, 0x6d, 0x32, 0x52, 0x49, 0xc1, 0xdb, 0xb9, 0xa5, + 0x2b, 0xd8, 0x1b, 0x1c, 0x2b, 0x7b, 0x0e, 0xfc, 0x77, 0xcf, 0x7b, 0x27, + 0x8e, 0x1c, 0x94, 0x7f, 0x62, 0x83, 0xf1, 0xd4, 0xc5, 0x13, 0x05, 0x3f, + 0xc0, 0xad, 0x19, 0xe0, 0x26, 0xfb, 0x0c, 0x30, 0x65, 0x4b, 0x53, 0xd9, + 0xce, 0xa4, 0xb8, 0x7b, 0x03, 0x72, 0x71, 0xb5, 0xd2, 0xe2, 0xd0, 0xea}; static const uint8_t kProofScalar[] = { - 0xa0, 0x97, 0xe7, 0x22, 0xed, 0x24, 0x27, 0xde, 0x86, 0x96, - 0x69, 0x10, 0xac, 0xba, 0x9f, 0x5c, 0x35, 0x0e, 0x80, 0x40, - 0xf8, 0x28, 0xbf, 0x6c, 0xec, 0xa2, 0x74, 0x05, 0x42, 0x0c, - 0xdf, 0x3d, 0x63, 0xcb, 0x3a, 0xef, 0x00, 0x5f, 0x40, 0xba, - 0x51, 0x94, 0x3c, 0x80, 0x26, 0x87, 0x79, 0x63 - }; - - uint8_t blinded_buf[2*EC_MAX_UNCOMPRESSED]; + 0xa0, 0x97, 0xe7, 0x22, 0xed, 0x24, 0x27, 0xde, 0x86, 0x96, 0x69, 0x10, + 0xac, 0xba, 0x9f, 0x5c, 0x35, 0x0e, 0x80, 0x40, 0xf8, 0x28, 0xbf, 0x6c, + 0xec, 0xa2, 0x74, 0x05, 0x42, 0x0c, 0xdf, 0x3d, 0x63, 0xcb, 0x3a, 0xef, + 0x00, 0x5f, 0x40, 0xba, 0x51, 0x94, 0x3c, 0x80, 0x26, 0x87, 0x79, 0x63}; + + uint8_t blinded_buf[2 * EC_MAX_UNCOMPRESSED]; size_t blinded_len; ASSERT_TRUE(ec_point_uncompressed_from_compressed( group, blinded_buf, &blinded_len, kBlindedElement1, 
@@ -600,13 +575,9 @@ TEST(TrustTokenTest, PSTV1VOPRFTestVector3) { } static std::vector AllMethods() { - return { - TRUST_TOKEN_experiment_v1(), - TRUST_TOKEN_experiment_v2_voprf(), - TRUST_TOKEN_experiment_v2_pmb(), - TRUST_TOKEN_pst_v1_voprf(), - TRUST_TOKEN_pst_v1_pmb() - }; + return {TRUST_TOKEN_experiment_v1(), TRUST_TOKEN_experiment_v2_voprf(), + TRUST_TOKEN_experiment_v2_pmb(), TRUST_TOKEN_pst_v1_voprf(), + TRUST_TOKEN_pst_v1_pmb()}; } class TrustTokenProtocolTestBase : public ::testing::Test { @@ -936,7 +907,7 @@ TEST_P(TrustTokenProtocolTest, IssuedWithBadKeyID) { class TrustTokenMetadataTest : public TrustTokenProtocolTestBase, public testing::WithParamInterface< - std::tuple> { + std::tuple> { public: TrustTokenMetadataTest() : TrustTokenProtocolTestBase(std::get<0>(GetParam()), @@ -1181,8 +1152,7 @@ TEST_P(TrustTokenMetadataTest, ExcessDataProof) { INSTANTIATE_TEST_SUITE_P( TrustTokenAllMetadataTest, TrustTokenMetadataTest, - testing::Combine(testing::ValuesIn(AllMethods()), - testing::Bool(), + testing::Combine(testing::ValuesIn(AllMethods()), testing::Bool(), testing::Values(TrustTokenProtocolTest::KeyID(0), TrustTokenProtocolTest::KeyID(1), TrustTokenProtocolTest::KeyID(2)), @@ -1251,8 +1221,7 @@ TEST_P(TrustTokenBadKeyTest, BadKey) { INSTANTIATE_TEST_SUITE_P(TrustTokenAllBadKeyTest, TrustTokenBadKeyTest, testing::Combine(testing::ValuesIn(AllMethods()), - testing::Bool(), - testing::Bool(), + testing::Bool(), testing::Bool(), testing::Values(0, 1, 2, 3, 4, 5))); } // namespace diff --git a/crypto/trust_token/voprf.c b/crypto/trust_token/voprf.c index 504deee534..b325500927 100644 --- a/crypto/trust_token/voprf.c +++ b/crypto/trust_token/voprf.c 
@@ -230,8 +230,7 @@ static STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_blind(const VOPRF_METHOD *method, // We sample r in Montgomery form to simplify inverting. EC_SCALAR r; - if (!ec_random_nonzero_scalar(group, &r, - kDefaultAdditionalData)) { + if (!ec_random_nonzero_scalar(group, &r, kDefaultAdditionalData)) { goto err; } @@ -275,12 +274,9 @@ static int hash_to_scalar_dleq(const VOPRF_METHOD *method, EC_SCALAR *out, size_t len; if (!CBB_init(&cbb, 0) || !CBB_add_bytes(&cbb, kDLEQLabel, sizeof(kDLEQLabel)) || - !cbb_add_point(&cbb, group, X) || - !cbb_add_point(&cbb, group, T) || - !cbb_add_point(&cbb, group, W) || - !cbb_add_point(&cbb, group, K0) || - !cbb_add_point(&cbb, group, K1) || - !CBB_finish(&cbb, &buf, &len) || + !cbb_add_point(&cbb, group, X) || !cbb_add_point(&cbb, group, T) || + !cbb_add_point(&cbb, group, W) || !cbb_add_point(&cbb, group, K0) || + !cbb_add_point(&cbb, group, K1) || !CBB_finish(&cbb, &buf, &len) || !method->hash_to_scalar(group, out, buf, len)) { goto err; } @@ -335,8 +331,7 @@ static int hash_to_scalar_batch(const VOPRF_METHOD *method, EC_SCALAR *out, if (!CBB_init(&cbb, 0) || !CBB_add_bytes(&cbb, kDLEQBatchLabel, sizeof(kDLEQBatchLabel)) || !CBB_add_bytes(&cbb, CBB_data(points), CBB_len(points)) || - !CBB_add_u16(&cbb, (uint16_t)index) || - !CBB_finish(&cbb, &buf, &len) || + !CBB_add_u16(&cbb, (uint16_t)index) || !CBB_finish(&cbb, &buf, &len) || !method->hash_to_scalar(method->group_func(), out, buf, len)) { goto err; } @@ -365,11 +360,11 @@ static int dleq_generate(const VOPRF_METHOD *method, CBB *cbb, // Setup the DLEQ proof. EC_SCALAR r; - if (// r <- Zp + if ( // r <- Zp !ec_random_nonzero_scalar(group, &r, kDefaultAdditionalData) || // k0;k1 = r*(G;T) !ec_point_mul_scalar_base(group, &jacobians[idx_k0], &r) || - !ec_point_mul_scalar(group, &jacobians[idx_k1], T, &r)) { + !ec_point_mul_scalar(group, &jacobians[idx_k1], T, &r)) { return 0; } 
@@ -398,8 +393,7 @@ static int dleq_generate(const VOPRF_METHOD *method, CBB *cbb, ec_scalar_add(group, &u, &r, &u); // Store DLEQ proof in transcript. - if (!scalar_to_cbb(cbb, group, &c) || - !scalar_to_cbb(cbb, group, &u)) { + if (!scalar_to_cbb(cbb, group, &c) || !scalar_to_cbb(cbb, group, &u)) { return 0; } @@ -432,8 +426,7 @@ static int dleq_verify(const VOPRF_METHOD *method, CBS *cbs, // Decode the DLEQ proof. EC_SCALAR c, u; - if (!scalar_from_cbs(cbs, group, &c) || - !scalar_from_cbs(cbs, group, &u)) { + if (!scalar_from_cbs(cbs, group, &c) || !scalar_from_cbs(cbs, group, &u)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); return 0; } @@ -489,10 +482,7 @@ static int voprf_sign_tt(const VOPRF_METHOD *method, EC_SCALAR *es = OPENSSL_calloc(num_to_issue, sizeof(EC_SCALAR)); CBB batch_cbb; CBB_zero(&batch_cbb); - if (!BTs || - !Zs || - !es || - !CBB_init(&batch_cbb, 0) || + if (!BTs || !Zs || !es || !CBB_init(&batch_cbb, 0) || !cbb_add_point(&batch_cbb, group, &key->pubs)) { goto err; } @@ -583,10 +573,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt( EC_SCALAR *es = OPENSSL_calloc(count, sizeof(EC_SCALAR)); CBB batch_cbb; CBB_zero(&batch_cbb); - if (ret == NULL || - BTs == NULL || - Zs == NULL || - es == NULL || + if (ret == NULL || BTs == NULL || Zs == NULL || es == NULL || !CBB_init(&batch_cbb, 0) || !cbb_add_point(&batch_cbb, group, &key->pubs)) { goto err; @@ -635,8 +622,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt( TRUST_TOKEN *token = TRUST_TOKEN_new(CBB_data(&token_cbb), CBB_len(&token_cbb)); CBB_cleanup(&token_cbb); - if (token == NULL || - !sk_TRUST_TOKEN_push(ret, token)) { + if (token == NULL || !sk_TRUST_TOKEN_push(ret, token)) { TRUST_TOKEN_free(token); goto err; } 
@@ -685,11 +671,12 @@ static void sha384_update_u16(SHA512_CTX *ctx, uint16_t v) { SHA384_Update(ctx, buf, 2); } -static void sha384_update_point_with_length( - SHA512_CTX *ctx, const EC_GROUP *group, const EC_AFFINE *point) { +static void sha384_update_point_with_length(SHA512_CTX *ctx, + const EC_GROUP *group, + const EC_AFFINE *point) { uint8_t buf[EC_MAX_COMPRESSED]; - size_t len = ec_point_to_bytes(group, point, POINT_CONVERSION_COMPRESSED, - buf, sizeof(buf)); + size_t len = ec_point_to_bytes(group, point, POINT_CONVERSION_COMPRESSED, buf, + sizeof(buf)); assert(len > 0); sha384_update_u16(ctx, (uint16_t)len); SHA384_Update(ctx, buf, len); @@ -729,11 +716,9 @@ static int compute_composite_element(const VOPRF_METHOD *method, if (!CBB_init_fixed(&cbb, transcript, sizeof(transcript)) || !CBB_add_u16(&cbb, SHA384_DIGEST_LENGTH) || !CBB_add_bytes(&cbb, seed, SHA384_DIGEST_LENGTH) || - !CBB_add_u16(&cbb, index) || - !cbb_serialize_point(&cbb, group, C) || + !CBB_add_u16(&cbb, index) || !cbb_serialize_point(&cbb, group, C) || !cbb_serialize_point(&cbb, group, D) || - !CBB_add_bytes(&cbb, kCompositeLabel, - sizeof(kCompositeLabel) - 1) || + !CBB_add_bytes(&cbb, kCompositeLabel, sizeof(kCompositeLabel) - 1) || !CBB_finish(&cbb, NULL, &len) || !method->hash_to_scalar(group, di, transcript, len)) { return 0; @@ -786,8 +771,7 @@ static int generate_proof(const VOPRF_METHOD *method, CBB *cbb, ec_scalar_sub(group, &s, r, &s); // Store DLEQ proof in transcript. - if (!scalar_to_cbb(cbb, group, &c) || - !scalar_to_cbb(cbb, group, &s)) { + if (!scalar_to_cbb(cbb, group, &c) || !scalar_to_cbb(cbb, group, &s)) { return 0; } 
@@ -795,8 +779,8 @@ static int generate_proof(const VOPRF_METHOD *method, CBB *cbb, } static int verify_proof(const VOPRF_METHOD *method, CBS *cbs, - const TRUST_TOKEN_CLIENT_KEY *pub, - const EC_JACOBIAN *M, const EC_JACOBIAN *Z) { + const TRUST_TOKEN_CLIENT_KEY *pub, const EC_JACOBIAN *M, + const EC_JACOBIAN *Z) { const EC_GROUP *group = method->group_func(); enum { @@ -809,16 +793,14 @@ static int verify_proof(const VOPRF_METHOD *method, CBS *cbs, EC_JACOBIAN jacobians[num_idx]; EC_SCALAR c, s; - if (!scalar_from_cbs(cbs, group, &c) || - !scalar_from_cbs(cbs, group, &s)) { + if (!scalar_from_cbs(cbs, group, &c) || !scalar_from_cbs(cbs, group, &s)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); return 0; } EC_JACOBIAN pubs; ec_affine_to_jacobian(group, &pubs, &pub->pubs); - if (!ec_point_mul_scalar_public(group, &jacobians[idx_t2], &s, &pubs, - &c) || + if (!ec_point_mul_scalar_public(group, &jacobians[idx_t2], &s, &pubs, &c) || !mul_public_2(group, &jacobians[idx_t3], M, &s, Z, &c)) { return 0; } @@ -1022,8 +1004,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind( TRUST_TOKEN *token = TRUST_TOKEN_new(CBB_data(&token_cbb), CBB_len(&token_cbb)); CBB_cleanup(&token_cbb); - if (token == NULL || - !sk_TRUST_TOKEN_push(ret, token)) { + if (token == NULL || !sk_TRUST_TOKEN_push(ret, token)) { TRUST_TOKEN_free(token); goto err; } @@ -1031,18 +1012,15 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind( EC_JACOBIAN M, Z; if (!ec_point_mul_scalar_public_batch(group, &M, - /*g_scalar=*/NULL, BTs, dis, - count) || + /*g_scalar=*/NULL, BTs, dis, count) || !ec_point_mul_scalar_public_batch(group, &Z, - /*g_scalar=*/NULL, Zs, dis, - count)) { + /*g_scalar=*/NULL, Zs, dis, count)) { goto err; } CBS proof; if (!CBS_get_u16_length_prefixed(cbs, &proof) || - !verify_proof(method, &proof, key, &M, &Z) || - CBS_len(&proof) != 0) { + !verify_proof(method, &proof, key, &M, &Z) || CBS_len(&proof) != 0) { goto err; } 
@@ -1069,8 +1047,7 @@ static int voprf_read(const VOPRF_METHOD *method,
 CBS_init(&cbs, token, token_len);
 EC_AFFINE Ws;
 if (!CBS_get_bytes(&cbs, &salt, TRUST_TOKEN_NONCE_SIZE) ||
- !cbs_get_point(&cbs, group, &Ws) ||
- CBS_len(&cbs) != 0) {
+ !cbs_get_point(&cbs, group, &Ws) || CBS_len(&cbs) != 0) {
 OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_TOKEN);
 return 0;
 }
@@ -1113,7 +1090,7 @@ static int voprf_exp2_hash_to_group(const EC_GROUP *group, EC_JACOBIAN *out,
 }
 
 static int voprf_exp2_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
- uint8_t *buf, size_t len) {
+ uint8_t *buf, size_t len) {
 const uint8_t kHashCLabel[] = "TrustToken VOPRF Experiment V2 HashToScalar";
 return ec_hash_to_scalar_p384_xmd_sha512_draft07(
 group, out, kHashCLabel, sizeof(kHashCLabel), buf, len);
@@ -1189,7 +1166,7 @@ static int voprf_pst1_hash_to_group(const EC_GROUP *group, EC_JACOBIAN *out,
 }
 
 static int voprf_pst1_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
- uint8_t *buf, size_t len) {
+ uint8_t *buf, size_t len) {
 const uint8_t kHashCLabel[] = "HashToScalar-OPRFV1-\x01-P384-SHA384";
 return ec_hash_to_scalar_p384_xmd_sha384(group, out, kHashCLabel,
 sizeof(kHashCLabel) - 1, buf, len);
diff --git a/crypto/x509/algorithm.c b/crypto/x509/algorithm.c
index 38b919252e..7400fe0aed 100644
--- a/crypto/x509/algorithm.c
+++ b/crypto/x509/algorithm.c
@@ -62,8 +62,8 @@
 #include
 #include
-#include "../fipsmodule/pqdsa/internal.h"
 #include "../fipsmodule/evp/internal.h"
+#include "../fipsmodule/pqdsa/internal.h"
 #include "internal.h"
 
 // Restrict the digests that are allowed in X509 certificates
@@ -99,7 +99,8 @@ int x509_digest_sign_algorithm(EVP_MD_CTX *ctx, X509_ALGOR *algor) {
 }
 
 if (EVP_PKEY_id(pkey) == EVP_PKEY_PQDSA) {
- return X509_ALGOR_set0(algor, OBJ_nid2obj(pkey->pkey.pqdsa_key->pqdsa->nid), V_ASN1_UNDEF, NULL);
+ return X509_ALGOR_set0(algor, OBJ_nid2obj(pkey->pkey.pqdsa_key->pqdsa->nid),
+ V_ASN1_UNDEF, NULL);
 }
 
 // Default behavior: look up the OID for the algorithm/hash pair and encode
@@ -142,7 +143,7 @@ int x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,
 if (pkey_nid != EVP_PKEY_id(pkey) &&
 !(sigalg_nid == NID_rsassaPss && pkey_nid == NID_rsaEncryption &&
 EVP_PKEY_id(pkey) == EVP_PKEY_RSA_PSS) &&
- !(sigalg_nid == NID_MLDSA65 && pkey_nid == NID_MLDSA65 &&
+ !(sigalg_nid == NID_MLDSA65 && pkey_nid == NID_MLDSA65 &&
 EVP_PKEY_id(pkey) == EVP_PKEY_PQDSA)) {
 OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_PUBLIC_KEY_TYPE);
 return 0;
diff --git a/crypto/x509/asn1_gen.c b/crypto/x509/asn1_gen.c
index 73a5cc3f0c..cbef626eb9 100644
--- a/crypto/x509/asn1_gen.c
+++ b/crypto/x509/asn1_gen.c
@@ -133,8 +133,7 @@ static int cbs_str_equal(const CBS *cbs, const char *str) {
 static CBS_ASN1_TAG parse_tag(const CBS *cbs) {
 CBS copy = *cbs;
 uint64_t num;
- if (!CBS_get_u64_decimal(©, &num) ||
- num > CBS_ASN1_TAG_NUMBER_MASK) {
+ if (!CBS_get_u64_decimal(©, &num) || num > CBS_ASN1_TAG_NUMBER_MASK) {
 OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_NUMBER);
 return 0;
 }
@@ -400,8 +399,7 @@ static int generate_v3(CBB *cbb, const char *str, const X509V3_CTX *cnf,
 uint8_t *out;
 int ok = len > 0 && //
 CBB_add_space(&child, &out, len) &&
- i2c_ASN1_INTEGER(obj, &out) == len &&
- CBB_flush(cbb);
+ i2c_ASN1_INTEGER(obj, &out) == len && CBB_flush(cbb);
 ASN1_INTEGER_free(obj);
 return ok;
 }
@@ -428,7 +426,7 @@ static int generate_v3(CBB *cbb, const char *str, const X509V3_CTX *cnf,
 return 0;
 }
 CBS value_cbs;
- CBS_init(&value_cbs, (const uint8_t*)value, strlen(value));
+ CBS_init(&value_cbs, (const uint8_t *)value, strlen(value));
 int ok = type == CBS_ASN1_UTCTIME ? CBS_parse_utc_time(&value_cbs, NULL, /*allow_timezone_offset=*/0)
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
index c66b29f4f0..1a67120f21 100644
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@@ -307,9 +307,9 @@ struct x509_store_st {
 X509_VERIFY_PARAM *param;
 
 // Callbacks for various operations
- X509_STORE_CTX_verify_cb verify_cb; // error callback
- X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL
- X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity
+ X509_STORE_CTX_verify_cb verify_cb; // error callback
+ X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL
+ X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity
 
 CRYPTO_refcount_t references;
 CRYPTO_EX_DATA ex_data;
@@ -318,7 +318,7 @@ struct x509_store_st {
 // This is the functions plus an instance of the local variables.
 struct x509_lookup_st {
 const X509_LOOKUP_METHOD *method; // the functions
- void *method_data; // method data
+ void *method_data; // method data
 X509_STORE *store_ctx; // who owns us
 } /* X509_LOOKUP */;
@@ -341,9 +341,9 @@ struct x509_store_ctx_st {
 STACK_OF(X509) *trusted_stack;
 
 // Callbacks for various operations
- X509_STORE_CTX_verify_cb verify_cb; // error callback
- X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL
- X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity
+ X509_STORE_CTX_verify_cb verify_cb; // error callback
+ X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL
+ X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity
 
 // The following is built up
@@ -357,7 +357,7 @@ struct x509_store_ctx_st {
 X509 *current_issuer; // cert currently being tested as valid issuer
 X509_CRL *current_crl; // current CRL
- int current_crl_score; // score of current CRL
+ int current_crl_score; // score of current CRL
 
 CRYPTO_EX_DATA ex_data;
 } /* X509_STORE_CTX */;
diff --git a/crypto/x509/policy.c b/crypto/x509/policy.c
index 52039b639f..d003cef26d 100644
--- a/crypto/x509/policy.c
+++ b/crypto/x509/policy.c
@@ -672,8 +672,7 @@ int X509_policy_check(const STACK_OF(X509) *certs,
 (flags & X509_V_FLAG_EXPLICIT_POLICY) ? 0 : num_certs + 1;
 size_t inhibit_any_policy =
 (flags & X509_V_FLAG_INHIBIT_ANY) ? 0 : num_certs + 1;
- size_t policy_mapping =
- (flags & X509_V_FLAG_INHIBIT_MAP) ? 0 : num_certs + 1;
+ size_t policy_mapping = (flags & X509_V_FLAG_INHIBIT_MAP) ? 0 : num_certs + 1;
 
 levels = sk_X509_POLICY_LEVEL_new_null();
 if (levels == NULL) {
diff --git a/crypto/x509/rsa_pss.c b/crypto/x509/rsa_pss.c
index f4da3756b6..e5ba870121 100644
--- a/crypto/x509/rsa_pss.c
+++ b/crypto/x509/rsa_pss.c
@@ -250,7 +250,8 @@ int x509_rsa_ctx_to_pss(EVP_MD_CTX *ctx, X509_ALGOR *algor) {
 goto err;
 }
 
- if (!X509_ALGOR_set0(algor, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os)) {
+ if (!X509_ALGOR_set0(algor, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE,
+ os)) {
 goto err;
 }
 os = NULL;
diff --git a/crypto/x509/tab_test.cc b/crypto/x509/tab_test.cc
index be17b7ad1d..e01c053c10 100644
--- a/crypto/x509/tab_test.cc
+++ b/crypto/x509/tab_test.cc
@@ -70,7 +70,7 @@ TEST(X509V3Test, TabTest) {
 EXPECT_EQ(OPENSSL_ARRAY_SIZE(standard_exts), STANDARD_EXTENSION_COUNT);
 for (size_t i = 1; i < OPENSSL_ARRAY_SIZE(standard_exts); i++) {
 SCOPED_TRACE(i);
- EXPECT_LT(standard_exts[i-1]->ext_nid, standard_exts[i]->ext_nid);
+ EXPECT_LT(standard_exts[i - 1]->ext_nid, standard_exts[i]->ext_nid);
 }
 }
diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c
index f62e632fef..5a49740416 100644
--- a/crypto/x509/v3_conf.c
+++ b/crypto/x509/v3_conf.c
@@ -418,9 +418,7 @@ const STACK_OF(CONF_VALUE) *X509V3_get_section(const X509V3_CTX *ctx,
 return NCONF_get_section(ctx->db, section);
 }
 
-void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf) {
- ctx->db = conf;
-}
+void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf) { ctx->db = conf; }
 
 void X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer, const X509 *subj,
 const X509_REQ *req, const X509_CRL *crl, int flags) {
diff --git a/crypto/x509/v3_ocsp.c b/crypto/x509/v3_ocsp.c
index 60571cb33c..2a7075b35b 100644
--- a/crypto/x509/v3_ocsp.c
+++ b/crypto/x509/v3_ocsp.c
@@ -50,22 +50,20 @@ const X509V3_EXT_METHOD v3_crl_invdate = {
 NULL,
 };
 
-const X509V3_EXT_METHOD v3_ocsp_nonce = {
- NID_id_pkix_OCSP_Nonce,
- 0,
- NULL,
- ocsp_nonce_new,
- ocsp_nonce_free,
- d2i_ocsp_nonce,
- i2d_ocsp_nonce,
- 0,
- 0,
- 0,
- 0,
- i2r_ocsp_nonce,
- 0,
- NULL
-};
+const X509V3_EXT_METHOD v3_ocsp_nonce = {NID_id_pkix_OCSP_Nonce,
+ 0,
+ NULL,
+ ocsp_nonce_new,
+ ocsp_nonce_free,
+ d2i_ocsp_nonce,
+ i2d_ocsp_nonce,
+ 0,
+ 0,
+ 0,
+ 0,
+ i2r_ocsp_nonce,
+ 0,
+ NULL};
 
 const X509V3_EXT_METHOD v3_ocsp_nocheck = {
 NID_id_pkix_OCSP_noCheck,
diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
index 99791d87ca..fa7d16f1f6 100644
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -171,10 +171,10 @@ int X509_PURPOSE_get_by_sname(const char *sname) {
 }
 
 int X509_PURPOSE_get_by_id(int purpose) {
- for (size_t i = 0; i #include -#include #include +#include #include #include "internal.h"
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 584bb49e2f..009fe32820 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -1262,8 +1262,8 @@ static int ipv6_from_asc(unsigned char v6[16], const char *in) {
 // This condition is to suppress gcc-12 warning.
 // https://github.com/aws/aws-lc/issues/487
 if (v6stat.zero_pos >= v6stat.total) {
- // This should not happen.
- return 0;
+ // This should not happen.
+ return 0;
 }
 OPENSSL_memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
 // Copy final part
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 87518ffa8b..0c20a89098 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -59,8 +59,8 @@
 #include
 #include
 #include
-#include
 #include
+#include
 #include
 #include
 #include
@@ -86,9 +86,7 @@ int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) {
 return OPENSSL_memcmp(a->crl_hash, b->crl_hash, SHA256_DIGEST_LENGTH);
 }
 
-X509_NAME *X509_get_issuer_name(const X509 *a) {
- return a->cert_info->issuer;
-}
+X509_NAME *X509_get_issuer_name(const X509 *a) { return a->cert_info->issuer; }
 
 uint32_t X509_issuer_name_hash(X509 *x) {
 return X509_NAME_hash(x->cert_info->issuer);
diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c
index ebce685914..616efea1ce 100644
--- a/crypto/x509/x509_def.c
+++ b/crypto/x509/x509_def.c
@@ -77,6 +77,4 @@ const char *X509_get_default_cert_file(void) { return X509_CERT_FILE; }
 const char *X509_get_default_cert_dir_env(void) { return X509_CERT_DIR_EVP; }
 
-const char *X509_get_default_cert_file_env(void) {
- return X509_CERT_FILE_EVP;
-}
+const char *X509_get_default_cert_file_env(void) { return X509_CERT_FILE_EVP; }
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 6daed45015..05aa890acd 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -67,8 +67,8 @@ static int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
 X509_NAME *name);
-static X509_OBJECT *X509_OBJECT_retrieve_by_subject(
- STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name);
+static X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
+ int type, X509_NAME *name);
 static X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
 X509_OBJECT *x);
 static int X509_OBJECT_up_ref_count(X509_OBJECT *a);
@@ -164,8 +164,7 @@ X509_STORE *X509_STORE_new(void) {
 ret->objs = sk_X509_OBJECT_new(x509_object_cmp_sk);
 ret->get_cert_methods = sk_X509_LOOKUP_new_null();
 ret->param = X509_VERIFY_PARAM_new();
- if (ret->objs == NULL ||
- ret->get_cert_methods == NULL ||
+ if (ret->objs == NULL || ret->get_cert_methods == NULL ||
 ret->param == NULL) {
 X509_STORE_free(ret);
 return NULL;
@@ -175,19 +174,19 @@ X509_STORE *X509_STORE_new(void) {
 }
 
 int X509_STORE_lock(X509_STORE *v) {
- if (v == NULL) {
- return 0;
- }
- CRYPTO_MUTEX_lock_write(&v->objs_lock);
- return 1;
+ if (v == NULL) {
+ return 0;
+ }
+ CRYPTO_MUTEX_lock_write(&v->objs_lock);
+ return 1;
 }
 
 int X509_STORE_unlock(X509_STORE *v) {
- if (v == NULL) {
- return 0;
- }
- CRYPTO_MUTEX_unlock_write(&v->objs_lock);
- return 1;
+ if (v == NULL) {
+ return 0;
+ }
+ CRYPTO_MUTEX_unlock_write(&v->objs_lock);
+ return 1;
 }
 
 int X509_STORE_up_ref(X509_STORE *store) {
@@ -360,25 +359,25 @@ X509_CRL *X509_OBJECT_get0_X509_CRL(const X509_OBJECT *a) {
 }
 
 int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj) {
- if (a == NULL || !X509_up_ref(obj)) {
- return 0;
- }
+ if (a == NULL || !X509_up_ref(obj)) {
+ return 0;
+ }
 
- X509_OBJECT_free_contents(a);
- a->type = X509_LU_X509;
- a->data.x509 = obj;
- return 1;
+ X509_OBJECT_free_contents(a);
+ a->type = X509_LU_X509;
+ a->data.x509 = obj;
+ return 1;
 }
 
 int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj) {
- if (a == NULL || !X509_CRL_up_ref(obj)) {
- return 0;
- }
+ if (a == NULL || !X509_CRL_up_ref(obj)) {
+ return 0;
+ }
 
- X509_OBJECT_free_contents(a);
- a->type = X509_LU_CRL;
- a->data.crl = obj;
- return 1;
+ X509_OBJECT_free_contents(a);
+ a->type = X509_LU_CRL;
+ a->data.crl = obj;
+ return 1;
 }
 
 static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
@@ -431,8 +430,8 @@ static int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
 return x509_object_idx_cnt(h, type, name, NULL);
 }
 
-X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
- int type, X509_NAME *name) {
+X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
+ X509_NAME *name) {
 int idx;
 idx = X509_OBJECT_idx_by_subject(h, type, name);
 if (idx == -1) {
@@ -570,7 +569,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) {
 }
 // If certificate matches all OK
 if (x509_check_issued_with_callback(ctx, x, obj.data.x509)) {
- if (x509_check_cert_time(ctx, obj.data.x509, /*suppress_error*/1)) {
+ if (x509_check_cert_time(ctx, obj.data.x509, /*suppress_error*/ 1)) {
 *issuer = obj.data.x509;
 return 1;
 }
@@ -601,14 +600,14 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) {
 // we continue searching. We leave the last tested issuer certificate in
 // |issuer| on purpose. This returns the closest match if none of the
 // candidate issuer certificates' timestamps were valid.
- if (x509_check_cert_time(ctx, *issuer, /*suppress_error*/1)) {
+ if (x509_check_cert_time(ctx, *issuer, /*suppress_error*/ 1)) {
 break;
 }
 }
 }
 }
 CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);
- if(*issuer) {
+ if (*issuer) {
 X509_up_ref(*issuer);
 }
 return ret;
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index 7fda8f0c58..5598840eaa 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -35,11 +35,11 @@
 #include
 #include
-#include "internal.h"
 #include "../evp_extra/internal.h"
+#include "../fipsmodule/pqdsa/internal.h"
 #include "../internal.h"
 #include "../test/test_util.h"
-#include "../fipsmodule/pqdsa/internal.h"
+#include "internal.h"
 
 #if defined(OPENSSL_THREADS)
 #include
@@ -230,8 +230,9 @@ Z0IL+OQFz6+LcTHxD27JJCebrATXZA0wThGTQDm7crL+a+SujBY=
 )";
 
 // kExampleRsassaPssCert is an example RSA-PSS self-signed certificate,
-// signed with sha256. The Public Key Algorithm of 'kExamplePSSCert' is 'rsaEncryption'.
-// But the Public Key Algorithm of'kExampleRsassaPssCert' is 'rsassaPss'.
+// signed with sha256. The Public Key Algorithm of 'kExamplePSSCert' is
+// 'rsaEncryption'. But the Public Key Algorithm of'kExampleRsassaPssCert' is
+// 'rsassaPss'.
 static const char kExampleRsassaPssCert[] = R"(
 -----BEGIN CERTIFICATE-----
 MIIDfDCCAjmgAwIBAgIUEIxD6A5SEeKV47rjkU8lPp4YOcEwOAYJKoZIhvcNAQEK
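Review bot: The reflowed comment in the `@@ -230,8 +230,9 @@` hunk of x509_test.cc carries over the pre-existing typo `of'kExampleRsassaPssCert'` (missing space before the opening quote). Since that line is already rewritten by the formatter, `// 'rsaEncryption'. But the Public Key Algorithm of 'kExampleRsassaPssCert' is` would fix it and still fits within the 80-column limit, so no further reflow is needed.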
@@ -577,7 +578,7 @@ w1AH9efZBw==
 )";
 
 // This certificate is the example certificate provided in section 3 of
-//https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
+// https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
 static const char kMLDSA65Cert[] = R"(
 -----BEGIN CERTIFICATE-----
 MIIVjTCCCIqgAwIBAgIUFZ/+byL9XMQsUk32/V4o0N44804wCwYJYIZIAWUDBAMS
@@ -1057,8 +1058,8 @@ d5YVX0c90VMnUhF/dlrqS9U=
 // if includeNetscapeExtension {
 // interTemplate.ExtraExtensions = []pkix.Extension{
 // pkix.Extension{
-// Id: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 113730, 1, 1}),
-// Value: []byte{0x03, 0x02, 2, 0x04},
+// Id: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 113730, 1,
+// 1}), Value: []byte{0x03, 0x02, 2, 0x04},
 // },
 // }
 // } else {
@@ -1067,8 +1068,8 @@ d5YVX0c90VMnUhF/dlrqS9U=
 // interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-// interDER, err := x509.CreateCertificate(rand.Reader, interTemplate, root, &interKey.PublicKey, rootPriv)
-// if err != nil {
+// interDER, err := x509.CreateCertificate(rand.Reader, interTemplate, root,
+// &interKey.PublicKey, rootPriv) if err != nil {
 // panic(err)
 // }
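Review bot: The reflow of the Go generator script embedded in these x509_test.cc comments breaks it: in the `@@ -1057` and `@@ -1067` hunks here, and in the `@@ -1081` and `@@ -1367` hunks that follow, clang-format has wrapped Go statements so that `1}), Value: []byte{0x03, 0x02, 2, 0x04},` and `&interKey.PublicKey, rootPriv) if err != nil {` now share a comment line, which means the script can no longer be copied out and run to regenerate the test certificates. Since this is a formatting-only commit, the intent is presumably to keep that script verbatim; wrapping the comment block in `// clang-format off` / `// clang-format on` and restoring the original line breaks would do that. The comment block itself starts and ends outside these hunks.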
@@ -1081,14 +1082,14 @@ d5YVX0c90VMnUhF/dlrqS9U=
 // Subject: pkix.Name{
 // CommonName: "Leaf from CA with no Basic Constraints",
 // },
-// NotBefore: time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC),
-// NotAfter: time.Date(2099, time.January, 1, 0, 0, 0, 0, time.UTC),
-// BasicConstraintsValid: true,
+// NotBefore: time.Date(2000, time.January, 1, 0, 0, 0, 0,
+// time.UTC), NotAfter: time.Date(2099, time.January, 1, 0,
+// 0, 0, 0, time.UTC), BasicConstraintsValid: true,
 // }
 // leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-// leafDER, err := x509.CreateCertificate(rand.Reader, leafTemplate, inter, &leafKey.PublicKey, interKey)
-// if err != nil {
+// leafDER, err := x509.CreateCertificate(rand.Reader, leafTemplate, inter,
+// &leafKey.PublicKey, interKey) if err != nil {
 // panic(err)
 // }
@@ -1367,14 +1368,14 @@ static const char kCommonNameNotDNS[] = "Not a DNS name";
 // Subject: pkix.Name{
 // CommonName: "EKU msSGC",
 // },
-// NotBefore: time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC),
-// NotAfter: time.Date(2099, time.January, 1, 0, 0, 0, 0, time.UTC),
-// BasicConstraintsValid: true,
-// ExtKeyUsage: []x509.ExtKeyUsage{FILL IN HERE},
+// NotBefore: time.Date(2000, time.January, 1, 0, 0, 0, 0,
+// time.UTC), NotAfter: time.Date(2099, time.January, 1, 0,
+// 0, 0, 0, time.UTC), BasicConstraintsValid: true, ExtKeyUsage:
+// []x509.ExtKeyUsage{FILL IN HERE},
 // }
 // leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-// leafDER, err := x509.CreateCertificate(rand.Reader, leafTemplate, root, &leafKey.PublicKey, rootPriv)
-// if err != nil {
+// leafDER, err := x509.CreateCertificate(rand.Reader, leafTemplate, root,
+// &leafKey.PublicKey, rootPriv) if err != nil {
 // panic(err)
 // }
 // pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
@@ -1521,16 +1522,13 @@ static int Verify(
 CertsToStack(intermediates));
 bssl::UniquePtr crls_stack(CRLsToStack(crls));
- if (!roots_stack ||
- !intermediates_stack ||
- !crls_stack) {
+ if (!roots_stack || !intermediates_stack || !crls_stack) {
 return X509_V_ERR_UNSPECIFIED;
 }
 
 bssl::UniquePtr ctx(X509_STORE_CTX_new());
 bssl::UniquePtr store(X509_STORE_new());
- if (!ctx ||
- !store) {
+ if (!ctx || !store) {
 return X509_V_ERR_UNSPECIFIED;
 }
@@ -1845,12 +1843,10 @@ TEST(X509Test, StoreThreads) {
 ASSERT_TRUE(X509_verify_cert(ctx.get()));
 ASSERT_EQ(X509_STORE_CTX_get_error(ctx.get()), X509_V_OK);
 });
- threads.emplace_back([&] {
- ASSERT_TRUE(X509_STORE_add_cert(store.get(), other1.get()));
- });
- threads.emplace_back([&] {
- ASSERT_TRUE(X509_STORE_add_cert(store.get(), other2.get()));
- });
+ threads.emplace_back(
+ [&] { ASSERT_TRUE(X509_STORE_add_cert(store.get(), other1.get())); });
+ threads.emplace_back(
+ [&] { ASSERT_TRUE(X509_STORE_add_cert(store.get(), other2.get())); });
 }
 for (auto &thread : threads) {
 thread.join();
@@ -2035,8 +2031,10 @@ TEST(X509Test, ZeroLengthsWithCheckFunctions) {
 TEST(X509Test, WrongLengthCheckFunctions) {
 bssl::UniquePtr leaf(CertFromPEM(kSANTypesLeaf));
- EXPECT_EQ(-2, X509_check_host(leaf.get(), kHostname, strlen(kHostname) + 1, 0, nullptr));
- EXPECT_NE(1, X509_check_host(leaf.get(), kHostname, strlen(kHostname) - 1, 0, nullptr));
+ EXPECT_EQ(-2, X509_check_host(leaf.get(), kHostname, strlen(kHostname) + 1, 0,
+ nullptr));
+ EXPECT_NE(1, X509_check_host(leaf.get(), kHostname, strlen(kHostname) - 1, 0,
+ nullptr));
 EXPECT_EQ(-2, X509_check_email(leaf.get(), kEmail, strlen(kEmail) + 1, 0));
 EXPECT_NE(1, X509_check_email(leaf.get(), kEmail, strlen(kEmail) - 1, 0));
@@ -2045,10 +2043,12 @@ TEST(X509Test, WrongLengthCheckFunctions) {
 TEST(X509Test, MatchFoundSetsPeername) {
 bssl::UniquePtr leaf(CertFromPEM(kSANTypesLeaf));
 char *peername = nullptr;
- EXPECT_NE(1, X509_check_host(leaf.get(), kWrongHostname, strlen(kWrongHostname), 0, &peername));
+ EXPECT_NE(1, X509_check_host(leaf.get(), kWrongHostname,
+ strlen(kWrongHostname), 0, &peername));
 ASSERT_EQ(nullptr, peername);
- EXPECT_EQ(1, X509_check_host(leaf.get(), kHostname, strlen(kHostname), 0, &peername));
+ EXPECT_EQ(1, X509_check_host(leaf.get(), kHostname, strlen(kHostname), 0,
+ &peername));
 EXPECT_STREQ(peername, kHostname);
 OPENSSL_free(peername);
 }
@@ -2138,7 +2138,8 @@ TEST(X509Test, TestCRL) {
 // Parsing kBadExtensionCRL should fail.
 EXPECT_FALSE(CRLFromPEM(kBadExtensionCRL));
 
- // Ensure X509_OBJECT_get0_X509_CRL only returns a CRL if the X509 object is valid
+ // Ensure X509_OBJECT_get0_X509_CRL only returns a CRL if the X509 object is
+ // valid
 X509_OBJECT validCRL;
 validCRL.type = X509_LU_CRL;
 validCRL.data.crl = basic_crl.get();
@@ -2925,7 +2926,8 @@ TEST(X509Test, MLDSA65SignVerifyCert) {
 // certificate, then verifies the certificate's signature.
 
 // Generate mldsa key
- bssl::UniquePtr ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_PQDSA, nullptr));
+ bssl::UniquePtr ctx(
+ EVP_PKEY_CTX_new_id(EVP_PKEY_PQDSA, nullptr));
 ASSERT_TRUE(ctx);
 ASSERT_TRUE(EVP_PKEY_CTX_pqdsa_set_params(ctx.get(), NID_MLDSA65));
 ASSERT_TRUE(EVP_PKEY_keygen_init(ctx.get()));
@@ -3148,31 +3150,31 @@ TEST(X509Test, TestPrintUTCTIME) {
 static const struct {
 const char *val, *want;
 } asn1_utctime_tests[] = {
- {"", "Bad time value"},
+ {"", "Bad time value"},
 
- // Correct RFC 5280 form. Test years < 2000 and > 2000.
- {"090303125425Z", "Mar 3 12:54:25 2009 GMT"},
- {"900303125425Z", "Mar 3 12:54:25 1990 GMT"},
- {"000303125425Z", "Mar 3 12:54:25 2000 GMT"},
+ // Correct RFC 5280 form. Test years < 2000 and > 2000.
+ {"090303125425Z", "Mar 3 12:54:25 2009 GMT"},
+ {"900303125425Z", "Mar 3 12:54:25 1990 GMT"},
+ {"000303125425Z", "Mar 3 12:54:25 2000 GMT"},
 
- // Correct form, bad values.
- {"000000000000Z", "Bad time value"},
- {"999999999999Z", "Bad time value"},
+ // Correct form, bad values.
+ {"000000000000Z", "Bad time value"},
+ {"999999999999Z", "Bad time value"},
 
- // Missing components.
- {"090303125425", "Bad time value"},
- {"9003031254", "Bad time value"},
- {"9003031254Z", "Bad time value"},
+ // Missing components.
+ {"090303125425", "Bad time value"},
+ {"9003031254", "Bad time value"},
+ {"9003031254Z", "Bad time value"},
 
- // GENERALIZEDTIME confused for UTCTIME.
- {"20090303125425Z", "Bad time value"},
+ // GENERALIZEDTIME confused for UTCTIME.
+ {"20090303125425Z", "Bad time value"},
 
- // Legal ASN.1, but not legal RFC 5280.
- {"9003031254+0800", "Bad time value"},
- {"9003031254-0800", "Bad time value"},
+ // Legal ASN.1, but not legal RFC 5280.
+ {"9003031254+0800", "Bad time value"},
+ {"9003031254-0800", "Bad time value"},
 
- // Trailing garbage.
- {"9003031254Z ", "Bad time value"},
+ // Trailing garbage.
+ {"9003031254Z ", "Bad time value"},
 };
 
 for (auto t : asn1_utctime_tests) {
@@ -3248,7 +3250,7 @@ TEST(X509Test, X509AlgorSetMd) {
 X509_ALGOR_get0(&obj, &ptype, &pval, alg.get());
 EXPECT_TRUE(obj);
 EXPECT_EQ(OBJ_obj2nid(obj), NID_sha256);
- EXPECT_EQ(ptype, V_ASN1_NULL); // OpenSSL has V_ASN1_UNDEF
+ EXPECT_EQ(ptype, V_ASN1_NULL); // OpenSSL has V_ASN1_UNDEF
 EXPECT_EQ(pval, nullptr);
 EXPECT_TRUE(X509_ALGOR_set_md(alg.get(), EVP_md5()));
 X509_ALGOR_get0(&obj, &ptype, &pval, alg.get());
@@ -3423,8 +3425,7 @@ TEST(X509Test, PEMX509Info) {
 // creates a new X509_INFO when a repeated type is seen.
 std::string pem =
 // The first few entries have one of everything in different orders.
- cert + rsa + crl +
- rsa + crl + cert +
+ cert + rsa + crl + rsa + crl + cert +
 // Unknown types are ignored.
 crl + unknown + cert + rsa +
 // Seeing a new certificate starts a new entry, so now we have a bunch of
@@ -3442,19 +3443,19 @@ TEST(X509Test, PEMX509Info) {
 const EVP_PKEY *key;
 const X509_CRL *crl;
 } kExpected[] = {
- {cert_obj.get(), rsa_obj.get(), crl_obj.get()},
- {cert_obj.get(), rsa_obj.get(), crl_obj.get()},
- {cert_obj.get(), rsa_obj.get(), crl_obj.get()},
- {cert_obj.get(), nullptr, nullptr},
- {cert_obj.get(), nullptr, nullptr},
- {cert_obj.get(), nullptr, nullptr},
- {cert_obj.get(), rsa_obj.get(), nullptr},
- {nullptr, rsa_obj.get(), nullptr},
- {nullptr, rsa_obj.get(), nullptr},
- {nullptr, rsa_obj.get(), nullptr},
- {nullptr, rsa_obj.get(), crl_obj.get()},
- {nullptr, nullptr, crl_obj.get()},
- {nullptr, nullptr, crl_obj.get()},
+ {cert_obj.get(), rsa_obj.get(), crl_obj.get()},
+ {cert_obj.get(), rsa_obj.get(), crl_obj.get()},
+ {cert_obj.get(), rsa_obj.get(), crl_obj.get()},
+ {cert_obj.get(), nullptr, nullptr},
+ {cert_obj.get(), nullptr, nullptr},
+ {cert_obj.get(), nullptr, nullptr},
+ {cert_obj.get(), rsa_obj.get(), nullptr},
+ {nullptr, rsa_obj.get(), nullptr},
+ {nullptr, rsa_obj.get(), nullptr},
+ {nullptr, rsa_obj.get(), nullptr},
+ {nullptr, rsa_obj.get(), crl_obj.get()},
+ {nullptr, nullptr, crl_obj.get()},
+ {nullptr, nullptr, crl_obj.get()},
 };
 
 auto check_info = [](const ExpectedInfo *expected, const X509_INFO *info) {
@@ -3666,38 +3667,34 @@ TEST(X509Test, CommonNameFallback) {
 }
 
 TEST(X509Test, LooksLikeDNSName) {
- static const char *kValid[] = {
- "example.com",
- "eXample123-.com",
- "*.example.com",
- "exa_mple.com",
- "example.com.",
- "project-dev:us-central1:main",
- };
- static const char *kInvalid[] = {
- "-eXample123-.com",
- "",
- ".",
- "*",
- "*.",
- "example..com",
- ".example.com",
- "example.com..",
- "*foo.example.com",
- "foo.*.example.com",
- "foo,bar",
- };
+ static const char *kValid[] = {
+ "example.com", "eXample123-.com", "*.example.com",
+ "exa_mple.com", "example.com.", "project-dev:us-central1:main",
+ };
+ static const char *kInvalid[] = {
+ "-eXample123-.com",
+ "",
+ ".",
+ "*",
+ "*.",
+ "example..com",
+ ".example.com",
+ "example.com..",
+ "*foo.example.com",
+ "foo.*.example.com",
+ "foo,bar",
+ };
 
- for (const char *str : kValid) {
- SCOPED_TRACE(str);
- EXPECT_TRUE(x509v3_looks_like_dns_name(
- reinterpret_cast(str), strlen(str)));
- }
- for (const char *str : kInvalid) {
- SCOPED_TRACE(str);
- EXPECT_FALSE(x509v3_looks_like_dns_name(
- reinterpret_cast(str), strlen(str)));
- }
+ for (const char *str : kValid) {
+ SCOPED_TRACE(str);
+ EXPECT_TRUE(x509v3_looks_like_dns_name(
+ reinterpret_cast(str), strlen(str)));
+ }
+ for (const char *str : kInvalid) {
+ SCOPED_TRACE(str);
+ EXPECT_FALSE(x509v3_looks_like_dns_name(
+ reinterpret_cast(str), strlen(str)));
+ }
 }
 
 TEST(X509Test, CommonNameAndNameConstraints) {
@@ -3794,8 +3791,8 @@ TEST(X509Test, ServerGatedCryptoEKUs) {
 // The server-auth EKU is sufficient, and it doesn't matter if an SGC EKU is
 // also included. Lastly, not specifying an EKU is also valid.
- for (X509 *leaf : {server_eku.get(), server_eku_plus_ms_sgc.get(),
- no_eku.get()}) {
+ for (X509 *leaf :
+ {server_eku.get(), server_eku_plus_ms_sgc.get(), no_eku.get()}) {
 EXPECT_EQ(X509_V_OK, verify_cert(leaf));
 }
 }
@@ -3852,9 +3849,9 @@ TEST(X509Test, InvalidExtensions) {
 ASSERT_TRUE(invalid_leaf);
 
 bssl::UniquePtr trailing_leaf = CertFromPEM(
- GetTestData((std::string("crypto/x509/test/trailing_data_leaf_") +
- ext + ".pem")
- .c_str())
+ GetTestData(
+ (std::string("crypto/x509/test/trailing_data_leaf_") + ext + ".pem")
+ .c_str())
 .c_str());
 ASSERT_TRUE(trailing_leaf);
@@ -4290,7 +4287,7 @@ TEST(X509Test, AlgorithmParameters) {
 ErrorEquals(ERR_get_error(), ERR_LIB_X509, X509_R_INVALID_PARAMETER));
 }
 
-TEST(X509Test, GeneralName) {
+TEST(X509Test, GeneralName) {
 const std::vector kNames[] = {
 // [0]
 { // OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
@@ -4956,7 +4953,7 @@ TEST(X509Test, ExpiredCandidate) {
 ASSERT_TRUE(X509_STORE_add_cert(store.get(), intermediate1.get()));
 #endif
 ASSERT_TRUE(X509_STORE_CTX_init(ctx.get(), store.get(), leaf.get(),
- intermediates_stack.get()));
+ intermediates_stack.get()));
 
 X509 *issuer;
 EXPECT_TRUE(X509_STORE_CTX_get1_issuer(&issuer, ctx.get(), leaf.get()));
@@ -5583,12 +5580,13 @@ TEST(X509Test, AddDuplicates) {
 // look them up to exercise un/locking functions.
 const size_t kNumThreads = 10;
 std::vector threads;
- for (size_t i = 0; i < kNumThreads/2; i++) {
+ for (size_t i = 0; i < kNumThreads / 2; i++) {
 threads.emplace_back([&] {
 // Sleep with some jitter to offset thread execution
 uint8_t sleep_buf[1];
 ASSERT_TRUE(RAND_bytes(sleep_buf, sizeof(sleep_buf)));
- std::this_thread::sleep_for(std::chrono::microseconds(1 + (sleep_buf[0] % 5)));
+ std::this_thread::sleep_for(
+ std::chrono::microseconds(1 + (sleep_buf[0] % 5)));
 EXPECT_TRUE(X509_STORE_add_cert(store.get(), a.get()));
 EXPECT_TRUE(X509_STORE_add_cert(store.get(), b.get()));
 });
@@ -5599,7 +5597,8 @@ TEST(X509Test, AddDuplicates) {
 // Sleep after taking the lock to cause contention. Sleep longer than the
 // adder half of threads to ensure we hold the lock while they contend
 // for it.
- std::this_thread::sleep_for(std::chrono::microseconds(11 + (sleep_buf[0] % 5)));
+ std::this_thread::sleep_for(
+ std::chrono::microseconds(11 + (sleep_buf[0] % 5)));
 ASSERT_TRUE(X509_STORE_unlock(store.get()));
 });
 }
@@ -5880,7 +5879,7 @@ TEST(X509Test, NamePrint) {
 "/CN= spaces ",
 };
 std::string oneline_expected;
- for (const auto& component : kOnelineComponents) {
+ for (const auto &component : kOnelineComponents) {
 oneline_expected += component;
 }
@@ -5911,7 +5910,7 @@ TEST(X509Test, NamePrint) {
 EXPECT_EQ(buf, X509_NAME_oneline(name.get(), buf, len));
 std::string truncated;
- for (const auto& component : kOnelineComponents) {
+ for (const auto &component : kOnelineComponents) {
 if (truncated.size() + strlen(component) + 1 > len) {
 break;
 }
@@ -5986,7 +5985,7 @@ TEST(X509Test, Print) {
 const uint8_t *data;
 size_t data_len;
 ASSERT_TRUE(BIO_mem_contents(bio.get(), &data, &data_len));
- std::string print(reinterpret_cast(data), data_len);
+ std::string print(reinterpret_cast(data), data_len);
 static const char expected_certificate_string[] = R"(Certificate:
 Data:
 Version: 3 (0x2)
@@ -6340,17 +6339,12 @@ TEST(X509Test, SetSerialNumberCheckEndian) {
 ASSERT_TRUE(root);
 
 // Numbers for testing
- std::vector nums = {
- 0x0000000000000001LL,
- 0x0000000000000100LL,
- 0x0000000000010000LL,
- 0x0000000001000000LL,
- 0x0000000100000000LL,
- 0x0000010000000000LL,
- 0x0001000000000000LL,
- -2LL};
-
- for(int64_t num: nums) {
+ std::vector nums = {0x0000000000000001LL, 0x0000000000000100LL,
+ 0x0000000000010000LL, 0x0000000001000000LL,
+ 0x0000000100000000LL, 0x0000010000000000LL,
+ 0x0001000000000000LL, -2LL};
+
+ for (int64_t num : nums) {
 bssl::UniquePtr serial(ASN1_INTEGER_new());
 ASSERT_TRUE(serial);
 // Set serial number for cert
@@ -6358,7 +6352,8 @@ TEST(X509Test, SetSerialNumberCheckEndian) {
 ASSERT_TRUE(X509_set_serialNumber(root.get(), serial.get()));
 // Get serial number for cert
 int64_t val;
- ASSERT_TRUE(ASN1_INTEGER_get_int64(&val, X509_get0_serialNumber(root.get())));
+ ASSERT_TRUE(
+ ASN1_INTEGER_get_int64(&val, X509_get0_serialNumber(root.get())));
 EXPECT_EQ(num, val);
 }
 }
@@ -6400,8 +6395,8 @@ TEST(X509Test, Policy) {
 // By default, OpenSSL does not check policies, so even syntax errors in the
 // certificatePolicies extension go unnoticed. (This is probably not
 // important.)
- EXPECT_EQ(X509_V_OK, Verify(leaf.get(), {root.get()},
- {intermediate.get()}, /*crls=*/{}));
+ EXPECT_EQ(X509_V_OK, Verify(leaf.get(), {root.get()}, {intermediate.get()},
+ /*crls=*/{}));
 EXPECT_EQ(X509_V_OK, Verify(leaf_invalid.get(), {root.get()},
 {intermediate.get()}, /*crls=*/{}));
@@ -6445,34 +6440,30 @@ TEST(X509Test, Policy) { })); // The policy extension cannot be parsed. - EXPECT_EQ(X509_V_ERR_INVALID_POLICY_EXTENSION, - Verify(leaf.get(), {root.get()}, {intermediate_invalid.get()}, - /*crls=*/{}, X509_V_FLAG_EXPLICIT_POLICY, - [&](X509_STORE_CTX *ctx) { - set_policies(ctx, {oid1.get()}); - })); - EXPECT_EQ(X509_V_ERR_INVALID_POLICY_EXTENSION, - Verify(leaf_invalid.get(), {root.get()}, {intermediate.get()}, - /*crls=*/{}, X509_V_FLAG_EXPLICIT_POLICY, - [&](X509_STORE_CTX *ctx) { - set_policies(ctx, {oid1.get()}); - })); + EXPECT_EQ( + X509_V_ERR_INVALID_POLICY_EXTENSION, + Verify(leaf.get(), {root.get()}, {intermediate_invalid.get()}, + /*crls=*/{}, X509_V_FLAG_EXPLICIT_POLICY, + [&](X509_STORE_CTX *ctx) { set_policies(ctx, {oid1.get()}); })); + EXPECT_EQ( + X509_V_ERR_INVALID_POLICY_EXTENSION, + Verify(leaf_invalid.get(), {root.get()}, {intermediate.get()}, + /*crls=*/{}, X509_V_FLAG_EXPLICIT_POLICY, + [&](X509_STORE_CTX *ctx) { set_policies(ctx, {oid1.get()}); })); // There is a duplicate policy in the policy extension. - EXPECT_EQ(X509_V_ERR_INVALID_POLICY_EXTENSION, - Verify(leaf.get(), {root.get()}, {intermediate_duplicate.get()}, - /*crls=*/{}, X509_V_FLAG_EXPLICIT_POLICY, - [&](X509_STORE_CTX *ctx) { - set_policies(ctx, {oid1.get()}); - })); + EXPECT_EQ( + X509_V_ERR_INVALID_POLICY_EXTENSION, + Verify(leaf.get(), {root.get()}, {intermediate_duplicate.get()}, + /*crls=*/{}, X509_V_FLAG_EXPLICIT_POLICY, + [&](X509_STORE_CTX *ctx) { set_policies(ctx, {oid1.get()}); })); // The policy extension in the leaf cannot be parsed. 
- EXPECT_EQ(X509_V_ERR_INVALID_POLICY_EXTENSION, - Verify(leaf_duplicate.get(), {root.get()}, {intermediate.get()}, - /*crls=*/{}, X509_V_FLAG_EXPLICIT_POLICY, - [&](X509_STORE_CTX *ctx) { - set_policies(ctx, {oid1.get()}); - })); + EXPECT_EQ( + X509_V_ERR_INVALID_POLICY_EXTENSION, + Verify(leaf_duplicate.get(), {root.get()}, {intermediate.get()}, + /*crls=*/{}, X509_V_FLAG_EXPLICIT_POLICY, + [&](X509_STORE_CTX *ctx) { set_policies(ctx, {oid1.get()}); })); // With just a trust anchor, policy checking silently succeeds. EXPECT_EQ(X509_V_OK, Verify(root.get(), {root.get()}, {}, @@ -7720,7 +7711,7 @@ TEST(X509Test, ParamInheritance) { EXPECT_EQ(X509_VERIFY_PARAM_get_depth(dest.get()), 5); } - // |X509_VERIFY_PARAM_set1| with both unset. + // |X509_VERIFY_PARAM_set1| with both unset. { bssl::UniquePtr dest(X509_VERIFY_PARAM_new()); ASSERT_TRUE(dest); diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index 530daf2145..84c43de925 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -117,7 +117,7 @@ int X509_TRUST_get_by_id(int id) { for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(trstandard); i++) { if (trstandard[i].trust == id) { OPENSSL_STATIC_ASSERT(OPENSSL_ARRAY_SIZE(trstandard) <= INT_MAX, - indices_must_fit_in_int); + indices_must_fit_in_int); return (int)i; } } diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 75773131ea..c2feabfcc5 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -519,7 +519,7 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { issuer = sk_X509_value(sk, i); if (x509_check_issued_with_callback(ctx, x, issuer)) { candidate = issuer; - if (x509_check_cert_time(ctx, candidate, /*suppress_error*/1)) { + if (x509_check_cert_time(ctx, candidate, /*suppress_error*/ 1)) { break; } } 
@@ -1439,7 +1439,7 @@ static int internal_verify(X509_STORE_CTX *ctx) { } check_cert: - ok = x509_check_cert_time(ctx, xs, /*suppress_error*/0); + ok = x509_check_cert_time(ctx, xs, /*suppress_error*/ 0); if (!ok) { goto end; } @@ -1731,9 +1731,7 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, X509_STORE_CTX_set_time_posix(ctx, flags, t); } -X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) { - return ctx->cert; -} +X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) { return ctx->cert; } void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)) { diff --git a/fuzz/bn_div.cc b/fuzz/bn_div.cc index 16b060e507..6ec2a53152 100644 --- a/fuzz/bn_div.cc +++ b/fuzz/bn_div.cc @@ -29,11 +29,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { uint8_t sign0, sign1; CBS_init(&cbs, buf, len); if (!CBS_get_u16_length_prefixed(&cbs, &child0) || - !CBS_get_u8(&child0, &sign0) || - CBS_len(&child0) == 0 || + !CBS_get_u8(&child0, &sign0) || CBS_len(&child0) == 0 || !CBS_get_u16_length_prefixed(&cbs, &child1) || - !CBS_get_u8(&child1, &sign1) || - CBS_len(&child1) == 0) { + !CBS_get_u8(&child1, &sign1) || CBS_len(&child1) == 0) { return 0; } diff --git a/fuzz/bn_mod_exp.cc b/fuzz/bn_mod_exp.cc index f34708fb5a..6e8ba7026d 100644 --- a/fuzz/bn_mod_exp.cc +++ b/fuzz/bn_mod_exp.cc 
@@ -62,31 +62,22 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { uint8_t sign, sign1; CBS_init(&cbs, buf, len); if (!CBS_get_u16_length_prefixed(&cbs, &child0) || - !CBS_get_u8(&child0, &sign) || - CBS_len(&child0) == 0 || - !CBS_get_u16_length_prefixed(&cbs, &child1) || - CBS_len(&child1) == 0 || - !CBS_get_u16_length_prefixed(&cbs, &child2) || - CBS_len(&child2) == 0 || + !CBS_get_u8(&child0, &sign) || CBS_len(&child0) == 0 || + !CBS_get_u16_length_prefixed(&cbs, &child1) || CBS_len(&child1) == 0 || + !CBS_get_u16_length_prefixed(&cbs, &child2) || CBS_len(&child2) == 0 || !CBS_get_u16_length_prefixed(&cbs, &child3) || - !CBS_get_u8(&child3, &sign1) || - CBS_len(&child3) == 0 || - !CBS_get_u16_length_prefixed(&cbs, &child4) || - CBS_len(&child4) == 0 || - !CBS_get_u16_length_prefixed(&cbs, &child5) || - CBS_len(&child5) == 0) { + !CBS_get_u8(&child3, &sign1) || CBS_len(&child3) == 0 || + !CBS_get_u16_length_prefixed(&cbs, &child4) || CBS_len(&child4) == 0 || + !CBS_get_u16_length_prefixed(&cbs, &child5) || CBS_len(&child5) == 0) { return 0; } // Don't fuzz inputs larger than 512 bytes (4096 bits). This isn't ideal, but // the naive |mod_exp| above is somewhat slow, so this otherwise causes the // fuzzers to spend a lot of time exploring timeouts. - if (CBS_len(&child0) > 512 || - CBS_len(&child1) > 512 || - CBS_len(&child2) > 512 || - CBS_len(&child3) > 512 || - CBS_len(&child4) > 512 || - CBS_len(&child5) > 512) { + if (CBS_len(&child0) > 512 || CBS_len(&child1) > 512 || + CBS_len(&child2) > 512 || CBS_len(&child3) > 512 || + CBS_len(&child4) > 512 || CBS_len(&child5) > 512) { return 0; } 
@@ -154,11 +145,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { CHECK(BN_nnmod(base1.get(), base1.get(), modulus1.get(), ctx.get())); // Run the x2 implementation and compare the results. - CHECK(BN_mod_exp_mont_consttime_x2(result.get(), base.get(), power.get(), - modulus.get(), mont.get(), - result1.get(), base1.get(), power1.get(), - modulus1.get(), mont1.get(), - ctx.get())); + CHECK(BN_mod_exp_mont_consttime_x2( + result.get(), base.get(), power.get(), modulus.get(), mont.get(), + result1.get(), base1.get(), power1.get(), modulus1.get(), mont1.get(), + ctx.get())); CHECK(BN_cmp(result.get(), expected.get()) == 0); CHECK(BN_cmp(result1.get(), expected1.get()) == 0); } diff --git a/fuzz/decode_client_hello_inner.cc b/fuzz/decode_client_hello_inner.cc index db090c59ad..2c9a154f92 100644 --- a/fuzz/decode_client_hello_inner.cc +++ b/fuzz/decode_client_hello_inner.cc @@ -13,8 +13,8 @@ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include -#include #include +#include #include "../ssl/internal.h" diff --git a/fuzz/der_roundtrip.cc b/fuzz/der_roundtrip.cc index 03fa4c3945..3e2c70bf10 100644 --- a/fuzz/der_roundtrip.cc +++ b/fuzz/der_roundtrip.cc @@ -33,8 +33,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { if (!CBB_init(cbb.get(), consumed) || !CBB_add_asn1(cbb.get(), &body_cbb, tag) || !CBB_add_bytes(&body_cbb, CBS_data(&body), CBS_len(&body)) || - !CBB_flush(cbb.get()) || - CBB_len(cbb.get()) != consumed || + !CBB_flush(cbb.get()) || CBB_len(cbb.get()) != consumed || memcmp(CBB_data(cbb.get()), buf, consumed) != 0) { abort(); } @@ -44,8 +43,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { if (sig != NULL) { uint8_t *enc; size_t enc_len; - if (!ECDSA_SIG_to_bytes(&enc, &enc_len, sig) || - enc_len != len || + if (!ECDSA_SIG_to_bytes(&enc, &enc_len, sig) || enc_len != len || memcmp(buf, enc, len) != 0) { abort(); } 
diff --git a/fuzz/ocsp_http.cc b/fuzz/ocsp_http.cc index 5c28ace0c0..eeab834c6d 100644 --- a/fuzz/ocsp_http.cc +++ b/fuzz/ocsp_http.cc @@ -9,17 +9,15 @@ #include "../crypto/ocsp/internal.h" static const uint8_t kOCSPRequestDER[] = { - 0x30, 0x68, 0x30, 0x66, 0x30, 0x3f, 0x30, 0x3d, 0x30, 0x3b, 0x30, - 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, - 0x14, 0xde, 0x79, 0x32, 0xb3, 0x21, 0x7e, 0x48, 0xfb, 0x4e, 0x47, - 0xae, 0x0b, 0x90, 0x07, 0xa5, 0x53, 0x76, 0xae, 0x44, 0xca, 0x04, - 0x14, 0x12, 0xdf, 0x81, 0x75, 0x71, 0xca, 0x92, 0xd3, 0xce, 0x1b, - 0x2c, 0x2b, 0x77, 0x3b, 0x9e, 0x33, 0x77, 0xf3, 0xf7, 0x6f, 0x02, - 0x02, 0x77, 0x78, 0xa2, 0x23, 0x30, 0x21, 0x30, 0x1f, 0x06, 0x09, - 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02, 0x04, 0x12, - 0x04, 0x10, 0x30, 0x3f, 0x12, 0x8c, 0xd8, 0x24, 0xa2, 0xb4, 0x65, - 0xf4, 0xc8, 0x46, 0x88, 0x2b, 0x3e, 0x1f -}; + 0x30, 0x68, 0x30, 0x66, 0x30, 0x3f, 0x30, 0x3d, 0x30, 0x3b, 0x30, 0x09, + 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0xde, + 0x79, 0x32, 0xb3, 0x21, 0x7e, 0x48, 0xfb, 0x4e, 0x47, 0xae, 0x0b, 0x90, + 0x07, 0xa5, 0x53, 0x76, 0xae, 0x44, 0xca, 0x04, 0x14, 0x12, 0xdf, 0x81, + 0x75, 0x71, 0xca, 0x92, 0xd3, 0xce, 0x1b, 0x2c, 0x2b, 0x77, 0x3b, 0x9e, + 0x33, 0x77, 0xf3, 0xf7, 0x6f, 0x02, 0x02, 0x77, 0x78, 0xa2, 0x23, 0x30, + 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, + 0x01, 0x02, 0x04, 0x12, 0x04, 0x10, 0x30, 0x3f, 0x12, 0x8c, 0xd8, 0x24, + 0xa2, 0xb4, 0x65, 0xf4, 0xc8, 0x46, 0x88, 0x2b, 0x3e, 0x1f}; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { bssl::UniquePtr bio(BIO_new(BIO_s_mem())); 
@@ -38,7 +36,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { // Check that there are contents. const uint8_t *contents; size_t outlen; - if(!BIO_mem_contents(req_ctx->mem, &contents, &outlen)){ + if (!BIO_mem_contents(req_ctx->mem, &contents, &outlen)) { // This code block shouldn't be reached. |req_ctx->mem| should always have // contents if |OCSP_REQ_CTX_nbio| returns 1. return 1; diff --git a/fuzz/pkcs7_decrypt.cc b/fuzz/pkcs7_decrypt.cc index 0d73e40128..4108c84bb1 100644 --- a/fuzz/pkcs7_decrypt.cc +++ b/fuzz/pkcs7_decrypt.cc @@ -5,10 +5,10 @@ #include #include +#include #include #include #include -#include // The corpus was created using the following key. // If you change the key, the corpus should be augmented with inputs @@ -100,18 +100,20 @@ jbgtnMeOs3SWELGeAG2TXsKmNOb0OwzGeL5jJpe6tsEUiQQQxhfarBIlxoTPizI= )"; class SharedData { -public: + public: EVP_PKEY *key = nullptr; X509 *cert = nullptr; SharedData() { { - BIO *key_bio = BIO_new_mem_buf(const_cast(kKey), sizeof(kKey) - 1); + BIO *key_bio = + BIO_new_mem_buf(const_cast(kKey), sizeof(kKey) - 1); key = PEM_read_bio_PrivateKey(key_bio, nullptr, nullptr, nullptr); BIO_free(key_bio); } { - BIO *cert_bio = BIO_new_mem_buf(const_cast(kCert), sizeof(kCert) - 1); + BIO *cert_bio = + BIO_new_mem_buf(const_cast(kCert), sizeof(kCert) - 1); cert = PEM_read_bio_X509(cert_bio, nullptr, nullptr, nullptr); BIO_free(cert_bio); } 
@@ -136,17 +138,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { { BIO *data_bio = BIO_new(BIO_s_mem()); -OPENSSL_BEGIN_ALLOW_DEPRECATED + OPENSSL_BEGIN_ALLOW_DEPRECATED PKCS7_decrypt(pkcs7, sharedData.key, NULL, data_bio, 0); -OPENSSL_END_ALLOW_DEPRECATED + OPENSSL_END_ALLOW_DEPRECATED BIO_free(data_bio); } { BIO *data_bio = BIO_new(BIO_s_mem()); -OPENSSL_BEGIN_ALLOW_DEPRECATED + OPENSSL_BEGIN_ALLOW_DEPRECATED PKCS7_decrypt(pkcs7, sharedData.key, sharedData.cert, data_bio, 0); -OPENSSL_END_ALLOW_DEPRECATED + OPENSSL_END_ALLOW_DEPRECATED BIO_free(data_bio); } diff --git a/fuzz/pkcs7_verify.cc b/fuzz/pkcs7_verify.cc index a63e135c72..32593802b0 100644 --- a/fuzz/pkcs7_verify.cc +++ b/fuzz/pkcs7_verify.cc @@ -46,14 +46,15 @@ e3IOOq2ruXmq1jykxpmi82IcTRUE8TZBfL/yz0nxpHKAYC1VwMezrkgZDGz4npxf )"; class SharedData { -public: + public: X509_STORE *store = nullptr; STACK_OF(X509) *certs = nullptr; SharedData() { X509 *cert = nullptr; { - BIO *cert_bio = BIO_new_mem_buf(const_cast(kCert), sizeof(kCert) - 1); + BIO *cert_bio = + BIO_new_mem_buf(const_cast(kCert), sizeof(kCert) - 1); cert = PEM_read_bio_X509(cert_bio, nullptr, nullptr, nullptr); BIO_free(cert_bio); } @@ -81,7 +82,7 @@ static SharedData sharedData; OPENSSL_BEGIN_ALLOW_DEPRECATED extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { - BIO* data_bio = nullptr; + BIO *data_bio = nullptr; PKCS7 *pkcs7 = d2i_PKCS7(nullptr, &buf, len); if (!pkcs7) { diff --git a/fuzz/pkcs8.cc b/fuzz/pkcs8.cc index e6bfb83fe8..e2d31f2e79 100644 --- a/fuzz/pkcs8.cc +++ b/fuzz/pkcs8.cc @@ -28,8 +28,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { uint8_t *der; size_t der_len; CBB cbb; - if (CBB_init(&cbb, 0) && - EVP_marshal_private_key(&cbb, pkey) && + if (CBB_init(&cbb, 0) && EVP_marshal_private_key(&cbb, pkey) && CBB_finish(&cbb, &der, &der_len)) { OPENSSL_free(der); } diff --git a/fuzz/pkcs8_v2.cc b/fuzz/pkcs8_v2.cc index 77cc07f90c..889939a943 100644 
--- a/fuzz/pkcs8_v2.cc +++ b/fuzz/pkcs8_v2.cc @@ -18,8 +18,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { uint8_t *der; size_t der_len; CBB cbb; - if (CBB_init(&cbb, 0) && - EVP_marshal_private_key_v2(&cbb, pkey) && + if (CBB_init(&cbb, 0) && EVP_marshal_private_key_v2(&cbb, pkey) && CBB_finish(&cbb, &der, &der_len)) { OPENSSL_free(der); } diff --git a/fuzz/spki.cc b/fuzz/spki.cc index 29b6d7a009..2643a3f24c 100644 --- a/fuzz/spki.cc +++ b/fuzz/spki.cc @@ -29,8 +29,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { uint8_t *der; size_t der_len; CBB cbb; - if (CBB_init(&cbb, 0) && - EVP_marshal_public_key(&cbb, pkey) && + if (CBB_init(&cbb, 0) && EVP_marshal_public_key(&cbb, pkey) && CBB_finish(&cbb, &der, &der_len)) { OPENSSL_free(der); } diff --git a/fuzz/ssl_ctx_api.cc b/fuzz/ssl_ctx_api.cc index f7c1f73501..e8ec5ef2dc 100644 --- a/fuzz/ssl_ctx_api.cc +++ b/fuzz/ssl_ctx_api.cc @@ -333,7 +333,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { [](SSL_CTX *ctx, CBS *cbs) { SSL_CTX_get0_certificate(ctx); }, [](SSL_CTX *ctx, CBS *cbs) { SSL_CTX_get0_privatekey(ctx); }, [](SSL_CTX *ctx, CBS *cbs) { - STACK_OF(X509) * chains; + STACK_OF(X509) *chains; SSL_CTX_get0_chain_certs(ctx, &chains); }, [](SSL_CTX *ctx, CBS *cbs) { diff --git a/fuzz/ssl_serialization.cc b/fuzz/ssl_serialization.cc index f55aea554d..c2a25baa10 100644 --- a/fuzz/ssl_serialization.cc +++ b/fuzz/ssl_serialization.cc @@ -33,7 +33,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { if (!SSL_to_bytes(ssl.get(), &encoded, &encoded_len)) { uint32_t e = ERR_get_error(); if (e == 0) { - fprintf(stderr, "In Fuzz, SSL_to_bytes failed without giving a error code.\n"); + fprintf(stderr, + "In Fuzz, SSL_to_bytes failed without giving a error code.\n"); return 1; } uint32_t e_lib = ERR_GET_LIB(e); 
@@ -41,8 +42,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { if (e_reason == SSL_R_SERIALIZATION_UNSUPPORTED) { return 0; } - fprintf(stderr, "In Fuzz, SSL_to_bytes failed with error: lib %u, reason %u, str %s\n", - e_lib, e_reason, ERR_reason_error_string(e)); + fprintf( + stderr, + "In Fuzz, SSL_to_bytes failed with error: lib %u, reason %u, str %s\n", + e_lib, e_reason, ERR_reason_error_string(e)); return 1; } diff --git a/include/openssl/aead.h b/include/openssl/aead.h index 64df91ecfe..f6060828bc 100644 --- a/include/openssl/aead.h +++ b/include/openssl/aead.h @@ -435,10 +435,7 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls13(void); // Obscure functions. // evp_aead_direction_t denotes the direction of an AEAD operation. -enum evp_aead_direction_t { - evp_aead_open, - evp_aead_seal -}; +enum evp_aead_direction_t { evp_aead_open, evp_aead_seal }; // EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal // AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a diff --git a/include/openssl/arm_arch.h b/include/openssl/arm_arch.h index b770f964d8..2c73a0439f 100644 --- a/include/openssl/arm_arch.h +++ b/include/openssl/arm_arch.h @@ -80,7 +80,7 @@ #define ARMV8_SHA512 (1 << 6) // ARMV8_SHA3 indicates support for hardware SHA-3 instructions including EOR3. -#define ARMV8_SHA3 (1 << 11) +#define ARMV8_SHA3 (1 << 11) // The Neoverse V1, V2, and Apple M1 micro-architectures are detected to enable // high unrolling factor of AES-GCM and other algorithms that leverage a 
@@ -108,40 +108,36 @@ // |____ _ _____|_____ _ _____|_________|_______ _|____ _ ___|________| // -# define ARM_CPU_IMP_ARM 0x41 +#define ARM_CPU_IMP_ARM 0x41 -# define ARM_CPU_PART_CORTEX_A72 0xD08 -# define ARM_CPU_PART_N1 0xD0C -# define ARM_CPU_PART_V1 0xD40 -# define ARM_CPU_PART_V2 0xD4F +#define ARM_CPU_PART_CORTEX_A72 0xD08 +#define ARM_CPU_PART_N1 0xD0C +#define ARM_CPU_PART_V1 0xD40 +#define ARM_CPU_PART_V2 0xD4F -# define MIDR_PARTNUM_SHIFT 4 -# define MIDR_PARTNUM_MASK (0xfffUL << MIDR_PARTNUM_SHIFT) -# define MIDR_PARTNUM(midr) \ - (((midr) & MIDR_PARTNUM_MASK) >> MIDR_PARTNUM_SHIFT) +#define MIDR_PARTNUM_SHIFT 4 +#define MIDR_PARTNUM_MASK (0xfffUL << MIDR_PARTNUM_SHIFT) +#define MIDR_PARTNUM(midr) (((midr)&MIDR_PARTNUM_MASK) >> MIDR_PARTNUM_SHIFT) -# define MIDR_IMPLEMENTER_SHIFT 24 -# define MIDR_IMPLEMENTER_MASK (0xffUL << MIDR_IMPLEMENTER_SHIFT) -# define MIDR_IMPLEMENTER(midr) \ - (((midr) & MIDR_IMPLEMENTER_MASK) >> MIDR_IMPLEMENTER_SHIFT) +#define MIDR_IMPLEMENTER_SHIFT 24 +#define MIDR_IMPLEMENTER_MASK (0xffUL << MIDR_IMPLEMENTER_SHIFT) +#define MIDR_IMPLEMENTER(midr) \ + (((midr)&MIDR_IMPLEMENTER_MASK) >> MIDR_IMPLEMENTER_SHIFT) -# define MIDR_ARCHITECTURE_SHIFT 16 -# define MIDR_ARCHITECTURE_MASK (0xfUL << MIDR_ARCHITECTURE_SHIFT) -# define MIDR_ARCHITECTURE(midr) \ - (((midr) & MIDR_ARCHITECTURE_MASK) >> MIDR_ARCHITECTURE_SHIFT) +#define MIDR_ARCHITECTURE_SHIFT 16 +#define MIDR_ARCHITECTURE_MASK (0xfUL << MIDR_ARCHITECTURE_SHIFT) +#define MIDR_ARCHITECTURE(midr) \ + (((midr)&MIDR_ARCHITECTURE_MASK) >> MIDR_ARCHITECTURE_SHIFT) -# define MIDR_CPU_MODEL_MASK \ - (MIDR_IMPLEMENTER_MASK | \ - MIDR_PARTNUM_MASK | \ - MIDR_ARCHITECTURE_MASK) +#define MIDR_CPU_MODEL_MASK \ + (MIDR_IMPLEMENTER_MASK | MIDR_PARTNUM_MASK | MIDR_ARCHITECTURE_MASK) -# define MIDR_CPU_MODEL(imp, partnum) \ - (((imp) << MIDR_IMPLEMENTER_SHIFT) | \ - (0xfUL << MIDR_ARCHITECTURE_SHIFT) | \ - ((partnum) << MIDR_PARTNUM_SHIFT)) +#define MIDR_CPU_MODEL(imp, partnum) \ + (((imp) 
<< MIDR_IMPLEMENTER_SHIFT) | (0xfUL << MIDR_ARCHITECTURE_SHIFT) | \ + ((partnum) << MIDR_PARTNUM_SHIFT)) -# define MIDR_IS_CPU_MODEL(midr, imp, partnum) \ - (((midr) & MIDR_CPU_MODEL_MASK) == MIDR_CPU_MODEL(imp, partnum)) +#define MIDR_IS_CPU_MODEL(midr, imp, partnum) \ + (((midr)&MIDR_CPU_MODEL_MASK) == MIDR_CPU_MODEL(imp, partnum)) #endif // ARM || AARCH64 diff --git a/include/openssl/asm_base.h b/include/openssl/asm_base.h index 2f240e32be..a6d62bb9b4 100644 --- a/include/openssl/asm_base.h +++ b/include/openssl/asm_base.h @@ -43,8 +43,8 @@ #if defined(__ELF__) // Every ELF object file, even empty ones, should disable executable stacks. See // https://www.airs.com/blog/archives/518. -.pushsection .note.GNU-stack, "", %progbits -.popsection +.pushsection.note.GNU - stack, "", % progbits + .popsection #endif #if defined(__CET__) && defined(OPENSSL_X86_64) @@ -184,7 +184,8 @@ #endif #if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0 -.pushsection .note.gnu.property, "a"; + .pushsection.note.gnu.property, + "a"; .balign 8; .long 4; .long 0x10; @@ -192,7 +193,7 @@ .asciz "GNU"; .long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */ .long 4; -.long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI); +.long(GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI); .long 0; .popsection; #endif diff --git a/include/openssl/asn1t.h b/include/openssl/asn1t.h index 89046fbe5f..ec80a0ff44 100644 --- a/include/openssl/asn1t.h +++ b/include/openssl/asn1t.h @@ -9,7 +9,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in 
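Review bot: The reformatted assembler directives in the `#if defined(__ELF__)` block of asm_base.h no longer read as valid directives: `.pushsection .note.GNU-stack, "", %progbits` became `.pushsection.note.GNU - stack, "", % progbits`, which fuses the directive with the section name and turns `GNU-stack` into a subtraction, and `.popsection` was indented as if it were a continuation. The second hunk does the same to `.pushsection .note.gnu.property, "a";` and the third drops the space in `.long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI);`. These lines are only meaningful when the header is included by assembly sources, so on affected targets the non-executable-stack note and the BTI/pointer-auth GNU property note would presumably fail to assemble or be emitted incorrectly, which is exactly the hardening these notes exist to advertise. Restore the removed lines as they were and wrap each directive block in `// clang-format off` / `// clang-format on` so the formatter skips them (or exclude asm_base.h from `check_clang_format.sh`).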
@@ -57,8 +57,8 @@ #ifndef OPENSSL_HEADER_ASN1T_H #define OPENSSL_HEADER_ASN1T_H -#include #include +#include #if defined(__cplusplus) extern "C" { @@ -81,32 +81,23 @@ typedef struct ASN1_TLC_st ASN1_TLC; /* Macros for start and end of ASN1_ITEM definition */ -#define ASN1_ITEM_start(itname) \ - const ASN1_ITEM itname##_it = { - +#define ASN1_ITEM_start(itname) const ASN1_ITEM itname##_it = { #define ASN1_ITEM_end(itname) \ - }; + } \ + ; /* Macros to aid ASN1 template writing */ -#define ASN1_ITEM_TEMPLATE(tname) \ - static const ASN1_TEMPLATE tname##_item_tt +#define ASN1_ITEM_TEMPLATE(tname) static const ASN1_TEMPLATE tname##_item_tt -#define ASN1_ITEM_TEMPLATE_END(tname) \ - ;\ - ASN1_ITEM_start(tname) \ - ASN1_ITYPE_PRIMITIVE,\ - -1,\ - &tname##_item_tt,\ - 0,\ - NULL,\ - 0,\ - #tname \ - ASN1_ITEM_end(tname) +#define ASN1_ITEM_TEMPLATE_END(tname) \ + ; \ + ASN1_ITEM_start(tname) ASN1_ITYPE_PRIMITIVE, -1, &tname##_item_tt, 0, NULL, \ + 0, #tname ASN1_ITEM_end(tname) /* This is a ASN1 type which just embeds a template */ - + /* This pair helps declare a SEQUENCE. We can do: * * ASN1_SEQUENCE(stname) = { 
@@ -127,50 +118,40 @@ typedef struct ASN1_TLC_st ASN1_TLC; * a structure called stname. */ -#define ASN1_SEQUENCE(tname) \ - static const ASN1_TEMPLATE tname##_seq_tt[] +#define ASN1_SEQUENCE(tname) static const ASN1_TEMPLATE tname##_seq_tt[] #define ASN1_SEQUENCE_END(stname) ASN1_SEQUENCE_END_name(stname, stname) -#define ASN1_SEQUENCE_END_name(stname, tname) \ - ;\ - ASN1_ITEM_start(tname) \ - ASN1_ITYPE_SEQUENCE,\ - V_ASN1_SEQUENCE,\ - tname##_seq_tt,\ - sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ - NULL,\ - sizeof(stname),\ - #stname \ - ASN1_ITEM_end(tname) +#define ASN1_SEQUENCE_END_name(stname, tname) \ + ; \ + ASN1_ITEM_start(tname) ASN1_ITYPE_SEQUENCE, V_ASN1_SEQUENCE, tname##_seq_tt, \ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE), NULL, sizeof(stname), \ + #stname ASN1_ITEM_end(tname) -#define ASN1_SEQUENCE_cb(tname, cb) \ - static const ASN1_AUX tname##_aux = {NULL, 0, 0, cb, 0}; \ - ASN1_SEQUENCE(tname) +#define ASN1_SEQUENCE_cb(tname, cb) \ + static const ASN1_AUX tname##_aux = {NULL, 0, 0, cb, 0}; \ + ASN1_SEQUENCE(tname) -#define ASN1_SEQUENCE_ref(tname, cb) \ - static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), cb, 0}; \ - ASN1_SEQUENCE(tname) +#define ASN1_SEQUENCE_ref(tname, cb) \ + static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, \ + offsetof(tname, references), cb, 0}; \ + ASN1_SEQUENCE(tname) -#define ASN1_SEQUENCE_enc(tname, enc, cb) \ - static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, cb, offsetof(tname, enc)}; \ - ASN1_SEQUENCE(tname) +#define ASN1_SEQUENCE_enc(tname, enc, cb) \ + static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, cb, \ + offsetof(tname, enc)}; \ + ASN1_SEQUENCE(tname) -#define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) +#define ASN1_SEQUENCE_END_enc(stname, tname) \ + ASN1_SEQUENCE_END_ref(stname, tname) #define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) -#define 
ASN1_SEQUENCE_END_ref(stname, tname) \ - ;\ - ASN1_ITEM_start(tname) \ - ASN1_ITYPE_SEQUENCE,\ - V_ASN1_SEQUENCE,\ - tname##_seq_tt,\ - sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ - &tname##_aux,\ - sizeof(stname),\ - #stname \ - ASN1_ITEM_end(tname) +#define ASN1_SEQUENCE_END_ref(stname, tname) \ + ; \ + ASN1_ITEM_start(tname) ASN1_ITYPE_SEQUENCE, V_ASN1_SEQUENCE, tname##_seq_tt, \ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE), &tname##_aux, \ + sizeof(stname), #stname ASN1_ITEM_end(tname) /* This pair helps declare a CHOICE type. We can do: 
@@ -189,157 +170,150 @@ typedef struct ASN1_TLC_st ASN1_TLC; * ASN1_SOMEOTHER *opt2; * } value; * } chname; - * + * * the name of the selector must be 'type'. * to use an alternative selector name use the * ASN1_CHOICE_END_selector() version. */ -#define ASN1_CHOICE(tname) \ - static const ASN1_TEMPLATE tname##_ch_tt[] +#define ASN1_CHOICE(tname) static const ASN1_TEMPLATE tname##_ch_tt[] -#define ASN1_CHOICE_cb(tname, cb) \ - static const ASN1_AUX tname##_aux = {NULL, 0, 0, cb, 0}; \ - ASN1_CHOICE(tname) +#define ASN1_CHOICE_cb(tname, cb) \ + static const ASN1_AUX tname##_aux = {NULL, 0, 0, cb, 0}; \ + ASN1_CHOICE(tname) #define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname) -#define ASN1_CHOICE_END_name(stname, tname) ASN1_CHOICE_END_selector(stname, tname, type) - -#define ASN1_CHOICE_END_selector(stname, tname, selname) \ - ;\ - ASN1_ITEM_start(tname) \ - ASN1_ITYPE_CHOICE,\ - offsetof(stname,selname) ,\ - tname##_ch_tt,\ - sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\ - NULL,\ - sizeof(stname),\ - #stname \ - ASN1_ITEM_end(tname) - -#define ASN1_CHOICE_END_cb(stname, tname, selname) \ - ;\ - ASN1_ITEM_start(tname) \ - ASN1_ITYPE_CHOICE,\ - offsetof(stname,selname) ,\ - tname##_ch_tt,\ - sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\ - &tname##_aux,\ - sizeof(stname),\ - #stname \ - ASN1_ITEM_end(tname) +#define ASN1_CHOICE_END_name(stname, tname) \ + ASN1_CHOICE_END_selector(stname, tname, type) + +#define ASN1_CHOICE_END_selector(stname, tname, selname) \ + ; \ + ASN1_ITEM_start(tname) ASN1_ITYPE_CHOICE, offsetof(stname, selname), \ + tname##_ch_tt, sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE), NULL, \ + sizeof(stname), #stname ASN1_ITEM_end(tname) + +#define ASN1_CHOICE_END_cb(stname, tname, selname) \ + ; \ + ASN1_ITEM_start(tname) ASN1_ITYPE_CHOICE, offsetof(stname, selname), \ + tname##_ch_tt, sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE), \ + &tname##_aux, sizeof(stname), #stname ASN1_ITEM_end(tname) /* This helps with the template 
wrapper form of ASN1_ITEM */ -#define ASN1_EX_TEMPLATE_TYPE(flags, tag, name, type) { \ - (flags), (tag), 0,\ - #name, ASN1_ITEM_ref(type) } +#define ASN1_EX_TEMPLATE_TYPE(flags, tag, name, type) \ + { (flags), (tag), 0, #name, ASN1_ITEM_ref(type) } /* These help with SEQUENCE or CHOICE components */ /* used to declare other types */ -#define ASN1_EX_TYPE(flags, tag, stname, field, type) { \ - (flags), (tag), offsetof(stname, field),\ - #field, ASN1_ITEM_ref(type) } +#define ASN1_EX_TYPE(flags, tag, stname, field, type) \ + { (flags), (tag), offsetof(stname, field), #field, ASN1_ITEM_ref(type) } /* used when the structure is combined with the parent */ -#define ASN1_EX_COMBINE(flags, tag, type) { \ - (flags)|ASN1_TFLG_COMBINE, (tag), 0, NULL, ASN1_ITEM_ref(type) } +#define ASN1_EX_COMBINE(flags, tag, type) \ + { (flags) | ASN1_TFLG_COMBINE, (tag), 0, NULL, ASN1_ITEM_ref(type) } /* implicit and explicit helper macros */ #define ASN1_IMP_EX(stname, field, type, tag, ex) \ - ASN1_EX_TYPE(ASN1_TFLG_IMPLICIT | ex, tag, stname, field, type) + ASN1_EX_TYPE(ASN1_TFLG_IMPLICIT | ex, tag, stname, field, type) #define ASN1_EXP_EX(stname, field, type, tag, ex) \ - ASN1_EX_TYPE(ASN1_TFLG_EXPLICIT | ex, tag, stname, field, type) + ASN1_EX_TYPE(ASN1_TFLG_EXPLICIT | ex, tag, stname, field, type) /* Any defined by macros: the field used is in the table itself */ -#define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) } +#define ASN1_ADB_OBJECT(tblname) \ + { ASN1_TFLG_ADB_OID, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) } /* Plain simple type */ -#define ASN1_SIMPLE(stname, field, type) ASN1_EX_TYPE(0,0, stname, field, type) +#define ASN1_SIMPLE(stname, field, type) ASN1_EX_TYPE(0, 0, stname, field, type) /* OPTIONAL simple type */ -#define ASN1_OPT(stname, field, type) ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL, 0, stname, field, type) +#define ASN1_OPT(stname, field, type) \ + ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL, 0, stname, field, 
type) /* IMPLICIT tagged simple type */ -#define ASN1_IMP(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, 0) +#define ASN1_IMP(stname, field, type, tag) \ + ASN1_IMP_EX(stname, field, type, tag, 0) /* IMPLICIT tagged OPTIONAL simple type */ -#define ASN1_IMP_OPT(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL) +#define ASN1_IMP_OPT(stname, field, type, tag) \ + ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL) /* Same as above but EXPLICIT */ -#define ASN1_EXP(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, 0) -#define ASN1_EXP_OPT(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL) +#define ASN1_EXP(stname, field, type, tag) \ + ASN1_EXP_EX(stname, field, type, tag, 0) +#define ASN1_EXP_OPT(stname, field, type, tag) \ + ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL) /* SEQUENCE OF type */ #define ASN1_SEQUENCE_OF(stname, field, type) \ - ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, stname, field, type) + ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, stname, field, type) /* OPTIONAL SEQUENCE OF */ -#define ASN1_SEQUENCE_OF_OPT(stname, field, type) \ - ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type) +#define ASN1_SEQUENCE_OF_OPT(stname, field, type) \ + ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, 0, stname, field, \ + type) /* Same as above but for SET OF */ #define ASN1_SET_OF(stname, field, type) \ - ASN1_EX_TYPE(ASN1_TFLG_SET_OF, 0, stname, field, type) + ASN1_EX_TYPE(ASN1_TFLG_SET_OF, 0, stname, field, type) #define ASN1_SET_OF_OPT(stname, field, type) \ - ASN1_EX_TYPE(ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type) + ASN1_EX_TYPE(ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, 0, stname, field, type) /* Finally compound types of SEQUENCE, SET, IMPLICIT, EXPLICIT and OPTIONAL */ #define ASN1_IMP_SET_OF(stname, field, type, tag) \ - ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF) + ASN1_IMP_EX(stname, 
field, type, tag, ASN1_TFLG_SET_OF) #define ASN1_EXP_SET_OF(stname, field, type, tag) \ - ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF) + ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF) #define ASN1_IMP_SET_OF_OPT(stname, field, type, tag) \ - ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL) + ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL) #define ASN1_EXP_SET_OF_OPT(stname, field, type, tag) \ - ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL) + ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL) #define ASN1_IMP_SEQUENCE_OF(stname, field, type, tag) \ - ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF) + ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF) #define ASN1_IMP_SEQUENCE_OF_OPT(stname, field, type, tag) \ - ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL) + ASN1_IMP_EX(stname, field, type, tag, \ + ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL) #define ASN1_EXP_SEQUENCE_OF(stname, field, type, tag) \ - ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF) + ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF) #define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag) \ - ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL) + ASN1_EXP_EX(stname, field, type, tag, \ + ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL) /* Macros for the ASN1_ADB structure */ -#define ASN1_ADB(name) \ - static const ASN1_ADB_TABLE name##_adbtbl[] +#define ASN1_ADB(name) static const ASN1_ADB_TABLE name##_adbtbl[] #define ASN1_ADB_END(name, flags, field, app_table, def, none) \ - ;\ - static const ASN1_ADB name##_adb = {\ - flags,\ - offsetof(name, field),\ - app_table,\ - name##_adbtbl,\ - sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE),\ - def,\ - none\ - } - -#define ADB_ENTRY(val, template) {val, template} - -#define ASN1_ADB_TEMPLATE(name) \ - static const 
ASN1_TEMPLATE name##_tt + ; \ + static const ASN1_ADB name##_adb = { \ + flags, \ + offsetof(name, field), \ + app_table, \ + name##_adbtbl, \ + sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE), \ + def, \ + none} + +#define ADB_ENTRY(val, template) \ + { val, template } + +#define ASN1_ADB_TEMPLATE(name) static const ASN1_TEMPLATE name##_tt /* This is the ASN1 template structure that defines * a wrapper round the actual type. It determines the @@ -348,11 +322,11 @@ typedef struct ASN1_TLC_st ASN1_TLC; */ struct ASN1_TEMPLATE_st { -uint32_t flags; /* Various flags */ -int tag; /* tag, not used if no tagging */ -unsigned long offset; /* Offset of this field in structure */ -const char *field_name; /* Field name */ -ASN1_ITEM_EXP *item; /* Relevant ASN1_ITEM or ASN1_ADB */ + uint32_t flags; /* Various flags */ + int tag; /* tag, not used if no tagging */ + unsigned long offset; /* Offset of this field in structure */ + const char *field_name; /* Field name */ + ASN1_ITEM_EXP *item; /* Relevant ASN1_ITEM or ASN1_ADB */ }; /* Macro to extract ASN1_ITEM and ASN1_ADB pointer from ASN1_TEMPLATE */ 
@@ -366,33 +340,33 @@ typedef struct ASN1_ADB_st ASN1_ADB; typedef struct asn1_must_be_null_st ASN1_MUST_BE_NULL; struct ASN1_ADB_st { - uint32_t flags; /* Various flags */ - unsigned long offset; /* Offset of selector field */ - ASN1_MUST_BE_NULL *unused; - const ASN1_ADB_TABLE *tbl; /* Table of possible types */ - long tblcount; /* Number of entries in tbl */ - const ASN1_TEMPLATE *default_tt; /* Type to use if no match */ - const ASN1_TEMPLATE *null_tt; /* Type to use if selector is NULL */ + uint32_t flags; /* Various flags */ + unsigned long offset; /* Offset of selector field */ + ASN1_MUST_BE_NULL *unused; + const ASN1_ADB_TABLE *tbl; /* Table of possible types */ + long tblcount; /* Number of entries in tbl */ + const ASN1_TEMPLATE *default_tt; /* Type to use if no match */ + const ASN1_TEMPLATE *null_tt; /* Type to use if selector is NULL */ }; struct ASN1_ADB_TABLE_st { - int value; /* NID for an object */ - const ASN1_TEMPLATE tt; /* item for this value */ + int value; /* NID for an object */ + const ASN1_TEMPLATE tt; /* item for this value */ }; /* template flags */ /* Field is optional */ -#define ASN1_TFLG_OPTIONAL (0x1) +#define ASN1_TFLG_OPTIONAL (0x1) /* Field is a SET OF */ -#define ASN1_TFLG_SET_OF (0x1 << 1) +#define ASN1_TFLG_SET_OF (0x1 << 1) /* Field is a SEQUENCE OF */ -#define ASN1_TFLG_SEQUENCE_OF (0x2 << 1) +#define ASN1_TFLG_SEQUENCE_OF (0x2 << 1) /* Mask for SET OF or SEQUENCE OF */ -#define ASN1_TFLG_SK_MASK (0x3 << 1) +#define ASN1_TFLG_SK_MASK (0x3 << 1) /* These flags mean the tag should be taken from the * tag field. If EXPLICIT then the underlying type 
@@ -400,36 +374,36 @@ struct ASN1_ADB_TABLE_st { */ /* IMPLICIT tagging */ -#define ASN1_TFLG_IMPTAG (0x1 << 3) +#define ASN1_TFLG_IMPTAG (0x1 << 3) /* EXPLICIT tagging, inner tag from underlying type */ -#define ASN1_TFLG_EXPTAG (0x2 << 3) +#define ASN1_TFLG_EXPTAG (0x2 << 3) -#define ASN1_TFLG_TAG_MASK (0x3 << 3) +#define ASN1_TFLG_TAG_MASK (0x3 << 3) /* context specific IMPLICIT */ -#define ASN1_TFLG_IMPLICIT ASN1_TFLG_IMPTAG|ASN1_TFLG_CONTEXT +#define ASN1_TFLG_IMPLICIT ASN1_TFLG_IMPTAG | ASN1_TFLG_CONTEXT /* context specific EXPLICIT */ -#define ASN1_TFLG_EXPLICIT ASN1_TFLG_EXPTAG|ASN1_TFLG_CONTEXT +#define ASN1_TFLG_EXPLICIT ASN1_TFLG_EXPTAG | ASN1_TFLG_CONTEXT /* If tagging is in force these determine the * type of tag to use. Otherwise the tag is - * determined by the underlying type. These + * determined by the underlying type. These * values reflect the actual octet format. */ -/* Universal tag */ -#define ASN1_TFLG_UNIVERSAL (0x0<<6) -/* Application tag */ -#define ASN1_TFLG_APPLICATION (0x1<<6) -/* Context specific tag */ -#define ASN1_TFLG_CONTEXT (0x2<<6) -/* Private tag */ -#define ASN1_TFLG_PRIVATE (0x3<<6) +/* Universal tag */ +#define ASN1_TFLG_UNIVERSAL (0x0 << 6) +/* Application tag */ +#define ASN1_TFLG_APPLICATION (0x1 << 6) +/* Context specific tag */ +#define ASN1_TFLG_CONTEXT (0x2 << 6) +/* Private tag */ +#define ASN1_TFLG_PRIVATE (0x3 << 6) -#define ASN1_TFLG_TAG_CLASS (0x3<<6) +#define ASN1_TFLG_TAG_CLASS (0x3 << 6) /* These are for ANY DEFINED BY type. In this case * the 'item' field points to an ASN1_ADB structure @@ -437,9 +411,9 @@ struct ASN1_ADB_TABLE_st { * relevant type */ -#define ASN1_TFLG_ADB_MASK (0x3<<8) +#define ASN1_TFLG_ADB_MASK (0x3 << 8) -#define ASN1_TFLG_ADB_OID (0x1<<8) +#define ASN1_TFLG_ADB_OID (0x1 << 8) /* This flag means a parent structure is passed * instead of the field: this is useful is a 
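Review bot: `ASN1_TFLG_IMPLICIT` and `ASN1_TFLG_EXPLICIT` remain unparenthesized after the reformat (`#define ASN1_TFLG_IMPLICIT ASN1_TFLG_IMPTAG | ASN1_TFLG_CONTEXT`), so any use under an operator that binds tighter than `|`, for example a `flags & ASN1_TFLG_IMPLICIT` test, expands to `flags & ASN1_TFLG_IMPTAG | ASN1_TFLG_CONTEXT` and is evaluated as `(flags & ASN1_TFLG_IMPTAG) | ASN1_TFLG_CONTEXT`. The added spaces around `|` make the expansion read like an expression rather than a flag set, which makes the hazard more visible but does not remove it. The two definitions should become `#define ASN1_TFLG_IMPLICIT (ASN1_TFLG_IMPTAG | ASN1_TFLG_CONTEXT)` and `#define ASN1_TFLG_EXPLICIT (ASN1_TFLG_EXPTAG | ASN1_TFLG_CONTEXT)`, consistent with the parenthesized `ASN1_TFLG_*` constants around them. Whether any current caller is affected cannot be told from this hunk, and since this commit is a mechanical formatting pass the parenthesization may belong in a follow-up change.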
@@ -449,18 +423,19 @@ struct ASN1_ADB_TABLE_st { * ASN1_CHOICE_END_name() macro for example. */ -#define ASN1_TFLG_COMBINE (0x1<<10) +#define ASN1_TFLG_COMBINE (0x1 << 10) /* This is the actual ASN1 item itself */ struct ASN1_ITEM_st { -char itype; /* The item type, primitive, SEQUENCE, CHOICE or extern */ -int utype; /* underlying type */ -const ASN1_TEMPLATE *templates; /* If SEQUENCE or CHOICE this contains the contents */ -long tcount; /* Number of templates if SEQUENCE or CHOICE */ -const void *funcs; /* functions that handle this type */ -long size; /* Structure size (usually)*/ -const char *sname; /* Structure name */ + char itype; /* The item type, primitive, SEQUENCE, CHOICE or extern */ + int utype; /* underlying type */ + const ASN1_TEMPLATE + *templates; /* If SEQUENCE or CHOICE this contains the contents */ + long tcount; /* Number of templates if SEQUENCE or CHOICE */ + const void *funcs; /* functions that handle this type */ + long size; /* Structure size (usually)*/ + const char *sname; /* Structure name */ }; /* These are values for the itype field and @@ -469,7 +444,7 @@ const char *sname; /* Structure name */ * For PRIMITIVE types the underlying type * determines the behaviour if items is NULL. * - * Otherwise templates must contain a single + * Otherwise templates must contain a single * template and the type is treated in the * same way as the type specified in the template. * @@ -483,7 +458,7 @@ const char *sname; /* Structure name */ * selector. * * The 'funcs' field is used for application - * specific functions. + * specific functions. * * The EXTERN type uses a new style d2i/i2d. * The new style should be used where possible 
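Review bot: In the reformatted `struct ASN1_ITEM_st`, clang-format has split the member declaration `const ASN1_TEMPLATE *templates;` across two lines to fit its trailing comment, leaving `const ASN1_TEMPLATE` alone on one line and `*templates; /* ... */` on the next, which reads like two separate declarations. Moving the comment above the field keeps the member on one line and will survive future formatting passes: `/* If SEQUENCE or CHOICE this contains the contents */` followed by `const ASN1_TEMPLATE *templates;`. The other long trailing comments in this struct would benefit from the same treatment so the column alignment stops driving line breaks.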
@@ -499,45 +474,47 @@ const char *sname; /* Structure name */ * */ -#define ASN1_ITYPE_PRIMITIVE 0x0 +#define ASN1_ITYPE_PRIMITIVE 0x0 -#define ASN1_ITYPE_SEQUENCE 0x1 +#define ASN1_ITYPE_SEQUENCE 0x1 -#define ASN1_ITYPE_CHOICE 0x2 +#define ASN1_ITYPE_CHOICE 0x2 -#define ASN1_ITYPE_EXTERN 0x4 +#define ASN1_ITYPE_EXTERN 0x4 -#define ASN1_ITYPE_MSTRING 0x5 +#define ASN1_ITYPE_MSTRING 0x5 /* Deprecated tag and length cache */ struct ASN1_TLC_st; /* Typedefs for ASN1 function pointers */ -typedef ASN1_VALUE * ASN1_new_func(void); +typedef ASN1_VALUE *ASN1_new_func(void); typedef void ASN1_free_func(ASN1_VALUE *a); -typedef ASN1_VALUE * ASN1_d2i_func(ASN1_VALUE **a, const unsigned char ** in, long length); -typedef int ASN1_i2d_func(ASN1_VALUE * a, unsigned char **in); +typedef ASN1_VALUE *ASN1_d2i_func(ASN1_VALUE **a, const unsigned char **in, + long length); +typedef int ASN1_i2d_func(ASN1_VALUE *a, unsigned char **in); -typedef int ASN1_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, - int tag, int aclass, char opt, ASN1_TLC *ctx); +typedef int ASN1_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, + const ASN1_ITEM *it, int tag, int aclass, char opt, + ASN1_TLC *ctx); -typedef int ASN1_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass); +typedef int ASN1_ex_i2d(ASN1_VALUE **pval, unsigned char **out, + const ASN1_ITEM *it, int tag, int aclass); typedef int ASN1_ex_new_func(ASN1_VALUE **pval, const ASN1_ITEM *it); typedef void ASN1_ex_free_func(ASN1_VALUE **pval, const ASN1_ITEM *it); -typedef int ASN1_ex_print_func(BIO *out, ASN1_VALUE **pval, - int indent, const char *fname, - const ASN1_PCTX *pctx); +typedef int ASN1_ex_print_func(BIO *out, ASN1_VALUE **pval, int indent, + const char *fname, const ASN1_PCTX *pctx); typedef struct ASN1_EXTERN_FUNCS_st { - void *app_data; - ASN1_ex_new_func *asn1_ex_new; - ASN1_ex_free_func *asn1_ex_free; - ASN1_ex_d2i *asn1_ex_d2i; - ASN1_ex_i2d 
*asn1_ex_i2d; - /* asn1_ex_print is unused. */ - ASN1_ex_print_func *asn1_ex_print; + void *app_data; + ASN1_ex_new_func *asn1_ex_new; + ASN1_ex_free_func *asn1_ex_free; + ASN1_ex_d2i *asn1_ex_d2i; + ASN1_ex_i2d *asn1_ex_i2d; + /* asn1_ex_print is unused. */ + ASN1_ex_print_func *asn1_ex_print; } ASN1_EXTERN_FUNCS; /* This is the ASN1_AUX structure: it handles various @@ -550,7 +527,7 @@ typedef struct ASN1_EXTERN_FUNCS_st { * used. This is most useful where the supplied routines * *almost* do the right thing but need some extra help * at a few points. If the callback returns zero then - * it is assumed a fatal error has occurred and the + * it is assumed a fatal error has occurred and the * main operation should be abandoned. * * If major changes in the default behaviour are required 
@@ -558,125 +535,112 @@ typedef struct ASN1_EXTERN_FUNCS_st { */ typedef int ASN1_aux_cb(int operation, ASN1_VALUE **in, const ASN1_ITEM *it, - void *exarg); + void *exarg); typedef struct ASN1_AUX_st { - void *app_data; - uint32_t flags; - int ref_offset; /* Offset of reference value */ - ASN1_aux_cb *asn1_cb; - int enc_offset; /* Offset of ASN1_ENCODING structure */ + void *app_data; + uint32_t flags; + int ref_offset; /* Offset of reference value */ + ASN1_aux_cb *asn1_cb; + int enc_offset; /* Offset of ASN1_ENCODING structure */ } ASN1_AUX; /* Flags in ASN1_AUX */ /* Use a reference count */ -#define ASN1_AFLG_REFCOUNT 1 +#define ASN1_AFLG_REFCOUNT 1 /* Save the encoding of structure (useful for signatures) */ -#define ASN1_AFLG_ENCODING 2 +#define ASN1_AFLG_ENCODING 2 /* operation values for asn1_cb */ -#define ASN1_OP_NEW_PRE 0 -#define ASN1_OP_NEW_POST 1 -#define ASN1_OP_FREE_PRE 2 -#define ASN1_OP_FREE_POST 3 -#define ASN1_OP_D2I_PRE 4 -#define ASN1_OP_D2I_POST 5 +#define ASN1_OP_NEW_PRE 0 +#define ASN1_OP_NEW_POST 1 +#define ASN1_OP_FREE_PRE 2 +#define ASN1_OP_FREE_POST 3 +#define ASN1_OP_D2I_PRE 4 +#define ASN1_OP_D2I_POST 5 /* ASN1_OP_I2D_PRE and ASN1_OP_I2D_POST are not supported. We leave the * constants undefined so code relying on them does not accidentally compile. 
*/ -#define ASN1_OP_PRINT_PRE 8 -#define ASN1_OP_PRINT_POST 9 -#define ASN1_OP_STREAM_PRE 10 -#define ASN1_OP_STREAM_POST 11 -#define ASN1_OP_DETACHED_PRE 12 -#define ASN1_OP_DETACHED_POST 13 +#define ASN1_OP_PRINT_PRE 8 +#define ASN1_OP_PRINT_POST 9 +#define ASN1_OP_STREAM_PRE 10 +#define ASN1_OP_STREAM_POST 11 +#define ASN1_OP_DETACHED_PRE 12 +#define ASN1_OP_DETACHED_POST 13 /* Macro to implement a primitive type */ #define IMPLEMENT_ASN1_TYPE(stname) IMPLEMENT_ASN1_TYPE_ex(stname, stname, 0) -#define IMPLEMENT_ASN1_TYPE_ex(itname, vname, ex) \ - ASN1_ITEM_start(itname) \ - ASN1_ITYPE_PRIMITIVE, V_##vname, NULL, 0, NULL, ex, #itname \ - ASN1_ITEM_end(itname) +#define IMPLEMENT_ASN1_TYPE_ex(itname, vname, ex) \ + ASN1_ITEM_start(itname) ASN1_ITYPE_PRIMITIVE, V_##vname, NULL, 0, NULL, ex, \ + #itname ASN1_ITEM_end(itname) /* Macro to implement a multi string type */ -#define IMPLEMENT_ASN1_MSTRING(itname, mask) \ - ASN1_ITEM_start(itname) \ - ASN1_ITYPE_MSTRING, mask, NULL, 0, NULL, sizeof(ASN1_STRING), #itname \ - ASN1_ITEM_end(itname) - -#define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs) \ - ASN1_ITEM_start(sname) \ - ASN1_ITYPE_EXTERN, \ - tag, \ - NULL, \ - 0, \ - &fptrs, \ - 0, \ - #sname \ - ASN1_ITEM_end(sname) +#define IMPLEMENT_ASN1_MSTRING(itname, mask) \ + ASN1_ITEM_start(itname) ASN1_ITYPE_MSTRING, mask, NULL, 0, NULL, \ + sizeof(ASN1_STRING), #itname ASN1_ITEM_end(itname) + +#define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs) \ + ASN1_ITEM_start(sname) ASN1_ITYPE_EXTERN, tag, NULL, 0, &fptrs, 0, \ + #sname ASN1_ITEM_end(sname) /* Macro to implement standard functions in terms of ASN1_ITEM structures */ -#define IMPLEMENT_ASN1_FUNCTIONS(stname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, stname, stname) +#define IMPLEMENT_ASN1_FUNCTIONS(stname) \ + IMPLEMENT_ASN1_FUNCTIONS_fname(stname, stname, stname) -#define IMPLEMENT_ASN1_FUNCTIONS_name(stname, itname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, itname) +#define IMPLEMENT_ASN1_FUNCTIONS_name(stname, 
itname) \ + IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, itname) #define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname) \ - IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname) + IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname) #define IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(stname) \ - IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(static, stname, stname, stname) + IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(static, stname, stname, stname) #define IMPLEMENT_ASN1_ALLOC_FUNCTIONS(stname) \ - IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, stname, stname) + IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, stname, stname) #define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(pre, stname, itname, fname) \ - pre stname *fname##_new(void) \ - { \ - return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \ - } \ - pre void fname##_free(stname *a) \ - { \ - ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \ - } + pre stname *fname##_new(void) { \ + return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \ + } \ + pre void fname##_free(stname *a) { \ + ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \ + } #define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) \ - stname *fname##_new(void) \ - { \ - return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \ - } \ - void fname##_free(stname *a) \ - { \ - ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \ - } - -#define IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, fname) \ - IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \ - IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) - -#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \ - stname *d2i_##fname(stname **a, const unsigned char **in, long len) \ - { \ - return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\ - } \ - int i2d_##fname(stname *a, unsigned char **out) \ - { \ - return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\ - } + stname 
*fname##_new(void) { \ + return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \ + } \ + void fname##_free(stname *a) { \ + ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \ + } + +#define IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, fname) \ + IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \ + IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) + +#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \ + stname *d2i_##fname(stname **a, const unsigned char **in, long len) { \ + return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, \ + ASN1_ITEM_rptr(itname)); \ + } \ + int i2d_##fname(stname *a, unsigned char **out) { \ + return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname)); \ + } /* This includes evil casts to remove const: they will go away when full * ASN1 constification is done. */ #define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \ - stname *d2i_##fname(stname **a, const unsigned char **in, long len) \ - { \ - return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\ - } \ - int i2d_##fname(const stname *a, unsigned char **out) \ - { \ - return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\ - } + stname *d2i_##fname(stname **a, const unsigned char **in, long len) { \ + return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, \ + ASN1_ITEM_rptr(itname)); \ + } \ + int i2d_##fname(const stname *a, unsigned char **out) { \ + return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname)); \ + } #define IMPLEMENT_ASN1_DUP_FUNCTION(stname) \ stname *stname##_dup(stname *x) { \ 
@@ -689,11 +653,11 @@ typedef struct ASN1_AUX_st { } #define IMPLEMENT_ASN1_FUNCTIONS_const(name) \ - IMPLEMENT_ASN1_FUNCTIONS_const_fname(name, name, name) + IMPLEMENT_ASN1_FUNCTIONS_const_fname(name, name, name) -#define IMPLEMENT_ASN1_FUNCTIONS_const_fname(stname, itname, fname) \ - IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \ - IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) +#define IMPLEMENT_ASN1_FUNCTIONS_const_fname(stname, itname, fname) \ + IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \ + IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) /* external definitions for primitive types */ diff --git a/include/openssl/base.h b/include/openssl/base.h index 5f39445fcc..4a08330690 100644 --- a/include/openssl/base.h +++ b/include/openssl/base.h 
@@ -104,12 +104,13 @@ extern "C" { #define OPENSSL_VERSION_NUMBER 0x1010107f #define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER -// BORINGSSL_API_VERSION is replaced with AWSLC_API_VERSION to avoid users interpreting AWSLC as BoringSSL. -// Below are BoringSSL's comments on BORINGSSL_API_VERSION. -// BORINGSSL_API_VERSION is a positive integer that increments as BoringSSL -// changes over time. The value itself is not meaningful. It will be incremented -// whenever is convenient to coordinate an API change with consumers. This will -// not denote any special point in development. +// BORINGSSL_API_VERSION is replaced with AWSLC_API_VERSION to avoid users +// interpreting AWSLC as BoringSSL. Below are BoringSSL's comments on +// BORINGSSL_API_VERSION. BORINGSSL_API_VERSION is a positive integer that +// increments as BoringSSL changes over time. The value itself is not +// meaningful. It will be incremented whenever is convenient to coordinate an +// API change with consumers. This will not denote any special point in +// development. // // A consumer may use this symbol in the preprocessor to temporarily build // against multiple revisions of BoringSSL at the same time. It is not @@ -165,7 +166,8 @@ extern "C" { __pragma(warning(push)) __pragma(warning(disable : 4996)) #define OPENSSL_END_ALLOW_DEPRECATED __pragma(warning(pop)) -#elif (defined(__GNUC__) && ((__GNUC__ > 4) || (__GNUC_MINOR__ >= 6))) || defined(__clang__) +#elif (defined(__GNUC__) && ((__GNUC__ > 4) || (__GNUC_MINOR__ >= 6))) || \ + defined(__clang__) // `_Pragma("GCC diagnostic push")` was added in GCC 4.6 // http://gcc.gnu.org/gcc-4.6/changes.html #define OPENSSL_DEPRECATED __attribute__((__deprecated__)) 
@@ -189,8 +191,8 @@ extern "C" { // https://sourceforge.net/p/mingw-w64/wiki2/gnu%20printf/. #if defined(__MINGW_PRINTF_FORMAT) #define OPENSSL_PRINTF_FORMAT_FUNC(string_index, first_to_check) \ - __attribute__( \ - (__format__(__MINGW_PRINTF_FORMAT, string_index, first_to_check))) + __attribute__(( \ + __format__(__MINGW_PRINTF_FORMAT, string_index, first_to_check))) #else #define OPENSSL_PRINTF_FORMAT_FUNC(string_index, first_to_check) \ __attribute__((__format__(__printf__, string_index, first_to_check))) @@ -352,7 +354,8 @@ typedef struct kem_key_st KEM_KEY; typedef struct evp_pkey_ctx_st EVP_PKEY_CTX; typedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD; typedef struct evp_pkey_st EVP_PKEY; -typedef struct evp_pkey_ctx_signature_context_params_st EVP_PKEY_CTX_SIGNATURE_CONTEXT_PARAMS; +typedef struct evp_pkey_ctx_signature_context_params_st + EVP_PKEY_CTX_SIGNATURE_CONTEXT_PARAMS; typedef struct hmac_ctx_st HMAC_CTX; typedef struct md4_state_st MD4_CTX; typedef struct md5_state_st MD5_CTX; @@ -500,7 +503,7 @@ class StackAllocated { ~StackAllocated() { cleanup(&ctx_); } StackAllocated(const StackAllocated &) = delete; - StackAllocated& operator=(const StackAllocated &) = delete; + StackAllocated &operator=(const StackAllocated &) = delete; T *get() { return &ctx_; } const T *get() const { return &ctx_; } diff --git a/include/openssl/bio.h b/include/openssl/bio.h index ddc1a265cb..3bcadf29fc 100644 --- a/include/openssl/bio.h +++ b/include/openssl/bio.h 
@@ -153,12 +153,12 @@ OPENSSL_EXPORT int BIO_write_ex(BIO *bio, const void *data, size_t data_len, // It returns one if all bytes were successfully written and zero on error. OPENSSL_EXPORT int BIO_write_all(BIO *bio, const void *data, size_t len); -// BIO_puts calls the |bio| |callback_ex| if set with |BIO_CB_PUTS|, attempts +// BIO_puts calls the |bio| |callback_ex| if set with |BIO_CB_PUTS|, attempts // to write a NUL terminated string from |buf| to |bio|, then calls // |callback_ex| with |BIO_CB_PUTS|+|BIO_CB_RETURN|. If |callback_ex| is set // BIO_puts returns the value from calling the |callback_ex|, otherwise -// |BIO_puts| returns the number of bytes written, or a negative number on -// error. Unless the application defines a custom bputs method, this will +// |BIO_puts| returns the number of bytes written, or a negative number on +// error. Unless the application defines a custom bputs method, this will // delegate to using bwrite. OPENSSL_EXPORT int BIO_puts(BIO *bio, const char *buf); @@ -172,8 +172,8 @@ OPENSSL_EXPORT int BIO_flush(BIO *bio); // These are generic functions for sending control requests to a BIO. In // general one should use the wrapper functions like |BIO_get_close|. -// BIO_ctrl call the |bio| |callback_ex| if set with |BIO_CB_CTRL|, sends the -// control request |cmd| to |bio|, then calls |callback_ex| with |BIO_CB_CTRL| +// BIO_ctrl call the |bio| |callback_ex| if set with |BIO_CB_CTRL|, sends the +// control request |cmd| to |bio|, then calls |callback_ex| with |BIO_CB_CTRL| // + |BIO_CB_RETURN|. The |cmd| argument should be one of the |BIO_C_*| values. OPENSSL_EXPORT long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg); 
@@ -326,7 +326,8 @@ OPENSSL_EXPORT uint64_t BIO_number_read(const BIO *bio); OPENSSL_EXPORT uint64_t BIO_number_written(const BIO *bio); // BIO_set_callback_ex sets the |callback_ex| for |bio|. -OPENSSL_EXPORT void BIO_set_callback_ex(BIO *bio, BIO_callback_fn_ex callback_ex); +OPENSSL_EXPORT void BIO_set_callback_ex(BIO *bio, + BIO_callback_fn_ex callback_ex); // BIO_set_callback_arg sets the callback |arg| for |bio|. OPENSSL_EXPORT void BIO_set_callback_arg(BIO *bio, char *arg); @@ -454,8 +455,8 @@ OPENSSL_EXPORT int BIO_mem_contents(const BIO *bio, // WARNING: don't use this, use |BIO_mem_contents|. A negative return value // or zero from this function can mean either that it failed or that the // memory buffer is empty. -#define BIO_get_mem_data(bio, contents) BIO_ctrl(bio, BIO_CTRL_INFO, 0, \ - (char *)(contents)) +#define BIO_get_mem_data(bio, contents) \ + BIO_ctrl(bio, BIO_CTRL_INFO, 0, (char *)(contents)) // BIO_get_mem_ptr sets |*out| to a BUF_MEM containing the current contents of // |bio|. It returns one on success or zero on error. OPENSSL_EXPORT int BIO_get_mem_ptr(BIO *bio, BUF_MEM **out); 
@@ -683,18 +684,20 @@ OPENSSL_EXPORT int BIO_do_connect(BIO *bio); #define BIO_CTRL_DGRAM_QUERY_MTU 40 // as kernel for current MTU -#define BIO_CTRL_DGRAM_SET_MTU 42 /* set cached value for MTU. want to use - this if asking the kernel fails */ +#define BIO_CTRL_DGRAM_SET_MTU \ + 42 /* set cached value for MTU. want to use \ + this if asking the kernel fails */ -#define BIO_CTRL_DGRAM_MTU_EXCEEDED 43 /* check whether the MTU was exceed in - the previous write operation. */ +#define BIO_CTRL_DGRAM_MTU_EXCEEDED \ + 43 /* check whether the MTU was exceed in \ + the previous write operation. */ // BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT is unsupported as it is unused by consumers // and depends on |timeval|, which is not 2038-clean on all platforms. -#define BIO_CTRL_DGRAM_GET_PEER 46 +#define BIO_CTRL_DGRAM_GET_PEER 46 -#define BIO_CTRL_DGRAM_GET_FALLBACK_MTU 47 +#define BIO_CTRL_DGRAM_GET_FALLBACK_MTU 47 // BIO Pairs. @@ -760,7 +763,7 @@ OPENSSL_EXPORT int BIO_meth_set_create(BIO_METHOD *method, int (*create)(BIO *)); // BIO_meth_get_create returns |create| function of |method|. -OPENSSL_EXPORT int (*BIO_meth_get_create(const BIO_METHOD *method)) (BIO *); +OPENSSL_EXPORT int (*BIO_meth_get_create(const BIO_METHOD *method))(BIO *); // BIO_meth_set_destroy sets a function to release data associated with a |BIO| // and returns one. The function's return value is ignored. @@ -768,7 +771,7 @@ OPENSSL_EXPORT int BIO_meth_set_destroy(BIO_METHOD *method, int (*destroy)(BIO *)); // BIO_meth_get_destroy returns |destroy| function of |method|. -OPENSSL_EXPORT int (*BIO_meth_get_destroy(const BIO_METHOD *method)) (BIO *); +OPENSSL_EXPORT int (*BIO_meth_get_destroy(const BIO_METHOD *method))(BIO *); // BIO_meth_set_write sets the implementation of |BIO_write| for |method| and // returns one. |BIO_METHOD|s which implement |BIO_write| should also implement 
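Review bot: The reformatted `BIO_CTRL_DGRAM_SET_MTU` and `BIO_CTRL_DGRAM_MTU_EXCEEDED` definitions now put the value and a multi-line block comment on backslash-continued lines, so the explanatory text sits inside the macro body. This is well-formed C (the comment is removed before the directive is parsed) but it is awkward to read, and a later edit that turns the block comment into a `//` comment while keeping the trailing backslash would silently swallow the following line into the comment. Placing the comment on its own lines before the directive, e.g. `// Set cached value for MTU; used if asking the kernel fails.` then `#define BIO_CTRL_DGRAM_SET_MTU 42`, keeps the constant on one line and matches the `//` comment style used by the neighbouring `BIO_CTRL_DGRAM_*` definitions in this header.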
@@ -787,7 +790,8 @@ OPENSSL_EXPORT int BIO_meth_set_gets(BIO_METHOD *method, int (*gets)(BIO *, char *, int)); // BIO_meth_get_gets returns |gets| function of |method|. -OPENSSL_EXPORT int (*BIO_meth_get_gets(const BIO_METHOD *method)) (BIO *, char *, int); +OPENSSL_EXPORT int (*BIO_meth_get_gets(const BIO_METHOD *method))(BIO *, char *, + int); // BIO_meth_set_ctrl sets the implementation of |BIO_ctrl| for |method| and // returns one. @@ -795,15 +799,18 @@ OPENSSL_EXPORT int BIO_meth_set_ctrl(BIO_METHOD *method, long (*ctrl)(BIO *, int, long, void *)); // BIO_meth_get_ctrl returns |ctrl| function of |method|. -OPENSSL_EXPORT long (*BIO_meth_get_ctrl(const BIO_METHOD *method)) (BIO *, int, long, void *); +OPENSSL_EXPORT long (*BIO_meth_get_ctrl(const BIO_METHOD *method))(BIO *, int, + long, + void *); // BIO_meth_set_callback_ctrl sets the implementation of |callback_ctrl| for // |method| and returns one. -OPENSSL_EXPORT int BIO_meth_set_callback_ctrl(BIO_METHOD *method, - long (*callback_ctrl)(BIO *, int, bio_info_cb)); +OPENSSL_EXPORT int BIO_meth_set_callback_ctrl( + BIO_METHOD *method, long (*callback_ctrl)(BIO *, int, bio_info_cb)); // BIO_meth_get_callback_ctrl returns |callback_ctrl| function of |method|. -OPENSSL_EXPORT long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *method)) (BIO *, int, bio_info_cb); +OPENSSL_EXPORT long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *method))( + BIO *, int, bio_info_cb); // BIO_set_data sets custom data on |bio|. It may be retried with // |BIO_get_data|. 
@@ -907,16 +914,17 @@ OPENSSL_EXPORT void BIO_set_shutdown(BIO *bio, int shutdown); // BIO_get_shutdown returns the method-specific "shutdown" bit. OPENSSL_EXPORT int BIO_get_shutdown(BIO *bio); -// BIO_meth_set_puts sets the implementation of |BIO_puts| for |method| and +// BIO_meth_set_puts sets the implementation of |BIO_puts| for |method| and // returns 1. OPENSSL_EXPORT int BIO_meth_set_puts(BIO_METHOD *method, int (*puts)(BIO *, const char *)); // BIO_meth_get_puts returns |puts| function of |method|. -OPENSSL_EXPORT int (*BIO_meth_get_puts(const BIO_METHOD *method)) (BIO *, const char *); +OPENSSL_EXPORT int (*BIO_meth_get_puts(const BIO_METHOD *method))(BIO *, + const char *); -// BIO_s_secmem returns the normal BIO_METHOD |BIO_s_mem|. Deprecated since AWS-LC -// does not support secure heaps. +// BIO_s_secmem returns the normal BIO_METHOD |BIO_s_mem|. Deprecated since +// AWS-LC does not support secure heaps. OPENSSL_EXPORT OPENSSL_DEPRECATED const BIO_METHOD *BIO_s_secmem(void); @@ -999,7 +1007,7 @@ struct bio_st { // |BIO_CB_READ|+|BIO_CB_RETURN|, |BIO_CB_WRITE|, // |BIO_CB_WRITE|+|BIO_CB_RETURN|, |BIO_CB_PUTS|, // |BIO_CB_PUTS|+|BIO_CB_RETURN|, |BIO_CB_GETS|, - // |BIO_CB_GETS|+|BIO_CB_RETURN|, |BIO_CB_CTRL|, + // |BIO_CB_GETS|+|BIO_CB_RETURN|, |BIO_CB_CTRL|, // |BIO_CB_CTRL|+|BIO_CB_RETURN|, and |BIO_CB_FREE|. BIO_callback_fn_ex callback_ex; // Optional callback argument, only intended for applications use. diff --git a/include/openssl/blowfish.h b/include/openssl/blowfish.h index 293b1755bf..e753ceba99 100644 --- a/include/openssl/blowfish.h +++ b/include/openssl/blowfish.h @@ -59,7 +59,7 @@ #include -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif @@ -86,7 +86,7 @@ OPENSSL_EXPORT void BF_cbc_encrypt(const uint8_t *in, uint8_t *out, uint8_t *ivec, int enc); -#ifdef __cplusplus +#ifdef __cplusplus } #endif diff --git a/include/openssl/bn.h b/include/openssl/bn.h index f96eae79bb..16cd2d6fb4 100644 --- a/include/openssl/bn.h 
+++ b/include/openssl/bn.h @@ -639,13 +639,13 @@ OPENSSL_EXPORT BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, // Random and prime number generation. // The following are values for the |top| parameter of |BN_rand|. -#define BN_RAND_TOP_ANY (-1) -#define BN_RAND_TOP_ONE 0 -#define BN_RAND_TOP_TWO 1 +#define BN_RAND_TOP_ANY (-1) +#define BN_RAND_TOP_ONE 0 +#define BN_RAND_TOP_TWO 1 // The following are values for the |bottom| parameter of |BN_rand|. -#define BN_RAND_BOTTOM_ANY 0 -#define BN_RAND_BOTTOM_ODD 1 +#define BN_RAND_BOTTOM_ANY 0 +#define BN_RAND_BOTTOM_ODD 1 // BN_rand sets |rnd| to a random number of length |bits|. It returns one on // success and zero otherwise. @@ -700,7 +700,7 @@ OPENSSL_EXPORT int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range); // BN_GENCB argument and may call the function with other argument values. struct bn_gencb_st { uint8_t type; - void *arg; // callback-specific data + void *arg; // callback-specific data union { int (*new_style)(int event, int n, struct bn_gencb_st *); void (*old_style)(int, int, void *); 
@@ -716,11 +716,11 @@ OPENSSL_EXPORT BN_GENCB *BN_GENCB_new(void); OPENSSL_EXPORT void BN_GENCB_free(BN_GENCB *callback); // BN_GENCB_set configures |callback| to call |f| and sets |callback->arg| to -// |arg|. |BN_GENCB_set| is recommended over |BN_GENCB_set_old| as |BN_GENCB_set| -// accepts callbacks that return a result and have a strong type for the -// |BN_GENCB|. Only one callback can be configured in a |BN_GENCB|, calling -// |BN_GENCB_set| or |BN_GENCB_set_old| multiple times will overwrite the -// callback. +// |arg|. |BN_GENCB_set| is recommended over |BN_GENCB_set_old| as +// |BN_GENCB_set| accepts callbacks that return a result and have a strong type +// for the |BN_GENCB|. Only one callback can be configured in a |BN_GENCB|, +// calling |BN_GENCB_set| or |BN_GENCB_set_old| multiple times will overwrite +// the callback. OPENSSL_EXPORT void BN_GENCB_set(BN_GENCB *callback, int (*f)(int event, int n, BN_GENCB *), void *arg); @@ -1027,11 +1027,11 @@ OPENSSL_EXPORT BN_CTX *BN_CTX_secure_new(void); // multiplications at once using AVX-512 SIMD. If AVX-512 is not // available, it falls back to two calls of // `BN_mod_exp_mont_consttime`. -OPENSSL_EXPORT int BN_mod_exp_mont_consttime_x2(BIGNUM *rr1, const BIGNUM *a1, const BIGNUM *p1, - const BIGNUM *m1, const BN_MONT_CTX *in_mont1, - BIGNUM *rr2, const BIGNUM *a2, const BIGNUM *p2, - const BIGNUM *m2, const BN_MONT_CTX *in_mont2, - BN_CTX *ctx); +OPENSSL_EXPORT int BN_mod_exp_mont_consttime_x2( + BIGNUM *rr1, const BIGNUM *a1, const BIGNUM *p1, const BIGNUM *m1, + const BN_MONT_CTX *in_mont1, BIGNUM *rr2, const BIGNUM *a2, + const BIGNUM *p2, const BIGNUM *m2, const BN_MONT_CTX *in_mont2, + BN_CTX *ctx); // BN_set_flags does nothing. See comments regarding |BN_FLG_CONSTTIME| being // intentionally omitted for more details. diff --git a/include/openssl/boringssl_prefix_symbols.h b/include/openssl/boringssl_prefix_symbols.h index 93442671b3..fcdcac4128 100644 --- a/include/openssl/boringssl_prefix_symbols.h 
+++ b/include/openssl/boringssl_prefix_symbols.h @@ -1,5 +1,5 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC -// This file is intentionally empty, were AWS-LC installed with symbol prefixes, this file would contain -// macro definitions for the prefixed symbols. +// This file is intentionally empty, were AWS-LC installed with symbol prefixes, +// this file would contain macro definitions for the prefixed symbols. diff --git a/include/openssl/boringssl_prefix_symbols_asm.h b/include/openssl/boringssl_prefix_symbols_asm.h index 93442671b3..fcdcac4128 100644 --- a/include/openssl/boringssl_prefix_symbols_asm.h +++ b/include/openssl/boringssl_prefix_symbols_asm.h @@ -1,5 +1,5 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC -// This file is intentionally empty, were AWS-LC installed with symbol prefixes, this file would contain -// macro definitions for the prefixed symbols. +// This file is intentionally empty, were AWS-LC installed with symbol prefixes, +// this file would contain macro definitions for the prefixed symbols. diff --git a/include/openssl/cmac.h b/include/openssl/cmac.h index 2b2815ed78..e58ecbb82e 100644 --- a/include/openssl/cmac.h +++ b/include/openssl/cmac.h @@ -75,7 +75,8 @@ OPENSSL_EXPORT int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len); // Deprecated functions. -// CMAC_CTX_get0_cipher_ctx returns a pointer to the |EVP_CIPHER_CTX| from |ctx|. +// CMAC_CTX_get0_cipher_ctx returns a pointer to the |EVP_CIPHER_CTX| from +// |ctx|. OPENSSL_EXPORT EVP_CIPHER_CTX *CMAC_CTX_get0_cipher_ctx(CMAC_CTX *ctx); diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index 0f39e8ab1a..d7a976763f 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h 
@@ -85,7 +85,8 @@ OPENSSL_EXPORT int CRYPTO_needs_hwcap2_workaround(void);
 #endif // OPENSSL_ARM && OPENSSL_LINUX && !OPENSSL_STATIC_ARMCAP
 // Data-Independent Timing (DIT) on AArch64
-#if defined(OPENSSL_AARCH64) && (defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE))
+#if defined(OPENSSL_AARCH64) && \
+ (defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE))
 // (TODO): See if we can detect the DIT capability in Windows environment
 #define AARCH64_DIT_SUPPORTED
 #endif
@@ -117,8 +118,8 @@ OPENSSL_EXPORT void armv8_enable_dit(void);
 // which case it returns one.
 OPENSSL_EXPORT int FIPS_mode(void);
-// FIPS_is_entropy_cpu_jitter returns 1 if CPU jitter is used as the entropy source
-// for AWS-LC. Otherwise, returns 0;
+// FIPS_is_entropy_cpu_jitter returns 1 if CPU jitter is used as the entropy
+// source for AWS-LC. Otherwise, returns 0;
 OPENSSL_EXPORT int FIPS_is_entropy_cpu_jitter(void);
 // fips_counter_t denotes specific APIs/algorithms. A counter is maintained for
@@ -143,7 +144,8 @@ OPENSSL_EXPORT size_t FIPS_read_counter(enum fips_counter_t counter);
 // OPENSSL_VERSION_TEXT contains a string the identifies the version of
 // “OpenSSL”. node.js requires a version number in this text.
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 (compatible; AWS-LC " AWSLC_VERSION_NUMBER_STRING ")"
+#define OPENSSL_VERSION_TEXT \
+ "OpenSSL 1.1.1 (compatible; AWS-LC " AWSLC_VERSION_NUMBER_STRING ")"
 #define OPENSSL_VERSION 0
 #define OPENSSL_CFLAGS 1
@@ -233,7 +235,7 @@ OPENSSL_EXPORT uint32_t FIPS_version(void);
 // FIPS_query_algorithm_status returns one if |algorithm| is FIPS validated in
 // the current BoringSSL and zero otherwise.
 OPENSSL_EXPORT int FIPS_query_algorithm_status(const char *algorithm);
-#endif //BORINGSSL_FIPS_140_3
+#endif // BORINGSSL_FIPS_140_3
 #if defined(__cplusplus)
diff --git a/include/openssl/ctrdrbg.h b/include/openssl/ctrdrbg.h
index 5440fb4d14..62288a8914 100644
--- a/include/openssl/ctrdrbg.h
+++ b/include/openssl/ctrdrbg.h
@@ -46,7 +46,7 @@ OPENSSL_EXPORT CTR_DRBG_STATE *CTR_DRBG_new(
 size_t personalization_len);
 // CTR_DRBG_free frees |state| if non-NULL, or else does nothing.
-OPENSSL_EXPORT void CTR_DRBG_free(CTR_DRBG_STATE* state);
+OPENSSL_EXPORT void CTR_DRBG_free(CTR_DRBG_STATE *state);
 // CTR_DRBG_reseed reseeds |drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of entropy
 // in |entropy| and, optionally, up to |CTR_DRBG_ENTROPY_LEN| bytes of
diff --git a/include/openssl/curve25519.h b/include/openssl/curve25519.h
index 95511a920d..e1b7f4ba3d 100644
--- a/include/openssl/curve25519.h
+++ b/include/openssl/curve25519.h
@@ -40,8 +40,8 @@ extern "C" {
 // X25519_keypair sets |out_public_value| and |out_private_key| to a freshly
 // generated, public–private key pair.
 OPENSSL_EXPORT void X25519_keypair(
- uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN],
- uint8_t out_private_key[X25519_PRIVATE_KEY_LEN]);
+ uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN],
+ uint8_t out_private_key[X25519_PRIVATE_KEY_LEN]);
 // X25519 writes a shared key to |out_shared_key| that is calculated from the
 // given private key and the peer's public value. It returns one on success and
@@ -49,15 +49,16 @@ OPENSSL_EXPORT void X25519_keypair(
 //
 // Don't use the shared key directly, rather use a KDF and also include the two
 // public values as inputs.
-OPENSSL_EXPORT int X25519(uint8_t out_shared_key[X25519_SHARED_KEY_LEN],
- const uint8_t private_key[X25519_PRIVATE_KEY_LEN],
- const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]);
+OPENSSL_EXPORT int X25519(
+ uint8_t out_shared_key[X25519_SHARED_KEY_LEN],
+ const uint8_t private_key[X25519_PRIVATE_KEY_LEN],
+ const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]);
 // X25519_public_from_private calculates a Diffie-Hellman public value from the
 // given private key and writes it to |out_public_value|.
 OPENSSL_EXPORT void X25519_public_from_private(
- uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN],
- const uint8_t private_key[X25519_PRIVATE_KEY_LEN]);
+ uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN],
+ const uint8_t private_key[X25519_PRIVATE_KEY_LEN]);
 // Ed25519.
@@ -78,60 +79,62 @@ OPENSSL_EXPORT void X25519_public_from_private(
 // ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly
 // generated, public–private key pair.
-OPENSSL_EXPORT void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
- uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]);
+OPENSSL_EXPORT void ED25519_keypair(
+ uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
+ uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]);
 // ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
 // |message| using |private_key|. It returns one on success or zero on
 // allocation failure.
-OPENSSL_EXPORT int ED25519_sign(uint8_t out_sig[ED25519_SIGNATURE_LEN],
- const uint8_t *message, size_t message_len,
- const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]);
+OPENSSL_EXPORT int ED25519_sign(
+ uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message,
+ size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]);
 // ED25519_verify returns one iff |signature| is a valid signature, by
 // |public_key| of |message_len| bytes from |message|. It returns zero
 // otherwise.
-OPENSSL_EXPORT int ED25519_verify(const uint8_t *message, size_t message_len,
- const uint8_t signature[ED25519_SIGNATURE_LEN],
- const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+OPENSSL_EXPORT int ED25519_verify(
+ const uint8_t *message, size_t message_len,
+ const uint8_t signature[ED25519_SIGNATURE_LEN],
+ const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
 // ED25519ctx_sign sets |out_sig| to be a Ed25519ctx (RFC 8032) pure signature
 // of |message_len| bytes from |message| using |private_key|, and the provided
 // |context_len| bytes for |context|. |context_len| must be greater than zero,
 // but no more than 255. It returns one on success or zero on failure.
 OPENSSL_EXPORT int ED25519ctx_sign(
- uint8_t out_sig[ED25519_SIGNATURE_LEN],
- const uint8_t *message, size_t message_len,
- const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
+ uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message,
+ size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
 const uint8_t *context, size_t context_len);
 // ED25519ctx_verify returns one iff |signature| is a valid Ed25519ctx pure
 // signature, by |public_key| of |message_len| bytes from |message|, and
 // |context_len| bytes from |context|. |context_len| must be greater than zero,
 // but no more than 255. It returns zero otherwise.
-OPENSSL_EXPORT int ED25519ctx_verify(const uint8_t *message, size_t message_len,
- const uint8_t signature[ED25519_SIGNATURE_LEN],
- const uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
- const uint8_t *context, size_t context_len);
+OPENSSL_EXPORT int ED25519ctx_verify(
+ const uint8_t *message, size_t message_len,
+ const uint8_t signature[ED25519_SIGNATURE_LEN],
+ const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], const uint8_t *context,
+ size_t context_len);
 // ED25519ph_sign sets |out_sig| to be a Ed25519ph (RFC 8032) / HashEdDSA
 // signature of |message_len| bytes from |message| using |private_key|, and the
 // provided |context_len| bytes for |context|. |context_len| may be zero, but no
 // more than 255. It returns one on success or zero on failure.
 OPENSSL_EXPORT int ED25519ph_sign(
- uint8_t out_sig[ED25519_SIGNATURE_LEN],
- const uint8_t *message, size_t message_len,
- const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
+ uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t *message,
+ size_t message_len, const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
 const uint8_t *context, size_t context_len);
 // ED25519ph_verify returns one iff |signature| is a valid Ed25519ph (RFC 8032)
 // / HashEdDSA signature, by |public_key| of |message_len| bytes from |message|,
 // and |context_len| bytes from |context|.
|context_len| may be zero, but no
 // more than 255. It returns zero otherwise.
-OPENSSL_EXPORT int ED25519ph_verify(const uint8_t *message, size_t message_len,
- const uint8_t signature[ED25519_SIGNATURE_LEN],
- const uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
- const uint8_t *context, size_t context_len);
+OPENSSL_EXPORT int ED25519ph_verify(
+ const uint8_t *message, size_t message_len,
+ const uint8_t signature[ED25519_SIGNATURE_LEN],
+ const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], const uint8_t *context,
+ size_t context_len);
 // ED25519ph_sign_digest sets |out_sig| to be a Ed25519ph (RFC 8032) / HashEdDSA
 // signature of a pre-computed SHA-512 message digest |digest| using
@@ -139,29 +142,29 @@ OPENSSL_EXPORT int ED25519ph_verify(const uint8_t *message, size_t message_len,
 // |context_len| may be zero, but no more than 255.
 // It returns one on success or zero on failure.
 OPENSSL_EXPORT int ED25519ph_sign_digest(
- uint8_t out_sig[ED25519_SIGNATURE_LEN],
- const uint8_t digest[64],
- const uint8_t private_key[ED25519_PRIVATE_KEY_LEN],
- const uint8_t *context, size_t context_len);
+ uint8_t out_sig[ED25519_SIGNATURE_LEN], const uint8_t digest[64],
+ const uint8_t private_key[ED25519_PRIVATE_KEY_LEN], const uint8_t *context,
+ size_t context_len);
 // ED25519ph_verify_digest returns one iff |signature| is a valid Ed25519ph (RFC
 // 8032) / HashEdDSA signature, by |public_key| of a pre-computed SHA-512
 // message digest |digest|, and |context_len| bytes from |context|.
 // |context_len| may be zero, but no more than 255.
 // It returns zero otherwise.
-OPENSSL_EXPORT int ED25519ph_verify_digest(const uint8_t digest[64],
- const uint8_t signature[ED25519_SIGNATURE_LEN],
- const uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
- const uint8_t *context, size_t context_len);
+OPENSSL_EXPORT int ED25519ph_verify_digest(
+ const uint8_t digest[64], const uint8_t signature[ED25519_SIGNATURE_LEN],
+ const uint8_t public_key[ED25519_PUBLIC_KEY_LEN], const uint8_t *context,
+ size_t context_len);
 // ED25519_keypair_from_seed calculates a public and private key from an
 // Ed25519 “seed”. Seed values are not exposed by this API (although they
 // happen to be the first 32 bytes of a private key) so this function is for
 // interoperating with systems that may store just a seed instead of a full
 // private key.
-OPENSSL_EXPORT void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
- uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN],
- const uint8_t seed[ED25519_SEED_LEN]);
+OPENSSL_EXPORT void ED25519_keypair_from_seed(
+ uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
+ uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN],
+ const uint8_t seed[ED25519_SEED_LEN]);
 // SPAKE2.
@@ -176,10 +179,7 @@ OPENSSL_EXPORT void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUB
 // spake2_role_t enumerates the different “roles” in SPAKE2. The protocol
 // requires that the symmetry of the two parties be broken so one participant
 // must be “Alice” and the other be “Bob”.
-enum spake2_role_t {
- spake2_role_alice,
- spake2_role_bob
-};
+enum spake2_role_t { spake2_role_alice, spake2_role_bob };
 // SPAKE2_CTX_new creates a new |SPAKE2_CTX| (which can only be used for a
 // single execution of the protocol). SPAKE2 requires the symmetry of the two
@@ -190,10 +190,11 @@ enum spake2_role_t {
 // bound into the protocol. For example MAC addresses, hostnames, usernames
 // etc. These values are not exposed and can avoid context-confusion attacks
 // when a password is shared between several devices.
-OPENSSL_EXPORT SPAKE2_CTX *SPAKE2_CTX_new(
- enum spake2_role_t my_role,
- const uint8_t *my_name, size_t my_name_len,
- const uint8_t *their_name, size_t their_name_len);
+OPENSSL_EXPORT SPAKE2_CTX *SPAKE2_CTX_new(enum spake2_role_t my_role,
+ const uint8_t *my_name,
+ size_t my_name_len,
+ const uint8_t *their_name,
+ size_t their_name_len);
 // SPAKE2_CTX_free frees |ctx| and all the resources that it has allocated.
 OPENSSL_EXPORT void SPAKE2_CTX_free(SPAKE2_CTX *ctx);
diff --git a/include/openssl/des.h b/include/openssl/des.h
index f425a792e5..006ee6861c 100644
--- a/include/openssl/des.h
+++ b/include/openssl/des.h
@@ -101,13 +101,17 @@ OPENSSL_EXPORT int DES_is_weak_key(const DES_cblock *key);
 // 0: key is not weak and has odd parity
 // -1: key is not odd
 // -2: key is a weak key, the parity might also be even
-OPENSSL_EXPORT int DES_set_key(const DES_cblock *key, DES_key_schedule *schedule);
+OPENSSL_EXPORT int DES_set_key(const DES_cblock *key,
+ DES_key_schedule *schedule);
-// DES_set_key_unchecked performs a key schedule and initialises |schedule| with |key|.
-OPENSSL_EXPORT void DES_set_key_unchecked(const DES_cblock *key, DES_key_schedule *schedule);
+// DES_set_key_unchecked performs a key schedule and initialises |schedule| with
+// |key|.
+OPENSSL_EXPORT void DES_set_key_unchecked(const DES_cblock *key,
+ DES_key_schedule *schedule);
 // DES_key_sched calls |DES_set_key|.
-OPENSSL_EXPORT int DES_key_sched(const DES_cblock *key, DES_key_schedule *schedule);
+OPENSSL_EXPORT int DES_key_sched(const DES_cblock *key,
+ DES_key_schedule *schedule);
 // DES_set_odd_parity sets the parity bits (the least-significant bits in each
 // byte) of |key| given the other bits in each byte.
@@ -133,8 +137,7 @@ OPENSSL_EXPORT void DES_ecb3_encrypt(const DES_cblock *input,
 DES_cblock *output,
 const DES_key_schedule *ks1,
 const DES_key_schedule *ks2,
- const DES_key_schedule *ks3,
- int enc);
+ const DES_key_schedule *ks3, int enc);
 // DES_ede3_cbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len|
 // bytes from |in| to |out| with 3DES in CBC mode. 3DES uses three keys, thus
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index c3904f827a..43358794a0 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -376,7 +376,7 @@ OPENSSL_EXPORT OPENSSL_DEPRECATED void DH_clear_flags(DH *dh, int flags);
 // cache the montgomery form of the prime to speed up multiplication at the cost
 // of increasing memory storage. AWS-LC always does this and does not support
 // turning this option off.
-//
+//
 // NOTE: This is also on by default in OpenSSL.
 #define DH_FLAG_CACHE_MONT_P 0
diff --git a/include/openssl/digest.h b/include/openssl/digest.h
index 83d4189b71..dcbeec0665 100644
--- a/include/openssl/digest.h
+++ b/include/openssl/digest.h
@@ -177,7 +177,8 @@ OPENSSL_EXPORT int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data,
 // length of the hash in bytes, before any truncation (e.g., 32 for SHA-224 and
 // SHA-256, 64 for SHA-384 and SHA-512).
 // This constant is only used internally by HMAC.
-#define EVP_MAX_MD_CHAINING_LENGTH 64 // SHA-512 has the longest chaining length so far
+#define EVP_MAX_MD_CHAINING_LENGTH \
+ 64 // SHA-512 has the longest chaining length so far
 // EVP_MAX_MD_BLOCK_SIZE is the largest digest block size supported, in
 // bytes.
diff --git a/include/openssl/err.h b/include/openssl/err.h
index f3e52eafc2..d247c4e055 100644
--- a/include/openssl/err.h
+++ b/include/openssl/err.h
@@ -111,9 +111,9 @@
 #include
+#include
 #include
 #include
-#include
 #if defined(__cplusplus)
 extern "C" {
@@ -266,7 +266,8 @@ typedef int (*ERR_print_errors_callback_t)(const char *str, size_t len,
 // The string will have the following format (which differs from
 // |ERR_error_string|):
 //
-// [thread id]:error:[error code]:[library name]:OPENSSL_internal:[reason string]:[file]:[line number]:[optional string data]
+// [thread id]:error:[error code]:[library name]:OPENSSL_internal:[reason
+// string]:[file]:[line number]:[optional string data]
 //
 // The callback can return one to continue the iteration or zero to stop it.
 // The |ctx| argument is an opaque value that is passed through to the
@@ -306,50 +307,50 @@ OPENSSL_EXPORT int ERR_get_next_error_library(void);
 // Built-in library and reason codes.
 // The following values are built-in library codes.
-#define ERR_LIB_NONE 1
-#define ERR_LIB_SYS 2
-#define ERR_LIB_BN 3
-#define ERR_LIB_RSA 4
-#define ERR_LIB_DH 5
-#define ERR_LIB_EVP 6
-#define ERR_LIB_BUF 7
-#define ERR_LIB_OBJ 8
-#define ERR_LIB_PEM 9
-#define ERR_LIB_DSA 10
-#define ERR_LIB_X509 11
-#define ERR_LIB_ASN1 12
-#define ERR_LIB_CONF 13
-#define ERR_LIB_CRYPTO 14
-#define ERR_LIB_EC 15
-#define ERR_LIB_SSL 16
-#define ERR_LIB_BIO 17
-#define ERR_LIB_PKCS7 18
-#define ERR_LIB_PKCS8 19
-#define ERR_LIB_X509V3 20
-#define ERR_LIB_RAND 21
-#define ERR_LIB_ENGINE 22
-#define ERR_LIB_OCSP 23
-#define ERR_LIB_UI 24
-#define ERR_LIB_COMP 25
-#define ERR_LIB_ECDSA 26
-#define ERR_LIB_ECDH 27
-#define ERR_LIB_HMAC 28
-#define ERR_LIB_DIGEST 29
-#define ERR_LIB_CIPHER 30
-#define ERR_LIB_HKDF 31
-#define ERR_LIB_TRUST_TOKEN 32
-#define ERR_LIB_USER 33
-#define ERR_NUM_LIBS 34
-#define ERR_LIB_PKCS12 35
-#define ERR_LIB_DSO 36
-#define ERR_LIB_OSSL_STORE 37
-#define ERR_LIB_FIPS 38
-#define ERR_LIB_CMS 39
-#define ERR_LIB_TS 40
-#define ERR_LIB_CT 41
-#define ERR_LIB_ASYNC 42
-#define ERR_LIB_KDF 43
-#define ERR_LIB_SM2 44
+#define ERR_LIB_NONE 1
+#define ERR_LIB_SYS 2
+#define ERR_LIB_BN 3
+#define ERR_LIB_RSA 4
+#define ERR_LIB_DH 5
+#define ERR_LIB_EVP 6
+#define ERR_LIB_BUF 7
+#define ERR_LIB_OBJ 8
+#define ERR_LIB_PEM 9
+#define ERR_LIB_DSA 10
+#define ERR_LIB_X509 11
+#define ERR_LIB_ASN1 12
+#define ERR_LIB_CONF 13
+#define ERR_LIB_CRYPTO 14
+#define ERR_LIB_EC 15
+#define ERR_LIB_SSL 16
+#define ERR_LIB_BIO 17
+#define ERR_LIB_PKCS7 18
+#define ERR_LIB_PKCS8 19
+#define ERR_LIB_X509V3 20
+#define ERR_LIB_RAND 21
+#define ERR_LIB_ENGINE 22
+#define ERR_LIB_OCSP 23
+#define ERR_LIB_UI 24
+#define ERR_LIB_COMP 25
+#define ERR_LIB_ECDSA 26
+#define ERR_LIB_ECDH 27
+#define ERR_LIB_HMAC 28
+#define ERR_LIB_DIGEST 29
+#define ERR_LIB_CIPHER 30
+#define ERR_LIB_HKDF 31
+#define ERR_LIB_TRUST_TOKEN 32
+#define ERR_LIB_USER 33
+#define ERR_NUM_LIBS 34
+#define ERR_LIB_PKCS12 35
+#define ERR_LIB_DSO 36
+#define ERR_LIB_OSSL_STORE 37
+#define ERR_LIB_FIPS 38
+#define ERR_LIB_CMS 39
+#define ERR_LIB_TS 40
+#define ERR_LIB_CT 41
+#define ERR_LIB_ASYNC 42
+#define ERR_LIB_KDF 43
+#define ERR_LIB_SM2 44
 // The following reason codes used to denote an error occuring in another
 // library. They are sometimes used for a stack trace.
@@ -489,7 +490,7 @@ OPENSSL_EXPORT void ERR_set_error_data(char *data, int flags);
 // queue.
 #define ERR_NUM_ERRORS 16
-#define ERR_PACK(lib, reason) \
+#define ERR_PACK(lib, reason) \
 (((((uint32_t)(lib)) & 0xff) << 24) | ((((uint32_t)(reason)) & 0xfff)))
 // OPENSSL_DECLARE_ERROR_REASON is used by util/make_errors.h (which generates
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 78cac8fb01..f820816d4d 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -181,13 +181,15 @@ OPENSSL_EXPORT DH *EVP_PKEY_get1_DH(const EVP_PKEY *pkey);
 // parameter p for DH parameter generation. If this function is not called,
 // the default length of 2048 is used. |pbits| must be greater than or equal
 // to 256. Returns 1 on success, otherwise returns a non-positive value.
-OPENSSL_EXPORT int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int pbits);
+OPENSSL_EXPORT int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx,
+ int pbits);
 // EVP_PKEY_CTX_set_dh_paramgen_generator sets the DH generator for DH parameter
 // generation. If this function is not called, the default value of 2 is used.
 // |gen| must be greater than 1. Returns 1 on success, otherwise returns a
 // non-positive value.
-OPENSSL_EXPORT int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen);
+OPENSSL_EXPORT int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx,
+ int gen);
 #define EVP_PKEY_NONE NID_undef
 #define EVP_PKEY_RSA NID_rsaEncryption
@@ -759,11 +761,11 @@ OPENSSL_EXPORT int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey);
 // provide large enough |ciphertext| and |shared_secret| buffers.
 //
 // It returns one on success or zero on error.
-OPENSSL_EXPORT int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx /* IN */,
- uint8_t *ciphertext /* OUT */,
- size_t *ciphertext_len /* OUT */,
- uint8_t *shared_secret /* OUT */,
- size_t *shared_secret_len /* OUT */);
+OPENSSL_EXPORT int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx /* IN */,
+ uint8_t *ciphertext /* OUT */,
+ size_t *ciphertext_len /* OUT */,
+ uint8_t *shared_secret /* OUT */,
+ size_t *shared_secret_len /* OUT */);
 // EVP_PKEY_decapsulate is an operation defined for a KEM (Key Encapsulation
 // Mechanism). For the KEM specified in |ctx|, the function:
@@ -783,11 +785,11 @@ OPENSSL_EXPORT int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx /* IN */,
 // provide large enough |shared_secret| buffer.
 //
 // It returns one on success or zero on error.
-OPENSSL_EXPORT int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx /* IN */,
- uint8_t *shared_secret /* OUT */,
- size_t *shared_secret_len /* OUT */,
- const uint8_t *ciphertext /* IN */,
- size_t ciphertext_len /* IN */);
+OPENSSL_EXPORT int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx /* IN */,
+ uint8_t *shared_secret /* OUT */,
+ size_t *shared_secret_len /* OUT */,
+ const uint8_t *ciphertext /* IN */,
+ size_t ciphertext_len /* IN */);
 // EVP_PKEY_paramgen_init initialises an |EVP_PKEY_CTX| for a parameter
 // generation operation. It should be called before |EVP_PKEY_paramgen|.
@@ -956,15 +958,17 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_kem_set_params(EVP_PKEY_CTX *ctx, int nid);
 // EVP_PKEY_KEM, initializes the KEM key based on |nid| and populates the
 // public key part of the KEM key with the contents of |in|. It returns the
 // pointer to the allocated PKEY on sucess and NULL on error.
-OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_kem_new_raw_public_key(
- int nid, const uint8_t *in, size_t len);
+OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_kem_new_raw_public_key(int nid,
+ const uint8_t *in,
+ size_t len);
 // EVP_PKEY_kem_new_raw_secret_key generates a new EVP_PKEY object of type
 // EVP_PKEY_KEM, initializes the KEM key based on |nid| and populates the
 // secret key part of the KEM key with the contents of |in|. It returns the
 // pointer to the allocated PKEY on sucess and NULL on error.
-OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_kem_new_raw_secret_key(
- int nid, const uint8_t *in, size_t len);
+OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_kem_new_raw_secret_key(int nid,
+ const uint8_t *in,
+ size_t len);
 // EVP_PKEY_kem_new_raw_key generates a new EVP_PKEY object of type
 // EVP_PKEY_KEM, initializes the KEM key based on |nid| and populates the
@@ -992,15 +996,20 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_pqdsa_set_params(EVP_PKEY_CTX *ctx, int nid);
 // EVP_PKEY_PQDSA, initializes the PQDSA key based on |nid| and populates the
 // public key part of the PQDSA key with the contents of |in|. It returns the
 // pointer to the allocated PKEY on sucess and NULL on error.
-OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_pqdsa_new_raw_public_key(int nid, const uint8_t *in, size_t len);
+OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_pqdsa_new_raw_public_key(int nid,
+ const uint8_t *in,
+ size_t len);
 // EVP_PKEY_pqdsa_new_raw_private_key generates a new EVP_PKEY object of type
 // EVP_PKEY_PQDSA, initializes the PQDSA key based on |nid| and populates the
 // secret key part of the PQDSA key with the contents of |in|. If the contents
 // of |in| is the private key seed, then this function will generate the
-// corresponding key pair and populate both public and private parts of the PKEY.
-// It returns the pointer to the allocated PKEY on sucess and NULL on error.
-OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_pqdsa_new_raw_private_key(int nid, const uint8_t *in, size_t len);
+// corresponding key pair and populate both public and private parts of the
+// PKEY. It returns the pointer to the allocated PKEY on sucess and NULL on
+// error.
+OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_pqdsa_new_raw_private_key(int nid,
+ const uint8_t *in,
+ size_t len);
 // Diffie-Hellman-specific control functions.
@@ -1134,7 +1143,7 @@ OPENSSL_EXPORT void EVP_MD_do_all(void (*callback)(const EVP_MD *cipher,
 const char *name,
 const char *unused,
 void *arg),
- void *arg);
+ void *arg);
 // i2d_PrivateKey marshals a private key from |key| to type-specific format, as
@@ -1292,9 +1301,9 @@ OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY(EC_KEY **out, const uint8_t **inp,
 // EVP_PKEY_assign sets the underlying key of |pkey| to |key|, which must be of
 // the given type. If successful, it returns one. If the |type| argument
 // is one of |EVP_PKEY_RSA|, |EVP_PKEY_DSA|, or |EVP_PKEY_EC| values it calls
-// the corresponding |EVP_PKEY_assign_*| functions (which should be used instead).
-// Otherwise, if |type| cannot be set via |EVP_PKEY_set_type| or if the key
-// is NULL, it returns zero.
+// the corresponding |EVP_PKEY_assign_*| functions (which should be used
+// instead). Otherwise, if |type| cannot be set via |EVP_PKEY_set_type| or if
+// the key is NULL, it returns zero.
 OPENSSL_EXPORT int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key);
 // EVP_PKEY_type returns |nid|.
@@ -1362,7 +1371,8 @@ OPENSSL_EXPORT OPENSSL_DEPRECATED int EVP_PKEY_CTX_set_dsa_paramgen_bits(
 // EVP_PKEY_CTX_set_dsa_paramgen_md sets the digest function used for DSA
 // parameter generation. If not specified, one of SHA-1 (160), SHA-224 (224),
 // or SHA-256 (256) is selected based on the number of bits in |q|.
-OPENSSL_EXPORT OPENSSL_DEPRECATED int EVP_PKEY_CTX_set_dsa_paramgen_md(EVP_PKEY_CTX *ctx, const EVP_MD* md);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int EVP_PKEY_CTX_set_dsa_paramgen_md(
+ EVP_PKEY_CTX *ctx, const EVP_MD *md);
 // EVP_PKEY_CTX_set_dsa_paramgen_q_bits sets the number of bits in q to use for
 // DSA parameter generation. If not specified, the default is 256. If a digest
@@ -1386,8 +1396,9 @@ OPENSSL_EXPORT OPENSSL_DEPRECATED int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(
 // |value| is the value to set.
 //
 // It returns 1 for success and 0 or a negative value for failure.
-OPENSSL_EXPORT OPENSSL_DEPRECATED int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
- const char *value);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx,
+ const char *type,
+ const char *value);
 // Preprocessor compatibility section (hidden).
diff --git a/include/openssl/experimental/kem_deterministic_api.h b/include/openssl/experimental/kem_deterministic_api.h
index 018c3c9918..f4b0530951 100644
--- a/include/openssl/experimental/kem_deterministic_api.h
+++ b/include/openssl/experimental/kem_deterministic_api.h
@@ -28,10 +28,10 @@ extern "C" {
 // is non-NULL, it overwrites |*out_pkey| with the resulting key. Otherwise, it
 // sets |*out_pkey| to a newly-allocated |EVP_PKEY| containing the result.
 // It returns one on success or zero on error.
-OPENSSL_EXPORT int EVP_PKEY_keygen_deterministic(EVP_PKEY_CTX *ctx /* IN */,
+OPENSSL_EXPORT int EVP_PKEY_keygen_deterministic(EVP_PKEY_CTX *ctx /* IN */,
 EVP_PKEY **out_pkey /* OUT */,
 const uint8_t *seed /* IN */,
- size_t *seed_len /* IN */);
+ size_t *seed_len /* IN */);
 // EVP_PKEY_encapsulate_deterministic is an operation defined for a KEM (Key
 // Encapsulation Mechanism). The function performs the same encapsulation
@@ -53,13 +53,11 @@ OPENSSL_EXPORT int EVP_PKEY_keygen_deterministic(EVP_PKEY_CTX *ctx /* IN */,
 // seed is not required.
 //
 // It returns one on success or zero on error.
-OPENSSL_EXPORT int EVP_PKEY_encapsulate_deterministic(EVP_PKEY_CTX *ctx /* IN */,
- uint8_t *ciphertext /* OUT */,
- size_t *ciphertext_len /* OUT */,
- uint8_t *shared_secret /* OUT */,
- size_t *shared_secret_len /* OUT */,
- const uint8_t *seed /* IN */,
- size_t *seed_len /* IN */);
+OPENSSL_EXPORT int EVP_PKEY_encapsulate_deterministic(
+ EVP_PKEY_CTX *ctx /* IN */, uint8_t *ciphertext /* OUT */,
+ size_t *ciphertext_len /* OUT */, uint8_t *shared_secret /* OUT */,
+ size_t *shared_secret_len /* OUT */, const uint8_t *seed /* IN */,
+ size_t *seed_len /* IN */);
 #if defined(__cplusplus)
diff --git a/include/openssl/hmac.h b/include/openssl/hmac.h
index 0f791bffc0..d5468c8703 100644
--- a/include/openssl/hmac.h
+++ b/include/openssl/hmac.h
@@ -60,8 +60,8 @@
 #include
 #include
-#include
 #include
+#include
 #if defined(__cplusplus)
 extern "C" {
@@ -157,17 +157,23 @@ OPENSSL_EXPORT void HMAC_CTX_reset(HMAC_CTX *ctx);
 #define HMAC_MD5_PRECOMPUTED_KEY_SIZE 32
 // HMAC_SHA1_PRECOMPUTED_KEY_SIZE is the precomputed key size for SHA1, in bytes
 #define HMAC_SHA1_PRECOMPUTED_KEY_SIZE 40
-// HMAC_SHA224_PRECOMPUTED_KEY_SIZE is the precomputed key size for SHA224, in bytes
+// HMAC_SHA224_PRECOMPUTED_KEY_SIZE is the precomputed key size for SHA224, in
+// bytes
 #define HMAC_SHA224_PRECOMPUTED_KEY_SIZE 64
-// HMAC_SHA256_PRECOMPUTED_KEY_SIZE is the precomputed key size for SHA256, in bytes
+// HMAC_SHA256_PRECOMPUTED_KEY_SIZE is the precomputed key size for SHA256, in
+// bytes
 #define HMAC_SHA256_PRECOMPUTED_KEY_SIZE 64
-// HMAC_SHA384_PRECOMPUTED_KEY_SIZE is the precomputed key size for SHA384, in bytes
+// HMAC_SHA384_PRECOMPUTED_KEY_SIZE is the precomputed key size for SHA384, in
+// bytes
 #define HMAC_SHA384_PRECOMPUTED_KEY_SIZE 128
-// HMAC_SHA512_PRECOMPUTED_KEY_SIZE is the precomputed key size for SHA512, in bytes
+// HMAC_SHA512_PRECOMPUTED_KEY_SIZE is the precomputed key size for SHA512, in
+// bytes
 #define HMAC_SHA512_PRECOMPUTED_KEY_SIZE 128
-// HMAC_SHA512_224_PRECOMPUTED_KEY_SIZE is the precomputed key size for SHA512_224, in bytes
+// HMAC_SHA512_224_PRECOMPUTED_KEY_SIZE is the precomputed key size for
+// SHA512_224, in bytes
 #define HMAC_SHA512_224_PRECOMPUTED_KEY_SIZE 128
-// HMAC_SHA512_256_PRECOMPUTED_KEY_SIZE is the precomputed key size for SHA512_256, in bytes
+// HMAC_SHA512_256_PRECOMPUTED_KEY_SIZE is the precomputed key size for
+// SHA512_256, in bytes
 #define HMAC_SHA512_256_PRECOMPUTED_KEY_SIZE 128
 // HMAC_MAX_PRECOMPUTED_KEY_SIZE is the largest precomputed key size, in bytes.
@@ -216,7 +222,7 @@ OPENSSL_EXPORT int HMAC_set_precomputed_key_export(HMAC_CTX *ctx);
 // precomputed key instead of the key reduces by 2 the number of hash
 // compression function calls (or more if key is larger than the block length)
 OPENSSL_EXPORT int HMAC_get_precomputed_key(HMAC_CTX *ctx, uint8_t *out,
- size_t *out_len);
+ size_t *out_len);
 // HMAC_Init_from_precomputed_key sets up an initialised |HMAC_CTX| to use
 // |md| as the hash function and |precomputed_key| as the precomputed key
@@ -229,11 +235,11 @@ OPENSSL_EXPORT int HMAC_get_precomputed_key(HMAC_CTX *ctx, uint8_t *out,
 //
 // Note: Contrary to input keys to |HMAC_Init_ex|, which can be the empty key,
 // an input precomputed key cannot be empty in an initial call to
-// |HMAC_Init_from_precomputed_key|. Otherwise, the call fails and returns zero.
-OPENSSL_EXPORT int HMAC_Init_from_precomputed_key(HMAC_CTX *ctx,
- const uint8_t *precomputed_key,
- size_t precompute_key_len,
- const EVP_MD *md);
+// |HMAC_Init_from_precomputed_key|. Otherwise, the call fails and returns
+// zero.
+OPENSSL_EXPORT int HMAC_Init_from_precomputed_key(
+ HMAC_CTX *ctx, const uint8_t *precomputed_key, size_t precompute_key_len,
+ const EVP_MD *md);
 // Deprecated functions.
@@ -250,7 +256,8 @@ OPENSSL_EXPORT int HMAC_CTX_copy(HMAC_CTX *dest, const HMAC_CTX *src);
 // Private functions
 typedef struct hmac_methods_st HmacMethods;
-// We use a union to ensure that enough space is allocated and never actually bother with the named members.
+// We use a union to ensure that enough space is allocated and never actually
+// bother with the named members.
 union md_ctx_union {
 MD5_CTX md5;
 SHA_CTX sha1;
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
index 892c20fb3c..b0acb1ada0 100644
--- a/include/openssl/kdf.h
+++ b/include/openssl/kdf.h
@@ -25,12 +25,12 @@ extern "C" {
 // and writes them to |out|. It returns one on success and zero on error.
 // TLS 1.2: https://datatracker.ietf.org/doc/html/rfc5246#section-5
 // TLS 1.{0,1}: https://datatracker.ietf.org/doc/html/rfc4346#section-5
-OPENSSL_EXPORT int CRYPTO_tls1_prf(const EVP_MD *digest,
- uint8_t *out, size_t out_len,
- const uint8_t *secret, size_t secret_len,
- const char *label, size_t label_len,
- const uint8_t *seed1, size_t seed1_len,
- const uint8_t *seed2, size_t seed2_len);
+OPENSSL_EXPORT int CRYPTO_tls1_prf(const EVP_MD *digest, uint8_t *out,
+ size_t out_len, const uint8_t *secret,
+ size_t secret_len, const char *label,
+ size_t label_len, const uint8_t *seed1,
+ size_t seed1_len, const uint8_t *seed2,
+ size_t seed2_len);
 // SSKDF_digest computes the One-step key derivation using the
 // provided digest algorithm as the backing PRF. This algorithm
@@ -52,9 +52,9 @@ OPENSSL_EXPORT int CRYPTO_tls1_prf(const EVP_MD *digest,
 //
 // Specification is available at https://doi.org/10.6028/NIST.SP.800-56Cr2
 OPENSSL_EXPORT int SSKDF_digest(uint8_t *out_key, size_t out_len,
- const EVP_MD *digest,
- const uint8_t *secret, size_t secret_len,
- const uint8_t *info, size_t info_len);
+ const EVP_MD *digest, const uint8_t *secret,
+ size_t secret_len, const uint8_t *info,
+ size_t info_len);
 // SSKDF_hmac computes the One-step key derivation using the
 // provided digest algorithm with HMAC as the backing PRF. This algorithm
@@ -80,10 +80,10 @@ OPENSSL_EXPORT int SSKDF_digest(uint8_t *out_key, size_t out_len, // is equal to the length of the specified |digest| input block length in // bytes. OPENSSL_EXPORT int SSKDF_hmac(uint8_t *out_key, size_t out_len, - const EVP_MD *digest, - const uint8_t *secret, size_t secret_len, - const uint8_t *info, size_t info_len, - const uint8_t *salt, size_t salt_len); + const EVP_MD *digest, const uint8_t *secret, + size_t secret_len, const uint8_t *info, + size_t info_len, const uint8_t *salt, + size_t salt_len); // KBKDF_ctr_hmac derives keying material using the KDF counter mode algorithm, // using the provided key derivation key |secret| and fixed info |info|. diff --git a/include/openssl/lhash.h b/include/openssl/lhash.h index 9ff22baa17..84b89e89b2 100644 --- a/include/openssl/lhash.h +++ b/include/openssl/lhash.h @@ -80,10 +80,11 @@ OPENSSL_EXPORT void lh_doall_arg(_LHASH *lh, void (*func)(void *, void *), // These two macros are the bare minimum of |LHASH| macros downstream consumers // use. #define IMPLEMENT_LHASH_DOALL_ARG_FN(name, o_type, a_type) \ - void name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \ - o_type *a = arg1; \ - a_type *b = arg2; \ - name##_doall_arg(a, b); } + void name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \ + o_type *a = arg1; \ + a_type *b = arg2; \ + name##_doall_arg(a, b); \ + } #define LHASH_DOALL_ARG_FN(name) name##_LHASH_DOALL_ARG diff --git a/include/openssl/mem.h b/include/openssl/mem.h index d306758a99..3da79b19f7 100644 --- a/include/openssl/mem.h +++ b/include/openssl/mem.h @@ -59,8 +59,8 @@ #include -#include #include +#include #if defined(__cplusplus) extern "C" { 
@@ -97,7 +97,7 @@ OPENSSL_EXPORT void *OPENSSL_calloc(size_t num, size_t size); // allocated with |OPENSSL_malloc| and must be freed with |OPENSSL_free|. // If |ptr| is null |OPENSSL_malloc| is called instead. OPENSSL_EXPORT void *OPENSSL_realloc(void *ptr, size_t new_size); -#endif // !_BORINGSSL_PROHIBIT_OPENSSL_MALLOC +#endif // !_BORINGSSL_PROHIBIT_OPENSSL_MALLOC // OPENSSL_free does nothing if |ptr| is NULL. Otherwise it zeros out the // memory allocated at |ptr| and frees it along with the private data. @@ -174,7 +174,7 @@ OPENSSL_EXPORT int OPENSSL_strncasecmp(const char *a, const char *b, size_t n); // DECIMAL_SIZE returns an upper bound for the length of the decimal // representation of the given type. -#define DECIMAL_SIZE(type) ((sizeof(type)*8+2)/3+1) +#define DECIMAL_SIZE(type) ((sizeof(type) * 8 + 2) / 3 + 1) // BIO_snprintf has the same behavior as snprintf(3). OPENSSL_EXPORT int BIO_snprintf(char *buf, size_t n, const char *format, ...) 
@@ -230,28 +230,35 @@ OPENSSL_EXPORT void CRYPTO_free(void *ptr, const char *file, int line); // allocations on free, but we define |OPENSSL_clear_free| for compatibility. OPENSSL_EXPORT void OPENSSL_clear_free(void *ptr, size_t len); -// CRYPTO_set_mem_functions is used to override the implementation of |OPENSSL_malloc/free/realloc|. +// CRYPTO_set_mem_functions is used to override the implementation of +// |OPENSSL_malloc/free/realloc|. // -// |OPENSSL_malloc/free/realloc| can be customized by implementing |OPENSSL_memory_alloc/free/realloc| or calling -// CRYPTO_set_mem_functions. If |OPENSSL_memory_alloc/free/realloc| is defined CRYPTO_set_mem_functions will fail. -// All of the warnings for |OPENSSL_malloc/free/realloc| apply to CRYPTO_set_mem_functions: -// -- https://github.com/aws/aws-lc/blame/d164f5762b1ad5d4f2d1561fb85daa556fdff5ef/crypto/mem.c#L111-L127 +// |OPENSSL_malloc/free/realloc| can be customized by implementing +// |OPENSSL_memory_alloc/free/realloc| or calling CRYPTO_set_mem_functions. If +// |OPENSSL_memory_alloc/free/realloc| is defined CRYPTO_set_mem_functions will +// fail. All of the warnings for |OPENSSL_malloc/free/realloc| apply to +// CRYPTO_set_mem_functions: +// -- +// https://github.com/aws/aws-lc/blame/d164f5762b1ad5d4f2d1561fb85daa556fdff5ef/crypto/mem.c#L111-L127 // This function is only recommended for debug purpose(e.g. track mem usage). -// AWS-LC differs from OpenSSL's CRYPTO_set_mem_functions in that __FILE__ and __LINE__ are not supplied. +// AWS-LC differs from OpenSSL's CRYPTO_set_mem_functions in that __FILE__ and +// __LINE__ are not supplied. // // It returns one on success and zero otherwise. 
OPENSSL_EXPORT int CRYPTO_set_mem_functions( - void *(*m)(size_t, const char *, int), - void *(*r)(void *, size_t, const char *, int), - void (*f)(void *, const char *, int)); - -// OPENSSL supports the concept of secure heaps to help protect applications from pointer overruns or underruns that -// could return arbitrary data from the program's dynamic memory area where sensitive information may be stored. -// AWS-LC does not support secure heaps. The initialization functions intentionally return zero to indicate that secure -// heaps aren't supported. We return the regular malloc and zalloc versions when the secure_* counterparts are called, -// which is what OPENSSL does when secure heap is not enabled. -// If there is any interest in utilizing "secure heaps" with AWS-LC, cut us an issue at -// https://github.com/aws/aws-lc/issues/new/choose + void *(*m)(size_t, const char *, int), + void *(*r)(void *, size_t, const char *, int), + void (*f)(void *, const char *, int)); + +// OPENSSL supports the concept of secure heaps to help protect applications +// from pointer overruns or underruns that could return arbitrary data from the +// program's dynamic memory area where sensitive information may be stored. +// AWS-LC does not support secure heaps. The initialization functions +// intentionally return zero to indicate that secure heaps aren't supported. We +// return the regular malloc and zalloc versions when the secure_* counterparts +// are called, which is what OPENSSL does when secure heap is not enabled. If +// there is any interest in utilizing "secure heaps" with AWS-LC, cut us an +// issue at https://github.com/aws/aws-lc/issues/new/choose // CRYPTO_secure_malloc_init returns zero. OPENSSL_EXPORT int CRYPTO_secure_malloc_init(size_t size, size_t min_size); diff --git a/include/openssl/objects.h b/include/openssl/objects.h index 5ebfa26f20..55fd509281 100644 --- a/include/openssl/objects.h +++ b/include/openssl/objects.h 
@@ -15,5 +15,5 @@ /* This header is provided in order to make compiling against code that expects OpenSSL easier. */ -#include "obj.h" #include "asn1.h" +#include "obj.h" diff --git a/include/openssl/poly1305.h b/include/openssl/poly1305.h index a38ef21788..30b92213a2 100644 --- a/include/openssl/poly1305.h +++ b/include/openssl/poly1305.h @@ -17,7 +17,7 @@ #include -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif diff --git a/include/openssl/pool.h b/include/openssl/pool.h index c61a4babff..aec4c3c8d5 100644 --- a/include/openssl/pool.h +++ b/include/openssl/pool.h @@ -35,7 +35,7 @@ DEFINE_STACK_OF(CRYPTO_BUFFER) // CRYPTO_BUFFER_POOL_new returns a freshly allocated |CRYPTO_BUFFER_POOL| or // NULL on error. -OPENSSL_EXPORT CRYPTO_BUFFER_POOL* CRYPTO_BUFFER_POOL_new(void); +OPENSSL_EXPORT CRYPTO_BUFFER_POOL *CRYPTO_BUFFER_POOL_new(void); // CRYPTO_BUFFER_POOL_free frees |pool|, which must be empty. OPENSSL_EXPORT void CRYPTO_BUFFER_POOL_free(CRYPTO_BUFFER_POOL *pool); diff --git a/include/openssl/ripemd.h b/include/openssl/ripemd.h index 47d69ee2a6..54a6cba275 100644 --- a/include/openssl/ripemd.h +++ b/include/openssl/ripemd.h @@ -59,14 +59,14 @@ #include -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif -# define RIPEMD160_CBLOCK 64 -# define RIPEMD160_LBLOCK (RIPEMD160_CBLOCK/4) -# define RIPEMD160_DIGEST_LENGTH 20 +#define RIPEMD160_CBLOCK 64 +#define RIPEMD160_LBLOCK (RIPEMD160_CBLOCK / 4) +#define RIPEMD160_DIGEST_LENGTH 20 struct RIPEMD160state_st { uint32_t h[5]; @@ -80,7 +80,7 @@ OPENSSL_EXPORT int RIPEMD160_Init(RIPEMD160_CTX *ctx); // RIPEMD160_Update adds |len| bytes from |data| to |ctx| and returns one. OPENSSL_EXPORT int RIPEMD160_Update(RIPEMD160_CTX *ctx, const void *data, - size_t len); + size_t len); // RIPEMD160_Final adds the final padding to |ctx| and writes the resulting // digest to |out|, which must have at least |RIPEMD160_DIGEST_LENGTH| bytes of 
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h index f684987070..6863ed7499 100644 --- a/include/openssl/rsa.h +++ b/include/openssl/rsa.h @@ -59,7 +59,8 @@ #include #include -// OpenSSL includes BN in this header: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/include/openssl/rsa.h#L21 +// OpenSSL includes BN in this header: +// https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/include/openssl/rsa.h#L21 #include #include 
@@ -243,49 +244,45 @@ OPENSSL_EXPORT void RSA_meth_free(RSA_METHOD *meth); // RSA_meth_set_init sets |init| on |meth|. |init| should return one on // success and zero on failure. -OPENSSL_EXPORT int RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa)); +OPENSSL_EXPORT int RSA_meth_set_init(RSA_METHOD *meth, int (*init)(RSA *rsa)); // RSA_meth_set_finish sets |finish| on |meth|. The |finish| function // is called in |RSA_free| before freeing the key. |finish| should return // one on success and zero on failure. OPENSSL_EXPORT int RSA_meth_set_finish(RSA_METHOD *meth, - int (*finish) (RSA *rsa)); + int (*finish)(RSA *rsa)); // RSA_meth_set_priv_dec sets |priv_dec| on |meth|. |priv_dec| should decrypt // |max_out| bytes at |from| using the private key |rsa| and store the plaintext // in |to|. |priv_dec| should return the size of the recovered plaintext or a // negative number on error. -OPENSSL_EXPORT int RSA_meth_set_priv_dec(RSA_METHOD *meth, - int (*priv_dec) (int max_out, const uint8_t *from, - uint8_t *to, RSA *rsa, - int padding)); +OPENSSL_EXPORT int RSA_meth_set_priv_dec( + RSA_METHOD *meth, int (*priv_dec)(int max_out, const uint8_t *from, + uint8_t *to, RSA *rsa, int padding)); // RSA_meth_set_priv_enc sets |priv_enc| on |meth|. |priv_enc| should sign // |max_out| bytes at |from| using the private key |rsa| and store the // signature in |to|. |priv_enc| should return the size of the signature or a // negative number for error. -OPENSSL_EXPORT int RSA_meth_set_priv_enc(RSA_METHOD *meth, - int (*priv_enc) (int max_out, const uint8_t *from, - uint8_t *to, RSA *rsa, - int padding)); +OPENSSL_EXPORT int RSA_meth_set_priv_enc( + RSA_METHOD *meth, int (*priv_enc)(int max_out, const uint8_t *from, + uint8_t *to, RSA *rsa, int padding)); // RSA_meth_set_pub_dec sets |pub_dec| on |meth|. |pub_dec| should recover the // |max_out| bytes of the message digest at |from| using the signer's public // key |rsa| and store it in |to|. 
|pub_dec| should return the size of the // recovered message digest or a negative number on error. -OPENSSL_EXPORT int RSA_meth_set_pub_dec(RSA_METHOD *meth, - int (*pub_dec) (int max_out, const uint8_t *from, - uint8_t *to, RSA *rsa, - int padding)); +OPENSSL_EXPORT int RSA_meth_set_pub_dec( + RSA_METHOD *meth, int (*pub_dec)(int max_out, const uint8_t *from, + uint8_t *to, RSA *rsa, int padding)); // RSA_meth_set_pub_enc sets |pub_enc| on |meth|. |pub_enc| should encrypt // |max_out| bytes at |from| using the public key |rsa| and stores the // ciphertext in |to|. |pub_enc| should return the size of the encrypted data // or a negative number on error. -OPENSSL_EXPORT int RSA_meth_set_pub_enc(RSA_METHOD *meth, - int (*pub_enc) (int max_out, const uint8_t *from, - uint8_t *to, RSA *rsa, - int padding)); +OPENSSL_EXPORT int RSA_meth_set_pub_enc( + RSA_METHOD *meth, int (*pub_enc)(int max_out, const uint8_t *from, + uint8_t *to, RSA *rsa, int padding)); // RSA_meth_set0_app_data sets |app_data| on |meth|. Although set0 functions // generally take ownership in AWS-LC, to maintain OpenSSL compatibility, @@ -296,12 +293,10 @@ OPENSSL_EXPORT int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data); // RSA_meth_set_sign sets |sign| on |meth|. The function |sign| should return // one on success and zero on failure. -OPENSSL_EXPORT int RSA_meth_set_sign(RSA_METHOD *meth, - int (*sign) (int type, - const unsigned char *m, - unsigned int m_length, - unsigned char *sigret, - unsigned int *siglen, const RSA *rsa)); +OPENSSL_EXPORT int RSA_meth_set_sign( + RSA_METHOD *meth, + int (*sign)(int type, const unsigned char *m, unsigned int m_length, + unsigned char *sigret, unsigned int *siglen, const RSA *rsa)); // Key generation. 
@@ -607,7 +602,7 @@ OPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa); // is available on the error queue. OPENSSL_EXPORT int RSA_check_key(const RSA *rsa); -// RSA_check_fips performs two FIPS related checks in addition to basic +// RSA_check_fips performs two FIPS related checks in addition to basic // validity tests from RSA_check_key: // - partial public key validation (SP 800-89), // - pair-wise consistency test. @@ -619,9 +614,9 @@ OPENSSL_EXPORT int RSA_check_fips(RSA *key); // |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to // exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the // hash function for generating the mask. If NULL, |Hash| is used. The |sLen| -// argument specifies the expected salt length in bytes. If |sLen| is RSA_PSS_SALTLEN_DIGEST then -// the salt length is the same as the hash length. If -2, then the salt length -// is recovered and all values accepted. +// argument specifies the expected salt length in bytes. If |sLen| is +// RSA_PSS_SALTLEN_DIGEST then the salt length is the same as the hash length. +// If -2, then the salt length is recovered and all values accepted. // // If unsure, use RSA_PSS_SALTLEN_DIGEST. // @@ -641,7 +636,8 @@ OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, // function for generating the mask. If NULL, |Hash| is used. The |sLen| // argument specifies the expected salt length in bytes. // If |sLen| is RSA_PSS_SALTLEN_DIGEST then the salt length is the same as -// the hash length. If -2, then the salt length is maximal given the space in |EM|. +// the hash length. If -2, then the salt length is maximal given the space in +// |EM|. // // It returns one on success or zero on error. // 
@@ -670,7 +666,9 @@ OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP_mgf1(
 //
 // It returns one on success and zero on error.
 OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS1_MGF1(uint8_t *out, size_t len,
- const uint8_t *seed, size_t seed_len, const EVP_MD *md);
+ const uint8_t *seed,
+ size_t seed_len,
+ const EVP_MD *md);
 
 // RSA_add_pkcs1_prefix builds a version of |digest| prefixed with the
 // DigestInfo header for the given hash function and sets |out_msg| to point to
@@ -825,7 +823,7 @@ OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *rsa, int idx);
 // |r|. This macro is added in for OpenSSL compatibility. To avoid exposing
 // internals, we ignore the |f| parameter. The |r| parameter is passed into
 // |OPENSSL_PUT_ERROR|.
-#define RSAerr(f,r) OPENSSL_PUT_ERROR(RSA, r);
+#define RSAerr(f, r) OPENSSL_PUT_ERROR(RSA, r);
 
 // RSA_flags returns the flags for |rsa|. These are a bitwise OR of |RSA_FLAG_*|
 // constants.
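Review bot: The RSAerr macro on the new side still ends with a semicolon, so a call written the OpenSSL way, `RSAerr(f, r);`, expands to two statements and an `if (cond) RSAerr(f, r); else ...` in compatibility code fails to compile. Drop the trailing semicolon: `#define RSAerr(f, r) OPENSSL_PUT_ERROR(RSA, r)`. This predates the reformat, so it may belong in a follow-up rather than in this formatting-only commit.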
@@ -842,15 +840,18 @@ OPENSSL_EXPORT int RSA_test_flags(const RSA *rsa, int flags); // RSA_blinding_on returns one in case blinding is on, otherwise 0. OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); -// RSA_blinding_off_temp_for_accp_compatibility sets |rsa|'s RSA_FLAG_NO_BLINDING. +// RSA_blinding_off_temp_for_accp_compatibility sets |rsa|'s +// RSA_FLAG_NO_BLINDING. // // Private keys missing |e| are often used by the JCA. In order to use such keys -// for signing/decryption, one can use RSA_blinding_off_temp_for_accp_compatibility -// to disable blinding. In general, we strongly advise against disabling blinding. -// This method is temporarily provided to support ACCP. It will be replaced -// by a method that would allow creating an RSA private key from a modulus and -// a private exponent having blinding disabled. -OPENSSL_EXPORT OPENSSL_DEPRECATED void RSA_blinding_off_temp_for_accp_compatibility(RSA *rsa); +// for signing/decryption, one can use +// RSA_blinding_off_temp_for_accp_compatibility to disable blinding. In general, +// we strongly advise against disabling blinding. This method is temporarily +// provided to support ACCP. It will be replaced by a method that would allow +// creating an RSA private key from a modulus and a private exponent having +// blinding disabled. +OPENSSL_EXPORT OPENSSL_DEPRECATED void +RSA_blinding_off_temp_for_accp_compatibility(RSA *rsa); // RSA_pkey_ctx_ctrl is a vestigial OpenSSL function that has been obsoleted by // the EVP interface. External callers should not use this. Internal callers 
@@ -859,7 +860,8 @@ OPENSSL_EXPORT OPENSSL_DEPRECATED void RSA_blinding_off_temp_for_accp_compatibil // This function directly calls |EVP_PKEY_CTX_ctrl| with some guards around the // key's type. The key type must either be RSA or RSA-PSS, otherwise -1 is // returned. -OPENSSL_EXPORT OPENSSL_DEPRECATED int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, +OPENSSL_EXPORT OPENSSL_DEPRECATED int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, + int optype, int cmd, int p1, void *p2); // RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you diff --git a/include/openssl/service_indicator.h b/include/openssl/service_indicator.h index 5f8f61180f..7ec9767f85 100644 --- a/include/openssl/service_indicator.h +++ b/include/openssl/service_indicator.h @@ -28,19 +28,16 @@ extern "C" { OPENSSL_EXPORT uint64_t FIPS_service_indicator_before_call(void); OPENSSL_EXPORT uint64_t FIPS_service_indicator_after_call(void); -OPENSSL_EXPORT const char* awslc_version_string(void); +OPENSSL_EXPORT const char *awslc_version_string(void); -enum FIPSStatus { - AWSLC_NOT_APPROVED = 0, - AWSLC_APPROVED = 1 -}; +enum FIPSStatus { AWSLC_NOT_APPROVED = 0, AWSLC_APPROVED = 1 }; #if defined(AWSLC_FIPS) #define AWSLC_MODE_STRING "AWS-LC FIPS " -// CALL_SERVICE_AND_CHECK_APPROVED performs an approval check and runs the service. -// The |approved| value passed in will change to |AWSLC_APPROVED| and +// CALL_SERVICE_AND_CHECK_APPROVED performs an approval check and runs the +// service. The |approved| value passed in will change to |AWSLC_APPROVED| and // |AWSLC_NOT_APPROVED| accordingly to the approved state of the service ran. // It is highly recommended that users of the service indicator use this macro // when interacting with the service indicator. 
@@ -49,18 +46,17 @@ enum FIPSStatus {
 // long-running applications that use the release build of AWS-LC. Debug builds
 // use an assert before + 1 == after to ensure in testing the service indicator
 // is operating as expected.
-#define CALL_SERVICE_AND_CHECK_APPROVED(approved, func) \
- do { \
- (approved) = AWSLC_NOT_APPROVED; \
- int before = FIPS_service_indicator_before_call(); \
- func; \
- int after = FIPS_service_indicator_after_call(); \
- if (before != after) { \
- assert(before + 1 == after); \
- (approved) = AWSLC_APPROVED; \
- } \
- } \
- while(0) \
+#define CALL_SERVICE_AND_CHECK_APPROVED(approved, func) \
+ do { \
+ (approved) = AWSLC_NOT_APPROVED; \
+ int before = FIPS_service_indicator_before_call(); \
+ func; \
+ int after = FIPS_service_indicator_after_call(); \
+ if (before != after) { \
+ assert(before + 1 == after); \
+ (approved) = AWSLC_APPROVED; \
+ } \
+ } while (0)
 
 #else
 
@@ -69,14 +65,13 @@ enum FIPSStatus {
 // CALL_SERVICE_AND_CHECK_APPROVED always returns |AWSLC_APPROVED| when AWS-LC
 // is not built in FIPS mode for easier consumer compatibility that have both
 // FIPS and non-FIPS libraries.
-#define CALL_SERVICE_AND_CHECK_APPROVED(approved, func) \
- do { \
- (approved) = AWSLC_APPROVED; \
- func; \
- } \
- while(0) \
-
-#endif // AWSLC_FIPS
+#define CALL_SERVICE_AND_CHECK_APPROVED(approved, func) \
+ do { \
+ (approved) = AWSLC_APPROVED; \
+ func; \
+ } while (0)
+
+#endif // AWSLC_FIPS
 
 #define AWSLC_VERSION_STRING AWSLC_MODE_STRING AWSLC_VERSION_NUMBER_STRING
 
diff --git a/include/openssl/sshkdf.h b/include/openssl/sshkdf.h
index 42c6ece4f0..69ff362b6a 100644
--- a/include/openssl/sshkdf.h
+++ b/include/openssl/sshkdf.h
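Review bot: In the FIPS-mode CALL_SERVICE_AND_CHECK_APPROVED body the counters are declared `int`, while FIPS_service_indicator_before_call and FIPS_service_indicator_after_call are declared in the preceding hunk as returning uint64_t, so the values are silently narrowed and `before + 1` becomes signed arithmetic that can overflow once the counter passes INT_MAX in a long-running process. Declare them with the returned type: `uint64_t before = FIPS_service_indicator_before_call();` and `uint64_t after = FIPS_service_indicator_after_call();`. This predates the reformat, so a follow-up change is probably the right place for it.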
@@ -26,12 +26,12 @@ extern "C" { // The following defines are the valid |type| values for SSHKDF(). -#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 -#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 +#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 +#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI 68 -#define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69 -#define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70 +#define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69 +#define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70 // SSHKDF is a key derivation function used in the SSH Transport Layer Protocol // defined in Section 7.2 of RFC 4253. It calculates a derived key |out| of @@ -42,12 +42,11 @@ extern "C" { // |xcghash| is produced during the SSH Diffie-Hellman exchange. // // SSHKDF is only FIPS 140-3 Approved for use in SSH. -OPENSSL_EXPORT int SSHKDF(const EVP_MD *evp_md, - const uint8_t *key, size_t key_len, - const uint8_t *xcghash, size_t xcghash_len, - const uint8_t *session_id, size_t session_id_len, - char type, - uint8_t *out, size_t out_len); +OPENSSL_EXPORT int SSHKDF(const EVP_MD *evp_md, const uint8_t *key, + size_t key_len, const uint8_t *xcghash, + size_t xcghash_len, const uint8_t *session_id, + size_t session_id_len, char type, uint8_t *out, + size_t out_len); #if defined(__cplusplus) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index e2659a1b2c..c12058a461 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h 
@@ -392,10 +392,10 @@ OPENSSL_EXPORT int SSL_pending(const SSL *ssl); // been decrypted. If |ssl| has neither, this function returns zero. // // If read-ahead has been enabled with |SSL_CTX_set_read_ahead| or -// |SSL_set_read_ahead|, the behavior of |SSL_pending| will change, it may return -// 1 and a call to |SSL_read| to return no data. This can happen when a partial -// record has been read but can not be decrypted without more data from the read -// BIO. +// |SSL_set_read_ahead|, the behavior of |SSL_pending| will change, it may +// return 1 and a call to |SSL_read| to return no data. This can happen when a +// partial record has been read but can not be decrypted without more data from +// the read BIO. // // In DTLS, it is possible for this function to return one while |SSL_pending| // returns zero. For example, |SSL_read| may read a datagram with two records, 
@@ -1462,11 +1462,13 @@ DEFINE_CONST_STACK_OF(SSL_CIPHER) // https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4. OPENSSL_EXPORT const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value); -// SSL_CIPHER_find returns a SSL_CIPHER structure which has the cipher ID stored in ptr or -// NULL if unknown. The ptr parameter is a two element array of char, which stores the -// two-byte TLS cipher ID (as allocated by IANA) in network byte order. SSL_CIPHER_find re-casts -// |ptr| to uint16_t and calls |SSL_get_cipher_by_value| to get the SSL_CIPHER structure. -OPENSSL_EXPORT const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr); +// SSL_CIPHER_find returns a SSL_CIPHER structure which has the cipher ID stored +// in ptr or NULL if unknown. The ptr parameter is a two element array of char, +// which stores the two-byte TLS cipher ID (as allocated by IANA) in network +// byte order. SSL_CIPHER_find re-casts |ptr| to uint16_t and calls +// |SSL_get_cipher_by_value| to get the SSL_CIPHER structure. +OPENSSL_EXPORT const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, + const unsigned char *ptr); // SSL_CIPHER_get_id returns |cipher|'s non-IANA id. This is not its // IANA-assigned number, which is called the "value" here, although it may be @@ -1672,8 +1674,8 @@ OPENSSL_EXPORT size_t SSL_get_all_standard_cipher_names(const char **out, // opcode-less. Inside an equal-preference group, spaces are not allowed. // // Note: TLS 1.3 ciphersuites are only configurable via -// |SSL_CTX_set_ciphersuites| or |SSL_set_ciphersuites|. Other setter functions have -// no impact on TLS 1.3 ciphersuites. +// |SSL_CTX_set_ciphersuites| or |SSL_set_ciphersuites|. Other setter functions +// have no impact on TLS 1.3 ciphersuites. // SSL_DEFAULT_CIPHER_LIST is the default cipher suite configuration. It is // substituted when a cipher string starts with 'DEFAULT'. 
@@ -1872,12 +1874,13 @@ OPENSSL_EXPORT const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl); // or transported |ssl|'s that haven't yet performed a new handshake. OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *ssl); -// SSL_client_hello_get0_ciphers provides access to the client ciphers field from the -// Client Hello, optionally writing the result to an out pointer. It returns the field -// length if successful, or 0 if |ssl| is a client or the handshake hasn't occurred yet. -// |out| points to the raw bytes from the client hello message so it may contain invalid -// or unsupported Cipher IDs. -OPENSSL_EXPORT size_t SSL_client_hello_get0_ciphers(SSL *ssl, const unsigned char **out); +// SSL_client_hello_get0_ciphers provides access to the client ciphers field +// from the Client Hello, optionally writing the result to an out pointer. It +// returns the field length if successful, or 0 if |ssl| is a client or the +// handshake hasn't occurred yet. |out| points to the raw bytes from the client +// hello message so it may contain invalid or unsupported Cipher IDs. +OPENSSL_EXPORT size_t SSL_client_hello_get0_ciphers(SSL *ssl, + const unsigned char **out); // SSL_session_reused returns one if |ssl| performed an abbreviated handshake // and zero otherwise. @@ -2684,7 +2687,7 @@ OPENSSL_EXPORT int SSL_set1_groups_list(SSL *ssl, const char *groups); // SSL_GROUP_X25519_MLKEM768 is defined at // https://datatracker.ietf.org/doc/html/draft-kwiatkowski-tls-ecdhe-mlkem.html -#define SSL_GROUP_X25519_MLKEM768 0x11EC +#define SSL_GROUP_X25519_MLKEM768 0x11EC // The following PQ and hybrid group IDs are not yet standardized. Current IDs // are driven by community consensus and are defined at: 
@@ -2695,7 +2698,7 @@ OPENSSL_EXPORT int SSL_set1_groups_list(SSL *ssl, const char *groups); // The following are defined at // https://datatracker.ietf.org/doc/html/draft-connolly-tls-mlkem-key-agreement.html -#define SSL_GROUP_MLKEM768 0x0768 +#define SSL_GROUP_MLKEM768 0x0768 #define SSL_GROUP_MLKEM1024 0x1024 // SSL_get_group_id returns the ID of the group used by |ssl|'s most recently @@ -3656,8 +3659,7 @@ OPENSSL_EXPORT const SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile( #define PSK_MAX_PSK_LEN 256 // SSL_psk_client_cb_func defines a function signature for the client callback. -typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl, - const char *hint, +typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, uint8_t *psk, 
@@ -3674,20 +3676,18 @@ typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl, // at most |max_identity_len|. The PSK's length must be at most |max_psk_len|. // The callback returns the length of the PSK or 0 if no suitable identity was // found. -OPENSSL_EXPORT void SSL_CTX_set_psk_client_callback( - SSL_CTX *ctx, SSL_psk_client_cb_func cb); +OPENSSL_EXPORT void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, + SSL_psk_client_cb_func cb); // SSL_set_psk_client_callback sets the callback to be called when PSK is // negotiated on the client. This callback must be set to enable PSK cipher // suites on the client. See also |SSL_CTX_set_psk_client_callback|. -OPENSSL_EXPORT void SSL_set_psk_client_callback( - SSL *ssl, SSL_psk_client_cb_func cb); +OPENSSL_EXPORT void SSL_set_psk_client_callback(SSL *ssl, + SSL_psk_client_cb_func cb); // SSL_psk_server_cb_func defines a function signature for the server callback. -typedef unsigned (*SSL_psk_server_cb_func)(SSL *ssl, - const char *identity, - uint8_t *psk, - unsigned max_psk_len); +typedef unsigned (*SSL_psk_server_cb_func)(SSL *ssl, const char *identity, + uint8_t *psk, unsigned max_psk_len); // SSL_CTX_set_psk_server_callback sets the callback to be called when PSK is // negotiated on the server. This callback must be set to enable PSK cipher 
@@ -3696,14 +3696,14 @@ typedef unsigned (*SSL_psk_server_cb_func)(SSL *ssl, // The callback is passed the identity in |identity|. It should write a PSK of // length at most |max_psk_len| to |psk| and return the number of bytes written // or zero if the PSK identity is unknown. -OPENSSL_EXPORT void SSL_CTX_set_psk_server_callback( - SSL_CTX *ctx, SSL_psk_server_cb_func cb); +OPENSSL_EXPORT void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, + SSL_psk_server_cb_func cb); // SSL_set_psk_server_callback sets the callback to be called when PSK is // negotiated on the server. This callback must be set to enable PSK cipher // suites on the server. See also |SSL_CTX_set_psk_server_callback|. -OPENSSL_EXPORT void SSL_set_psk_server_callback( - SSL *ssl, SSL_psk_server_cb_func cb); +OPENSSL_EXPORT void SSL_set_psk_server_callback(SSL *ssl, + SSL_psk_server_cb_func cb); // SSL_CTX_use_psk_identity_hint configures server connections to advertise an // identity hint of |identity_hint|. It returns one on success and zero on 
@@ -5168,14 +5168,16 @@ OPENSSL_EXPORT int SSL_CTX_get_read_ahead(const SSL_CTX *ctx); // if |yes| is 0 it disables read ahead and returns 1, // if |yes| is any other value nothing is changed and 0 is returned. // -// When read ahead is enabled all future reads will be up to the buffer size configured -// with |SSL_CTX_set_default_read_buffer_len|, the default buffer size is -// |SSL3_RT_MAX_PLAIN_LENGTH| + |SSL3_RT_MAX_ENCRYPTED_OVERHEAD| = 16704 bytes. +// When read ahead is enabled all future reads will be up to the buffer size +// configured with |SSL_CTX_set_default_read_buffer_len|, the default buffer +// size is |SSL3_RT_MAX_PLAIN_LENGTH| + |SSL3_RT_MAX_ENCRYPTED_OVERHEAD| = 16704 +// bytes. // -// Read ahead should only be enabled on non-blocking IO sources configured with |SSL_set_bio|. -// When read ahead is enabled AWS-LC will make reads for potentially more data than is -// avaliable in the BIO with the assumption a partial read will be returned. If -// a blocking BIO is used and never returns the read could get stuck forever. +// Read ahead should only be enabled on non-blocking IO sources configured with +// |SSL_set_bio|. When read ahead is enabled AWS-LC will make reads for +// potentially more data than is avaliable in the BIO with the assumption a +// partial read will be returned. If a blocking BIO is used and never returns +// the read could get stuck forever. OPENSSL_EXPORT int SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes); // SSL_get_read_ahead returns 1 if |ssl| is not null and read ahead is enabled 
@@ -5187,25 +5189,27 @@ OPENSSL_EXPORT int SSL_get_read_ahead(const SSL *ssl);
 // if |yes| is 0 it disables read ahead and returns 1,
 // if |yes| is any other value nothing is changed and 0 is returned.
 //
-// When read ahead is enabled all future reads will be for up to the buffer size configured
-// with |SSL_CTX_set_default_read_buffer_len|. The default buffer size is
-// |SSL3_RT_MAX_PLAIN_LENGTH| + |SSL3_RT_MAX_ENCRYPTED_OVERHEAD| = 16704 bytes
+// When read ahead is enabled all future reads will be for up to the buffer size
+// configured with |SSL_CTX_set_default_read_buffer_len|. The default buffer
+// size is |SSL3_RT_MAX_PLAIN_LENGTH| + |SSL3_RT_MAX_ENCRYPTED_OVERHEAD| =
+// 16704 bytes
 //
-// Read ahead should only be enabled on non-blocking IO sources configured with |SSL_set_bio|,
-// when read ahead is enabled AWS-LC will make reads for potentially more data than is
-// available in the BIO.
+// Read ahead should only be enabled on non-blocking IO sources configured with
+// |SSL_set_bio|, when read ahead is enabled AWS-LC will make reads for
+// potentially more data than is available in the BIO.
 OPENSSL_EXPORT int SSL_set_read_ahead(SSL *ssl, int yes);
-// SSL_CTX_set_default_read_buffer_len sets the size of the buffer reads will use on
-// |ctx| if read ahead has been enabled. 0 is the minimum and 65535 is the maximum.
-// A |len| of 0 is the same behavior as read ahead turned off: each call to
-// |SSL_read| reads the amount specified in the TLS Record Header.
-OPENSSL_EXPORT int SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len);
+// SSL_CTX_set_default_read_buffer_len sets the size of the buffer reads will
+// use on |ctx| if read ahead has been enabled. 0 is the minimum and 65535 is
+// the maximum. A |len| of 0 is the same behavior as read ahead turned off: each
+// call to |SSL_read| reads the amount specified in the TLS Record Header.
+OPENSSL_EXPORT int SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx,
+ size_t len);
 // SSL_set_default_read_buffer_len sets the size of the buffer reads will use on
-// |ssl| if read ahead has been enabled. 0 is the minimum and 65535 is the maximum.
-// A |len| of 0 is the same behavior as read ahead turned off: each call to
-// |SSL_read| reads the amount specified in the TLS Record Header.
+// |ssl| if read ahead has been enabled. 0 is the minimum and 65535 is the
+// maximum. A |len| of 0 is the same behavior as read ahead turned off: each
+// call to |SSL_read| reads the amount specified in the TLS Record Header.
 OPENSSL_EXPORT int SSL_set_default_read_buffer_len(SSL *ssl, size_t len);
 // SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as SSL_MODE_ENABLE_FALSE_START.
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index baad4140ff..a81f5035c2 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -119,7 +119,7 @@
 #include
 #include
-#ifdef __cplusplus
+#ifdef __cplusplus
 extern "C" {
 #endif
@@ -248,7 +248,7 @@ extern "C" {
 // record. This does not include the record header. Some ciphers use explicit
 // nonces, so it includes both the AEAD overhead as well as the nonce.
 #define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
- (EVP_AEAD_MAX_OVERHEAD + EVP_AEAD_MAX_NONCE_LENGTH)
+ (EVP_AEAD_MAX_OVERHEAD + EVP_AEAD_MAX_NONCE_LENGTH)
 OPENSSL_STATIC_ASSERT(SSL3_RT_MAX_ENCRYPTED_OVERHEAD >=
 SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD,
@@ -326,7 +326,7 @@ OPENSSL_STATIC_ASSERT(SSL3_RT_MAX_ENCRYPTED_OVERHEAD >=
 #define SSL3_MT_CCS 1
-#ifdef __cplusplus
+#ifdef __cplusplus
 } // extern C
 #endif
diff --git a/include/openssl/stack.h b/include/openssl/stack.h
index beb3c2dcce..0afb5e0cc0 100644
--- a/include/openssl/stack.h
+++ b/include/openssl/stack.h
@@ -384,7 +384,7 @@ BSSL_NAMESPACE_BEGIN
 namespace internal {
 template struct StackTraits {};
-}
+} // namespace internal
 BSSL_NAMESPACE_END
 }
@@ -417,8 +417,10 @@ BSSL_NAMESPACE_END
 OPENSSL_MSVC_PRAGMA(warning(push)) \
 OPENSSL_MSVC_PRAGMA(warning(disable : 4191)) \
 OPENSSL_CLANG_PRAGMA("clang diagnostic push") \
- OPENSSL_CLANG_PRAGMA("clang diagnostic ignored \"-Wunknown-warning-option\"") \
- OPENSSL_CLANG_PRAGMA("clang diagnostic ignored \"-Wcast-function-type-strict\"") \
+ OPENSSL_CLANG_PRAGMA( \
+ "clang diagnostic ignored \"-Wunknown-warning-option\"") \
+ OPENSSL_CLANG_PRAGMA( \
+ "clang diagnostic ignored \"-Wcast-function-type-strict\"") \
 \
 DECLARE_STACK_OF(name) \
 \
@@ -510,8 +512,8 @@ BSSL_NAMESPACE_END
 } \
 \
 /* use 3-arg sk_*_find_awslc when size_t-sized |out_index| needed */ \
- OPENSSL_INLINE int sk_##name##_find_awslc(const STACK_OF(name) *sk, \
- size_t *out_index, constptrtype p) { \
+ OPENSSL_INLINE int sk_##name##_find_awslc( \
+ const STACK_OF(name) *sk, size_t *out_index, constptrtype p) { \
 return OPENSSL_sk_find((const OPENSSL_STACK *)sk, out_index, \
 (const void *)p, sk_##name##_call_cmp_func); \
 } \
@@ -526,7 +528,7 @@ BSSL_NAMESPACE_END
 if (ok == 0 || out_index > INT_MAX) { \
 return -1; \
 } \
- return (int) out_index; \
+ return (int)out_index; \
 } \
 \
 OPENSSL_INLINE int sk_##name##_unshift(STACK_OF(name) *sk, ptrtype p) { \
@@ -601,7 +603,9 @@ namespace internal {
 template struct DeleterImpl< Stack, typename std::enable_if::kIsConst>::type> {
- static void Free(Stack *sk) { OPENSSL_sk_free(reinterpret_cast(sk)); }
+ static void Free(Stack *sk) {
+ OPENSSL_sk_free(reinterpret_cast(sk));
+ }
 };
 // Stacks defined with |DEFINE_STACK_OF| are freed with |sk_pop_free| and the
@@ -633,9 +637,7 @@ class StackIteratorImpl {
 bool operator==(StackIteratorImpl other) const {
 return sk_ == other.sk_ && idx_ == other.idx_;
 }
- bool operator!=(StackIteratorImpl other) const {
- return !(*this == other);
- }
+ bool operator!=(StackIteratorImpl other) const { return !(*this == other); }
 Type *operator*() const {
 return reinterpret_cast(
diff --git a/include/openssl/target.h b/include/openssl/target.h
index 2a907dd797..fed7657ab5 100644
--- a/include/openssl/target.h
+++ b/include/openssl/target.h
@@ -104,9 +104,8 @@
 //
 // TODO(b/291101350): Remove this workaround once Android baremetal no longer
 // defines it.
-#if defined(__linux__) && \
- !defined(ANDROID_BAREMETAL) && !defined(OPENSSL_NANOLIBC) && \
- !defined(CROS_EC) && !defined(CROS_ZEPHYR)
+#if defined(__linux__) && !defined(ANDROID_BAREMETAL) && \
+ !defined(OPENSSL_NANOLIBC) && !defined(CROS_EC) && !defined(CROS_ZEPHYR)
 #define OPENSSL_LINUX
 #endif
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 347e5525e1..4a8c742ade 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -152,7 +152,7 @@
 #include
-#ifdef __cplusplus
+#ifdef __cplusplus
 extern "C" {
 #endif
@@ -291,14 +291,14 @@ extern "C" {
 #define TLSEXT_MAXLEN_host_name 255
 // PSK ciphersuites from 4279
-#define TLS1_CK_PSK_WITH_RC4_128_SHA 0x0300008A
-#define TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA 0x0300008B
-#define TLS1_CK_PSK_WITH_AES_128_CBC_SHA 0x0300008C
-#define TLS1_CK_PSK_WITH_AES_256_CBC_SHA 0x0300008D
+#define TLS1_CK_PSK_WITH_RC4_128_SHA 0x0300008A
+#define TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA 0x0300008B
+#define TLS1_CK_PSK_WITH_AES_128_CBC_SHA 0x0300008C
+#define TLS1_CK_PSK_WITH_AES_256_CBC_SHA 0x0300008D
 // PSK ciphersuites from RFC 5489
-#define TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA 0x0300C035
-#define TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA 0x0300C036
+#define TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA 0x0300C035
+#define TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA 0x0300C036
 // Additional TLS ciphersuites from expired Internet Draft
 // draft-ietf-tls-56-bit-ciphersuites-01.txt
@@ -652,7 +652,7 @@ extern "C" {
 #define TLS_MD_MAX_CONST_SIZE 20
-#ifdef __cplusplus
+#ifdef __cplusplus
 } // extern C
 #endif
diff --git a/include/openssl/trust_token.h b/include/openssl/trust_token.h
index b6aa6b34e2..3491ae70b9 100644
--- a/include/openssl/trust_token.h
+++ b/include/openssl/trust_token.h
@@ -167,11 +167,9 @@ OPENSSL_EXPORT int TRUST_TOKEN_CLIENT_begin_issuance_over_message(
 // arrives without the specified key present. The caller takes ownership of the
 // list and must call |sk_TRUST_TOKEN_pop_free| when done. The list is empty if
 // issuance fails.
-OPENSSL_EXPORT STACK_OF(TRUST_TOKEN) *
- TRUST_TOKEN_CLIENT_finish_issuance(TRUST_TOKEN_CLIENT *ctx,
- size_t *out_key_index,
- const uint8_t *response,
- size_t response_len);
+OPENSSL_EXPORT STACK_OF(TRUST_TOKEN) *TRUST_TOKEN_CLIENT_finish_issuance(
+ TRUST_TOKEN_CLIENT *ctx, size_t *out_key_index, const uint8_t *response,
+ size_t response_len);
 // TRUST_TOKEN_CLIENT_begin_redemption produces a request to redeem a token
diff --git a/include/openssl/type_check.h b/include/openssl/type_check.h
index 0f3fb05f8a..4140fb05d4 100644
--- a/include/openssl/type_check.h
+++ b/include/openssl/type_check.h
@@ -84,29 +84,35 @@ extern "C" {
 //
 // An example of an error thrown during compilation:
 // ```
-// error: negative width in bit-field
+// error: negative width in bit-field
 // 'static_assertion_at_line_913_error_is_AEAD_state_is_too_small'
 // ```
 #define AWSLC_CONCAT(left, right) left##right
-#define AWSLC_STATIC_ASSERT_DEFINE(cond, msg) typedef struct { \
- unsigned int AWSLC_CONCAT(static_assertion_, msg) : (cond) ? 1 : - 1; \
- } AWSLC_CONCAT(static_assertion_, msg) OPENSSL_UNUSED;
-#define AWSLC_STATIC_ASSERT_ADD_LINE0(cond, suffix) AWSLC_STATIC_ASSERT_DEFINE(cond, AWSLC_CONCAT(at_line_, suffix))
-#define AWSLC_STATIC_ASSERT_ADD_LINE1(cond, line, suffix) AWSLC_STATIC_ASSERT_ADD_LINE0(cond, AWSLC_CONCAT(line, suffix))
-#define AWSLC_STATIC_ASSERT_ADD_LINE2(cond, suffix) AWSLC_STATIC_ASSERT_ADD_LINE1(cond, __LINE__, suffix)
-#define AWSLC_STATIC_ASSERT_ADD_ERROR(cond, suffix) AWSLC_STATIC_ASSERT_ADD_LINE2(cond, AWSLC_CONCAT(_error_is_, suffix))
-#define OPENSSL_STATIC_ASSERT(cond, error) AWSLC_STATIC_ASSERT_ADD_ERROR(cond, error)
+#define AWSLC_STATIC_ASSERT_DEFINE(cond, msg) \
+ typedef struct { \
+ unsigned int AWSLC_CONCAT(static_assertion_, msg) : (cond) ? 1 : -1; \
+ } AWSLC_CONCAT(static_assertion_, msg) OPENSSL_UNUSED;
+#define AWSLC_STATIC_ASSERT_ADD_LINE0(cond, suffix) \
+ AWSLC_STATIC_ASSERT_DEFINE(cond, AWSLC_CONCAT(at_line_, suffix))
+#define AWSLC_STATIC_ASSERT_ADD_LINE1(cond, line, suffix) \
+ AWSLC_STATIC_ASSERT_ADD_LINE0(cond, AWSLC_CONCAT(line, suffix))
+#define AWSLC_STATIC_ASSERT_ADD_LINE2(cond, suffix) \
+ AWSLC_STATIC_ASSERT_ADD_LINE1(cond, __LINE__, suffix)
+#define AWSLC_STATIC_ASSERT_ADD_ERROR(cond, suffix) \
+ AWSLC_STATIC_ASSERT_ADD_LINE2(cond, AWSLC_CONCAT(_error_is_, suffix))
+#define OPENSSL_STATIC_ASSERT(cond, error) \
+ AWSLC_STATIC_ASSERT_ADD_ERROR(cond, error)
 // CHECKED_CAST casts |p| from type |from| to type |to|.
//
 // TODO(davidben): Although this macro is not public API and is unused in
 // BoringSSL, wpa_supplicant uses it to define its own stacks. Remove this once
 // wpa_supplicant has been fixed.
-#define CHECKED_CAST(to, from, p) ((to) (1 ? (p) : (from)0))
+#define CHECKED_CAST(to, from, p) ((to)(1 ? (p) : (from)0))
 // CHECKED_PTR_OF casts a given pointer to void* and statically checks that it
 // was a pointer to |type|.
-#define CHECKED_PTR_OF(type, p) CHECKED_CAST(void*, type*, (p))
+#define CHECKED_PTR_OF(type, p) CHECKED_CAST(void *, type *, (p))
 #if defined(__cplusplus)
 } // extern C
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 185d29b9d8..494fa2a195 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -2784,7 +2784,8 @@ OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
 // X509_STORE_CTX_get0_untrusted returns the stack of untrusted intermediates
 // used by |ctx| for certificate verification.
-OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(
+ X509_STORE_CTX *ctx);
 // X509_STORE_CTX_set0_trusted_stack configures |ctx| to trust the certificates
 // in |sk|. |sk| must remain valid for the duration of |ctx|. Calling this
@@ -5003,17 +5004,17 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx,
 #define NS_OBJSIGN_CA 0x01
 #define NS_ANY_CA (NS_SSL_CA | NS_SMIME_CA | NS_OBJSIGN_CA)
- typedef struct x509_purpose_st {
- int purpose;
- int trust; // Default trust ID
- int flags;
- int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int);
- char *name;
- char *sname;
- void *usr_data;
- } X509_PURPOSE;
+typedef struct x509_purpose_st {
+ int purpose;
+ int trust; // Default trust ID
+ int flags;
+ int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int);
+ char *name;
+ char *sname;
+ void *usr_data;
+} X509_PURPOSE;
- DEFINE_STACK_OF(X509_PURPOSE)
+DEFINE_STACK_OF(X509_PURPOSE)
 // X509_STORE_get0_objects returns a non-owning pointer of |store|'s internal
 // object list. Although this function is not const, callers must not modify
@@ -5073,12 +5074,12 @@ DECLARE_STACK_OF(DIST_POINT)
 // This is used for a table of trust checking functions
 struct x509_trust_st {
-int trust;
-int flags;
-int (*check_trust)(const X509_TRUST *, X509 *);
-char *name;
-int arg1;
-void *arg2;
+ int trust;
+ int flags;
+ int (*check_trust)(const X509_TRUST *, X509 *);
+ char *name;
+ int arg1;
+ void *arg2;
 } /* X509_TRUST */;
 DEFINE_STACK_OF(X509_TRUST)
diff --git a/ssl/bio_ssl.cc b/ssl/bio_ssl.cc
index fe834507b1..a02b047835 100644
--- a/ssl/bio_ssl.cc
+++ b/ssl/bio_ssl.cc
@@ -12,9 +12,7 @@
 #include
-static SSL *get_ssl(BIO *bio) {
- return reinterpret_cast(bio->ptr);
-}
+static SSL *get_ssl(BIO *bio) { return reinterpret_cast(bio->ptr); }
 static int ssl_read(BIO *bio, char *out, int outl) {
 SSL *ssl = get_ssl(bio);
@@ -146,9 +144,7 @@ static long ssl_ctrl(BIO *bio, int cmd, long num, void *ptr) {
 }
 }
-static int ssl_new(BIO *bio) {
- return 1;
-}
+static int ssl_new(BIO *bio) { return 1; }
 static int ssl_free(BIO *bio) {
 SSL *ssl = get_ssl(bio);
diff --git a/ssl/custom_extensions.cc b/ssl/custom_extensions.cc
index cf9435cd97..b5ad595752 100644
--- a/ssl/custom_extensions.cc
+++ b/ssl/custom_extensions.cc
@@ -32,8 +32,8 @@ void SSL_CUSTOM_EXTENSION_free(SSL_CUSTOM_EXTENSION *custom_extension) {
 }
 static const SSL_CUSTOM_EXTENSION *custom_ext_find(
- STACK_OF(SSL_CUSTOM_EXTENSION) *stack,
- unsigned *out_index, uint16_t value) {
+ STACK_OF(SSL_CUSTOM_EXTENSION) *stack, unsigned *out_index,
+ uint16_t value) {
 for (size_t i = 0; i < sk_SSL_CUSTOM_EXTENSION_num(stack); i++) {
 const SSL_CUSTOM_EXTENSION *ext = sk_SSL_CUSTOM_EXTENSION_value(stack, i);
 if (ext->value == value) {
@@ -74,8 +74,7 @@ static int custom_ext_add_hello(SSL_HANDSHAKE *hs, CBB *extensions) {
 for (size_t i = 0; i < sk_SSL_CUSTOM_EXTENSION_num(stack); i++) {
 const SSL_CUSTOM_EXTENSION *ext = sk_SSL_CUSTOM_EXTENSION_value(stack, i);
- if (ssl->server &&
- !(hs->custom_extensions.received & (1u << i))) {
+ if (ssl->server && !(hs->custom_extensions.received & (1u << i))) {
 // Servers cannot echo extensions that the client didn't send.
 continue;
 }
@@ -93,7 +92,7 @@ static int custom_ext_add_hello(SSL_HANDSHAKE *hs, CBB *extensions) {
 !CBB_add_bytes(&contents_cbb, contents, contents_len) ||
 !CBB_flush(extensions)) {
 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- ERR_add_error_dataf("extension %u", (unsigned) ext->value);
+ ERR_add_error_dataf("extension %u", (unsigned)ext->value);
 if (ext->free_callback && 0 < contents_len) {
 ext->free_callback(ssl, ext->value, contents, ext->add_arg);
 }
@@ -116,7 +115,7 @@ static int custom_ext_add_hello(SSL_HANDSHAKE *hs, CBB *extensions) {
 default:
 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
 OPENSSL_PUT_ERROR(SSL, SSL_R_CUSTOM_EXTENSION_ERROR);
- ERR_add_error_dataf("extension %u", (unsigned) ext->value);
+ ERR_add_error_dataf("extension %u", (unsigned)ext->value);
 return 0;
 }
 }
@@ -135,7 +134,7 @@ int custom_ext_parse_serverhello(SSL_HANDSHAKE *hs, int *out_alert,
 const SSL_CUSTOM_EXTENSION *ext =
 custom_ext_find(ssl->ctx->client_custom_extensions, &index, value);
- if (// Unknown extensions are not allowed in a ServerHello.
+ if ( // Unknown extensions are not allowed in a ServerHello.
 ext == NULL ||
 // Also, if we didn't send the extension, that's also unacceptable.
 !(hs->custom_extensions.sent & (1u << index))) {
@@ -197,8 +196,7 @@ static int custom_ext_append(STACK_OF(SSL_CUSTOM_EXTENSION) **stack,
 SSL_custom_ext_free_cb free_cb, void *add_arg,
 SSL_custom_ext_parse_cb parse_cb, void *parse_arg) {
- if (add_cb == NULL ||
- 0xffff < extension_value ||
+ if (add_cb == NULL || 0xffff < extension_value ||
 SSL_extension_supported(extension_value) ||
 // Specifying a free callback without an add callback is nonsensical
 // and an error.
diff --git a/ssl/d1_both.cc b/ssl/d1_both.cc
index b910b96d9c..5971c0f750 100644
--- a/ssl/d1_both.cc
+++ b/ssl/d1_both.cc
@@ -271,8 +271,7 @@ static hm_fragment *dtls1_get_incoming_message(
 assert(frag->seq == msg_hdr->seq);
 // The new fragment must be compatible with the previous fragments from this
 // message.
- if (frag->type != msg_hdr->type ||
- frag->msg_len != msg_hdr->msg_len) {
+ if (frag->type != msg_hdr->type || frag->msg_len != msg_hdr->msg_len) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);
 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
 return NULL;
@@ -498,8 +497,7 @@ void dtls_clear_outgoing_messages(SSL *ssl) {
 bool dtls1_init_message(const SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
 // Pick a modest size hint to save most of the |realloc| calls.
- if (!CBB_init(cbb, 64) ||
- !CBB_add_u8(cbb, type) ||
+ if (!CBB_init(cbb, 64) || !CBB_add_u8(cbb, type) ||
 !CBB_add_u24(cbb, 0 /* length (filled in later) */) ||
 !CBB_add_u16(cbb, ssl->d1->handshake_write_seq) ||
 !CBB_add_u24(cbb, 0 /* offset */) ||
@@ -561,8 +559,7 @@ static bool add_outgoing(SSL *ssl, bool is_ccs, Array data) {
 if (!is_ccs) {
 // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript
 // on hs.
- if (ssl->s3->hs != NULL &&
- !ssl->s3->hs->transcript.Update(data)) {
+ if (ssl->s3->hs != NULL && !ssl->s3->hs->transcript.Update(data)) {
 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
 return false;
 }
@@ -657,12 +654,9 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
 CBS cbs, body;
 struct hm_header_st hdr;
 CBS_init(&cbs, msg->data.data(), msg->data.size());
- if (!dtls1_parse_fragment(&cbs, &hdr, &body) ||
- hdr.frag_off != 0 ||
- hdr.frag_len != CBS_len(&body) ||
- hdr.msg_len != CBS_len(&body) ||
- !CBS_skip(&body, ssl->d1->outgoing_offset) ||
- CBS_len(&cbs) != 0) {
+ if (!dtls1_parse_fragment(&cbs, &hdr, &body) || hdr.frag_off != 0 ||
+ hdr.frag_len != CBS_len(&body) || hdr.msg_len != CBS_len(&body) ||
+ !CBS_skip(&body, ssl->d1->outgoing_offset) || CBS_len(&cbs) != 0) {
 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
 return seal_error;
 }
@@ -820,8 +814,6 @@ int dtls1_retransmit_outgoing_messages(SSL *ssl) {
 return send_flight(ssl);
 }
-unsigned int dtls1_min_mtu(void) {
- return kMinMTU;
-}
+unsigned int dtls1_min_mtu(void) { return kMinMTU; }
 BSSL_NAMESPACE_END
diff --git a/ssl/d1_lib.cc b/ssl/d1_lib.cc
index 52fbfae5fe..15f0410391 100644
--- a/ssl/d1_lib.cc
+++ b/ssl/d1_lib.cc
@@ -72,11 +72,11 @@ BSSL_NAMESPACE_BEGIN
 // DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire
 // before starting to decrease the MTU.
-#define DTLS1_MTU_TIMEOUTS 2
+#define DTLS1_MTU_TIMEOUTS 2
 // DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire
 // before failing the DTLS handshake.
-#define DTLS1_MAX_TIMEOUTS 12
+#define DTLS1_MAX_TIMEOUTS 12
 DTLS1_STATE::DTLS1_STATE()
 : has_change_cipher_spec(false),
diff --git a/ssl/d1_pkt.cc b/ssl/d1_pkt.cc
index b866156265..309f9b7f56 100644
--- a/ssl/d1_pkt.cc
+++ b/ssl/d1_pkt.cc
@@ -116,9 +116,9 @@
 #include
 #include
-#include
-#include
 #include
+#include
+#include
 #include
 #include "../crypto/internal.h"
diff --git a/ssl/d1_srtp.cc b/ssl/d1_srtp.cc
index 12c8075030..8f2c91686b 100644
--- a/ssl/d1_srtp.cc
+++ b/ssl/d1_srtp.cc
@@ -128,16 +128,20 @@ using namespace bssl;
 static const SRTP_PROTECTION_PROFILE kSRTPProfiles[] = {
 {
- "SRTP_AES128_CM_SHA1_80", SRTP_AES128_CM_SHA1_80,
+ "SRTP_AES128_CM_SHA1_80",
+ SRTP_AES128_CM_SHA1_80,
 },
 {
- "SRTP_AES128_CM_SHA1_32", SRTP_AES128_CM_SHA1_32,
+ "SRTP_AES128_CM_SHA1_32",
+ SRTP_AES128_CM_SHA1_32,
 },
 {
- "SRTP_AEAD_AES_128_GCM", SRTP_AEAD_AES_128_GCM,
+ "SRTP_AEAD_AES_128_GCM",
+ SRTP_AEAD_AES_128_GCM,
 },
 {
- "SRTP_AEAD_AES_256_GCM", SRTP_AEAD_AES_256_GCM,
+ "SRTP_AEAD_AES_256_GCM",
+ SRTP_AEAD_AES_256_GCM,
 },
 {0, 0},
 };
diff --git a/ssl/dtls_method.cc b/ssl/dtls_method.cc
index a28dcdc9cb..34b7430bc0 100644
--- a/ssl/dtls_method.cc
+++ b/ssl/dtls_method.cc
@@ -175,26 +175,14 @@ const SSL_METHOD *DTLSv1_method(void) {
 // Legacy side-specific methods.
-const SSL_METHOD *DTLSv1_2_server_method(void) {
- return DTLSv1_2_method();
-}
+const SSL_METHOD *DTLSv1_2_server_method(void) { return DTLSv1_2_method(); }
-const SSL_METHOD *DTLSv1_server_method(void) {
- return DTLSv1_method();
-}
+const SSL_METHOD *DTLSv1_server_method(void) { return DTLSv1_method(); }
-const SSL_METHOD *DTLSv1_2_client_method(void) {
- return DTLSv1_2_method();
-}
+const SSL_METHOD *DTLSv1_2_client_method(void) { return DTLSv1_2_method(); }
-const SSL_METHOD *DTLSv1_client_method(void) {
- return DTLSv1_method();
-}
+const SSL_METHOD *DTLSv1_client_method(void) { return DTLSv1_method(); }
-const SSL_METHOD *DTLS_server_method(void) {
- return DTLS_method();
-}
+const SSL_METHOD *DTLS_server_method(void) { return DTLS_method(); }
-const SSL_METHOD *DTLS_client_method(void) {
- return DTLS_method();
-}
+const SSL_METHOD *DTLS_client_method(void) { return DTLS_method(); }
diff --git a/ssl/dtls_record.cc b/ssl/dtls_record.cc
index 26819f165d..b3191e601b 100644
--- a/ssl/dtls_record.cc
+++ b/ssl/dtls_record.cc
@@ -117,8 +117,8 @@
 #include
 #include
-#include "internal.h"
 #include "../crypto/internal.h"
+#include "internal.h"
 BSSL_NAMESPACE_BEGIN
@@ -194,8 +194,7 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,
 uint16_t version;
 uint8_t sequence[8];
 CBS body;
- if (!CBS_get_u8(&cbs, &type) ||
- !CBS_get_u16(&cbs, &version) ||
+ if (!CBS_get_u8(&cbs, &type) || !CBS_get_u16(&cbs, &version) ||
 !CBS_copy_bytes(&cbs, sequence, 8) ||
 !CBS_get_u16_length_prefixed(&cbs, &body) ||
 CBS_len(&body) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
diff --git a/ssl/encrypted_client_hello.cc b/ssl/encrypted_client_hello.cc
index 8c4a42ce83..3d838ae6d2 100644
--- a/ssl/encrypted_client_hello.cc
+++ b/ssl/encrypted_client_hello.cc
@@ -428,7 +428,7 @@ static bool parse_ech_config(CBS *cbs, ECHConfig *out, bool *out_supported,
 CBS ech_config(out->raw);
 CBS public_name, public_key, cipher_suites, extensions;
- if (!CBS_skip(&ech_config, 2) || // version
+ if (!CBS_skip(&ech_config, 2) || // version
 !CBS_get_u16_length_prefixed(&ech_config, &contents) ||
 !CBS_get_u8(&contents, &out->config_id) ||
 !CBS_get_u16(&contents, &out->kem_id) ||
@@ -576,9 +576,10 @@ bool ECHServerConfig::SetupContext(EVP_HPKE_CTX *ctx, uint16_t kdf_id,
 assert(kdf_id == EVP_HPKE_HKDF_SHA256);
 assert(get_ech_aead(aead_id) != NULL);
- return EVP_HPKE_CTX_setup_recipient(
- ctx, key_.get(), EVP_hpke_hkdf_sha256(), get_ech_aead(aead_id), enc.data(),
- enc.size(), CBB_data(info_cbb.get()), CBB_len(info_cbb.get()));
+ return EVP_HPKE_CTX_setup_recipient(ctx, key_.get(), EVP_hpke_hkdf_sha256(),
+ get_ech_aead(aead_id), enc.data(),
+ enc.size(), CBB_data(info_cbb.get()),
+ CBB_len(info_cbb.get()));
 }
 bool ssl_is_valid_ech_config_list(Span ech_config_list) {
@@ -750,8 +751,7 @@ static bool setup_ech_grease(SSL_HANDSHAKE *hs) {
 bssl::ScopedCBB cbb;
 CBB enc_cbb, payload_cbb;
 uint8_t *payload;
- if (!CBB_init(cbb.get(), 256) ||
- !CBB_add_u16(cbb.get(), kdf_id) ||
+ if (!CBB_init(cbb.get(), 256) || !CBB_add_u16(cbb.get(), kdf_id) ||
 !CBB_add_u16(cbb.get(), EVP_HPKE_AEAD_id(aead)) ||
 !CBB_add_u8(cbb.get(), config_id) ||
 !CBB_add_u16_length_prefixed(cbb.get(), &enc_cbb) ||
@@ -889,7 +889,7 @@ bool ssl_encrypt_client_hello(SSL_HANDSHAKE *hs, Span enc) {
 payload_len != payload_span.size()) {
 return false;
 }
-#endif // BORINGSSL_UNSAFE_FUZZER_MODE
+#endif // BORINGSSL_UNSAFE_FUZZER_MODE
 return true;
 }
@@ -938,9 +938,9 @@ void SSL_get0_ech_name_override(const SSL *ssl, const char **out_name,
 }
 }
-void SSL_get0_ech_retry_configs(
- const SSL *ssl, const uint8_t **out_retry_configs,
- size_t *out_retry_configs_len) {
+void SSL_get0_ech_retry_configs(const SSL *ssl,
+ const uint8_t **out_retry_configs,
+ size_t *out_retry_configs_len) {
 const SSL_HANDSHAKE *hs = ssl->s3->hs.get();
 if (!hs || !hs->ech_authenticated_reject) {
 // It is an error to call this function except in response to
diff --git a/ssl/extensions.cc b/ssl/extensions.cc
index a44bb87095..5dc9dbaf72 100644
--- a/ssl/extensions.cc
+++ b/ssl/extensions.cc
@@ -510,9 +510,7 @@ static bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 return true;
 }
-static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
- return true;
-}
+static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { return true; }
 // Server name indication (SNI).
 //
@@ -563,8 +561,7 @@ static bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 }
 static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
- if (hs->ssl->s3->session_reused ||
- !hs->should_ack_sni) {
+ if (hs->ssl->s3->session_reused || !hs->should_ack_sni) {
 return true;
 }
@@ -700,8 +697,7 @@ static bool ext_ri_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
 ssl_client_hello_type_t type) {
 const SSL *const ssl = hs->ssl;
 // Renegotiation indication is not necessary in TLS 1.3.
- if (hs->min_version >= TLS1_3_VERSION ||
- type == ssl_client_hello_inner) {
+ if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner) {
 return true;
 }
@@ -884,8 +880,7 @@ static bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 SSL *const ssl = hs->ssl;
 if (contents != NULL) {
- if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
- CBS_len(contents) != 0) {
+ if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || CBS_len(contents) != 0) {
 return false;
 }
@@ -956,8 +951,7 @@ static bool ext_ticket_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
 // advertise the extension to avoid potentially breaking servers which carry
 // over the state from the previous handshake, such as OpenSSL servers
 // without upstream's 3c3f0259238594d77264a78944d409f2127642c4.
- if (!ssl->s3->initial_handshake_complete &&
- ssl->session != nullptr &&
+ if (!ssl->s3->initial_handshake_complete && ssl->session != nullptr &&
 !ssl->session->ticket.empty() &&
 // Don't send TLS 1.3 session tickets in the ticket extension.
 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
@@ -1196,8 +1190,7 @@ static bool ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 while (CBS_len(contents) != 0) {
 CBS proto;
- if (!CBS_get_u8_length_prefixed(contents, &proto) ||
- CBS_len(&proto) == 0) {
+ if (!CBS_get_u8_length_prefixed(contents, &proto) || CBS_len(&proto) == 0) {
 return false;
 }
 }
@@ -1230,10 +1223,8 @@ static bool ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 return false;
 }
- if (contents == NULL ||
- ssl->s3->initial_handshake_complete ||
- ssl->ctx->next_protos_advertised_cb == NULL ||
- SSL_is_dtls(ssl)) {
+ if (contents == NULL || ssl->s3->initial_handshake_complete ||
+ ssl->ctx->next_protos_advertised_cb == NULL || SSL_is_dtls(ssl)) {
 return true;
 }
@@ -1262,8 +1253,7 @@ static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 CBB contents;
 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
 !CBB_add_u16_length_prefixed(out, &contents) ||
- !CBB_add_bytes(&contents, npa, npa_len) ||
- !CBB_flush(out)) {
+ !CBB_add_bytes(&contents, npa, npa_len) || !CBB_flush(out)) {
 return false;
 }
@@ -1427,8 +1417,7 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 CBS_len(contents) != 0 ||
 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) 
 // Empty protocol names are forbidden.
- CBS_len(&protocol_name) == 0 ||
- CBS_len(&protocol_name_list) != 0) {
+ CBS_len(&protocol_name) == 0 || CBS_len(&protocol_name_list) != 0) {
 return false;
 }
@@ -1516,8 +1505,7 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 CBS protocol_name_list;
 if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
- CBS_len(&contents) != 0 ||
- !ssl_is_valid_alpn_list(protocol_name_list)) {
+ CBS_len(&contents) != 0 || !ssl_is_valid_alpn_list(protocol_name_list)) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
 *out_alert = SSL_AD_DECODE_ERROR;
 return false;
@@ -1674,8 +1662,7 @@ static bool ext_srtp_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
 const SSL *const ssl = hs->ssl;
 const STACK_OF(SRTP_PROTECTION_PROFILE) *profiles =
 SSL_get_srtp_profiles(ssl);
- if (profiles == NULL ||
- sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0 ||
+ if (profiles == NULL || sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0 ||
 !SSL_is_dtls(ssl)) {
 return true;
 }
@@ -1716,8 +1703,7 @@ static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 CBS profile_ids, srtp_mki;
 uint16_t profile_id;
 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
- !CBS_get_u16(&profile_ids, &profile_id) ||
- CBS_len(&profile_ids) != 0 ||
+ !CBS_get_u16(&profile_ids, &profile_id) || CBS_len(&profile_ids) != 0 ||
 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
 CBS_len(contents) != 0) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
@@ -1798,8 +1784,7 @@ static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 !CBB_add_u16_length_prefixed(out, &contents) ||
 !CBB_add_u16_length_prefixed(&contents, &profile_ids) ||
 !CBB_add_u16(&profile_ids, ssl->s3->srtp_profile->id) ||
- !CBB_add_u8(&contents, 0 /* empty MKI */) ||
- !CBB_flush(out)) {
+ !CBB_add_u8(&contents, 0 /* empty MKI */) || !CBB_flush(out)) {
 return false;
 }
@@ -1835,8 +1820,8 @@ static bool ext_ec_point_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
 return ext_ec_point_add_extension(hs, out);
 }
-static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
- CBS *contents) {
+static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs,
+ uint8_t *out_alert, CBS *contents) {
 if (contents == NULL) {
 return true;
 }
@@ -1863,8 +1848,8 @@ static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert
 return true;
 }
-static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
- CBS *contents) {
+static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs,
+ uint8_t *out_alert, CBS *contents) {
 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
 return true;
 }
@@ -1969,8 +1954,7 @@ bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
 uint8_t *out_alert,
 CBS *contents) {
 uint16_t psk_id;
- if (!CBS_get_u16(contents, &psk_id) ||
- CBS_len(contents) != 0) {
+ if (!CBS_get_u16(contents, &psk_id) || CBS_len(contents) != 0) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
 *out_alert = SSL_AD_DECODE_ERROR;
 return false;
@@ -2005,8 +1989,7 @@ bool ssl_ext_pre_shared_key_parse_clienthello(
 !CBS_get_u16_length_prefixed(&identities, out_ticket) ||
 !CBS_get_u32(&identities, out_obfuscated_ticket_age) ||
 !CBS_get_u16_length_prefixed(contents, &binders) ||
- CBS_len(&binders) == 0 ||
- CBS_len(contents) != 0) {
+ CBS_len(&binders) == 0 || CBS_len(contents) != 0) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
 *out_alert = SSL_AD_DECODE_ERROR;
 return false;
@@ -2061,8 +2044,7 @@ bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
 !CBB_add_u16_length_prefixed(out, &contents) ||
 // We only consider the first identity for resumption
- !CBB_add_u16(&contents, 0) ||
- !CBB_flush(out)) {
+ !CBB_add_u16(&contents, 0) || !CBB_flush(out)) {
 return false;
 }
@@ -2101,8 +2083,7 @@ static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
 CBS ke_modes;
 if (!CBS_get_u8_length_prefixed(contents, &ke_modes) ||
- CBS_len(&ke_modes) == 0 ||
- CBS_len(contents) != 0) {
+ CBS_len(&ke_modes) == 0 || CBS_len(contents) != 0) {
 *out_alert = SSL_AD_DECODE_ERROR;
 return false;
 }
@@ -2139,8 +2120,7 @@ static bool ext_early_data_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
 // handshakes with ClientHelloOuter, it can skip past early data. See
 // draft-ietf-tls-esni-13, section 6.1.
 if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_early_data) ||
- !CBB_add_u16(out_compressible, 0) ||
- !CBB_flush(out_compressible)) {
+ !CBB_add_u16(out_compressible, 0) || !CBB_flush(out_compressible)) {
 return false;
 }
@@ -2186,10 +2166,10 @@ static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs, } static bool ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs, - uint8_t *out_alert, CBS *contents) { + uint8_t *out_alert, + CBS *contents) { SSL *const ssl = hs->ssl; - if (contents == NULL || - ssl_protocol_version(ssl) < TLS1_3_VERSION) { + if (contents == NULL || ssl_protocol_version(ssl) < TLS1_3_VERSION) { return true; } @@ -2207,8 +2187,7 @@ static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { return true; } - if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) || - !CBB_add_u16(out, 0) || + if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) || !CBB_add_u16(out, 0) || !CBB_flush(out)) { return false; } @@ -2501,14 +2480,12 @@ static bool ext_supported_groups_add_clienthello(const SSL_HANDSHAKE *hs, // Add a fake group. See RFC 8701. if (ssl->ctx->grease_enabled && - !CBB_add_u16(&groups_bytes, - ssl_get_grease_value(hs, ssl_grease_group))) { + !CBB_add_u16(&groups_bytes, ssl_get_grease_value(hs, ssl_grease_group))) { return false; } for (uint16_t group : tls1_get_grouplist(hs)) { - if (is_post_quantum_group(group) && - hs->max_version < TLS1_3_VERSION) { + if (is_post_quantum_group(group) && hs->max_version < TLS1_3_VERSION) { continue; } if (!CBB_add_u16(&groups_bytes, group)) { @@ -2551,7 +2528,7 @@ static bool parse_u16_array(const CBS *cbs, Array *out) { } static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs, - uint8_t *out_alert, + uint8_t *out_alert, CBS *contents) { if (contents == NULL) { return true; @@ -2559,8 +2536,7 @@ static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs, CBS supported_group_list; if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) || - CBS_len(&supported_group_list) == 0 || - CBS_len(contents) != 0 || + CBS_len(&supported_group_list) == 0 || CBS_len(contents) != 0 || !parse_u16_array(&supported_group_list, &hs->peer_supported_group_list)) { return false; } 
@@ -2779,8 +2755,7 @@ static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs, // accept for a delegated credential. CBS sigalg_list; if (!CBS_get_u16_length_prefixed(contents, &sigalg_list) || - CBS_len(&sigalg_list) == 0 || - CBS_len(contents) != 0 || + CBS_len(&sigalg_list) == 0 || CBS_len(contents) != 0 || !parse_u16_array(&sigalg_list, &hs->peer_delegated_credential_sigalgs)) { return false; } @@ -2840,8 +2815,7 @@ static bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs, CBS alg_ids; if (!CBS_get_u8_length_prefixed(contents, &alg_ids) || - CBS_len(contents) != 0 || - CBS_len(&alg_ids) == 0 || + CBS_len(contents) != 0 || CBS_len(&alg_ids) == 0 || CBS_len(&alg_ids) % 2 == 1) { return false; } @@ -2916,7 +2890,7 @@ static bool ext_alps_add_clienthello_impl(const SSL_HANDSHAKE *hs, CBB *out, ssl_client_hello_type_t type, bool use_new_codepoint) { const SSL *const ssl = hs->ssl; - if (// ALPS requires TLS 1.3. + if ( // ALPS requires TLS 1.3. hs->max_version < TLS1_3_VERSION || // Do not offer ALPS without ALPN. hs->config->alpn_client_proto_list.empty() || @@ -2970,8 +2944,7 @@ static bool ext_alps_add_clienthello_old(const SSL_HANDSHAKE *hs, CBB *out, } static bool ext_alps_parse_serverhello_impl(SSL_HANDSHAKE *hs, - uint8_t *out_alert, - CBS *contents, + uint8_t *out_alert, CBS *contents, bool use_new_codepoint) { SSL *const ssl = hs->ssl; if (contents == nullptr) { 
@@ -3001,16 +2974,14 @@ static bool ext_alps_parse_serverhello_impl(SSL_HANDSHAKE *hs, return true; } -static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, - uint8_t *out_alert, +static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) { return ext_alps_parse_serverhello_impl(hs, out_alert, contents, /*use_new_codepoint=*/true); } static bool ext_alps_parse_serverhello_old(SSL_HANDSHAKE *hs, - uint8_t *out_alert, - CBS *contents) { + uint8_t *out_alert, CBS *contents) { return ext_alps_parse_serverhello_impl(hs, out_alert, contents, /*use_new_codepoint=*/false); } @@ -3026,7 +2997,7 @@ static bool ext_alps_add_serverhello_impl(SSL_HANDSHAKE *hs, CBB *out, return true; } - if (use_new_codepoint != hs->config->alps_use_new_codepoint) { + if (use_new_codepoint != hs->config->alps_use_new_codepoint) { // Do nothing, we'll send the other codepoint. return true; } @@ -3080,8 +3051,7 @@ bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert, bool found = false; CBS alps_list; if (!CBS_get_u16_length_prefixed(&alps_contents, &alps_list) || - CBS_len(&alps_contents) != 0 || - CBS_len(&alps_list) == 0) { + CBS_len(&alps_contents) != 0 || CBS_len(&alps_list) == 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); *out_alert = SSL_AD_DECODE_ERROR; return false; 
@@ -3115,185 +3085,185 @@ bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 // kExtensions contains all the supported extensions.
 static const struct tls_extension kExtensions[] = {
- {
- TLSEXT_TYPE_server_name,
- ext_sni_add_clienthello,
- ext_sni_parse_serverhello,
- ext_sni_parse_clienthello,
- ext_sni_add_serverhello,
- },
- {
- TLSEXT_TYPE_encrypted_client_hello,
- ext_ech_add_clienthello,
- ext_ech_parse_serverhello,
- ext_ech_parse_clienthello,
- ext_ech_add_serverhello,
- },
- {
- TLSEXT_TYPE_extended_master_secret,
- ext_ems_add_clienthello,
- ext_ems_parse_serverhello,
- ext_ems_parse_clienthello,
- ext_ems_add_serverhello,
- },
- {
- TLSEXT_TYPE_renegotiate,
- ext_ri_add_clienthello,
- ext_ri_parse_serverhello,
- ext_ri_parse_clienthello,
- ext_ri_add_serverhello,
- },
- {
- TLSEXT_TYPE_supported_groups,
- ext_supported_groups_add_clienthello,
- ext_supported_groups_parse_serverhello,
- ext_supported_groups_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_ec_point_formats,
- ext_ec_point_add_clienthello,
- ext_ec_point_parse_serverhello,
- ext_ec_point_parse_clienthello,
- ext_ec_point_add_serverhello,
- },
- {
- TLSEXT_TYPE_session_ticket,
- ext_ticket_add_clienthello,
- ext_ticket_parse_serverhello,
- // Ticket extension client parsing is handled in ssl_session.c
- ignore_parse_clienthello,
- ext_ticket_add_serverhello,
- },
- {
- TLSEXT_TYPE_application_layer_protocol_negotiation,
- ext_alpn_add_clienthello,
- ext_alpn_parse_serverhello,
- // ALPN is negotiated late in |ssl_negotiate_alpn|.
- ignore_parse_clienthello,
- ext_alpn_add_serverhello,
- },
- {
- TLSEXT_TYPE_status_request,
- ext_ocsp_add_clienthello,
- ext_ocsp_parse_serverhello,
- ext_ocsp_parse_clienthello,
- ext_ocsp_add_serverhello,
- },
- {
- TLSEXT_TYPE_signature_algorithms,
- ext_sigalgs_add_clienthello,
- forbid_parse_serverhello,
- ext_sigalgs_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_next_proto_neg,
- ext_npn_add_clienthello,
- ext_npn_parse_serverhello,
- ext_npn_parse_clienthello,
- ext_npn_add_serverhello,
- },
- {
- TLSEXT_TYPE_certificate_timestamp,
- ext_sct_add_clienthello,
- ext_sct_parse_serverhello,
- ext_sct_parse_clienthello,
- ext_sct_add_serverhello,
- },
- {
- TLSEXT_TYPE_channel_id,
- ext_channel_id_add_clienthello,
- ext_channel_id_parse_serverhello,
- ext_channel_id_parse_clienthello,
- ext_channel_id_add_serverhello,
- },
- {
- TLSEXT_TYPE_srtp,
- ext_srtp_add_clienthello,
- ext_srtp_parse_serverhello,
- ext_srtp_parse_clienthello,
- ext_srtp_add_serverhello,
- },
- {
- TLSEXT_TYPE_key_share,
- ext_key_share_add_clienthello,
- forbid_parse_serverhello,
- ignore_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_psk_key_exchange_modes,
- ext_psk_key_exchange_modes_add_clienthello,
- forbid_parse_serverhello,
- ext_psk_key_exchange_modes_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_early_data,
- ext_early_data_add_clienthello,
- ext_early_data_parse_serverhello,
- ext_early_data_parse_clienthello,
- ext_early_data_add_serverhello,
- },
- {
- TLSEXT_TYPE_supported_versions,
- ext_supported_versions_add_clienthello,
- forbid_parse_serverhello,
- ignore_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_cookie,
- ext_cookie_add_clienthello,
- forbid_parse_serverhello,
- ignore_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_quic_transport_parameters,
- ext_quic_transport_params_add_clienthello,
- ext_quic_transport_params_parse_serverhello,
- 
ext_quic_transport_params_parse_clienthello,
- ext_quic_transport_params_add_serverhello,
- },
- {
- TLSEXT_TYPE_quic_transport_parameters_legacy,
- ext_quic_transport_params_add_clienthello_legacy,
- ext_quic_transport_params_parse_serverhello_legacy,
- ext_quic_transport_params_parse_clienthello_legacy,
- ext_quic_transport_params_add_serverhello_legacy,
- },
- {
- TLSEXT_TYPE_cert_compression,
- cert_compression_add_clienthello,
- cert_compression_parse_serverhello,
- cert_compression_parse_clienthello,
- cert_compression_add_serverhello,
- },
- {
- TLSEXT_TYPE_delegated_credential,
- ext_delegated_credential_add_clienthello,
- forbid_parse_serverhello,
- ext_delegated_credential_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_application_settings,
- ext_alps_add_clienthello,
- ext_alps_parse_serverhello,
- // ALPS is negotiated late in |ssl_negotiate_alpn|.
- ignore_parse_clienthello,
- ext_alps_add_serverhello,
- },
- {
- TLSEXT_TYPE_application_settings_old,
- ext_alps_add_clienthello_old,
- ext_alps_parse_serverhello_old,
- // ALPS is negotiated late in |ssl_negotiate_alpn|.
- ignore_parse_clienthello,
- ext_alps_add_serverhello_old,
- },
+ {
+ TLSEXT_TYPE_server_name,
+ ext_sni_add_clienthello,
+ ext_sni_parse_serverhello,
+ ext_sni_parse_clienthello,
+ ext_sni_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_encrypted_client_hello,
+ ext_ech_add_clienthello,
+ ext_ech_parse_serverhello,
+ ext_ech_parse_clienthello,
+ ext_ech_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_extended_master_secret,
+ ext_ems_add_clienthello,
+ ext_ems_parse_serverhello,
+ ext_ems_parse_clienthello,
+ ext_ems_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_renegotiate,
+ ext_ri_add_clienthello,
+ ext_ri_parse_serverhello,
+ ext_ri_parse_clienthello,
+ ext_ri_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_supported_groups,
+ ext_supported_groups_add_clienthello,
+ ext_supported_groups_parse_serverhello,
+ ext_supported_groups_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_ec_point_formats,
+ ext_ec_point_add_clienthello,
+ ext_ec_point_parse_serverhello,
+ ext_ec_point_parse_clienthello,
+ ext_ec_point_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_session_ticket,
+ ext_ticket_add_clienthello,
+ ext_ticket_parse_serverhello,
+ // Ticket extension client parsing is handled in ssl_session.c
+ ignore_parse_clienthello,
+ ext_ticket_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_application_layer_protocol_negotiation,
+ ext_alpn_add_clienthello,
+ ext_alpn_parse_serverhello,
+ // ALPN is negotiated late in |ssl_negotiate_alpn|.
+ ignore_parse_clienthello,
+ ext_alpn_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_status_request,
+ ext_ocsp_add_clienthello,
+ ext_ocsp_parse_serverhello,
+ ext_ocsp_parse_clienthello,
+ ext_ocsp_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_signature_algorithms,
+ ext_sigalgs_add_clienthello,
+ forbid_parse_serverhello,
+ ext_sigalgs_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_next_proto_neg,
+ ext_npn_add_clienthello,
+ ext_npn_parse_serverhello,
+ ext_npn_parse_clienthello,
+ ext_npn_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_certificate_timestamp,
+ ext_sct_add_clienthello,
+ ext_sct_parse_serverhello,
+ ext_sct_parse_clienthello,
+ ext_sct_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_channel_id,
+ ext_channel_id_add_clienthello,
+ ext_channel_id_parse_serverhello,
+ ext_channel_id_parse_clienthello,
+ ext_channel_id_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_srtp,
+ ext_srtp_add_clienthello,
+ ext_srtp_parse_serverhello,
+ ext_srtp_parse_clienthello,
+ ext_srtp_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_key_share,
+ ext_key_share_add_clienthello,
+ forbid_parse_serverhello,
+ ignore_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_psk_key_exchange_modes,
+ ext_psk_key_exchange_modes_add_clienthello,
+ forbid_parse_serverhello,
+ ext_psk_key_exchange_modes_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_early_data,
+ ext_early_data_add_clienthello,
+ ext_early_data_parse_serverhello,
+ ext_early_data_parse_clienthello,
+ ext_early_data_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_supported_versions,
+ ext_supported_versions_add_clienthello,
+ forbid_parse_serverhello,
+ ignore_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_cookie,
+ ext_cookie_add_clienthello,
+ forbid_parse_serverhello,
+ ignore_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_quic_transport_parameters,
+ ext_quic_transport_params_add_clienthello,
+ ext_quic_transport_params_parse_serverhello,
+ 
ext_quic_transport_params_parse_clienthello,
+ ext_quic_transport_params_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_quic_transport_parameters_legacy,
+ ext_quic_transport_params_add_clienthello_legacy,
+ ext_quic_transport_params_parse_serverhello_legacy,
+ ext_quic_transport_params_parse_clienthello_legacy,
+ ext_quic_transport_params_add_serverhello_legacy,
+ },
+ {
+ TLSEXT_TYPE_cert_compression,
+ cert_compression_add_clienthello,
+ cert_compression_parse_serverhello,
+ cert_compression_parse_clienthello,
+ cert_compression_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_delegated_credential,
+ ext_delegated_credential_add_clienthello,
+ forbid_parse_serverhello,
+ ext_delegated_credential_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_application_settings,
+ ext_alps_add_clienthello,
+ ext_alps_parse_serverhello,
+ // ALPS is negotiated late in |ssl_negotiate_alpn|.
+ ignore_parse_clienthello,
+ ext_alps_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_application_settings_old,
+ ext_alps_add_clienthello_old,
+ ext_alps_parse_serverhello_old,
+ // ALPS is negotiated late in |ssl_negotiate_alpn|.
+ ignore_parse_clienthello,
+ ext_alps_add_serverhello_old,
+ },
 };
 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
@@ -3618,8 +3588,7 @@ bool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
 }
 // Discard empty extensions blocks before TLS 1.3.
- if (ssl_protocol_version(ssl) < TLS1_3_VERSION &&
- CBB_len(&extensions) == 0) {
+ if (ssl_protocol_version(ssl) < TLS1_3_VERSION && CBB_len(&extensions) == 0) {
 CBB_discard_child(out);
 }
@@ -3971,8 +3940,8 @@ static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys(
 }
 if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key),
 tlsext_tick_md(), NULL) ||
- !EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL,
- key->aes_key, iv.data())) {
+ !EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL, key->aes_key,
+ iv.data())) {
 return ssl_ticket_aead_error;
 }
 }
@@ -4218,8 +4187,7 @@ bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) { CBS channel_id = msg.body, extension; if (!CBS_get_u16(&channel_id, &extension_type) || !CBS_get_u16_length_prefixed(&channel_id, &extension) || - CBS_len(&channel_id) != 0 || - extension_type != TLSEXT_TYPE_channel_id || + CBS_len(&channel_id) != 0 || extension_type != TLSEXT_TYPE_channel_id || CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); @@ -4305,8 +4273,7 @@ bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) { !BN_bn2cbb_padded(&child, 32, x.get()) || !BN_bn2cbb_padded(&child, 32, y.get()) || !BN_bn2cbb_padded(&child, 32, sig->r) || - !BN_bn2cbb_padded(&child, 32, sig->s) || - !CBB_flush(cbb)) { + !BN_bn2cbb_padded(&child, 32, sig->s) || !CBB_flush(cbb)) { return false; } @@ -4386,16 +4353,14 @@ bool ssl_is_sct_list_valid(const CBS *contents) { // of the SCTs may be empty. CBS copy = *contents; CBS sct_list; - if (!CBS_get_u16_length_prefixed(©, &sct_list) || - CBS_len(©) != 0 || + if (!CBS_get_u16_length_prefixed(©, &sct_list) || CBS_len(©) != 0 || CBS_len(&sct_list) == 0) { return false; } while (CBS_len(&sct_list) > 0) { CBS sct; - if (!CBS_get_u16_length_prefixed(&sct_list, &sct) || - CBS_len(&sct) == 0) { + if (!CBS_get_u16_length_prefixed(&sct_list, &sct) || CBS_len(&sct) == 0) { return false; } } diff --git a/ssl/handoff.cc b/ssl/handoff.cc index 75a3ad38ac..d321121686 100644 --- a/ssl/handoff.cc +++ b/ssl/handoff.cc @@ -46,7 +46,7 @@ static bool serialize_features(CBB *out) { return false; } Span all_ciphers = AllCiphers(); - for (const SSL_CIPHER& cipher : all_ciphers) { + for (const SSL_CIPHER &cipher : all_ciphers) { if (!CBB_add_u16(&ciphers, static_cast(cipher.id))) { return false; } 
@@ -55,7 +55,7 @@ static bool serialize_features(CBB *out) { if (!CBB_add_asn1(out, &groups, CBS_ASN1_OCTETSTRING)) { return false; } - for (const NamedGroup& g : NamedGroups()) { + for (const NamedGroup &g : NamedGroups()) { if (!CBB_add_u16(&groups, g.group_id)) { return false; } @@ -77,9 +77,7 @@ static bool serialize_features(CBB *out) { bool SSL_serialize_handoff(const SSL *ssl, CBB *out, SSL_CLIENT_HELLO *out_hello) { const SSL3_STATE *const s3 = ssl->s3; - if (!ssl->server || - s3->hs == nullptr || - s3->rwstate != SSL_ERROR_HANDOFF) { + if (!ssl->server || s3->hs == nullptr || s3->rwstate != SSL_ERROR_HANDOFF) { return false; } @@ -93,8 +91,7 @@ bool SSL_serialize_handoff(const SSL *ssl, CBB *out, !CBB_add_asn1_octet_string(&seq, reinterpret_cast(s3->hs_buf->data), s3->hs_buf->length) || - !serialize_features(&seq) || - !CBB_flush(out) || + !serialize_features(&seq) || !CBB_flush(out) || !ssl->method->get_message(ssl, &msg) || !ssl_client_hello_init(ssl, out_hello, msg.body)) { return false; @@ -105,9 +102,7 @@ bool SSL_serialize_handoff(const SSL *ssl, CBB *out, bool SSL_decline_handoff(SSL *ssl) { const SSL3_STATE *const s3 = ssl->s3; - if (!ssl->server || - s3->hs == nullptr || - s3->rwstate != SSL_ERROR_HANDOFF) { + if (!ssl->server || s3->hs == nullptr || s3->rwstate != SSL_ERROR_HANDOFF) { return false; } @@ -335,11 +330,10 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) { } size_t read_iv_len = 0; const uint8_t *read_iv = nullptr; - if (type == handback_after_handshake && - ssl->version == TLS1_VERSION && + if (type == handback_after_handshake && ssl->version == TLS1_VERSION && SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) && !s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) { - return false; + return false; } // TODO(mab): make sure everything is serialized. 
@@ -378,8 +372,7 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) { sizeof(kUnusedChannelID)) || // These two fields were historically |token_binding_negotiated| and // |negotiated_token_binding_param|. - !CBB_add_asn1_bool(&seq, 0) || - !CBB_add_asn1_uint64(&seq, 0) || + !CBB_add_asn1_bool(&seq, 0) || !CBB_add_asn1_uint64(&seq, 0) || !CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) || !CBB_add_asn1_bool(&seq, s3->hs->cert_request) || !CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) || @@ -467,14 +460,13 @@ static bool CopyExact(Span out, const CBS *in) { } bool SSL_apply_handback(SSL *ssl, Span handback) { - if (ssl->do_handshake != nullptr || - ssl->method->is_dtls) { + if (ssl->do_handshake != nullptr || ssl->method->is_dtls) { return false; } SSL3_STATE *const s3 = ssl->s3; uint64_t handback_version, unused_token_binding_param, cipher, type_u64, - alps_codepoint; + alps_codepoint; CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv, next_proto, alpn, hostname, unused_channel_id, transcript, key_share; @@ -487,8 +479,7 @@ bool SSL_apply_handback(SSL *ssl, Span handback) { if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) || !CBS_get_asn1_uint64(&seq, &handback_version) || handback_version != kHandbackVersion || - !CBS_get_asn1_uint64(&seq, &type_u64) || - type_u64 > handback_max_value) { + !CBS_get_asn1_uint64(&seq, &type_u64) || type_u64 > handback_max_value) { return false; } @@ -796,8 +787,7 @@ int SSL_request_handshake_hints(SSL *ssl, const uint8_t *client_hello, CBS cbs, seq; CBS_init(&cbs, capabilities, capabilities_len); UniquePtr hints = MakeUnique(); - if (hints == nullptr || - !CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) || + if (hints == nullptr || !CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) || !apply_remote_features(ssl, &seq)) { return 0; } 
@@ -881,8 +871,7 @@ int SSL_request_handshake_hints(SSL *ssl, const uint8_t *client_hello, // } // HandshakeHints tags. -static const CBS_ASN1_TAG kServerRandomTLS13Tag = - CBS_ASN1_CONTEXT_SPECIFIC | 0; +static const CBS_ASN1_TAG kServerRandomTLS13Tag = CBS_ASN1_CONTEXT_SPECIFIC | 0; static const CBS_ASN1_TAG kKeyShareHintTag = CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1; static const CBS_ASN1_TAG kSignatureHintTag = @@ -891,8 +880,7 @@ static const CBS_ASN1_TAG kDecryptedPSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 3; static const CBS_ASN1_TAG kIgnorePSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 4; static const CBS_ASN1_TAG kCompressCertificateTag = CBS_ASN1_CONTEXT_SPECIFIC | 5; -static const CBS_ASN1_TAG kServerRandomTLS12Tag = - CBS_ASN1_CONTEXT_SPECIFIC | 6; +static const CBS_ASN1_TAG kServerRandomTLS12Tag = CBS_ASN1_CONTEXT_SPECIFIC | 6; static const CBS_ASN1_TAG kECDHEHintTag = CBS_ASN1_CONSTRUCTED | 7; static const CBS_ASN1_TAG kDecryptedTicketTag = CBS_ASN1_CONTEXT_SPECIFIC | 8; static const CBS_ASN1_TAG kRenewTicketTag = CBS_ASN1_CONTEXT_SPECIFIC | 9; diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc index b785d96a80..76996d47b8 100644 --- a/ssl/handshake_client.cc +++ b/ssl/handshake_client.cc @@ -220,9 +220,11 @@ static void ssl_get_client_disabled(const SSL_HANDSHAKE *hs, // are used to filter the |ciphers|. |any_enabled| will be true if not all // ciphers are filtered out. // It returns true when success. It returns false otherwise. -static bool collect_cipher_protocol_ids(STACK_OF(SSL_CIPHER) *ciphers, - CBB *cbb, uint32_t mask_k, uint32_t mask_a, uint16_t max_version, - uint16_t min_version, bool *any_enabled) { +static bool collect_cipher_protocol_ids(STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb, + uint32_t mask_k, uint32_t mask_a, + uint16_t max_version, + uint16_t min_version, + bool *any_enabled) { *any_enabled = false; for (const SSL_CIPHER *cipher : ciphers) { 
@@ -264,7 +266,8 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out, if (hs->min_version < TLS1_3_VERSION && type != ssl_client_hello_inner) { bool any_enabled = false; if (!collect_cipher_protocol_ids(SSL_get_ciphers(ssl), &child, mask_k, - mask_a, hs->max_version, hs->min_version, &any_enabled)) { + mask_a, hs->max_version, hs->min_version, + &any_enabled)) { return false; } @@ -275,13 +278,16 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out, } } else if (hs->max_version >= TLS1_3_VERSION) { // Only TLS 1.3 ciphers - STACK_OF(SSL_CIPHER) *ciphers = (ssl->config && ssl->config->tls13_cipher_list) ? - ssl->config->tls13_cipher_list->ciphers.get() : ssl->ctx->tls13_cipher_list->ciphers.get(); + STACK_OF(SSL_CIPHER) *ciphers = + (ssl->config && ssl->config->tls13_cipher_list) + ? ssl->config->tls13_cipher_list->ciphers.get() + : ssl->ctx->tls13_cipher_list->ciphers.get(); bool any_enabled = false; - if (!collect_cipher_protocol_ids(ciphers, &child, mask_k, - mask_a, hs->max_version, hs->min_version, &any_enabled)) { + if (!collect_cipher_protocol_ids(ciphers, &child, mask_k, mask_a, + hs->max_version, hs->min_version, + &any_enabled)) { return false; } @@ -317,8 +323,7 @@ bool ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE *hs, } // Do not send a session ID on renegotiation. - if (!ssl->s3->initial_handshake_complete && - !empty_session_id && + if (!ssl->s3->initial_handshake_complete && !empty_session_id && !CBB_add_bytes(&child, hs->session_id, hs->session_id_len)) { return false; } @@ -395,7 +400,7 @@ static bool parse_server_version(const SSL_HANDSHAKE *hs, uint16_t *out_version, } if (!CBS_get_u16(&supported_versions.data, out_version) || - CBS_len(&supported_versions.data) != 0) { + CBS_len(&supported_versions.data) != 0) { *out_alert = SSL_AD_DECODE_ERROR; return false; } 
@@ -584,7 +589,8 @@ static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) { return ssl_hs_ok; } -static enum ssl_hs_wait_t do_early_reverify_server_certificate(SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_early_reverify_server_certificate( + SSL_HANDSHAKE *hs) { if (hs->ssl->ctx->reverify_on_resume) { // Don't send an alert on error. The alert be in early data, which the // server may not accept anyway. It would also be a mismatch between QUIC @@ -792,8 +798,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite); uint32_t mask_a, mask_k; ssl_get_client_disabled(hs, &mask_a, &mask_k); - if (cipher == nullptr || - (cipher->algorithm_mkey & mask_k) || + if (cipher == nullptr || (cipher->algorithm_mkey & mask_k) || (cipher->algorithm_auth & mask_a) || SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) || SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) || @@ -1003,8 +1008,7 @@ static enum ssl_hs_wait_t do_read_certificate_status(SSL_HANDSHAKE *hs) { if (!CBS_get_u8(&certificate_status, &status_type) || status_type != TLSEXT_STATUSTYPE_ocsp || !CBS_get_u24_length_prefixed(&certificate_status, &ocsp_response) || - CBS_len(&ocsp_response) == 0 || - CBS_len(&certificate_status) != 0) { + CBS_len(&ocsp_response) == 0 || CBS_len(&certificate_status) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); return ssl_hs_error; @@ -1503,8 +1507,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { !CBB_reserve(&enc_pms, &ptr, RSA_size(rsa)) || !RSA_encrypt(rsa, &enc_pms_len, ptr, RSA_size(rsa), pms.data(), pms.size(), RSA_PKCS1_PADDING) || - !CBB_did_write(&enc_pms, enc_pms_len) || - !CBB_flush(&body)) { + !CBB_did_write(&enc_pms, enc_pms_len) || !CBB_flush(&body)) { return ssl_hs_error; } } else if (alg_k & SSL_kECDHE) { 
@@ -1622,8 +1625,7 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { return ssl_hs_private_key_operation; } - if (!CBB_did_write(&child, sig_len) || - !ssl_add_message_cbb(ssl, cbb.get())) { + if (!CBB_did_write(&child, sig_len) || !ssl_add_message_cbb(ssl, cbb.get())) { return ssl_hs_error; } @@ -1692,8 +1694,7 @@ static bool can_false_start(const SSL_HANDSHAKE *hs) { // TLS 1.2 and TLS 1.3, but there are too many TLS 1.2 deployments to // sacrifice False Start on them. Instead, we rely on the ServerHello.random // downgrade signal, which we unconditionally enforce. - if (SSL_is_dtls(ssl) || - SSL_version(ssl) != TLS1_2_VERSION || + if (SSL_is_dtls(ssl) || SSL_version(ssl) != TLS1_2_VERSION || hs->new_cipher->algorithm_mkey != SSL_kECDHE || hs->new_cipher->algorithm_mac != SSL_AEAD) { return false; diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc index 55e47f49e4..a85515ce84 100644 --- a/ssl/handshake_server.cc +++ b/ssl/handshake_server.cc @@ -167,8 +167,8 @@ #include #include -#include "internal.h" #include "../crypto/internal.h" +#include "internal.h" BSSL_NAMESPACE_BEGIN @@ -201,8 +201,7 @@ static bool negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, if (ssl_client_hello_get_extension(client_hello, &supported_versions, TLSEXT_TYPE_supported_versions)) { if (!CBS_get_u8_length_prefixed(&supported_versions, &versions) || - CBS_len(&supported_versions) != 0 || - CBS_len(&versions) == 0) { + CBS_len(&supported_versions) != 0 || CBS_len(&versions) == 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); *out_alert = SSL_AD_DECODE_ERROR; return false; @@ -265,7 +264,8 @@ static bool negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, } bool ssl_parse_client_cipher_list( - SSL *ssl, const SSL_CLIENT_HELLO *client_hello, UniquePtr *ciphers_out) { + SSL *ssl, const SSL_CLIENT_HELLO *client_hello, + UniquePtr *ciphers_out) { ciphers_out->reset(); CBS cipher_suites; 
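Review bot: The include reorder in the ssl/handshake_server.cc hunk (`-#include "internal.h"` / `+#include "internal.h"` after `../crypto/internal.h`) means the module's own ssl/internal.h is no longer the first project header this translation unit includes, so compiling this file no longer demonstrates that ssl/internal.h is self-contained. If the new order comes from clang-format's include sorting, as the commit message suggests, it is worth confirming that the .clang-format IncludeCategories are meant to rank `../crypto/internal.h` ahead of the local header rather than letting the sort silently change header order tree-wide. The remaining hunks on this line are pure line-wrapping changes and raise nothing.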
@@ -274,7 +274,7 @@ bool ssl_parse_client_cipher_list( // Store raw bytes for cipher suites offered ssl->all_client_cipher_suites.reset(static_cast(OPENSSL_memdup( - client_hello->cipher_suites, client_hello->cipher_suites_len))); + client_hello->cipher_suites, client_hello->cipher_suites_len))); ssl->all_client_cipher_suites_len = client_hello->cipher_suites_len; // Cipher suites are encoded as 2-byte unsigned integers @@ -287,7 +287,7 @@ bool ssl_parse_client_cipher_list( if (!sk) { return false; } - + while (CBS_len(&cipher_suites) > 0) { uint16_t cipher_suite; @@ -328,9 +328,9 @@ static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs, // Also loop through all available private keys and set authentication masks // accordingly to indicate support. // |cert_private_keys| is already checked above in |ssl_has_certificate|. - for (auto & cert_private_key : cert->cert_private_keys) { + for (auto &cert_private_key : cert->cert_private_keys) { EVP_PKEY *private_key = cert_private_key.privatekey.get(); - if(private_key != nullptr) { + if (private_key != nullptr) { mask_a |= ssl_cipher_auth_mask_for_key(private_key); if (EVP_PKEY_id(private_key) == EVP_PKEY_RSA) { mask_k |= SSL_kRSA; @@ -355,8 +355,8 @@ static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs, *out_mask_a = mask_a; } -static const SSL_CIPHER *choose_cipher(SSL_HANDSHAKE *hs, - const SSLCipherPreferenceList *server_pref) { +static const SSL_CIPHER *choose_cipher( + SSL_HANDSHAKE *hs, const SSLCipherPreferenceList *server_pref) { SSL *const ssl = hs->ssl; const STACK_OF(SSL_CIPHER) *prio, *allow; // in_group_flags will either be NULL, or will point to an array of bytes 
@@ -385,12 +385,11 @@ static const SSL_CIPHER *choose_cipher(SSL_HANDSHAKE *hs, const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i); size_t cipher_index; - if (// Check if the cipher is supported for the current version. + if ( // Check if the cipher is supported for the current version. SSL_CIPHER_get_min_version(c) <= ssl_protocol_version(ssl) && ssl_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) && // Check the cipher is supported for the server configuration. - (c->algorithm_mkey & mask_k) && - (c->algorithm_auth & mask_a) && + (c->algorithm_mkey & mask_k) && (c->algorithm_auth & mask_a) && // Check the cipher is in the |allow| list. sk_SSL_CIPHER_find_awslc(allow, &cipher_index, c)) { if (in_group_flags != NULL && in_group_flags[i]) { @@ -507,15 +506,15 @@ static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) { // clients implement X25519. while (CBS_len(&supported_groups) > 0) { uint16_t group; - if (!CBS_get_u16(&supported_groups, &group) || - group == SSL_GROUP_X25519) { + if (!CBS_get_u16(&supported_groups, &group) || group == SSL_GROUP_X25519) { return false; } } - if (// JDK 11 always sends the same contents in signature_algorithms and - // signature_algorithms_cert. This is unusual: signature_algorithms_cert, - // if omitted, is treated as if it were signature_algorithms. + if ( // JDK 11 always sends the same contents in signature_algorithms and + // signature_algorithms_cert. This is unusual: + // signature_algorithms_cert, if omitted, is treated as if it were + // signature_algorithms. sigalgs != sigalgs_cert || // When TLS 1.2 or below is enabled, JDK 11 sends status_request_v2 iff it // sends status_request. This is unusual: status_request_v2 is not widely 
@@ -627,14 +626,12 @@ static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert, // // Act as if the extensibility does not exist to simplify parsing. !CBS_get_u16_length_prefixed(&server_name_list, &host_name) || - CBS_len(&server_name_list) != 0 || - CBS_len(&sni) != 0) { + CBS_len(&server_name_list) != 0 || CBS_len(&sni) != 0) { *out_alert = SSL_AD_DECODE_ERROR; return false; } - if (name_type != TLSEXT_NAMETYPE_host_name || - CBS_len(&host_name) == 0 || + if (name_type != TLSEXT_NAMETYPE_host_name || CBS_len(&host_name) == 0 || CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || CBS_contains_zero_byte(&host_name)) { *out_alert = SSL_AD_UNRECOGNIZED_NAME; @@ -728,7 +725,7 @@ static enum ssl_hs_wait_t do_read_client_hello_after_ech(SSL_HANDSHAKE *hs) { return ssl_hs_error; default: - /* fallthrough */; + /* fallthrough */; } } @@ -822,7 +819,8 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - if (!ssl_parse_client_cipher_list(ssl, &client_hello, &ssl->client_cipher_suites)) { + if (!ssl_parse_client_cipher_list(ssl, &client_hello, + &ssl->client_cipher_suites)) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); return ssl_hs_error; @@ -1019,8 +1017,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { // If this is a resumption and the original handshake didn't support // ChannelID then we didn't record the original handshake hashes in the // session and so cannot resume with ChannelIDs. - if (ssl->session != NULL && - ssl->session->original_handshake_hash_len == 0) { + if (ssl->session != NULL && ssl->session->original_handshake_hash_len == 0) { hs->channel_id_negotiated = false; } 
@@ -1166,8 +1163,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { hs->new_session->group_id = group_id; hs->key_shares[0] = SSLKeyShare::Create(group_id); - if (!hs->key_shares[0] || - !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) || + if (!hs->key_shares[0] || !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) || !CBB_add_u16(cbb.get(), group_id) || !CBB_add_u8_length_prefixed(cbb.get(), &child)) { return ssl_hs_error; @@ -1175,8 +1171,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { SSL_HANDSHAKE_HINTS *const hints = hs->hints.get(); bool hint_ok = false; - if (hints && !hs->hints_requested && - hints->ecdhe_group_id == group_id && + if (hints && !hs->hints_requested && hints->ecdhe_group_id == group_id && !hints->ecdhe_public_key.empty() && !hints->ecdhe_private_key.empty()) { CBS cbs = MakeConstSpan(hints->ecdhe_private_key); @@ -1762,8 +1757,7 @@ static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) { } if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) || - !tls1_verify_channel_id(hs, msg) || - !ssl_hash_message(hs, msg)) { + !tls1_verify_channel_id(hs, msg) || !ssl_hash_message(hs, msg)) { return ssl_hs_error; } @@ -1832,8 +1826,7 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { } if (!ssl->method->add_change_cipher_spec(ssl) || - !tls1_change_cipher_state(hs, evp_aead_seal) || - !ssl_send_finished(hs)) { + !tls1_change_cipher_state(hs, evp_aead_seal) || !ssl_send_finished(hs)) { return ssl_hs_error; } diff --git a/ssl/internal.h b/ssl/internal.h index 56a322efad..d363936736 100644 --- a/ssl/internal.h +++ b/ssl/internal.h 
@@ -723,7 +723,8 @@ bool ssl_create_cipher_list(UniquePtr *out_cipher_list, bool strict, bool config_tls13); // update_cipher_list creates a new |SSLCipherPreferenceList| containing ciphers -// from both |ciphers| and |tls13_ciphers| and assigns it to |dst|. The function: +// from both |ciphers| and |tls13_ciphers| and assigns it to |dst|. The +// function: // // 1. Creates a copy of |ciphers| // 2. Removes any stale TLS 1.3 ciphersuites from the copy @@ -767,8 +768,8 @@ size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher); // cipher. |has_aes_hw| indicates if the choice should be made as if support for // AES in hardware is available. const SSL_CIPHER *ssl_choose_tls13_cipher( - const STACK_OF(SSL_CIPHER) *client_cipher_suites, bool has_aes_hw, uint16_t version, - const STACK_OF(SSL_CIPHER) *tls13_ciphers); + const STACK_OF(SSL_CIPHER) *client_cipher_suites, bool has_aes_hw, + uint16_t version, const STACK_OF(SSL_CIPHER) *tls13_ciphers); // Transcript layer. @@ -1287,8 +1288,8 @@ OPENSSL_EXPORT Span HybridGroups(); // PQGroups returns all supported post-quantum groups. A post-quantum // group may be a hybrid group containing at least one PQ -// component (e.g. SSL_GROUP_SECP256R1_KYBER768_DRAFT00) or a standalone PQ group -// (e.g. KYBER768_R3). +// component (e.g. SSL_GROUP_SECP256R1_KYBER768_DRAFT00) or a standalone PQ +// group (e.g. KYBER768_R3). Span PQGroups(); // ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it 
@@ -2518,10 +2519,12 @@ bool ssl_client_cipher_list_contains_cipher( const SSL_CLIENT_HELLO *client_hello, uint16_t id); // ssl_parse_client_cipher_list returns the ciphers offered by the client -// during handshake that are supported by this library, or null if the handshake hasn't -// occurred or there was an error. It also stores the unparsed raw bytes of cipher suites offered in -// the client hello into |ssl->all_client_cipher_suites|. -bool ssl_parse_client_cipher_list(SSL *ssl, const SSL_CLIENT_HELLO *client_hello, +// during handshake that are supported by this library, or null if the handshake +// hasn't occurred or there was an error. It also stores the unparsed raw bytes +// of cipher suites offered in the client hello into +// |ssl->all_client_cipher_suites|. +bool ssl_parse_client_cipher_list(SSL *ssl, + const SSL_CLIENT_HELLO *client_hello, UniquePtr *ciphers_out); 
@@ -3385,18 +3388,18 @@ struct SSL_CONFIG { // true. bool aes_hw_override_value : 1; - // conf_max_version_use_default indicates whether the |SSL_CONFIG| is configured - // to use the default maximum protocol version for the relevant protocol - // method. By default, |SSL_new| will set this to true and connections will use - // the default max version. callers can change the max version used by calling - // |SSL_set_max_proto_version| with a non-zero value. + // conf_max_version_use_default indicates whether the |SSL_CONFIG| is + // configured to use the default maximum protocol version for the relevant + // protocol method. By default, |SSL_new| will set this to true and + // connections will use the default max version. callers can change the max + // version used by calling |SSL_set_max_proto_version| with a non-zero value. bool conf_max_version_use_default : 1; - // conf_min_version_use_default indicates whether the |SSL_CONFIG| is configured - // to use the default minimum protocol version for the relevant protocol - // method. By default, |SSL_new| will set this to true and connections will use - // the default min version. callers can change the min version used by calling - // |SSL_set_min_proto_version| with a non-zero value. + // conf_min_version_use_default indicates whether the |SSL_CONFIG| is + // configured to use the default minimum protocol version for the relevant + // protocol method. By default, |SSL_new| will set this to true and + // connections will use the default min version. callers can change the min + // version used by calling |SSL_set_min_proto_version| with a non-zero value. bool conf_min_version_use_default : 1; // alps_use_new_codepoint if set indicates we use new ALPS extension codepoint 
@@ -3744,15 +3747,17 @@ struct ssl_method_st { // TLS13_DEFAULT_CIPHER_LIST_AES_HW is the default TLS 1.3 cipher suite // configuration when AES hardware acceleration is enabled. -#define TLS13_DEFAULT_CIPHER_LIST_AES_HW "TLS_AES_128_GCM_SHA256:" \ - "TLS_AES_256_GCM_SHA384:" \ - "TLS_CHACHA20_POLY1305_SHA256" +#define TLS13_DEFAULT_CIPHER_LIST_AES_HW \ + "TLS_AES_128_GCM_SHA256:" \ + "TLS_AES_256_GCM_SHA384:" \ + "TLS_CHACHA20_POLY1305_SHA256" // TLS13_DEFAULT_CIPHER_LIST_NO_AES_HW is the default TLS 1.3 cipher suite // configuration when no AES hardware acceleration is enabled. -#define TLS13_DEFAULT_CIPHER_LIST_NO_AES_HW "TLS_CHACHA20_POLY1305_SHA256:" \ - "TLS_AES_128_GCM_SHA256:" \ - "TLS_AES_256_GCM_SHA384" +#define TLS13_DEFAULT_CIPHER_LIST_NO_AES_HW \ + "TLS_CHACHA20_POLY1305_SHA256:" \ + "TLS_AES_128_GCM_SHA256:" \ + "TLS_AES_256_GCM_SHA384" #define MIN_SAFE_FRAGMENT_SIZE 512 struct ssl_ctx_st : public bssl::RefCounted { @@ -3781,8 +3786,10 @@ struct ssl_ctx_st : public bssl::RefCounted { /// in case the client makes several connections before getting a renewal. uint8_t num_tickets = 2; - // read_ahead_buffer_size is the amount of data to read if |enable_read_ahead| is true - size_t read_ahead_buffer_size = SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD; + // read_ahead_buffer_size is the amount of data to read if |enable_read_ahead| + // is true + size_t read_ahead_buffer_size = + SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD; // quic_method is the method table corresponding to the QUIC hooks. const SSL_QUIC_METHOD *quic_method = nullptr; 
@@ -4079,9 +4086,9 @@ struct ssl_ctx_st : public bssl::RefCounted { // If enable_early_data is true, early data can be sent and accepted. bool enable_early_data : 1; - // enable_read_ahead indicates whether the |SSL_CTX| is configured to read as much - // as will fit in the SSLBuffer from the BIO, or just enough to read the record - // header and then the length of the body + // enable_read_ahead indicates whether the |SSL_CTX| is configured to read as + // much as will fit in the SSLBuffer from the BIO, or just enough to read the + // record header and then the length of the body bool enable_read_ahead : 1; // aes_hw_override if set indicates we should override checking for AES 
@@ -4095,16 +4102,16 @@ struct ssl_ctx_st : public bssl::RefCounted { // conf_max_version_use_default indicates whether the |SSL_CTX| is configured // to use the default maximum protocol version for the relevant protocol - // method. By default, |SSL_CTX_new| will set this to true and connections will - // use the default max version. callers can change the max version used by calling - // |SSL_CTX_set_max_proto_version| with a non-zero value. + // method. By default, |SSL_CTX_new| will set this to true and connections + // will use the default max version. callers can change the max version used + // by calling |SSL_CTX_set_max_proto_version| with a non-zero value. bool conf_max_version_use_default : 1; // conf_min_version_use_default indicates whether the |SSL_CTX| is configured // to use the default minimum protocol version for the relevant protocol - // method. By default, |SSL_CTX_new| will set this to true and connections will - // use the default min version. callers can change the min version used by calling - // |SSL_CTX_set_min_proto_version| with a non-zero value. + // method. By default, |SSL_CTX_new| will set this to true and connections + // will use the default min version. callers can change the min version used + // by calling |SSL_CTX_set_min_proto_version| with a non-zero value. bool conf_min_version_use_default : 1; private: @@ -4133,7 +4140,8 @@ struct ssl_st { uint16_t max_send_fragment = 0; - size_t read_ahead_buffer_size = SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD; + size_t read_ahead_buffer_size = + SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD; // There are 2 BIO's even though they are normally both the same. This is so // data can be read and written to different handlers 
@@ -4218,8 +4226,8 @@ struct ssl_st { bool enable_early_data : 1; // enable_read_ahead indicates whether the |SSL| is configured to read as much - // as will fit in the SSLBuffer from the BIO, or just enough to read the record - // header and then the length of the body + // as will fit in the SSLBuffer from the BIO, or just enough to read the + // record header and then the length of the body bool enable_read_ahead : 1; }; diff --git a/ssl/s3_both.cc b/ssl/s3_both.cc index a4e79adb69..0a6100d4f8 100644 --- a/ssl/s3_both.cc +++ b/ssl/s3_both.cc @@ -122,8 +122,8 @@ #include #include #include -#include #include +#include #include #include #include @@ -170,8 +170,7 @@ static bool add_record_to_flight(SSL *ssl, uint8_t type, bool tls_init_message(const SSL *ssl, CBB *cbb, CBB *body, uint8_t type) { // Pick a modest size hint to save most of the |realloc| calls. - if (!CBB_init(cbb, 64) || - !CBB_add_u8(cbb, type) || + if (!CBB_init(cbb, 64) || !CBB_add_u8(cbb, type) || !CBB_add_u24_length_prefixed(cbb, body)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); CBB_cleanup(cbb); @@ -234,8 +233,7 @@ bool tls_add_message(SSL *ssl, Array msg) { ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg); // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on // hs. - if (ssl->s3->hs != NULL && - !ssl->s3->hs->transcript.Update(msg)) { + if (ssl->s3->hs != NULL && !ssl->s3->hs->transcript.Update(msg)) { return false; } return true; @@ -461,8 +459,7 @@ static ssl_open_record_t read_v2_client_hello(SSL *ssl, size_t *out_consumed, } // Add the null compression scheme and finish. - if (!CBB_add_u8(&hello_body, 1) || - !CBB_add_u8(&hello_body, 0) || + if (!CBB_add_u8(&hello_body, 1) || !CBB_add_u8(&hello_body, 0) || !CBB_finish(client_hello.get(), NULL, &ssl->s3->hs_buf->length)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return ssl_open_record_error; 
@@ -484,8 +481,7 @@ static bool parse_message(const SSL *ssl, SSLMessage *out, uint32_t len; CBS_init(&cbs, reinterpret_cast(ssl->s3->hs_buf->data), ssl->s3->hs_buf->length); - if (!CBS_get_u8(&cbs, &out->type) || - !CBS_get_u24(&cbs, &len)) { + if (!CBS_get_u8(&cbs, &out->type) || !CBS_get_u24(&cbs, &len)) { *out_bytes_needed = 4; return false; } @@ -573,11 +569,9 @@ ssl_open_record_t tls_open_handshake(SSL *ssl, size_t *out_consumed, // Some dedicated error codes for protocol mixups should the application // wish to interpret them differently. (These do not overlap with // ClientHello or V2ClientHello.) - const char *str = reinterpret_cast(in.data()); - if (strncmp("GET ", str, 4) == 0 || - strncmp("POST ", str, 5) == 0 || - strncmp("HEAD ", str, 5) == 0 || - strncmp("PUT ", str, 4) == 0) { + const char *str = reinterpret_cast(in.data()); + if (strncmp("GET ", str, 4) == 0 || strncmp("POST ", str, 5) == 0 || + strncmp("HEAD ", str, 5) == 0 || strncmp("PUT ", str, 4) == 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST); *out_alert = 0; return ssl_open_record_error; @@ -638,8 +632,7 @@ ssl_open_record_t tls_open_handshake(SSL *ssl, size_t *out_consumed, void tls_next_message(SSL *ssl) { SSLMessage msg; - if (!tls_get_message(ssl, &msg) || - !ssl->s3->hs_buf || + if (!tls_get_message(ssl, &msg) || !ssl->s3->hs_buf || ssl->s3->hs_buf->length < CBS_len(&msg.raw)) { assert(0); return; @@ -669,9 +662,7 @@ class CipherScorer { // MinScore returns a |Score| that will compare less than the score of all // cipher suites. - Score MinScore() const { - return Score(false, false); - } + Score MinScore() const { return Score(false, false); } Score Evaluate(const SSL_CIPHER *a) const { return Score( 
@@ -686,15 +677,15 @@ class CipherScorer { }; const SSL_CIPHER *ssl_choose_tls13_cipher( - const STACK_OF(SSL_CIPHER) *client_cipher_suites, bool has_aes_hw, uint16_t version, - const STACK_OF(SSL_CIPHER) *tls13_ciphers) { - + const STACK_OF(SSL_CIPHER) *client_cipher_suites, bool has_aes_hw, + uint16_t version, const STACK_OF(SSL_CIPHER) *tls13_ciphers) { const SSL_CIPHER *best = nullptr; CipherScorer scorer(has_aes_hw); CipherScorer::Score best_score = scorer.MinScore(); for (size_t i = 0; i < sk_SSL_CIPHER_num(client_cipher_suites); i++) { - const SSL_CIPHER *client_cipher = sk_SSL_CIPHER_value(client_cipher_suites, i); + const SSL_CIPHER *client_cipher = + sk_SSL_CIPHER_value(client_cipher_suites, i); const SSL_CIPHER *candidate = nullptr; if (tls13_ciphers != nullptr) { // Limit to configured TLS 1.3 ciphers diff --git a/ssl/ssl_asn1.cc b/ssl/ssl_asn1.cc index da6dc40a18..22a05d6428 100644 --- a/ssl/ssl_asn1.cc +++ b/ssl/ssl_asn1.cc @@ -317,16 +317,14 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb, } } - if (in->group_id > 0 && - (!CBB_add_asn1(&session, &child, kGroupIDTag) || - !CBB_add_asn1_uint64(&child, in->group_id))) { + if (in->group_id > 0 && (!CBB_add_asn1(&session, &child, kGroupIDTag) || + !CBB_add_asn1_uint64(&child, in->group_id))) { return 0; } // The certificate chain is only serialized if the leaf's SHA-256 isn't // serialized instead. - if (in->certs != NULL && - !in->peer_sha256_valid && + if (in->certs != NULL && !in->peer_sha256_valid && sk_CRYPTO_BUFFER_num(in->certs.get()) >= 2) { if (!CBB_add_asn1(&session, &child, kCertChainTag)) { return 0; 
@@ -542,8 +540,7 @@ UniquePtr SSL_SESSION_parse(CBS *cbs, uint64_t version, ssl_version; uint16_t unused; if (!CBS_get_asn1(cbs, &session, CBS_ASN1_SEQUENCE) || - !CBS_get_asn1_uint64(&session, &version) || - version != kVersion || + !CBS_get_asn1_uint64(&session, &version) || version != kVersion || !CBS_get_asn1_uint64(&session, &ssl_version) || // Require sessions have versions valid in either TLS or DTLS. The session // will not be used by the handshake if not applicable, but, for @@ -559,8 +556,7 @@ UniquePtr SSL_SESSION_parse(CBS *cbs, CBS cipher; uint16_t cipher_value; if (!CBS_get_asn1(&session, &cipher, CBS_ASN1_OCTETSTRING) || - !CBS_get_u16(&cipher, &cipher_value) || - CBS_len(&cipher) != 0) { + !CBS_get_u16(&cipher, &cipher_value) || CBS_len(&cipher) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); return nullptr; } @@ -592,8 +588,7 @@ UniquePtr SSL_SESSION_parse(CBS *cbs, if (!CBS_get_asn1(&session, &child, kTimeTag) || !CBS_get_asn1_uint64(&child, &ret->time) || !CBS_get_asn1(&session, &child, kTimeoutTag) || - !CBS_get_asn1_uint64(&child, &timeout) || - timeout > UINT32_MAX) { + !CBS_get_asn1_uint64(&child, &timeout) || timeout > UINT32_MAX) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); return nullptr; } @@ -696,8 +691,7 @@ UniquePtr SSL_SESSION_parse(CBS *cbs, if (has_peer) { UniquePtr buffer(CRYPTO_BUFFER_new_from_CBS(&peer, pool)); - if (!buffer || - !PushToStack(ret->certs.get(), std::move(buffer))) { + if (!buffer || !PushToStack(ret->certs.get(), std::move(buffer))) { return nullptr; } } @@ -722,8 +716,7 @@ UniquePtr SSL_SESSION_parse(CBS *cbs, int age_add_present; if (!CBS_get_optional_asn1_octet_string(&session, &age_add, &age_add_present, kTicketAgeAddTag) || - (age_add_present && - !CBS_get_u32(&age_add, &ret->ticket_age_add)) || + (age_add_present && !CBS_get_u32(&age_add, &ret->ticket_age_add)) || CBS_len(&age_add) != 0) { return nullptr; } 
diff --git a/ssl/ssl_buffer.cc b/ssl/ssl_buffer.cc index b61e1ad846..c08c759dcb 100644 --- a/ssl/ssl_buffer.cc +++ b/ssl/ssl_buffer.cc @@ -31,7 +31,8 @@ BSSL_NAMESPACE_BEGIN // BIO uses int instead of size_t. No lengths will exceed SSLBUFFER_MAX_CAPACITY // (uint16_t), so this will not overflow. -static_assert(SSLBUFFER_MAX_CAPACITY <= INT_MAX, "uint16_t does not fit in int"); +static_assert(SSLBUFFER_MAX_CAPACITY <= INT_MAX, + "uint16_t does not fit in int"); static_assert((SSL3_ALIGN_PAYLOAD & (SSL3_ALIGN_PAYLOAD - 1)) == 0, "SSL3_ALIGN_PAYLOAD must be a power of 2"); @@ -126,12 +127,9 @@ void SSLBuffer::DiscardConsumed() { // An SSLBuffer is serialized as the following ASN.1 structure: // // SSLBuffer ::= SEQUENCE { -// version INTEGER (1), -- SSLBuffer structure version -// bufAllocated BOOLEAN, -// offset INTEGER, -// size INTEGER, -// cap INTEGER, -// buf OCTET STRING, +// version INTEGER (1), -- SSLBuffer structure +// version bufAllocated BOOLEAN, offset INTEGER, size +// INTEGER, cap INTEGER, buf OCTET STRING, // } static const unsigned kSSLBufferVersion = 1; @@ -144,10 +142,10 @@ bool SSLBuffer::DoSerialization(CBB *cbb) { !CBB_add_asn1_uint64(&seq, kSSLBufferVersion) || !CBB_add_asn1_bool(&seq, (buf_allocated_ ? 1 : 0)) || !CBB_add_asn1_uint64(&seq, offset_) || - !CBB_add_asn1_uint64(&seq, size_) || - !CBB_add_asn1_uint64(&seq, cap_) || + !CBB_add_asn1_uint64(&seq, size_) || !CBB_add_asn1_uint64(&seq, cap_) || (buf_allocated_ && !CBB_add_asn1_octet_string(&seq, buf_, buf_size_)) || - (!buf_allocated_ && !CBB_add_asn1_octet_string(&seq, inline_buf_, SSL3_RT_HEADER_LENGTH))) { + (!buf_allocated_ && + !CBB_add_asn1_octet_string(&seq, inline_buf_, SSL3_RT_HEADER_LENGTH))) { return false; } return CBB_flush(cbb) == 1; 
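Review bot: The hunk at `@@ -126,12 +127,9 @@` lets clang-format reflow the ASN.1 schema comment above `kSSLBufferVersion` into prose, so the one-field-per-line layout is gone and the trailing `-- SSLBuffer structure version` remark now runs into `bufAllocated BOOLEAN, offset INTEGER, ...`, which no longer reads as a schema. This is a formatter artifact rather than an intended edit, and it is the only documentation of the wire layout that `SSLBuffer::DoSerialization` and `SSLBuffer::DoDeserialization` below must agree on. Restore the original layout (`// version INTEGER (1), -- SSLBuffer structure version`, then `// bufAllocated BOOLEAN,`, `// offset INTEGER,` and so on, one field per line) and bracket the block with `// clang-format off` / `// clang-format on` so a future `--fix` run does not mangle it again. Other column-aligned schema comments in the tree may need the same guard, but none are visible in this diff.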
@@ -162,14 +160,11 @@ bool SSLBuffer::DoDeserialization(CBS *cbs) { int buf_allocated_int; uint64_t version, offset, size, cap; if (!CBS_get_asn1(cbs, &seq, CBS_ASN1_SEQUENCE) || - !CBS_get_asn1_uint64(&seq, &version) || - version != kSSLBufferVersion || + !CBS_get_asn1_uint64(&seq, &version) || version != kSSLBufferVersion || !CBS_get_asn1_bool(&seq, &buf_allocated_int) || !CBS_get_asn1_uint64(&seq, &offset) || - !CBS_get_asn1_uint64(&seq, &size) || - !CBS_get_asn1_uint64(&seq, &cap) || - !CBS_get_asn1(&seq, &buf, CBS_ASN1_OCTETSTRING) || - CBS_len(&seq) != 0) { + !CBS_get_asn1_uint64(&seq, &size) || !CBS_get_asn1_uint64(&seq, &cap) || + !CBS_get_asn1(&seq, &buf, CBS_ASN1_OCTETSTRING) || CBS_len(&seq) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_SERIALIZATION_INVALID_SSL_BUFFER); return false; } @@ -241,8 +236,8 @@ static int tls_read_buffer_extend_to(SSL *ssl, size_t len) { // of data. If not enable_read_ahead, only read as much to get to len bytes, // at this point we know len is less than the overall size of the buffer. assert(buf->cap() >= buf->size()); - size_t read_amount = ssl->enable_read_ahead ? buf->cap() - buf->size() : - len - buf->size(); + size_t read_amount = + ssl->enable_read_ahead ? buf->cap() - buf->size() : len - buf->size(); assert(read_amount <= buf->cap() - buf->size()); int ret = BIO_read(ssl->rbio.get(), buf->data() + buf->size(), static_cast(read_amount)); @@ -261,9 +256,9 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) { ssl->s3->read_buffer.DiscardConsumed(); size_t buffer_size = len; if (SSL_is_dtls(ssl)) { - static_assert( - DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <= SSLBUFFER_MAX_CAPACITY, - "DTLS read buffer is too large"); + static_assert(DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <= + SSLBUFFER_MAX_CAPACITY, + "DTLS read buffer is too large"); // The |len| parameter is ignored in DTLS. len = DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; 
@@ -276,7 +271,8 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) { } } - if (!ssl->s3->read_buffer.EnsureCap(ssl_record_prefix_len(ssl), buffer_size)) { + if (!ssl->s3->read_buffer.EnsureCap(ssl_record_prefix_len(ssl), + buffer_size)) { return -1; } diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc index 932b4801cb..86036d4349 100644 --- a/ssl/ssl_cert.cc +++ b/ssl/ssl_cert.cc @@ -270,7 +270,7 @@ static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey( OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); return leaf_cert_and_privkey_error; } - return do_leaf_cert_and_privkey_checks(&cert_cbs, pubkey.get(), privkey); + return do_leaf_cert_and_privkey_checks(&cert_cbs, pubkey.get(), privkey); } static int cert_set_chain_and_key( diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc index 6f7283ca21..1d4f1150c4 100644 --- a/ssl/ssl_cipher.cc +++ b/ssl/ssl_cipher.cc @@ -149,8 +149,8 @@ #include #include -#include "internal.h" #include "../crypto/internal.h" +#include "internal.h" BSSL_NAMESPACE_BEGIN @@ -159,26 +159,26 @@ static constexpr SSL_CIPHER kCiphers[] = { // The RSA ciphers // Cipher 02 { - SSL3_TXT_RSA_NULL_SHA, - "TLS_RSA_WITH_NULL_SHA", - SSL3_CK_RSA_NULL_SHA, - SSL_kRSA, - SSL_aRSA, - SSL_eNULL, - SSL_SHA1, - SSL_HANDSHAKE_MAC_DEFAULT, + SSL3_TXT_RSA_NULL_SHA, + "TLS_RSA_WITH_NULL_SHA", + SSL3_CK_RSA_NULL_SHA, + SSL_kRSA, + SSL_aRSA, + SSL_eNULL, + SSL_SHA1, + SSL_HANDSHAKE_MAC_DEFAULT, }, // Cipher 0A { - SSL3_TXT_RSA_DES_192_CBC3_SHA, - "TLS_RSA_WITH_3DES_EDE_CBC_SHA", - SSL3_CK_RSA_DES_192_CBC3_SHA, - SSL_kRSA, - SSL_aRSA, - SSL_3DES, - SSL_SHA1, - SSL_HANDSHAKE_MAC_DEFAULT, + SSL3_TXT_RSA_DES_192_CBC3_SHA, + "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + SSL3_CK_RSA_DES_192_CBC3_SHA, + SSL_kRSA, + SSL_aRSA, + SSL_3DES, + SSL_SHA1, + SSL_HANDSHAKE_MAC_DEFAULT, }, 
@@ -186,188 +186,188 @@ static constexpr SSL_CIPHER kCiphers[] = { // Cipher 2F { - TLS1_TXT_RSA_WITH_AES_128_SHA, - "TLS_RSA_WITH_AES_128_CBC_SHA", - TLS1_CK_RSA_WITH_AES_128_SHA, - SSL_kRSA, - SSL_aRSA, - SSL_AES128, - SSL_SHA1, - SSL_HANDSHAKE_MAC_DEFAULT, + TLS1_TXT_RSA_WITH_AES_128_SHA, + "TLS_RSA_WITH_AES_128_CBC_SHA", + TLS1_CK_RSA_WITH_AES_128_SHA, + SSL_kRSA, + SSL_aRSA, + SSL_AES128, + SSL_SHA1, + SSL_HANDSHAKE_MAC_DEFAULT, }, // Cipher 35 { - TLS1_TXT_RSA_WITH_AES_256_SHA, - "TLS_RSA_WITH_AES_256_CBC_SHA", - TLS1_CK_RSA_WITH_AES_256_SHA, - SSL_kRSA, - SSL_aRSA, - SSL_AES256, - SSL_SHA1, - SSL_HANDSHAKE_MAC_DEFAULT, + TLS1_TXT_RSA_WITH_AES_256_SHA, + "TLS_RSA_WITH_AES_256_CBC_SHA", + TLS1_CK_RSA_WITH_AES_256_SHA, + SSL_kRSA, + SSL_aRSA, + SSL_AES256, + SSL_SHA1, + SSL_HANDSHAKE_MAC_DEFAULT, }, // Cipher 3C { - TLS1_TXT_RSA_WITH_AES_128_SHA256, - "TLS_RSA_WITH_AES_128_CBC_SHA256", - TLS1_CK_RSA_WITH_AES_128_SHA256, - SSL_kRSA, - SSL_aRSA, - SSL_AES128, - SSL_SHA256, - SSL_HANDSHAKE_MAC_SHA256, + TLS1_TXT_RSA_WITH_AES_128_SHA256, + "TLS_RSA_WITH_AES_128_CBC_SHA256", + TLS1_CK_RSA_WITH_AES_128_SHA256, + SSL_kRSA, + SSL_aRSA, + SSL_AES128, + SSL_SHA256, + SSL_HANDSHAKE_MAC_SHA256, }, // PSK cipher suites. 
// Cipher 8C { - TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, - "TLS_PSK_WITH_AES_128_CBC_SHA", - TLS1_CK_PSK_WITH_AES_128_CBC_SHA, - SSL_kPSK, - SSL_aPSK, - SSL_AES128, - SSL_SHA1, - SSL_HANDSHAKE_MAC_DEFAULT, + TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, + "TLS_PSK_WITH_AES_128_CBC_SHA", + TLS1_CK_PSK_WITH_AES_128_CBC_SHA, + SSL_kPSK, + SSL_aPSK, + SSL_AES128, + SSL_SHA1, + SSL_HANDSHAKE_MAC_DEFAULT, }, // Cipher 8D { - TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, - "TLS_PSK_WITH_AES_256_CBC_SHA", - TLS1_CK_PSK_WITH_AES_256_CBC_SHA, - SSL_kPSK, - SSL_aPSK, - SSL_AES256, - SSL_SHA1, - SSL_HANDSHAKE_MAC_DEFAULT, + TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, + "TLS_PSK_WITH_AES_256_CBC_SHA", + TLS1_CK_PSK_WITH_AES_256_CBC_SHA, + SSL_kPSK, + SSL_aPSK, + SSL_AES256, + SSL_SHA1, + SSL_HANDSHAKE_MAC_DEFAULT, }, // GCM ciphersuites from RFC 5288 // Cipher 9C { - TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, - "TLS_RSA_WITH_AES_128_GCM_SHA256", - TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, - SSL_kRSA, - SSL_aRSA, - SSL_AES128GCM, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA256, + TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, + "TLS_RSA_WITH_AES_128_GCM_SHA256", + TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, + SSL_kRSA, + SSL_aRSA, + SSL_AES128GCM, + SSL_AEAD, + SSL_HANDSHAKE_MAC_SHA256, }, // Cipher 9D { - TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, - "TLS_RSA_WITH_AES_256_GCM_SHA384", - TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, - SSL_kRSA, - SSL_aRSA, - SSL_AES256GCM, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA384, + TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, + "TLS_RSA_WITH_AES_256_GCM_SHA384", + TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, + SSL_kRSA, + SSL_aRSA, + SSL_AES256GCM, + SSL_AEAD, + SSL_HANDSHAKE_MAC_SHA384, }, // TLS 1.3 suites. 
// Cipher 1301 { - TLS1_3_RFC_AES_128_GCM_SHA256, - "TLS_AES_128_GCM_SHA256", - TLS1_3_CK_AES_128_GCM_SHA256, - SSL_kGENERIC, - SSL_aGENERIC, - SSL_AES128GCM, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA256, + TLS1_3_RFC_AES_128_GCM_SHA256, + "TLS_AES_128_GCM_SHA256", + TLS1_3_CK_AES_128_GCM_SHA256, + SSL_kGENERIC, + SSL_aGENERIC, + SSL_AES128GCM, + SSL_AEAD, + SSL_HANDSHAKE_MAC_SHA256, }, // Cipher 1302 { - TLS1_3_RFC_AES_256_GCM_SHA384, - "TLS_AES_256_GCM_SHA384", - TLS1_3_CK_AES_256_GCM_SHA384, - SSL_kGENERIC, - SSL_aGENERIC, - SSL_AES256GCM, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA384, + TLS1_3_RFC_AES_256_GCM_SHA384, + "TLS_AES_256_GCM_SHA384", + TLS1_3_CK_AES_256_GCM_SHA384, + SSL_kGENERIC, + SSL_aGENERIC, + SSL_AES256GCM, + SSL_AEAD, + SSL_HANDSHAKE_MAC_SHA384, }, // Cipher 1303 { - TLS1_3_RFC_CHACHA20_POLY1305_SHA256, - "TLS_CHACHA20_POLY1305_SHA256", - TLS1_3_CK_CHACHA20_POLY1305_SHA256, - SSL_kGENERIC, - SSL_aGENERIC, - SSL_CHACHA20POLY1305, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA256, + TLS1_3_RFC_CHACHA20_POLY1305_SHA256, + "TLS_CHACHA20_POLY1305_SHA256", + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + SSL_kGENERIC, + SSL_aGENERIC, + SSL_CHACHA20POLY1305, + SSL_AEAD, + SSL_HANDSHAKE_MAC_SHA256, }, // Cipher C009 { - TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - SSL_kECDHE, - SSL_aECDSA, - SSL_AES128, - SSL_SHA1, - SSL_HANDSHAKE_MAC_DEFAULT, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + SSL_kECDHE, + SSL_aECDSA, + SSL_AES128, + SSL_SHA1, + SSL_HANDSHAKE_MAC_DEFAULT, }, // Cipher C00A { - TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - SSL_kECDHE, - SSL_aECDSA, - SSL_AES256, - SSL_SHA1, - SSL_HANDSHAKE_MAC_DEFAULT, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + 
TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + SSL_kECDHE, + SSL_aECDSA, + SSL_AES256, + SSL_SHA1, + SSL_HANDSHAKE_MAC_DEFAULT, }, // Cipher C013 { - TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, - SSL_kECDHE, - SSL_aRSA, - SSL_AES128, - SSL_SHA1, - SSL_HANDSHAKE_MAC_DEFAULT, + TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, + SSL_kECDHE, + SSL_aRSA, + SSL_AES128, + SSL_SHA1, + SSL_HANDSHAKE_MAC_DEFAULT, }, // Cipher C014 { - TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, - SSL_kECDHE, - SSL_aRSA, - SSL_AES256, - SSL_SHA1, - SSL_HANDSHAKE_MAC_DEFAULT, + TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, + SSL_kECDHE, + SSL_aRSA, + SSL_AES256, + SSL_SHA1, + SSL_HANDSHAKE_MAC_DEFAULT, }, // Cipher C027 { - TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, - SSL_kECDHE, - SSL_aRSA, - SSL_AES128, - SSL_SHA256, - SSL_HANDSHAKE_MAC_SHA256, + TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, + SSL_kECDHE, + SSL_aRSA, + SSL_AES128, + SSL_SHA256, + SSL_HANDSHAKE_MAC_SHA256, }, // Cipher C028 
@@ -386,114 +386,114 @@ static constexpr SSL_CIPHER kCiphers[] = { // Cipher C02B { - TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - SSL_kECDHE, - SSL_aECDSA, - SSL_AES128GCM, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA256, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + SSL_kECDHE, + SSL_aECDSA, + SSL_AES128GCM, + SSL_AEAD, + SSL_HANDSHAKE_MAC_SHA256, }, // Cipher C02C { - TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - SSL_kECDHE, - SSL_aECDSA, - SSL_AES256GCM, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA384, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + SSL_kECDHE, + SSL_aECDSA, + SSL_AES256GCM, + SSL_AEAD, + SSL_HANDSHAKE_MAC_SHA384, }, // Cipher C02F { - TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - SSL_kECDHE, - SSL_aRSA, - SSL_AES128GCM, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA256, + TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + SSL_kECDHE, + SSL_aRSA, + SSL_AES128GCM, + SSL_AEAD, + SSL_HANDSHAKE_MAC_SHA256, }, // Cipher C030 { - TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - SSL_kECDHE, - SSL_aRSA, - SSL_AES256GCM, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA384, + TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + SSL_kECDHE, + SSL_aRSA, + SSL_AES256GCM, + SSL_AEAD, + SSL_HANDSHAKE_MAC_SHA384, }, // ECDHE-PSK cipher suites. 
// Cipher C035
 {
- TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
- "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
- TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
- SSL_kECDHE,
- SSL_aPSK,
- SSL_AES128,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+ "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
+ TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+ SSL_kECDHE,
+ SSL_aPSK,
+ SSL_AES128,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
 },
 // Cipher C036
 {
- TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
- "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
- TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
- SSL_kECDHE,
- SSL_aPSK,
- SSL_AES256,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+ "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
+ TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+ SSL_kECDHE,
+ SSL_aPSK,
+ SSL_AES256,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
 },
 // ChaCha20-Poly1305 cipher suites.
 // Cipher CCA8
 {
- TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- SSL_kECDHE,
- SSL_aRSA,
- SSL_CHACHA20POLY1305,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
+ TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ SSL_kECDHE,
+ SSL_aRSA,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA256,
 },
 // Cipher CCA9
 {
- TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
- SSL_kECDHE,
- SSL_aECDSA,
- SSL_CHACHA20POLY1305,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
+ TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+ TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ SSL_kECDHE,
+ SSL_aECDSA,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA256,
 },
 // Cipher CCAB
 {
- TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, -
"TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
- TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
- SSL_kECDHE,
- SSL_aPSK,
- SSL_CHACHA20POLY1305,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
+ TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+ TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ SSL_kECDHE,
+ SSL_aPSK,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA256,
 },
 };
@@ -679,7 +679,7 @@ bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
 // filter cipher selection appropriately.
 //
 // Additionally enforce that SHA-384 is only used with AES-256.
- if(version != TLS1_2_VERSION || cipher->algorithm_enc != SSL_AES256) {
+ if (version != TLS1_2_VERSION || cipher->algorithm_enc != SSL_AES256) {
 return false;
 }
@@ -834,11 +834,11 @@ bool SSLCipherPreferenceList::Init(UniquePtr ciphers_arg,
 return true;
 }
-bool SSLCipherPreferenceList::Init(const SSLCipherPreferenceList& other) {
+bool SSLCipherPreferenceList::Init(const SSLCipherPreferenceList &other) {
 size_t size = sk_SSL_CIPHER_num(other.ciphers.get());
 Span other_flags(other.in_group_flags, size);
- UniquePtr other_ciphers(sk_SSL_CIPHER_dup(
- other.ciphers.get()));
+ UniquePtr other_ciphers(
+ sk_SSL_CIPHER_dup(other.ciphers.get()));
 if (!other_ciphers) {
 return false;
 }
@@ -851,10 +851,10 @@ void SSLCipherPreferenceList::Remove(const SSL_CIPHER *cipher) {
 return;
 }
 if (!in_group_flags[index] /* last element of group */ && index > 0) {
- in_group_flags[index-1] = false;
+ in_group_flags[index - 1] = false;
 }
 for (size_t i = index; i < sk_SSL_CIPHER_num(ciphers.get()) - 1; ++i) {
- in_group_flags[i] = in_group_flags[i+1];
+ in_group_flags[i] = in_group_flags[i + 1];
 }
 sk_SSL_CIPHER_delete(ciphers.get(), index);
 }
@@ -868,11 +868,12 @@ void SSLCipherPreferenceList::Remove(const SSL_CIPHER *cipher) {
 // of that strength.
 // - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
 // |min_version|.
-static void ssl_cipher_apply_rule(
- uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
- uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
- int strength_bits, bool in_group, CIPHER_ORDER **head_p,
- CIPHER_ORDER **tail_p) {
+static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
+ uint32_t alg_auth, uint32_t alg_enc,
+ uint32_t alg_mac, uint16_t min_version,
+ int rule, int strength_bits, bool in_group,
+ CIPHER_ORDER **head_p,
+ CIPHER_ORDER **tail_p) {
 CIPHER_ORDER *head, *tail, *curr, *next, *last;
 const SSL_CIPHER *cp;
 bool reverse = false;
@@ -925,8 +926,7 @@ static void ssl_cipher_apply_rule(
 }
 } else {
 if (!(alg_mkey & cp->algorithm_mkey) ||
- !(alg_auth & cp->algorithm_auth) ||
- !(alg_enc & cp->algorithm_enc) ||
+ !(alg_auth & cp->algorithm_auth) || !(alg_enc & cp->algorithm_enc) ||
 !(alg_mac & cp->algorithm_mac) ||
 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version) ||
 // The NULL cipher must be selected explicitly.
@@ -1140,7 +1140,7 @@ static bool ssl_cipher_process_rulestr(const char *rule_str,
 for (j = 0; j < OPENSSL_ARRAY_SIZE(kCiphers); j++) {
 const SSL_CIPHER *cipher = &kCiphers[j];
 if ((config_tls13 && cipher->algorithm_mkey != SSL_kGENERIC) ||
- (!config_tls13 && cipher->algorithm_mkey == SSL_kGENERIC)) {
+ (!config_tls13 && cipher->algorithm_mkey == SSL_kGENERIC)) {
 continue;
 }
 if (rule_equals(cipher->name, buf, buf_len) ||
@@ -1215,18 +1215,17 @@ static bool ssl_cipher_process_rulestr(const char *rule_str,
 }
 static const char *kKnownKeywordFilterRulesMappingToDefault[] = {
- "ALL",
- "DEFAULT",
- "FIPS",
- "HIGH",
+ "ALL",
+ "DEFAULT",
+ "FIPS",
+ "HIGH",
 };
-static bool is_known_default_alias_keyword_filter_rule(const char *rule,
- size_t *matched_rule_length) {
-
+static bool is_known_default_alias_keyword_filter_rule(
+ const char *rule, size_t *matched_rule_length) {
 for (auto known_rule : kKnownKeywordFilterRulesMappingToDefault) {
 if (strncmp(rule, known_rule, strlen(known_rule)) == 0) {
- *matched_rule_length = (size_t) strlen(known_rule);
+ *matched_rule_length = (size_t)strlen(known_rule);
 return true;
 }
 }
@@ -1253,8 +1252,8 @@ int update_cipher_list(UniquePtr &dst,
 // Delete any existing TLSv1.3 ciphersuites. These will be first in the list
 while (sk_SSL_CIPHER_num(tmp_cipher_list.get()) > 0 &&
- SSL_CIPHER_get_min_version(sk_SSL_CIPHER_value(tmp_cipher_list.get(), 0))
- == TLS1_3_VERSION) {
+ SSL_CIPHER_get_min_version(
+ sk_SSL_CIPHER_value(tmp_cipher_list.get(), 0)) == TLS1_3_VERSION) {
 sk_SSL_CIPHER_delete(tmp_cipher_list.get(), 0);
 num_removed_tls13_ciphers++;
 }
@@ -1266,7 +1265,8 @@ int update_cipher_list(UniquePtr &dst,
 STACK_OF(SSL_CIPHER) *tls13_cipher_stack = tls13_ciphers->ciphers.get();
 num_added_tls13_ciphers = sk_SSL_CIPHER_num(tls13_cipher_stack);
 for (int i = sk_SSL_CIPHER_num(tls13_cipher_stack) - 1; i >= 0; i--) {
- const SSL_CIPHER *tls13_cipher = sk_SSL_CIPHER_value(tls13_cipher_stack, i);
+ const SSL_CIPHER *tls13_cipher =
+ sk_SSL_CIPHER_value(tls13_cipher_stack, i);
 if (!sk_SSL_CIPHER_unshift(tmp_cipher_list.get(), tls13_cipher)) {
 return 0;
 }
@@ -1279,11 +1279,11 @@ int update_cipher_list(UniquePtr &dst,
 return 0;
 }
 std::fill(updated_in_group_flags.begin(), updated_in_group_flags.end(),
- false);
+ false);
 // Copy in_group_flags from |ctx->tls13_cipher_list|
 if (tls13_ciphers && tls13_ciphers->in_group_flags) {
- const auto& tls13_flags = tls13_ciphers->in_group_flags;
+ const auto &tls13_flags = tls13_ciphers->in_group_flags;
 // Ensure value of last element in |in_group_flags| is 0. The last cipher
 // in a list must be the end of any group in that list.
 if (tls13_flags[num_added_tls13_ciphers - 1] != 0) {
@@ -1298,12 +1298,14 @@ int update_cipher_list(UniquePtr &dst,
 if (ciphers && ciphers->in_group_flags) {
 for (size_t i = 0; i < num_updated_tls12_ciphers; i++) {
 updated_in_group_flags[i + num_added_tls13_ciphers] =
- ciphers->in_group_flags[i + num_removed_tls13_ciphers];
+ ciphers->in_group_flags[i + num_removed_tls13_ciphers];
 }
 }
- Span flags_span(updated_in_group_flags.data(), updated_in_group_flags.size());
- UniquePtr new_list = MakeUnique();
+ Span flags_span(updated_in_group_flags.data(),
+ updated_in_group_flags.size());
+ UniquePtr new_list =
+ MakeUnique();
 if (!new_list || !new_list->Init(std::move(tmp_cipher_list), flags_span)) {
 return 0;
 }
@@ -1387,7 +1389,8 @@ bool ssl_create_cipher_list(UniquePtr *out_cipher_list,
 // Check for keyword rules that map to the default "ALL" rule.
 const char *rule_p = rule_str;
 size_t matched_rule_length = 0;
- if (is_known_default_alias_keyword_filter_rule(rule_str, &matched_rule_length)) {
+ if (is_known_default_alias_keyword_filter_rule(rule_str,
+ &matched_rule_length)) {
 if (!ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail,
 strict, config_tls13)) {
 return false;
@@ -1543,9 +1546,9 @@ const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
 SSL_CIPHER c;
 c.id = 0x03000000L | value;
- return reinterpret_cast(bsearch(
- &c, kCiphers, OPENSSL_ARRAY_SIZE(kCiphers), sizeof(SSL_CIPHER),
- ssl_cipher_id_cmp));
+ return reinterpret_cast(
+ bsearch(&c, kCiphers, OPENSSL_ARRAY_SIZE(kCiphers), sizeof(SSL_CIPHER),
+ ssl_cipher_id_cmp));
 }
 const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr) {
@@ -1659,7 +1662,7 @@ int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher) {
 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
 return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
- cipher->algorithm_mac != SSL_AEAD;
+ cipher->algorithm_mac != SSL_AEAD;
 }
 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
@@ -1684,7 +1687,7 @@ uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
 return TLS1_2_VERSION;
 }
-static const char* kUnknownCipher = "(NONE)";
+static const char *kUnknownCipher = "(NONE)";
 // return the actual cipher being used
 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
@@ -1856,7 +1859,7 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
 break;
 case SSL_eNULL:
- enc="None";
+ enc = "None";
 break;
 default:
@@ -1902,10 +1905,10 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
 }
 bool tls_print_all_supported_cipher_suites(bool use_openssl_name) {
- for (const SSL_CIPHER cipher : kCiphers) {
- fprintf(stdout, "%s\n", use_openssl_name ? SSL_CIPHER_get_name(&cipher)
- : SSL_CIPHER_standard_name(&cipher));
+ fprintf(stdout, "%s\n",
+ use_openssl_name ? SSL_CIPHER_get_name(&cipher)
+ : SSL_CIPHER_standard_name(&cipher));
 }
 return true;
diff --git a/ssl/ssl_decrepit.c b/ssl/ssl_decrepit.c
index c6df9a11ed..7691fe4267 100644
--- a/ssl/ssl_decrepit.c
+++ b/ssl/ssl_decrepit.c
@@ -152,8 +152,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 }
 int r = snprintf(buf, sizeof(buf), "%s/%s", path, dirent->d_name);
- if (r <= 0 ||
- r >= (int)sizeof(buf) ||
+ if (r <= 0 || r >= (int)sizeof(buf) ||
 !SSL_add_file_cert_subjects_to_stack(stack, buf)) {
 break;
 }
diff --git a/ssl/ssl_file.cc b/ssl/ssl_file.cc
index cc32f886f3..e15c50f102 100644
--- a/ssl/ssl_file.cc
+++ b/ssl/ssl_file.cc
@@ -475,8 +475,9 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) {
 // Read a file that contains our certificate in "PEM" format, possibly followed
 // by a sequence of CA certificates that should be sent to the peer in the
 // Certificate message.
-static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file) {
- if(ctx == nullptr && ssl == nullptr) {
+static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl,
+ const char *file) {
+ if (ctx == nullptr && ssl == nullptr) {
 return 0;
 }
diff --git a/ssl/ssl_key_share.cc b/ssl/ssl_key_share.cc
index b7b915027c..62dfae1072 100644
--- a/ssl/ssl_key_share.cc
+++ b/ssl/ssl_key_share.cc
@@ -31,11 +31,11 @@
 #include
 #include
-#include "internal.h"
-#include "../crypto/internal.h"
 #include "../crypto/fipsmodule/ec/internal.h"
 #include "../crypto/fipsmodule/ml_kem/ml_kem.h"
+#include "../crypto/internal.h"
 #include "../crypto/kyber/kem_kyber.h"
+#include "internal.h"
 BSSL_NAMESPACE_BEGIN
@@ -211,8 +211,7 @@ class KEMKeyShare : public SSLKeyShare {
 size_t public_key_len = 0;
 EVP_PKEY *raw_key = nullptr;
 if (!EVP_PKEY_keygen_init(ctx_.get()) ||
- !EVP_PKEY_keygen(ctx_.get(), &raw_key) ||
- !raw_key ||
+ !EVP_PKEY_keygen(ctx_.get(), &raw_key) || !raw_key ||
 !EVP_PKEY_get_raw_public_key(raw_key, nullptr, &public_key_len)) {
 EVP_PKEY_free(raw_key);
 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -232,7 +231,7 @@ class KEMKeyShare : public SSLKeyShare {
 if (!CBB_add_space(out, &public_key, public_key_len) ||
 !EVP_PKEY_get_raw_public_key(pkey.get(), public_key, &public_key_bytes_written) ||
- public_key_bytes_written != public_key_len) {
+ public_key_bytes_written != public_key_len) {
 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
 return false;
 }
@@ -282,8 +281,8 @@ class KEMKeyShare : public SSLKeyShare {
 }
 // Initialize pkey from the received public key
- UniquePtr pkey(
- EVP_PKEY_kem_new_raw_public_key(nid_, peer_key.begin(), peer_key.size()));
+ UniquePtr pkey(EVP_PKEY_kem_new_raw_public_key(
+ nid_, peer_key.begin(), peer_key.size()));
 if (!pkey) {
 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
@@ -301,8 +300,8 @@ class KEMKeyShare : public SSLKeyShare {
 // Retrieve the lengths of the ciphertext and shared secret
 size_t ciphertext_len = 0;
 size_t secret_len = 0;
- if (!EVP_PKEY_encapsulate(ctx_.get(), nullptr, &ciphertext_len,
- nullptr, &secret_len)) {
+ if (!EVP_PKEY_encapsulate(ctx_.get(), nullptr, &ciphertext_len, nullptr,
+ &secret_len)) {
 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
 return false;
 }
@@ -321,11 +320,10 @@ class KEMKeyShare : public SSLKeyShare {
 size_t secret_bytes_written = secret_len;
 if (!CBB_add_space(out_public_key, &ciphertext, ciphertext_len) ||
- !EVP_PKEY_encapsulate(ctx_.get(), ciphertext,
- &ciphertext_bytes_written, shared_secret.data(),
- &secret_bytes_written) ||
- ciphertext_bytes_written != ciphertext_len ||
- secret_bytes_written != secret_len) {
+ !EVP_PKEY_encapsulate(ctx_.get(), ciphertext, &ciphertext_bytes_written,
+ shared_secret.data(), &secret_bytes_written) ||
+ ciphertext_bytes_written != ciphertext_len ||
+ secret_bytes_written != secret_len) {
 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
 return false;
 }
@@ -339,8 +337,8 @@ class KEMKeyShare : public SSLKeyShare {
 }
 // Because this is a KEM key share, |peer_key| is actually the ciphertext
- // resulting from the peer encapsulating the shared secret under our public key.
- // In Finish(), we use our previously generated secret key to decrypt
+ // resulting from the peer encapsulating the shared secret under our public
+ // key. In Finish(), we use our previously generated secret key to decrypt
 // that ciphertext and obtain the shared secret.
 bool Finish(Array *out_secret, uint8_t *out_alert,
 Span peer_key) override {
@@ -366,7 +364,8 @@ class KEMKeyShare : public SSLKeyShare {
 // Retrieve the length of the shared secret
 size_t secret_len = 0;
- if (!EVP_PKEY_decapsulate(ctx_.get(), nullptr, &secret_len, nullptr, peer_key.size())) {
+ if (!EVP_PKEY_decapsulate(ctx_.get(), nullptr, &secret_len, nullptr,
+ peer_key.size())) {
 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
 return false;
 }
@@ -386,7 +385,7 @@ class KEMKeyShare : public SSLKeyShare {
 if (!EVP_PKEY_decapsulate(ctx_.get(), shared_secret.data(), &secret_bytes_written, ciphertext, peer_key.size()) ||
- secret_bytes_written != secret_len) {
+ secret_bytes_written != secret_len) {
 OPENSSL_PUT_ERROR(SSL, SSL_AD_ILLEGAL_PARAMETER);
 return false;
 }
@@ -408,272 +407,282 @@ class KEMKeyShare : public SSLKeyShare {
 // all of which are used to generate a hybrid shared secret.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design.
 class HybridKeyShare : public SSLKeyShare {
- public:
- HybridKeyShare(uint16_t group_id) : group_id_(group_id),
- exchange_performed(false), hybrid_group_(nullptr) {
- for (const HybridGroup &hybrid_group : HybridGroups()) {
- if (group_id_ == hybrid_group.group_id) {
- hybrid_group_ = &hybrid_group;
- for (size_t i = 0; i < NUM_HYBRID_COMPONENTS; i++) {
- key_shares_[i] = SSLKeyShare::Create(hybrid_group.component_group_ids[i]);
- }
- return;
- }
+ public:
+ HybridKeyShare(uint16_t group_id)
+ : group_id_(group_id), exchange_performed(false), hybrid_group_(nullptr) {
+ for (const HybridGroup &hybrid_group : HybridGroups()) {
+ if (group_id_ == hybrid_group.group_id) {
+ hybrid_group_ = &hybrid_group;
+ for (size_t i = 0; i < NUM_HYBRID_COMPONENTS; i++) {
+ key_shares_[i] =
+ SSLKeyShare::Create(hybrid_group.component_group_ids[i]);
+ }
+ return;
 }
- hybrid_group_ = nullptr;
 }
+ hybrid_group_ = nullptr;
+ }
- uint16_t GroupID() const override { return group_id_; }
+ uint16_t GroupID() const override { return group_id_; }
- bool Offer(CBB *out) override {
- // Ensure |out| is valid, has no children, and has been initialized.
- // We check that |out| has no children because otherwise CBB_data()
- // will produce a fatal error by way of assert(cbb->child == NULL);
- if (!out || out->child || !CBB_data(out)) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
- return false;
- }
+ bool Offer(CBB *out) override {
+ // Ensure |out| is valid, has no children, and has been initialized.
+ // We check that |out| has no children because otherwise CBB_data()
+ // will produce a fatal error by way of assert(cbb->child == NULL);
+ if (!out || out->child || !CBB_data(out)) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
+ return false;
+ }
- if (!hybrid_group_ || this->exchange_performed) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ if (!hybrid_group_ || this->exchange_performed) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ // Iterate through the component groups and Offer() each of their key
+ // shares. If one of the calls to a component Offer() fails,
+ // OPENSSL_PUT_ERROR will be set appropriately in that component.
+ for (const UniquePtr &key_share : key_shares_) {
+ if (!key_share || !key_share->Offer(out)) {
 return false;
 }
+ }
+ this->exchange_performed = true;
+ return true;
+ }
- // Iterate through the component groups and Offer() each of their key
- // shares. If one of the calls to a component Offer() fails,
- // OPENSSL_PUT_ERROR will be set appropriately in that component.
- for (const UniquePtr &key_share : key_shares_) {
- if (!key_share || !key_share->Offer(out)) {
- return false;
- }
- }
- this->exchange_performed = true;
- return true;
+ bool Accept(CBB *out_public_key, Array *out_secret,
+ uint8_t *out_alert, Span peer_key) override {
+ if (!out_alert) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
+ return false;
 }
- bool Accept(CBB *out_public_key, Array *out_secret,
- uint8_t *out_alert, Span peer_key) override {
- if (!out_alert) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
- return false;
- }
+ // Set alert to internal error by default
+ *out_alert = SSL_AD_INTERNAL_ERROR;
+
+ if (!out_secret || !peer_key.data()) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
+ return false;
+ }
- // Set alert to internal error by default
- *out_alert = SSL_AD_INTERNAL_ERROR;
+ // Ensure |out_public_key| is valid, has no children, and has been
+ // initialized.
We check that |out_public_key| has no children because
+ // otherwise CBB_data() will produce a fatal error by way of
+ // assert(cbb->child == NULL);
+ if (!out_public_key || out_public_key->child || !CBB_data(out_public_key)) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
+ return false;
+ }
- if (!out_secret|| !peer_key.data()) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
- return false;
- }
+ if (!hybrid_group_ || this->exchange_performed) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
- // Ensure |out_public_key| is valid, has no children, and has been
- // initialized. We check that |out_public_key| has no children because
- // otherwise CBB_data() will produce a fatal error by way of
- // assert(cbb->child == NULL);
- if (!out_public_key || out_public_key->child || !CBB_data(out_public_key)) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
- return false;
- }
+ // A hybrid shared secret with two components should be 64 bytes.
+ // If it happens to be larger, the CBB will grow accordingly.
+ CBB hybrid_shared_secret;
+ if (!CBB_init(&hybrid_shared_secret, 64)) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
- if (!hybrid_group_ || this->exchange_performed) {
+ // Accept() each component key share. Each component's Accept() function
+ // will generate a shared secret and a public key to be sent back to
+ // the peer. The hybrid public key is the concatenation of all component
+ // public keys; the hybrid shared secret is the concatenation of all
+ // component shared secrets.
+ size_t peer_key_read_index = 0;
+ for (size_t i = 0; i < NUM_HYBRID_COMPONENTS; i++) {
+ size_t component_key_size = 0;
+ if (!get_component_offer_key_share_size(
+ &component_key_size, hybrid_group_->component_group_ids[i])) {
 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
 return false;
 }
- // A hybrid shared secret with two components should be 64 bytes.
- // If it happens to be larger, the CBB will grow accordingly.
- CBB hybrid_shared_secret;
- if (!CBB_init(&hybrid_shared_secret, 64)) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ // Verify that |peer_key| contains enough data
+ if (peer_key_read_index + component_key_size > peer_key.size()) {
+ CBB_cleanup(&hybrid_shared_secret);
+ *out_alert = SSL_AD_ILLEGAL_PARAMETER;
+ OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HYBRID_KEYSHARE);
 return false;
 }
- // Accept() each component key share. Each component's Accept() function
- // will generate a shared secret and a public key to be sent back to
- // the peer. The hybrid public key is the concatenation of all component
- // public keys; the hybrid shared secret is the concatenation of all
- // component shared secrets.
- size_t peer_key_read_index = 0;
- for (size_t i = 0; i < NUM_HYBRID_COMPONENTS; i++) {
- size_t component_key_size = 0;
- if (!get_component_offer_key_share_size(&component_key_size, hybrid_group_->component_group_ids[i])) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return false;
- }
-
- // Verify that |peer_key| contains enough data
- if (peer_key_read_index + component_key_size > peer_key.size()) {
- CBB_cleanup(&hybrid_shared_secret);
- *out_alert = SSL_AD_ILLEGAL_PARAMETER;
- OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HYBRID_KEYSHARE);
- return false;
- }
-
- Span component_key =
+ Span component_key =
 peer_key.subspan(peer_key_read_index, component_key_size);
- Array component_secret;
- if (!key_shares_[i] ||
- !key_shares_[i]->Accept(out_public_key, &component_secret, out_alert, component_key) ||
- !CBB_add_bytes(&hybrid_shared_secret, component_secret.data(), component_secret.size())) {
- CBB_cleanup(&hybrid_shared_secret);
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return false;
- }
-
- peer_key_read_index += component_key_size;
- }
-
- // Final validation that |peer_key| was the correct size
- if (peer_key_read_index != peer_key.size()) {
+ Array component_secret;
+ if (!key_shares_[i] || +
!key_shares_[i]->Accept(out_public_key, &component_secret, out_alert,
+ component_key) ||
+ !CBB_add_bytes(&hybrid_shared_secret, component_secret.data(),
+ component_secret.size())) {
 CBB_cleanup(&hybrid_shared_secret);
- *out_alert = SSL_AD_DECODE_ERROR;
 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
 return false;
 }
- // Retain the hybrid shared secret for our use.
- if (!CBBFinishArray(&hybrid_shared_secret, out_secret)) {
- CBB_cleanup(&hybrid_shared_secret);
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return false;
- }
-
- // Success; clear the alert
- *out_alert = 0;
-
- this->exchange_performed = true;
- return true;
+ peer_key_read_index += component_key_size;
 }
- bool Finish(Array *out_secret, uint8_t *out_alert,
- Span peer_key) override {
- if (!out_alert) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
- return false;
- }
-
- // Set alert to internal error by default
- *out_alert = SSL_AD_INTERNAL_ERROR;
+ // Final validation that |peer_key| was the correct size
+ if (peer_key_read_index != peer_key.size()) {
+ CBB_cleanup(&hybrid_shared_secret);
+ *out_alert = SSL_AD_DECODE_ERROR;
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
- if (!out_secret || !peer_key.data()) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
- return false;
- }
+ // Retain the hybrid shared secret for our use.
+ if (!CBBFinishArray(&hybrid_shared_secret, out_secret)) {
+ CBB_cleanup(&hybrid_shared_secret);
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
- if (!hybrid_group_ || !this->exchange_performed) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return false;
- }
+ // Success; clear the alert
+ *out_alert = 0;
- // A hybrid shared secret with two components should be 64 bytes.
- // If it happens to be larger, the CBB will grow accordingly.
- CBB hybrid_shared_secret;
- if (!CBB_init(&hybrid_shared_secret, 64)) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return false;
- }
+ this->exchange_performed = true;
+ return true;
+ }
- // Finish() each component key share. Each component's Finish() function
- // will generate a shared secret. The hybrid shared secret is the
- // concatenation of all component shared secrets.
- size_t peer_key_index = 0;
- for (size_t i = 0; i < NUM_HYBRID_COMPONENTS; i++) {
+ bool Finish(Array *out_secret, uint8_t *out_alert,
+ Span peer_key) override {
+ if (!out_alert) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
+ return false;
+ }
- size_t component_key_size = 0;
- if (!get_component_accept_key_share_size(&component_key_size, hybrid_group_->component_group_ids[i])) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return false;
- }
+ // Set alert to internal error by default
+ *out_alert = SSL_AD_INTERNAL_ERROR;
- // Verify that |peer_key| contains enough data
- if (peer_key_index + component_key_size > peer_key.size()) {
- CBB_cleanup(&hybrid_shared_secret);
- *out_alert = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return false;
- }
+ if (!out_secret || !peer_key.data()) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
+ return false;
+ }
- Span component_key =
- peer_key.subspan(peer_key_index, component_key_size);
+ if (!hybrid_group_ || !this->exchange_performed) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return false;
+ }
- Array component_secret;
- if (!key_shares_[i] ||
- !key_shares_[i]->Finish(&component_secret, out_alert, component_key) ||
- !CBB_add_bytes(&hybrid_shared_secret, component_secret.data(), component_secret.size())) {
- CBB_cleanup(&hybrid_shared_secret);
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return false;
- }
+ // A hybrid shared secret with two components should be 64 bytes.
+ // If it happens to be larger, the CBB will grow accordingly.
+ CBB hybrid_shared_secret;
+ if (!CBB_init(&hybrid_shared_secret, 64)) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
- peer_key_index += component_key_size;
+ // Finish() each component key share. Each component's Finish() function
+ // will generate a shared secret. The hybrid shared secret is the
+ // concatenation of all component shared secrets.
+ size_t peer_key_index = 0;
+ for (size_t i = 0; i < NUM_HYBRID_COMPONENTS; i++) {
+ size_t component_key_size = 0;
+ if (!get_component_accept_key_share_size(
+ &component_key_size, hybrid_group_->component_group_ids[i])) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return false;
 }
- // Final validation that |peer_key| was the correct size
- if (peer_key_index != peer_key.size()) {
+ // Verify that |peer_key| contains enough data
+ if (peer_key_index + component_key_size > peer_key.size()) {
 CBB_cleanup(&hybrid_shared_secret);
- *out_alert = SSL_AD_ILLEGAL_PARAMETER;
+ *out_alert = SSL_AD_DECODE_ERROR;
 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
 return false;
 }
- // Retain the hybrid shared secret for our use.
- if (!CBBFinishArray(&hybrid_shared_secret, out_secret)) {
+ Span component_key =
+ peer_key.subspan(peer_key_index, component_key_size);
+
+ Array component_secret;
+ if (!key_shares_[i] ||
+ !key_shares_[i]->Finish(&component_secret, out_alert,
+ component_key) ||
+ !CBB_add_bytes(&hybrid_shared_secret, component_secret.data(),
+ component_secret.size())) {
 CBB_cleanup(&hybrid_shared_secret);
 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
 return false;
 }
- // Success; clear the alert
- *out_alert = 0;
- return true;
+ peer_key_index += component_key_size;
+ }
+
+ // Final validation that |peer_key| was the correct size
+ if (peer_key_index != peer_key.size()) {
+ CBB_cleanup(&hybrid_shared_secret);
+ *out_alert = SSL_AD_ILLEGAL_PARAMETER;
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ // Retain the hybrid shared secret for our use.
+ if (!CBBFinishArray(&hybrid_shared_secret, out_secret)) {
+ CBB_cleanup(&hybrid_shared_secret);
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return false;
+ }
+
+ // Success; clear the alert
+ *out_alert = 0;
+ return true;
+ }
+
+ private:
+ // Only need to support SSL Groups that are a component of a supported
+ // HybridKeyShare
+ bool get_component_offer_key_share_size(size_t *out,
+ uint16_t component_group_id) {
+ switch (component_group_id) {
+ case SSL_GROUP_SECP256R1:
+ *out = 1 + (2 * EC_P256R1_FIELD_ELEM_BYTES);
+ return true;
+ case SSL_GROUP_KYBER768_R3:
+ *out = KYBER768_R3_PUBLIC_KEY_BYTES;
+ return true;
+ case SSL_GROUP_MLKEM768:
+ *out = MLKEM768_PUBLIC_KEY_BYTES;
+ return true;
+ case SSL_GROUP_X25519:
+ *out = 32;
+ return true;
+ default:
+ return false;
 }
+ }
- private:
- // Only need to support SSL Groups that are a component of a supported HybridKeyShare
- bool get_component_offer_key_share_size(size_t *out, uint16_t component_group_id) {
- switch (component_group_id) {
- case SSL_GROUP_SECP256R1:
- *out = 1 + (2 * EC_P256R1_FIELD_ELEM_BYTES);
- return true;
- case SSL_GROUP_KYBER768_R3:
- *out = KYBER768_R3_PUBLIC_KEY_BYTES;
- return true;
- case SSL_GROUP_MLKEM768:
- *out = MLKEM768_PUBLIC_KEY_BYTES;
- return true;
- case SSL_GROUP_X25519:
- *out = 32;
- return true;
- default:
- return false;
- }
- }
-
- // Only need to support SSL Groups that are a component of a supported HybridKeyShare
- bool get_component_accept_key_share_size(size_t *out, uint16_t component_group_id) {
- switch (component_group_id) {
- case SSL_GROUP_SECP256R1:
- *out = 1 + (2 * EC_P256R1_FIELD_ELEM_BYTES);
- return true;
- case SSL_GROUP_KYBER768_R3:
- *out = KYBER768_R3_CIPHERTEXT_BYTES;
- return true;
- case SSL_GROUP_MLKEM768:
- *out = MLKEM768_CIPHERTEXT_BYTES;
- return true;
- case SSL_GROUP_X25519:
- *out = 32;
- return true;
- default:
- return false;
- }
- }
-
- uint16_t group_id_;
- bool exchange_performed;
- const HybridGroup *hybrid_group_; -
UniquePtr key_shares_[NUM_HYBRID_COMPONENTS];
+ // Only need to support SSL Groups that are a component of a supported
+ // HybridKeyShare
+ bool get_component_accept_key_share_size(size_t *out,
+ uint16_t component_group_id) {
+ switch (component_group_id) {
+ case SSL_GROUP_SECP256R1:
+ *out = 1 + (2 * EC_P256R1_FIELD_ELEM_BYTES);
+ return true;
+ case SSL_GROUP_KYBER768_R3:
+ *out = KYBER768_R3_CIPHERTEXT_BYTES;
+ return true;
+ case SSL_GROUP_MLKEM768:
+ *out = MLKEM768_CIPHERTEXT_BYTES;
+ return true;
+ case SSL_GROUP_X25519:
+ *out = 32;
+ return true;
+ default:
+ return false;
+ }
+ }
+
+ uint16_t group_id_;
+ bool exchange_performed;
+ const HybridGroup *hybrid_group_;
+ UniquePtr key_shares_[NUM_HYBRID_COMPONENTS];
 };
 CONSTEXPR_ARRAY NamedGroup kNamedGroups[] = {
@@ -682,60 +691,61 @@ CONSTEXPR_ARRAY NamedGroup kNamedGroups[] = { {NID_secp384r1, SSL_GROUP_SECP384R1, "P-384", "secp384r1"}, {NID_secp521r1, SSL_GROUP_SECP521R1, "P-521", "secp521r1"}, {NID_X25519, SSL_GROUP_X25519, "X25519", "x25519"}, - {NID_SecP256r1Kyber768Draft00, SSL_GROUP_SECP256R1_KYBER768_DRAFT00, "SecP256r1Kyber768Draft00", ""}, - {NID_X25519Kyber768Draft00, SSL_GROUP_X25519_KYBER768_DRAFT00, "X25519Kyber768Draft00", ""}, - {NID_SecP256r1MLKEM768, SSL_GROUP_SECP256R1_MLKEM768, "SecP256r1MLKEM768", ""}, + {NID_SecP256r1Kyber768Draft00, SSL_GROUP_SECP256R1_KYBER768_DRAFT00, + "SecP256r1Kyber768Draft00", ""}, + {NID_X25519Kyber768Draft00, SSL_GROUP_X25519_KYBER768_DRAFT00, + "X25519Kyber768Draft00", ""}, + {NID_SecP256r1MLKEM768, SSL_GROUP_SECP256R1_MLKEM768, "SecP256r1MLKEM768", + ""}, {NID_X25519MLKEM768, SSL_GROUP_X25519_MLKEM768, "X25519MLKEM768", ""}, }; -CONSTEXPR_ARRAY uint16_t kPQGroups[] = { - SSL_GROUP_KYBER512_R3, - SSL_GROUP_KYBER768_R3, - SSL_GROUP_KYBER1024_R3, - SSL_GROUP_MLKEM768, - SSL_GROUP_MLKEM1024, - SSL_GROUP_SECP256R1_KYBER768_DRAFT00, - SSL_GROUP_X25519_KYBER768_DRAFT00, - SSL_GROUP_SECP256R1_MLKEM768, - SSL_GROUP_X25519_MLKEM768 -}; +CONSTEXPR_ARRAY uint16_t kPQGroups[] = {SSL_GROUP_KYBER512_R3, + SSL_GROUP_KYBER768_R3, + SSL_GROUP_KYBER1024_R3, + SSL_GROUP_MLKEM768, + SSL_GROUP_MLKEM1024, + SSL_GROUP_SECP256R1_KYBER768_DRAFT00, + SSL_GROUP_X25519_KYBER768_DRAFT00, + SSL_GROUP_SECP256R1_MLKEM768, + SSL_GROUP_X25519_MLKEM768}; CONSTEXPR_ARRAY HybridGroup kHybridGroups[] = { - { - SSL_GROUP_SECP256R1_KYBER768_DRAFT00, // group_id { - SSL_GROUP_SECP256R1, // component_group_ids[0] - SSL_GROUP_KYBER768_R3, // component_group_ids[1] + SSL_GROUP_SECP256R1_KYBER768_DRAFT00, // group_id + { + SSL_GROUP_SECP256R1, // component_group_ids[0] + SSL_GROUP_KYBER768_R3, // component_group_ids[1] + }, }, - }, - { - SSL_GROUP_X25519_KYBER768_DRAFT00, // group_id { - SSL_GROUP_X25519, // component_group_ids[0] - SSL_GROUP_KYBER768_R3, // 
component_group_ids[1] + SSL_GROUP_X25519_KYBER768_DRAFT00, // group_id + { + SSL_GROUP_X25519, // component_group_ids[0] + SSL_GROUP_KYBER768_R3, // component_group_ids[1] + }, }, - }, - { - SSL_GROUP_SECP256R1_MLKEM768, // group_id { - SSL_GROUP_SECP256R1, // component_group_ids[0] - SSL_GROUP_MLKEM768, // component_group_ids[1] + SSL_GROUP_SECP256R1_MLKEM768, // group_id + { + SSL_GROUP_SECP256R1, // component_group_ids[0] + SSL_GROUP_MLKEM768, // component_group_ids[1] + }, }, - }, - { - SSL_GROUP_X25519_MLKEM768, // group_id { - // Note: MLKEM768 is sent first due to FIPS requirements. - // For more details, see https://datatracker.ietf.org/doc/html/draft-kwiatkowski-tls-ecdhe-mlkem.html#section-3 - SSL_GROUP_MLKEM768, // component_group_ids[0] - SSL_GROUP_X25519, // component_group_ids[1] - }, - } -}; - -} // namespace + SSL_GROUP_X25519_MLKEM768, // group_id + { + // Note: MLKEM768 is sent first due to FIPS requirements. + // For more details, see + // https://datatracker.ietf.org/doc/html/draft-kwiatkowski-tls-ecdhe-mlkem.html#section-3 + SSL_GROUP_MLKEM768, // component_group_ids[0] + SSL_GROUP_X25519, // component_group_ids[1] + }, + }}; + +} // namespace Span NamedGroups() { return MakeConstSpan(kNamedGroups, OPENSSL_ARRAY_SIZE(kNamedGroups)); @@ -785,8 +795,7 @@ UniquePtr SSLKeyShare::Create(uint16_t group_id) { bool SSLKeyShare::Accept(CBB *out_public_key, Array *out_secret, uint8_t *out_alert, Span peer_key) { *out_alert = SSL_AD_INTERNAL_ERROR; - return Offer(out_public_key) && - Finish(out_secret, out_alert, peer_key); + return Offer(out_public_key) && Finish(out_secret, out_alert, peer_key); } bool ssl_nid_to_group_id(uint16_t *out_group_id, int nid) { 
@@ -810,10 +819,10 @@ bool ssl_group_id_to_nid(uint16_t *out_nid, int group_id) {
 return false;
 }
-bool ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len) {
+bool ssl_name_to_group_id(uint16_t *out_group_id, const char *name,
+ size_t len) {
 for (const auto &group : kNamedGroups) {
- if (len == strlen(group.name) &&
- !strncmp(group.name, name, len)) {
+ if (len == strlen(group.name) && !strncmp(group.name, name, len)) {
 *out_group_id = group.group_id;
 return true;
 }
@@ -830,7 +839,7 @@ BSSL_NAMESPACE_END
 using namespace bssl;
-const char* SSL_get_group_name(uint16_t group_id) {
+const char *SSL_get_group_name(uint16_t group_id) {
 for (const auto &group : kNamedGroups) {
 if (group.group_id == group_id) {
 return group.name;
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index b19eb13fce..09fd44c268 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -586,8 +586,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
 return nullptr;
 }
- const bool has_aes_hw = ret->aes_hw_override ? ret->aes_hw_override_value :
- EVP_has_aes_hardware();
+ const bool has_aes_hw = ret->aes_hw_override ? ret->aes_hw_override_value
+ : EVP_has_aes_hardware();
 const char *cipher_rule;
 if (has_aes_hw) {
 cipher_rule = TLS13_DEFAULT_CIPHER_LIST_AES_HW;
@@ -1775,7 +1775,8 @@ int SSL_get_read_ahead(const SSL *ssl) {
 int SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len) {
 GUARD_PTR(ctx);
- // SSLBUFFER_MAX_CAPACITY(0xffff) is the maximum SSLBuffer supports reading at one time
+ // SSLBUFFER_MAX_CAPACITY(0xffff) is the maximum SSLBuffer supports reading at
+ // one time
 if (len > SSLBUFFER_MAX_CAPACITY) {
 len = SSLBUFFER_MAX_CAPACITY;
 }
@@ -1788,7 +1789,8 @@ int SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len) {
 int SSL_set_default_read_buffer_len(SSL *ssl, size_t len) {
 GUARD_PTR(ssl);
- // SSLBUFFER_MAX_CAPACITY(0xffff) is the maximum SSLBuffer supports reading at one time
+ // SSLBUFFER_MAX_CAPACITY(0xffff) is the maximum SSLBuffer supports reading at
+ // one time
 if (len > SSLBUFFER_MAX_CAPACITY) {
 len = SSLBUFFER_MAX_CAPACITY;
 }
@@ -1822,7 +1824,8 @@ int SSL_set_read_ahead(SSL *ssl, int yes) {
 return 1;
 } else {
 return 0;
- }}
+ }
+}
 int SSL_pending(const SSL *ssl) {
 return static_cast(ssl->s3->pending_app_data.size());
@@ -2187,24 +2190,26 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
 const bool has_aes_hw = ctx->aes_hw_override ? ctx->aes_hw_override_value : EVP_has_aes_hardware();
 if (!ssl_create_cipher_list(&ctx->cipher_list, has_aes_hw, str,
- false /* not strict */,
- false /* don't configure TLSv1.3 ciphers */)) {
+ false /* not strict */,
+ false /* don't configure TLSv1.3 ciphers */)) {
 return 0;
 }
- return update_cipher_list(ctx->cipher_list, ctx->cipher_list, ctx->tls13_cipher_list);
+ return update_cipher_list(ctx->cipher_list, ctx->cipher_list,
+ ctx->tls13_cipher_list);
 }
 int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) {
 const bool has_aes_hw = ctx->aes_hw_override ? ctx->aes_hw_override_value : EVP_has_aes_hardware();
 if (!ssl_create_cipher_list(&ctx->cipher_list, has_aes_hw, str,
- true /* strict */,
- false /* don't configure TLSv1.3 ciphers */)) {
+ true /* strict */,
+ false /* don't configure TLSv1.3 ciphers */)) {
 return 0;
 }
- return update_cipher_list(ctx->cipher_list, ctx->cipher_list, ctx->tls13_cipher_list);
+ return update_cipher_list(ctx->cipher_list, ctx->cipher_list,
+ ctx->tls13_cipher_list);
 }
 int SSL_set_cipher_list(SSL *ssl, const char *str) {
@@ -2215,15 +2220,17 @@ int SSL_set_cipher_list(SSL *ssl, const char *str) {
 ? ssl->config->aes_hw_override_value : EVP_has_aes_hardware();
 if (!ssl_create_cipher_list(&ssl->config->cipher_list, has_aes_hw, str,
- false /* not strict */,
- false /* don't configure TLSv1.3 ciphers */)) {
+ false /* not strict */,
+ false /* don't configure TLSv1.3 ciphers */)) {
 return 0;
 }
- UniquePtr &tls13_ciphers = ssl->config->tls13_cipher_list ? ssl->config->tls13_cipher_list :
- ssl->ctx->tls13_cipher_list;
+ UniquePtr &tls13_ciphers =
+ ssl->config->tls13_cipher_list ? ssl->config->tls13_cipher_list
+ : ssl->ctx->tls13_cipher_list;
- return update_cipher_list(ssl->config->cipher_list, ssl->config->cipher_list, tls13_ciphers);
+ return update_cipher_list(ssl->config->cipher_list, ssl->config->cipher_list,
+ tls13_ciphers);
 }
 int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) {
@@ -2231,12 +2238,13 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) {
 : EVP_has_aes_hardware();
 if (!ssl_create_cipher_list(&ctx->tls13_cipher_list, has_aes_hw, str,
- false /* not strict */,
- true /* only configure TLSv1.3 ciphers */)) {
+ false /* not strict */,
+ true /* only configure TLSv1.3 ciphers */)) {
 return 0;
 }
- return update_cipher_list(ctx->cipher_list, ctx->cipher_list, ctx->tls13_cipher_list);
+ return update_cipher_list(ctx->cipher_list, ctx->cipher_list,
+ ctx->tls13_cipher_list);
 }
 int SSL_set_ciphersuites(SSL *ssl, const char *str) {
@@ -2246,16 +2254,18 @@ int SSL_set_ciphersuites(SSL *ssl, const char *str) {
 const bool has_aes_hw = ssl->config->aes_hw_override ? ssl->config->aes_hw_override_value : EVP_has_aes_hardware();
- if (!ssl_create_cipher_list(&ssl->config->tls13_cipher_list,
- has_aes_hw, str, false /* not strict */,
- true /* configure TLSv1.3 ciphers */)) {
+ if (!ssl_create_cipher_list(&ssl->config->tls13_cipher_list, has_aes_hw, str,
+ false /* not strict */,
+ true /* configure TLSv1.3 ciphers */)) {
 return 0;
 }
- UniquePtr &ciphers = ssl->config->cipher_list ? ssl->config->cipher_list :
- ssl->ctx->cipher_list;
+ UniquePtr &ciphers = ssl->config->cipher_list
+ ? ssl->config->cipher_list
+ : ssl->ctx->cipher_list;
- return update_cipher_list(ssl->config->cipher_list, ciphers, ssl->config->tls13_cipher_list);
+ return update_cipher_list(ssl->config->cipher_list, ciphers,
+ ssl->config->tls13_cipher_list);
 }
 int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
@@ -2265,16 +2275,18 @@ int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
 const bool has_aes_hw = ssl->config->aes_hw_override ? ssl->config->aes_hw_override_value : EVP_has_aes_hardware();
- if (!ssl_create_cipher_list(&ssl->config->cipher_list,
- has_aes_hw, str, true /* strict */,
- false /* don't configure TLSv1.3 ciphers */)) {
+ if (!ssl_create_cipher_list(&ssl->config->cipher_list, has_aes_hw, str,
+ true /* strict */,
+ false /* don't configure TLSv1.3 ciphers */)) {
 return 0;
 }
- UniquePtr &tls13_ciphers = ssl->config->tls13_cipher_list ? ssl->config->tls13_cipher_list :
- ssl->ctx->tls13_cipher_list;
+ UniquePtr &tls13_ciphers =
+ ssl->config->tls13_cipher_list ? ssl->config->tls13_cipher_list
+ : ssl->ctx->tls13_cipher_list;
- return update_cipher_list(ssl->config->cipher_list, ssl->config->cipher_list, tls13_ciphers);
+ return update_cipher_list(ssl->config->cipher_list, ssl->config->cipher_list,
+ tls13_ciphers);
 }
 const char *SSL_get_servername(const SSL *ssl, const int type) {
@@ -2920,9 +2932,7 @@ void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*cb)(SSL *ssl, int is_export, int keylength)) {}
-long SSL_CTX_set_dh_auto(SSL_CTX *ctx, int onoff) {
- return 0;
-}
+long SSL_CTX_set_dh_auto(SSL_CTX *ctx, int onoff) { return 0; }
 static int use_psk_identity_hint(UniquePtr *out, const char *identity_hint) {
@@ -3514,13 +3524,13 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) {
 size_t SSL_client_hello_get0_ciphers(SSL *ssl, const unsigned char **out) {
 if (SSL_get_client_ciphers(ssl) == nullptr) {
- return 0;
+ return 0;
 }
- const char * ciphers = ssl->all_client_cipher_suites.get();
+ const char *ciphers = ssl->all_client_cipher_suites.get();
 assert(ciphers != nullptr);
 if (out != nullptr) {
- *out = reinterpret_cast(ciphers);
+ *out = reinterpret_cast(ciphers);
 }
 return ssl->all_client_cipher_suites_len;
 }
diff --git a/ssl/ssl_session.cc b/ssl/ssl_session.cc
index 17de1bd08f..177704ed0e 100644
--- a/ssl/ssl_session.cc
+++ b/ssl/ssl_session.cc
@@ -147,8 +147,8 @@
 #include
 #include
-#include "internal.h"
 #include "../crypto/internal.h"
+#include "internal.h"
 BSSL_NAMESPACE_BEGIN
@@ -179,11 +179,9 @@ uint32_t ssl_hash_session_id(Span session_id) {
 session_id = tmp_storage;
 }
- uint32_t hash =
- ((uint32_t)session_id[0]) |
- ((uint32_t)session_id[1] << 8) |
- ((uint32_t)session_id[2] << 16) |
- ((uint32_t)session_id[3] << 24);
+ uint32_t hash = ((uint32_t)session_id[0]) | ((uint32_t)session_id[1] << 8) |
+ ((uint32_t)session_id[2] << 16) |
+ ((uint32_t)session_id[3] << 24);
 return hash;
 }
@@ -198,7 +196,8 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
 new_session->ssl_version = session->ssl_version;
 new_session->is_quic = session->is_quic;
 new_session->sid_ctx_length = session->sid_ctx_length;
- OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length);
+ OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx,
+ session->sid_ctx_length);
 // Copy the key material.
 new_session->secret_length = session->secret_length;
@@ -216,7 +215,7 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
 if (session->certs != nullptr) {
 auto buf_up_ref = [](const CRYPTO_BUFFER *buf) {
 CRYPTO_BUFFER_up_ref(const_cast(buf));
- return const_cast(buf);
+ return const_cast(buf);
 };
 new_session->certs.reset(sk_CRYPTO_BUFFER_deep_copy( session->certs.get(), buf_up_ref, CRYPTO_BUFFER_free));
@@ -505,7 +504,8 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL_HANDSHAKE *hs, CBB *out,
 total = session_len;
 #else
 int len;
- if (!EVP_EncryptUpdate(ctx.get(), ptr + total, &len, session_buf, session_len)) {
+ if (!EVP_EncryptUpdate(ctx.get(), ptr + total, &len, session_buf,
+ session_len)) {
 return 0;
 }
 total += len;
@@ -521,8 +521,7 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL_HANDSHAKE *hs, CBB *out,
 unsigned hlen;
 if (!HMAC_Update(hctx.get(), CBB_data(out), CBB_len(out)) || !CBB_reserve(out, &ptr, EVP_MAX_MD_SIZE) ||
- !HMAC_Final(hctx.get(), ptr, &hlen) ||
- !CBB_did_write(out, hlen)) {
+ !HMAC_Final(hctx.get(), ptr, &hlen) || !CBB_did_write(out, hlen)) {
 return 0;
 }
@@ -547,8 +546,7 @@ static int ssl_encrypt_ticket_with_method(SSL_HANDSHAKE *hs, CBB *out,
 }
 size_t out_len;
- if (!method->seal(ssl, ptr, &out_len, max_out, session_buf,
- session_len)) {
+ if (!method->seal(ssl, ptr, &out_len, max_out, session_buf, session_len)) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_TICKET_ENCRYPTION_FAILED);
 return 0;
 }
@@ -561,7 +559,7 @@ static int ssl_encrypt_ticket_with_method(SSL_HANDSHAKE *hs, CBB *out,
 }
 bool ssl_encrypt_ticket(SSL_HANDSHAKE *hs, CBB *out,
- const SSL_SESSION *session) {
+ const SSL_SESSION *session) {
 // Serialize the SSL_SESSION to be encoded into the ticket.
 uint8_t *session_buf = nullptr;
 size_t session_len;
@@ -892,7 +890,7 @@ static bool add_session_locked(SSL_CTX *ctx, UniquePtr session) {
 /*lock=*/false)) {
 break;
 }
- ssl_update_counter(ctx, ctx->stats.sess_cache_full, /*lock=*/ false);
+ ssl_update_counter(ctx, ctx->stats.sess_cache_full, /*lock=*/false);
 }
 }
@@ -1021,8 +1019,8 @@ X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session) {
 return session->x509_peer;
 }
-const STACK_OF(CRYPTO_BUFFER) *
- SSL_SESSION_get0_peer_certificates(const SSL_SESSION *session) {
+const STACK_OF(CRYPTO_BUFFER) *SSL_SESSION_get0_peer_certificates(
+ const SSL_SESSION *session) {
 return session->certs.get();
 }
@@ -1247,8 +1245,7 @@ int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session) {
 int SSL_set_session(SSL *ssl, SSL_SESSION *session) {
 // SSL_set_session may only be called before the handshake has started.
- if (ssl->s3->initial_handshake_complete ||
- ssl->s3->hs == NULL ||
+ if (ssl->s3->initial_handshake_complete || ssl->s3->hs == NULL ||
 ssl->s3->hs->state != 0) {
 abort();
 }
@@ -1293,11 +1290,10 @@ typedef struct timeout_param_st {
 static void timeout_doall_arg(SSL_SESSION *session, void *void_param) {
 TIMEOUT_PARAM *param = reinterpret_cast(void_param);
- if (param->time == 0 ||
- session->time + session->timeout < session->time ||
+ if (param->time == 0 || session->time + session->timeout < session->time ||
 param->time > (session->time + session->timeout)) {
 // TODO(davidben): This can probably just call |remove_session|.
- (void) lh_SSL_SESSION_delete(param->cache, session);
+ (void)lh_SSL_SESSION_delete(param->cache, session);
 SSL_SESSION_list_remove(param->ctx, session);
 // TODO(https://crbug.com/boringssl/251): Callbacks should not be called
 // under a lock.
@@ -1330,8 +1326,9 @@ int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *session) {
 return ctx->new_session_cb;
 }
-void SSL_CTX_sess_set_remove_cb(
- SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *session)) {
+void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
+ void (*cb)(SSL_CTX *ctx,
+ SSL_SESSION *session)) {
 ctx->remove_session_cb = cb;
 }
@@ -1353,8 +1350,8 @@ SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,
 return ctx->get_session_cb;
 }
-void SSL_CTX_set_info_callback(
- SSL_CTX *ctx, void (*cb)(const SSL *ssl, int type, int value)) {
+void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,
+ int type, int value)) {
 ctx->info_callback = cb;
 }
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 9de0cb42b8..88e3c474c4 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -43,13 +43,13 @@
 #include
 #include
+#include "../crypto/fipsmodule/ec/internal.h"
+#include "../crypto/fipsmodule/ml_kem/ml_kem.h"
 #include "../crypto/internal.h"
+#include "../crypto/kyber/kem_kyber.h"
 #include "../crypto/test/file_util.h"
 #include "../crypto/test/test_util.h"
 #include "internal.h"
-#include "../crypto/kyber/kem_kyber.h"
-#include "../crypto/fipsmodule/ec/internal.h"
-#include "../crypto/fipsmodule/ml_kem/ml_kem.h"
 #if defined(OPENSSL_WINDOWS)
 // Windows defines struct timeval in winsock2.h.
@@ -541,28 +541,28 @@ static const CipherTest kTLSv13CipherTests[] = {
 };
 static const char *kBadRules[] = {
- // Invalid brackets.
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
- "RSA]",
- "[[RSA]]",
- // Operators inside brackets.
- "[+RSA]",
- // Unknown directive.
- "@BOGUS",
- "BOGUS",
- // COMPLEMENTOFDEFAULT is empty.
- "COMPLEMENTOFDEFAULT",
- // Invalid command.
- "?BAR",
- // Special operators are not allowed if equi-preference groups are used.
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
- // Opcode supplied, but missing selector.
- "+",
- // Spaces are forbidden in equal-preference groups.
- "[AES128-SHA | AES128-SHA256]",
+ // Invalid brackets.
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
+ "RSA]",
+ "[[RSA]]",
+ // Operators inside brackets.
+ "[+RSA]",
+ // Unknown directive.
+ "@BOGUS",
+ "BOGUS",
+ // COMPLEMENTOFDEFAULT is empty.
+ "COMPLEMENTOFDEFAULT",
+ // Invalid command.
+ "?BAR",
+ // Special operators are not allowed if equi-preference groups are used.
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
+ // Opcode supplied, but missing selector.
+ "+",
+ // Spaces are forbidden in equal-preference groups.
+ "[AES128-SHA | AES128-SHA256]",
 };
 static const char *kMustNotIncludeNull[] = {
@@ -582,94 +582,94 @@ static const char *kMustNotInclude3DES[] = { }; static const CurveTest kCurveTests[] = { - { - "P-256", - {SSL_GROUP_SECP256R1}, - }, - { - "P-256:P-384:P-521:X25519", { - SSL_GROUP_SECP256R1, - SSL_GROUP_SECP384R1, - SSL_GROUP_SECP521R1, - SSL_GROUP_X25519, + "P-256", + {SSL_GROUP_SECP256R1}, }, - }, - { - "prime256v1:secp384r1:secp521r1:x25519", { - SSL_GROUP_SECP256R1, - SSL_GROUP_SECP384R1, - SSL_GROUP_SECP521R1, - SSL_GROUP_X25519, + "P-256:P-384:P-521:X25519", + { + SSL_GROUP_SECP256R1, + SSL_GROUP_SECP384R1, + SSL_GROUP_SECP521R1, + SSL_GROUP_X25519, + }, }, - }, - { - "SecP256r1Kyber768Draft00:prime256v1:secp384r1:secp521r1:x25519", { - SSL_GROUP_SECP256R1_KYBER768_DRAFT00, - SSL_GROUP_SECP256R1, - SSL_GROUP_SECP384R1, - SSL_GROUP_SECP521R1, - SSL_GROUP_X25519, + "prime256v1:secp384r1:secp521r1:x25519", + { + SSL_GROUP_SECP256R1, + SSL_GROUP_SECP384R1, + SSL_GROUP_SECP521R1, + SSL_GROUP_X25519, + }, }, - }, - { - "X25519Kyber768Draft00:prime256v1:secp384r1", { - SSL_GROUP_X25519_KYBER768_DRAFT00, - SSL_GROUP_SECP256R1, - SSL_GROUP_SECP384R1, + "SecP256r1Kyber768Draft00:prime256v1:secp384r1:secp521r1:x25519", + { + SSL_GROUP_SECP256R1_KYBER768_DRAFT00, + SSL_GROUP_SECP256R1, + SSL_GROUP_SECP384R1, + SSL_GROUP_SECP521R1, + SSL_GROUP_X25519, + }, }, - }, - { - "X25519:X25519Kyber768Draft00", { - SSL_GROUP_X25519, - SSL_GROUP_X25519_KYBER768_DRAFT00, + "X25519Kyber768Draft00:prime256v1:secp384r1", + { + SSL_GROUP_X25519_KYBER768_DRAFT00, + SSL_GROUP_SECP256R1, + SSL_GROUP_SECP384R1, + }, }, - }, - { - "X25519:SecP256r1Kyber768Draft00:prime256v1", { - SSL_GROUP_X25519, - SSL_GROUP_SECP256R1_KYBER768_DRAFT00, - SSL_GROUP_SECP256R1, + "X25519:X25519Kyber768Draft00", + { + SSL_GROUP_X25519, + SSL_GROUP_X25519_KYBER768_DRAFT00, + }, }, - }, - { - "SecP256r1MLKEM768:prime256v1:secp384r1:secp521r1:x25519", { - SSL_GROUP_SECP256R1_MLKEM768, - SSL_GROUP_SECP256R1, - SSL_GROUP_SECP384R1, - SSL_GROUP_SECP521R1, - SSL_GROUP_X25519, + 
"X25519:SecP256r1Kyber768Draft00:prime256v1", + { + SSL_GROUP_X25519, + SSL_GROUP_SECP256R1_KYBER768_DRAFT00, + SSL_GROUP_SECP256R1, + }, + }, + { + "SecP256r1MLKEM768:prime256v1:secp384r1:secp521r1:x25519", + { + SSL_GROUP_SECP256R1_MLKEM768, + SSL_GROUP_SECP256R1, + SSL_GROUP_SECP384R1, + SSL_GROUP_SECP521R1, + SSL_GROUP_X25519, + }, }, - }, - { - "X25519MLKEM768:prime256v1:secp384r1", { - SSL_GROUP_X25519_MLKEM768, - SSL_GROUP_SECP256R1, - SSL_GROUP_SECP384R1, + "X25519MLKEM768:prime256v1:secp384r1", + { + SSL_GROUP_X25519_MLKEM768, + SSL_GROUP_SECP256R1, + SSL_GROUP_SECP384R1, + }, }, - }, - { - "X25519:X25519MLKEM768", { - SSL_GROUP_X25519, - SSL_GROUP_X25519_MLKEM768, + "X25519:X25519MLKEM768", + { + SSL_GROUP_X25519, + SSL_GROUP_X25519_MLKEM768, + }, }, - }, - { - "X25519:SecP256r1MLKEM768:prime256v1", { - SSL_GROUP_X25519, - SSL_GROUP_SECP256R1_MLKEM768, - SSL_GROUP_SECP256R1, + "X25519:SecP256r1MLKEM768:prime256v1", + { + SSL_GROUP_X25519, + SSL_GROUP_SECP256R1_MLKEM768, + SSL_GROUP_SECP256R1, + }, }, - }, }; 
@@ -681,739 +681,748 @@ static const size_t X25519_KEYSHARE_SIZE = 32; static const size_t X25519_SECRET_SIZE = 32; static const GroupTest kKemGroupTests[] = { - { - NID_KYBER768_R3, - SSL_GROUP_KYBER768_R3, - KYBER768_R3_PUBLIC_KEY_BYTES, - KYBER768_R3_CIPHERTEXT_BYTES, - KYBER_R3_SHARED_SECRET_LEN, - }, - { - NID_MLKEM768, - SSL_GROUP_MLKEM768, - MLKEM768_PUBLIC_KEY_BYTES, - MLKEM768_CIPHERTEXT_BYTES, - MLKEM768_SHARED_SECRET_LEN, - }, + { + NID_KYBER768_R3, + SSL_GROUP_KYBER768_R3, + KYBER768_R3_PUBLIC_KEY_BYTES, + KYBER768_R3_CIPHERTEXT_BYTES, + KYBER_R3_SHARED_SECRET_LEN, + }, + { + NID_MLKEM768, + SSL_GROUP_MLKEM768, + MLKEM768_PUBLIC_KEY_BYTES, + MLKEM768_CIPHERTEXT_BYTES, + MLKEM768_SHARED_SECRET_LEN, + }, }; static const HybridGroupTest kHybridGroupTests[] = { - { - NID_SecP256r1Kyber768Draft00, - SSL_GROUP_SECP256R1_KYBER768_DRAFT00, - P256_KEYSHARE_SIZE + KYBER768_R3_PUBLIC_KEY_BYTES, - P256_KEYSHARE_SIZE + KYBER768_R3_CIPHERTEXT_BYTES, - P256_SECRET_SIZE + KYBER_R3_SHARED_SECRET_LEN, { - P256_KEYSHARE_SIZE, // offer_share_sizes[0] - KYBER768_R3_PUBLIC_KEY_BYTES, // offer_share_sizes[1] + NID_SecP256r1Kyber768Draft00, + SSL_GROUP_SECP256R1_KYBER768_DRAFT00, + P256_KEYSHARE_SIZE + KYBER768_R3_PUBLIC_KEY_BYTES, + P256_KEYSHARE_SIZE + KYBER768_R3_CIPHERTEXT_BYTES, + P256_SECRET_SIZE + KYBER_R3_SHARED_SECRET_LEN, + { + P256_KEYSHARE_SIZE, // offer_share_sizes[0] + KYBER768_R3_PUBLIC_KEY_BYTES, // offer_share_sizes[1] + }, + { + P256_KEYSHARE_SIZE, // accept_share_sizes[0] + KYBER768_R3_CIPHERTEXT_BYTES, // accept_share_sizes[1] + }, }, { - P256_KEYSHARE_SIZE, // accept_share_sizes[0] - KYBER768_R3_CIPHERTEXT_BYTES, // accept_share_sizes[1] + NID_X25519Kyber768Draft00, + SSL_GROUP_X25519_KYBER768_DRAFT00, + X25519_KEYSHARE_SIZE + KYBER768_R3_PUBLIC_KEY_BYTES, + X25519_KEYSHARE_SIZE + KYBER768_R3_CIPHERTEXT_BYTES, + X25519_SECRET_SIZE + KYBER_R3_SHARED_SECRET_LEN, + { + X25519_KEYSHARE_SIZE, // offer_share_sizes[0] + KYBER768_R3_PUBLIC_KEY_BYTES, // 
offer_share_sizes[1] + }, + { + X25519_KEYSHARE_SIZE, // accept_share_sizes[0] + KYBER768_R3_CIPHERTEXT_BYTES, // accept_share_sizes[1] + }, }, - }, - { - NID_X25519Kyber768Draft00, - SSL_GROUP_X25519_KYBER768_DRAFT00, - X25519_KEYSHARE_SIZE + KYBER768_R3_PUBLIC_KEY_BYTES, - X25519_KEYSHARE_SIZE + KYBER768_R3_CIPHERTEXT_BYTES, - X25519_SECRET_SIZE + KYBER_R3_SHARED_SECRET_LEN, { - X25519_KEYSHARE_SIZE, // offer_share_sizes[0] - KYBER768_R3_PUBLIC_KEY_BYTES, // offer_share_sizes[1] + NID_SecP256r1MLKEM768, + SSL_GROUP_SECP256R1_MLKEM768, + P256_KEYSHARE_SIZE + MLKEM768_PUBLIC_KEY_BYTES, + P256_KEYSHARE_SIZE + MLKEM768_CIPHERTEXT_BYTES, + P256_SECRET_SIZE + MLKEM768_SHARED_SECRET_LEN, + { + P256_KEYSHARE_SIZE, // offer_share_sizes[0] + MLKEM768_PUBLIC_KEY_BYTES, // offer_share_sizes[1] + }, + { + P256_KEYSHARE_SIZE, // accept_share_sizes[0] + MLKEM768_CIPHERTEXT_BYTES, // accept_share_sizes[1] + }, }, { - X25519_KEYSHARE_SIZE, // accept_share_sizes[0] - KYBER768_R3_CIPHERTEXT_BYTES, // accept_share_sizes[1] + NID_X25519MLKEM768, + SSL_GROUP_X25519_MLKEM768, + X25519_KEYSHARE_SIZE + MLKEM768_PUBLIC_KEY_BYTES, + X25519_KEYSHARE_SIZE + MLKEM768_CIPHERTEXT_BYTES, + X25519_SECRET_SIZE + MLKEM768_SHARED_SECRET_LEN, + { + // MLKEM768 is sent first for X25519MLKEM768 for FIPS compliance + // See: + // https://datatracker.ietf.org/doc/html/draft-kwiatkowski-tls-ecdhe-mlkem.html#section-3 + MLKEM768_PUBLIC_KEY_BYTES, // offer_share_sizes[0] + X25519_KEYSHARE_SIZE, // offer_share_sizes[1] + }, + { + // MLKEM768 is sent first for X25519MLKEM768 for FIPS compliance + // See: + // https://datatracker.ietf.org/doc/html/draft-kwiatkowski-tls-ecdhe-mlkem.html#section-3 + MLKEM768_CIPHERTEXT_BYTES, // accept_share_sizes[0] + X25519_KEYSHARE_SIZE, // accept_share_sizes[1] + }, }, - }, - { - NID_SecP256r1MLKEM768, - SSL_GROUP_SECP256R1_MLKEM768, - P256_KEYSHARE_SIZE + MLKEM768_PUBLIC_KEY_BYTES, - P256_KEYSHARE_SIZE + MLKEM768_CIPHERTEXT_BYTES, - P256_SECRET_SIZE + 
MLKEM768_SHARED_SECRET_LEN, +}; + +static const char *kBadCurvesLists[] = { + "", + ":", + "::", + "P-256::X25519", + "RSA:P-256", + "P-256:RSA", + "X25519:P-256:", + ":X25519:P-256", + "kyber768_r3", + "x25519_kyber768:prime256v1", + "mlkem768", + "x25519_mlkem768:prime256v1", +}; + +static const HybridHandshakeTest kHybridHandshakeTests[] = { + // The corresponding hybrid group should be negotiated when client + // and server support only that group { - P256_KEYSHARE_SIZE, // offer_share_sizes[0] - MLKEM768_PUBLIC_KEY_BYTES, // offer_share_sizes[1] + "X25519Kyber768Draft00", + TLS1_3_VERSION, + "X25519Kyber768Draft00", + TLS1_3_VERSION, + SSL_GROUP_X25519_KYBER768_DRAFT00, + false, }, + { - P256_KEYSHARE_SIZE, // accept_share_sizes[0] - MLKEM768_CIPHERTEXT_BYTES, // accept_share_sizes[1] + "SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + "SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1_KYBER768_DRAFT00, + false, }, - }, - { - NID_X25519MLKEM768, - SSL_GROUP_X25519_MLKEM768, - X25519_KEYSHARE_SIZE + MLKEM768_PUBLIC_KEY_BYTES, - X25519_KEYSHARE_SIZE + MLKEM768_CIPHERTEXT_BYTES, - X25519_SECRET_SIZE + MLKEM768_SHARED_SECRET_LEN, + + // The client's preferred hybrid group should be negotiated when also + // supported by the server, even if the server "prefers"/supports other + // groups. 
{ - // MLKEM768 is sent first for X25519MLKEM768 for FIPS compliance - // See: https://datatracker.ietf.org/doc/html/draft-kwiatkowski-tls-ecdhe-mlkem.html#section-3 - MLKEM768_PUBLIC_KEY_BYTES, // offer_share_sizes[0] - X25519_KEYSHARE_SIZE, // offer_share_sizes[1] + "X25519Kyber768Draft00:x25519", + TLS1_3_VERSION, + "x25519:prime256v1:X25519Kyber768Draft00", + TLS1_3_VERSION, + SSL_GROUP_X25519_KYBER768_DRAFT00, + false, }, + { - // MLKEM768 is sent first for X25519MLKEM768 for FIPS compliance - // See: https://datatracker.ietf.org/doc/html/draft-kwiatkowski-tls-ecdhe-mlkem.html#section-3 - MLKEM768_CIPHERTEXT_BYTES, // accept_share_sizes[0] - X25519_KEYSHARE_SIZE, // accept_share_sizes[1] + "X25519Kyber768Draft00:x25519", + TLS1_3_VERSION, + "X25519Kyber768Draft00:x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519_KYBER768_DRAFT00, + false, }, - }, -}; -static const char *kBadCurvesLists[] = { - "", - ":", - "::", - "P-256::X25519", - "RSA:P-256", - "P-256:RSA", - "X25519:P-256:", - ":X25519:P-256", - "kyber768_r3", - "x25519_kyber768:prime256v1", - "mlkem768", - "x25519_mlkem768:prime256v1", -}; + { + "SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + "X25519Kyber768Draft00:secp384r1:x25519:SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1_KYBER768_DRAFT00, + false, + }, -static const HybridHandshakeTest kHybridHandshakeTests[] = { - // The corresponding hybrid group should be negotiated when client - // and server support only that group - { - "X25519Kyber768Draft00", - TLS1_3_VERSION, - "X25519Kyber768Draft00", - TLS1_3_VERSION, - SSL_GROUP_X25519_KYBER768_DRAFT00, - false, - }, + // The client lists PQ/hybrid groups as both first and second preferences. + // The key share logic is implemented such that the client will always + // attempt to send one hybrid key share and one classical key share. 
+ // Therefore, the client will send key shares [SecP256r1Kyber768Draft00, + // x25519], + // skipping X25519Kyber768Draft00, and the server will choose to negotiate + // x25519 since it is the only mutually supported group. + { + "SecP256r1Kyber768Draft00:X25519Kyber768Draft00:x25519", + TLS1_3_VERSION, + "secp384r1:x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519, + false, + }, - { - "SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - "SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1_KYBER768_DRAFT00, - false, - }, - - // The client's preferred hybrid group should be negotiated when also - // supported by the server, even if the server "prefers"/supports other groups. - { - "X25519Kyber768Draft00:x25519", - TLS1_3_VERSION, - "x25519:prime256v1:X25519Kyber768Draft00", - TLS1_3_VERSION, - SSL_GROUP_X25519_KYBER768_DRAFT00, - false, - }, + // The client will send key shares [x25519, SecP256r1Kyber768Draft00]. + // The server will negotiate SecP256r1Kyber768Draft00 since it is the only + // mutually supported group. + { + "x25519:secp384r1:SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + "SecP256r1Kyber768Draft00:prime256v1", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1_KYBER768_DRAFT00, + false, + }, - { - "X25519Kyber768Draft00:x25519", - TLS1_3_VERSION, - "X25519Kyber768Draft00:x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519_KYBER768_DRAFT00, - false, - }, + // The client will send key shares [x25519, SecP256r1Kyber768Draft00]. The + // server will negotiate x25519 since the client listed it as its first + // preference, even though it supports SecP256r1Kyber768Draft00. 
+ { + "x25519:prime256v1:SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + "prime256v1:x25519:SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + SSL_GROUP_X25519, + false, + }, - { - "SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - "X25519Kyber768Draft00:secp384r1:x25519:SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1_KYBER768_DRAFT00, - false, - }, - - // The client lists PQ/hybrid groups as both first and second preferences. - // The key share logic is implemented such that the client will always - // attempt to send one hybrid key share and one classical key share. - // Therefore, the client will send key shares [SecP256r1Kyber768Draft00, x25519], - // skipping X25519Kyber768Draft00, and the server will choose to negotiate - // x25519 since it is the only mutually supported group. - { - "SecP256r1Kyber768Draft00:X25519Kyber768Draft00:x25519", - TLS1_3_VERSION, - "secp384r1:x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519, - false, - }, - - // The client will send key shares [x25519, SecP256r1Kyber768Draft00]. - // The server will negotiate SecP256r1Kyber768Draft00 since it is the only - // mutually supported group. - { - "x25519:secp384r1:SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - "SecP256r1Kyber768Draft00:prime256v1", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1_KYBER768_DRAFT00, - false, - }, - - // The client will send key shares [x25519, SecP256r1Kyber768Draft00]. The - // server will negotiate x25519 since the client listed it as its first - // preference, even though it supports SecP256r1Kyber768Draft00. - { - "x25519:prime256v1:SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - "prime256v1:x25519:SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - SSL_GROUP_X25519, - false, - }, - - // The client will send key shares [SecP256r1Kyber768Draft00, x25519]. - // The server will negotiate SecP256r1Kyber768Draft00 since the client listed - // it as its first preference. 
- { - "SecP256r1Kyber768Draft00:x25519:prime256v1", - TLS1_3_VERSION, - "prime256v1:x25519:SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1_KYBER768_DRAFT00, - false, - }, - - // In the supported_groups extension, the client will indicate its - // preferences, in order, as [SecP256r1Kyber768Draft00, X25519Kyber768Draft00, - // x25519, prime256v1]. From those groups, it will send key shares - // [SecP256r1Kyber768Draft00, x25519]. The server supports, and receives a - // key share for, x25519. However, when selecting a mutually supported group - // to negotiate, the server recognizes that the client prefers - // X25519Kyber768Draft00 over x25519. Since the server also supports - // X25519Kyber768Draft00, but did not receive a key share for it, it will - // select it and send an HRR. This ensures that the client's highest - // preference group will be negotiated, even at the expense of an additional - // round-trip. - // - // In our SSL implementation, this situation is unique to the case where the - // client supports both ECC and hybrid/PQ. When sending key shares, the - // client will send at most two key shares in one of the following ways: + // The client will send key shares [SecP256r1Kyber768Draft00, x25519]. + // The server will negotiate SecP256r1Kyber768Draft00 since the client + // listed + // it as its first preference. + { + "SecP256r1Kyber768Draft00:x25519:prime256v1", + TLS1_3_VERSION, + "prime256v1:x25519:SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1_KYBER768_DRAFT00, + false, + }, - // (a) one ECC key share - if the client supports only ECC; - // (b) one PQ key share - if the client supports only PQ; - // (c) one ECC and one PQ key share - if the client supports ECC and PQ. - // - // One of the above cases will be true irrespective of how many groups - // the client supports. If, say, the client supports four ECC groups - // and zero PQ groups, it will still only send a single ECC share. 
In cases - // (a) and (b), either the server supports that group and chooses to - // negotiate it, or it doesn't support it and sends an HRR. Case (c) is the - // only case where the server might receive a key share for a mutually - // supported group, but chooses to respect the client's preference order - // defined in the supported_groups extension at the expense of an additional - // round-trip. - { - "SecP256r1Kyber768Draft00:X25519Kyber768Draft00:x25519:prime256v1", - TLS1_3_VERSION, - "X25519Kyber768Draft00:prime256v1:x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519_KYBER768_DRAFT00, - true, - }, - - // Like the previous case, but the client's prioritization of ECC and PQ - // is inverted. - { - "x25519:prime256v1:SecP256r1Kyber768Draft00:X25519Kyber768Draft00", - TLS1_3_VERSION, - "X25519Kyber768Draft00:prime256v1", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1, - true, - }, - - // The client will send key shares [SecP256r1Kyber768Draft00, x25519]. The - // server will negotiate X25519Kyber768Draft00 after an HRR. 
- { - "SecP256r1Kyber768Draft00:X25519Kyber768Draft00:x25519:prime256v1", - TLS1_3_VERSION, - "X25519Kyber768Draft00:prime256v1", - TLS1_3_VERSION, - SSL_GROUP_X25519_KYBER768_DRAFT00, - true, - }, - - // EC should be negotiated when client prefers EC, or server does not - // support hybrid - { - "X25519Kyber768Draft00:x25519", - TLS1_3_VERSION, - "x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519, - false, - }, - { - "x25519:SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - "x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519, - false, - }, - { - "prime256v1:X25519Kyber768Draft00", - TLS1_3_VERSION, - "X25519Kyber768Draft00:prime256v1", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1, - false, - }, - { - "prime256v1:x25519:SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - "x25519:prime256v1:SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1, - false, - }, - - // EC should be negotiated, after a HelloRetryRequest, if the server - // supports only curves for which it did not initially receive a key share - { - "X25519Kyber768Draft00:x25519:SecP256r1Kyber768Draft00:prime256v1", - TLS1_3_VERSION, - "prime256v1", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1, - true, - }, - { - "X25519Kyber768Draft00:SecP256r1Kyber768Draft00:prime256v1:x25519", - TLS1_3_VERSION, - "secp224r1:secp384r1:secp521r1:x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519, - true, - }, - - // Hybrid should be negotiated, after a HelloRetryRequest, if the server - // supports only curves for which it did not initially receive a key share - { - "x25519:prime256v1:SecP256r1Kyber768Draft00:X25519Kyber768Draft00", - TLS1_3_VERSION, - "secp224r1:X25519Kyber768Draft00:secp521r1", - TLS1_3_VERSION, - SSL_GROUP_X25519_KYBER768_DRAFT00, - true, - }, - { - "X25519Kyber768Draft00:x25519:prime256v1:SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - "SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1_KYBER768_DRAFT00, - true, - }, - - // If there is no overlap between client and server groups, - // the handshake 
should fail - { - "SecP256r1Kyber768Draft00:X25519Kyber768Draft00:secp384r1", - TLS1_3_VERSION, - "prime256v1:x25519", - TLS1_3_VERSION, - 0, - false, - }, - { - "secp384r1:SecP256r1Kyber768Draft00:X25519Kyber768Draft00", - TLS1_3_VERSION, - "prime256v1:x25519", - TLS1_3_VERSION, - 0, - false, - }, - { - "secp384r1:SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - "prime256v1:x25519:X25519Kyber768Draft00", - TLS1_3_VERSION, - 0, - false, - }, - { - "SecP256r1Kyber768Draft00", - TLS1_3_VERSION, - "X25519Kyber768Draft00", - TLS1_3_VERSION, - 0, - false, - }, - - // If the client supports hybrid TLS 1.3, but the server - // only supports TLS 1.2, then TLS 1.2 EC should be negotiated. - { - "SecP256r1Kyber768Draft00:prime256v1", - TLS1_3_VERSION, - "prime256v1:x25519", - TLS1_2_VERSION, - SSL_GROUP_SECP256R1, - false, - }, - - // Same as above, but server also has SecP256r1Kyber768Draft00 in it's - // supported list, but can't use it since TLS 1.3 is the minimum version that - // supports PQ. - { - "SecP256r1Kyber768Draft00:prime256v1", - TLS1_3_VERSION, - "SecP256r1Kyber768Draft00:prime256v1:x25519", - TLS1_2_VERSION, - SSL_GROUP_SECP256R1, - false, - }, - - // If the client configures the curve list to include a hybrid - // curve, then initiates a 1.2 handshake, it will not advertise - // hybrid groups because hybrid is not supported for 1.2. So - // a 1.2 EC handshake will be negotiated (even if the server - // supports 1.3 with corresponding hybrid group). 
- { - "SecP256r1Kyber768Draft00:x25519", - TLS1_2_VERSION, - "SecP256r1Kyber768Draft00:x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519, - false, - }, - { - "SecP256r1Kyber768Draft00:prime256v1", - TLS1_2_VERSION, - "prime256v1:x25519", - TLS1_2_VERSION, - SSL_GROUP_SECP256R1, - false, - }, - // The corresponding hybrid group should be negotiated when client - // and server support only that group - { - "X25519MLKEM768", - TLS1_3_VERSION, - "X25519MLKEM768", - TLS1_3_VERSION, - SSL_GROUP_X25519_MLKEM768, - false, - }, + // In the supported_groups extension, the client will indicate its + // preferences, in order, as [SecP256r1Kyber768Draft00, + // X25519Kyber768Draft00, + // x25519, prime256v1]. From those groups, it will send key shares + // [SecP256r1Kyber768Draft00, x25519]. The server supports, and receives a + // key share for, x25519. However, when selecting a mutually supported group + // to negotiate, the server recognizes that the client prefers + // X25519Kyber768Draft00 over x25519. Since the server also supports + // X25519Kyber768Draft00, but did not receive a key share for it, it will + // select it and send an HRR. This ensures that the client's highest + // preference group will be negotiated, even at the expense of an additional + // round-trip. + // + // In our SSL implementation, this situation is unique to the case where the + // client supports both ECC and hybrid/PQ. When sending key shares, the + // client will send at most two key shares in one of the following ways: - { - "SecP256r1MLKEM768", - TLS1_3_VERSION, - "SecP256r1MLKEM768", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1_MLKEM768, - false, - }, - - // The client's preferred hybrid group should be negotiated when also - // supported by the server, even if the server "prefers"/supports other groups. 
- { - "X25519MLKEM768:x25519", - TLS1_3_VERSION, - "x25519:prime256v1:X25519MLKEM768", - TLS1_3_VERSION, - SSL_GROUP_X25519_MLKEM768, - false, - }, + // (a) one ECC key share - if the client supports only ECC; + // (b) one PQ key share - if the client supports only PQ; + // (c) one ECC and one PQ key share - if the client supports ECC and PQ. + // + // One of the above cases will be true irrespective of how many groups + // the client supports. If, say, the client supports four ECC groups + // and zero PQ groups, it will still only send a single ECC share. In cases + // (a) and (b), either the server supports that group and chooses to + // negotiate it, or it doesn't support it and sends an HRR. Case (c) is the + // only case where the server might receive a key share for a mutually + // supported group, but chooses to respect the client's preference order + // defined in the supported_groups extension at the expense of an additional + // round-trip. + { + "SecP256r1Kyber768Draft00:X25519Kyber768Draft00:x25519:prime256v1", + TLS1_3_VERSION, + "X25519Kyber768Draft00:prime256v1:x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519_KYBER768_DRAFT00, + true, + }, - { - "X25519MLKEM768:x25519", - TLS1_3_VERSION, - "X25519MLKEM768:x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519_MLKEM768, - false, - }, + // Like the previous case, but the client's prioritization of ECC and PQ + // is inverted. + { + "x25519:prime256v1:SecP256r1Kyber768Draft00:X25519Kyber768Draft00", + TLS1_3_VERSION, + "X25519Kyber768Draft00:prime256v1", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1, + true, + }, - { - "SecP256r1MLKEM768", - TLS1_3_VERSION, - "X25519MLKEM768:secp384r1:x25519:SecP256r1MLKEM768", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1_MLKEM768, - false, - }, - - // The client lists PQ/hybrid groups as both first and second preferences. - // The key share logic is implemented such that the client will always - // attempt to send one hybrid key share and one classical key share. 
- // Therefore, the client will send key shares [SecP256r1MLKEM768, x25519], - // skipping X25519MLKEM768, and the server will choose to negotiate - // x25519 since it is the only mutually supported group. - { - "SecP256r1MLKEM768:X25519MLKEM768:x25519", - TLS1_3_VERSION, - "secp384r1:x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519, - false, - }, - - // The client will send key shares [x25519, SecP256r1MLKEM768]. - // The server will negotiate SecP256r1MLKEM768 since it is the only - // mutually supported group. - { - "x25519:secp384r1:SecP256r1MLKEM768", - TLS1_3_VERSION, - "SecP256r1MLKEM768:prime256v1", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1_MLKEM768, - false, - }, - - // The client will send key shares [x25519, SecP256r1MLKEM768]. The - // server will negotiate x25519 since the client listed it as its first - // preference, even though it supports SecP256r1MLKEM768. - { - "x25519:prime256v1:SecP256r1MLKEM768", - TLS1_3_VERSION, - "prime256v1:x25519:SecP256r1MLKEM768", - TLS1_3_VERSION, - SSL_GROUP_X25519, - false, - }, - - // The client will send key shares [SecP256r1MLKEM768, x25519]. - // The server will negotiate SecP256r1MLKEM768 since the client listed - // it as its first preference. - { - "SecP256r1MLKEM768:x25519:prime256v1", - TLS1_3_VERSION, - "prime256v1:x25519:SecP256r1MLKEM768", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1_MLKEM768, - false, - }, - - // In the supported_groups extension, the client will indicate its - // preferences, in order, as [SecP256r1MLKEM768, X25519MLKEM768, - // x25519, prime256v1]. From those groups, it will send key shares - // [SecP256r1MLKEM768, x25519]. The server supports, and receives a - // key share for, x25519. However, when selecting a mutually supported group - // to negotiate, the server recognizes that the client prefers - // X25519MLKEM768 over x25519. Since the server also supports - // X25519MLKEM768, but did not receive a key share for it, it will - // select it and send an HRR. 
This ensures that the client's highest - // preference group will be negotiated, even at the expense of an additional - // round-trip. - // - // In our SSL implementation, this situation is unique to the case where the - // client supports both ECC and hybrid/PQ. When sending key shares, the - // client will send at most two key shares in one of the following ways: + // The client will send key shares [SecP256r1Kyber768Draft00, x25519]. The + // server will negotiate X25519Kyber768Draft00 after an HRR. + { + "SecP256r1Kyber768Draft00:X25519Kyber768Draft00:x25519:prime256v1", + TLS1_3_VERSION, + "X25519Kyber768Draft00:prime256v1", + TLS1_3_VERSION, + SSL_GROUP_X25519_KYBER768_DRAFT00, + true, + }, - // (a) one ECC key share - if the client supports only ECC; - // (b) one PQ key share - if the client supports only PQ; - // (c) one ECC and one PQ key share - if the client supports ECC and PQ. - // - // One of the above cases will be true irrespective of how many groups - // the client supports. If, say, the client supports four ECC groups - // and zero PQ groups, it will still only send a single ECC share. In cases - // (a) and (b), either the server supports that group and chooses to - // negotiate it, or it doesn't support it and sends an HRR. Case (c) is the - // only case where the server might receive a key share for a mutually - // supported group, but chooses to respect the client's preference order - // defined in the supported_groups extension at the expense of an additional - // round-trip. - { - "SecP256r1MLKEM768:X25519MLKEM768:x25519:prime256v1", - TLS1_3_VERSION, - "X25519MLKEM768:prime256v1:x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519_MLKEM768, - true, - }, - - // Like the previous case, but the client's prioritization of ECC and PQ - // is inverted. 
- { - "x25519:prime256v1:SecP256r1MLKEM768:X25519MLKEM768", - TLS1_3_VERSION, - "X25519MLKEM768:prime256v1", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1, - true, - }, - - // The client will send key shares [SecP256r1MLKEM768, x25519]. The - // server will negotiate X25519MLKEM768 after an HRR. - { - "SecP256r1MLKEM768:X25519MLKEM768:x25519:prime256v1", - TLS1_3_VERSION, - "X25519MLKEM768:prime256v1", - TLS1_3_VERSION, - SSL_GROUP_X25519_MLKEM768, - true, - }, - - // EC should be negotiated when client prefers EC, or server does not - // support hybrid - { - "X25519MLKEM768:x25519", - TLS1_3_VERSION, - "x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519, - false, - }, - { - "x25519:SecP256r1MLKEM768", - TLS1_3_VERSION, - "x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519, - false, - }, - { - "prime256v1:X25519MLKEM768", - TLS1_3_VERSION, - "X25519MLKEM768:prime256v1", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1, - false, - }, - { - "prime256v1:x25519:SecP256r1MLKEM768", - TLS1_3_VERSION, - "x25519:prime256v1:SecP256r1MLKEM768", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1, - false, - }, - - // EC should be negotiated, after a HelloRetryRequest, if the server - // supports only curves for which it did not initially receive a key share - { - "X25519MLKEM768:x25519:SecP256r1MLKEM768:prime256v1", - TLS1_3_VERSION, - "prime256v1", - TLS1_3_VERSION, - SSL_GROUP_SECP256R1, - true, - }, - { - "X25519MLKEM768:SecP256r1MLKEM768:prime256v1:x25519", - TLS1_3_VERSION, - "secp224r1:secp384r1:secp521r1:x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519, - true, - }, - - // Hybrid should be negotiated, after a HelloRetryRequest, if the server - // supports only curves for which it did not initially receive a key share - { - "x25519:prime256v1:SecP256r1MLKEM768:X25519MLKEM768", - TLS1_3_VERSION, - "secp224r1:X25519MLKEM768:secp521r1", - TLS1_3_VERSION, - SSL_GROUP_X25519_MLKEM768, - true, - }, - { - "X25519MLKEM768:x25519:prime256v1:SecP256r1MLKEM768", - TLS1_3_VERSION, - "SecP256r1MLKEM768", - 
TLS1_3_VERSION, - SSL_GROUP_SECP256R1_MLKEM768, - true, - }, - - // If there is no overlap between client and server groups, - // the handshake should fail - { - "SecP256r1MLKEM768:X25519MLKEM768:secp384r1", - TLS1_3_VERSION, - "prime256v1:x25519", - TLS1_3_VERSION, - 0, - false, - }, - { - "secp384r1:SecP256r1MLKEM768:X25519MLKEM768", - TLS1_3_VERSION, - "prime256v1:x25519", - TLS1_3_VERSION, - 0, - false, - }, - { - "secp384r1:SecP256r1MLKEM768", - TLS1_3_VERSION, - "prime256v1:x25519:X25519MLKEM768", - TLS1_3_VERSION, - 0, - false, - }, - { - "SecP256r1MLKEM768", - TLS1_3_VERSION, - "X25519MLKEM768", - TLS1_3_VERSION, - 0, - false, - }, - - // If the client supports hybrid TLS 1.3, but the server - // only supports TLS 1.2, then TLS 1.2 EC should be negotiated. - { - "SecP256r1MLKEM768:prime256v1", - TLS1_3_VERSION, - "prime256v1:x25519", - TLS1_2_VERSION, - SSL_GROUP_SECP256R1, - false, - }, - - // Same as above, but server also has SecP256r1MLKEM768 in it's - // supported list, but can't use it since TLS 1.3 is the minimum version that - // supports PQ. - { - "SecP256r1MLKEM768:prime256v1", - TLS1_3_VERSION, - "SecP256r1MLKEM768:prime256v1:x25519", - TLS1_2_VERSION, - SSL_GROUP_SECP256R1, - false, - }, - - // If the client configures the curve list to include a hybrid - // curve, then initiates a 1.2 handshake, it will not advertise - // hybrid groups because hybrid is not supported for 1.2. So - // a 1.2 EC handshake will be negotiated (even if the server - // supports 1.3 with corresponding hybrid group). 
- { - "SecP256r1MLKEM768:x25519", - TLS1_2_VERSION, - "SecP256r1MLKEM768:x25519", - TLS1_3_VERSION, - SSL_GROUP_X25519, - false, - }, - { - "SecP256r1MLKEM768:prime256v1", - TLS1_2_VERSION, - "prime256v1:x25519", - TLS1_2_VERSION, - SSL_GROUP_SECP256R1, - false, - }, + // EC should be negotiated when client prefers EC, or server does not + // support hybrid + { + "X25519Kyber768Draft00:x25519", + TLS1_3_VERSION, + "x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519, + false, + }, + { + "x25519:SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + "x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519, + false, + }, + { + "prime256v1:X25519Kyber768Draft00", + TLS1_3_VERSION, + "X25519Kyber768Draft00:prime256v1", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1, + false, + }, + { + "prime256v1:x25519:SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + "x25519:prime256v1:SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1, + false, + }, + + // EC should be negotiated, after a HelloRetryRequest, if the server + // supports only curves for which it did not initially receive a key share + { + "X25519Kyber768Draft00:x25519:SecP256r1Kyber768Draft00:prime256v1", + TLS1_3_VERSION, + "prime256v1", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1, + true, + }, + { + "X25519Kyber768Draft00:SecP256r1Kyber768Draft00:prime256v1:x25519", + TLS1_3_VERSION, + "secp224r1:secp384r1:secp521r1:x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519, + true, + }, + + // Hybrid should be negotiated, after a HelloRetryRequest, if the server + // supports only curves for which it did not initially receive a key share + { + "x25519:prime256v1:SecP256r1Kyber768Draft00:X25519Kyber768Draft00", + TLS1_3_VERSION, + "secp224r1:X25519Kyber768Draft00:secp521r1", + TLS1_3_VERSION, + SSL_GROUP_X25519_KYBER768_DRAFT00, + true, + }, + { + "X25519Kyber768Draft00:x25519:prime256v1:SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + "SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1_KYBER768_DRAFT00, + true, + }, + + // If there is 
no overlap between client and server groups, + // the handshake should fail + { + "SecP256r1Kyber768Draft00:X25519Kyber768Draft00:secp384r1", + TLS1_3_VERSION, + "prime256v1:x25519", + TLS1_3_VERSION, + 0, + false, + }, + { + "secp384r1:SecP256r1Kyber768Draft00:X25519Kyber768Draft00", + TLS1_3_VERSION, + "prime256v1:x25519", + TLS1_3_VERSION, + 0, + false, + }, + { + "secp384r1:SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + "prime256v1:x25519:X25519Kyber768Draft00", + TLS1_3_VERSION, + 0, + false, + }, + { + "SecP256r1Kyber768Draft00", + TLS1_3_VERSION, + "X25519Kyber768Draft00", + TLS1_3_VERSION, + 0, + false, + }, + + // If the client supports hybrid TLS 1.3, but the server + // only supports TLS 1.2, then TLS 1.2 EC should be negotiated. + { + "SecP256r1Kyber768Draft00:prime256v1", + TLS1_3_VERSION, + "prime256v1:x25519", + TLS1_2_VERSION, + SSL_GROUP_SECP256R1, + false, + }, + + // Same as above, but server also has SecP256r1Kyber768Draft00 in it's + // supported list, but can't use it since TLS 1.3 is the minimum version + // that + // supports PQ. + { + "SecP256r1Kyber768Draft00:prime256v1", + TLS1_3_VERSION, + "SecP256r1Kyber768Draft00:prime256v1:x25519", + TLS1_2_VERSION, + SSL_GROUP_SECP256R1, + false, + }, + + // If the client configures the curve list to include a hybrid + // curve, then initiates a 1.2 handshake, it will not advertise + // hybrid groups because hybrid is not supported for 1.2. So + // a 1.2 EC handshake will be negotiated (even if the server + // supports 1.3 with corresponding hybrid group). 
+ { + "SecP256r1Kyber768Draft00:x25519", + TLS1_2_VERSION, + "SecP256r1Kyber768Draft00:x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519, + false, + }, + { + "SecP256r1Kyber768Draft00:prime256v1", + TLS1_2_VERSION, + "prime256v1:x25519", + TLS1_2_VERSION, + SSL_GROUP_SECP256R1, + false, + }, + // The corresponding hybrid group should be negotiated when client + // and server support only that group + { + "X25519MLKEM768", + TLS1_3_VERSION, + "X25519MLKEM768", + TLS1_3_VERSION, + SSL_GROUP_X25519_MLKEM768, + false, + }, + + { + "SecP256r1MLKEM768", + TLS1_3_VERSION, + "SecP256r1MLKEM768", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1_MLKEM768, + false, + }, + + // The client's preferred hybrid group should be negotiated when also + // supported by the server, even if the server "prefers"/supports other + // groups. + { + "X25519MLKEM768:x25519", + TLS1_3_VERSION, + "x25519:prime256v1:X25519MLKEM768", + TLS1_3_VERSION, + SSL_GROUP_X25519_MLKEM768, + false, + }, + + { + "X25519MLKEM768:x25519", + TLS1_3_VERSION, + "X25519MLKEM768:x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519_MLKEM768, + false, + }, + + { + "SecP256r1MLKEM768", + TLS1_3_VERSION, + "X25519MLKEM768:secp384r1:x25519:SecP256r1MLKEM768", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1_MLKEM768, + false, + }, + + // The client lists PQ/hybrid groups as both first and second preferences. + // The key share logic is implemented such that the client will always + // attempt to send one hybrid key share and one classical key share. + // Therefore, the client will send key shares [SecP256r1MLKEM768, x25519], + // skipping X25519MLKEM768, and the server will choose to negotiate + // x25519 since it is the only mutually supported group. + { + "SecP256r1MLKEM768:X25519MLKEM768:x25519", + TLS1_3_VERSION, + "secp384r1:x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519, + false, + }, + + // The client will send key shares [x25519, SecP256r1MLKEM768]. 
+ // The server will negotiate SecP256r1MLKEM768 since it is the only + // mutually supported group. + { + "x25519:secp384r1:SecP256r1MLKEM768", + TLS1_3_VERSION, + "SecP256r1MLKEM768:prime256v1", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1_MLKEM768, + false, + }, + + // The client will send key shares [x25519, SecP256r1MLKEM768]. The + // server will negotiate x25519 since the client listed it as its first + // preference, even though it supports SecP256r1MLKEM768. + { + "x25519:prime256v1:SecP256r1MLKEM768", + TLS1_3_VERSION, + "prime256v1:x25519:SecP256r1MLKEM768", + TLS1_3_VERSION, + SSL_GROUP_X25519, + false, + }, + + // The client will send key shares [SecP256r1MLKEM768, x25519]. + // The server will negotiate SecP256r1MLKEM768 since the client listed + // it as its first preference. + { + "SecP256r1MLKEM768:x25519:prime256v1", + TLS1_3_VERSION, + "prime256v1:x25519:SecP256r1MLKEM768", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1_MLKEM768, + false, + }, + + // In the supported_groups extension, the client will indicate its + // preferences, in order, as [SecP256r1MLKEM768, X25519MLKEM768, + // x25519, prime256v1]. From those groups, it will send key shares + // [SecP256r1MLKEM768, x25519]. The server supports, and receives a + // key share for, x25519. However, when selecting a mutually supported group + // to negotiate, the server recognizes that the client prefers + // X25519MLKEM768 over x25519. Since the server also supports + // X25519MLKEM768, but did not receive a key share for it, it will + // select it and send an HRR. This ensures that the client's highest + // preference group will be negotiated, even at the expense of an additional + // round-trip. + // + // In our SSL implementation, this situation is unique to the case where the + // client supports both ECC and hybrid/PQ. 
When sending key shares, the + // client will send at most two key shares in one of the following ways: + + // (a) one ECC key share - if the client supports only ECC; + // (b) one PQ key share - if the client supports only PQ; + // (c) one ECC and one PQ key share - if the client supports ECC and PQ. + // + // One of the above cases will be true irrespective of how many groups + // the client supports. If, say, the client supports four ECC groups + // and zero PQ groups, it will still only send a single ECC share. In cases + // (a) and (b), either the server supports that group and chooses to + // negotiate it, or it doesn't support it and sends an HRR. Case (c) is the + // only case where the server might receive a key share for a mutually + // supported group, but chooses to respect the client's preference order + // defined in the supported_groups extension at the expense of an additional + // round-trip. + { + "SecP256r1MLKEM768:X25519MLKEM768:x25519:prime256v1", + TLS1_3_VERSION, + "X25519MLKEM768:prime256v1:x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519_MLKEM768, + true, + }, + + // Like the previous case, but the client's prioritization of ECC and PQ + // is inverted. + { + "x25519:prime256v1:SecP256r1MLKEM768:X25519MLKEM768", + TLS1_3_VERSION, + "X25519MLKEM768:prime256v1", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1, + true, + }, + + // The client will send key shares [SecP256r1MLKEM768, x25519]. The + // server will negotiate X25519MLKEM768 after an HRR. 
+ { + "SecP256r1MLKEM768:X25519MLKEM768:x25519:prime256v1", + TLS1_3_VERSION, + "X25519MLKEM768:prime256v1", + TLS1_3_VERSION, + SSL_GROUP_X25519_MLKEM768, + true, + }, + + // EC should be negotiated when client prefers EC, or server does not + // support hybrid + { + "X25519MLKEM768:x25519", + TLS1_3_VERSION, + "x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519, + false, + }, + { + "x25519:SecP256r1MLKEM768", + TLS1_3_VERSION, + "x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519, + false, + }, + { + "prime256v1:X25519MLKEM768", + TLS1_3_VERSION, + "X25519MLKEM768:prime256v1", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1, + false, + }, + { + "prime256v1:x25519:SecP256r1MLKEM768", + TLS1_3_VERSION, + "x25519:prime256v1:SecP256r1MLKEM768", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1, + false, + }, + + // EC should be negotiated, after a HelloRetryRequest, if the server + // supports only curves for which it did not initially receive a key share + { + "X25519MLKEM768:x25519:SecP256r1MLKEM768:prime256v1", + TLS1_3_VERSION, + "prime256v1", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1, + true, + }, + { + "X25519MLKEM768:SecP256r1MLKEM768:prime256v1:x25519", + TLS1_3_VERSION, + "secp224r1:secp384r1:secp521r1:x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519, + true, + }, + + // Hybrid should be negotiated, after a HelloRetryRequest, if the server + // supports only curves for which it did not initially receive a key share + { + "x25519:prime256v1:SecP256r1MLKEM768:X25519MLKEM768", + TLS1_3_VERSION, + "secp224r1:X25519MLKEM768:secp521r1", + TLS1_3_VERSION, + SSL_GROUP_X25519_MLKEM768, + true, + }, + { + "X25519MLKEM768:x25519:prime256v1:SecP256r1MLKEM768", + TLS1_3_VERSION, + "SecP256r1MLKEM768", + TLS1_3_VERSION, + SSL_GROUP_SECP256R1_MLKEM768, + true, + }, + + // If there is no overlap between client and server groups, + // the handshake should fail + { + "SecP256r1MLKEM768:X25519MLKEM768:secp384r1", + TLS1_3_VERSION, + "prime256v1:x25519", + TLS1_3_VERSION, + 0, + false, + }, + { + 
"secp384r1:SecP256r1MLKEM768:X25519MLKEM768", + TLS1_3_VERSION, + "prime256v1:x25519", + TLS1_3_VERSION, + 0, + false, + }, + { + "secp384r1:SecP256r1MLKEM768", + TLS1_3_VERSION, + "prime256v1:x25519:X25519MLKEM768", + TLS1_3_VERSION, + 0, + false, + }, + { + "SecP256r1MLKEM768", + TLS1_3_VERSION, + "X25519MLKEM768", + TLS1_3_VERSION, + 0, + false, + }, + + // If the client supports hybrid TLS 1.3, but the server + // only supports TLS 1.2, then TLS 1.2 EC should be negotiated. + { + "SecP256r1MLKEM768:prime256v1", + TLS1_3_VERSION, + "prime256v1:x25519", + TLS1_2_VERSION, + SSL_GROUP_SECP256R1, + false, + }, + + // Same as above, but server also has SecP256r1MLKEM768 in it's + // supported list, but can't use it since TLS 1.3 is the minimum version + // that + // supports PQ. + { + "SecP256r1MLKEM768:prime256v1", + TLS1_3_VERSION, + "SecP256r1MLKEM768:prime256v1:x25519", + TLS1_2_VERSION, + SSL_GROUP_SECP256R1, + false, + }, + + // If the client configures the curve list to include a hybrid + // curve, then initiates a 1.2 handshake, it will not advertise + // hybrid groups because hybrid is not supported for 1.2. So + // a 1.2 EC handshake will be negotiated (even if the server + // supports 1.3 with corresponding hybrid group). + { + "SecP256r1MLKEM768:x25519", + TLS1_2_VERSION, + "SecP256r1MLKEM768:x25519", + TLS1_3_VERSION, + SSL_GROUP_X25519, + false, + }, + { + "SecP256r1MLKEM768:prime256v1", + TLS1_2_VERSION, + "prime256v1:x25519", + TLS1_2_VERSION, + SSL_GROUP_SECP256R1, + false, + }, }; -const HybridGroup* GetHybridGroup(uint16_t group_id){ - for (const HybridGroup &g : HybridGroups()) { - if (group_id == g.group_id) { - return &g; - } +const HybridGroup *GetHybridGroup(uint16_t group_id) { + for (const HybridGroup &g : HybridGroups()) { + if (group_id == g.group_id) { + return &g; } + } - return NULL; + return NULL; } static STACK_OF(SSL_CIPHER) *tls13_ciphers(const SSL_CTX *ctx) { 
@@ -1457,8 +1466,7 @@ static bool CipherListsEqual(SSL_CTX *ctx,
 for (size_t i = 0; i < expected.size(); i++) {
 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
 if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
- expected[i].in_group_flag !=
- !!SSL_CTX_cipher_in_group(ctx, i)) {
+ expected[i].in_group_flag != !!SSL_CTX_cipher_in_group(ctx, i)) {
 return false;
 }
 }
@@ -2788,14 +2796,14 @@ static bool ConnectClientAndServer(bssl::UniquePtr *out_client,
 }
 // Correct ID and name
-#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
+#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
 // Invalid ID
-#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x13")
+#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x13")
 TEST(SSLTest, FindingCipher) {
 bssl::UniquePtr client_ctx(SSL_CTX_new(TLS_method()));
 bssl::UniquePtr server_ctx =
- CreateContextWithTestCertificate(TLS_method());
+ CreateContextWithTestCertificate(TLS_method());
 ASSERT_TRUE(client_ctx);
 ASSERT_TRUE(server_ctx);
 // Configure only TLS 1.3.
@@ -2807,24 +2815,28 @@ TEST(SSLTest, FindingCipher) {
 server_ctx.get()));
 SCOPED_TRACE("TLS_AES_128_GCM_SHA256");
- const SSL_CIPHER *cipher1 = SSL_CIPHER_find(server.get(), TLS13_AES_128_GCM_SHA256_BYTES);
+ const SSL_CIPHER *cipher1 =
+ SSL_CIPHER_find(server.get(), TLS13_AES_128_GCM_SHA256_BYTES);
 ASSERT_TRUE(cipher1);
 EXPECT_STREQ("TLS_AES_128_GCM_SHA256", SSL_CIPHER_standard_name(cipher1));
 SCOPED_TRACE("TLS_CHACHA20_POLY1305_SHA256");
- const SSL_CIPHER *cipher2 = SSL_CIPHER_find(server.get(), TLS13_CHACHA20_POLY1305_SHA256_BYTES);
+ const SSL_CIPHER *cipher2 =
+ SSL_CIPHER_find(server.get(), TLS13_CHACHA20_POLY1305_SHA256_BYTES);
 ASSERT_TRUE(cipher2);
- EXPECT_STREQ("TLS_CHACHA20_POLY1305_SHA256", SSL_CIPHER_standard_name(cipher2));
+ EXPECT_STREQ("TLS_CHACHA20_POLY1305_SHA256",
+ SSL_CIPHER_standard_name(cipher2));
 SCOPED_TRACE("TLS_AES_256_GCM_SHA384");
- const SSL_CIPHER *cipher3 = SSL_CIPHER_find(client.get(), TLS13_AES_256_GCM_SHA384_BYTES);
+ const SSL_CIPHER *cipher3 =
+ SSL_CIPHER_find(client.get(), TLS13_AES_256_GCM_SHA384_BYTES);
 ASSERT_FALSE(cipher3);
 }
 TEST(SSLTest, SSLGetCiphersReturnsTLS13Default) {
 bssl::UniquePtr client_ctx(SSL_CTX_new(TLS_method()));
 bssl::UniquePtr server_ctx =
- CreateContextWithTestCertificate(TLS_method());
+ CreateContextWithTestCertificate(TLS_method());
 ASSERT_TRUE(client_ctx);
 ASSERT_TRUE(server_ctx);
 // Configure only TLS 1.3.
@@ -2834,16 +2846,20 @@ TEST(SSLTest, SSLGetCiphersReturnsTLS13Default) { ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION)); bssl::UniquePtr client, server; - // Have to ensure config is not shed per current implementation of SSL_get_ciphers. - ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), server_ctx.get(), - ClientConfig(), false)); + // Have to ensure config is not shed per current implementation of + // SSL_get_ciphers. + ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), + server_ctx.get(), ClientConfig(), false)); // Ensure default TLS 1.3 Ciphersuites are present - const SSL_CIPHER *cipher1 = SSL_get_cipher_by_value(TLS1_3_CK_AES_128_GCM_SHA256 & 0xFFFF); + const SSL_CIPHER *cipher1 = + SSL_get_cipher_by_value(TLS1_3_CK_AES_128_GCM_SHA256 & 0xFFFF); ASSERT_TRUE(cipher1); - const SSL_CIPHER *cipher2 = SSL_get_cipher_by_value(TLS1_3_CK_AES_256_GCM_SHA384 & 0xFFFF); + const SSL_CIPHER *cipher2 = + SSL_get_cipher_by_value(TLS1_3_CK_AES_256_GCM_SHA384 & 0xFFFF); ASSERT_TRUE(cipher2); - const SSL_CIPHER *cipher3 = SSL_get_cipher_by_value(TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xFFFF); + const SSL_CIPHER *cipher3 = + SSL_get_cipher_by_value(TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xFFFF); ASSERT_TRUE(cipher3); STACK_OF(SSL_CIPHER) *client_ciphers = SSL_get_ciphers(client.get()); @@ -2862,7 +2878,7 @@ TEST(SSLTest, TLS13ConfigCiphers) { // This configures SSL_CTX objects with default TLS 1.2 and 1.3 ciphersuites bssl::UniquePtr client_ctx(SSL_CTX_new(TLS_method())); bssl::UniquePtr server_ctx = - CreateContextWithTestCertificate(TLS_method()); + CreateContextWithTestCertificate(TLS_method()); ASSERT_TRUE(client_ctx); ASSERT_TRUE(server_ctx); 
@@ -2872,11 +2888,14 @@ TEST(SSLTest, TLS13ConfigCiphers) { ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION)); // Restrict TLS 1.3 ciphersuite - ASSERT_TRUE(SSL_CTX_set_ciphersuites(client_ctx.get(), "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384")); - ASSERT_TRUE(SSL_CTX_set_ciphersuites(server_ctx.get(), "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384")); + ASSERT_TRUE(SSL_CTX_set_ciphersuites( + client_ctx.get(), "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384")); + ASSERT_TRUE(SSL_CTX_set_ciphersuites( + server_ctx.get(), "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384")); bssl::UniquePtr client, server; - ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(), server_ctx.get())); + ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(), + server_ctx.get())); // Modify ciphersuites on the SSL object, this modifies ssl->config ASSERT_TRUE(SSL_set_ciphersuites(client.get(), "TLS_AES_256_GCM_SHA384")); 
@@ -2887,22 +2906,27 @@ TEST(SSLTest, TLS13ConfigCiphers) { ASSERT_EQ(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_SHARED_CIPHER); bssl::UniquePtr client2, server2; - ASSERT_TRUE(CreateClientAndServer(&client2, &server2, client_ctx.get(), server_ctx.get())); + ASSERT_TRUE(CreateClientAndServer(&client2, &server2, client_ctx.get(), + server_ctx.get())); // Modify ciphersuites on the SSL object, this modifies ssl->config - ASSERT_TRUE(SSL_set_ciphersuites(client2.get(), "TLS_CHACHA20_POLY1305_SHA256")); - ASSERT_TRUE(SSL_set_ciphersuites(server2.get(), "TLS_CHACHA20_POLY1305_SHA256")); + ASSERT_TRUE( + SSL_set_ciphersuites(client2.get(), "TLS_CHACHA20_POLY1305_SHA256")); + ASSERT_TRUE( + SSL_set_ciphersuites(server2.get(), "TLS_CHACHA20_POLY1305_SHA256")); ASSERT_TRUE(CompleteHandshakes(client2.get(), server2.get())); - ASSERT_EQ(SSL_CIPHER_get_id(SSL_get_current_cipher(client2.get())), (uint32_t)TLS1_3_CK_CHACHA20_POLY1305_SHA256); - ASSERT_EQ(SSL_CIPHER_get_id(SSL_get_current_cipher(server2.get())), (uint32_t)TLS1_3_CK_CHACHA20_POLY1305_SHA256); + ASSERT_EQ(SSL_CIPHER_get_id(SSL_get_current_cipher(client2.get())), + (uint32_t)TLS1_3_CK_CHACHA20_POLY1305_SHA256); + ASSERT_EQ(SSL_CIPHER_get_id(SSL_get_current_cipher(server2.get())), + (uint32_t)TLS1_3_CK_CHACHA20_POLY1305_SHA256); } TEST(SSLTest, TLS13ConfigCtxInteraction) { // This configures SSL_CTX objects with default TLS 1.2 and 1.3 ciphersuites bssl::UniquePtr client_ctx(SSL_CTX_new(TLS_method())); bssl::UniquePtr server_ctx = - CreateContextWithTestCertificate(TLS_method()); + CreateContextWithTestCertificate(TLS_method()); ASSERT_TRUE(client_ctx); ASSERT_TRUE(server_ctx); 
@@ -2912,11 +2936,14 @@ TEST(SSLTest, TLS13ConfigCtxInteraction) { ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION)); // Restrict TLS 1.3 ciphersuite on the SSL_CTX objects - ASSERT_TRUE(SSL_CTX_set_ciphersuites(client_ctx.get(), "TLS_AES_128_GCM_SHA256")); - ASSERT_TRUE(SSL_CTX_set_ciphersuites(server_ctx.get(), "TLS_AES_128_GCM_SHA256")); + ASSERT_TRUE( + SSL_CTX_set_ciphersuites(client_ctx.get(), "TLS_AES_128_GCM_SHA256")); + ASSERT_TRUE( + SSL_CTX_set_ciphersuites(server_ctx.get(), "TLS_AES_128_GCM_SHA256")); bssl::UniquePtr client, server; - ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(), server_ctx.get())); + ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(), + server_ctx.get())); // Modify TLS 1.3 ciphersuites for client's SSL object, but not server ASSERT_TRUE(SSL_set_ciphersuites(client.get(), "TLS_AES_256_GCM_SHA384")); @@ -2929,7 +2956,8 @@ TEST(SSLTest, TLS13ConfigCtxInteraction) { ERR_clear_error(); bssl::UniquePtr client2, server2; - ASSERT_TRUE(CreateClientAndServer(&client2, &server2, client_ctx.get(), server_ctx.get())); + ASSERT_TRUE(CreateClientAndServer(&client2, &server2, client_ctx.get(), + server_ctx.get())); // Modify TLS 1.3 ciphersuites for server2 SSL object, but not client ASSERT_TRUE(SSL_set_ciphersuites(server2.get(), "TLS_AES_256_GCM_SHA384")); @@ -2944,7 +2972,7 @@ TEST(SSLTest, TLS12ConfigCiphers) { // This configures SSL_CTX objects with default TLS 1.2 and 1.3 ciphersuites bssl::UniquePtr client_ctx(SSL_CTX_new(TLS_method())); bssl::UniquePtr server_ctx = - CreateContextWithTestCertificate(TLS_method()); + CreateContextWithTestCertificate(TLS_method()); ASSERT_TRUE(client_ctx); ASSERT_TRUE(server_ctx); 
@@ -2954,15 +2982,23 @@ TEST(SSLTest, TLS12ConfigCiphers) { ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION)); // Restrict TLS 1.2 ciphersuite - ASSERT_TRUE(SSL_CTX_set_cipher_list(client_ctx.get(), "TLS_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_256_GCM_SHA384")); - ASSERT_TRUE(SSL_CTX_set_cipher_list(server_ctx.get(), "TLS_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_256_GCM_SHA384")); + ASSERT_TRUE(SSL_CTX_set_cipher_list( + client_ctx.get(), + "TLS_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_256_GCM_SHA384")); + ASSERT_TRUE(SSL_CTX_set_cipher_list( + server_ctx.get(), + "TLS_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_256_GCM_SHA384")); bssl::UniquePtr client, server; - ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(), server_ctx.get())); + ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(), + server_ctx.get())); - // Modify ciphersuites on the SSL object and introduce mismatch, this modifies ssl->config - ASSERT_TRUE(SSL_set_cipher_list(client.get(), "TLS_RSA_WITH_AES_256_CBC_SHA")); - ASSERT_TRUE(SSL_set_cipher_list(server.get(), "TLS_RSA_WITH_AES_256_GCM_SHA384")); + // Modify ciphersuites on the SSL object and introduce mismatch, this modifies + // ssl->config + ASSERT_TRUE( + SSL_set_cipher_list(client.get(), "TLS_RSA_WITH_AES_256_CBC_SHA")); + ASSERT_TRUE( + SSL_set_cipher_list(server.get(), "TLS_RSA_WITH_AES_256_GCM_SHA384")); // Handshake should fail as config objects have no shared cipher. ASSERT_FALSE(CompleteHandshakes(client.get(), server.get())); 
@@ -2971,22 +3007,28 @@ TEST(SSLTest, TLS12ConfigCiphers) { ERR_clear_error(); bssl::UniquePtr client2, server2; - ASSERT_TRUE(CreateClientAndServer(&client2, &server2, client_ctx.get(), server_ctx.get())); + ASSERT_TRUE(CreateClientAndServer(&client2, &server2, client_ctx.get(), + server_ctx.get())); - // Modify ciphersuites on the SSL object with a new third cipher, this modifies ssl->config - ASSERT_TRUE(SSL_set_cipher_list(client2.get(), "TLS_RSA_WITH_AES_128_CBC_SHA")); - ASSERT_TRUE(SSL_set_cipher_list(server2.get(), "TLS_RSA_WITH_AES_128_CBC_SHA")); + // Modify ciphersuites on the SSL object with a new third cipher, this + // modifies ssl->config + ASSERT_TRUE( + SSL_set_cipher_list(client2.get(), "TLS_RSA_WITH_AES_128_CBC_SHA")); + ASSERT_TRUE( + SSL_set_cipher_list(server2.get(), "TLS_RSA_WITH_AES_128_CBC_SHA")); ASSERT_TRUE(CompleteHandshakes(client2.get(), server2.get())); - ASSERT_EQ(SSL_CIPHER_get_id(SSL_get_current_cipher(client2.get())), (uint32_t)TLS1_CK_RSA_WITH_AES_128_SHA); - ASSERT_EQ(SSL_CIPHER_get_id(SSL_get_current_cipher(server2.get())), (uint32_t)TLS1_CK_RSA_WITH_AES_128_SHA); + ASSERT_EQ(SSL_CIPHER_get_id(SSL_get_current_cipher(client2.get())), + (uint32_t)TLS1_CK_RSA_WITH_AES_128_SHA); + ASSERT_EQ(SSL_CIPHER_get_id(SSL_get_current_cipher(server2.get())), + (uint32_t)TLS1_CK_RSA_WITH_AES_128_SHA); } TEST(SSLTest, TLS12ConfigCtxInteraction) { // This configures SSL_CTX objects with default TLS 1.2 and 1.3 ciphersuites bssl::UniquePtr client_ctx(SSL_CTX_new(TLS_method())); bssl::UniquePtr server_ctx = - CreateContextWithTestCertificate(TLS_method()); + CreateContextWithTestCertificate(TLS_method()); ASSERT_TRUE(client_ctx); ASSERT_TRUE(server_ctx); 
@@ -2996,14 +3038,18 @@ TEST(SSLTest, TLS12ConfigCtxInteraction) { ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_2_VERSION)); // Restrict TLS 1.2 ciphersuites on the SSL_CTX objects - ASSERT_TRUE(SSL_CTX_set_cipher_list(client_ctx.get(), "TLS_RSA_WITH_AES_256_CBC_SHA")); - ASSERT_TRUE(SSL_CTX_set_cipher_list(server_ctx.get(), "TLS_RSA_WITH_AES_256_CBC_SHA")); + ASSERT_TRUE(SSL_CTX_set_cipher_list(client_ctx.get(), + "TLS_RSA_WITH_AES_256_CBC_SHA")); + ASSERT_TRUE(SSL_CTX_set_cipher_list(server_ctx.get(), + "TLS_RSA_WITH_AES_256_CBC_SHA")); bssl::UniquePtr client, server; - ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(), server_ctx.get())); + ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(), + server_ctx.get())); // Modify TLS 1.2 ciphersuite for client's SSL object, but not server - ASSERT_TRUE(SSL_set_cipher_list(client.get(), "TLS_RSA_WITH_AES_256_GCM_SHA384")); + ASSERT_TRUE( + SSL_set_cipher_list(client.get(), "TLS_RSA_WITH_AES_256_GCM_SHA384")); // Handshake should fail as client SSL config and server CTX objects have no // shared TLS 1.2 cipher. @@ -3013,10 +3059,12 @@ TEST(SSLTest, TLS12ConfigCtxInteraction) { ERR_clear_error(); bssl::UniquePtr client2, server2; - ASSERT_TRUE(CreateClientAndServer(&client2, &server2, client_ctx.get(), server_ctx.get())); + ASSERT_TRUE(CreateClientAndServer(&client2, &server2, client_ctx.get(), + server_ctx.get())); // Modify TLS 1.2 ciphersuites for server2 SSL object, but not client - ASSERT_TRUE(SSL_set_cipher_list(server2.get(), "TLS_RSA_WITH_AES_256_GCM_SHA384")); + ASSERT_TRUE( + SSL_set_cipher_list(server2.get(), "TLS_RSA_WITH_AES_256_GCM_SHA384")); // Handshake should fail as server SSL config and client CTX objects have no // shared TLS 1.2 cipher. 
@@ -3027,13 +3075,14 @@ TEST(SSLTest, TLS12ConfigCtxInteraction) { TEST(SSLTest, SSLGetCiphersReturnsTLS13Custom) { bssl::UniquePtr client_ctx(SSL_CTX_new(TLS_method())); bssl::UniquePtr server_ctx = - CreateContextWithTestCertificate(TLS_method()); + CreateContextWithTestCertificate(TLS_method()); ASSERT_TRUE(client_ctx); ASSERT_TRUE(server_ctx); // Configure custom TLS 1.3 Ciphersuites SSL_CTX_set_ciphersuites(server_ctx.get(), "TLS_AES_128_GCM_SHA256"); - SSL_CTX_set_ciphersuites(client_ctx.get(), "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"); + SSL_CTX_set_ciphersuites(client_ctx.get(), + "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"); // Configure only TLS 1.3. ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION)); 
@@ -3042,17 +3091,21 @@ TEST(SSLTest, SSLGetCiphersReturnsTLS13Custom) { ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION)); bssl::UniquePtr client, server; - // Have to ensure config is not shed per current implementation of SSL_get_ciphers. - ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), server_ctx.get(), - ClientConfig(), false)); + // Have to ensure config is not shed per current implementation of + // SSL_get_ciphers. + ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(), + server_ctx.get(), ClientConfig(), false)); ASSERT_TRUE(CompleteHandshakes(client.get(), server.get())); // Ensure default TLS 1.3 Ciphersuites are present - const SSL_CIPHER *cipher1 = SSL_get_cipher_by_value(TLS1_3_CK_AES_128_GCM_SHA256 & 0xFFFF); + const SSL_CIPHER *cipher1 = + SSL_get_cipher_by_value(TLS1_3_CK_AES_128_GCM_SHA256 & 0xFFFF); ASSERT_TRUE(cipher1); - const SSL_CIPHER *cipher2 = SSL_get_cipher_by_value(TLS1_3_CK_AES_256_GCM_SHA384 & 0xFFFF); + const SSL_CIPHER *cipher2 = + SSL_get_cipher_by_value(TLS1_3_CK_AES_256_GCM_SHA384 & 0xFFFF); ASSERT_TRUE(cipher2); - const SSL_CIPHER *cipher3 = SSL_get_cipher_by_value(TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xFFFF); + const SSL_CIPHER *cipher3 = + SSL_get_cipher_by_value(TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xFFFF); ASSERT_TRUE(cipher3); STACK_OF(SSL_CIPHER) *client_ciphers = SSL_get_ciphers(client.get()); 
@@ -3069,16 +3122,17 @@ TEST(SSLTest, SSLGetCiphersReturnsTLS13Custom) { TEST(SSLTest, GetClientCiphersAfterHandshakeFailure1_3) { bssl::UniquePtr client_ctx(SSL_CTX_new(TLS_method())); - bssl::UniquePtr server_ctx = CreateContextWithTestCertificate(TLS_method()); + bssl::UniquePtr server_ctx = + CreateContextWithTestCertificate(TLS_method()); // configure client to add fake ciphersuite SSL_CTX_set_grease_enabled(client_ctx.get(), 1); // There will be no cipher match, handshake will not succeed. - ASSERT_TRUE(SSL_CTX_set_ciphersuites(client_ctx.get(), - "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")); - ASSERT_TRUE(SSL_CTX_set_ciphersuites(server_ctx.get(), - "TLS_AES_128_GCM_SHA256")); + ASSERT_TRUE(SSL_CTX_set_ciphersuites( + client_ctx.get(), "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")); + ASSERT_TRUE( + SSL_CTX_set_ciphersuites(server_ctx.get(), "TLS_AES_128_GCM_SHA256")); ASSERT_TRUE(client_ctx); ASSERT_TRUE(server_ctx); @@ -3087,8 +3141,8 @@ TEST(SSLTest, GetClientCiphersAfterHandshakeFailure1_3) { ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION)); bssl::UniquePtr client, server; - ASSERT_TRUE(CreateClientAndServer(&client, &server, - client_ctx.get(), server_ctx.get())); + ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(), + server_ctx.get())); const unsigned char *tmp = nullptr; // Handshake not completed, getting ciphers should fail @@ -3099,7 +3153,7 @@ TEST(SSLTest, GetClientCiphersAfterHandshakeFailure1_3) { // This should fail, but should be able to inspect client ciphers still ASSERT_FALSE(CompleteHandshakes(client.get(), server.get())); - ASSERT_EQ(SSL_client_hello_get0_ciphers(client.get(), nullptr), (size_t) 0); + ASSERT_EQ(SSL_client_hello_get0_ciphers(client.get(), nullptr), (size_t)0); const unsigned char expected_cipher_bytes[] = {0x13, 0x02, 0x13, 0x03}; const unsigned char *p = nullptr; 
@@ -3114,13 +3168,13 @@ TEST(SSLTest, GetClientCiphersAfterHandshakeFailure1_3) { ASSERT_FALSE(SSL_get_cipher_by_value(grease_val)); // Sanity check for first cipher ID after grease value - uint16_t cipher_val = CRYPTO_load_u16_be(p+2); + uint16_t cipher_val = CRYPTO_load_u16_be(p + 2); ASSERT_TRUE(SSL_get_cipher_by_value((cipher_val))); // Check order and validity of the rest of the client cipher suites, // excluding the grease value (2nd byte onwards) ASSERT_EQ(Bytes(expected_cipher_bytes, sizeof(expected_cipher_bytes)), - Bytes(p+2, sizeof(expected_cipher_bytes))); + Bytes(p + 2, sizeof(expected_cipher_bytes))); // Parsed ciphersuite list should only have 2 valid ciphersuites as configured // (grease value should not be included). Even though the handshake fails, @@ -3130,13 +3184,15 @@ TEST(SSLTest, GetClientCiphersAfterHandshakeFailure1_3) { TEST(SSLTest, GetClientCiphers1_3) { bssl::UniquePtr client_ctx(SSL_CTX_new(TLS_method())); - bssl::UniquePtr server_ctx = CreateContextWithTestCertificate(TLS_method()); + bssl::UniquePtr server_ctx = + CreateContextWithTestCertificate(TLS_method()); // configure client to add fake ciphersuite SSL_CTX_set_grease_enabled(client_ctx.get(), 1); ASSERT_TRUE(SSL_CTX_set_ciphersuites(client_ctx.get(), - "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")); + "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_" + "SHA384:TLS_CHACHA20_POLY1305_SHA256")); ASSERT_TRUE(client_ctx); ASSERT_TRUE(server_ctx); @@ -3144,8 +3200,8 @@ TEST(SSLTest, GetClientCiphers1_3) { ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION)); bssl::UniquePtr client, server; - ASSERT_TRUE(CreateClientAndServer(&client, &server, - client_ctx.get(), server_ctx.get())); + ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(), + server_ctx.get())); const unsigned char *tmp = nullptr; // Handshake not completed, getting ciphers should fail 
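Review bot: In the GetClientCiphers1_3 hunk the formatter's literal break lands inside a cipher-suite name, `"TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_" "SHA384:TLS_CHACHA20_POLY1305_SHA256"`, so `TLS_AES_256_GCM_SHA384` no longer appears as a contiguous token in this test and a search for that suite name will miss it. Breaking at the separator keeps every name whole while the concatenated value stays identical: `"TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:" "TLS_CHACHA20_POLY1305_SHA256"`; the GetClientCiphers1_2 hunk further down already breaks at the colon, so this would match it. clang-format may re-split a literal it chooses to wrap, so the manual break presumably needs to fit the column limit on its own to survive the next `--fix` run. The TEST body continues past the end of the hunk.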
@@ -3155,9 +3211,10 @@ TEST(SSLTest, GetClientCiphers1_3) { ASSERT_TRUE(CompleteHandshakes(client.get(), server.get())); - ASSERT_EQ(SSL_client_hello_get0_ciphers(client.get(), nullptr), (size_t) 0); + ASSERT_EQ(SSL_client_hello_get0_ciphers(client.get(), nullptr), (size_t)0); - const unsigned char expected_cipher_bytes[] = {0x13, 0x01, 0x13, 0x02, 0x13, 0x03}; + const unsigned char expected_cipher_bytes[] = {0x13, 0x01, 0x13, + 0x02, 0x13, 0x03}; const unsigned char *p = nullptr; // Expected size is 2 bytes more than |expected_cipher_bytes| to account for @@ -3170,13 +3227,13 @@ TEST(SSLTest, GetClientCiphers1_3) { ASSERT_FALSE(SSL_get_cipher_by_value(grease_val)); // Sanity check for first cipher ID after grease value - uint16_t cipher_val = CRYPTO_load_u16_be(p+2); + uint16_t cipher_val = CRYPTO_load_u16_be(p + 2); ASSERT_TRUE(SSL_get_cipher_by_value((cipher_val))); // Check order and validity of the rest of the client cipher suites, // excluding the grease value (2nd byte onwards) ASSERT_EQ(Bytes(expected_cipher_bytes, sizeof(expected_cipher_bytes)), - Bytes(p+2, sizeof(expected_cipher_bytes))); + Bytes(p + 2, sizeof(expected_cipher_bytes))); // Parsed ciphersuite list should only have 3 valid ciphersuites as configured // (grease value should not be included) 
@@ -3186,21 +3243,22 @@ TEST(SSLTest, GetClientCiphers1_3) { TEST(SSLTest, GetClientCiphers1_2) { bssl::UniquePtr client_ctx(SSL_CTX_new(TLS_method())); bssl::UniquePtr server_ctx = - CreateContextWithTestCertificate(TLS_method()); + CreateContextWithTestCertificate(TLS_method()); // configure client to add fake ciphersuite SSL_CTX_set_grease_enabled(client_ctx.get(), 1); ASSERT_TRUE(SSL_CTX_set_cipher_list(client_ctx.get(), - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA")); + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:" + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA")); ASSERT_TRUE(client_ctx); ASSERT_TRUE(server_ctx); ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_2_VERSION)); ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_2_VERSION)); bssl::UniquePtr client, server; - ASSERT_TRUE(CreateClientAndServer(&client, &server, - client_ctx.get(), server_ctx.get())); + ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(), + server_ctx.get())); const unsigned char *tmp = nullptr; // Handshake not completed, getting ciphers should fail @@ -3210,7 +3268,7 @@ TEST(SSLTest, GetClientCiphers1_2) { ASSERT_TRUE(CompleteHandshakes(client.get(), server.get())); - ASSERT_EQ(SSL_client_hello_get0_ciphers(client.get(), nullptr), (size_t) 0); + ASSERT_EQ(SSL_client_hello_get0_ciphers(client.get(), nullptr), (size_t)0); const unsigned char expected_cipher_bytes[] = {0xC0, 0x2C, 0xC0, 0x13}; const unsigned char *p = nullptr; 
@@ -3225,13 +3283,13 @@ TEST(SSLTest, GetClientCiphers1_2) { ASSERT_FALSE(SSL_get_cipher_by_value(grease_val)); // Sanity check for first cipher ID after grease value - uint16_t cipher_val = CRYPTO_load_u16_be(p+2); + uint16_t cipher_val = CRYPTO_load_u16_be(p + 2); ASSERT_TRUE(SSL_get_cipher_by_value((cipher_val))); // Check order and validity of the rest of the client cipher suites, // excluding the grease value (2nd byte onwards) ASSERT_EQ(Bytes(expected_cipher_bytes, sizeof(expected_cipher_bytes)), - Bytes(p+2, sizeof(expected_cipher_bytes))); + Bytes(p + 2, sizeof(expected_cipher_bytes))); // Parsed ciphersuite list should only have 2 valid ciphersuites as configured // (grease value should not be included) @@ -3277,8 +3335,7 @@ static void SetUpExpectedNewCodePoint(SSL_CTX *ctx) { const uint8_t *data; size_t len; if (!SSL_early_callback_ctx_extension_get( - client_hello, TLSEXT_TYPE_application_settings, &data, - &len)) { + client_hello, TLSEXT_TYPE_application_settings, &data, &len)) { ADD_FAILURE() << "Could not find alps new codepoint."; return ssl_select_cert_error; } @@ -3891,7 +3948,7 @@ TEST(SSLTest, ECHPublicName) { } // These test certificates generated with the following Go program. - /* clang-format off +/* clang-format off func main() { notBefore := time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC) notAfter := time.Date(2099, time.January, 1, 0, 0, 0, 0, time.UTC) @@ -4315,7 +4372,8 @@ static const uint8_t kTestName[] = { // SSLVersionTest executes its test cases under all available protocol versions. // Test cases call |Connect| to create a connection using context objects with // the protocol version fixed to the current version under test. -class SSLVersionTest : public ::testing::TestWithParam<::std::tuple> { +class SSLVersionTest + : public ::testing::TestWithParam<::std::tuple> { protected: SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {} 
@@ -4362,9 +4420,7 @@ class SSLVersionTest : public ::testing::TestWithParam<::std::tuple(GetParam()); - } + VersionParam getVersionParam() const { return std::get<0>(GetParam()); } void TransferServerSSL() { if (!getVersionParam().transfer_ssl) { @@ -4380,13 +4436,9 @@ class SSLVersionTest : public ::testing::TestWithParam<::std::tuple(GetParam()); - } + size_t read_ahead_buffer_size() const { return std::get<1>(GetParam()); } - bool enable_read_ahead() const { - return read_ahead_buffer_size() != 0; - } + bool enable_read_ahead() const { return read_ahead_buffer_size() != 0; } void CheckCounterInit() { EXPECT_EQ(SSL_CTX_sess_connect(client_ctx_.get()), 0); @@ -4420,12 +4472,16 @@ class SSLVersionTest : public ::testing::TestWithParam<::std::tuple key_; }; -INSTANTIATE_TEST_SUITE_P(WithVersion, SSLVersionTest, - testing::Combine(::testing::ValuesIn(kAllVersions), testing::Values(0, 128, 512, 8192, 65535)), - [](const testing::TestParamInfo<::std::tuple>& test_info) { - std::string test_name = std::string(std::get<0>(test_info.param).name) + "_BufferSize_"; - return test_name + std::to_string(std::get<1>(test_info.param)); - }); +INSTANTIATE_TEST_SUITE_P( + WithVersion, SSLVersionTest, + testing::Combine(::testing::ValuesIn(kAllVersions), + testing::Values(0, 128, 512, 8192, 65535)), + [](const testing::TestParamInfo<::std::tuple> + &test_info) { + std::string test_name = + std::string(std::get<0>(test_info.param).name) + "_BufferSize_"; + return test_name + std::to_string(std::get<1>(test_info.param)); + }); TEST_P(SSLVersionTest, SequenceNumber) { CheckCounterInit(); 
@@ -4964,59 +5020,58 @@ TEST(SSLTest, ClientHello) { uint16_t max_version; std::vector expected; } kTests[] = { - {TLS1_VERSION, - {0x16, 0x03, 0x01, 0x00, 0x58, 0x01, 0x00, 0x00, 0x54, 0x03, 0x01, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0xc0, 0x09, - 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x01, 0x00, - 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, - 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, - 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}}, - {TLS1_1_VERSION, - {0x16, 0x03, 0x01, 0x00, 0x58, 0x01, 0x00, 0x00, 0x54, 0x03, 0x02, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0xc0, 0x09, - 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x01, 0x00, - 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, - 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, - 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}}, - {TLS1_2_VERSION, - {0x16, 0x03, 0x01, 0x00, 0x86, 0x01, 0x00, 0x00, 0x82, 0x03, 0x03, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0xcc, 0xa9, - 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09, - 0xc0, 0x13, 0xc0, 0x27, 0xc0, 0x0a, 0xc0, 0x14, 0xc0, 0x28, 0x00, 0x9c, - 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x3c, 0x00, 0x35, 0x01, 0x00, 0x00, 0x37, - 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, - 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, - 0x02, 
0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, - 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, - 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01}}, - {TLS1_3_VERSION, - {0x16, 0x03, 0x01, 0x00, 0xe9, 0x01, 0x00, 0x00, 0xe5, 0x03, 0x03, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, - 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, - 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x27, 0xc0, 0x0a, 0xc0, 0x14, 0xc0, 0x28, - 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x3c, 0x00, 0x35, 0x01, 0x00, - 0x00, 0x74, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, - 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, - 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, - 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, - 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x33, 0x00, - 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x02, 0x01, 0x01, 0x00, 0x2b, 0x00, - 0x09, 0x08, 0x03, 0x04, 0x03, 0x03, 0x03, 0x02, 0x03, 0x01}} - }; + {TLS1_VERSION, + {0x16, 0x03, 0x01, 0x00, 0x58, 0x01, 0x00, 0x00, 0x54, 0x03, 0x01, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0xc0, 0x09, + 
0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x01, 0x00, + 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, + 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, + 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}}, + {TLS1_1_VERSION, + {0x16, 0x03, 0x01, 0x00, 0x58, 0x01, 0x00, 0x00, 0x54, 0x03, 0x02, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0xc0, 0x09, + 0xc0, 0x13, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x2f, 0x00, 0x35, 0x01, 0x00, + 0x00, 0x1f, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, + 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, + 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00}}, + {TLS1_2_VERSION, + {0x16, 0x03, 0x01, 0x00, 0x86, 0x01, 0x00, 0x00, 0x82, 0x03, 0x03, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0xcc, 0xa9, + 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09, + 0xc0, 0x13, 0xc0, 0x27, 0xc0, 0x0a, 0xc0, 0x14, 0xc0, 0x28, 0x00, 0x9c, + 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x3c, 0x00, 0x35, 0x01, 0x00, 0x00, 0x37, + 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, + 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, + 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, + 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, + 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01}}, + {TLS1_3_VERSION, + {0x16, 0x03, 0x01, 0x00, 0xe9, 0x01, 0x00, 0x00, 0xe5, 0x03, 0x03, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, + 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, + 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x27, 0xc0, 0x0a, 0xc0, 0x14, 0xc0, 0x28, + 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x3c, 0x00, 0x35, 0x01, 0x00, + 0x00, 0x74, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, + 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, + 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, + 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, + 0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x33, 0x00, + 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x02, 0x01, 0x01, 0x00, 0x2b, 0x00, + 0x09, 0x08, 0x03, 0x04, 0x03, 0x03, 0x03, 0x02, 0x03, 0x01}}}; for (const auto &t : kTests) { SCOPED_TRACE(t.max_version); @@ -5029,8 +5084,10 @@ TEST(SSLTest, ClientHello) { ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), t.max_version)); ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list)); - // Explicitly set TLS 1.3 ciphersuites so CPU capabilities don't affect order - ASSERT_TRUE(SSL_CTX_set_ciphersuites(ctx.get(), TLS13_DEFAULT_CIPHER_LIST_AES_HW)); + // Explicitly set TLS 1.3 ciphersuites so CPU capabilities don't affect + // order + ASSERT_TRUE( + SSL_CTX_set_ciphersuites(ctx.get(), TLS13_DEFAULT_CIPHER_LIST_AES_HW)); bssl::UniquePtr ssl(SSL_new(ctx.get())); ASSERT_TRUE(ssl); 
@@ -5044,8 +5101,10 @@ TEST(SSLTest, ClientHello) { int pre = client_hello.size(); if (t.max_version == TLS1_3_VERSION) { - ASSERT_GE(client_hello.size(), kRandomOffset + SSL3_RANDOM_SIZE + 1 + SSL3_SESSION_ID_SIZE); - OPENSSL_memset(client_hello.data() + kRandomOffset, 0, SSL3_RANDOM_SIZE + 1 + SSL3_SESSION_ID_SIZE); + ASSERT_GE(client_hello.size(), + kRandomOffset + SSL3_RANDOM_SIZE + 1 + SSL3_SESSION_ID_SIZE); + OPENSSL_memset(client_hello.data() + kRandomOffset, 0, + SSL3_RANDOM_SIZE + 1 + SSL3_SESSION_ID_SIZE); // Jump to key share extension and zero out the key OPENSSL_memset(client_hello.data() + 187, 0, 32); } else { 
@@ -5691,18 +5750,23 @@ TEST_P(SSLVersionTest, Version) { EXPECT_EQ(strcmp(version_name, client_name), 0); EXPECT_EQ(strcmp(version_name, server_name), 0); - // Client/server version equality asserted above, assert equality for cipher here. + // Client/server version equality asserted above, assert equality for cipher + // here. ASSERT_TRUE(SSL_get_current_cipher(client_.get())); ASSERT_TRUE(SSL_get_current_cipher(server_.get())); - EXPECT_EQ(SSL_get_current_cipher(client_.get())->id, SSL_get_current_cipher(server_.get())->id); + EXPECT_EQ(SSL_get_current_cipher(client_.get())->id, + SSL_get_current_cipher(server_.get())->id); const uint16_t version = SSL_version(client_.get()); if (version == TLS1_2_VERSION || version == TLS1_3_VERSION) { const char *version_str = SSL_get_version(client_.get()); - EXPECT_STREQ(version_str, SSL_CIPHER_get_version(SSL_get_current_cipher(client_.get()))); - } else if (version == DTLS1_2_VERSION) { // ciphers don't differentiate D/TLS - EXPECT_STREQ("TLSv1.2", SSL_CIPHER_get_version(SSL_get_current_cipher(client_.get()))); + EXPECT_STREQ(version_str, + SSL_CIPHER_get_version(SSL_get_current_cipher(client_.get()))); + } else if (version == DTLS1_2_VERSION) { // ciphers don't differentiate D/TLS + EXPECT_STREQ("TLSv1.2", + SSL_CIPHER_get_version(SSL_get_current_cipher(client_.get()))); } else { - EXPECT_STREQ("TLSv1/SSLv3", SSL_CIPHER_get_version(SSL_get_current_cipher(client_.get()))); + EXPECT_STREQ("TLSv1/SSLv3", + SSL_CIPHER_get_version(SSL_get_current_cipher(client_.get()))); } } @@ -5785,7 +5849,7 @@ TEST_P(SSLVersionTest, SSLClientCiphers) { // Client ciphers ARE NOT SERIALIZED, so skip tests that rely on transfer or // serialization of |ssl| and accompanying objects under test. if (getVersionParam().transfer_ssl) { - return; + return; } EXPECT_FALSE(SSL_get_client_ciphers(client_.get())); 
@@ -5797,7 +5861,8 @@ TEST_P(SSLVersionTest, SSLClientCiphers) {
 // The client should still have no view of the server's preferences, but the
 // server should have seen at least one cipher from the client.
 EXPECT_FALSE(SSL_get_client_ciphers(client_.get()));
- EXPECT_GT(sk_SSL_CIPHER_num(SSL_get_client_ciphers(server_.get())), (size_t) 0);
+ EXPECT_GT(sk_SSL_CIPHER_num(SSL_get_client_ciphers(server_.get())),
+ (size_t)0);
 // With config shedding disabled, clearing |server| shouldn't error and
 // should reset server's client ciphers
@@ -5809,7 +5874,8 @@ TEST_P(SSLVersionTest, SSLClientCiphers) {
 // These should be unaffected by config shedding
 EXPECT_FALSE(SSL_get_client_ciphers(client_.get()));
- EXPECT_GT(sk_SSL_CIPHER_num(SSL_get_client_ciphers(server_.get())), (size_t) 0);
+ EXPECT_GT(sk_SSL_CIPHER_num(SSL_get_client_ciphers(server_.get())),
+ (size_t)0);
 }
 static bool ChainsEqual(STACK_OF(X509) *chain,
@@ -6132,8 +6198,8 @@ TEST_P(SSLVersionTest, SSLWriteRetry) {
 // own SSLBuffer freeing up space for the write above
 ASSERT_EQ(ret, 2 * kChunkLen);
 } else {
- // Otherwise, although the first half made it to the transport, the second
- // half is blocked.
+ // Otherwise, although the first half made it to the transport, the
+ // second half is blocked.
 ASSERT_EQ(ret, -1);
 ASSERT_EQ(SSL_get_error(client_.get(), -1), SSL_ERROR_WANT_WRITE);
 // Check the first half and make room for another record.
@@ -6141,9 +6207,10 @@ TEST_P(SSLVersionTest, SSLWriteRetry) {
 ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
 count--;
- // Retrying with fewer bytes than previously attempted is an error. If the
- // input length is less than the number of bytes successfully written, the
- // check happens at a different point, with a different error.
+ // Retrying with fewer bytes than previously attempted is an error. If
+ // the input length is less than the number of bytes successfully
+ // written, the check happens at a different point, with a different
+ // error.
 //
 // TODO(davidben): Should these cases use the same error?
 ASSERT_EQ(
@@ -6732,8 +6799,7 @@ const CertificateKeyTestParams kCertificateKeyTests[] = {
 {GetTestCertificate, GetTestKey, SSL_PKEY_RSA, "TLS_RSA_WITH_AES_256_CBC_SHA:", SSL_SIGN_RSA_PSS_RSAE_SHA256},
 {GetECDSATestCertificate, GetECDSATestKey, SSL_PKEY_ECC,
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:",
- SSL_SIGN_ECDSA_SECP256R1_SHA256},
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:", SSL_SIGN_ECDSA_SECP256R1_SHA256},
 {GetED25519TestCertificate, GetED25519TestKey, SSL_PKEY_ED25519, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:", SSL_SIGN_ED25519},
 };
@@ -7116,7 +7182,7 @@ static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to,
 static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int index, long argl, void *argp) {
- delete reinterpret_cast(ptr);
+ delete reinterpret_cast(ptr);
 }
 static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
@@ -7601,7 +7667,7 @@ TEST_P(SSLVersionTest, ReadAhead) {
 ASSERT_TRUE(Connect());
 size_t buf_len;
 std::string test_string = "Hello, world!";
- for (char & i : test_string) {
+ for (char &i : test_string) {
 ASSERT_EQ(1, SSL_write_ex(server_.get(), &i, 1, &buf_len));
 }
@@ -7788,7 +7854,7 @@ void VerifyHandoff(bool use_new_alps_codepoint) {
 SSL_set_alps_use_new_codepoint(client.get(), use_new_alps_codepoint);
 ASSERT_TRUE(SSL_set_alpn_protos(client.get(), alpn, sizeof(alpn)) == 0);
 ASSERT_TRUE(SSL_add_application_settings(client.get(), proto,
- sizeof(proto), nullptr, 0));
+ sizeof(proto), nullptr, 0));
 if (is_resume) {
 ASSERT_TRUE(g_last_session);
 SSL_set_session(client.get(), g_last_session.get());
@@ -7835,16 +7901,16 @@ void VerifyHandoff(bool use_new_alps_codepoint) {
 SSL_CTX_set_alpn_select_cb( handshaker_ctx.get(), [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
- unsigned in_len, void *arg) -> int {
- return SSL_select_next_proto(
- const_cast(out), out_len, in, in_len,
- alpn, sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
- ? SSL_TLSEXT_ERR_OK
- : SSL_TLSEXT_ERR_NOACK;
+ unsigned in_len, void *arg) -> int {
+ return SSL_select_next_proto(const_cast(out), out_len,
+ in, in_len, alpn,
+ sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
+ ? SSL_TLSEXT_ERR_OK
+ : SSL_TLSEXT_ERR_NOACK;
 }, nullptr);
- ASSERT_TRUE(SSL_add_application_settings(handshaker.get(), proto,
- sizeof(proto), alps, sizeof(alps)));
+ ASSERT_TRUE(SSL_add_application_settings(
+ handshaker.get(), proto, sizeof(proto), alps, sizeof(alps)));
 ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff));
@@ -8214,67 +8280,67 @@ static const EncodeDecodeKATTestParam kEncodeDecodeKATs[] = {
 "043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f678682324fd809" "8dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b1030101ffb2" "0302011da206040474657374a7030101ff020108020100a0030101ff"},
- // In runner.go, the test case
- // "TLS-TLS13-AES_128_GCM_SHA256-server-SSL_Transfer" is used to generate
- // below bytes by adding print statement on the output of |SSL_to_bytes| in
- // bssl_shim.cc.
- // We've bumped the buffer size in the |previous_client/server_finished|
- // fields. This verifies that the original size is parsable and reencoded
- // with the new size.
+ // In runner.go, the test case
+ // "TLS-TLS13-AES_128_GCM_SHA256-server-SSL_Transfer" is used to generate
+ // below bytes by adding print statement on the output of |SSL_to_bytes| in
+ // bssl_shim.cc.
+ // We've bumped the buffer size in the |previous_client/server_finished|
+ // fields. This verifies that the original size is parsable and reencoded
+ // with the new size.
{"308203883082038402010102020304020240003082036a020102040800000000000000000" - "408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38a6" - "b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3888" - "3d33f236a04020000020100020101040c000000000000000000000000020100040c000000" - "000000000000000000020100020100020100020100a04e304c02010102020304040213010" - "40004200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da1" - "04020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374a" - "b03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade" - "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c0000000000000000000000000" - "0000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c16b" - "43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a178c" - "e69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c02180000000000000000" - "0000000000000000b503020120b88201700482016c040000b20002a30056355452010000a" - "027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda1002a4" - "d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072ab33c30" - "e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6bb111867a" - "87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e9044e9094" - "9975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c6738010100a0" - "27abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2ea52d3401d31" - "10a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d18796c97e8320" - "4daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573bcf0252dc4d39" - "0baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af57173f864070fdce2" - "41be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204030013013016020" - "101020117040e300c0201010201000201000101ffbb233021020101020403001301301602" - "0101020117040e300c0201010201000201000101ff020108020100a0030101ff", - 
"308203f0308203ec0201010202030402024000308203d202010204080000000000000000" - "0408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38" - "a6b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3" - "8883d33f236a040200000201000201010440000000000000000000000000020100040c00" - "0000000000000000000000020100020100020100020100a04e304c020101020203040402" - "1301040004200b66320d0201000440000000000000000000000000020100020100020100" - "020100a04e304c0201010202030404021301040004200b66320d38c8fa1b0dfe9e37fcf2" - "bf0bafb43077fa020100020100020100020100a04e304c02010102020304040213010400" - "04200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da104" - "020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374ab" - "03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade" - "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c000000000000000000000000" - "00000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c1" - "6b43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a1" - "78ce69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c0218000000000000" - "00000000000000000000b503020120b88201700482016c040000b20002a3005635545201" - "0000a027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda" - "1002a4d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072" - "ab33c30e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6b" - "b111867a87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e" - "9044e90949975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c67" - "38010100a027abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2e" - "a52d3401d3110a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d1" - "8796c97e83204daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573" - "bcf0252dc4d390baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af571" - "73f864070fdce241be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204" 
- "030013013016020101020117040e300c0201010201000201000101ffbb23302102010102" - "04030013013016020101020117040e300c0201010201000201000101ff020108020100a0" - "030101ff"}, + "408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38a6" + "b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3888" + "3d33f236a04020000020100020101040c000000000000000000000000020100040c000000" + "000000000000000000020100020100020100020100a04e304c02010102020304040213010" + "40004200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da1" + "04020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374a" + "b03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade" + "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c0000000000000000000000000" + "0000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c16b" + "43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a178c" + "e69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c02180000000000000000" + "0000000000000000b503020120b88201700482016c040000b20002a30056355452010000a" + "027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda1002a4" + "d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072ab33c30" + "e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6bb111867a" + "87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e9044e9094" + "9975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c6738010100a0" + "27abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2ea52d3401d31" + "10a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d18796c97e8320" + "4daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573bcf0252dc4d39" + "0baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af57173f864070fdce2" + "41be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204030013013016020" + "101020117040e300c0201010201000201000101ffbb233021020101020403001301301602" + 
"0101020117040e300c0201010201000201000101ff020108020100a0030101ff", + "308203f0308203ec0201010202030402024000308203d202010204080000000000000000" + "0408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38" + "a6b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3" + "8883d33f236a040200000201000201010440000000000000000000000000020100040c00" + "0000000000000000000000020100020100020100020100a04e304c020101020203040402" + "1301040004200b66320d0201000440000000000000000000000000020100020100020100" + "020100a04e304c0201010202030404021301040004200b66320d38c8fa1b0dfe9e37fcf2" + "bf0bafb43077fa020100020100020100020100a04e304c02010102020304040213010400" + "04200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da104" + "020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374ab" + "03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade" + "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c000000000000000000000000" + "00000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c1" + "6b43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a1" + "78ce69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c0218000000000000" + "00000000000000000000b503020120b88201700482016c040000b20002a3005635545201" + "0000a027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda" + "1002a4d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072" + "ab33c30e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6b" + "b111867a87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e" + "9044e90949975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c67" + "38010100a027abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2e" + "a52d3401d3110a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d1" + "8796c97e83204daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573" + "bcf0252dc4d390baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af571" + 
"73f864070fdce241be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204"
+ "030013013016020101020117040e300c0201010201000201000101ffbb23302102010102"
+ "04030013013016020101020117040e300c0201010201000201000101ff020108020100a0"
+ "030101ff"},
 // In runner.go, the test case
 // "TLS-ECH-Server-Cipher-HKDF-SHA256-AES-256-GCM-SSL_Transfer" is used
 // to generate below bytes by adding print statement on the output of
@@ -8306,8 +8372,8 @@ static const EncodeDecodeKATTestParam kEncodeDecodeKATs[] = {
 "86542c4a1e7ec44b0957bb315c17851bd8498b1d1131a79e19c66463e0566985ef55deb5" "48fe370058ba83566278d01b3a565075b8ef2a82bea17ae95fa91b7b3ffa611a7d8a6331" "00045a5a0000ba15301302010102040300130330080201010201050400bb153013020101"
- "02040300130330080201010201050400020108020100a0030101ff", nullptr}
-};
+ "02040300130330080201010201050400020108020100a0030101ff",
+ nullptr}};
 class EncodeDecodeKATTest : public testing::TestWithParam {};
@@ -8677,8 +8743,9 @@ TEST_P(SSLVersionTest, SessionPropertiesThreads) {
 EXPECT_TRUE(SSL_get_peer_cert_chain(ssl));
 bssl::UniquePtr peer(SSL_get_peer_certificate(ssl));
 EXPECT_TRUE(peer);
- STACK_OF(X509) *verified_chain= SSL_get0_verified_chain(ssl);
- // This test sets a custom verifier callback which doesn't actually do any verification
+ STACK_OF(X509) *verified_chain = SSL_get0_verified_chain(ssl);
+ // This test sets a custom verifier callback which doesn't actually do any
+ // verification
 EXPECT_FALSE(verified_chain);
 EXPECT_TRUE(SSL_get_current_cipher(ssl));
 EXPECT_TRUE(SSL_get_group_id(ssl));
@@ -8698,7 +8765,7 @@ TEST_P(SSLVersionTest, SessionPropertiesThreads) {
 }
 static void SetValueOnFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int index, long argl, void *argp) {
+ int index, long argl, void *argp) {
 if (ptr != nullptr) {
 *static_cast(ptr) = argl;
 }
@@ -8786,14 +8853,16 @@ TEST_P(SSLVersionTest, SimpleVerifiedChain) {
 UniquePtr client_ssl, server_ssl;
 ClientConfig config;
- ASSERT_TRUE(ConnectClientAndServer(&client_ssl, &server_ssl, client_ctx_.get(),
- server_ctx_.get(), config));
+ ASSERT_TRUE(ConnectClientAndServer(
+ &client_ssl, &server_ssl, client_ctx_.get(), server_ctx_.get(), config));
 STACK_OF(X509) *client_chain = SSL_get_peer_full_cert_chain(client_ssl.get());
- STACK_OF(X509) *verified_client_chain = SSL_get0_verified_chain(client_ssl.get());
+ STACK_OF(X509) *verified_client_chain =
+ SSL_get0_verified_chain(client_ssl.get());
 EXPECT_TRUE(verified_client_chain);
- STACK_OF(X509) *verified_server_chain = SSL_get0_verified_chain(server_ssl.get());
+ STACK_OF(X509) *verified_server_chain =
+ SSL_get0_verified_chain(server_ssl.get());
 // The client didn't send a certificate so the server shouldn't have anything
 EXPECT_FALSE(verified_server_chain);
@@ -8833,18 +8902,20 @@ TEST_P(SSLVersionTest, VerifiedChain) {
 UniquePtr client_ssl, server_ssl;
 ClientConfig config;
- ASSERT_TRUE(ConnectClientAndServer(&client_ssl, &server_ssl, client_ctx_.get(),
- server_ctx_.get(), config));
+ ASSERT_TRUE(ConnectClientAndServer(
+ &client_ssl, &server_ssl, client_ctx_.get(), server_ctx_.get(), config));
 // The client didn't send a certificate so the server shouldn't have anything
- STACK_OF(X509) *verified_client_chain = SSL_get0_verified_chain(server_ssl.get());
+ STACK_OF(X509) *verified_client_chain =
+ SSL_get0_verified_chain(server_ssl.get());
 EXPECT_FALSE(verified_client_chain);
 STACK_OF(X509) *client_chain = SSL_get_peer_full_cert_chain(server_ssl.get());
 EXPECT_FALSE(client_chain);
 // The server sent a chain that the client can verify, the client directly
 // trusts the server's certificate
- STACK_OF(X509) *verified_server_chain = SSL_get0_verified_chain(client_ssl.get());
+ STACK_OF(X509) *verified_server_chain =
+ SSL_get0_verified_chain(client_ssl.get());
 EXPECT_EQ(sk_X509_num(verified_server_chain), 1UL);
 EXPECT_EQ(X509_cmp(sk_X509_value(verified_server_chain, 0), cert_.get()), 0);
@@ -8867,7 +8938,8 @@ TEST_P(SSLVersionTest, FailedHandshakeVerifiedChain) {
 ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
 UniquePtr client_ssl, server_ssl;
- ASSERT_TRUE(CreateClientAndServer(&client_ssl, &server_ssl, client_ctx_.get(), server_ctx_.get()));
+ ASSERT_TRUE(CreateClientAndServer(&client_ssl, &server_ssl, client_ctx_.get(),
+ server_ctx_.get()));
 ASSERT_FALSE(CompleteHandshakes(client_ssl.get(), server_ssl.get()));
 EXPECT_NE(SSL_get_verify_result(client_ssl.get()), X509_V_OK);
@@ -8878,7 +8950,8 @@ TEST_P(SSLVersionTest, FailedHandshakeVerifiedChain) {
 // For a failed handshake SSL_get0_verified_chain will return null
- STACK_OF(X509) *verified_client_chain = SSL_get0_verified_chain(client_ssl.get());
+ STACK_OF(X509) *verified_client_chain =
+ SSL_get0_verified_chain(client_ssl.get());
 EXPECT_FALSE(verified_client_chain);
 }
@@ -9577,7 +9650,8 @@ TEST_F(QUICMethodTest, ZeroRTTAccept) {
 // The client should still have no view of the server's preferences, but the
 // server should have seen at least one cipher from the client.
 EXPECT_FALSE(SSL_get_client_ciphers(client_.get()));
- EXPECT_GT(sk_SSL_CIPHER_num(SSL_get_client_ciphers(server_.get())), (size_t) 0);
+ EXPECT_GT(sk_SSL_CIPHER_num(SSL_get_client_ciphers(server_.get())),
+ (size_t)0);
 // Finish up the client and server handshakes.
 ASSERT_TRUE(CompleteHandshakesForQUIC());
@@ -10851,8 +10925,8 @@ TEST(SSLTest, SSLGetSignatureData) {
 // Explicitly configure |SSL_VERIFY_PEER| so both the client and server
 // verify each other
 SSL_CTX_set_custom_verify(
- ctx.get(), SSL_VERIFY_PEER,
- [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
+ ctx.get(), SSL_VERIFY_PEER,
+ [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
 ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));
 ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
@@ -11115,20 +11189,20 @@ class AlpsNewCodepointTest : public testing::Test {
 // success and one on failure.
 ASSERT_FALSE(SSL_set_alpn_protos(client_.get(), alpn, sizeof(alpn)));
 SSL_CTX_set_alpn_select_cb(
- server_ctx_.get(),
- [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
- unsigned in_len, void *arg) -> int {
- return SSL_select_next_proto(
- const_cast(out), out_len, in, in_len,
- alpn, sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
- ? SSL_TLSEXT_ERR_OK
- : SSL_TLSEXT_ERR_NOACK;
- },
- nullptr);
+ server_ctx_.get(),
+ [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
+ unsigned in_len, void *arg) -> int {
+ return SSL_select_next_proto(const_cast(out), out_len, in,
+ in_len, alpn,
+ sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
+ ? SSL_TLSEXT_ERR_OK
+ : SSL_TLSEXT_ERR_NOACK;
+ },
+ nullptr);
 ASSERT_TRUE(SSL_add_application_settings(client_.get(), proto,
- sizeof(proto), nullptr, 0));
- ASSERT_TRUE(SSL_add_application_settings(server_.get(), proto,
- sizeof(proto), alps, sizeof(alps)));
+ sizeof(proto), nullptr, 0));
+ ASSERT_TRUE(SSL_add_application_settings(
+ server_.get(), proto, sizeof(proto), alps, sizeof(alps)));
 }
 bssl::UniquePtr client_ctx_;
@@ -11895,9 +11969,8 @@ TEST(SSLTest, IntermittentEmptyRead) {
 BIO_set_init(b, 1);
 return 1;
 }));
- ASSERT_TRUE(BIO_meth_set_read(method.get(), [](BIO *, char *, int) -> int {
- return 0;
- }));
+ ASSERT_TRUE(BIO_meth_set_read(method.get(),
+ [](BIO *, char *, int) -> int { return 0; }));
 bssl::UniquePtr rbio_empty(BIO_new(method.get()));
 ASSERT_TRUE(rbio_empty);
 BIO_set_flags(rbio_empty.get(), BIO_FLAGS_READ);
@@ -11911,8 +11984,8 @@ TEST(SSLTest, IntermittentEmptyRead) {
 // Server writes some data to the client
 const uint8_t write_data[] = {1, 2, 3};
- int ret = SSL_write(server.get(), write_data, (int) sizeof(write_data));
- EXPECT_EQ(ret, (int) sizeof(write_data));
+ int ret = SSL_write(server.get(), write_data, (int)sizeof(write_data));
+ EXPECT_EQ(ret, (int)sizeof(write_data));
 EXPECT_EQ(SSL_get_error(server.get(), ret), SSL_ERROR_NONE);
 uint8_t read_data[] = {0, 0, 0};
@@ -11925,7 +11998,7 @@ TEST(SSLTest, IntermittentEmptyRead) {
 // Reset client rbio, read should succeed
 SSL_set0_rbio(client.get(), client_rbio.release());
 ret = SSL_read(client.get(), read_data, sizeof(read_data));
- EXPECT_EQ(ret, (int) sizeof(write_data));
+ EXPECT_EQ(ret, (int)sizeof(write_data));
 EXPECT_EQ(OPENSSL_memcmp(read_data, write_data, sizeof(write_data)), 0);
 EXPECT_EQ(SSL_get_error(client.get(), ret), SSL_ERROR_NONE);
@@ -12020,7 +12093,7 @@ TEST(SSLTest, NameLists) {
 size_t num = t.func(nullptr, 0);
 EXPECT_GT(num, 0u);
- std::vector list(num);
+ std::vector list(num);
 EXPECT_EQ(num, t.func(list.data(), list.size()));
 // Check the expected values are in the list.
@@ -12051,13 +12124,16 @@ TEST(SSLTest, NameLists) {
 class KemKeyShareTest : public testing::TestWithParam {};
-INSTANTIATE_TEST_SUITE_P(KemKeyShareTests, KemKeyShareTest, testing::ValuesIn(kKemGroupTests));
+INSTANTIATE_TEST_SUITE_P(KemKeyShareTests, KemKeyShareTest,
+ testing::ValuesIn(kKemGroupTests));
 // Test a successful round-trip for KemKeyShare
 TEST_P(KemKeyShareTest, KemKeyShares) {
 GroupTest t = GetParam();
- bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id);
- bssl::UniquePtr server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr client_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr server_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
 ASSERT_TRUE(client_key_share);
 ASSERT_TRUE(server_key_share);
 EXPECT_EQ(t.group_id, client_key_share->GroupID());
@@ -12080,8 +12156,8 @@ TEST_P(KemKeyShareTest, KemKeyShares) {
 Array server_secret;
 const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
 ASSERT_TRUE(client_out_public_key_data);
- Span client_public_key =
- MakeConstSpan(client_out_public_key_data, CBB_len(&client_out_public_key));
+ Span client_public_key = MakeConstSpan(
+ client_out_public_key_data, CBB_len(&client_out_public_key));
 EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret, &server_alert, client_public_key));
 EXPECT_EQ(CBB_len(&server_out_public_key), t.accept_key_share_size);
@@ -12094,9 +12170,10 @@ TEST_P(KemKeyShareTest, KemKeyShares) {
 Array client_secret;
 const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key);
 ASSERT_TRUE(server_out_public_key_data);
- Span server_public_key =
- MakeConstSpan(server_out_public_key_data, CBB_len(&server_out_public_key));
- EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert, server_public_key));
+ Span server_public_key = MakeConstSpan(
+ server_out_public_key_data, CBB_len(&server_out_public_key));
+ EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert,
+ server_public_key));
 EXPECT_EQ(client_secret.size(), t.shared_secret_size);
 EXPECT_EQ(client_alert, 0);
@@ -12108,14 +12185,16 @@ TEST_P(KemKeyShareTest, KemKeyShares) {
 }
 class BadKemKeyShareOfferTest : public testing::TestWithParam {};
-INSTANTIATE_TEST_SUITE_P(BadKemKeyShareOfferTests, BadKemKeyShareOfferTest, testing::ValuesIn(kKemGroupTests));
+INSTANTIATE_TEST_SUITE_P(BadKemKeyShareOfferTests, BadKemKeyShareOfferTest,
+ testing::ValuesIn(kKemGroupTests));
 // Test failure cases for KEMKeyShare::Offer()
 TEST_P(BadKemKeyShareOfferTest, BadKemKeyShareOffers) {
 GroupTest t = GetParam();
 // Basic nullptr checks
 {
- bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr client_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
 ASSERT_TRUE(client_key_share);
 ASSERT_FALSE(client_key_share->Offer(nullptr));
@@ -12123,7 +12202,8 @@ TEST_P(BadKemKeyShareOfferTest, BadKemKeyShareOffers) {
 // Offer() should fail if |client_out_public_key| has children
 {
- bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr client_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
 ASSERT_TRUE(client_key_share);
 CBB client_out_public_key;
 CBB child;
@@ -12136,7 +12216,8 @@ TEST_P(BadKemKeyShareOfferTest, BadKemKeyShareOffers) {
 // Offer() should succeed on the first call, but fail on all repeated calls
 {
- bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr client_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
 ASSERT_TRUE(client_key_share);
 CBB client_out_public_key;
@@ -12149,8 +12230,10 @@ TEST_P(BadKemKeyShareOfferTest, BadKemKeyShareOffers) {
 // Offer() should fail if Accept() was previously called
 {
- bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id);
- bssl::UniquePtr server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr client_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr server_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
 ASSERT_TRUE(client_key_share);
 ASSERT_TRUE(server_key_share);
 uint8_t server_alert = 0;
@@ -12166,9 +12249,10 @@ TEST_P(BadKemKeyShareOfferTest, BadKemKeyShareOffers) {
 EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
 const uint8_t *client_public_key_data = CBB_data(&client_out_public_key);
 Span client_public_key =
- MakeConstSpan(client_public_key_data, CBB_len(&client_out_public_key));
+ MakeConstSpan(client_public_key_data, CBB_len(&client_out_public_key));
- EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret, &server_alert, client_public_key));
+ EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret,
+ &server_alert, client_public_key));
 EXPECT_EQ(server_alert, 0);
 EXPECT_FALSE(server_key_share->Offer(&server_offer_out));
@@ -12182,7 +12266,8 @@ TEST_P(BadKemKeyShareOfferTest, BadKemKeyShareOffers) {
 // to it so that it records a non-zero length, then its buffer is
 // invalidated.
 {
- bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr client_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
 ASSERT_TRUE(client_key_share);
 CBB client_out_public_key;
 CBB_init(&client_out_public_key, t.offer_key_share_size);
@@ -12190,7 +12275,7 @@ TEST_P(BadKemKeyShareOfferTest, BadKemKeyShareOffers) {
 // Keep a pointer to the buffer so we can cleanup correctly
 uint8_t *buf = client_out_public_key.u.base.buf;
 client_out_public_key.u.base.buf = nullptr;
- EXPECT_EQ(CBB_len(&client_out_public_key), (size_t) 2);
+ EXPECT_EQ(CBB_len(&client_out_public_key), (size_t)2);
 EXPECT_FALSE(client_key_share->Offer(&client_out_public_key));
 client_out_public_key.u.base.buf = buf;
 CBB_cleanup(&client_out_public_key);
@@ -12198,7 +12283,7 @@ TEST_P(BadKemKeyShareOfferTest, BadKemKeyShareOffers) {
 }
 TEST(SSLTest, SessionPrint) {
- static const std::array kExpectedTLS13{
+ static const std::array kExpectedTLS13{
 {"SSL-Session:", " Protocol :", " Cipher : ", " Session-ID: ", " Session-ID-ctx:", " Resumption PSK:", " PSK identity:", " TLS session ticket lifetime hint:",
@@ -12245,14 +12330,16 @@ TEST(SSLTest, SessionPrint) {
 }
 class BadKemKeyShareAcceptTest : public testing::TestWithParam {};
-INSTANTIATE_TEST_SUITE_P(BadKemKeyShareAcceptTests, BadKemKeyShareAcceptTest, testing::ValuesIn(kKemGroupTests));
+INSTANTIATE_TEST_SUITE_P(BadKemKeyShareAcceptTests, BadKemKeyShareAcceptTest,
+ testing::ValuesIn(kKemGroupTests));
 // Test failure cases for KEMKeyShare::Accept()
 TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) {
 GroupTest t = GetParam();
 // Basic nullptr checks
 {
- bssl::UniquePtr server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr server_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
 ASSERT_TRUE(server_key_share);
 uint8_t server_alert = 0;
 Array server_secret;
@@ -12269,14 +12356,14 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) {
 EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR);
 server_alert = 0;
- EXPECT_FALSE(server_key_share->Accept(&server_out_public_key,
- &server_secret, nullptr,
- client_public_key));
+ EXPECT_FALSE(server_key_share->Accept(
+ &server_out_public_key, &server_secret, nullptr, client_public_key));
 }
 // |server_out_public_key| is properly initialized, then is assigned a child
 {
- bssl::UniquePtr server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr server_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
 ASSERT_TRUE(server_key_share);
 uint8_t server_alert = 0;
 Array server_secret;
@@ -12297,7 +12384,8 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) {
 // some zeros are written to it so that it records a non-zero length,
 // then its buffer is invalidated.
 {
- bssl::UniquePtr server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr server_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
 ASSERT_TRUE(server_key_share);
 uint8_t server_alert = 0;
 Array server_secret;
@@ -12309,7 +12397,7 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) {
 // Keep a pointer to the buffer so we can cleanup correctly
 uint8_t *buf = server_out_public_key.u.base.buf;
 server_out_public_key.u.base.buf = nullptr;
- EXPECT_EQ(CBB_len(&server_out_public_key), (size_t) 2);
+ EXPECT_EQ(CBB_len(&server_out_public_key), (size_t)2);
 EXPECT_FALSE(server_key_share->Accept(&server_out_public_key, &server_secret, &server_alert, client_public_key));
@@ -12322,7 +12410,8 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) {
 // previously called by that peer. The server should have no reason to
 // call Offer(); enforcing this case will guard against that type of bug.
 {
- bssl::UniquePtr server_key_share = bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr server_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
 ASSERT_TRUE(server_key_share);
 uint8_t server_alert = 0;
 Array server_secret;
@@ -12335,7 +12424,7 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) {
 const uint8_t *server_offer_out_data = CBB_data(&server_offer_out);
 ASSERT_TRUE(server_offer_out_data);
 Span server_offered_pk =
- MakeConstSpan(server_offer_out_data, CBB_len(&server_offer_out));
+ MakeConstSpan(server_offer_out_data, CBB_len(&server_offer_out));
 EXPECT_FALSE(server_key_share->Accept(&server_out_public_key, &server_secret, &server_alert, server_offered_pk));
@@ -12346,8 +12435,10 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) {
 // |client_public_key| is initialized with too little data
 {
- bssl::UniquePtr server_key_share = bssl::SSLKeyShare::Create(t.group_id);
- bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr server_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr client_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
 ASSERT_TRUE(server_key_share);
 ASSERT_TRUE(client_key_share);
 Span client_public_key;
@@ -12359,7 +12450,8 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) {
 // Generate a valid |client_public_key|, then truncate the last byte
 EXPECT_TRUE(CBB_init(&client_out_public_key, 64));
 EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
- const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+ const uint8_t *client_out_public_key_data =
+ CBB_data(&client_out_public_key);
 ASSERT_TRUE(client_out_public_key_data);
 client_public_key = MakeConstSpan(client_out_public_key_data, CBB_len(&client_out_public_key) - 1);
@@ -12375,8 +12467,10 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) {
 // |client_public_key| is initialized with too much data
 {
- bssl::UniquePtr server_key_share = bssl::SSLKeyShare::Create(t.group_id);
- bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr server_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
+ bssl::UniquePtr client_key_share =
+ bssl::SSLKeyShare::Create(t.group_id);
 ASSERT_TRUE(server_key_share);
 ASSERT_TRUE(client_key_share);
 Span client_public_key;
@@ -12389,7 +12483,8 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) {
 EXPECT_TRUE(CBB_init(&client_out_public_key, 64));
 EXPECT_TRUE(client_key_share->Offer(&client_out_public_key));
 EXPECT_TRUE(CBB_add_zeros(&client_out_public_key, 1));
- const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key);
+ const uint8_t *client_out_public_key_data =
+ CBB_data(&client_out_public_key);
 ASSERT_TRUE(client_out_public_key_data);
 client_public_key = MakeConstSpan(client_out_public_key_data, CBB_len(&client_out_public_key));
@@ -12405,7 +12500,8 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) { // |client_public_key| has been initialized but is empty { - bssl::UniquePtr server_key_share = bssl::SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + bssl::SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); uint8_t server_alert = 0; Array server_secret; @@ -12414,7 +12510,7 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) { EXPECT_TRUE(CBB_init(&server_out_public_key, t.accept_key_share_size)); const uint8_t empty_client_public_key_buf[] = {0}; Span client_public_key = - MakeConstSpan(empty_client_public_key_buf, 0); + MakeConstSpan(empty_client_public_key_buf, 0); EXPECT_FALSE(server_key_share->Accept(&server_out_public_key, &server_secret, &server_alert, client_public_key)); @@ -12427,9 +12523,12 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) { // will succeed, but the client and the server will end up with different // secrets, and the overall handshake will eventually fail. { - bssl::UniquePtr server_key_share = bssl::SSLKeyShare::Create(t.group_id); - bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id); - bssl::UniquePtr random_key_share = bssl::SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + bssl::SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + bssl::SSLKeyShare::Create(t.group_id); + bssl::UniquePtr random_key_share = + bssl::SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); ASSERT_TRUE(client_key_share); ASSERT_TRUE(random_key_share); 
@@ -12445,26 +12544,28 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) { EXPECT_TRUE(CBB_init(&client_out_public_key, t.offer_key_share_size)); EXPECT_TRUE(client_key_share->Offer(&client_out_public_key)); - // Generate a random public key that is incompatible with client's secret key + // Generate a random public key that is incompatible with client's secret + // key EXPECT_TRUE(CBB_init(&random_out_public_key, t.offer_key_share_size)); EXPECT_TRUE(random_key_share->Offer(&random_out_public_key)); - const uint8_t *random_out_public_key_data = CBB_data(&random_out_public_key); + const uint8_t *random_out_public_key_data = + CBB_data(&random_out_public_key); ASSERT_TRUE(random_out_public_key_data); Span client_public_key = - MakeConstSpan(random_out_public_key_data, t.offer_key_share_size); + MakeConstSpan(random_out_public_key_data, t.offer_key_share_size); // When the server calls Accept() with the modified public key, it will // return success EXPECT_TRUE(CBB_init(&server_out_public_key, t.accept_key_share_size)); - EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, - &server_secret, &server_alert, - client_public_key)); + EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret, + &server_alert, client_public_key)); // And when the client calls Finish(), it will also return success - const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key); + const uint8_t *server_out_public_key_data = + CBB_data(&server_out_public_key); ASSERT_TRUE(server_out_public_key_data); - Span server_public_key = - MakeConstSpan(server_out_public_key_data, CBB_len(&server_out_public_key)); + Span server_public_key = MakeConstSpan( + server_out_public_key_data, CBB_len(&server_out_public_key)); EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert, server_public_key)); 
@@ -12484,45 +12585,51 @@ TEST_P(BadKemKeyShareAcceptTest, BadKemKeyShareAccept) { } class BadKemKeyShareFinishTest : public testing::TestWithParam {}; -INSTANTIATE_TEST_SUITE_P(BadKemKeyShareFinishTests, BadKemKeyShareFinishTest, testing::ValuesIn(kKemGroupTests)); +INSTANTIATE_TEST_SUITE_P(BadKemKeyShareFinishTests, BadKemKeyShareFinishTest, + testing::ValuesIn(kKemGroupTests)); TEST_P(BadKemKeyShareFinishTest, BadKemKeyShareFinish) { GroupTest t = GetParam(); // Basic nullptr checks { - bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + bssl::SSLKeyShare::Create(t.group_id); ASSERT_TRUE(client_key_share); Span server_public_key; Array client_secret; uint8_t client_alert = 0; - EXPECT_FALSE(client_key_share->Finish(nullptr, &client_alert, - server_public_key)); + EXPECT_FALSE( + client_key_share->Finish(nullptr, &client_alert, server_public_key)); EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR); client_alert = 0; - EXPECT_FALSE(client_key_share->Finish(&client_secret, nullptr, - server_public_key)); + EXPECT_FALSE( + client_key_share->Finish(&client_secret, nullptr, server_public_key)); } // A call to Finish() should fail if Offer() was not called previously { - bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + bssl::SSLKeyShare::Create(t.group_id); ASSERT_TRUE(client_key_share); Span server_public_key; Array client_secret; uint8_t client_alert = 0; EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, - server_public_key)); + server_public_key)); EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR); } // Set up the client and server states for the remaining tests - bssl::UniquePtr server_key_share = bssl::SSLKeyShare::Create(t.group_id); - bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id); - bssl::UniquePtr random_key_share = bssl::SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + 
bssl::SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + bssl::SSLKeyShare::Create(t.group_id); + bssl::UniquePtr random_key_share = + bssl::SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); ASSERT_TRUE(client_key_share); ASSERT_TRUE(random_key_share); @@ -12545,7 +12652,7 @@ TEST_P(BadKemKeyShareFinishTest, BadKemKeyShareFinish) { client_public_key = MakeConstSpan(client_out_public_key_data, CBB_len(&client_out_public_key)); EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret, - &server_alert, client_public_key)); + &server_alert, client_public_key)); EXPECT_EQ(server_alert, 0); // |server_public_key| has been initialized with too little data. Here, we @@ -12553,10 +12660,13 @@ TEST_P(BadKemKeyShareFinishTest, BadKemKeyShareFinish) { // key. However, it doesn't matter if it is a fragment of a valid key, or // complete garbage, the client will reject it all the same. { - const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key); + const uint8_t *server_out_public_key_data = + CBB_data(&server_out_public_key); ASSERT_TRUE(server_out_public_key_data); - server_public_key = MakeConstSpan(server_out_public_key_data, t.accept_key_share_size - 1); - EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key)); + server_public_key = + MakeConstSpan(server_out_public_key_data, t.accept_key_share_size - 1); + EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, + server_public_key)); EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR); client_alert = 0; } 
@@ -12567,10 +12677,13 @@ TEST_P(BadKemKeyShareFinishTest, BadKemKeyShareFinish) { // valid key with nonsense appended, or complete garbage, the client will // reject it all the same. { - const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key); + const uint8_t *server_out_public_key_data = + CBB_data(&server_out_public_key); ASSERT_TRUE(server_out_public_key_data); - server_public_key = MakeConstSpan(server_out_public_key_data, t.accept_key_share_size + 1); - EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key)); + server_public_key = + MakeConstSpan(server_out_public_key_data, t.accept_key_share_size + 1); + EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, + server_public_key)); EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR); client_alert = 0; } @@ -12584,13 +12697,15 @@ TEST_P(BadKemKeyShareFinishTest, BadKemKeyShareFinish) { // a call to Accept(). Here we modify it by replacing it with a randomly // generated public key that is incompatible with the secret key EXPECT_TRUE(random_key_share->Offer(&random_out_public_key)); - const uint8_t *random_out_public_key_data = CBB_data(&random_out_public_key); + const uint8_t *random_out_public_key_data = + CBB_data(&random_out_public_key); ASSERT_TRUE(random_out_public_key_data); server_public_key = - MakeConstSpan(random_out_public_key_data, t.accept_key_share_size); + MakeConstSpan(random_out_public_key_data, t.accept_key_share_size); // The call to Finish() will return success - EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert, server_public_key)); + EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert, + server_public_key)); EXPECT_EQ(client_alert, 0); // The shared secrets are of the correct length... 
@@ -12607,15 +12722,18 @@ TEST_P(BadKemKeyShareFinishTest, BadKemKeyShareFinish) { } class HybridKeyShareTest : public testing::TestWithParam {}; -INSTANTIATE_TEST_SUITE_P(HybridKeyShareTests, HybridKeyShareTest, testing::ValuesIn(kHybridGroupTests)); +INSTANTIATE_TEST_SUITE_P(HybridKeyShareTests, HybridKeyShareTest, + testing::ValuesIn(kHybridGroupTests)); // Test a successful round-trip for HybridKeyShare TEST_P(HybridKeyShareTest, HybridKeyShares) { HybridGroupTest t = GetParam(); // Set up client and server with test case parameters - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(client_key_share); ASSERT_TRUE(server_key_share); EXPECT_EQ(t.group_id, client_key_share->GroupID()); @@ -12638,8 +12756,8 @@ TEST_P(HybridKeyShareTest, HybridKeyShares) { Array server_secret; const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key); ASSERT_TRUE(client_out_public_key_data); - Span client_public_key = - MakeConstSpan(client_out_public_key_data, CBB_len(&client_out_public_key)); + Span client_public_key = MakeConstSpan( + client_out_public_key_data, CBB_len(&client_out_public_key)); EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret, &server_alert, client_public_key)); EXPECT_EQ(CBB_len(&server_out_public_key), t.accept_key_share_size); 
@@ -12652,8 +12770,9 @@ TEST_P(HybridKeyShareTest, HybridKeyShares) { const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key); ASSERT_TRUE(server_out_public_key_data); Span server_public_key = MakeConstSpan( - server_out_public_key_data, CBB_len(&server_out_public_key)); - EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert, server_public_key)); + server_out_public_key_data, CBB_len(&server_out_public_key)); + EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert, + server_public_key)); EXPECT_EQ(client_alert, 0); // Verify that client and server arrived at the same shared secret. @@ -12663,18 +12782,21 @@ TEST_P(HybridKeyShareTest, HybridKeyShares) { CBB_cleanup(&client_out_public_key); CBB_cleanup(&server_out_public_key); - } -class BadHybridKeyShareOfferTest : public testing::TestWithParam {}; -INSTANTIATE_TEST_SUITE_P(BadHybridKeyShareOfferTests, BadHybridKeyShareOfferTest, testing::ValuesIn(kHybridGroupTests)); +class BadHybridKeyShareOfferTest + : public testing::TestWithParam {}; +INSTANTIATE_TEST_SUITE_P(BadHybridKeyShareOfferTests, + BadHybridKeyShareOfferTest, + testing::ValuesIn(kHybridGroupTests)); // Test failure cases for HybridKeyShare::Offer() TEST_P(BadHybridKeyShareOfferTest, BadHybridKeyShareOffers) { HybridGroupTest t = GetParam(); // Basic nullptr check { - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(client_key_share); ASSERT_FALSE(client_key_share->Offer(nullptr)); @@ -12682,7 +12804,8 @@ TEST_P(BadHybridKeyShareOfferTest, BadHybridKeyShareOffers) { // Offer() should fail if |client_out| has not been initialized at all. { - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(client_key_share); CBB client_out_public_key; CBB_zero(&client_out_public_key); 
@@ -12692,7 +12815,8 @@ TEST_P(BadHybridKeyShareOfferTest, BadHybridKeyShareOffers) { // Offer() should fail if the CBB has children { - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(client_key_share); CBB client_out_public_key; EXPECT_TRUE(CBB_init(&client_out_public_key, 64)); @@ -12705,7 +12829,8 @@ TEST_P(BadHybridKeyShareOfferTest, BadHybridKeyShareOffers) { // Offer() should succeed on the first call, but fail on all repeated calls { - bssl::UniquePtr client_key_share = bssl::SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + bssl::SSLKeyShare::Create(t.group_id); ASSERT_TRUE(client_key_share); CBB client_out_public_key; @@ -12720,7 +12845,8 @@ TEST_P(BadHybridKeyShareOfferTest, BadHybridKeyShareOffers) { // to it so that it records a non-zero length, then its buffer is // invalidated. { - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(client_key_share); CBB client_out_public_key; 
@@ -12729,22 +12855,26 @@ TEST_P(BadHybridKeyShareOfferTest, BadHybridKeyShareOffers) { // Keep a pointer to the buffer so we can cleanup correctly uint8_t *buf = client_out_public_key.u.base.buf; client_out_public_key.u.base.buf = nullptr; - EXPECT_EQ(CBB_len(&client_out_public_key), (size_t) 2); + EXPECT_EQ(CBB_len(&client_out_public_key), (size_t)2); EXPECT_FALSE(client_key_share->Offer(&client_out_public_key)); client_out_public_key.u.base.buf = buf; CBB_cleanup(&client_out_public_key); } } -class BadHybridKeyShareAcceptTest : public testing::TestWithParam {}; -INSTANTIATE_TEST_SUITE_P(BadHybridKeyShareAcceptTests, BadHybridKeyShareAcceptTest, testing::ValuesIn(kHybridGroupTests)); +class BadHybridKeyShareAcceptTest + : public testing::TestWithParam {}; +INSTANTIATE_TEST_SUITE_P(BadHybridKeyShareAcceptTests, + BadHybridKeyShareAcceptTest, + testing::ValuesIn(kHybridGroupTests)); // Test failure cases for HybridKeyShare::Accept() TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { HybridGroupTest t = GetParam(); // Basic nullptr checks { - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); Span client_public_key; Array server_secret; @@ -12761,14 +12891,14 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { EXPECT_EQ(server_alert, SSL_AD_INTERNAL_ERROR); server_alert = 0; - EXPECT_FALSE(server_key_share->Accept(&server_out_public_key, - &server_secret, nullptr, - client_public_key)); + EXPECT_FALSE(server_key_share->Accept( + &server_out_public_key, &server_secret, nullptr, client_public_key)); } // |server_out_public_key| has not been initialized { - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); Span client_public_key; Array server_secret; 
@@ -12783,7 +12913,8 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { // |server_out_public_key| is properly initialized, then is assigned a child { - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); Span client_public_key; Array server_secret; @@ -12804,7 +12935,8 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { // some zeros are written to it so that it records a non-zero length, // then its buffer is invalidated. { - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); Span client_public_key; Array server_secret; @@ -12816,7 +12948,7 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { // Keep a pointer to the buffer so we can cleanup correctly uint8_t *buf = server_out_public_key.u.base.buf; server_out_public_key.u.base.buf = nullptr; - EXPECT_EQ(CBB_len(&server_out_public_key), (size_t) 2); + EXPECT_EQ(CBB_len(&server_out_public_key), (size_t)2); EXPECT_FALSE(server_key_share->Accept(&server_out_public_key, &server_secret, &server_alert, client_public_key)); @@ -12827,7 +12959,8 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { // |client_public_key| has not been initialized with anything { - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); Span client_public_key; Array server_secret; 
@@ -12844,13 +12977,15 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { // |client_public_key| has been initialized but is empty { - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); Array server_secret; CBB server_out_public_key; uint8_t server_alert = 0; - const uint8_t empty_buffer[1] = {0}; // Arrays must have at least 1 element to compile on Windows + const uint8_t empty_buffer[1] = { + 0}; // Arrays must have at least 1 element to compile on Windows Span client_public_key = MakeConstSpan(empty_buffer, 0); EXPECT_TRUE(CBB_init(&server_out_public_key, 64)); @@ -12863,8 +12998,10 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { // |client_public_key| is initialized with too little data { - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); ASSERT_TRUE(client_key_share); Span client_public_key; @@ -12876,7 +13013,8 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { // Generate a valid |client_public_key|, then truncate the last byte EXPECT_TRUE(CBB_init(&client_out_public_key, 64)); EXPECT_TRUE(client_key_share->Offer(&client_out_public_key)); - const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key); + const uint8_t *client_out_public_key_data = + CBB_data(&client_out_public_key); ASSERT_TRUE(client_out_public_key_data); client_public_key = MakeConstSpan(client_out_public_key_data, CBB_len(&client_out_public_key) - 1); 
@@ -12892,8 +13030,10 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { // |client_public_key| is initialized with too much data { - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); ASSERT_TRUE(client_key_share); Span client_public_key; @@ -12906,7 +13046,8 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { EXPECT_TRUE(CBB_init(&client_out_public_key, 64)); EXPECT_TRUE(client_key_share->Offer(&client_out_public_key)); EXPECT_TRUE(CBB_add_zeros(&client_out_public_key, 1)); - const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key); + const uint8_t *client_out_public_key_data = + CBB_data(&client_out_public_key); ASSERT_TRUE(client_out_public_key_data); client_public_key = MakeConstSpan(client_out_public_key_data, CBB_len(&client_out_public_key)); @@ -12932,8 +13073,10 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { ASSERT_TRUE(hybrid_group != NULL); // Create the hybrid key shares and generate a valid |client_public_key| - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(client_key_share); ASSERT_TRUE(server_key_share); 
@@ -12963,21 +13106,25 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { // (We have to do this in a roundabout way with malloc'ing another // buffer because CBBs cannot be arbitrarily edited.) size_t client_out_public_key_len = CBB_len(&client_out_public_key); - const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key); + const uint8_t *client_out_public_key_data = + CBB_data(&client_out_public_key); ASSERT_TRUE(client_out_public_key_data); uint8_t *buffer = (uint8_t *)OPENSSL_malloc(client_out_public_key_len); ASSERT_TRUE(buffer); - OPENSSL_memcpy(buffer, client_out_public_key_data, client_out_public_key_len); + OPENSSL_memcpy(buffer, client_out_public_key_data, + client_out_public_key_len); - for (size_t j = client_public_key_index; j < client_public_key_index + t.offer_share_sizes[i]; j++) { - buffer[j] = 7; // 7 is arbitrary + for (size_t j = client_public_key_index; + j < client_public_key_index + t.offer_share_sizes[i]; j++) { + buffer[j] = 7; // 7 is arbitrary } Span client_public_key = - MakeConstSpan(buffer, client_out_public_key_len); + MakeConstSpan(buffer, client_out_public_key_len); // The server will Accept() the invalid public key - bool accepted = server_key_share-> - Accept(&server_out_public_key, &server_secret, &server_alert, client_public_key); + bool accepted = + server_key_share->Accept(&server_out_public_key, &server_secret, + &server_alert, client_public_key); if (accepted) { // The Accept() functionality for X25519 and all KEM key shares is 
@@ -12988,18 +13135,18 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { // continue with the handshake, then verify that the client and // server ultimately arrived at different shared secrets. EXPECT_TRUE( - hybrid_group->component_group_ids[i] == SSL_GROUP_KYBER768_R3 || - hybrid_group->component_group_ids[i] == SSL_GROUP_MLKEM768 || - hybrid_group->component_group_ids[i] == SSL_GROUP_X25519 - ); + hybrid_group->component_group_ids[i] == SSL_GROUP_KYBER768_R3 || + hybrid_group->component_group_ids[i] == SSL_GROUP_MLKEM768 || + hybrid_group->component_group_ids[i] == SSL_GROUP_X25519); // The handshake will complete without error... EXPECT_EQ(server_alert, 0); EXPECT_EQ(server_secret.size(), t.shared_secret_size); Span server_public_key = MakeConstSpan( - CBB_data(&server_out_public_key), CBB_len(&server_out_public_key)); - EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert, server_public_key)); + CBB_data(&server_out_public_key), CBB_len(&server_out_public_key)); + EXPECT_TRUE(client_key_share->Finish(&client_secret, &client_alert, + server_public_key)); EXPECT_EQ(client_secret.size(), t.shared_secret_size); EXPECT_EQ(client_alert, 0); 
@@ -13022,15 +13169,19 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) { } -class BadHybridKeyShareFinishTest : public testing::TestWithParam {}; -INSTANTIATE_TEST_SUITE_P(BadHybridKeyShareFinishTests, BadHybridKeyShareFinishTest, testing::ValuesIn(kHybridGroupTests)); +class BadHybridKeyShareFinishTest + : public testing::TestWithParam {}; +INSTANTIATE_TEST_SUITE_P(BadHybridKeyShareFinishTests, + BadHybridKeyShareFinishTest, + testing::ValuesIn(kHybridGroupTests)); // Test failure cases for HybridKeyShare::Finish() TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { HybridGroupTest t = GetParam(); // Basic nullptr checks { - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); Span server_public_key; Array client_secret; uint8_t client_alert = 0; @@ -13038,11 +13189,13 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { CBB_init(&client_public_key_out, 2); EXPECT_TRUE(client_key_share->Offer(&client_public_key_out)); - EXPECT_FALSE(client_key_share->Finish(nullptr, &client_alert, server_public_key)); + EXPECT_FALSE( + client_key_share->Finish(nullptr, &client_alert, server_public_key)); EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR); client_alert = 0; - EXPECT_FALSE(client_key_share->Finish(&client_secret, nullptr, server_public_key)); + EXPECT_FALSE( + client_key_share->Finish(&client_secret, nullptr, server_public_key)); CBB_cleanup(&client_public_key_out); } 
@@ -13050,15 +13203,18 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { // It is an error if Finish() is called without there // having been a previous call to Offer() { - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(client_key_share); Array client_secret; uint8_t client_alert = 0; uint8_t *buffer = (uint8_t *)OPENSSL_malloc(t.accept_key_share_size); - Span server_public_key = MakeConstSpan(buffer, t.accept_key_share_size); + Span server_public_key = + MakeConstSpan(buffer, t.accept_key_share_size); - EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key)); + EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, + server_public_key)); EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR); OPENSSL_free(buffer); @@ -13066,7 +13222,8 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { // |server_public_key| has not been initialized with anything { - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); Span server_public_key; Array client_secret; uint8_t client_alert = 0; @@ -13075,7 +13232,8 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { EXPECT_TRUE(client_key_share->Offer(&client_public_key_out)); - EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key)); + EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, + server_public_key)); EXPECT_EQ(client_alert, SSL_AD_INTERNAL_ERROR); CBB_cleanup(&client_public_key_out); 
@@ -13083,26 +13241,31 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { // |server_public_key| is initialized but is empty { - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(client_key_share); Array client_secret; uint8_t client_alert = 0; - const uint8_t empty_buffer[1] = {0}; // Arrays must have at least 1 element to compile on Windows + const uint8_t empty_buffer[1] = { + 0}; // Arrays must have at least 1 element to compile on Windows Span server_public_key = MakeConstSpan(empty_buffer, 0); CBB client_public_key_out; CBB_init(&client_public_key_out, 2); EXPECT_TRUE(client_key_share->Offer(&client_public_key_out)); - EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key)); + EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, + server_public_key)); CBB_cleanup(&client_public_key_out); EXPECT_EQ(client_alert, SSL_AD_DECODE_ERROR); } // |server_public_key| is initialized with too little data { - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); ASSERT_TRUE(client_key_share); Span client_public_key; 
@@ -13117,23 +13280,25 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { // Generate a valid |client_public_key| EXPECT_TRUE(CBB_init(&client_out_public_key, 64)); EXPECT_TRUE(client_key_share->Offer(&client_out_public_key)); - const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key); + const uint8_t *client_out_public_key_data = + CBB_data(&client_out_public_key); ASSERT_TRUE(client_out_public_key_data); client_public_key = MakeConstSpan(client_out_public_key_data, CBB_len(&client_out_public_key)); // Generate a valid |server_public_key|, then truncate the last byte EXPECT_TRUE(CBB_init(&server_out_public_key, 64)); - EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, - &server_secret, &server_alert, - client_public_key)); + EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret, + &server_alert, client_public_key)); EXPECT_EQ(server_alert, 0); - const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key); + const uint8_t *server_out_public_key_data = + CBB_data(&server_out_public_key); ASSERT_TRUE(server_out_public_key_data); server_public_key = MakeConstSpan(server_out_public_key_data, CBB_len(&server_out_public_key) - 1); - EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key)); + EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, + server_public_key)); EXPECT_EQ(client_alert, SSL_AD_DECODE_ERROR); CBB_cleanup(&server_out_public_key); 
@@ -13142,8 +13307,10 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { // |server_public_key| is initialized with too much data { - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(server_key_share); ASSERT_TRUE(client_key_share); Span client_public_key; 
@@ -13158,24 +13325,26 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { // Generate a valid |client_public_key| EXPECT_TRUE(CBB_init(&client_out_public_key, 64)); EXPECT_TRUE(client_key_share->Offer(&client_out_public_key)); - const uint8_t *client_out_public_key_data = CBB_data(&client_out_public_key); + const uint8_t *client_out_public_key_data = + CBB_data(&client_out_public_key); ASSERT_TRUE(client_out_public_key_data); client_public_key = MakeConstSpan(client_out_public_key_data, CBB_len(&client_out_public_key)); // Generate a valid |server_public_key|, then append a byte EXPECT_TRUE(CBB_init(&server_out_public_key, 64)); - EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, - &server_secret, &server_alert, - client_public_key)); + EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret, + &server_alert, client_public_key)); EXPECT_EQ(server_alert, 0); EXPECT_TRUE(CBB_add_zeros(&server_out_public_key, 1)); - const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key); + const uint8_t *server_out_public_key_data = + CBB_data(&server_out_public_key); ASSERT_TRUE(server_out_public_key_data); server_public_key = MakeConstSpan(server_out_public_key_data, CBB_len(&server_out_public_key)); - EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, server_public_key)); + EXPECT_FALSE(client_key_share->Finish(&client_secret, &client_alert, + server_public_key)); EXPECT_EQ(client_alert, SSL_AD_ILLEGAL_PARAMETER); CBB_cleanup(&server_out_public_key); 
@@ -13194,8 +13363,10 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { ASSERT_TRUE(hybrid_group != NULL); // Create the hybrid key shares and generate a valid |server_public_key| - bssl::UniquePtr client_key_share = SSLKeyShare::Create(t.group_id); - bssl::UniquePtr server_key_share = SSLKeyShare::Create(t.group_id); + bssl::UniquePtr client_key_share = + SSLKeyShare::Create(t.group_id); + bssl::UniquePtr server_key_share = + SSLKeyShare::Create(t.group_id); ASSERT_TRUE(client_key_share); ASSERT_TRUE(server_key_share); @@ -13212,7 +13383,7 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { EXPECT_TRUE(client_key_share->Offer(&client_out_public_key)); Span client_public_key = MakeConstSpan( - CBB_data(&client_out_public_key), CBB_len(&client_out_public_key)); + CBB_data(&client_out_public_key), CBB_len(&client_out_public_key)); EXPECT_TRUE(server_key_share->Accept(&server_out_public_key, &server_secret, &server_alert, client_public_key)); 
@@ -13232,16 +13403,19 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { // (We have to do this in a roundabout way with malloc'ing another // buffer because CBBs cannot be arbitrarily edited.) size_t server_out_public_key_len = CBB_len(&server_out_public_key); - const uint8_t *server_out_public_key_data = CBB_data(&server_out_public_key); + const uint8_t *server_out_public_key_data = + CBB_data(&server_out_public_key); ASSERT_TRUE(server_out_public_key_data); uint8_t *buffer = (uint8_t *)OPENSSL_malloc(server_out_public_key_len); ASSERT_TRUE(buffer); - OPENSSL_memcpy(buffer, server_out_public_key_data, server_out_public_key_len); - for (size_t j = server_public_key_index; j < server_public_key_index + t.accept_share_sizes[i]; j++) { - buffer[j] = 7; // 7 is arbitrary + OPENSSL_memcpy(buffer, server_out_public_key_data, + server_out_public_key_len); + for (size_t j = server_public_key_index; + j < server_public_key_index + t.accept_share_sizes[i]; j++) { + buffer[j] = 7; // 7 is arbitrary } Span server_public_key = - MakeConstSpan(buffer, server_out_public_key_len); + MakeConstSpan(buffer, server_out_public_key_len); // The client will Finish() with the invalid public key bool accepted = client_key_share->Finish(&client_secret, &client_alert, @@ -13256,10 +13430,9 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) { // continue with the handshake, then verify that the client and // server ultimately arrived at different shared secrets. EXPECT_TRUE( - hybrid_group->component_group_ids[i] == SSL_GROUP_KYBER768_R3 || - hybrid_group->component_group_ids[i] == SSL_GROUP_MLKEM768 || - hybrid_group->component_group_ids[i] == SSL_GROUP_X25519 - ); + hybrid_group->component_group_ids[i] == SSL_GROUP_KYBER768_R3 || + hybrid_group->component_group_ids[i] == SSL_GROUP_MLKEM768 || + hybrid_group->component_group_ids[i] == SSL_GROUP_X25519); // The handshake will complete without error... EXPECT_EQ(client_alert, 0); 
@@ -13283,8 +13456,11 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) {
 }
 }
 
-class PerformHybridHandshakeTest : public testing::TestWithParam {};
-INSTANTIATE_TEST_SUITE_P(PerformHybridHandshakeTests, PerformHybridHandshakeTest, testing::ValuesIn(kHybridHandshakeTests));
+class PerformHybridHandshakeTest
+ : public testing::TestWithParam {};
+INSTANTIATE_TEST_SUITE_P(PerformHybridHandshakeTests,
+ PerformHybridHandshakeTest,
+ testing::ValuesIn(kHybridHandshakeTests));
 
 // This test runs through an overall handshake flow for all of the cases
 // defined in kHybridHandshakeTests. This test runs through both positive and
diff --git a/ssl/ssl_text.cc b/ssl/ssl_text.cc
index a2cb0e2308..1933d97d0c 100644
--- a/ssl/ssl_text.cc
+++ b/ssl/ssl_text.cc
@@ -124,4 +124,3 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *sess) {
 return 1;
 }
 
-
diff --git a/ssl/ssl_transcript.cc b/ssl/ssl_transcript.cc
index 58fd21e57c..d5581e6546 100644
--- a/ssl/ssl_transcript.cc
+++ b/ssl/ssl_transcript.cc
@@ -168,13 +168,9 @@ bool SSLTranscript::InitHash(uint16_t version, const SSL_CIPHER *cipher) {
 EVP_DigestUpdate(hash_.get(), buffer_->data, buffer_->length);
 }
 
-void SSLTranscript::FreeBuffer() {
- buffer_.reset();
-}
+void SSLTranscript::FreeBuffer() { buffer_.reset(); }
 
-size_t SSLTranscript::DigestLen() const {
- return EVP_MD_size(Digest());
-}
+size_t SSLTranscript::DigestLen() const { return EVP_MD_size(Digest()); }
 
 const EVP_MD *SSLTranscript::Digest() const {
 return EVP_MD_CTX_md(hash_.get());
@@ -192,8 +188,7 @@ bool SSLTranscript::UpdateForHelloRetryRequest() {
 }
 const uint8_t header[4] = {SSL3_MT_MESSAGE_HASH, 0, 0,
 static_cast(hash_len)};
- if (!EVP_DigestInit_ex(hash_.get(), Digest(), nullptr) ||
- !Update(header) ||
+ if (!EVP_DigestInit_ex(hash_.get(), Digest(), nullptr) || !Update(header) ||
 !Update(MakeConstSpan(old_hash, hash_len))) {
 return false;
 }
@@ -220,8 +215,7 @@ bool SSLTranscript::CopyToHashContext(EVP_MD_CTX *ctx,
 bool SSLTranscript::Update(Span in) {
 // Depending on the state of the handshake, either the handshake buffer may be
 // active, the rolling hash, or both.
- if (buffer_ &&
- !BUF_MEM_append(buffer_.get(), in.data(), in.size())) {
+ if (buffer_ && !BUF_MEM_append(buffer_.get(), in.data(), in.size())) {
 return false;
 }
 
diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc
index 946cc421d2..c31ba9d4e3 100644
--- a/ssl/ssl_versions.cc
+++ b/ssl/ssl_versions.cc
@@ -22,8 +22,8 @@
 #include
 #include
 
-#include "internal.h"
 #include "../crypto/internal.h"
+#include "internal.h"
 
 BSSL_NAMESPACE_BEGIN
 
@@ -85,7 +85,7 @@ bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
 
 // The following functions map between API versions and wire versions. The
 // public API works on wire versions.
-static const char* kUnknownVersion = "unknown";
+static const char *kUnknownVersion = "unknown";
 
 struct VersionInfo {
 uint16_t version;
@@ -93,12 +93,9 @@ struct VersionInfo {
 };
 
 static const VersionInfo kVersionNames[] = {
- {TLS1_3_VERSION, "TLSv1.3"},
- {TLS1_2_VERSION, "TLSv1.2"},
- {TLS1_1_VERSION, "TLSv1.1"},
- {TLS1_VERSION, "TLSv1"},
- {DTLS1_VERSION, "DTLSv1"},
- {DTLS1_2_VERSION, "DTLSv1.2"},
+ {TLS1_3_VERSION, "TLSv1.3"}, {TLS1_2_VERSION, "TLSv1.2"},
+ {TLS1_1_VERSION, "TLSv1.1"}, {TLS1_VERSION, "TLSv1"},
+ {DTLS1_VERSION, "DTLSv1"}, {DTLS1_2_VERSION, "DTLSv1.2"},
 };
 
 static const char *ssl_version_to_string(uint16_t version) {
@@ -110,9 +107,7 @@ static const char *ssl_version_to_string(uint16_t version) {
 return kUnknownVersion;
 }
 
-static uint16_t wire_version_to_api(uint16_t version) {
- return version;
-}
+static uint16_t wire_version_to_api(uint16_t version) { return version; }
 
 // api_version_to_wire maps |version| to some representative wire version.
 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
@@ -228,7 +223,7 @@ bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
 // If there is a disabled version after the first enabled one, all versions
 // after it are implicitly disabled.
 if (any_enabled) {
- max_version = kProtocolVersions[i-1].version;
+ max_version = kProtocolVersions[i - 1].version;
 break;
 }
 }
diff --git a/ssl/ssl_x509.cc b/ssl/ssl_x509.cc
index b6059d3554..27aeebd18a 100644
--- a/ssl/ssl_x509.cc
+++ b/ssl/ssl_x509.cc
@@ -535,24 +535,24 @@ static void ssl_crypto_x509_ssl_ctx_free(SSL_CTX *ctx) {
 }
 
 const SSL_X509_METHOD ssl_crypto_x509_method = {
- ssl_crypto_x509_check_client_CA_list,
- ssl_crypto_x509_cert_clear,
- ssl_crypto_x509_cert_free,
- ssl_crypto_x509_cert_dup,
- ssl_crypto_x509_cert_flush_cached_chain,
- ssl_crypto_x509_cert_flush_leaf,
- ssl_crypto_x509_session_cache_objects,
- ssl_crypto_x509_session_dup,
- ssl_crypto_x509_session_clear,
- ssl_crypto_x509_session_verify_cert_chain,
- ssl_crypto_x509_hs_flush_cached_ca_names,
- ssl_crypto_x509_ssl_new,
- ssl_crypto_x509_ssl_config_free,
- ssl_crypto_x509_ssl_flush_cached_client_CA,
- ssl_crypto_x509_ssl_auto_chain_if_needed,
- ssl_crypto_x509_ssl_ctx_new,
- ssl_crypto_x509_ssl_ctx_free,
- ssl_crypto_x509_ssl_ctx_flush_cached_client_CA,
+ ssl_crypto_x509_check_client_CA_list,
+ ssl_crypto_x509_cert_clear,
+ ssl_crypto_x509_cert_free,
+ ssl_crypto_x509_cert_dup,
+ ssl_crypto_x509_cert_flush_cached_chain,
+ ssl_crypto_x509_cert_flush_leaf,
+ ssl_crypto_x509_session_cache_objects,
+ ssl_crypto_x509_session_dup,
+ ssl_crypto_x509_session_clear,
+ ssl_crypto_x509_session_verify_cert_chain,
+ ssl_crypto_x509_hs_flush_cached_ca_names,
+ ssl_crypto_x509_ssl_new,
+ ssl_crypto_x509_ssl_config_free,
+ ssl_crypto_x509_ssl_flush_cached_client_CA,
+ ssl_crypto_x509_ssl_auto_chain_if_needed,
+ ssl_crypto_x509_ssl_ctx_new,
+ ssl_crypto_x509_ssl_ctx_free,
+ ssl_crypto_x509_ssl_ctx_flush_cached_client_CA,
 };
 
 BSSL_NAMESPACE_END
diff --git a/ssl/t1_enc.cc b/ssl/t1_enc.cc
index 081c8eb7b5..4c7259663e 100644
--- a/ssl/t1_enc.cc
+++ b/ssl/t1_enc.cc
@@ -375,7 +375,8 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
 if (use_context) {
 seed[2 * SSL3_RANDOM_SIZE] = static_cast(context_len >> 8);
 seed[2 * SSL3_RANDOM_SIZE + 1] = static_cast(context_len);
- OPENSSL_memcpy(seed.data() + 2 * SSL3_RANDOM_SIZE + 2, context, context_len);
+ OPENSSL_memcpy(seed.data() + 2 * SSL3_RANDOM_SIZE + 2, context,
+ context_len);
 }
 
 const SSL_SESSION *session = SSL_get_session(ssl);
diff --git a/ssl/test/async_bio.cc b/ssl/test/async_bio.cc
index 1c9859afee..8d5deb8663 100644
--- a/ssl/test/async_bio.cc
+++ b/ssl/test/async_bio.cc
@@ -138,16 +138,8 @@ static long AsyncCallbackCtrl(BIO *bio, int cmd, bio_info_cb fp) {
 }
 
 const BIO_METHOD g_async_bio_method = {
- BIO_TYPE_FILTER,
- "async bio",
- AsyncWrite,
- AsyncRead,
- NULL /* puts */,
- NULL /* gets */,
- AsyncCtrl,
- AsyncNew,
- AsyncFree,
- AsyncCallbackCtrl,
+ BIO_TYPE_FILTER, "async bio", AsyncWrite, AsyncRead, NULL /* puts */,
+ NULL /* gets */, AsyncCtrl, AsyncNew, AsyncFree, AsyncCallbackCtrl,
 };
 
 } // namespace
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 28010b8786..924072b8ce 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -355,7 +355,8 @@ static bool CheckListContains(const char *type,
 return true;
 }
 }
- fprintf(stderr, "Unexpected %s: %s\n", type, (str == nullptr) ? "" : str);
+ fprintf(stderr, "Unexpected %s: %s\n", type,
+ (str == nullptr) ? "" : str);
 return false;
 }
 
@@ -989,8 +990,8 @@ static bool DoConnection(bssl::UniquePtr *out_session,
 fprintf(stderr, "SSL error: %s\n", SSL_error_description(ssl_err));
 if (ssl_err == SSL_ERROR_SYSCALL) {
 int err = errno;
- fprintf(stderr, "Error occurred: errno = %d, description = %s\n", err, strerror(err));
-
+ fprintf(stderr, "Error occurred: errno = %d, description = %s\n", err,
+ strerror(err));
 }
 }
 return false;
diff --git a/ssl/test/fuzzer.h b/ssl/test/fuzzer.h index b6a0f078a4..150bff3e8a 100644 --- a/ssl/test/fuzzer.h +++ b/ssl/test/fuzzer.h @@ -396,8 +396,7 @@ class TLSFuzzer { const uint8_t *bufp = kCertificateDER; bssl::UniquePtr cert(d2i_X509(NULL, &bufp, sizeof(kCertificateDER))); - if (!cert || - !SSL_CTX_use_certificate(ctx_.get(), cert.get()) || + if (!cert || !SSL_CTX_use_certificate(ctx_.get(), cert.get()) || !SSL_CTX_set_ocsp_response(ctx_.get(), kOCSPResponse, sizeof(kOCSPResponse)) || !SSL_CTX_set_signed_cert_timestamp_list(ctx_.get(), kSCT, diff --git a/ssl/test/handshake_util.cc b/ssl/test/handshake_util.cc index b6d8280d6c..2c5607ae8d 100644 --- a/ssl/test/handshake_util.cc +++ b/ssl/test/handshake_util.cc @@ -273,8 +273,8 @@ static bool Proxy(BIO *socket, bool async, int control, int rfd, int wfd) { return false; } if (header[1] != 3) { - fprintf(stderr, "bad header\n"); - return false; + fprintf(stderr, "bad header\n"); + return false; } size_t remaining = (header[3] << 8) + header[4]; while (remaining > 0) { @@ -442,7 +442,7 @@ static bool StartHandshaker(ScopedProcess *out, ScopedFD *out_control, } temp_fds[pair.second] = next_fd; if (posix_spawn_file_actions_adddup2(&actions, pair.second, next_fd) != - 0 || + 0 || posix_spawn_file_actions_addclose(&actions, pair.second) != 0) { return false; } @@ -613,12 +613,9 @@ static bool PrepareHandoff(SSL *ssl, SettingsWriter *writer, const TestConfig *config = GetTestConfig(ssl); int ret = -1; do { - ret = CheckIdempotentError( - "SSL_do_handshake", ssl, - [&]() -> int { return SSL_do_handshake(ssl); }); - } while (!HandoffReady(ssl, ret) && - config->async && - RetryAsync(ssl, ret)); + ret = CheckIdempotentError("SSL_do_handshake", ssl, + [&]() -> int { return SSL_do_handshake(ssl); }); + } while (!HandoffReady(ssl, ret) && config->async && RetryAsync(ssl, ret)); if (!HandoffReady(ssl, ret)) { fprintf(stderr, "Handshake failed while waiting for handoff.\n"); return false; 
diff --git a/ssl/test/handshake_util.h b/ssl/test/handshake_util.h
index dda9206e75..bf18e1f563 100644
--- a/ssl/test/handshake_util.h
+++ b/ssl/test/handshake_util.h
@@ -62,6 +62,6 @@ constexpr char kControlMsgError = 'E'; // Handshaker hit an error
 constexpr int kFdControl = 3; // Bi-directional dgram socket.
 constexpr int kFdProxyToHandshaker = 4; // Uni-directional pipe.
 constexpr int kFdHandshakerToProxy = 5; // Uni-directional pipe.
-#endif // HANDSHAKER_SUPPORTED
+#endif // HANDSHAKER_SUPPORTED
 
 #endif // HEADER_TEST_HANDSHAKE
diff --git a/ssl/test/handshaker.cc b/ssl/test/handshaker.cc
index 7f2ba5af8e..38d178eebe 100644
--- a/ssl/test/handshaker.cc
+++ b/ssl/test/handshaker.cc
@@ -24,10 +24,10 @@
 #include
 #include
 
+#include "../crypto/internal.h"
 #include "handshake_util.h"
 #include "test_config.h"
 #include "test_state.h"
-#include "../crypto/internal.h"
 
 using namespace bssl;
 
@@ -82,17 +82,16 @@ bool Handshaker(const TestConfig *config, int rfd, int wfd,
 if (!CBS_get_asn1_element(&cbs, &handoff, CBS_ASN1_SEQUENCE) ||
 !DeserializeContextState(&cbs, ctx.get()) ||
 !SetTestState(ssl.get(), TestState::Deserialize(&cbs, ctx.get())) ||
- !GetTestState(ssl.get()) ||
- !SSL_apply_handoff(ssl.get(), handoff)) {
+ !GetTestState(ssl.get()) || !SSL_apply_handoff(ssl.get(), handoff)) {
 fprintf(stderr, "Handoff application failed.\n");
 return false;
 }
 
 int ret = 0;
 for (;;) {
- ret = CheckIdempotentError(
- "SSL_do_handshake", ssl.get(),
- [&]() -> int { return SSL_do_handshake(ssl.get()); });
+ ret = CheckIdempotentError("SSL_do_handshake", ssl.get(), [&]() -> int {
+ return SSL_do_handshake(ssl.get());
+ });
 if (SSL_get_error(ssl.get(), ret) == SSL_ERROR_WANT_READ) {
 // Synchronize with the proxy, i.e. don't let the handshake continue until
 // the proxy has sent more data.
@@ -268,8 +267,8 @@ int main(int argc, char **argv) {
 return SignalError();
 }
 } else {
- if (!Handshaker(config, kFdProxyToHandshaker, kFdHandshakerToProxy,
- request, kFdControl)) {
+ if (!Handshaker(config, kFdProxyToHandshaker, kFdHandshakerToProxy, request,
+ kFdControl)) {
 return SignalError();
 }
 }
diff --git a/ssl/test/mock_quic_transport.cc b/ssl/test/mock_quic_transport.cc
index b1c42f680b..4aaabb53d9 100644
--- a/ssl/test/mock_quic_transport.cc
+++ b/ssl/test/mock_quic_transport.cc
@@ -95,8 +95,7 @@ bool MockQuicTransport::ReadHeader(uint8_t *out_type,
 uint16_t cipher_suite;
 uint32_t remaining_bytes;
 CBS_init(&cbs, header, sizeof(header));
- if (!CBS_get_u8(&cbs, out_type) ||
- !CBS_get_u8(&cbs, &level_id) ||
+ if (!CBS_get_u8(&cbs, out_type) || !CBS_get_u8(&cbs, &level_id) ||
 !CBS_get_u16(&cbs, &cipher_suite) ||
 !CBS_get_u32(&cbs, &remaining_bytes) ||
 level_id >= read_levels_.size()) {
@@ -117,8 +116,7 @@ bool MockQuicTransport::ReadHeader(uint8_t *out_type,
 }
 continue;
 }
- fprintf(stderr,
- "Got record at level %s, but keys were not configured.\n",
+ fprintf(stderr, "Got record at level %s, but keys were not configured.\n",
 LevelToString(level));
 return false;
 }
diff --git a/ssl/test/packeted_bio.cc b/ssl/test/packeted_bio.cc
index 35dd8a8f15..2fb9d2f43f 100644
--- a/ssl/test/packeted_bio.cc
+++ b/ssl/test/packeted_bio.cc
@@ -33,8 +33,7 @@ const uint8_t kOpcodeTimeout = 'T';
 const uint8_t kOpcodeTimeoutAck = 't';
 
 struct PacketedBio {
- explicit PacketedBio(timeval *clock_arg)
- : clock(clock_arg) {
+ explicit PacketedBio(timeval *clock_arg) : clock(clock_arg) {
 OPENSSL_memset(&timeout, 0, sizeof(timeout));
 }
 
@@ -223,16 +222,9 @@ static long PacketedCallbackCtrl(BIO *bio, int cmd, bio_info_cb fp) {
 }
 
 const BIO_METHOD g_packeted_bio_method = {
- BIO_TYPE_FILTER,
- "packeted bio",
- PacketedWrite,
- PacketedRead,
- NULL /* puts */,
- NULL /* gets */,
- PacketedCtrl,
- PacketedNew,
- PacketedFree,
- PacketedCallbackCtrl,
+ BIO_TYPE_FILTER, "packeted bio", PacketedWrite, PacketedRead,
+ NULL /* puts */, NULL /* gets */, PacketedCtrl, PacketedNew,
+ PacketedFree, PacketedCallbackCtrl,
 };
 
 } // namespace
diff --git a/ssl/test/ssl_transfer.cc b/ssl/test/ssl_transfer.cc
index d1d43955f9..0f89bc397a 100644
--- a/ssl/test/ssl_transfer.cc
+++ b/ssl/test/ssl_transfer.cc
@@ -9,8 +9,8 @@
 
 #include
 
-#include "test_config.h"
 #include "../internal.h"
+#include "test_config.h"
 
 SSLTransfer::SSLTransfer() {}
 
@@ -40,14 +40,14 @@ static bool WriteData(std::string prefix, const uint8_t *input, size_t len) {
 // by using |SSL_to/from_bytes|. When success, |in| is freed and |out| holds
 // the transferred SSL.
 static bool EncodeAndDecodeSSL(const TestConfig *config, SSL *in, SSL_CTX *ctx,
- bssl::UniquePtr *out) {
+ bssl::UniquePtr *out) {
 // Encoding SSL to bytes.
 size_t encoded_len;
 bssl::UniquePtr encoded;
 uint8_t *encoded_raw;
 if (!SSL_to_bytes(in, &encoded_raw, &encoded_len)) {
 fprintf(stderr, "SSL_to_bytes failed. Error code: %s\n",
- ERR_reason_error_string(ERR_peek_last_error()));
+ ERR_reason_error_string(ERR_peek_last_error()));
 return false;
 }
 encoded.reset(encoded_raw);
@@ -60,7 +60,8 @@ static bool EncodeAndDecodeSSL(const TestConfig *config, SSL *in, SSL_CTX *ctx,
 const uint8_t *ptr2 = encoded.get();
 SSL *server2_ = SSL_from_bytes(ptr2, encoded_len, ctx);
 if (server2_ == nullptr) {
- fprintf(stderr, "SSL_from_bytes failed. Error code: %s\n", ERR_reason_error_string(ERR_peek_last_error()));
+ fprintf(stderr, "SSL_from_bytes failed. Error code: %s\n",
+ ERR_reason_error_string(ERR_peek_last_error()));
 return false;
 }
 out->reset(server2_);
@@ -82,7 +83,8 @@ static void MoveBIOs(SSL *dest, SSL *src) {
 }
 
 // TransferSSL transfers |in| to |out|.
-static bool TransferSSL(const TestConfig *config, bssl::UniquePtr *in, bssl::UniquePtr *out) {
+static bool TransferSSL(const TestConfig *config, bssl::UniquePtr *in,
+ bssl::UniquePtr *out) {
 if (!in || !in->get()) {
 return false;
 }
@@ -90,7 +92,7 @@ static bool TransferSSL(const TestConfig *config, bssl::UniquePtr *in, bssl
 // Encode the SSL |in| into bytes.
 // Decode the bytes into a new SSL.
 bssl::UniquePtr decoded_ssl;
- if (!EncodeAndDecodeSSL(config, in->get(), in_ctx, &decoded_ssl)){
+ if (!EncodeAndDecodeSSL(config, in->get(), in_ctx, &decoded_ssl)) {
 return false;
 }
 // Move the bio.
@@ -105,7 +107,8 @@ static bool TransferSSL(const TestConfig *config, bssl::UniquePtr *in, bssl
 }
 // Unset the test state of |in|.
 std::unique_ptr tmp1;
- if (!SetTestState(in->get(), std::move(tmp1)) || !SetTestConfig(in->get(), nullptr)) {
+ if (!SetTestState(in->get(), std::move(tmp1)) ||
+ !SetTestConfig(in->get(), nullptr)) {
 return false;
 }
 // Free the SSL of |in|.
@@ -133,7 +136,7 @@ void SSLTransfer::MarkTest(const TestConfig *config, const SSL *ssl) {
 
 bool SSLTransfer::ResetSSL(const TestConfig *config, bssl::UniquePtr *in) {
 if (config->do_ssl_transfer && IsSupported(in->get())) {
- // Below message is to inform runner.go that this test case
+ // Below message is to inform runner.go that this test case
 // is going to test SSL transfer.
 fprintf(stderr, "SSL transfer is going to be tested.\n");
 if (!TransferSSL(config, in, nullptr)) {
@@ -157,7 +160,8 @@ bool SSLTransfer::IsSupported(const SSL *in) {
 return ret;
 }
 
-bool SSLTransfer::MarkOrReset(const TestConfig *config, bssl::UniquePtr *in) {
+bool SSLTransfer::MarkOrReset(const TestConfig *config,
+ bssl::UniquePtr *in) {
 if (!config || !in) {
 return false;
 }
diff --git a/ssl/test/ssl_transfer.h b/ssl/test/ssl_transfer.h
index 057ffdb405..f9cbf3c98f 100644
--- a/ssl/test/ssl_transfer.h
+++ b/ssl/test/ssl_transfer.h
@@ -15,18 +15,20 @@ struct SSLTransfer {
 public:
 SSLTransfer();
 
- // MarkTest generate a mark(err msg) if a test case of runner.go can be used to test
- // SSL transfer when |config->check_ssl_transfer| is true.
+ // MarkTest generate a mark(err msg) if a test case of runner.go can be used
+ // to test SSL transfer when |config->check_ssl_transfer| is true.
 void MarkTest(const TestConfig *config, const SSL *ssl);
 
- // ResetSSL resets |in| with a newly allocated SSL when |config->do_ssl_transfer| is true.
- // The newly allocated SSL has states transferred from the previous one hold by |in|.
+ // ResetSSL resets |in| with a newly allocated SSL when
+ // |config->do_ssl_transfer| is true. The newly allocated SSL has states
+ // transferred from the previous one hold by |in|.
 bool ResetSSL(const TestConfig *config, bssl::UniquePtr *in);
 
 // MarkOrReset wraps |MarkTest| and |ResetSSL|.
 bool MarkOrReset(const TestConfig *config, bssl::UniquePtr *in);
 
- // IsSupported returns true when |in| can be transferred. Otherwise, returns false.
+ // IsSupported returns true when |in| can be transferred. Otherwise, returns
+ // false.
 bool IsSupported(const SSL *in);
 };
 
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 6d628ae341..933d3e1fda 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -317,10 +317,13 @@ std::vector SortedFlags() {
 BoolFlag("-use-ticket-callback", &TestConfig::use_ticket_callback),
 BoolFlag("-renew-ticket", &TestConfig::renew_ticket),
 BoolFlag("-enable-early-data", &TestConfig::enable_early_data),
- BoolFlag("-enable-client-custom-extension", &TestConfig::enable_client_custom_extension),
- BoolFlag("-enable-server-custom-extension", &TestConfig::enable_server_custom_extension),
+ BoolFlag("-enable-client-custom-extension",
+ &TestConfig::enable_client_custom_extension),
+ BoolFlag("-enable-server-custom-extension",
+ &TestConfig::enable_server_custom_extension),
 BoolFlag("-custom-extension-skip", &TestConfig::custom_extension_skip),
- BoolFlag("-custom-extension-fail-add", &TestConfig::custom_extension_fail_add),
+ BoolFlag("-custom-extension-fail-add",
+ &TestConfig::custom_extension_fail_add),
 Base64Flag("-ocsp-response", &TestConfig::ocsp_response),
 Base64Flag("-expect-ocsp-response", &TestConfig::expect_ocsp_response),
 BoolFlag("-check-close-notify", &TestConfig::check_close_notify),
@@ -422,11 +425,12 @@ std::vector SortedFlags() {
 &TestConfig::early_write_after_message),
 BoolFlag("-check-ssl-transfer", &TestConfig::check_ssl_transfer),
 BoolFlag("-do-ssl-transfer", &TestConfig::do_ssl_transfer),
- IntFlag("-read-ahead-buffer-size",
- &TestConfig::read_ahead_buffer_size),
- StringFlag("-ssl-fuzz-seed-path-prefix", &TestConfig::ssl_fuzz_seed_path_prefix),
+ IntFlag("-read-ahead-buffer-size", &TestConfig::read_ahead_buffer_size),
+ StringFlag("-ssl-fuzz-seed-path-prefix",
+ &TestConfig::ssl_fuzz_seed_path_prefix),
 StringFlag("-tls13-ciphersuites", &TestConfig::tls13_ciphersuites),
- StringPairVectorFlag("-multiple-certs-slot", &TestConfig::multiple_certs_slot),
+ StringPairVectorFlag("-multiple-certs-slot",
+ &TestConfig::multiple_certs_slot),
 BoolFlag("-no-check-client-certificate-type",
 &TestConfig::no_check_client_certificate_type),
 };
@@ -462,10 +466,8 @@ bool RemovePrefix(const char **str, const char *prefix) { } // namespace -bool ParseConfig(int argc, char **argv, bool is_shim, - TestConfig *out_initial, - TestConfig *out_resume, - TestConfig *out_retry) { +bool ParseConfig(int argc, char **argv, bool is_shim, TestConfig *out_initial, + TestConfig *out_resume, TestConfig *out_retry) { for (int i = 0; i < argc; i++) { bool skip = false; const char *arg = argv[i]; @@ -878,8 +880,7 @@ static int AlpnSelectCallback(SSL *ssl, const uint8_t **out, uint8_t *outlen, if (!config->expect_advertised_alpn.empty() && (config->expect_advertised_alpn.size() != inlen || - OPENSSL_memcmp(config->expect_advertised_alpn.data(), in, inlen) != - 0)) { + OPENSSL_memcmp(config->expect_advertised_alpn.data(), in, inlen) != 0)) { fprintf(stderr, "bad ALPN select callback inputs.\n"); exit(1); } @@ -1438,8 +1439,7 @@ static enum ssl_select_cert_result_t SelectCertificateCallback( return ssl_select_cert_error; } - if (config->use_early_callback && - !InstallMultipleCertificates(ssl) && + if (config->use_early_callback && !InstallMultipleCertificates(ssl) && !InstallCertificate(ssl)) { return ssl_select_cert_error; } @@ -1499,11 +1499,8 @@ static int SendQuicAlert(SSL *ssl, enum ssl_encryption_level_t level, } static const SSL_QUIC_METHOD g_quic_method = { - SetQuicReadSecret, - SetQuicWriteSecret, - AddQuicHandshakeData, - FlushQuicFlight, - SendQuicAlert, + SetQuicReadSecret, SetQuicWriteSecret, AddQuicHandshakeData, + FlushQuicFlight, SendQuicAlert, }; static bool MaybeInstallCertCompressionAlg( @@ -1535,8 +1532,8 @@ bssl::UniquePtr TestConfig::SetupCtx(SSL_CTX *old_ctx) const { if (!SSL_CTX_set_strict_cipher_list(ssl_ctx.get(), cipher_list.c_str())) { return nullptr; } - if (!tls13_ciphersuites.empty() - && !SSL_CTX_set_ciphersuites(ssl_ctx.get(), tls13_ciphersuites.c_str())) { + if (!tls13_ciphersuites.empty() && + !SSL_CTX_set_ciphersuites(ssl_ctx.get(), tls13_ciphersuites.c_str())) { return nullptr; } 
@@ -1656,8 +1653,8 @@ bssl::UniquePtr TestConfig::SetupCtx(SSL_CTX *old_ctx) const { if (use_ocsp_callback) { SSL_CTX_set_tlsext_status_cb(ssl_ctx.get(), LegacyOCSPCallback); int (*cb)(SSL *, void *) = nullptr; - if(!SSL_CTX_get_tlsext_status_cb(ssl_ctx.get(), &cb) || - cb != LegacyOCSPCallback){ + if (!SSL_CTX_get_tlsext_status_cb(ssl_ctx.get(), &cb) || + cb != LegacyOCSPCallback) { return nullptr; } } @@ -2014,12 +2011,10 @@ bssl::UniquePtr TestConfig::NewSSL( if (enable_signed_cert_timestamps) { SSL_enable_signed_cert_timestamps(ssl.get()); } - if (min_version != 0 && - !SSL_set_min_proto_version(ssl.get(), min_version)) { + if (min_version != 0 && !SSL_set_min_proto_version(ssl.get(), min_version)) { return nullptr; } - if (max_version != 0 && - !SSL_set_max_proto_version(ssl.get(), max_version)) { + if (max_version != 0 && !SSL_set_max_proto_version(ssl.get(), max_version)) { return nullptr; } if (mtu != 0) { @@ -2147,8 +2142,8 @@ bssl::UniquePtr TestConfig::NewSSL( bssl::UniquePtr dc_buf( CRYPTO_BUFFER_new_from_CBS(&dc_cbs, nullptr)); - if (!SSL_set1_delegated_credential(ssl.get(), dc_buf.get(), - priv.get(), nullptr)) { + if (!SSL_set1_delegated_credential(ssl.get(), dc_buf.get(), priv.get(), + nullptr)) { fprintf(stderr, "SSL_set1_delegated_credential failed.\n"); return nullptr; } diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h index cf7b476590..2510c6a08c 100644 --- a/ssl/test/test_config.h +++ b/ssl/test/test_config.h @@ -221,7 +221,7 @@ struct TestConfig { std::vector> multiple_certs_slot; bool no_check_client_certificate_type = false; - std::vector handshaker_args; + std::vector handshaker_args; bssl::UniquePtr SetupCtx(SSL_CTX *old_ctx) const; diff --git a/ssl/test/test_state.cc b/ssl/test/test_state.cc index 86deb5553c..a19dbb43e4 100644 --- a/ssl/test/test_state.cc +++ b/ssl/test/test_state.cc 
@@ -25,7 +25,7 @@ static CRYPTO_once_t g_once = CRYPTO_ONCE_INIT;
 static int g_state_index = 0;
 // Some code treats the zero time special, so initialize the clock to a
 // non-zero time.
-static timeval g_clock = { 1234, 1234 };
+static timeval g_clock = {1234, 1234};
 
 static void TestStateExFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
 int index, long argl, void *argp) {
@@ -107,10 +107,8 @@ bool DeserializeContextState(CBS *cbs, SSL_CTX *ctx) {
 CBS in, sessions, ticket_keys;
 uint16_t version;
 constexpr uint16_t kVersion = 0;
- if (!CBS_get_u24_length_prefixed(cbs, &in) ||
- !CBS_get_u16(&in, &version) ||
- version > kVersion ||
- !CBS_get_u8_length_prefixed(&in, &ticket_keys) ||
+ if (!CBS_get_u24_length_prefixed(cbs, &in) || !CBS_get_u16(&in, &version) ||
+ version > kVersion || !CBS_get_u8_length_prefixed(&in, &ticket_keys) ||
 !SSL_CTX_set_tlsext_ticket_keys(ctx, CBS_data(&ticket_keys),
 CBS_len(&ticket_keys)) ||
 !CBS_get_asn1(&in, &sessions, CBS_ASN1_SEQUENCE)) {
@@ -139,8 +137,7 @@ bool TestState::Serialize(CBB *cbb) const {
 &text, reinterpret_cast(msg_callback_text.data()),
 msg_callback_text.length()) ||
 !CBB_add_asn1_uint64(&out, g_clock.tv_sec) ||
- !CBB_add_asn1_uint64(&out, g_clock.tv_usec) ||
- !CBB_flush(cbb)) {
+ !CBB_add_asn1_uint64(&out, g_clock.tv_usec) || !CBB_flush(cbb)) {
 return false;
 }
 return true;
@@ -152,16 +149,15 @@ std::unique_ptr TestState::Deserialize(CBS *cbs, SSL_CTX *ctx) {
 uint16_t version;
 constexpr uint16_t kVersion = 0;
 uint64_t sec, usec;
- if (!CBS_get_u24_length_prefixed(cbs, &in) ||
- !CBS_get_u16(&in, &version) ||
+ if (!CBS_get_u24_length_prefixed(cbs, &in) || !CBS_get_u16(&in, &version) ||
 version > kVersion ||
 !CBS_get_u24_length_prefixed(&in, &pending_session) ||
 !CBS_get_u16_length_prefixed(&in, &text)) {
 return nullptr;
 }
 if (CBS_len(&pending_session)) {
- out_state->pending_session = SSL_SESSION_parse(
- &pending_session, ctx->x509_method, ctx->pool);
+ out_state->pending_session =
+ SSL_SESSION_parse(&pending_session, ctx->x509_method, ctx->pool);
 if (!out_state->pending_session) {
 return nullptr;
 }
@@ -170,8 +166,7 @@ std::unique_ptr TestState::Deserialize(CBS *cbs, SSL_CTX *ctx) {
 reinterpret_cast(CBS_data(&text)), CBS_len(&text));
 // TODO(2020-05-01): Make this unconditional & merge into above.
 if (CBS_len(&in) > 0) {
- if (!CBS_get_asn1_uint64(&in, &sec) ||
- !CBS_get_asn1_uint64(&in, &usec)) {
+ if (!CBS_get_asn1_uint64(&in, &sec) || !CBS_get_asn1_uint64(&in, &usec)) {
 return nullptr;
 }
 g_clock.tv_sec = sec;
diff --git a/ssl/test/test_state.h b/ssl/test/test_state.h
index 4199d4ae03..5b86129080 100644
--- a/ssl/test/test_state.h
+++ b/ssl/test/test_state.h
@@ -66,7 +66,7 @@ struct TestState {
 // completion. This tests that the callback is not called again after this.
 bool cert_verified = false;
 int explicit_renegotiates = 0;
- std::function get_handshake_hints_cb;
+ std::function get_handshake_hints_cb;
 int last_message_received = -1;
 };
 
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
index 6e894f9f36..b387e8c9b5 100644
--- a/ssl/tls13_both.cc
+++ b/ssl/tls13_both.cc
@@ -164,8 +164,7 @@ bool tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, } CBS context, certificate_list; - if (!CBS_get_u8_length_prefixed(&body, &context) || - CBS_len(&context) != 0 || + if (!CBS_get_u8_length_prefixed(&body, &context) || CBS_len(&context) != 0 || !CBS_get_u24_length_prefixed(&body, &certificate_list) || CBS_len(&body) != 0) { ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); @@ -216,8 +215,7 @@ bool tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, UniquePtr buf( CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool)); - if (!buf || - !PushToStack(certs.get(), std::move(buf))) { + if (!buf || !PushToStack(certs.get(), std::move(buf))) { ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return false; } @@ -244,8 +242,7 @@ bool tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, if (!CBS_get_u8(&status_request.data, &status_type) || status_type != TLSEXT_STATUSTYPE_ocsp || !CBS_get_u24_length_prefixed(&status_request.data, &ocsp_response) || - CBS_len(&ocsp_response) == 0 || - CBS_len(&status_request.data) != 0) { + CBS_len(&ocsp_response) == 0 || CBS_len(&status_request.data) != 0) { ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); return false; } @@ -312,7 +309,8 @@ bool tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, return true; } -bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg) { +bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs, + const SSLMessage &msg) { SSL *const ssl = hs->ssl; if (hs->peer_pubkey == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 
@@ -322,8 +320,7 @@ bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg)
 CBS body = msg.body, signature;
 uint16_t signature_algorithm;
 if (!CBS_get_u16(&body, &signature_algorithm) ||
- !CBS_get_u16_length_prefixed(&body, &signature) ||
- CBS_len(&body) != 0) {
+ !CBS_get_u16_length_prefixed(&body, &signature) || CBS_len(&body) != 0) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
 return false;
@@ -602,8 +599,7 @@ enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) {
 return sign_result;
 }
 
- if (!CBB_did_write(&child, sig_len) ||
- !ssl_add_message_cbb(ssl, cbb.get())) {
+ if (!CBB_did_write(&child, sig_len) || !ssl_add_message_cbb(ssl, cbb.get())) {
 return ssl_private_key_failure;
 }
 
@@ -672,8 +668,7 @@ bool tls13_add_key_update(SSL *ssl, int update_requested) {
 static bool tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) {
 CBS body = msg.body;
 uint8_t key_update_request;
- if (!CBS_get_u8(&body, &key_update_request) ||
- CBS_len(&body) != 0 ||
+ if (!CBS_get_u8(&body, &key_update_request) || CBS_len(&body) != 0 ||
 (key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED &&
 key_update_request != SSL_KEY_UPDATE_REQUESTED)) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index aa2a4d40f7..f9f2c7f7f0 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -80,10 +80,9 @@ static bool close_early_data(SSL_HANDSHAKE *hs, ssl_encryption_level_t level) {
 if (level == ssl_encryption_initial) {
 bssl::UniquePtr null_ctx =
 SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));
- if (!null_ctx ||
- !ssl->method->set_write_state(ssl, ssl_encryption_initial,
- std::move(null_ctx),
- /*secret_for_quic=*/{})) {
+ if (!null_ctx || !ssl->method->set_write_state(
+ ssl, ssl_encryption_initial, std::move(null_ctx),
+ /*secret_for_quic=*/{})) {
 return false;
 }
 ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
@@ -109,8 +108,7 @@ static bool parse_server_hello_tls13(const SSL_HANDSHAKE *hs, } // The RFC8446 version of the structure fixes some legacy values. // Additionally, the session ID must echo the original one. - if (out->legacy_version != TLS1_2_VERSION || - out->compression_method != 0 || + if (out->legacy_version != TLS1_2_VERSION || out->compression_method != 0 || !CBS_mem_equal(&out->session_id, hs->session_id, hs->session_id_len) || CBS_len(&out->extensions) == 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); @@ -179,8 +177,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { // Queue up a ChangeCipherSpec for whenever we next send something. This // will be before the second ClientHello. If we offered early data, this was // already done. - if (!hs->early_data_offered && - !ssl->method->add_change_cipher_spec(ssl)) { + if (!hs->early_data_offered && !ssl->method->add_change_cipher_spec(ssl)) { return ssl_hs_error; } @@ -256,8 +253,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { if (cookie.present) { CBS cookie_value; if (!CBS_get_u16_length_prefixed(&cookie.data, &cookie_value) || - CBS_len(&cookie_value) == 0 || - CBS_len(&cookie.data) != 0) { + CBS_len(&cookie_value) == 0 || CBS_len(&cookie.data) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); return ssl_hs_error; @@ -541,8 +537,7 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) { } CBS body = msg.body, extensions; - if (!CBS_get_u16_length_prefixed(&body, &extensions) || - CBS_len(&body) != 0) { + if (!CBS_get_u16_length_prefixed(&body, &extensions) || CBS_len(&body) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); return ssl_hs_error; 
@@ -858,8 +853,7 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { } } - if (!ssl_on_certificate_selected(hs) || - !tls13_add_certificate(hs)) { + if (!ssl_on_certificate_selected(hs) || !tls13_add_certificate(hs)) { return ssl_hs_error; } @@ -1075,8 +1069,7 @@ UniquePtr tls13_create_session_with_ticket(SSL *ssl, CBS *body) { !CBS_get_u8_length_prefixed(body, &ticket_nonce) || !CBS_get_u16_length_prefixed(body, &ticket) || !session->ticket.CopyFrom(ticket) || - !CBS_get_u16_length_prefixed(body, &extensions) || - CBS_len(body) != 0) { + !CBS_get_u16_length_prefixed(body, &extensions) || CBS_len(body) != 0) { ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); return nullptr; diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc index ad023ef8eb..63b611718a 100644 --- a/ssl/tls13_enc.cc +++ b/ssl/tls13_enc.cc @@ -455,8 +455,7 @@ static bool tls13_psk_binder(uint8_t *out, size_t *out_len, unsigned context_len; ScopedEVP_MD_CTX ctx; if (!transcript.CopyToHashContext(ctx.get(), digest) || - !EVP_DigestUpdate(ctx.get(), truncated.data(), - truncated.size()) || + !EVP_DigestUpdate(ctx.get(), truncated.data(), truncated.size()) || !EVP_DigestFinal_ex(ctx.get(), context, &context_len)) { return false; } diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc index 8d8d500efe..b908e1948a 100644 --- a/ssl/tls13_server.cc +++ b/ssl/tls13_server.cc @@ -102,8 +102,7 @@ static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs, CBB contents; if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) || !CBB_add_u16_length_prefixed(out, &contents) || - !CBB_add_u16(&contents, hs->ssl->version) || - !CBB_flush(out)) { + !CBB_add_u16(&contents, hs->ssl->version) || !CBB_flush(out)) { return 0; } 
@@ -115,11 +114,13 @@ static const SSL_CIPHER *choose_tls13_cipher(const SSL *ssl) { // First check config, otherwise fallback to ctx preferences. if (ssl->config && ssl->config->tls13_cipher_list && ssl->config->tls13_cipher_list.get()->ciphers && - sk_SSL_CIPHER_num(ssl->config->tls13_cipher_list.get()->ciphers.get()) > 0) { + sk_SSL_CIPHER_num(ssl->config->tls13_cipher_list.get()->ciphers.get()) > + 0) { tls13_ciphers = ssl->config->tls13_cipher_list.get()->ciphers.get(); } else if (ssl->ctx->tls13_cipher_list && - ssl->ctx->tls13_cipher_list.get()->ciphers && - sk_SSL_CIPHER_num(ssl->ctx->tls13_cipher_list.get()->ciphers.get()) > 0) { + ssl->ctx->tls13_cipher_list.get()->ciphers && + sk_SSL_CIPHER_num( + ssl->ctx->tls13_cipher_list.get()->ciphers.get()) > 0) { tls13_ciphers = ssl->ctx->tls13_cipher_list.get()->ciphers.get(); } @@ -132,8 +133,8 @@ static const SSL_CIPHER *choose_tls13_cipher(const SSL *ssl) { static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) { SSL *const ssl = hs->ssl; - if (// If the client doesn't accept resumption with PSK_DHE_KE, don't send a - // session ticket. + if ( // If the client doesn't accept resumption with PSK_DHE_KE, don't send a + // session ticket. !hs->accept_psk_mode || // We only implement stateless resumption in TLS 1.3, so skip sending // tickets if disabled. @@ -232,7 +233,8 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { client_hello.session_id_len); hs->session_id_len = client_hello.session_id_len; - if (!ssl_parse_client_cipher_list(ssl, &client_hello, &ssl->client_cipher_suites)) { + if (!ssl_parse_client_cipher_list(ssl, &client_hello, + &ssl->client_cipher_suites)) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); return ssl_hs_error; 
@@ -485,7 +487,8 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { } else if (!found_key_share) { ssl->s3->early_data_reason = ssl_early_data_hello_retry_request; } else if (hs->custom_extensions.received) { - ssl->s3->early_data_reason = ssl_early_data_unsupported_with_custom_extension; + ssl->s3->early_data_reason = + ssl_early_data_unsupported_with_custom_extension; } else { // |ssl_session_is_resumable| forbids cross-cipher resumptions even if the // PRF hashes match. @@ -945,8 +948,8 @@ static enum ssl_hs_wait_t do_send_half_rtt_ticket(SSL_HANDSHAKE *hs) { // the wire sooner and also avoids triggering a write on |SSL_read| when // processing the client Finished. This requires computing the client // Finished early. See RFC 8446, section 4.6.1. - static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0, - 0, 0}; + static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0, 0, + 0}; if (ssl->quic_method == nullptr && !hs->transcript.Update(kEndOfEarlyData)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); @@ -1185,8 +1188,7 @@ static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) { return ssl_hs_read_message; } if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) || - !tls1_verify_channel_id(hs, msg) || - !ssl_hash_message(hs, msg)) { + !tls1_verify_channel_id(hs, msg) || !ssl_hash_message(hs, msg)) { return ssl_hs_error; } @@ -1213,8 +1215,7 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { } if (!ssl->s3->early_data_accepted) { - if (!ssl_hash_message(hs, msg) || - !tls13_derive_resumption_secret(hs)) { + if (!ssl_hash_message(hs, msg) || !tls13_derive_resumption_secret(hs)) { return ssl_hs_error; } diff --git a/ssl/tls_method.cc b/ssl/tls_method.cc index 326cbe753d..04f96b87c9 100644 --- a/ssl/tls_method.cc +++ b/ssl/tls_method.cc 
@@ -201,24 +201,24 @@ static void ssl_noop_x509_ssl_ctx_free(SSL_CTX *ctx) {}
 static void ssl_noop_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {}
 const SSL_X509_METHOD ssl_noop_x509_method = {
- ssl_noop_x509_check_client_CA_names,
- ssl_noop_x509_clear,
- ssl_noop_x509_free,
- ssl_noop_x509_dup,
- ssl_noop_x509_flush_cached_chain,
- ssl_noop_x509_flush_cached_leaf,
- ssl_noop_x509_session_cache_objects,
- ssl_noop_x509_session_dup,
- ssl_noop_x509_session_clear,
- ssl_noop_x509_session_verify_cert_chain,
- ssl_noop_x509_hs_flush_cached_ca_names,
- ssl_noop_x509_ssl_new,
- ssl_noop_x509_ssl_config_free,
- ssl_noop_x509_ssl_flush_cached_client_CA,
- ssl_noop_x509_ssl_auto_chain_if_needed,
- ssl_noop_x509_ssl_ctx_new,
- ssl_noop_x509_ssl_ctx_free,
- ssl_noop_x509_ssl_ctx_flush_cached_client_CA,
+ ssl_noop_x509_check_client_CA_names,
+ ssl_noop_x509_clear,
+ ssl_noop_x509_free,
+ ssl_noop_x509_dup,
+ ssl_noop_x509_flush_cached_chain,
+ ssl_noop_x509_flush_cached_leaf,
+ ssl_noop_x509_session_cache_objects,
+ ssl_noop_x509_session_dup,
+ ssl_noop_x509_session_clear,
+ ssl_noop_x509_session_verify_cert_chain,
+ ssl_noop_x509_hs_flush_cached_ca_names,
+ ssl_noop_x509_ssl_new,
+ ssl_noop_x509_ssl_config_free,
+ ssl_noop_x509_ssl_flush_cached_client_CA,
+ ssl_noop_x509_ssl_auto_chain_if_needed,
+ ssl_noop_x509_ssl_ctx_new,
+ ssl_noop_x509_ssl_ctx_free,
+ ssl_noop_x509_ssl_ctx_flush_cached_client_CA,
 };
 BSSL_NAMESPACE_END
@@ -234,9 +234,7 @@ const SSL_METHOD *TLS_method(void) {
 return &kMethod;
 }
-const SSL_METHOD *SSLv23_method(void) {
- return TLS_method();
-}
+const SSL_METHOD *SSLv23_method(void) { return TLS_method(); }
 const SSL_METHOD *TLS_with_buffers_method(void) {
 static const SSL_METHOD kMethod = {
@@ -278,42 +276,22 @@ const SSL_METHOD *TLSv1_method(void) {
 // Legacy side-specific methods.
-const SSL_METHOD *TLSv1_2_server_method(void) {
- return TLSv1_2_method();
-}
+const SSL_METHOD *TLSv1_2_server_method(void) { return TLSv1_2_method(); }
-const SSL_METHOD *TLSv1_1_server_method(void) {
- return TLSv1_1_method();
-}
+const SSL_METHOD *TLSv1_1_server_method(void) { return TLSv1_1_method(); }
-const SSL_METHOD *TLSv1_server_method(void) {
- return TLSv1_method();
-}
+const SSL_METHOD *TLSv1_server_method(void) { return TLSv1_method(); }
-const SSL_METHOD *TLSv1_2_client_method(void) {
- return TLSv1_2_method();
-}
+const SSL_METHOD *TLSv1_2_client_method(void) { return TLSv1_2_method(); }
-const SSL_METHOD *TLSv1_1_client_method(void) {
- return TLSv1_1_method();
-}
+const SSL_METHOD *TLSv1_1_client_method(void) { return TLSv1_1_method(); }
-const SSL_METHOD *TLSv1_client_method(void) {
- return TLSv1_method();
-}
+const SSL_METHOD *TLSv1_client_method(void) { return TLSv1_method(); }
-const SSL_METHOD *SSLv23_server_method(void) {
- return SSLv23_method();
-}
+const SSL_METHOD *SSLv23_server_method(void) { return SSLv23_method(); }
-const SSL_METHOD *SSLv23_client_method(void) {
- return SSLv23_method();
-}
+const SSL_METHOD *SSLv23_client_method(void) { return SSLv23_method(); }
-const SSL_METHOD *TLS_server_method(void) {
- return TLS_method();
-}
+const SSL_METHOD *TLS_server_method(void) { return TLS_method(); }
-const SSL_METHOD *TLS_client_method(void) {
- return TLS_method();
-}
+const SSL_METHOD *TLS_client_method(void) { return TLS_method(); }
diff --git a/ssl/tls_record.cc b/ssl/tls_record.cc
index fee24e6e0f..5c4697dd54 100644
--- a/ssl/tls_record.cc
+++ b/ssl/tls_record.cc
@@ -115,8 +115,8 @@
 #include
 #include
-#include "internal.h"
 #include "../crypto/internal.h"
+#include "internal.h"
 BSSL_NAMESPACE_BEGIN
@@ -222,8 +222,7 @@ ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, // Decode the record header. uint8_t type; uint16_t version, ciphertext_len; - if (!CBS_get_u8(&cbs, &type) || - !CBS_get_u16(&cbs, &version) || + if (!CBS_get_u8(&cbs, &type) || !CBS_get_u16(&cbs, &version) || !CBS_get_u16(&cbs, &ciphertext_len)) { *out_consumed = SSL3_RT_HEADER_LENGTH; return ssl_open_record_partial; @@ -263,12 +262,9 @@ ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, *out_consumed = in.size() - CBS_len(&cbs); - if (ssl->s3->have_version && - ssl_protocol_version(ssl) >= TLS1_3_VERSION && - SSL_in_init(ssl) && - type == SSL3_RT_CHANGE_CIPHER_SPEC && - ciphertext_len == 1 && - CBS_data(&body)[0] == 1) { + if (ssl->s3->have_version && ssl_protocol_version(ssl) >= TLS1_3_VERSION && + SSL_in_init(ssl) && type == SSL3_RT_CHANGE_CIPHER_SPEC && + ciphertext_len == 1 && CBS_data(&body)[0] == 1) { ssl->s3->empty_record_count++; if (ssl->s3->empty_record_count > kMaxEmptyRecords) { OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_EMPTY_FRAGMENTS); @@ -280,8 +276,7 @@ ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, // Skip early data received when expecting a second ClientHello if we rejected // 0RTT. - if (ssl->s3->skip_early_data && - ssl->s3->aead_read_ctx->is_null_cipher() && + if (ssl->s3->skip_early_data && ssl->s3->aead_read_ctx->is_null_cipher() && type == SSL3_RT_APPLICATION_DATA) { return skip_early_data(ssl, out_alert, *out_consumed); } @@ -360,8 +355,7 @@ ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, } // Handshake messages may not interleave with any other record type. - if (type != SSL3_RT_HANDSHAKE && - tls_has_unprocessed_handshake_data(ssl)) { + if (type != SSL3_RT_HANDSHAKE && tls_has_unprocessed_handshake_data(ssl)) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD); *out_alert = SSL_AD_UNEXPECTED_MESSAGE; return ssl_open_record_error; 
@@ -379,8 +373,7 @@ static bool do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, SSLAEADContext *aead = ssl->s3->aead_write_ctx.get(); uint8_t *extra_in = NULL; size_t extra_in_len = 0; - if (!aead->is_null_cipher() && - aead->ProtocolVersion() >= TLS1_3_VERSION) { + if (!aead->is_null_cipher() && aead->ProtocolVersion() >= TLS1_3_VERSION) { // TLS 1.3 hides the actual record type inside the encrypted data. extra_in = &type; extra_in_len = 1; @@ -456,7 +449,8 @@ static bool tls_seal_scatter_suffix_len(const SSL *ssl, size_t *out_suffix_len, in_len -= 1; } // clang-format on - return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len, extra_in_len); + return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len, + extra_in_len); } // tls_seal_scatter_record seals a new record of type |type| and body |in| and @@ -573,8 +567,7 @@ enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert, // without specifying how to handle it. JDK11 misuses it to signal // full-duplex connection close after the handshake. As a workaround, skip // user_canceled as in TLS 1.2. This matches NSS and OpenSSL. - if (ssl->s3->have_version && - ssl_protocol_version(ssl) >= TLS1_3_VERSION && + if (ssl->s3->have_version && ssl_protocol_version(ssl) >= TLS1_3_VERSION && alert_descr != SSL_AD_USER_CANCELLED) { *out_alert = SSL_AD_DECODE_ERROR; OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT); diff --git a/tests/ci/test_apps/seccomp_app.c b/tests/ci/test_apps/seccomp_app.c index a58fa0302e..c46ccdc32f 100644 --- a/tests/ci/test_apps/seccomp_app.c +++ b/tests/ci/test_apps/seccomp_app.c @@ -10,7 +10,6 @@ #include static void enable_seccomp(void) { - // Kill on all system calls by default. scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); if (ctx == NULL) { 
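Review bot: The comment `// Kill on all system calls by default.` above `seccomp_init(SCMP_ACT_KILL)` is deleted in the seccomp_app.c hunk with nothing replacing it, which is a content change in a commit described as a clang-format pass; the same kind of deletion appears in rsa_test.cc, where RSAComparisonTest::SetUp loses `// Skip gtests if env variables not set` while the equivalent comment in crl_test.cc's CRLComparisonTest is kept. If these removals are intended they belong in their own commit with a rationale; otherwise restore the seccomp line as `  // Kill on all system calls by default.` so the default-deny policy stays documented next to the action constant it explains. enable_seccomp's body continues past the hunk, so I cannot tell whether the comment was moved elsewhere.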
@@ -32,12 +31,13 @@ static void enable_seccomp(void) { } int main() { - const char notice[] = "\nTesting AWS-LC pre-sandbox.\n"; #if defined(USE_AWS_LC_PRE_SANDBOX) - const char status[] = "Pre-sandbox configuration is ENABLED, expect success.\n\n"; + const char status[] = + "Pre-sandbox configuration is ENABLED, expect success.\n\n"; #else - const char status[] = "Pre-sandbox configuration is DISABLED, expect failure.\n\n"; + const char status[] = + "Pre-sandbox configuration is DISABLED, expect failure.\n\n"; #endif write(STDOUT_FILENO, notice, sizeof(notice)); diff --git a/tests/compiler_features_tests/builtin_swap_check.c b/tests/compiler_features_tests/builtin_swap_check.c index 6a62fbcf15..c900c20e98 100644 --- a/tests/compiler_features_tests/builtin_swap_check.c +++ b/tests/compiler_features_tests/builtin_swap_check.c @@ -9,14 +9,14 @@ #include int main(int argc, char **argv) { - uint16_t test16 = 0; - test16 = __builtin_bswap16(test16); + uint16_t test16 = 0; + test16 = __builtin_bswap16(test16); - uint32_t test32 = 0; - test32 = __builtin_bswap32(test32); + uint32_t test32 = 0; + test32 = __builtin_bswap32(test32); - uint64_t test64 = 0; - test64 = __builtin_bswap64(test64); + uint64_t test64 = 0; + test64 = __builtin_bswap64(test64); - return EXIT_SUCCESS; + return EXIT_SUCCESS; } diff --git a/tests/compiler_features_tests/c11.c b/tests/compiler_features_tests/c11.c index b8925fc09e..2b73fdb665 100644 --- a/tests/compiler_features_tests/c11.c +++ b/tests/compiler_features_tests/c11.c @@ -4,8 +4,8 @@ // Simple program that should also be able to compiler, udeful to test different // compiler flags -#include #include +#include // Some platforms define ATOMIC_LONG_LOCK_FREE as an expression like: // (__atomic_always_lock_free (sizeof (atomic_long), (void *) 0) ? 2 : 
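Review bot: The declaration `const char notice[] = "\nTesting AWS-LC pre-sandbox.\n";` is removed at the top of main() in seccomp_app.c, yet the later context line `write(STDOUT_FILENO, notice, sizeof(notice));` still references `notice`, so unless a declaration exists elsewhere in the file (not visible here, and not something a formatting pass would introduce) this hunk no longer compiles. The hunk header's counts (12 old lines, 13 new) are consistent with one deleted declaration plus the two wrapped `status` initializers, so this does not look like an artifact of the collapsed rendering, though that is inferred rather than certain. Restore the line as `  const char notice[] = "\nTesting AWS-LC pre-sandbox.\n";` directly after `int main() {`, or move the whole change out of a format-only commit. main()'s body continues past the hunk.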
@@ -19,6 +19,4 @@
 #error "Should not get here, the above line should be false or invalid"
 #endif
-int main(int argc, char **argv) {
- return EXIT_SUCCESS;
-}
+int main(int argc, char **argv) { return EXIT_SUCCESS; }
diff --git a/tests/compiler_features_tests/linux_u32.c b/tests/compiler_features_tests/linux_u32.c
index c38bc3cda4..6ace1fa6be 100644
--- a/tests/compiler_features_tests/linux_u32.c
+++ b/tests/compiler_features_tests/linux_u32.c
@@ -12,6 +12,4 @@
 #include
 #include
-int main(int argc, char **argv) {
- return EXIT_SUCCESS;
-}
+int main(int argc, char **argv) { return EXIT_SUCCESS; }
diff --git a/tests/compiler_features_tests/memcmp_invalid_stripped_check.c b/tests/compiler_features_tests/memcmp_invalid_stripped_check.c
index 28ffaeb074..5b404f34b9 100644
--- a/tests/compiler_features_tests/memcmp_invalid_stripped_check.c
+++ b/tests/compiler_features_tests/memcmp_invalid_stripped_check.c
@@ -5,9 +5,10 @@
 #include
 int main(int argc, char **argv) {
- // A bug of 'memcmp' is reported in gcc (9.2, 9.3, 10.1). See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189
- // AWS-LC warns the build when detecting the unexpected 'memcmp' behavior.
- // Below test case is equivalent to https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189#c7
+ // A bug of 'memcmp' is reported in gcc (9.2, 9.3, 10.1). See
+ // https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189 AWS-LC warns the build
+ // when detecting the unexpected 'memcmp' behavior. Below test case is
+ // equivalent to https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189#c7
 char a[] = "\0abc"; int res = memcmp(a, "\0\0\0\0", 4); printf("memcmp result %d\n", res);
diff --git a/tests/compiler_features_tests/stdalign_check.c b/tests/compiler_features_tests/stdalign_check.c
index 60fc13aa42..b708deed54 100644
--- a/tests/compiler_features_tests/stdalign_check.c
+++ b/tests/compiler_features_tests/stdalign_check.c
@@ -5,20 +5,20 @@ // for stdalign.h, try to compile this instead. #include -#include #include +#include #include int main(int argc, char **argv) { - alignas(8) uint8_t test[16]; - size_t alignment = alignof(uint8_t); + alignas(8) uint8_t test[16]; + size_t alignment = alignof(uint8_t); - test[0] = 0; + test[0] = 0; - // Try to eliminate dead store optimisation and similar - if (alignment == 1000 && test[0] != 0) { - return EXIT_FAILURE; - } + // Try to eliminate dead store optimisation and similar + if (alignment == 1000 && test[0] != 0) { + return EXIT_FAILURE; + } - return EXIT_SUCCESS; + return EXIT_SUCCESS; } diff --git a/tool-openssl/crl.cc b/tool-openssl/crl.cc index d47e9757df..d8451bfb5f 100644 --- a/tool-openssl/crl.cc +++ b/tool-openssl/crl.cc @@ -1,19 +1,18 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC -#include "internal.h" -#include #include +#include #include +#include "internal.h" static const argument_t kArguments[] = { - { "-help", kBooleanArgument, "Display option summary" }, - { "-in", kOptionalArgument, "Input file, default stdin" }, - { "-hash", kBooleanArgument, "Print hash value" }, - { "-fingerprint", kBooleanArgument, "Print CRL fingerprint" }, - { "-noout", kBooleanArgument, "No CRL output" }, - { "", kOptionalArgument, "" } -}; + {"-help", kBooleanArgument, "Display option summary"}, + {"-in", kOptionalArgument, "Input file, default stdin"}, + {"-hash", kBooleanArgument, "Print hash value"}, + {"-fingerprint", kBooleanArgument, "Print CRL fingerprint"}, + {"-noout", kBooleanArgument, "No CRL output"}, + {"", kOptionalArgument, ""}}; bool CRLTool(const args_list_t &args) { args_map_t parsed_args; @@ -51,7 +50,8 @@ bool CRLTool(const args_list_t &args) { } } - bssl::UniquePtr crl(PEM_read_X509_CRL(in_file.get(), NULL, NULL, NULL)); + bssl::UniquePtr crl( + PEM_read_X509_CRL(in_file.get(), NULL, NULL, NULL)); if (crl == NULL) { fprintf(stderr, "unable to load CRL\n"); 
@@ -79,7 +79,7 @@ bool CRLTool(const args_list_t &args) { } if (!noout) { - if(!PEM_write_X509_CRL(stdout, crl.get())) { + if (!PEM_write_X509_CRL(stdout, crl.get())) { fprintf(stderr, "unable to write CRL\n"); return false; } diff --git a/tool-openssl/crl_test.cc b/tool-openssl/crl_test.cc index 0eba58c807..8aecd84802 100644 --- a/tool-openssl/crl_test.cc +++ b/tool-openssl/crl_test.cc @@ -1,15 +1,15 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC -#include "openssl/x509.h" #include #include +#include +#include "../crypto/test/test_util.h" #include "internal.h" +#include "openssl/x509.h" #include "test_util.h" -#include "../crypto/test/test_util.h" -#include -static X509_CRL* createTestCRL() { +static X509_CRL *createTestCRL() { bssl::UniquePtr crl(X509_CRL_new()); if (!crl) { ERR_print_errors_fp(stderr); @@ -19,8 +19,9 @@ static X509_CRL* createTestCRL() { // Set issuer name bssl::UniquePtr issuer(X509_NAME_new()); if (!issuer || - !X509_NAME_add_entry_by_txt(issuer.get(), "CN", MBSTRING_ASC, (unsigned char *)"Test CA", -1, -1, 0) || - !X509_CRL_set_issuer_name(crl.get(), issuer.get())) { + !X509_NAME_add_entry_by_txt(issuer.get(), "CN", MBSTRING_ASC, + (unsigned char *)"Test CA", -1, -1, 0) || + !X509_CRL_set_issuer_name(crl.get(), issuer.get())) { return nullptr; } 
@@ -28,19 +29,21 @@ static X509_CRL* createTestCRL() { bssl::UniquePtr lastUpdate(ASN1_TIME_new()); bssl::UniquePtr nextUpdate(ASN1_TIME_new()); if (!lastUpdate || !nextUpdate || !X509_gmtime_adj(lastUpdate.get(), 0) || - !X509_gmtime_adj(nextUpdate.get(), 86400L) || // 24 hours from now - !X509_CRL_set1_lastUpdate(crl.get(), lastUpdate.get()) || - !X509_CRL_set1_nextUpdate(crl.get(), nextUpdate.get())) { + !X509_gmtime_adj(nextUpdate.get(), 86400L) || // 24 hours from now + !X509_CRL_set1_lastUpdate(crl.get(), lastUpdate.get()) || + !X509_CRL_set1_nextUpdate(crl.get(), nextUpdate.get())) { return nullptr; } // Add a revoked certificate X509_REVOKED *revoked = X509_REVOKED_new(); bssl::UniquePtr serialNumber(ASN1_INTEGER_new()); - if (!revoked || !serialNumber || !ASN1_INTEGER_set(serialNumber.get(), 1) || // Serial number of revoked cert - !X509_REVOKED_set_serialNumber(revoked, serialNumber.get()) || - !X509_REVOKED_set_revocationDate(revoked, lastUpdate.get()) || - !X509_CRL_add0_revoked(crl.get(), revoked)) { + if (!revoked || !serialNumber || + !ASN1_INTEGER_set(serialNumber.get(), + 1) || // Serial number of revoked cert + !X509_REVOKED_set_serialNumber(revoked, serialNumber.get()) || + !X509_REVOKED_set_revocationDate(revoked, lastUpdate.get()) || + !X509_CRL_add0_revoked(crl.get(), revoked)) { return nullptr; } 
@@ -59,26 +62,24 @@ static X509_CRL* createTestCRL() { } class CRLTest : public ::testing::Test { -protected: - void SetUp() override { - ASSERT_GT(createTempFILEpath(in_path), 0u); + protected: + void SetUp() override { + ASSERT_GT(createTempFILEpath(in_path), 0u); - // Create a test CRL - crl.reset(createTestCRL()); - ASSERT_TRUE(crl); + // Create a test CRL + crl.reset(createTestCRL()); + ASSERT_TRUE(crl); - ScopedFILE in_file(fopen(in_path, "wb")); - ASSERT_TRUE(in_file); - PEM_write_X509_CRL(in_file.get(), crl.get()); - } + ScopedFILE in_file(fopen(in_path, "wb")); + ASSERT_TRUE(in_file); + PEM_write_X509_CRL(in_file.get(), crl.get()); + } - void TearDown() override { - RemoveFile(in_path); - } + void TearDown() override { RemoveFile(in_path); } - char in_path[PATH_MAX]; - bssl::UniquePtr crl; + char in_path[PATH_MAX]; + bssl::UniquePtr crl; }; 
@@ -118,67 +119,83 @@ TEST_F(CRLTest, CRLTestNoout) { // AWSLC_TOOL_PATH and OPENSSL_TOOL_PATH. class CRLComparisonTest : public ::testing::Test { -protected: - void SetUp() override { - - // Skip gtests if env variables not set - tool_executable_path = getenv("AWSLC_TOOL_PATH"); - openssl_executable_path = getenv("OPENSSL_TOOL_PATH"); - if (tool_executable_path == nullptr || openssl_executable_path == nullptr) { - GTEST_SKIP() << "Skipping test: AWSLC_TOOL_PATH and/or OPENSSL_TOOL_PATH environment variables are not set"; - } - - ASSERT_GT(createTempFILEpath(in_path), 0u); - ASSERT_GT(createTempFILEpath(out_path_tool), 0u); - ASSERT_GT(createTempFILEpath(out_path_openssl), 0u); - - // Create a test CRL - crl.reset(createTestCRL()); - ASSERT_TRUE(crl); - - ScopedFILE in_file(fopen(in_path, "wb")); - ASSERT_TRUE(in_file); - PEM_write_X509_CRL(in_file.get(), crl.get()); + protected: + void SetUp() override { + // Skip gtests if env variables not set + tool_executable_path = getenv("AWSLC_TOOL_PATH"); + openssl_executable_path = getenv("OPENSSL_TOOL_PATH"); + if (tool_executable_path == nullptr || openssl_executable_path == nullptr) { + GTEST_SKIP() << "Skipping test: AWSLC_TOOL_PATH and/or OPENSSL_TOOL_PATH " + "environment variables are not set"; } - void TearDown() override { - if (tool_executable_path != nullptr && openssl_executable_path != nullptr) { - RemoveFile(in_path); - RemoveFile(out_path_tool); - RemoveFile(out_path_openssl); - } + ASSERT_GT(createTempFILEpath(in_path), 0u); + ASSERT_GT(createTempFILEpath(out_path_tool), 0u); + ASSERT_GT(createTempFILEpath(out_path_openssl), 0u); + + // Create a test CRL + crl.reset(createTestCRL()); + ASSERT_TRUE(crl); + + ScopedFILE in_file(fopen(in_path, "wb")); + ASSERT_TRUE(in_file); + PEM_write_X509_CRL(in_file.get(), crl.get()); + } + + void TearDown() override { + if (tool_executable_path != nullptr && openssl_executable_path != nullptr) { + RemoveFile(in_path); + RemoveFile(out_path_tool); + 
RemoveFile(out_path_openssl); } + } - char in_path[PATH_MAX]; - char out_path_tool[PATH_MAX]; - char out_path_openssl[PATH_MAX]; - const char* tool_executable_path; - const char* openssl_executable_path; - std::string tool_output_str; - std::string openssl_output_str; - bssl::UniquePtr crl; + char in_path[PATH_MAX]; + char out_path_tool[PATH_MAX]; + char out_path_openssl[PATH_MAX]; + const char *tool_executable_path; + const char *openssl_executable_path; + std::string tool_output_str; + std::string openssl_output_str; + bssl::UniquePtr crl; }; // Test against OpenSSL output "openssl crl -in file" TEST_F(CRLComparisonTest, CRLToolCompareOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " crl -in " + in_path + " > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " crl -in " + in_path + " > " + out_path_openssl; - - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + std::string tool_command = std::string(tool_executable_path) + " crl -in " + + in_path + " > " + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " crl -in " + in_path + " > " + + out_path_openssl; + + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); } // Test against OpenSSL output "openssl crl -in file -hash -fingerprint" TEST_F(CRLComparisonTest, CRLToolCompareHashFingerprintOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " crl -in " + in_path + " -hash -fingerprint > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " crl -in " + in_path + " -hash -fingerprint > " + out_path_openssl; - - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + std::string tool_command = 
std::string(tool_executable_path) + " crl -in " + + in_path + " -hash -fingerprint > " + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " crl -in " + in_path + + " -hash -fingerprint > " + out_path_openssl; + + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); } // Test against OpenSSL output "openssl crl -in file -hash -fingerprint -noout" TEST_F(CRLComparisonTest, CRLToolCompareHashFingerprintNoOutOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " crl -in " + in_path + " -hash -fingerprint -noout > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " crl -in " + in_path + " -hash -fingerprint -noout > " + out_path_openssl; - - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + std::string tool_command = std::string(tool_executable_path) + " crl -in " + + in_path + " -hash -fingerprint -noout > " + + out_path_tool; + std::string openssl_command = + std::string(openssl_executable_path) + " crl -in " + in_path + + " -hash -fingerprint -noout > " + out_path_openssl; + + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); } diff --git a/tool-openssl/internal.h b/tool-openssl/internal.h index 34cae5dae5..155f47547c 100644 --- a/tool-openssl/internal.h +++ b/tool-openssl/internal.h @@ -4,9 +4,9 @@ #ifndef INTERNAL_H #define INTERNAL_H -#include "../tool/internal.h" #include #include +#include "../tool/internal.h" #if !defined(O_BINARY) #define O_BINARY 0 
@@ -19,11 +19,12 @@ struct Tool { tool_func_t func; }; -bool IsNumeric(const std::string& str); +bool IsNumeric(const std::string &str); -X509* CreateAndSignX509Certificate(); +X509 *CreateAndSignX509Certificate(); -bool LoadPrivateKeyAndSignCertificate(X509 *x509, const std::string &signkey_path); +bool LoadPrivateKeyAndSignCertificate(X509 *x509, + const std::string &signkey_path); tool_func_t FindTool(const std::string &name); tool_func_t FindTool(int argc, char **argv, int &starting_arg); @@ -37,4 +38,4 @@ bool VerifyTool(const args_list_t &args); bool VersionTool(const args_list_t &args); bool X509Tool(const args_list_t &args); -#endif //INTERNAL_H +#endif // INTERNAL_H diff --git a/tool-openssl/rsa.cc b/tool-openssl/rsa.cc index 4a1457f76b..12beff0b5e 100644 --- a/tool-openssl/rsa.cc +++ b/tool-openssl/rsa.cc @@ -1,18 +1,19 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC -#include #include +#include #include "internal.h" static const argument_t kArguments[] = { - { "-help", kBooleanArgument, "Display option summary" }, - { "-in", kOptionalArgument, "RSA key input file" }, - { "-out", kOptionalArgument, "Output file to write to" }, - { "-noout", kBooleanArgument, "Prevents output of the encoded version of the RSA key" }, - { "-modulus", kBooleanArgument, "Prints out the value of the modulus of the RSA key" }, - { "", kOptionalArgument, "" } -}; + {"-help", kBooleanArgument, "Display option summary"}, + {"-in", kOptionalArgument, "RSA key input file"}, + {"-out", kOptionalArgument, "Output file to write to"}, + {"-noout", kBooleanArgument, + "Prevents output of the encoded version of the RSA key"}, + {"-modulus", kBooleanArgument, + "Prints out the value of the modulus of the RSA key"}, + {"", kOptionalArgument, ""}}; // Map arguments using tool/args.cc bool rsaTool(const args_list_t &args) { 
@@ -48,13 +49,16 @@ bool rsaTool(const args_list_t &args) { ScopedFILE in_file(fopen(in_path.c_str(), "rb")); if (!in_file) { - fprintf(stderr, "Error: unable to load RSA key from '%s'\n", in_path.c_str()); + fprintf(stderr, "Error: unable to load RSA key from '%s'\n", + in_path.c_str()); return false; } - bssl::UniquePtr rsa(PEM_read_RSAPrivateKey(in_file.get(), nullptr, nullptr, nullptr)); + bssl::UniquePtr rsa( + PEM_read_RSAPrivateKey(in_file.get(), nullptr, nullptr, nullptr)); if (!rsa) { - fprintf(stderr, "Error: unable to read RSA private key from '%s'\n", in_path.c_str()); + fprintf(stderr, "Error: unable to read RSA private key from '%s'\n", + in_path.c_str()); return false; } @@ -62,7 +66,8 @@ bool rsaTool(const args_list_t &args) { if (!out_path.empty()) { out_file.reset(fopen(out_path.c_str(), "wb")); if (!out_file) { - fprintf(stderr, "Error: unable to open output file '%s'\n", out_path.c_str()); + fprintf(stderr, "Error: unable to open output file '%s'\n", + out_path.c_str()); return false; } } @@ -91,12 +96,15 @@ bool rsaTool(const args_list_t &args) { if (!noout) { if (out_file) { - if (!PEM_write_RSAPrivateKey(out_file.get(), rsa.get(), nullptr, nullptr, 0, nullptr, nullptr)) { - fprintf(stderr, "Error: unable to write RSA private key to '%s'\n", out_path.c_str()); + if (!PEM_write_RSAPrivateKey(out_file.get(), rsa.get(), nullptr, nullptr, + 0, nullptr, nullptr)) { + fprintf(stderr, "Error: unable to write RSA private key to '%s'\n", + out_path.c_str()); return false; } } else { - PEM_write_RSAPrivateKey(stdout, rsa.get(), nullptr, nullptr, 0, nullptr, nullptr); + PEM_write_RSAPrivateKey(stdout, rsa.get(), nullptr, nullptr, 0, nullptr, + nullptr); } } diff --git a/tool-openssl/rsa_test.cc b/tool-openssl/rsa_test.cc index 986821d07a..7dcabe8229 100644 --- a/tool-openssl/rsa_test.cc +++ b/tool-openssl/rsa_test.cc 
@@ -4,15 +4,17 @@
 #include "openssl/rsa.h"
 #include
 #include
+#include "../crypto/test/test_util.h"
 #include "internal.h"
 #include "test_util.h"
-#include "../crypto/test/test_util.h"
-bool CheckBoundaries(const std::string &content, const std::string &begin1, const std::string &end1, const std::string &begin2, const std::string &end2);
+bool CheckBoundaries(const std::string &content, const std::string &begin1,
+ const std::string &end1, const std::string &begin2,
+ const std::string &end2);
-RSA* CreateRSAKey();
+RSA *CreateRSAKey();
-RSA* CreateRSAKey() {
+RSA *CreateRSAKey() {
 bssl::UniquePtr bn(BN_new());
 if (!bn || !BN_set_word(bn.get(), RSA_F4)) {
 return nullptr;
@@ -25,7 +27,7 @@ RSA* CreateRSAKey() {
 }
 class RSATest : public ::testing::Test {
-protected:
+ protected:
 void SetUp() override {
 ASSERT_GT(createTempFILEpath(in_path), 0u);
 ASSERT_GT(createTempFILEpath(out_path), 0u);
@@ -35,7 +37,8 @@ class RSATest : public ::testing::Test {
 ScopedFILE in_file(fopen(in_path, "wb"));
 ASSERT_TRUE(in_file);
- ASSERT_TRUE(PEM_write_RSAPrivateKey(in_file.get(), rsa.get(), nullptr, nullptr, 0, nullptr, nullptr));
+ ASSERT_TRUE(PEM_write_RSAPrivateKey(in_file.get(), rsa.get(), nullptr,
+ nullptr, 0, nullptr, nullptr));
 }
 void TearDown() override {
 RemoveFile(in_path);
@@ -55,7 +58,8 @@ TEST_F(RSATest, RSAToolInOutTest) {
 {
 ScopedFILE out_file(fopen(out_path, "rb"));
 ASSERT_TRUE(out_file);
- bssl::UniquePtr parsed_rsa(PEM_read_RSAPrivateKey(out_file.get(), nullptr, nullptr, nullptr));
+ bssl::UniquePtr parsed_rsa(
+ PEM_read_RSAPrivateKey(out_file.get(), nullptr, nullptr, nullptr));
 ASSERT_TRUE(parsed_rsa);
 }
 }
@@ -78,10 +82,10 @@ TEST_F(RSATest, RSAToolNooutTest) {
 // -------------------- RSA Option Usage Error Tests --------------------------
 class RSAOptionUsageErrorsTest : public RSATest {
-protected:
- void TestOptionUsageErrors(const std::vector& args) {
+ protected:
+ void TestOptionUsageErrors(const std::vector &args) {
 args_list_t c_args;
- for (const auto& arg : args) {
+ for (const auto &arg : args) {
 c_args.push_back(arg.c_str());
 }
 bool result = rsaTool(c_args);
@@ -92,10 +96,10 @@ class RSAOptionUsageErrorsTest : public RSATest {
 // Test missing -in required option
 TEST_F(RSAOptionUsageErrorsTest, RequiredOptionTests) {
 std::vector> testparams = {
- {"-out", "output.pem"},
- {"-modulus"},
+ {"-out", "output.pem"},
+ {"-modulus"},
 };
- for (const auto& args : testparams) {
+ for (const auto &args : testparams) {
 TestOptionUsageErrors(args);
 }
 }
@@ -106,14 +110,14 @@ TEST_F(RSAOptionUsageErrorsTest, RequiredOptionTests) {
 // AWSLC_TOOL_PATH and OPENSSL_TOOL_PATH.
 class RSAComparisonTest : public ::testing::Test {
-protected:
+ protected:
 void SetUp() override {
- // Skip gtests if env variables not set
 tool_executable_path = getenv("AWSLC_TOOL_PATH");
 openssl_executable_path = getenv("OPENSSL_TOOL_PATH");
 if (tool_executable_path == nullptr || openssl_executable_path == nullptr) {
- GTEST_SKIP() << "Skipping test: AWSLC_TOOL_PATH and/or OPENSSL_TOOL_PATH environment variables are not set";
+ GTEST_SKIP() << "Skipping test: AWSLC_TOOL_PATH and/or OPENSSL_TOOL_PATH "
+ "environment variables are not set";
 }
 ASSERT_GT(createTempFILEpath(in_path), 0u);
@@ -125,7 +129,8 @@ class RSAComparisonTest : public ::testing::Test {
 ScopedFILE in_file(fopen(in_path, "wb"));
 ASSERT_TRUE(in_file);
- ASSERT_TRUE(PEM_write_RSAPrivateKey(in_file.get(), rsa.get(), nullptr, nullptr, 0, nullptr, nullptr));
+ ASSERT_TRUE(PEM_write_RSAPrivateKey(in_file.get(), rsa.get(), nullptr,
+ nullptr, 0, nullptr, nullptr));
 }
 void TearDown() override {
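Review bot: The `@@ -106,14 +110,14 @@` hunk in rsa_test.cc removes the `// Skip gtests if env variables not set` comment above the getenv() calls in RSAComparisonTest::SetUp without replacing it, which is a content change in a commit described as a pure clang-format run. Either restore the line, `    // Skip gtests if env variables not set`, or mention the deliberate removal in the description. The equivalent VerifyComparisonTest fixture in verify_test.cc keeps the same comment, so the two fixtures now differ for no stated reason.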
@@ -140,8 +145,8 @@ class RSAComparisonTest : public ::testing::Test {
 char out_path_tool[PATH_MAX];
 char out_path_openssl[PATH_MAX];
 bssl::UniquePtr rsa;
- const char* tool_executable_path;
- const char* openssl_executable_path;
+ const char *tool_executable_path;
+ const char *openssl_executable_path;
 std::string tool_output_str;
 std::string openssl_output_str;
 };
@@ -154,34 +159,52 @@ const std::string BEGIN = "-----BEGIN PRIVATE KEY-----"; const std::string END = "-----END PRIVATE KEY-----"; const std::string MODULUS = "Modulus="; -// OpenSSL versions 3.1.0 and later change PEM outputs from "BEGIN RSA PRIVATE KEY" to "BEGIN PRIVATE KEY" -bool CheckBoundaries(const std::string &content, const std::string &begin1, const std::string &end1, const std::string &begin2, const std::string &end2) { - return (content.compare(0, begin1.size(), begin1) == 0 && content.compare(content.size() - end1.size(), end1.size(), end1) == 0) || - (content.compare(0, begin2.size(), begin2) == 0 && content.compare(content.size() - end2.size(), end2.size(), end2) == 0); +// OpenSSL versions 3.1.0 and later change PEM outputs from "BEGIN RSA PRIVATE +// KEY" to "BEGIN PRIVATE KEY" +bool CheckBoundaries(const std::string &content, const std::string &begin1, + const std::string &end1, const std::string &begin2, + const std::string &end2) { + return (content.compare(0, begin1.size(), begin1) == 0 && + content.compare(content.size() - end1.size(), end1.size(), end1) == + 0) || + (content.compare(0, begin2.size(), begin2) == 0 && + content.compare(content.size() - end2.size(), end2.size(), end2) == + 0); } // Test against OpenSSL output "openssl rsa -in file -modulus" // Rsa private key is printed to stdin TEST_F(RSAComparisonTest, RSAToolCompareModulusOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " rsa -in " + in_path + " > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " rsa -in " + in_path + " > " + out_path_openssl; + std::string tool_command = std::string(tool_executable_path) + " rsa -in " + + in_path + " > " + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " rsa -in " + in_path + " > " + + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); 
+ RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); trim(tool_output_str); ASSERT_TRUE(CheckBoundaries(tool_output_str, RSA_BEGIN, RSA_END, BEGIN, END)); trim(openssl_output_str); - ASSERT_TRUE(CheckBoundaries(openssl_output_str, RSA_BEGIN, RSA_END, BEGIN, END)); + ASSERT_TRUE( + CheckBoundaries(openssl_output_str, RSA_BEGIN, RSA_END, BEGIN, END)); } // Test against OpenSSL output "openssl rsa -in file -modulus -noout" // Only modulus is printed to stdin TEST_F(RSAComparisonTest, RSAToolCompareModulusNooutOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " rsa -in " + in_path + " -modulus -noout > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " rsa -in " + in_path + " -modulus -noout > " + out_path_openssl; + std::string tool_command = std::string(tool_executable_path) + " rsa -in " + + in_path + " -modulus -noout > " + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " rsa -in " + in_path + " -modulus -noout > " + + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } 
@@ -189,10 +212,15 @@ TEST_F(RSAComparisonTest, RSAToolCompareModulusNooutOpenSSL) { // Test against OpenSSL output "openssl rsa -in file -modulus -out out_file" // Modulus and rsa private key are printed to output file TEST_F(RSAComparisonTest, RSAToolCompareModulusOutOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " rsa -in " + in_path + " -modulus -out " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " rsa -in " + in_path + " -modulus -out " + out_path_openssl; + std::string tool_command = std::string(tool_executable_path) + " rsa -in " + + in_path + " -modulus -out " + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " rsa -in " + in_path + " -modulus -out " + + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ScopedFILE tool_out_file(fopen(out_path_tool, "rb")); ASSERT_TRUE(tool_out_file); 
@@ -205,16 +233,23 @@ TEST_F(RSAComparisonTest, RSAToolCompareModulusOutOpenSSL) { ASSERT_TRUE(CheckBoundaries(tool_output_str, MODULUS, RSA_END, MODULUS, END)); trim(openssl_output_str); - ASSERT_TRUE(CheckBoundaries(openssl_output_str, MODULUS, RSA_END, MODULUS, END)); + ASSERT_TRUE( + CheckBoundaries(openssl_output_str, MODULUS, RSA_END, MODULUS, END)); } -// Test against OpenSSL output "openssl rsa -in file -modulus -out out_file -noout" -// Only modulus is printed to output file +// Test against OpenSSL output "openssl rsa -in file -modulus -out out_file +// -noout" Only modulus is printed to output file TEST_F(RSAComparisonTest, RSAToolCompareModulusOutNooutOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " rsa -in " + in_path + " -modulus -out " + out_path_tool + " -noout"; - std::string openssl_command = std::string(openssl_executable_path) + " rsa -in " + in_path + " -modulus -out " + out_path_openssl + " -noout"; - - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + std::string tool_command = std::string(tool_executable_path) + " rsa -in " + + in_path + " -modulus -out " + out_path_tool + + " -noout"; + std::string openssl_command = std::string(openssl_executable_path) + + " rsa -in " + in_path + " -modulus -out " + + out_path_openssl + " -noout"; + + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ScopedFILE tool_out_file(fopen(out_path_tool, "rb")); ASSERT_TRUE(tool_out_file); diff --git a/tool-openssl/s_client.cc b/tool-openssl/s_client.cc index d6e414a727..2c1d348ad6 100644 --- a/tool-openssl/s_client.cc +++ b/tool-openssl/s_client.cc 
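Review bot: The reflowed comment above RSAToolCompareModulusOutNooutOpenSSL now reads `// -noout" Only modulus is printed to output file`, so the quoted command and the following sentence run together on one line. clang-format wraps comments by width only, so split this one by hand: `// Test against OpenSSL output` / `// "openssl rsa -in file -modulus -out out_file -noout"` / `// Only modulus is printed to output file`. The `@@ -154,34 +159,52 @@` hunk earlier in the same file wraps the CheckBoundaries comment inside the quoted `"BEGIN RSA PRIVATE KEY"` marker, which is worth a manual break in the same spirit.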
@@ -3,29 +3,32 @@ #include #include -#include "internal.h" #include "../tool/internal.h" +#include "internal.h" static const argument_t kArguments[] = { - { "-help", kBooleanArgument, "Display option summary" }, - { "-connect", kRequiredArgument, - "The hostname and port of the server to connect to, e.g. foo.com:443" }, - { "-CAfile", kOptionalArgument, - "A file containing trusted certificates to use during server authentication " - "and to use when attempting to build the client certificate chain. " }, - { "-CApath", kOptionalArgument, - "The directory to use for server certificate verification. " }, - { "-showcerts", kBooleanArgument, - "Displays the server certificate list as sent by the server: it only " - "consists of certificates the server has sent (in the order the server " - "has sent them). It is not a verified chain. " }, - { "-verify", kOptionalArgument, - "The verify depth to use. This specifies the maximum length of the server " - "certificate chain and turns on server certificate verification. " - "Currently the verify operation continues after errors so all the problems " - "with a certificate chain can be seen. As a side effect the connection will " - "never fail due to a server certificate verify failure." }, - { "", kOptionalArgument, "" }, + {"-help", kBooleanArgument, "Display option summary"}, + {"-connect", kRequiredArgument, + "The hostname and port of the server to connect to, e.g. foo.com:443"}, + {"-CAfile", kOptionalArgument, + "A file containing trusted certificates to use during server " + "authentication " + "and to use when attempting to build the client certificate chain. "}, + {"-CApath", kOptionalArgument, + "The directory to use for server certificate verification. "}, + {"-showcerts", kBooleanArgument, + "Displays the server certificate list as sent by the server: it only " + "consists of certificates the server has sent (in the order the server " + "has sent them). It is not a verified chain. 
"}, + {"-verify", kOptionalArgument, + "The verify depth to use. This specifies the maximum length of the server " + "certificate chain and turns on server certificate verification. " + "Currently the verify operation continues after errors so all the " + "problems " + "with a certificate chain can be seen. As a side effect the connection " + "will " + "never fail due to a server certificate verify failure."}, + {"", kOptionalArgument, ""}, }; bool SClientTool(const args_list_t &args) { @@ -38,7 +41,7 @@ bool SClientTool(const args_list_t &args) { return false; } - if(args_map.count("help")) { + if (args_map.count("help")) { fprintf(stderr, "Usage: s_client [options] [host:port]\n"); PrintUsage(kArguments); return false; diff --git a/tool-openssl/s_client_test.cc b/tool-openssl/s_client_test.cc index 205509e6ad..180af8b058 100644 --- a/tool-openssl/s_client_test.cc +++ b/tool-openssl/s_client_test.cc @@ -2,8 +2,8 @@ // SPDX-License-Identifier: Apache-2.0 OR ISC #include -#include "internal.h" #include +#include "internal.h" // Test -connect TEST(SClientTest, SClientConnect) { @@ -32,4 +32,3 @@ TEST(SClientTest, SClientConnectVerifyShowcerts) { bool result = SClientTool(args); ASSERT_TRUE(result); } - diff --git a/tool-openssl/test_util.h b/tool-openssl/test_util.h index 7c9036b29e..a280717141 100644 --- a/tool-openssl/test_util.h +++ b/tool-openssl/test_util.h 
@@ -5,29 +5,32 @@ #define TEST_UTIL_H #include -#include -#include +#include #include +#include #include #include -#include -#include +#include -// Helper function to trim whitespace from both ends of a string to test comparison output +// Helper function to trim whitespace from both ends of a string to test +// comparison output static inline std::string &trim(std::string &s) { s.erase(s.begin(), std::find_if(s.begin(), s.end(), [](unsigned char ch) { - return !std::isspace(static_cast(ch)); - })); - s.erase(std::find_if(s.rbegin(), s.rend(), [](unsigned char ch) { - return !std::isspace(static_cast(ch)); - }).base(), s.end()); + return !std::isspace(static_cast(ch)); + })); + s.erase(std::find_if(s.rbegin(), s.rend(), + [](unsigned char ch) { + return !std::isspace(static_cast(ch)); + }) + .base(), + s.end()); return s; } // Helper function to read file content into a string -inline std::string ReadFileToString(const std::string& file_path) { +inline std::string ReadFileToString(const std::string &file_path) { std::ifstream file_stream(file_path, std::ios::binary); if (!file_stream) { return ""; @@ -37,9 +40,12 @@ inline std::string ReadFileToString(const std::string& file_path) { return buffer.str(); } -inline void RunCommandsAndCompareOutput(const std::string &tool_command, const std::string &openssl_command, - const std::string &out_path_tool, const std::string &out_path_openssl, - std::string &tool_output_str, std::string &openssl_output_str) { +inline void RunCommandsAndCompareOutput(const std::string &tool_command, + const std::string &openssl_command, + const std::string &out_path_tool, + const std::string &out_path_openssl, + std::string &tool_output_str, + std::string &openssl_output_str) { int tool_result = system(tool_command.c_str()); ASSERT_EQ(tool_result, 0) << "AWS-LC tool command failed: " << tool_command; 
@@ -47,15 +53,20 @@ inline void RunCommandsAndCompareOutput(const std::string &tool_command, const s
 ASSERT_EQ(openssl_result, 0) << "OpenSSL command failed: " << openssl_command;
 std::ifstream tool_output(out_path_tool);
- tool_output_str = std::string((std::istreambuf_iterator(tool_output)), std::istreambuf_iterator());
+ tool_output_str = std::string((std::istreambuf_iterator(tool_output)),
+ std::istreambuf_iterator());
 std::ifstream openssl_output(out_path_openssl);
- openssl_output_str = std::string((std::istreambuf_iterator(openssl_output)), std::istreambuf_iterator());
+ openssl_output_str =
+ std::string((std::istreambuf_iterator(openssl_output)),
+ std::istreambuf_iterator());
- std::cout << "AWS-LC tool output:" << std::endl << tool_output_str << std::endl;
- std::cout << "OpenSSL output:" << std::endl << openssl_output_str << std::endl;
+ std::cout << "AWS-LC tool output:" << std::endl
+ << tool_output_str << std::endl;
+ std::cout << "OpenSSL output:" << std::endl
+ << openssl_output_str << std::endl;
 }
-inline void RemoveFile(const char* path) {
+inline void RemoveFile(const char *path) {
 struct stat buffer;
 if (path != nullptr && stat(path, &buffer) == 0) {
 if (remove(path) != 0) {
@@ -65,6 +76,6 @@ inline void RemoveFile(const char* path) {
 }
 // OpenSSL versions 3.1.0 and later change from "(stdin)= " to "MD5(stdin) ="
-std::string GetHash(const std::string& str);
+std::string GetHash(const std::string &str);
-#endif //TEST_UTIL_H
+#endif // TEST_UTIL_H
diff --git a/tool-openssl/verify.cc b/tool-openssl/verify.cc
index 98cf080d55..b87bb62a7d 100644
--- a/tool-openssl/verify.cc
+++ b/tool-openssl/verify.cc
@@ -2,8 +2,8 @@
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 #include
-#include
 #include
+#include
 #include "internal.h"
 // TO-DO: We do not support using a default trust store, therefore -CAfile must
@@ -34,7 +34,8 @@ static X509_STORE *setup_verification_store(std::string CAfile) {
 if (!CAfile.empty()) {
 lookup = X509_STORE_add_lookup(store.get(), X509_LOOKUP_file());
- if (!lookup || !X509_LOOKUP_load_file(lookup, CAfile.c_str(), X509_FILETYPE_PEM)) {
+ if (!lookup ||
+ !X509_LOOKUP_load_file(lookup, CAfile.c_str(), X509_FILETYPE_PEM)) {
 fprintf(stderr, "Error loading file %s\n", CAfile.c_str());
 return nullptr;
 }
@@ -55,16 +56,14 @@ static int cb(int ok, X509_STORE_CTX *ctx) {
 X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
 if (current_cert != NULL) {
- X509_NAME_print_ex_fp(stderr,
- X509_get_subject_name(current_cert),
- 0, XN_FLAG_ONELINE);
+ X509_NAME_print_ex_fp(stderr, X509_get_subject_name(current_cert), 0,
+ XN_FLAG_ONELINE);
 fprintf(stderr, "\n");
 }
 fprintf(stderr, "%serror %d at %d depth lookup: %s\n",
- X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path] " : "",
- cert_error,
- X509_STORE_CTX_get_error_depth(ctx),
- X509_verify_cert_error_string(cert_error));
+ X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path] " : "",
+ cert_error, X509_STORE_CTX_get_error_depth(ctx),
+ X509_verify_cert_error_string(cert_error));
 /*
 * Pretend that some errors are ok, so they don't stop further
@@ -93,7 +92,7 @@ static int cb(int ok, X509_STORE_CTX *ctx) {
 return ok;
 }
-static int check(X509_STORE *ctx, const char* chainfile, const char *certfile) {
+static int check(X509_STORE *ctx, const char *chainfile, const char *certfile) {
 bssl::UniquePtr chain(sk_X509_new_null());
 bssl::UniquePtr cert;
 int i = 0, ret = 0;
@@ -106,8 +105,9 @@ static int check(X509_STORE *ctx, const char* chainfile, const char *certfile) {
 }
 bssl::UniquePtr chain_bio(BIO_new_fp(chain_file.get(), BIO_NOCLOSE));
 size_t count = 0;
- while(1) {
- bssl::UniquePtr chain_cert(PEM_read_bio_X509(chain_bio.get(), NULL, NULL, NULL));
+ while (1) {
+ bssl::UniquePtr chain_cert(
+ PEM_read_bio_X509(chain_bio.get(), NULL, NULL, NULL));
 if (chain_cert.get() == nullptr) {
 uint32_t error = ERR_peek_last_error();
 if (ERR_GET_LIB(error) == ERR_LIB_PEM &&
@@ -119,7 +119,7 @@ static int check(X509_STORE *ctx, const char* chainfile, const char *certfile) {
 chainfile);
 return 0;
 }
- if(!sk_X509_push(chain.get(), chain_cert.release())) {
+ if (!sk_X509_push(chain.get(), chain_cert.release())) {
 return 0;
 }
 count++;
@@ -146,14 +146,13 @@ static int check(X509_STORE *ctx, const char* chainfile, const char *certfile) {
 bssl::UniquePtr store_ctx(X509_STORE_CTX_new());
 if (store_ctx == nullptr || store_ctx.get() == nullptr) {
 fprintf(stderr, "error %s: X.509 store context allocation failed\n",
- (certfile == nullptr) ? "stdin" : certfile);
+ (certfile == nullptr) ? "stdin" : certfile);
 return 0;
 }
 if (!X509_STORE_CTX_init(store_ctx.get(), ctx, cert.get(), chain.get())) {
- fprintf(stderr,
- "error %s: X.509 store context initialization failed\n",
- (certfile == nullptr) ? "stdin" : certfile);
+ fprintf(stderr, "error %s: X.509 store context initialization failed\n",
+ (certfile == nullptr) ? "stdin" : certfile);
 return 0;
 }
@@ -162,9 +161,8 @@ static int check(X509_STORE *ctx, const char* chainfile, const char *certfile) {
 fprintf(stdout, "%s: OK\n", (certfile == nullptr) ? "stdin" : certfile);
 ret = 1;
 } else {
- fprintf(stderr,
- "error %s: verification failed\n",
- (certfile == nullptr) ? "stdin" : certfile);
+ fprintf(stderr, "error %s: verification failed\n",
+ (certfile == nullptr) ? "stdin" : certfile);
 }
 return ret;
@@ -181,7 +179,8 @@ bool VerifyTool(const args_list_t &args) {
 if (parsed_args.count("-help") || parsed_args.size() == 0) {
 fprintf(stderr,
 "Usage: verify [options] [cert.pem...]\n"
- "Certificates must be in PEM format. They can be specified in one or more files.\n"
+ "Certificates must be in PEM format. They can be specified in one "
+ "or more files.\n"
 "If no files are specified, the tool will read from stdin.\n\n"
 "Valid options are:\n");
 PrintUsage(kArguments);
@@ -202,7 +201,9 @@ bool VerifyTool(const args_list_t &args) {
 int ret = 1;
- const char *chain = parsed_args.count("-untrusted") ? parsed_args["-untrusted"].c_str() : NULL;
+ const char *chain = parsed_args.count("-untrusted")
+ ? parsed_args["-untrusted"].c_str()
+ : NULL;
 // No additional file or certs provided, read from stdin
 if (extra_args.size() == 0) {
diff --git a/tool-openssl/verify_test.cc b/tool-openssl/verify_test.cc
index 3c905aefdf..555e91adda 100644
--- a/tool-openssl/verify_test.cc
+++ b/tool-openssl/verify_test.cc
@@ -1,48 +1,49 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC -#include "openssl/x509.h" #include #include +#include "../crypto/test/test_util.h" #include "internal.h" +#include "openssl/x509.h" #include "test_util.h" -#include "../crypto/test/test_util.h" class VerifyTest : public ::testing::Test { -protected: - void SetUp() override { - ASSERT_GT(createTempFILEpath(ca_path), 0u); - ASSERT_GT(createTempFILEpath(chain_path), 0u); - ASSERT_GT(createTempFILEpath(in_path), 0u); - - bssl::UniquePtr x509(CreateAndSignX509Certificate()); - ASSERT_TRUE(x509); - - ScopedFILE in_file(fopen(in_path, "wb")); - ASSERT_TRUE(in_file); - ASSERT_TRUE(PEM_write_X509(in_file.get(), x509.get())); - - ScopedFILE ca_file(fopen(ca_path, "wb")); - ASSERT_TRUE(ca_file); - ASSERT_TRUE(PEM_write_X509(ca_file.get(), x509.get())); - - ScopedFILE chain_file(fopen(chain_path, "wb")); - ASSERT_TRUE(chain_file); - ASSERT_TRUE(PEM_write_X509(chain_file.get(), x509.get())); - } - void TearDown() override { - RemoveFile(ca_path); - RemoveFile(chain_path); - RemoveFile(in_path); - } - char ca_path[PATH_MAX]; - char chain_path[PATH_MAX]; - char in_path[PATH_MAX]; + protected: + void SetUp() override { + ASSERT_GT(createTempFILEpath(ca_path), 0u); + ASSERT_GT(createTempFILEpath(chain_path), 0u); + ASSERT_GT(createTempFILEpath(in_path), 0u); + + bssl::UniquePtr x509(CreateAndSignX509Certificate()); + ASSERT_TRUE(x509); + + ScopedFILE in_file(fopen(in_path, "wb")); + ASSERT_TRUE(in_file); + ASSERT_TRUE(PEM_write_X509(in_file.get(), x509.get())); + + ScopedFILE ca_file(fopen(ca_path, "wb")); + ASSERT_TRUE(ca_file); + ASSERT_TRUE(PEM_write_X509(ca_file.get(), x509.get())); + + ScopedFILE chain_file(fopen(chain_path, "wb")); + ASSERT_TRUE(chain_file); + ASSERT_TRUE(PEM_write_X509(chain_file.get(), x509.get())); + } + void TearDown() override { + RemoveFile(ca_path); + RemoveFile(chain_path); + RemoveFile(in_path); + } + char 
ca_path[PATH_MAX]; + char chain_path[PATH_MAX]; + char in_path[PATH_MAX]; }; -// ----------------------------- Verify Option Tests ----------------------------- +// ----------------------------- Verify Option Tests +// ----------------------------- // Test -CAfile with self-signed certificate TEST_F(VerifyTest, VerifyTestSelfSignedCertWithCAfileTest) { @@ -51,7 +52,7 @@ TEST_F(VerifyTest, VerifyTestSelfSignedCertWithCAfileTest) { ASSERT_TRUE(result); } -// Test certificate without -CAfile +// Test certificate without -CAfile TEST_F(VerifyTest, VerifyTestSelfSignedCertWithoutCAfile) { args_list_t args = {in_path}; bool result = VerifyTool(args); 
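Review bot: The banner comment `// ----------------------------- Verify Option Tests -----------------------------` was wrapped by clang-format into a heading line plus a line of bare dashes (`// -----------------------------`), which reads as a stray separator rather than a banner. Shorten the banner by hand so it fits the column limit instead of letting the formatter wrap it, e.g. `// ------------------- Verify Option Tests -------------------`. The `@@ -72,66 +73,73 @@` hunk in the same file does the same to the `Verify OpenSSL Comparison Tests` banner, and the rsa_test.cc banners at `@@ -78,10 +82,10 @@` show the width these should be trimmed to.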
@@ -72,66 +73,73 @@ TEST_F(VerifyTest, VerifyTestSelfSignedCertWithCAFileAndUntrustedChain) { ASSERT_TRUE(result); } -// -------------------- Verify OpenSSL Comparison Tests -------------------------- +// -------------------- Verify OpenSSL Comparison Tests +// -------------------------- // Comparison tests cannot run without set up of environment variables: // AWSLC_TOOL_PATH and OPENSSL_TOOL_PATH. class VerifyComparisonTest : public ::testing::Test { -protected: - void SetUp() override { - - // Skip gtests if env variables not set - tool_executable_path = getenv("AWSLC_TOOL_PATH"); - openssl_executable_path = getenv("OPENSSL_TOOL_PATH"); - if (tool_executable_path == nullptr || openssl_executable_path == nullptr) { - GTEST_SKIP() << "Skipping test: AWSLC_TOOL_PATH and/or OPENSSL_TOOL_PATH environment variables are not set"; - } - - ASSERT_GT(createTempFILEpath(in_path), 0u); - ASSERT_GT(createTempFILEpath(ca_path), 0u); - ASSERT_GT(createTempFILEpath(out_path_tool), 0u); - ASSERT_GT(createTempFILEpath(out_path_openssl), 0u); - - x509.reset(CreateAndSignX509Certificate()); - ASSERT_TRUE(x509); - - ScopedFILE in_file(fopen(in_path, "wb")); - ASSERT_TRUE(in_file); - ASSERT_TRUE(PEM_write_X509(in_file.get(), x509.get())); - - ScopedFILE ca_file(fopen(ca_path, "wb")); - ASSERT_TRUE(ca_file); - ASSERT_TRUE(PEM_write_X509(ca_file.get(), x509.get())); + protected: + void SetUp() override { + // Skip gtests if env variables not set + tool_executable_path = getenv("AWSLC_TOOL_PATH"); + openssl_executable_path = getenv("OPENSSL_TOOL_PATH"); + if (tool_executable_path == nullptr || openssl_executable_path == nullptr) { + GTEST_SKIP() << "Skipping test: AWSLC_TOOL_PATH and/or OPENSSL_TOOL_PATH " + "environment variables are not set"; } - void TearDown() override { - if (tool_executable_path != nullptr && openssl_executable_path != nullptr) { - RemoveFile(in_path); - RemoveFile(out_path_tool); - RemoveFile(out_path_openssl); - RemoveFile(ca_path); - } - } + 
ASSERT_GT(createTempFILEpath(in_path), 0u); + ASSERT_GT(createTempFILEpath(ca_path), 0u); + ASSERT_GT(createTempFILEpath(out_path_tool), 0u); + ASSERT_GT(createTempFILEpath(out_path_openssl), 0u); + + x509.reset(CreateAndSignX509Certificate()); + ASSERT_TRUE(x509); + + ScopedFILE in_file(fopen(in_path, "wb")); + ASSERT_TRUE(in_file); + ASSERT_TRUE(PEM_write_X509(in_file.get(), x509.get())); + + ScopedFILE ca_file(fopen(ca_path, "wb")); + ASSERT_TRUE(ca_file); + ASSERT_TRUE(PEM_write_X509(ca_file.get(), x509.get())); + } - char in_path[PATH_MAX]; - char ca_path[PATH_MAX]; - char out_path_tool[PATH_MAX]; - char out_path_openssl[PATH_MAX]; - bssl::UniquePtr x509; - const char* tool_executable_path; - const char* openssl_executable_path; - std::string tool_output_str; - std::string openssl_output_str; + void TearDown() override { + if (tool_executable_path != nullptr && openssl_executable_path != nullptr) { + RemoveFile(in_path); + RemoveFile(out_path_tool); + RemoveFile(out_path_openssl); + RemoveFile(ca_path); + } + } + + char in_path[PATH_MAX]; + char ca_path[PATH_MAX]; + char out_path_tool[PATH_MAX]; + char out_path_openssl[PATH_MAX]; + bssl::UniquePtr x509; + const char *tool_executable_path; + const char *openssl_executable_path; + std::string tool_output_str; + std::string openssl_output_str; }; // Test against OpenSSL with -CAfile & self-signed cert fed in as a file // "openssl verify -CAfile cert.pem cert.pem" TEST_F(VerifyComparisonTest, VerifyToolOpenSSLCAFileSelfSignedComparison) { - std::string tool_command = std::string(tool_executable_path) + " verify -CAfile " + ca_path + " " + in_path + " &> " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " verify -CAfile " + ca_path + " " + in_path + " &> " + out_path_openssl; + std::string tool_command = std::string(tool_executable_path) + + " verify -CAfile " + ca_path + " " + in_path + + " &> " + out_path_tool; + std::string openssl_command = 
std::string(openssl_executable_path) + + " verify -CAfile " + ca_path + " " + in_path + + " &> " + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } @@ -139,10 +147,16 @@ TEST_F(VerifyComparisonTest, VerifyToolOpenSSLCAFileSelfSignedComparison) { // Test against OpenSSL with -CAfile & 2 self-signed cert fed in as files // "openssl verify -CAfile cert.pem cert.pem cert.pem" TEST_F(VerifyComparisonTest, VerifyToolOpenSSLCAFileMultipleFilesComparison) { - std::string tool_command = std::string(tool_executable_path) + " verify -CAfile " + ca_path + " " + in_path + " " + in_path + " &> " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " verify -CAfile " + ca_path + " " + in_path + " " + in_path + " &> " + out_path_openssl; + std::string tool_command = std::string(tool_executable_path) + + " verify -CAfile " + ca_path + " " + in_path + + " " + in_path + " &> " + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " verify -CAfile " + ca_path + " " + in_path + + " " + in_path + " &> " + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } 
@@ -150,10 +164,18 @@ TEST_F(VerifyComparisonTest, VerifyToolOpenSSLCAFileMultipleFilesComparison) { // Test against OpenSSL with -CAfile & self-signed cert fed through stdin // "cat cert.pem | openssl verify -CAfile cert.pem" TEST_F(VerifyComparisonTest, VerifyToolOpenSSLCAFileSelfSignedStdinComparison) { - std::string tool_command = "cat " + std::string(ca_path) + " | " + std::string(tool_executable_path) + " verify -CAfile " + ca_path + " &> " + out_path_tool; - std::string openssl_command = "cat " + std::string(ca_path) + " | " + std::string(openssl_executable_path) + " verify -CAfile " + ca_path + " &> " + out_path_openssl; - - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + std::string tool_command = "cat " + std::string(ca_path) + " | " + + std::string(tool_executable_path) + + " verify -CAfile " + ca_path + " &> " + + out_path_tool; + std::string openssl_command = "cat " + std::string(ca_path) + " | " + + std::string(openssl_executable_path) + + " verify -CAfile " + ca_path + " &> " + + out_path_openssl; + + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } diff --git a/tool-openssl/version.cc b/tool-openssl/version.cc index 7643ba5337..c1f2a8c1a2 100644 --- a/tool-openssl/version.cc +++ b/tool-openssl/version.cc @@ -4,9 +4,7 @@ #include #include "internal.h" -static const argument_t kArguments[] = { - { "", kOptionalArgument, "" } -}; +static const argument_t kArguments[] = {{"", kOptionalArgument, ""}}; bool VersionTool(const args_list_t &args) { args_map_t parsed_args; diff --git a/tool-openssl/x509.cc b/tool-openssl/x509.cc index 037dc6f664..7b6b62a10e 100644 --- a/tool-openssl/x509.cc +++ b/tool-openssl/x509.cc 
@@ -1,41 +1,59 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC -#include #include #include -#include "internal.h" +#include #include #include +#include "internal.h" static const argument_t kArguments[] = { - { "-help", kBooleanArgument, "Display option summary" }, - { "-in", kOptionalArgument, "Certificate input, or CSR input file with -req" }, - { "-req", kBooleanArgument, "Input is a CSR file (rather than a certificate)" }, - { "-signkey", kOptionalArgument, "Causes input file to be self signed using supplied private key" }, - { "-out", kOptionalArgument, "Filepath to write all output to, if not set write to stdout" }, - { "-noout", kBooleanArgument, "Prevents output of the encoded version of the certificate" }, - { "-dates", kBooleanArgument, "Print the start and expiry dates of a certificate" }, - { "-modulus", kBooleanArgument, "Prints out value of the modulus of the public key contained in the certificate" }, - { "-subject", kBooleanArgument, "Prints the subject name"}, - { "-subject_hash", kBooleanArgument, "Prints subject hash value"}, - { "-subject_hash_old", kBooleanArgument, "Prints old OpenSSL style (MD5) subject hash value"}, - { "-fingerprint", kBooleanArgument, "Prints the certificate fingerprint"}, - { "-checkend", kOptionalArgument, "Check whether cert expires in the next arg seconds" }, - { "-days", kOptionalArgument, "Number of days until newly generated certificate expires - default 30" }, - { "-text", kBooleanArgument, "Pretty print the contents of the certificate"}, - { "-inform", kOptionalArgument, "This specifies the input format normally the command will expect an X509 " - "certificate but this can change if other options such as -req are present. " - "The DER format is the DER encoding of the certificate and PEM is the base64 " - "encoding of the DER encoding with header and footer lines added. 
The default " - "format is PEM."}, - { "-enddate", kBooleanArgument, "Prints out the expiry date of the certificate, that is the notAfter date."}, - { "", kOptionalArgument, "" } -}; - -static bool WriteSignedCertificate(X509 *x509, bssl::UniquePtr &output_bio, const std::string &out_path) { + {"-help", kBooleanArgument, "Display option summary"}, + {"-in", kOptionalArgument, + "Certificate input, or CSR input file with -req"}, + {"-req", kBooleanArgument, + "Input is a CSR file (rather than a certificate)"}, + {"-signkey", kOptionalArgument, + "Causes input file to be self signed using supplied private key"}, + {"-out", kOptionalArgument, + "Filepath to write all output to, if not set write to stdout"}, + {"-noout", kBooleanArgument, + "Prevents output of the encoded version of the certificate"}, + {"-dates", kBooleanArgument, + "Print the start and expiry dates of a certificate"}, + {"-modulus", kBooleanArgument, + "Prints out value of the modulus of the public key contained in the " + "certificate"}, + {"-subject", kBooleanArgument, "Prints the subject name"}, + {"-subject_hash", kBooleanArgument, "Prints subject hash value"}, + {"-subject_hash_old", kBooleanArgument, + "Prints old OpenSSL style (MD5) subject hash value"}, + {"-fingerprint", kBooleanArgument, "Prints the certificate fingerprint"}, + {"-checkend", kOptionalArgument, + "Check whether cert expires in the next arg seconds"}, + {"-days", kOptionalArgument, + "Number of days until newly generated certificate expires - default 30"}, + {"-text", kBooleanArgument, "Pretty print the contents of the certificate"}, + {"-inform", kOptionalArgument, + "This specifies the input format normally the command will expect an X509 " + "certificate but this can change if other options such as -req are " + "present. " + "The DER format is the DER encoding of the certificate and PEM is the " + "base64 " + "encoding of the DER encoding with header and footer lines added. 
The " + "default " + "format is PEM."}, + {"-enddate", kBooleanArgument, + "Prints out the expiry date of the certificate, that is the notAfter " + "date."}, + {"", kOptionalArgument, ""}}; + +static bool WriteSignedCertificate(X509 *x509, bssl::UniquePtr &output_bio, + const std::string &out_path) { if (!PEM_write_bio_X509(output_bio.get(), x509)) { - fprintf(stderr, "Error: error writing certificate to '%s'\n", out_path.c_str()); + fprintf(stderr, "Error: error writing certificate to '%s'\n", + out_path.c_str()); ERR_print_errors_fp(stderr); return false; } 
@@ -43,35 +61,41 @@ static bool WriteSignedCertificate(X509 *x509, bssl::UniquePtr &output_bio, } static bool isCharUpperCaseEqual(char a, char b) { - return ::toupper(a) == ::toupper(b); + return ::toupper(a) == ::toupper(b); } static bool isStringUpperCaseEqual(const std::string &a, const std::string &b) { - return a.size() == b.size() && std::equal(a.begin(), a.end(), b.begin(), isCharUpperCaseEqual); + return a.size() == b.size() && + std::equal(a.begin(), a.end(), b.begin(), isCharUpperCaseEqual); } -bool LoadPrivateKeyAndSignCertificate(X509 *x509, const std::string &signkey_path) { +bool LoadPrivateKeyAndSignCertificate(X509 *x509, + const std::string &signkey_path) { ScopedFILE signkey_file(fopen(signkey_path.c_str(), "rb")); if (!signkey_file) { - fprintf(stderr, "Error: unable to load private key from '%s'\n", signkey_path.c_str()); + fprintf(stderr, "Error: unable to load private key from '%s'\n", + signkey_path.c_str()); return false; } - bssl::UniquePtr pkey(PEM_read_PrivateKey(signkey_file.get(), nullptr, nullptr, nullptr)); + bssl::UniquePtr pkey( + PEM_read_PrivateKey(signkey_file.get(), nullptr, nullptr, nullptr)); if (!pkey) { - fprintf(stderr, "Error: error reading private key from '%s'\n", signkey_path.c_str()); + fprintf(stderr, "Error: error reading private key from '%s'\n", + signkey_path.c_str()); ERR_print_errors_fp(stderr); return false; } // TODO: make customizable with -digest option if (!X509_sign(x509, pkey.get(), EVP_sha256())) { - fprintf(stderr, "Error: error signing certificate with key from '%s'\n", signkey_path.c_str()); + fprintf(stderr, "Error: error signing certificate with key from '%s'\n", + signkey_path.c_str()); ERR_print_errors_fp(stderr); return false; } return true; } -bool IsNumeric(const std::string& str) { +bool IsNumeric(const std::string &str) { return !str.empty() && std::all_of(str.begin(), str.end(), ::isdigit); } 
@@ -87,8 +111,8 @@ bool X509Tool(const args_list_t &args) { std::string in_path, out_path, signkey_path, checkend_str, days_str, inform; bool noout = false, modulus = false, dates = false, req = false, help = false, - text = false, subject = false, fingerprint = false, enddate = false, - subject_hash = false, subject_hash_old = false; + text = false, subject = false, fingerprint = false, enddate = false, + subject_hash = false, subject_hash_old = false; std::unique_ptr checkend, days; GetBoolArgument(&help, "-help", parsed_args); @@ -122,21 +146,28 @@ bool X509Tool(const args_list_t &args) { // -req must include -signkey if (req && signkey_path.empty()) { - fprintf(stderr, "Error: '-req' option must be used with '-signkey' option\n"); + fprintf(stderr, + "Error: '-req' option must be used with '-signkey' option\n"); return false; } // Check for mutually exclusive options - if (req && (dates || parsed_args.count("-checkend"))){ - fprintf(stderr, "Error: '-req' option cannot be used with '-dates' and '-checkend' options\n"); + if (req && (dates || parsed_args.count("-checkend"))) { + fprintf(stderr, + "Error: '-req' option cannot be used with '-dates' and '-checkend' " + "options\n"); return false; } - if (!signkey_path.empty() && (dates || parsed_args.count("-checkend"))){ - fprintf(stderr, "Error: '-signkey' option cannot be used with '-dates' and '-checkend' options\n"); + if (!signkey_path.empty() && (dates || parsed_args.count("-checkend"))) { + fprintf(stderr, + "Error: '-signkey' option cannot be used with '-dates' and " + "'-checkend' options\n"); return false; } - if (parsed_args.count("-days") && (dates || parsed_args.count("-checkend"))){ - fprintf(stderr, "Error: '-days' option cannot be used with '-dates' and '-checkend' options\n"); + if (parsed_args.count("-days") && (dates || parsed_args.count("-checkend"))) { + fprintf(stderr, + "Error: '-days' option cannot be used with '-dates' and " + "'-checkend' options\n"); return false; } 
@@ -144,7 +175,9 @@ bool X509Tool(const args_list_t &args) { if (parsed_args.count("-checkend")) { checkend_str = parsed_args["-checkend"]; if (!IsNumeric(checkend_str)) { - fprintf(stderr, "Error: '-checkend' option must include a non-negative integer\n"); + fprintf( + stderr, + "Error: '-checkend' option must include a non-negative integer\n"); return false; } checkend.reset(new unsigned(std::stoul(checkend_str))); @@ -154,16 +187,20 @@ bool X509Tool(const args_list_t &args) { if (parsed_args.count("-days")) { days_str = parsed_args["-days"]; if (!IsNumeric(days_str) || std::stoul(days_str) == 0) { - fprintf(stderr, "Error: '-days' option must include a positive integer\n"); + fprintf(stderr, + "Error: '-days' option must include a positive integer\n"); return false; } days.reset(new unsigned(std::stoul(days_str))); } // Check -inform has a valid value - if(!inform.empty()) { - if (!isStringUpperCaseEqual(inform, "DER") && !isStringUpperCaseEqual(inform, "PEM")) { - fprintf(stderr, "Error: '-inform' option must specify a valid encoding DER|PEM\n"); + if (!inform.empty()) { + if (!isStringUpperCaseEqual(inform, "DER") && + !isStringUpperCaseEqual(inform, "PEM")) { + fprintf( + stderr, + "Error: '-inform' option must specify a valid encoding DER|PEM\n"); return false; } } @@ -175,7 +212,8 @@ bool X509Tool(const args_list_t &args) { } else { in_file.reset(fopen(in_path.c_str(), "rb")); if (!in_file) { - fprintf(stderr, "Error: unable to load certificate from '%s'\n", in_path.c_str()); + fprintf(stderr, "Error: unable to load certificate from '%s'\n", + in_path.c_str()); return false; } } @@ -202,7 +240,8 @@ bool X509Tool(const args_list_t &args) { } // Set the subject from CSR - if (!X509_set_subject_name(x509.get(), X509_REQ_get_subject_name(csr.get()))) { + if (!X509_set_subject_name(x509.get(), + X509_REQ_get_subject_name(csr.get()))) { fprintf(stderr, "Error: unable to set subject name from CSR\n"); return false; } 
@@ -215,7 +254,8 @@ bool X509Tool(const args_list_t &args) { } // Set issuer name - if (!X509_set_issuer_name(x509.get(), X509_REQ_get_subject_name(csr.get()))) { + if (!X509_set_issuer_name(x509.get(), + X509_REQ_get_subject_name(csr.get()))) { fprintf(stderr, "Error: unable to set issuer name\n"); return false; } @@ -223,7 +263,8 @@ bool X509Tool(const args_list_t &args) { // Set validity period, default 30 days if not specified unsigned valid_days = days ? *days : 30; if (!X509_gmtime_adj(X509_getm_notBefore(x509.get()), 0) || - !X509_gmtime_adj(X509_getm_notAfter(x509.get()), 60 * 60 * 24 * valid_days)) { + !X509_gmtime_adj(X509_getm_notAfter(x509.get()), + 60 * 60 * 24 * valid_days)) { fprintf(stderr, "Error: unable to set validity period\n"); return false; } @@ -248,7 +289,8 @@ bool X509Tool(const args_list_t &args) { } if (!x509) { - fprintf(stderr, "Error: error parsing certificate from '%s'\n", in_path.c_str()); + fprintf(stderr, "Error: error parsing certificate from '%s'\n", + in_path.c_str()); ERR_print_errors_fp(stderr); return false; } @@ -288,7 +330,7 @@ bool X509Tool(const args_list_t &args) { } } - if(text) { + if (text) { X509_print(output_bio.get(), x509.get()); } 
@@ -313,20 +355,22 @@ bool X509Tool(const args_list_t &args) { fprintf(stderr, "Error: unable to obtain digest\n"); return false; } - BIO_printf(output_bio.get(), "%s Fingerprint=", - OBJ_nid2sn(EVP_MD_type(digest))); + BIO_printf(output_bio.get(), + "%s Fingerprint=", OBJ_nid2sn(EVP_MD_type(digest))); for (int j = 0; j < (int)out_len; j++) { - BIO_printf(output_bio.get(), "%02X%c", md[j], (j + 1 == (int)out_len) - ? '\n' : ':'); + BIO_printf(output_bio.get(), "%02X%c", md[j], + (j + 1 == (int)out_len) ? '\n' : ':'); } } if (subject_hash) { - BIO_printf(output_bio.get(), "%08x\n", X509_subject_name_hash(x509.get())); + BIO_printf(output_bio.get(), "%08x\n", + X509_subject_name_hash(x509.get())); } - if(subject_hash_old) { - BIO_printf(output_bio.get(), "%08x\n", X509_subject_name_hash_old(x509.get())); + if (subject_hash_old) { + BIO_printf(output_bio.get(), "%08x\n", + X509_subject_name_hash_old(x509.get())); } if (dates) { @@ -346,10 +390,12 @@ bool X509Tool(const args_list_t &args) { } if (checkend) { - bssl::UniquePtr current_time(ASN1_TIME_set(nullptr, std::time(nullptr))); + bssl::UniquePtr current_time( + ASN1_TIME_set(nullptr, std::time(nullptr))); ASN1_TIME *end_time = X509_getm_notAfter(x509.get()); int days_left, seconds_left; - if (!ASN1_TIME_diff(&days_left, &seconds_left, current_time.get(), end_time)) { + if (!ASN1_TIME_diff(&days_left, &seconds_left, current_time.get(), + end_time)) { fprintf(stderr, "Error: failed to calculate time difference\n"); return false; } diff --git a/tool-openssl/x509_test.cc b/tool-openssl/x509_test.cc index 5e5d48c963..7e8fc391c7 100644 --- a/tool-openssl/x509_test.cc +++ b/tool-openssl/x509_test.cc 
@@ -4,79 +4,83 @@ #include "openssl/x509.h" #include #include +#include +#include "../crypto/test/test_util.h" #include "internal.h" #include "test_util.h" -#include "../crypto/test/test_util.h" -#include - X509* CreateAndSignX509Certificate() { - bssl::UniquePtr x509(X509_new()); - if (!x509) return nullptr; +X509 *CreateAndSignX509Certificate() { + bssl::UniquePtr x509(X509_new()); + if (!x509) + return nullptr; - // Set version to X509v3 - X509_set_version(x509.get(), X509_VERSION_3); + // Set version to X509v3 + X509_set_version(x509.get(), X509_VERSION_3); - // Set validity period for 30 days - if (!X509_gmtime_adj(X509_getm_notBefore(x509.get()), 0) || - !X509_gmtime_adj(X509_getm_notAfter(x509.get()), 60 * 60 * 24 * 30L)) { - return nullptr; - } + // Set validity period for 30 days + if (!X509_gmtime_adj(X509_getm_notBefore(x509.get()), 0) || + !X509_gmtime_adj(X509_getm_notAfter(x509.get()), 60 * 60 * 24 * 30L)) { + return nullptr; + } - bssl::UniquePtr pkey(EVP_PKEY_new()); - if (!pkey) { - return nullptr; - } - bssl::UniquePtr rsa(RSA_new()); - bssl::UniquePtr bn(BN_new()); - if (!bn || !BN_set_word(bn.get(), RSA_F4) || - !RSA_generate_key_ex(rsa.get(), 2048, bn.get(), nullptr) || - !EVP_PKEY_assign_RSA(pkey.get(), rsa.release())) { - return nullptr; - } - if (!X509_set_pubkey(x509.get(), pkey.get())) { - return nullptr; - } + bssl::UniquePtr pkey(EVP_PKEY_new()); + if (!pkey) { + return nullptr; + } + bssl::UniquePtr rsa(RSA_new()); + bssl::UniquePtr bn(BN_new()); + if (!bn || !BN_set_word(bn.get(), RSA_F4) || + !RSA_generate_key_ex(rsa.get(), 2048, bn.get(), nullptr) || + !EVP_PKEY_assign_RSA(pkey.get(), rsa.release())) { + return nullptr; + } + if (!X509_set_pubkey(x509.get(), pkey.get())) { + return nullptr; + } - X509_NAME *subject_name = X509_NAME_new(); - if (!X509_NAME_add_entry_by_NID( + X509_NAME *subject_name = X509_NAME_new(); + if (!X509_NAME_add_entry_by_NID( subject_name, NID_organizationName, MBSTRING_UTF8, - reinterpret_cast("Org"), 
/*len=*/-1, /*loc=*/-1, + reinterpret_cast("Org"), /*len=*/-1, + /*loc=*/-1, /*set=*/0) || - !X509_NAME_add_entry_by_NID( + !X509_NAME_add_entry_by_NID( subject_name, NID_commonName, MBSTRING_UTF8, - reinterpret_cast("Name"), /*len=*/-1, /*loc=*/-1, + reinterpret_cast("Name"), /*len=*/-1, + /*loc=*/-1, /*set=*/0)) { - return nullptr; - } - - // self-signed - if (!X509_set_subject_name(x509.get(), subject_name) || - !X509_set_issuer_name(x509.get(), subject_name)) { - return nullptr; - }; - X509_NAME_free(subject_name); - - // Add X509v3 extensions - X509V3_CTX ctx; - X509V3_set_ctx_nodb(&ctx); - X509V3_set_ctx(&ctx, x509.get(), x509.get(), nullptr, nullptr, 0); - - X509_EXTENSION *ext; - if (!(ext = X509V3_EXT_conf_nid(nullptr, &ctx, NID_basic_constraints, const_cast("critical,CA:TRUE"))) || - !X509_add_ext(x509.get(), ext, -1)) { - return nullptr; - } - X509_EXTENSION_free(ext); + return nullptr; + } - if (X509_sign(x509.get(), pkey.get(), EVP_sha256()) <= 0) { - return nullptr; - } + // self-signed + if (!X509_set_subject_name(x509.get(), subject_name) || + !X509_set_issuer_name(x509.get(), subject_name)) { + return nullptr; + }; + X509_NAME_free(subject_name); + + // Add X509v3 extensions + X509V3_CTX ctx; + X509V3_set_ctx_nodb(&ctx); + X509V3_set_ctx(&ctx, x509.get(), x509.get(), nullptr, nullptr, 0); + + X509_EXTENSION *ext; + if (!(ext = X509V3_EXT_conf_nid(nullptr, &ctx, NID_basic_constraints, + const_cast("critical,CA:TRUE"))) || + !X509_add_ext(x509.get(), ext, -1)) { + return nullptr; + } + X509_EXTENSION_free(ext); - return x509.release(); + if (X509_sign(x509.get(), pkey.get(), EVP_sha256()) <= 0) { + return nullptr; } + return x509.release(); +} + class X509Test : public ::testing::Test { -protected: + protected: void SetUp() override { ASSERT_GT(createTempFILEpath(in_path), 0u); ASSERT_GT(createTempFILEpath(csr_path), 0u); 
@@ -89,12 +93,14 @@ class X509Test : public ::testing::Test { bssl::UniquePtr rsa(RSA_new()); ASSERT_TRUE(rsa); bssl::UniquePtr bn(BN_new()); - ASSERT_TRUE(bn && rsa && BN_set_word(bn.get(), RSA_F4) && RSA_generate_key_ex(rsa.get(), 2048, bn.get(), nullptr)); + ASSERT_TRUE(bn && rsa && BN_set_word(bn.get(), RSA_F4) && + RSA_generate_key_ex(rsa.get(), 2048, bn.get(), nullptr)); ASSERT_TRUE(EVP_PKEY_assign_RSA(pkey.get(), rsa.release())); ScopedFILE signkey_file(fopen(signkey_path, "wb")); ASSERT_TRUE(signkey_file); - ASSERT_TRUE(PEM_write_PrivateKey(signkey_file.get(), pkey.get(), nullptr, nullptr, 0, nullptr, nullptr)); + ASSERT_TRUE(PEM_write_PrivateKey(signkey_file.get(), pkey.get(), nullptr, + nullptr, 0, nullptr, nullptr)); bssl::UniquePtr x509(CreateAndSignX509Certificate()); ASSERT_TRUE(x509); @@ -116,7 +122,6 @@ class X509Test : public ::testing::Test { ScopedFILE csr_file(fopen(csr_path, "wb")); ASSERT_TRUE(csr_file); ASSERT_TRUE(PEM_write_X509_REQ(csr_file.get(), csr.get())); - } void TearDown() override { RemoveFile(in_path); @@ -143,7 +148,8 @@ TEST_F(X509Test, X509ToolInOutTest) { { ScopedFILE out_file(fopen(out_path, "rb")); ASSERT_TRUE(out_file); - bssl::UniquePtr parsed_x509(PEM_read_X509(out_file.get(), nullptr, nullptr, nullptr)); + bssl::UniquePtr parsed_x509( + PEM_read_X509(out_file.get(), nullptr, nullptr, nullptr)); ASSERT_TRUE(parsed_x509); } } @@ -189,7 +195,8 @@ TEST_F(X509Test, X509ToolSignkeyTest) { // Test -days TEST_F(X509Test, X509ToolDaysTest) { - args_list_t args = {"-in", in_path, "-out", out_path, "-signkey", signkey_path, "-days", "365"}; + args_list_t args = {"-in", in_path, "-out", out_path, + "-signkey", signkey_path, "-days", "365"}; bool result = X509Tool(args); ASSERT_TRUE(result); } 
@@ -228,7 +235,8 @@ TEST_F(X509Test, X509ToolCheckendTest) { // Test -req TEST_F(X509Test, X509ToolReqTest) { - args_list_t args = {"-in", csr_path, "-req", "-signkey", signkey_path, "-out", out_path}; + args_list_t args = {"-in", csr_path, "-req", "-signkey", + signkey_path, "-out", out_path}; bool result = X509Tool(args); ASSERT_TRUE(result); } @@ -236,10 +244,10 @@ TEST_F(X509Test, X509ToolReqTest) { // -------------------- X590 Option Usage Error Tests -------------------------- class X509OptionUsageErrorsTest : public X509Test { -protected: - void TestOptionUsageErrors(const std::vector& args) { + protected: + void TestOptionUsageErrors(const std::vector &args) { args_list_t c_args; - for (const auto& arg : args) { + for (const auto &arg : args) { c_args.push_back(arg.c_str()); } bool result = X509Tool(c_args); @@ -250,14 +258,14 @@ class X509OptionUsageErrorsTest : public X509Test { // Test mutually exclusive options TEST_F(X509OptionUsageErrorsTest, MutuallyExclusiveOptionsTests) { std::vector> testparams = { - {"-in", in_path, "-req", "-signkey", signkey_path, "-dates"}, - {"-in", in_path, "-req", "-signkey", signkey_path, "-checkend", "3600"}, - {"-in", in_path, "-signkey", signkey_path, "-dates"}, - {"-in", in_path, "-signkey", signkey_path, "-checkend", "3600"}, - {"-in", in_path, "-days", "365", "-dates"}, - {"-in", in_path, "-days", "365", "-checkend", "3600"}, + {"-in", in_path, "-req", "-signkey", signkey_path, "-dates"}, + {"-in", in_path, "-req", "-signkey", signkey_path, "-checkend", "3600"}, + {"-in", in_path, "-signkey", signkey_path, "-dates"}, + {"-in", in_path, "-signkey", signkey_path, "-checkend", "3600"}, + {"-in", in_path, "-days", "365", "-dates"}, + {"-in", in_path, "-days", "365", "-checkend", "3600"}, }; - for (const auto& args : testparams) { + for (const auto &args : testparams) { TestOptionUsageErrors(args); } } 
@@ -265,24 +273,24 @@ TEST_F(X509OptionUsageErrorsTest, MutuallyExclusiveOptionsTests) { // Test -req without -signkey TEST_F(X509OptionUsageErrorsTest, RequiredOptionTests) { std::vector> testparams = { - {"-in", in_path, "-req"}, + {"-in", in_path, "-req"}, }; - for (const auto& args : testparams) { + for (const auto &args : testparams) { TestOptionUsageErrors(args); } } -// Test argument errors for -days: !<0 || non-integer, -checkend: !<=0 || non-integer, -inform != {DER, PEM} +// Test argument errors for -days: !<0 || non-integer, -checkend: !<=0 || +// non-integer, -inform != {DER, PEM} TEST_F(X509OptionUsageErrorsTest, DaysAndCheckendArgTests) { std::vector> testparams = { - {"-in", in_path, "-checkend", "abc"}, - {"-in", in_path, "-checkend", "-1"}, - {"-in", in_path, "-signkey", signkey_path, "-days", "abc"}, - {"-in", in_path, "-signkey", signkey_path, "-days", "0"}, - {"-in", in_path, "-signkey", signkey_path, "-days", "-1.7"}, - {"-in", in_path, "-inform", "RANDOM"} - }; - for (const auto& args : testparams) { + {"-in", in_path, "-checkend", "abc"}, + {"-in", in_path, "-checkend", "-1"}, + {"-in", in_path, "-signkey", signkey_path, "-days", "abc"}, + {"-in", in_path, "-signkey", signkey_path, "-days", "0"}, + {"-in", in_path, "-signkey", signkey_path, "-days", "-1.7"}, + {"-in", in_path, "-inform", "RANDOM"}}; + for (const auto &args : testparams) { TestOptionUsageErrors(args); } } 
@@ -294,14 +302,14 @@ TEST_F(X509OptionUsageErrorsTest, DaysAndCheckendArgTests) { // AWSLC_TOOL_PATH and OPENSSL_TOOL_PATH. class X509ComparisonTest : public ::testing::Test { -protected: + protected: void SetUp() override { - // Skip gtests if env variables not set tool_executable_path = getenv("AWSLC_TOOL_PATH"); openssl_executable_path = getenv("OPENSSL_TOOL_PATH"); if (tool_executable_path == nullptr || openssl_executable_path == nullptr) { - GTEST_SKIP() << "Skipping test: AWSLC_TOOL_PATH and/or OPENSSL_TOOL_PATH environment variables are not set"; + GTEST_SKIP() << "Skipping test: AWSLC_TOOL_PATH and/or OPENSSL_TOOL_PATH " + "environment variables are not set"; } ASSERT_GT(createTempFILEpath(in_path), 0u); @@ -326,12 +334,14 @@ class X509ComparisonTest : public ::testing::Test { ASSERT_TRUE(pkey); bssl::UniquePtr rsa(RSA_new()); bssl::UniquePtr bn(BN_new()); - ASSERT_TRUE(bn && BN_set_word(bn.get(), RSA_F4) && RSA_generate_key_ex(rsa.get(), 2048, bn.get(), nullptr)); + ASSERT_TRUE(bn && BN_set_word(bn.get(), RSA_F4) && + RSA_generate_key_ex(rsa.get(), 2048, bn.get(), nullptr)); ASSERT_TRUE(EVP_PKEY_assign_RSA(pkey.get(), rsa.release())); ScopedFILE signkey_file(fopen(signkey_path, "wb")); ASSERT_TRUE(signkey_file); - ASSERT_TRUE(PEM_write_PrivateKey(signkey_file.get(), pkey.get(), nullptr, nullptr, 0, nullptr, nullptr)); + ASSERT_TRUE(PEM_write_PrivateKey(signkey_file.get(), pkey.get(), nullptr, + nullptr, 0, nullptr, nullptr)); csr.reset(X509_REQ_new()); ASSERT_TRUE(csr); @@ -362,8 +372,8 @@ class X509ComparisonTest : public ::testing::Test { char der_cert_path[PATH_MAX]; bssl::UniquePtr x509; bssl::UniquePtr csr; - const char* tool_executable_path; - const char* openssl_executable_path; + const char *tool_executable_path; + const char *openssl_executable_path; std::string tool_output_str; std::string openssl_output_str; }; 
@@ -375,8 +385,10 @@ static std::string normalize_subject(std::string input) { if (subject_start != std::string::npos) { size_t line_end = input.find('\n', subject_start); if (line_end != std::string::npos) { - std::string subject_line = input.substr(subject_start, line_end - subject_start); - subject_line.erase(remove(subject_line.begin(), subject_line.end(), ' '), subject_line.end()); + std::string subject_line = + input.substr(subject_start, line_end - subject_start); + subject_line.erase(remove(subject_line.begin(), subject_line.end(), ' '), + subject_line.end()); input.replace(subject_start, line_end - subject_start, subject_line); } } @@ -389,12 +401,18 @@ const std::string CERT_END = "-----END CERTIFICATE-----"; // Test against OpenSSL output "openssl x509 -in file -text -noout" TEST_F(X509ComparisonTest, X509ToolCompareTextOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -text -noout> " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -text -noout > " + out_path_openssl; - - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); - - // OpenSSL 3.0+ include an additional "Signature Value" header before printing the signature + std::string tool_command = std::string(tool_executable_path) + " x509 -in " + + in_path + " -text -noout> " + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " x509 -in " + in_path + " -text -noout > " + + out_path_openssl; + + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); + + // OpenSSL 3.0+ include an additional "Signature Value" header before printing + // the signature const char *signature_string = "Signature Value:"; size_t index = openssl_output_str.find(signature_string); if (index != std::string::npos) { 
@@ -402,97 +420,148 @@ TEST_F(X509ComparisonTest, X509ToolCompareTextOpenSSL) { } // OpenSSL disagrees on what the Subject Public Key Info headers should be - const char* rsa_public_key = "RSA Public-Key:"; + const char *rsa_public_key = "RSA Public-Key:"; index = openssl_output_str.find(rsa_public_key); if (index != std::string::npos) { openssl_output_str.replace(index, strlen(rsa_public_key), "Public-Key:"); } // OpenSSL versions disagree on the amount of indentation of certain fields - tool_output_str.erase(remove_if(tool_output_str.begin(), tool_output_str.end(), isspace), tool_output_str.end()); - openssl_output_str.erase(remove_if(openssl_output_str.begin(), openssl_output_str.end(), isspace), openssl_output_str.end()); + tool_output_str.erase( + remove_if(tool_output_str.begin(), tool_output_str.end(), isspace), + tool_output_str.end()); + openssl_output_str.erase( + remove_if(openssl_output_str.begin(), openssl_output_str.end(), isspace), + openssl_output_str.end()); ASSERT_EQ(tool_output_str, openssl_output_str); } // Test against OpenSSL output "openssl x509 -in file -modulus" TEST_F(X509ComparisonTest, X509ToolCompareModulusOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -modulus > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -modulus > " + out_path_openssl; + std::string tool_command = std::string(tool_executable_path) + " x509 -in " + + in_path + " -modulus > " + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " x509 -in " + in_path + " -modulus > " + + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); - 
tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -modulus -out " + out_path_tool; - openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -modulus -out " + out_path_openssl; + tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + + " -modulus -out " + out_path_tool; + openssl_command = std::string(openssl_executable_path) + " x509 -in " + + in_path + " -modulus -out " + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } // Test against OpenSSL output "openssl x509 -in file -subject" TEST_F(X509ComparisonTest, X509ToolCompareSubjectOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -subject > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -subject > " + out_path_openssl; - - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); - - // OpenSSL master and versions <= 3.2 have differences in spacing for the subject field + std::string tool_command = std::string(tool_executable_path) + " x509 -in " + + in_path + " -subject > " + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " x509 -in " + in_path + " -subject > " + + out_path_openssl; + + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); + + // OpenSSL master and versions <= 3.2 have differences in spacing for the + // subject field tool_output_str = normalize_subject(tool_output_str); openssl_output_str = 
normalize_subject(openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); - tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -subject -out " + out_path_tool; - openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -subject -out " + out_path_openssl; + tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + + " -subject -out " + out_path_tool; + openssl_command = std::string(openssl_executable_path) + " x509 -in " + + in_path + " -subject -out " + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); - // OpenSSL master and versions <= 3.2 have differences in spacing for the subject field + // OpenSSL master and versions <= 3.2 have differences in spacing for the + // subject field tool_output_str = normalize_subject(tool_output_str); openssl_output_str = normalize_subject(openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } -// Test against OpenSSL output "openssl x509 -in file -fingerprint -subject_hash -subject_hash_old" +// Test against OpenSSL output "openssl x509 -in file -fingerprint -subject_hash +// -subject_hash_old" TEST_F(X509ComparisonTest, X509ToolCompareFingerprintOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -fingerprint -subject_hash -subject_hash_old > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -fingerprint -subject_hash -subject_hash_old > " + out_path_openssl; + std::string tool_command = + std::string(tool_executable_path) + " x509 -in " + in_path + + " -fingerprint -subject_hash -subject_hash_old > " + out_path_tool; + std::string openssl_command = + 
std::string(openssl_executable_path) + " x509 -in " + in_path + + " -fingerprint -subject_hash -subject_hash_old > " + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); - tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -fingerprint -subject_hash -subject_hash_old -out " + out_path_tool; - openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -fingerprint -subject_hash -subject_hash_old -out " + out_path_openssl; + tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + + " -fingerprint -subject_hash -subject_hash_old -out " + + out_path_tool; + openssl_command = + std::string(openssl_executable_path) + " x509 -in " + in_path + + " -fingerprint -subject_hash -subject_hash_old -out " + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } -// Test against OpenSSL output "openssl x509 -in file -noout -subject -fingerprint" +// Test against OpenSSL output "openssl x509 -in file -noout -subject +// -fingerprint" TEST_F(X509ComparisonTest, X509ToolCompareSubjectFingerprintOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -noout -subject -fingerprint > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -noout -subject -fingerprint > " + out_path_openssl; - - RunCommandsAndCompareOutput(tool_command, openssl_command, 
out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); - - // OpenSSL master and versions <= 3.2 have differences in spacing for the subject field + std::string tool_command = std::string(tool_executable_path) + " x509 -in " + + in_path + " -noout -subject -fingerprint > " + + out_path_tool; + std::string openssl_command = + std::string(openssl_executable_path) + " x509 -in " + in_path + + " -noout -subject -fingerprint > " + out_path_openssl; + + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); + + // OpenSSL master and versions <= 3.2 have differences in spacing for the + // subject field tool_output_str = normalize_subject(tool_output_str); openssl_output_str = normalize_subject(openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); - tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -noout -subject -fingerprint -out " + out_path_tool; - openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -noout -subject -fingerprint -out " + out_path_openssl; + tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + + " -noout -subject -fingerprint -out " + out_path_tool; + openssl_command = std::string(openssl_executable_path) + " x509 -in " + + in_path + " -noout -subject -fingerprint -out " + + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); - // OpenSSL master and versions <= 3.2 have differences in spacing for the subject field + // OpenSSL master and versions <= 3.2 have differences in spacing for the + // subject field tool_output_str = normalize_subject(tool_output_str); openssl_output_str = normalize_subject(openssl_output_str); 
@@ -501,111 +570,183 @@ TEST_F(X509ComparisonTest, X509ToolCompareSubjectFingerprintOpenSSL) { // Test against OpenSSL output "openssl x509 -in in_file -checkend 0" TEST_F(X509ComparisonTest, X509ToolCompareCheckendOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -checkend 0 > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -checkend 0 > " + out_path_openssl; + std::string tool_command = std::string(tool_executable_path) + " x509 -in " + + in_path + " -checkend 0 > " + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " x509 -in " + in_path + " -checkend 0 > " + + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } -// Test against OpenSSL output "openssl x509 -req -in csr_file -signkey private_key_file -days 80 -out out_file" +// Test against OpenSSL output "openssl x509 -req -in csr_file -signkey +// private_key_file -days 80 -out out_file" TEST_F(X509ComparisonTest, X509ToolCompareReqSignkeyDaysOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " x509 -req -in " + csr_path + " -signkey " + signkey_path + " -days 80 -out " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " x509 -req -in " + csr_path + " -signkey " + signkey_path + " -days 80 -out " + out_path_openssl; - - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); - // Certificates will not be identical, therefore testing that cert header and footer are present + std::string tool_command = std::string(tool_executable_path) + + " 
x509 -req -in " + csr_path + " -signkey " + + signkey_path + " -days 80 -out " + out_path_tool; + std::string openssl_command = + std::string(openssl_executable_path) + " x509 -req -in " + csr_path + + " -signkey " + signkey_path + " -days 80 -out " + out_path_openssl; + + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); + // Certificates will not be identical, therefore testing that cert header and + // footer are present trim(tool_output_str); ASSERT_EQ(tool_output_str.compare(0, CERT_BEGIN.size(), CERT_BEGIN), 0); - ASSERT_EQ(tool_output_str.compare(tool_output_str.size() - CERT_END.size(), CERT_END.size(), CERT_END), 0); + ASSERT_EQ(tool_output_str.compare(tool_output_str.size() - CERT_END.size(), + CERT_END.size(), CERT_END), + 0); trim(openssl_output_str); ASSERT_EQ(openssl_output_str.compare(0, CERT_BEGIN.size(), CERT_BEGIN), 0); - ASSERT_EQ(openssl_output_str.compare(openssl_output_str.size() - CERT_END.size(), CERT_END.size(), CERT_END), 0); + ASSERT_EQ( + openssl_output_str.compare(openssl_output_str.size() - CERT_END.size(), + CERT_END.size(), CERT_END), + 0); } // Test against OpenSSL output "openssl x509 -in file -dates -noout" TEST_F(X509ComparisonTest, X509ToolCompareDatesNooutOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -dates -noout > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -dates -noout > " + out_path_openssl; + std::string tool_command = std::string(tool_executable_path) + " x509 -in " + + in_path + " -dates -noout > " + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " x509 -in " + in_path + " -dates -noout > " + + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + 
RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); - tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -dates -noout -out " + out_path_tool; - openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -dates -noout -out " + out_path_openssl; + tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + + " -dates -noout -out " + out_path_tool; + openssl_command = std::string(openssl_executable_path) + " x509 -in " + + in_path + " -dates -noout -out " + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } -// Test against OpenSSL output "openssl x509 -in file -dates -enddate", notAfter date should only be printed out once +// Test against OpenSSL output "openssl x509 -in file -dates -enddate", notAfter +// date should only be printed out once TEST_F(X509ComparisonTest, X509ToolCompareDatesEnddateOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -dates -enddate > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -dates -enddate > " + out_path_openssl; + std::string tool_command = std::string(tool_executable_path) + " x509 -in " + + in_path + " -dates -enddate > " + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " x509 -in " + in_path + " -dates -enddate > " + + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + 
RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); - tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -dates -enddate -out " + out_path_tool; - openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -dates -enddate -out " + out_path_openssl; + tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + + " -dates -enddate -out " + out_path_tool; + openssl_command = std::string(openssl_executable_path) + " x509 -in " + + in_path + " -dates -enddate -out " + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } // Test against OpenSSL output "openssl x509 -in file -inform DER -enddate" TEST_F(X509ComparisonTest, X509ToolCompareInformDEREnddateOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " x509 -in " + der_cert_path + " -inform DER -enddate > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " x509 -in " + der_cert_path + " -inform DER -enddate > " + out_path_openssl; + std::string tool_command = std::string(tool_executable_path) + " x509 -in " + + der_cert_path + " -inform DER -enddate > " + + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " x509 -in " + der_cert_path + + " -inform DER -enddate > " + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + 
openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); - tool_command = std::string(tool_executable_path) + " x509 -in " + der_cert_path + " -inform DER -enddate -out " + out_path_tool; - openssl_command = std::string(openssl_executable_path) + " x509 -in " + der_cert_path + " -inform DER -enddate -out " + out_path_openssl; + tool_command = std::string(tool_executable_path) + " x509 -in " + + der_cert_path + " -inform DER -enddate -out " + out_path_tool; + openssl_command = std::string(openssl_executable_path) + " x509 -in " + + der_cert_path + " -inform DER -enddate -out " + + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } // Test against OpenSSL output "openssl x509 -in file -inform DER -enddate" TEST_F(X509ComparisonTest, X509ToolCompareInformPEMEnddateOpenSSL) { - std::string tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + " -inform PEM -enddate > " + out_path_tool; - std::string openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -inform PEM -enddate > " + out_path_openssl; + std::string tool_command = std::string(tool_executable_path) + " x509 -in " + + in_path + " -inform PEM -enddate > " + + out_path_tool; + std::string openssl_command = std::string(openssl_executable_path) + + " x509 -in " + in_path + + " -inform PEM -enddate > " + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); - tool_command = 
std::string(tool_executable_path) + " x509 -in " + in_path + " -inform PEM -enddate -out " + out_path_tool; - openssl_command = std::string(openssl_executable_path) + " x509 -in " + in_path + " -inform PEM -enddate -out " + out_path_openssl; + tool_command = std::string(tool_executable_path) + " x509 -in " + in_path + + " -inform PEM -enddate -out " + out_path_tool; + openssl_command = std::string(openssl_executable_path) + " x509 -in " + + in_path + " -inform PEM -enddate -out " + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } -// Test against OpenSSL output reading from stdin "openssl x509 -fingerprint -dates" +// Test against OpenSSL output reading from stdin "openssl x509 -fingerprint +// -dates" TEST_F(X509ComparisonTest, X509ToolCompareStdinFingerprintDatesOpenSSL) { - std::string tool_command = "cat " + std::string(in_path) + " | " + std::string(tool_executable_path) + " x509 -fingerprint -dates > " + out_path_tool; - std::string openssl_command = "cat " + std::string(in_path) + " | " + std::string(openssl_executable_path) + " x509 -fingerprint -dates > " + out_path_openssl; - - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + std::string tool_command = "cat " + std::string(in_path) + " | " + + std::string(tool_executable_path) + + " x509 -fingerprint -dates > " + out_path_tool; + std::string openssl_command = "cat " + std::string(in_path) + " | " + + std::string(openssl_executable_path) + + " x509 -fingerprint -dates > " + + out_path_openssl; + + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); 
ASSERT_EQ(tool_output_str, openssl_output_str); - tool_command = "cat " + std::string(in_path) + " | " + std::string(tool_executable_path) + " x509 -fingerprint -dates -out " + out_path_tool; - openssl_command = "cat " + std::string(in_path) + " | " + std::string(openssl_executable_path) + " x509 -fingerprint -dates -out " + out_path_openssl; + tool_command = "cat " + std::string(in_path) + " | " + + std::string(tool_executable_path) + + " x509 -fingerprint -dates -out " + out_path_tool; + openssl_command = "cat " + std::string(in_path) + " | " + + std::string(openssl_executable_path) + + " x509 -fingerprint -dates -out " + out_path_openssl; - RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str); + RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, + out_path_openssl, tool_output_str, + openssl_output_str); ASSERT_EQ(tool_output_str, openssl_output_str); } diff --git a/tool/args.cc b/tool/args.cc index 9581430cd9..8beec46448 100644 --- a/tool/args.cc +++ b/tool/args.cc @@ -23,14 +23,13 @@ #include "internal.h" -bool IsFlag(const std::string& arg) { +bool IsFlag(const std::string &arg) { return arg.length() > 1 && arg[0] == '-'; } -bool ParseKeyValueArguments(args_map_t &out_args, - args_list_t &extra_args, - const args_list_t &args, - const argument_t *templates) { +bool ParseKeyValueArguments(args_map_t &out_args, args_list_t &extra_args, + const args_list_t &args, + const argument_t *templates) { out_args.clear(); extra_args.clear(); @@ -45,7 +44,7 @@ bool ParseKeyValueArguments(args_map_t &out_args, } if (templ == nullptr) { - if(IsFlag(arg)) { + if (IsFlag(arg)) { fprintf(stderr, "Unknown flag: %s\n", arg.c_str()); return false; } 
@@ -89,8 +88,7 @@ void PrintUsage(const argument_t *templates) { } bool GetUnsigned(unsigned *out, const std::string &arg_name, - unsigned default_value, - const args_map_t &args) { + unsigned default_value, const args_map_t &args) { const auto &it = args.find(arg_name); if (it == args.end()) { *out = default_value; @@ -118,7 +116,6 @@ bool GetUnsigned(unsigned *out, const std::string &arg_name, bool GetString(std::string *out, const std::string &arg_name, std::string default_value, const args_map_t &args) { - const auto &it = args.find(arg_name); if (it == args.end()) { *out = default_value; @@ -133,7 +130,6 @@ bool GetString(std::string *out, const std::string &arg_name, bool GetBoolArgument(bool *out, const std::string &arg_name, const args_map_t &args) { - const auto &it = args.find(arg_name); if (it == args.end()) { // Boolean argument not found @@ -144,4 +140,3 @@ bool GetBoolArgument(bool *out, const std::string &arg_name, return true; } - diff --git a/tool/benchmark.cc b/tool/benchmark.cc index ecf74e2e38..361c362ee8 100644 --- a/tool/benchmark.cc +++ b/tool/benchmark.cc @@ -1,14 +1,17 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC -#include "internal.h" #include +#include "internal.h" int main(int argc, char **argv) { unsigned long build_version = OPENSSL_VERSION_NUMBER; unsigned long runtime_version = SSLeay(); if (build_version != runtime_version) { - fprintf(stderr, "Incorrect version number detected, built with %lx, loaded %lx at runtime.", build_version, runtime_version); + fprintf(stderr, + "Incorrect version number detected, built with %lx, loaded %lx at " + "runtime.", + build_version, runtime_version); return 1; } args_list_t args; diff --git a/tool/bssl_bm.h b/tool/bssl_bm.h index 2671b162f6..5ee23b7fc2 100644 --- a/tool/bssl_bm.h +++ b/tool/bssl_bm.h 
@@ -8,14 +8,15 @@ #include #include #include -#include +#include #include +#include #include #include -#include #include -#include #include +#include +#include #include #include #include @@ -25,17 +26,16 @@ #include #include #include -#include #if defined(INTERNAL_TOOL) #include <../crypto/ec_extra/internal.h> #include <../crypto/trust_token/internal.h> #if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU) #include "../third_party/jitterentropy/jitterentropy.h" -#endif // FIPS_ENTROPY_SOURCE_JITTER_CPU -#endif // INTERNAL_TOOL +#endif // FIPS_ENTROPY_SOURCE_JITTER_CPU +#endif // INTERNAL_TOOL #define BM_NAMESPACE bssl #define BM_ECDSA_size(key) ECDSA_size(key) -#endif //OPENSSL_HEADER_TOOL_BSSLBM_H +#endif // OPENSSL_HEADER_TOOL_BSSLBM_H diff --git a/tool/ciphers.cc b/tool/ciphers.cc index 0a35ce2638..d9e6d788e2 100644 --- a/tool/ciphers.cc +++ b/tool/ciphers.cc @@ -20,27 +20,32 @@ #include -#include "internal.h" #include "../ssl/internal.h" +#include "internal.h" static const argument_t kArguments[] = { { - "-openssl-name", kBooleanArgument, + "-openssl-name", + kBooleanArgument, "Print OpenSSL-style cipher names instead of IETF cipher names.", }, { - "-cipher-query", kOptionalArgument, + "-cipher-query", + kOptionalArgument, "An OpenSSL-style cipher suite string that is matched against " "supported ciphers. Defaults to \"ALL\".", }, { - "-print-all", kBooleanArgument, + "-print-all", + kBooleanArgument, "Prints all supported AWS-LC libssl ciphers for all TLS versions. " "If this option is used, all other options are ignored, except for " "-openssl-name.", }, { - "", kOptionalArgument, "", + "", + kOptionalArgument, + "", }, }; 
@@ -73,7 +78,8 @@ bool Ciphers(const std::vector &args) {
 // Use a lambda to conditionally initialise const.
 const std::string ciphers_string = [&] {
 std::string non_const_ciphers_string;
- if (!GetString(&non_const_ciphers_string, "-cipher-query", "ALL", args_map)) {
+ if (!GetString(&non_const_ciphers_string, "-cipher-query", "ALL",
+ args_map)) {
 // Return an empty string from lambda as error. This also captures the
 // case where the argument of |-cipher-query| is empty, which we can
 // regard as an error.
@@ -83,7 +89,8 @@ bool Ciphers(const std::vector &args) {
 }();

 if (ciphers_string.empty()) {
- fprintf(stderr, "Error parsing -cipher-query: Query cipher string is empty\n");
+ fprintf(stderr,
+ "Error parsing -cipher-query: Query cipher string is empty\n");
 return false;
 }

diff --git a/tool/client.cc b/tool/client.cc
index 2ef0ccf5a7..d8da111fc5 100644
--- a/tool/client.cc
+++ b/tool/client.cc
@@ -19,9 +19,7 @@
 #if !defined(OPENSSL_WINDOWS)
 #include
 #include
-static int closesocket(int sock) {
- return close(sock);
-}
+static int closesocket(int sock) { return close(sock); }
 #else
 OPENSSL_MSVC_PRAGMA(warning(push, 3))
 #include
@@ -39,92 +37,119 @@ OPENSSL_MSVC_PRAGMA(warning(pop)) static const argument_t kArguments[] = { { - "-connect", kRequiredArgument, + "-connect", + kRequiredArgument, "The hostname and port of the server to connect to, e.g. foo.com:443", }, { - "-cipher", kOptionalArgument, + "-cipher", + kOptionalArgument, "An OpenSSL-style cipher suite string that configures the offered " "ciphers", }, { - "-curves", kOptionalArgument, + "-curves", + kOptionalArgument, "An OpenSSL-style ECDH curves list that configures the offered curves", }, { - "-sigalgs", kOptionalArgument, + "-sigalgs", + kOptionalArgument, "An OpenSSL-style signature algorithms list that configures the " "signature algorithm preferences", }, { - "-max-version", kOptionalArgument, + "-max-version", + kOptionalArgument, "The maximum acceptable protocol version", }, { - "-min-version", kOptionalArgument, + "-min-version", + kOptionalArgument, "The minimum acceptable protocol version", }, { - "-server-name", kOptionalArgument, "The server name to advertise", + "-server-name", + kOptionalArgument, + "The server name to advertise", }, { - "-ech-grease", kBooleanArgument, "Enable ECH GREASE", + "-ech-grease", + kBooleanArgument, + "Enable ECH GREASE", }, { - "-ech-config-list", kOptionalArgument, + "-ech-config-list", + kOptionalArgument, "Path to file containing serialized ECHConfigs", }, { - "-select-next-proto", kOptionalArgument, + "-select-next-proto", + kOptionalArgument, "An NPN protocol to select if the server supports NPN", }, { - "-alpn-protos", kOptionalArgument, + "-alpn-protos", + kOptionalArgument, "A comma-separated list of ALPN protocols to advertise", }, { - "-fallback-scsv", kBooleanArgument, "Enable FALLBACK_SCSV", + "-fallback-scsv", + kBooleanArgument, + "Enable FALLBACK_SCSV", }, { - "-ocsp-stapling", kBooleanArgument, + "-ocsp-stapling", + kBooleanArgument, "Advertise support for OCSP stabling", }, { - "-signed-certificate-timestamps", kBooleanArgument, + "-signed-certificate-timestamps", + 
kBooleanArgument, "Advertise support for signed certificate timestamps", }, { - "-channel-id-key", kOptionalArgument, + "-channel-id-key", + kOptionalArgument, "The key to use for signing a channel ID", }, { - "-false-start", kBooleanArgument, "Enable False Start", + "-false-start", + kBooleanArgument, + "Enable False Start", }, { - "-session-in", kOptionalArgument, + "-session-in", + kOptionalArgument, "A file containing a session to resume.", }, { - "-session-out", kOptionalArgument, + "-session-out", + kOptionalArgument, "A file to write the negotiated session to.", }, { - "-key", kOptionalArgument, + "-key", + kOptionalArgument, "PEM-encoded file containing the private key.", }, { - "-cert", kOptionalArgument, + "-cert", + kOptionalArgument, "PEM-encoded file containing the leaf certificate and optional " "certificate chain. This is taken from the -key argument if this " "argument is not provided.", }, { - "-starttls", kOptionalArgument, + "-starttls", + kOptionalArgument, "A STARTTLS mini-protocol to run before the TLS handshake. Supported" " values: 'smtp'", }, { - "-grease", kBooleanArgument, "Enable GREASE", + "-grease", + kBooleanArgument, + "Enable GREASE", }, { "-permute-extensions", 
@@ -132,40 +157,50 @@ static const argument_t kArguments[] = { "Permute extensions in handshake messages", }, { - "-test-resumption", kBooleanArgument, + "-test-resumption", + kBooleanArgument, "Connect to the server twice. The first connection is closed once a " "session is established. The second connection offers it.", }, { - "-root-certs", kOptionalArgument, + "-root-certs", + kOptionalArgument, "A filename containing one or more PEM root certificates. Implies that " "verification is required.", }, { - "-root-cert-dir", kOptionalArgument, + "-root-cert-dir", + kOptionalArgument, "A directory containing one or more root certificate PEM files in " "OpenSSL's hashed-directory format. Implies that verification is " "required.", }, { - "-early-data", kOptionalArgument, "Enable early data. The argument to " + "-early-data", + kOptionalArgument, + "Enable early data. The argument to " "this flag is the early data to send or if it starts with '@', the " "file to read from for early data.", }, { - "-http-tunnel", kOptionalArgument, + "-http-tunnel", + kOptionalArgument, "An HTTP proxy server to tunnel the TCP connection through", }, { - "-renegotiate-freely", kBooleanArgument, + "-renegotiate-freely", + kBooleanArgument, "Allow renegotiations from the peer.", }, { - "-debug", kBooleanArgument, + "-debug", + kBooleanArgument, "Print debug information about the handshake", }, { - "", kOptionalArgument, "", + "", + kOptionalArgument, + "", }, }; 
@@ -174,13 +209,14 @@ static bssl::UniquePtr LoadPrivateKey(const std::string &file) { if (!bio || !BIO_read_filename(bio.get(), file.c_str())) { return nullptr; } - bssl::UniquePtr pkey(PEM_read_bio_PrivateKey(bio.get(), nullptr, - nullptr, nullptr)); + bssl::UniquePtr pkey( + PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr)); return pkey; } -static int NextProtoSelectCallback(SSL* ssl, uint8_t** out, uint8_t* outlen, - const uint8_t* in, unsigned inlen, void* arg) { +static int NextProtoSelectCallback(SSL *ssl, uint8_t **out, uint8_t *outlen, + const uint8_t *in, unsigned inlen, + void *arg) { *out = reinterpret_cast(arg); *outlen = strlen(reinterpret_cast(arg)); return SSL_TLSEXT_ERR_OK; @@ -268,13 +304,15 @@ static void PrintOpenSSLConnectionInfo(SSL *ssl, bool show_certs) { fprintf(stdout, "---\nCertificate chain\n"); for (size_t i = 0; i < sk_X509_num(sk); i++) { fprintf(stdout, "%2zu s:", i); - if (X509_NAME_print_ex_fp(stdout, X509_get_subject_name(sk_X509_value(sk, i)), - 0, XN_FLAG_ONELINE) < 0) { + if (X509_NAME_print_ex_fp(stdout, + X509_get_subject_name(sk_X509_value(sk, i)), 0, + XN_FLAG_ONELINE) < 0) { fprintf(stderr, "Error: Printing subject name failed"); } fprintf(stdout, "\n i:"); - if (X509_NAME_print_ex_fp(stdout, X509_get_issuer_name(sk_X509_value(sk, i)), - 0, XN_FLAG_ONELINE) < 0) { + if (X509_NAME_print_ex_fp(stdout, + X509_get_issuer_name(sk_X509_value(sk, i)), 0, + XN_FLAG_ONELINE) < 0) { fprintf(stderr, "Error: Printing issuer name failed"); } fprintf(stdout, "\n"); 
@@ -290,13 +328,13 @@ static void PrintOpenSSLConnectionInfo(SSL *ssl, bool show_certs) { fprintf(stdout, "Server certificate\n"); PEM_write_X509(stdout, peer.get()); fprintf(stdout, "subject="); - if (X509_NAME_print_ex_fp(stdout, X509_get_subject_name(peer.get()), - 0, XN_FLAG_ONELINE) < 0) { + if (X509_NAME_print_ex_fp(stdout, X509_get_subject_name(peer.get()), 0, + XN_FLAG_ONELINE) < 0) { fprintf(stderr, "Error: Printing subject name failed"); } fprintf(stdout, "\n\nissuer="); - if (X509_NAME_print_ex_fp(stdout, X509_get_issuer_name(peer.get()), - 0, XN_FLAG_ONELINE) < 0) { + if (X509_NAME_print_ex_fp(stdout, X509_get_issuer_name(peer.get()), 0, + XN_FLAG_ONELINE) < 0) { fprintf(stderr, "Error: Printing issuer name failed"); } fprintf(stdout, "\n\n---\n"); @@ -304,22 +342,24 @@ static void PrintOpenSSLConnectionInfo(SSL *ssl, bool show_certs) { fprintf(stdout, "no peer certificate available\n"); } - // TODO (aws-lc): we are missing some functions needed to print the following data + // TODO (aws-lc): we are missing some functions needed to print the following + // data // print_ca_names(bio, s); // ssl_print_sigalgs(bio, s); // ssl_print_tmp_key(bio, s); fprintf(stdout, - "---\nSSL handshake has read %d bytes " - "and written %d bytes\n", - (int)BIO_number_read(SSL_get_rbio(ssl)), - (int)BIO_number_written(SSL_get_wbio(ssl))); + "---\nSSL handshake has read %d bytes " + "and written %d bytes\n", + (int)BIO_number_read(SSL_get_rbio(ssl)), + (int)BIO_number_written(SSL_get_wbio(ssl))); print_verify_details(ssl); } static bool DoConnection(SSL_CTX *ctx, std::map args_map, - bool (*cb)(SSL *ssl, int sock), bool is_openssl_s_client) { + bool (*cb)(SSL *ssl, int sock), + bool is_openssl_s_client) { int sock = -1; if (args_map.count("-http-tunnel") != 0) { if (!Connect(&sock, args_map["-http-tunnel"], is_openssl_s_client)) { 
@@ -339,7 +379,7 @@ static bool DoConnection(SSL_CTX *ctx, } if (args_map.count("-starttls") != 0) { - const std::string& starttls = args_map["-starttls"]; + const std::string &starttls = args_map["-starttls"]; if (starttls == "smtp") { if (!DoSMTPStartTLS(sock)) { closesocket(sock); @@ -382,15 +422,15 @@ static bool DoConnection(SSL_CTX *ctx, } if (args_map.count("-session-in") != 0) { - bssl::UniquePtr in(BIO_new_file(args_map["-session-in"].c_str(), - "rb")); + bssl::UniquePtr in( + BIO_new_file(args_map["-session-in"].c_str(), "rb")); if (!in) { fprintf(stderr, "Error reading session\n"); ERR_print_errors_fp(stderr); return false; } - bssl::UniquePtr session(PEM_read_bio_SSL_SESSION(in.get(), - nullptr, nullptr, nullptr)); + bssl::UniquePtr session( + PEM_read_bio_SSL_SESSION(in.get(), nullptr, nullptr, nullptr)); if (!session) { fprintf(stderr, "Error reading session\n"); ERR_print_errors_fp(stderr); @@ -448,7 +488,7 @@ static bool DoConnection(SSL_CTX *ctx, fprintf(stderr, "Connected.\n"); bssl::UniquePtr bio_stderr(BIO_new_fp(stderr, BIO_NOCLOSE)); PrintConnectionInfo(bio_stderr.get(), ssl.get()); - } else { // print for openssl + } else { // print for openssl PrintOpenSSLConnectionInfo(ssl.get(), args_map.count("-showcerts")); } @@ -469,8 +509,7 @@ static void InfoCallback(const SSL *ssl, int type, int value) { } } -static int verify_cb(int ok, X509_STORE_CTX *ctx) -{ +static int verify_cb(int ok, X509_STORE_CTX *ctx) { X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); int err = X509_STORE_CTX_get_error(ctx); int depth = X509_STORE_CTX_get_error_depth(ctx); @@ -478,9 +517,8 @@ static int verify_cb(int ok, X509_STORE_CTX *ctx) BIO_printf(bio_err.get(), "depth=%d ", depth); if (err_cert != NULL) { - X509_NAME_print_ex(bio_err.get(), - X509_get_subject_name(err_cert), - 0, XN_FLAG_ONELINE); + X509_NAME_print_ex(bio_err.get(), X509_get_subject_name(err_cert), 0, + XN_FLAG_ONELINE); BIO_puts(bio_err.get(), "\n"); } else { BIO_puts(bio_err.get(), "\n"); 
@@ -496,8 +534,8 @@ static int verify_cb(int ok, X509_STORE_CTX *ctx) case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: if (err_cert != NULL) { BIO_puts(bio_err.get(), "issuer= "); - X509_NAME_print_ex(bio_err.get(), X509_get_issuer_name(err_cert), - 0, XN_FLAG_ONELINE); + X509_NAME_print_ex(bio_err.get(), X509_get_issuer_name(err_cert), 0, + XN_FLAG_ONELINE); BIO_puts(bio_err.get(), "\n"); } ok = 1; @@ -542,7 +580,8 @@ bool Client(const std::vector &args) { return DoClient(args_map, false); } -bool DoClient(std::map args_map, bool is_openssl_s_client) { +bool DoClient(std::map args_map, + bool is_openssl_s_client) { if (!InitSocketLibrary()) { return false; } @@ -727,8 +766,8 @@ bool DoClient(std::map args_map, bool is_openssl_s_cli } if (!certPathFlag.empty()) { - if (!SSL_CTX_load_verify_locations( - ctx.get(), nullptr, args_map[certPathFlag].c_str())) { + if (!SSL_CTX_load_verify_locations(ctx.get(), nullptr, + args_map[certPathFlag].c_str())) { fprintf(stderr, "Failed to load root certificates.\n"); ERR_print_errors_fp(stderr); return false; @@ -738,14 +777,15 @@ bool DoClient(std::map args_map, bool is_openssl_s_cli if (args_map.count("-verify") != 0) { unsigned int depth; if (!GetUnsigned(&depth, "-verify", 0, args_map)) { - fprintf(stderr, "s_client: Can't parse \"%s\" as a number\n", args_map.find("-verify")->second.c_str()); + fprintf(stderr, "s_client: Can't parse \"%s\" as a number\n", + args_map.find("-verify")->second.c_str()); return false; } fprintf(stdout, "verify depth is %d\n", (int)depth); verify = SSL_VERIFY_PEER; } - if (is_openssl_s_client) { // openssl tool + if (is_openssl_s_client) { // openssl tool SSL_CTX_set_verify(ctx.get(), verify, verify_cb); } else { SSL_CTX_set_verify(ctx.get(), verify, nullptr); 
@@ -766,7 +806,8 @@ bool DoClient(std::map args_map, bool is_openssl_s_cli
 return false;
 }

- if (!DoConnection(ctx.get(), args_map, &WaitForSession, is_openssl_s_client)) {
+ if (!DoConnection(ctx.get(), args_map, &WaitForSession,
+ is_openssl_s_client)) {
 return false;
 }
 }
diff --git a/tool/const.cc b/tool/const.cc
index 9259e8514f..1c088ba8b7 100644
--- a/tool/const.cc
+++ b/tool/const.cc
@@ -123,156 +123,157 @@ const uint8_t kDERRSAPrivate2048[] = { const size_t kDERRSAPrivate2048Len = sizeof(kDERRSAPrivate2048); // Generation method: -// openssl genrsa 3072 | openssl rsa -outform der | xxd -i > ../rsa_key_3072_bits +// openssl genrsa 3072 | openssl rsa -outform der | xxd -i > +// ../rsa_key_3072_bits const uint8_t kDERRSAPrivate3072[] = { - 0x30, 0x82, 0x06, 0xe2, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x81, 0x00, - 0xc5, 0x51, 0x94, 0x20, 0xb9, 0xf7, 0x97, 0x52, 0x00, 0x8a, 0x1d, 0x00, - 0x40, 0xb9, 0x02, 0xdc, 0x72, 0x6b, 0xa7, 0xf2, 0x3c, 0x83, 0x0b, 0xa0, - 0xd7, 0x28, 0xf1, 0x0a, 0x04, 0x29, 0x31, 0xbe, 0x3e, 0xfe, 0x19, 0x3c, - 0x82, 0x9e, 0xec, 0x0e, 0x51, 0xa5, 0xee, 0x2d, 0x62, 0x62, 0x7f, 0xab, - 0xe7, 0x7b, 0xae, 0x9d, 0xae, 0xd2, 0x6a, 0xe4, 0xcc, 0xd3, 0xec, 0x21, - 0xb9, 0x00, 0xd1, 0x5b, 0x96, 0xe9, 0x3e, 0x1f, 0xa2, 0xba, 0xf7, 0x71, - 0x46, 0x75, 0xc8, 0x6c, 0x8c, 0x51, 0x8b, 0xcd, 0x84, 0xaf, 0x9c, 0xd4, - 0x5e, 0xe9, 0x03, 0x73, 0x09, 0x87, 0x46, 0xfd, 0x10, 0x46, 0x2c, 0x1a, - 0xc5, 0x54, 0x3d, 0x7d, 0x73, 0x68, 0xab, 0x7f, 0xa0, 0xa2, 0x9b, 0xcf, - 0xb2, 0x8a, 0x35, 0x45, 0xd6, 0x19, 0x3a, 0x79, 0x50, 0x1a, 0xc3, 0xdf, - 0xb8, 0x74, 0x39, 0xe1, 0x43, 0xa6, 0x8a, 0xb0, 0x0d, 0xca, 0x59, 0x2f, - 0x0f, 0x8a, 0xa2, 0xf2, 0x21, 0x01, 0xf2, 0xf0, 0x5c, 0xb7, 0xd3, 0x7a, - 0x24, 0x58, 0xf4, 0xd7, 0x7d, 0x34, 0x23, 0xa1, 0xa2, 0x75, 0xd5, 0x27, - 0x76, 0x8b, 0x9e, 0x04, 0xec, 0x96, 0xa0, 0x30, 0x27, 0x52, 0x37, 0xd3, - 0xa5, 0x1c, 0xed, 0x03, 0x55, 0x4d, 0xf0, 0x59, 0xd5, 0x75, 0x94, 0x9d, - 0x41, 0x68, 0xe3, 0x8c, 0x0e, 0xc6, 0x9a, 0x06, 0xed, 0x96, 0xd9, 0x2d, - 0xd6, 0x23, 0x1e, 0x11, 0xc6, 0x1a, 0x7a, 0x42, 0x9c, 0xf9, 0xc8, 0x1d, - 0xa0, 0x97, 0x93, 0xca, 0xbb, 0x7b, 0xf7, 0x25, 0xab, 0x46, 0xbb, 0x2d, - 0x9a, 0x45, 0xca, 0x39, 0xaa, 0xd8, 0x6c, 0x22, 0x56, 0x10, 0x1f, 0xc2, - 0x9f, 0x61, 0x0c, 0x74, 0x93, 0x28, 0xd4, 0xd9, 0xc9, 0xb8, 0x68, 0xad, - 0x2d, 0x2e, 0x79, 0x6e, 0xf8, 0x60, 0xbc, 0x40, 0x23, 0x08, 0x04, 0xf9, - 0x17, 
0x5c, 0x6b, 0x9d, 0xd7, 0x50, 0x1a, 0x66, 0x29, 0xf5, 0xab, 0xbd, - 0x03, 0x88, 0x48, 0xf1, 0x25, 0xad, 0xe0, 0x96, 0x7a, 0xad, 0x7f, 0x8d, - 0x38, 0x3b, 0x87, 0x88, 0x4f, 0x2f, 0x61, 0xc3, 0xe7, 0xdf, 0x28, 0xf6, - 0xe3, 0x56, 0x26, 0x5a, 0x03, 0xf4, 0x16, 0xfb, 0x6a, 0xc4, 0xee, 0x74, - 0xe5, 0x3a, 0x26, 0x6b, 0xb4, 0x44, 0x26, 0xb3, 0xad, 0x46, 0x72, 0x96, - 0x5d, 0xe7, 0x8f, 0x85, 0x8c, 0x0d, 0x5d, 0x08, 0x50, 0x6e, 0x63, 0xd1, - 0x1b, 0x84, 0x3a, 0x9e, 0xfc, 0x2b, 0x4a, 0x34, 0x58, 0xef, 0xe4, 0xcf, - 0x58, 0xb8, 0x5d, 0x3c, 0xb2, 0x81, 0x4c, 0x8e, 0x6d, 0x53, 0x45, 0x45, - 0x1d, 0x7e, 0x69, 0x6a, 0x17, 0x29, 0x4c, 0xdc, 0xb3, 0xc6, 0x0f, 0xb8, - 0x8a, 0x94, 0x69, 0x7f, 0xed, 0xd0, 0xef, 0xc6, 0x6b, 0x59, 0xce, 0xbc, - 0xde, 0x0e, 0xc2, 0xed, 0x4b, 0x9e, 0xad, 0x0d, 0xf2, 0x18, 0xda, 0x19, - 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x80, 0x06, 0xac, 0xc8, - 0xcf, 0x06, 0x9b, 0x7a, 0x91, 0xfa, 0x94, 0xb1, 0x80, 0x75, 0xb0, 0x0c, - 0x89, 0xba, 0x91, 0x2b, 0xc0, 0x45, 0x0d, 0xc5, 0xd1, 0xee, 0x15, 0x63, - 0x7a, 0x0c, 0x43, 0xfc, 0x7b, 0xcc, 0x13, 0xba, 0x74, 0xd2, 0x92, 0x5f, - 0xb7, 0xe8, 0x49, 0x2d, 0xb2, 0x79, 0x56, 0x8d, 0xad, 0x1a, 0x0a, 0x94, - 0x10, 0x9f, 0x7e, 0x5c, 0xc1, 0x5a, 0xb0, 0x7c, 0x97, 0x73, 0x73, 0xb4, - 0xa1, 0x5d, 0x8c, 0x8c, 0x5e, 0x73, 0x99, 0xd1, 0x8f, 0x12, 0x6c, 0x1f, - 0x98, 0x94, 0x72, 0x99, 0xc1, 0x1d, 0x10, 0xf7, 0xc4, 0x33, 0x65, 0xbc, - 0x89, 0x22, 0xb4, 0x61, 0xd1, 0x63, 0xc0, 0x8b, 0xf3, 0x67, 0xe3, 0x7e, - 0xa5, 0x04, 0xc7, 0x70, 0xad, 0xc3, 0x98, 0x5c, 0x9e, 0xfd, 0x12, 0x31, - 0xd5, 0x27, 0xf5, 0xf8, 0x85, 0x6c, 0x11, 0x4b, 0xb9, 0x00, 0xbb, 0x65, - 0xcd, 0xda, 0x05, 0x03, 0x42, 0x0b, 0x65, 0x61, 0xf8, 0xf6, 0x94, 0xa1, - 0x08, 0x81, 0xd7, 0x58, 0x09, 0x8b, 0x89, 0x68, 0x6d, 0x04, 0x57, 0xc2, - 0x08, 0x9c, 0x22, 0xac, 0x65, 0xe6, 0x62, 0x08, 0x10, 0xea, 0xb0, 0xb4, - 0x6a, 0xc4, 0x3a, 0x20, 0x37, 0x20, 0xcd, 0x66, 0x38, 0x11, 0xa8, 0xd5, - 0xd7, 0xbc, 0x06, 0x03, 0xf0, 0x76, 0x09, 0x21, 0x3a, 0xe4, 0xa0, 0x90, - 0xba, 
0x07, 0x31, 0xee, 0xb9, 0xf7, 0x45, 0x98, 0x19, 0x26, 0x89, 0x11, - 0xdb, 0x7e, 0xe2, 0xda, 0xcf, 0xdb, 0xe1, 0x1d, 0x36, 0xe9, 0x19, 0x62, - 0x52, 0xd2, 0x44, 0x9a, 0xd3, 0xd4, 0x01, 0x5d, 0xc7, 0x87, 0x58, 0x40, - 0x0d, 0x8a, 0x4e, 0x6c, 0x56, 0x35, 0xbc, 0xac, 0x6a, 0xf1, 0xe8, 0x74, - 0x5c, 0x63, 0x1a, 0xbd, 0x16, 0x76, 0x76, 0xb3, 0x00, 0xed, 0x64, 0x18, - 0x65, 0xb7, 0x4e, 0x77, 0x0c, 0x2c, 0x07, 0x92, 0x1b, 0xc8, 0xb9, 0x0b, - 0xf8, 0x1e, 0x48, 0x25, 0x77, 0x31, 0x9c, 0x18, 0xd4, 0xab, 0x42, 0x2c, - 0x67, 0x21, 0x3e, 0x9f, 0x0c, 0xa7, 0xd6, 0x10, 0xef, 0xc5, 0x7a, 0x69, - 0x9d, 0xc5, 0x35, 0x16, 0xd6, 0xfa, 0xc1, 0xb6, 0x89, 0x80, 0x2b, 0x2f, - 0xfb, 0xea, 0x2f, 0xe0, 0x21, 0x7f, 0x8c, 0xb2, 0xcd, 0x89, 0x3f, 0xae, - 0x6c, 0x20, 0x74, 0xf8, 0x1f, 0x4c, 0xee, 0x3a, 0xd0, 0x01, 0x87, 0x78, - 0x91, 0x18, 0xfb, 0xb2, 0xa8, 0x29, 0xe1, 0xad, 0x5d, 0xc1, 0xfd, 0x25, - 0x4d, 0x2a, 0xeb, 0x32, 0xa5, 0x7d, 0x91, 0x69, 0x55, 0xdf, 0xb2, 0x8b, - 0xa7, 0xb7, 0x66, 0xef, 0xea, 0x2c, 0xb0, 0xa5, 0x8a, 0x60, 0x85, 0x24, - 0xb1, 0xf8, 0x3d, 0x86, 0x18, 0x0c, 0xbf, 0x95, 0xe3, 0xa6, 0x6a, 0xdc, - 0x5f, 0x1d, 0x60, 0xa3, 0x2b, 0xfc, 0xd9, 0x62, 0xf3, 0xf8, 0x33, 0xda, - 0xdf, 0x66, 0x0e, 0xd1, 0x8d, 0xde, 0xa4, 0x85, 0x91, 0x02, 0x81, 0xc1, - 0x00, 0xfd, 0x9f, 0x90, 0xce, 0x5c, 0x74, 0xba, 0xa4, 0xcf, 0x20, 0x70, - 0x87, 0x48, 0x84, 0x2b, 0xb1, 0x0b, 0x1d, 0x02, 0x57, 0x47, 0xeb, 0xf3, - 0x0e, 0x99, 0x7c, 0x39, 0xbe, 0x40, 0x5c, 0x57, 0xec, 0x43, 0x6e, 0x91, - 0x15, 0x5c, 0xb2, 0x86, 0x31, 0x02, 0x24, 0xd6, 0x89, 0x1e, 0x01, 0x84, - 0xb6, 0xd4, 0x14, 0x5c, 0x98, 0x1c, 0x73, 0x40, 0xd1, 0xc5, 0xbc, 0xf8, - 0x9e, 0xdf, 0xbd, 0xd3, 0x78, 0x25, 0xa6, 0x5a, 0x20, 0xb6, 0x82, 0x74, - 0xa3, 0x5d, 0x39, 0x22, 0x9f, 0x8c, 0xe4, 0x46, 0xa8, 0x76, 0x0b, 0x62, - 0xcd, 0xa4, 0xf7, 0x25, 0xba, 0xfc, 0x7b, 0xbb, 0x02, 0xfe, 0xe0, 0xa7, - 0x86, 0x97, 0xd9, 0xae, 0x58, 0x35, 0x61, 0xfb, 0x4f, 0x6e, 0xb5, 0xc6, - 0x97, 0x35, 0x35, 0xe7, 0xd9, 0x9c, 0x4f, 0xc9, 0x1d, 0xae, 0x33, 0xea, - 0x67, 
0x0c, 0x5a, 0x7f, 0xa9, 0x4f, 0x6b, 0x1e, 0xe8, 0x2f, 0x11, 0x83, - 0x55, 0x55, 0xc7, 0xbc, 0xd5, 0x32, 0x73, 0x7b, 0xd0, 0xf9, 0x32, 0x2a, - 0x94, 0x5a, 0xd5, 0x81, 0xa4, 0x19, 0x20, 0x34, 0xe3, 0xc3, 0xde, 0x6e, - 0x99, 0x13, 0x64, 0x78, 0x83, 0xa7, 0x5d, 0xe3, 0xcf, 0xcf, 0x12, 0x00, - 0xd3, 0xc3, 0xfb, 0xed, 0xce, 0x4b, 0xa2, 0x23, 0x5c, 0x8b, 0x9f, 0x25, - 0x76, 0x58, 0x56, 0xa5, 0x31, 0xa0, 0x0e, 0xc6, 0x67, 0x84, 0xaf, 0x5f, - 0xd5, 0x02, 0x81, 0xc1, 0x00, 0xc7, 0x2a, 0xf0, 0x9e, 0x6f, 0x08, 0xbe, - 0x08, 0x6b, 0x78, 0x73, 0x69, 0xbc, 0x62, 0xea, 0xe7, 0xda, 0x3c, 0xe1, - 0x96, 0x84, 0xef, 0x2f, 0xf1, 0x25, 0x88, 0x64, 0x82, 0xfe, 0xde, 0x9e, - 0x02, 0xcb, 0x83, 0xa1, 0xe3, 0x9c, 0x20, 0x3b, 0x92, 0x7e, 0xc1, 0xb0, - 0xcf, 0x82, 0x96, 0x81, 0x29, 0x74, 0xd0, 0x01, 0x25, 0xe0, 0x2d, 0xdf, - 0xd1, 0x50, 0x81, 0x6b, 0x58, 0x28, 0x83, 0x25, 0xcf, 0xc1, 0x1b, 0x0e, - 0xc0, 0xa6, 0x74, 0x6f, 0x3f, 0x0d, 0x53, 0xec, 0x51, 0x2c, 0xf7, 0x4b, - 0x43, 0x04, 0xaa, 0x56, 0x45, 0x96, 0xf0, 0xe2, 0xa5, 0x9f, 0x0b, 0x67, - 0x77, 0xa1, 0xe6, 0x39, 0x03, 0x70, 0x79, 0x1a, 0x3b, 0x85, 0xd9, 0x16, - 0x16, 0x06, 0x32, 0xae, 0x21, 0xcf, 0x48, 0xc1, 0xc4, 0xaf, 0x18, 0x70, - 0xf4, 0x37, 0x03, 0xc8, 0x03, 0x66, 0x65, 0x71, 0xb6, 0xe0, 0x47, 0xc1, - 0x33, 0x95, 0x32, 0xee, 0xa2, 0xe0, 0x4e, 0x4c, 0x54, 0x8f, 0x21, 0xbe, - 0x5f, 0xa7, 0x75, 0xcc, 0xc9, 0xd3, 0x75, 0xb2, 0x57, 0xb2, 0x97, 0x8e, - 0xef, 0x87, 0x4c, 0x2a, 0x80, 0x62, 0x60, 0x78, 0x1a, 0xa3, 0x1f, 0x51, - 0xc6, 0x3e, 0x3c, 0x5b, 0x31, 0x69, 0xd0, 0x2a, 0x2c, 0x86, 0x26, 0xe2, - 0x0c, 0xcd, 0x35, 0xe4, 0x5b, 0x0e, 0xeb, 0x60, 0x72, 0x3d, 0x07, 0xeb, - 0xa6, 0xc0, 0x46, 0x77, 0x35, 0x02, 0x81, 0xc0, 0x7e, 0xbf, 0x6f, 0xae, - 0xb1, 0xa5, 0xe4, 0x60, 0xd8, 0xe2, 0x6d, 0x5a, 0x2e, 0x73, 0x5f, 0x22, - 0x6b, 0x5b, 0x64, 0x00, 0x1a, 0x81, 0x60, 0x46, 0xbb, 0x8d, 0xc9, 0x8d, - 0xba, 0xbc, 0x6b, 0x74, 0x37, 0x7e, 0xda, 0x22, 0xc2, 0xe0, 0xb5, 0x0f, - 0x68, 0xf2, 0xe0, 0x04, 0x46, 0x6a, 0x9b, 0xd8, 0x82, 0xc4, 0x6a, 0x41, - 0xda, 
0x75, 0xfe, 0xbe, 0xd7, 0x03, 0x49, 0x7c, 0x9c, 0x74, 0x51, 0x6a, - 0x89, 0xe6, 0x48, 0xc4, 0x70, 0x71, 0x61, 0xb9, 0x02, 0xad, 0xbb, 0x0f, - 0xe1, 0x69, 0x73, 0xa6, 0x5c, 0xd7, 0xf3, 0xd8, 0xb1, 0xc8, 0x91, 0xa2, - 0x90, 0xeb, 0x84, 0xda, 0x4a, 0x66, 0x1b, 0x52, 0xb8, 0x30, 0xa1, 0x60, - 0x93, 0xcd, 0x13, 0xba, 0xee, 0xa9, 0x09, 0x46, 0x27, 0xe1, 0x78, 0xac, - 0xd7, 0xe1, 0x47, 0xb0, 0xfd, 0x8e, 0x14, 0x66, 0xcb, 0x55, 0xae, 0xd6, - 0xfe, 0x49, 0x9a, 0x78, 0x8e, 0x8d, 0x42, 0x05, 0x33, 0x89, 0x4e, 0x65, - 0x7d, 0x81, 0x19, 0x2f, 0xa6, 0x59, 0xdb, 0xcd, 0xa8, 0x57, 0x6b, 0x22, - 0x87, 0x2c, 0x01, 0x42, 0x92, 0x70, 0x66, 0xf5, 0x39, 0x2b, 0xcc, 0xce, - 0x7e, 0xa5, 0xfd, 0x63, 0xad, 0x28, 0x62, 0x21, 0x72, 0xa0, 0x44, 0x88, - 0x04, 0x64, 0x53, 0x27, 0xbc, 0xdf, 0x1b, 0xe9, 0xb8, 0xdc, 0x14, 0x52, - 0x68, 0x9a, 0xf9, 0xac, 0x62, 0x33, 0x02, 0xc1, 0x02, 0x81, 0xc0, 0x48, - 0xd5, 0x3d, 0x14, 0xd3, 0x09, 0xe1, 0x64, 0x76, 0xd8, 0x9f, 0x6c, 0x05, - 0x46, 0x2f, 0x1d, 0x06, 0x43, 0xc9, 0x43, 0x1f, 0xed, 0xd0, 0x1c, 0x61, - 0x5b, 0x55, 0x56, 0x4a, 0x19, 0xe2, 0xb2, 0xa6, 0xf5, 0xc6, 0x17, 0xd4, - 0x1a, 0x3d, 0x6e, 0xbf, 0x07, 0xd9, 0xbe, 0xa8, 0xc4, 0x9d, 0x0b, 0x29, - 0xfa, 0x7e, 0xd0, 0xf9, 0x00, 0x0d, 0x9f, 0x1f, 0xcf, 0x94, 0x0f, 0xb3, - 0x10, 0xf2, 0x9c, 0xdc, 0xc3, 0x26, 0x4b, 0xf1, 0x13, 0x17, 0x33, 0x79, - 0x8e, 0x3d, 0x17, 0x1a, 0x58, 0x7c, 0x9f, 0x4f, 0x6f, 0x73, 0x09, 0x13, - 0xbf, 0x97, 0x42, 0x75, 0xbc, 0xd7, 0xe3, 0x79, 0xc3, 0x15, 0x0a, 0x5a, - 0xf1, 0x0e, 0x54, 0xc2, 0x07, 0xb6, 0xf9, 0xea, 0xde, 0x51, 0xab, 0x6f, - 0x7f, 0xed, 0xcc, 0x1d, 0x33, 0xd4, 0xea, 0x99, 0xcb, 0xba, 0x32, 0xf4, - 0x19, 0x18, 0xd2, 0x85, 0x85, 0xf7, 0xf3, 0x03, 0x16, 0x93, 0x09, 0xe0, - 0xf9, 0x01, 0x14, 0xd3, 0x1a, 0xc5, 0xe1, 0x78, 0xfd, 0xad, 0x1c, 0x09, - 0x46, 0x3b, 0x27, 0xb2, 0xd9, 0x95, 0x9d, 0xa6, 0x5e, 0x86, 0x14, 0x58, - 0xe5, 0x6a, 0x46, 0x63, 0x6c, 0xaa, 0x9c, 0xd2, 0x59, 0x84, 0x07, 0xb7, - 0xe8, 0x35, 0xe3, 0xfe, 0x52, 0xed, 0xcb, 0x3c, 0xa7, 0xfe, 0x90, 0x06, - 0x0e, 
0xb1, 0x40, 0x55, 0x6d, 0x36, 0x11, 0xce, 0xb2, 0x76, 0x19, 0x02, - 0x81, 0xc0, 0x59, 0x1d, 0x95, 0x01, 0x18, 0xfc, 0x85, 0x88, 0xeb, 0x2e, - 0x6e, 0x67, 0x9e, 0xa3, 0xb6, 0x0f, 0x61, 0xc5, 0xb8, 0xb3, 0xb0, 0x74, - 0xf0, 0x70, 0xa8, 0x90, 0xc8, 0x44, 0x0d, 0x1e, 0xe0, 0x6e, 0x80, 0x12, - 0xa1, 0x01, 0x50, 0x28, 0xd6, 0xcb, 0x1b, 0x0e, 0xdd, 0x85, 0x95, 0x40, - 0x27, 0x56, 0x5e, 0xea, 0xee, 0x3e, 0x85, 0xcb, 0x91, 0xaf, 0xeb, 0x9f, - 0x44, 0x4f, 0x78, 0x81, 0xee, 0xa1, 0x65, 0x40, 0x1e, 0xfd, 0x67, 0xf8, - 0x3d, 0x41, 0x65, 0x67, 0xc8, 0xd9, 0x13, 0xaa, 0x56, 0xd8, 0x95, 0x15, - 0x48, 0x65, 0x5b, 0x3d, 0xf5, 0xc4, 0x39, 0x73, 0x69, 0xb6, 0xef, 0x96, - 0x31, 0x87, 0xe5, 0x6d, 0x47, 0x4c, 0x86, 0xab, 0x27, 0x2f, 0xab, 0x5c, - 0x15, 0x57, 0x7a, 0x03, 0xaf, 0x80, 0x3d, 0xb9, 0x39, 0x01, 0x2b, 0x44, - 0x7e, 0x9d, 0x24, 0xac, 0x66, 0x5d, 0xda, 0x0b, 0x40, 0x57, 0x09, 0xf3, - 0x91, 0x01, 0x21, 0x4f, 0x79, 0xd5, 0x1f, 0x28, 0x56, 0x78, 0x48, 0x5d, - 0xa4, 0xcb, 0xd2, 0x27, 0x3f, 0x1e, 0x0b, 0x42, 0x5a, 0xe1, 0x4f, 0x30, - 0x55, 0x35, 0x47, 0xae, 0x60, 0x88, 0xd4, 0x4b, 0x37, 0x98, 0x60, 0x54, - 0x07, 0x06, 0xdc, 0x99, 0x74, 0x31, 0xd3, 0x55, 0xd9, 0x77, 0x01, 0x17, - 0x49, 0x74, 0x4b, 0xcd, 0xd6, 0x77, 0xd5, 0x4c, 0xd5, 0x43, 0xf1, 0x07, - 0x14, 0x7a + 0x30, 0x82, 0x06, 0xe2, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x81, 0x00, + 0xc5, 0x51, 0x94, 0x20, 0xb9, 0xf7, 0x97, 0x52, 0x00, 0x8a, 0x1d, 0x00, + 0x40, 0xb9, 0x02, 0xdc, 0x72, 0x6b, 0xa7, 0xf2, 0x3c, 0x83, 0x0b, 0xa0, + 0xd7, 0x28, 0xf1, 0x0a, 0x04, 0x29, 0x31, 0xbe, 0x3e, 0xfe, 0x19, 0x3c, + 0x82, 0x9e, 0xec, 0x0e, 0x51, 0xa5, 0xee, 0x2d, 0x62, 0x62, 0x7f, 0xab, + 0xe7, 0x7b, 0xae, 0x9d, 0xae, 0xd2, 0x6a, 0xe4, 0xcc, 0xd3, 0xec, 0x21, + 0xb9, 0x00, 0xd1, 0x5b, 0x96, 0xe9, 0x3e, 0x1f, 0xa2, 0xba, 0xf7, 0x71, + 0x46, 0x75, 0xc8, 0x6c, 0x8c, 0x51, 0x8b, 0xcd, 0x84, 0xaf, 0x9c, 0xd4, + 0x5e, 0xe9, 0x03, 0x73, 0x09, 0x87, 0x46, 0xfd, 0x10, 0x46, 0x2c, 0x1a, + 0xc5, 0x54, 0x3d, 0x7d, 0x73, 0x68, 0xab, 0x7f, 0xa0, 0xa2, 0x9b, 
0xcf, + 0xb2, 0x8a, 0x35, 0x45, 0xd6, 0x19, 0x3a, 0x79, 0x50, 0x1a, 0xc3, 0xdf, + 0xb8, 0x74, 0x39, 0xe1, 0x43, 0xa6, 0x8a, 0xb0, 0x0d, 0xca, 0x59, 0x2f, + 0x0f, 0x8a, 0xa2, 0xf2, 0x21, 0x01, 0xf2, 0xf0, 0x5c, 0xb7, 0xd3, 0x7a, + 0x24, 0x58, 0xf4, 0xd7, 0x7d, 0x34, 0x23, 0xa1, 0xa2, 0x75, 0xd5, 0x27, + 0x76, 0x8b, 0x9e, 0x04, 0xec, 0x96, 0xa0, 0x30, 0x27, 0x52, 0x37, 0xd3, + 0xa5, 0x1c, 0xed, 0x03, 0x55, 0x4d, 0xf0, 0x59, 0xd5, 0x75, 0x94, 0x9d, + 0x41, 0x68, 0xe3, 0x8c, 0x0e, 0xc6, 0x9a, 0x06, 0xed, 0x96, 0xd9, 0x2d, + 0xd6, 0x23, 0x1e, 0x11, 0xc6, 0x1a, 0x7a, 0x42, 0x9c, 0xf9, 0xc8, 0x1d, + 0xa0, 0x97, 0x93, 0xca, 0xbb, 0x7b, 0xf7, 0x25, 0xab, 0x46, 0xbb, 0x2d, + 0x9a, 0x45, 0xca, 0x39, 0xaa, 0xd8, 0x6c, 0x22, 0x56, 0x10, 0x1f, 0xc2, + 0x9f, 0x61, 0x0c, 0x74, 0x93, 0x28, 0xd4, 0xd9, 0xc9, 0xb8, 0x68, 0xad, + 0x2d, 0x2e, 0x79, 0x6e, 0xf8, 0x60, 0xbc, 0x40, 0x23, 0x08, 0x04, 0xf9, + 0x17, 0x5c, 0x6b, 0x9d, 0xd7, 0x50, 0x1a, 0x66, 0x29, 0xf5, 0xab, 0xbd, + 0x03, 0x88, 0x48, 0xf1, 0x25, 0xad, 0xe0, 0x96, 0x7a, 0xad, 0x7f, 0x8d, + 0x38, 0x3b, 0x87, 0x88, 0x4f, 0x2f, 0x61, 0xc3, 0xe7, 0xdf, 0x28, 0xf6, + 0xe3, 0x56, 0x26, 0x5a, 0x03, 0xf4, 0x16, 0xfb, 0x6a, 0xc4, 0xee, 0x74, + 0xe5, 0x3a, 0x26, 0x6b, 0xb4, 0x44, 0x26, 0xb3, 0xad, 0x46, 0x72, 0x96, + 0x5d, 0xe7, 0x8f, 0x85, 0x8c, 0x0d, 0x5d, 0x08, 0x50, 0x6e, 0x63, 0xd1, + 0x1b, 0x84, 0x3a, 0x9e, 0xfc, 0x2b, 0x4a, 0x34, 0x58, 0xef, 0xe4, 0xcf, + 0x58, 0xb8, 0x5d, 0x3c, 0xb2, 0x81, 0x4c, 0x8e, 0x6d, 0x53, 0x45, 0x45, + 0x1d, 0x7e, 0x69, 0x6a, 0x17, 0x29, 0x4c, 0xdc, 0xb3, 0xc6, 0x0f, 0xb8, + 0x8a, 0x94, 0x69, 0x7f, 0xed, 0xd0, 0xef, 0xc6, 0x6b, 0x59, 0xce, 0xbc, + 0xde, 0x0e, 0xc2, 0xed, 0x4b, 0x9e, 0xad, 0x0d, 0xf2, 0x18, 0xda, 0x19, + 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x80, 0x06, 0xac, 0xc8, + 0xcf, 0x06, 0x9b, 0x7a, 0x91, 0xfa, 0x94, 0xb1, 0x80, 0x75, 0xb0, 0x0c, + 0x89, 0xba, 0x91, 0x2b, 0xc0, 0x45, 0x0d, 0xc5, 0xd1, 0xee, 0x15, 0x63, + 0x7a, 0x0c, 0x43, 0xfc, 0x7b, 0xcc, 0x13, 0xba, 0x74, 0xd2, 0x92, 
0x5f, + 0xb7, 0xe8, 0x49, 0x2d, 0xb2, 0x79, 0x56, 0x8d, 0xad, 0x1a, 0x0a, 0x94, + 0x10, 0x9f, 0x7e, 0x5c, 0xc1, 0x5a, 0xb0, 0x7c, 0x97, 0x73, 0x73, 0xb4, + 0xa1, 0x5d, 0x8c, 0x8c, 0x5e, 0x73, 0x99, 0xd1, 0x8f, 0x12, 0x6c, 0x1f, + 0x98, 0x94, 0x72, 0x99, 0xc1, 0x1d, 0x10, 0xf7, 0xc4, 0x33, 0x65, 0xbc, + 0x89, 0x22, 0xb4, 0x61, 0xd1, 0x63, 0xc0, 0x8b, 0xf3, 0x67, 0xe3, 0x7e, + 0xa5, 0x04, 0xc7, 0x70, 0xad, 0xc3, 0x98, 0x5c, 0x9e, 0xfd, 0x12, 0x31, + 0xd5, 0x27, 0xf5, 0xf8, 0x85, 0x6c, 0x11, 0x4b, 0xb9, 0x00, 0xbb, 0x65, + 0xcd, 0xda, 0x05, 0x03, 0x42, 0x0b, 0x65, 0x61, 0xf8, 0xf6, 0x94, 0xa1, + 0x08, 0x81, 0xd7, 0x58, 0x09, 0x8b, 0x89, 0x68, 0x6d, 0x04, 0x57, 0xc2, + 0x08, 0x9c, 0x22, 0xac, 0x65, 0xe6, 0x62, 0x08, 0x10, 0xea, 0xb0, 0xb4, + 0x6a, 0xc4, 0x3a, 0x20, 0x37, 0x20, 0xcd, 0x66, 0x38, 0x11, 0xa8, 0xd5, + 0xd7, 0xbc, 0x06, 0x03, 0xf0, 0x76, 0x09, 0x21, 0x3a, 0xe4, 0xa0, 0x90, + 0xba, 0x07, 0x31, 0xee, 0xb9, 0xf7, 0x45, 0x98, 0x19, 0x26, 0x89, 0x11, + 0xdb, 0x7e, 0xe2, 0xda, 0xcf, 0xdb, 0xe1, 0x1d, 0x36, 0xe9, 0x19, 0x62, + 0x52, 0xd2, 0x44, 0x9a, 0xd3, 0xd4, 0x01, 0x5d, 0xc7, 0x87, 0x58, 0x40, + 0x0d, 0x8a, 0x4e, 0x6c, 0x56, 0x35, 0xbc, 0xac, 0x6a, 0xf1, 0xe8, 0x74, + 0x5c, 0x63, 0x1a, 0xbd, 0x16, 0x76, 0x76, 0xb3, 0x00, 0xed, 0x64, 0x18, + 0x65, 0xb7, 0x4e, 0x77, 0x0c, 0x2c, 0x07, 0x92, 0x1b, 0xc8, 0xb9, 0x0b, + 0xf8, 0x1e, 0x48, 0x25, 0x77, 0x31, 0x9c, 0x18, 0xd4, 0xab, 0x42, 0x2c, + 0x67, 0x21, 0x3e, 0x9f, 0x0c, 0xa7, 0xd6, 0x10, 0xef, 0xc5, 0x7a, 0x69, + 0x9d, 0xc5, 0x35, 0x16, 0xd6, 0xfa, 0xc1, 0xb6, 0x89, 0x80, 0x2b, 0x2f, + 0xfb, 0xea, 0x2f, 0xe0, 0x21, 0x7f, 0x8c, 0xb2, 0xcd, 0x89, 0x3f, 0xae, + 0x6c, 0x20, 0x74, 0xf8, 0x1f, 0x4c, 0xee, 0x3a, 0xd0, 0x01, 0x87, 0x78, + 0x91, 0x18, 0xfb, 0xb2, 0xa8, 0x29, 0xe1, 0xad, 0x5d, 0xc1, 0xfd, 0x25, + 0x4d, 0x2a, 0xeb, 0x32, 0xa5, 0x7d, 0x91, 0x69, 0x55, 0xdf, 0xb2, 0x8b, + 0xa7, 0xb7, 0x66, 0xef, 0xea, 0x2c, 0xb0, 0xa5, 0x8a, 0x60, 0x85, 0x24, + 0xb1, 0xf8, 0x3d, 0x86, 0x18, 0x0c, 0xbf, 0x95, 0xe3, 0xa6, 0x6a, 
0xdc, + 0x5f, 0x1d, 0x60, 0xa3, 0x2b, 0xfc, 0xd9, 0x62, 0xf3, 0xf8, 0x33, 0xda, + 0xdf, 0x66, 0x0e, 0xd1, 0x8d, 0xde, 0xa4, 0x85, 0x91, 0x02, 0x81, 0xc1, + 0x00, 0xfd, 0x9f, 0x90, 0xce, 0x5c, 0x74, 0xba, 0xa4, 0xcf, 0x20, 0x70, + 0x87, 0x48, 0x84, 0x2b, 0xb1, 0x0b, 0x1d, 0x02, 0x57, 0x47, 0xeb, 0xf3, + 0x0e, 0x99, 0x7c, 0x39, 0xbe, 0x40, 0x5c, 0x57, 0xec, 0x43, 0x6e, 0x91, + 0x15, 0x5c, 0xb2, 0x86, 0x31, 0x02, 0x24, 0xd6, 0x89, 0x1e, 0x01, 0x84, + 0xb6, 0xd4, 0x14, 0x5c, 0x98, 0x1c, 0x73, 0x40, 0xd1, 0xc5, 0xbc, 0xf8, + 0x9e, 0xdf, 0xbd, 0xd3, 0x78, 0x25, 0xa6, 0x5a, 0x20, 0xb6, 0x82, 0x74, + 0xa3, 0x5d, 0x39, 0x22, 0x9f, 0x8c, 0xe4, 0x46, 0xa8, 0x76, 0x0b, 0x62, + 0xcd, 0xa4, 0xf7, 0x25, 0xba, 0xfc, 0x7b, 0xbb, 0x02, 0xfe, 0xe0, 0xa7, + 0x86, 0x97, 0xd9, 0xae, 0x58, 0x35, 0x61, 0xfb, 0x4f, 0x6e, 0xb5, 0xc6, + 0x97, 0x35, 0x35, 0xe7, 0xd9, 0x9c, 0x4f, 0xc9, 0x1d, 0xae, 0x33, 0xea, + 0x67, 0x0c, 0x5a, 0x7f, 0xa9, 0x4f, 0x6b, 0x1e, 0xe8, 0x2f, 0x11, 0x83, + 0x55, 0x55, 0xc7, 0xbc, 0xd5, 0x32, 0x73, 0x7b, 0xd0, 0xf9, 0x32, 0x2a, + 0x94, 0x5a, 0xd5, 0x81, 0xa4, 0x19, 0x20, 0x34, 0xe3, 0xc3, 0xde, 0x6e, + 0x99, 0x13, 0x64, 0x78, 0x83, 0xa7, 0x5d, 0xe3, 0xcf, 0xcf, 0x12, 0x00, + 0xd3, 0xc3, 0xfb, 0xed, 0xce, 0x4b, 0xa2, 0x23, 0x5c, 0x8b, 0x9f, 0x25, + 0x76, 0x58, 0x56, 0xa5, 0x31, 0xa0, 0x0e, 0xc6, 0x67, 0x84, 0xaf, 0x5f, + 0xd5, 0x02, 0x81, 0xc1, 0x00, 0xc7, 0x2a, 0xf0, 0x9e, 0x6f, 0x08, 0xbe, + 0x08, 0x6b, 0x78, 0x73, 0x69, 0xbc, 0x62, 0xea, 0xe7, 0xda, 0x3c, 0xe1, + 0x96, 0x84, 0xef, 0x2f, 0xf1, 0x25, 0x88, 0x64, 0x82, 0xfe, 0xde, 0x9e, + 0x02, 0xcb, 0x83, 0xa1, 0xe3, 0x9c, 0x20, 0x3b, 0x92, 0x7e, 0xc1, 0xb0, + 0xcf, 0x82, 0x96, 0x81, 0x29, 0x74, 0xd0, 0x01, 0x25, 0xe0, 0x2d, 0xdf, + 0xd1, 0x50, 0x81, 0x6b, 0x58, 0x28, 0x83, 0x25, 0xcf, 0xc1, 0x1b, 0x0e, + 0xc0, 0xa6, 0x74, 0x6f, 0x3f, 0x0d, 0x53, 0xec, 0x51, 0x2c, 0xf7, 0x4b, + 0x43, 0x04, 0xaa, 0x56, 0x45, 0x96, 0xf0, 0xe2, 0xa5, 0x9f, 0x0b, 0x67, + 0x77, 0xa1, 0xe6, 0x39, 0x03, 0x70, 0x79, 0x1a, 0x3b, 0x85, 0xd9, 
0x16, + 0x16, 0x06, 0x32, 0xae, 0x21, 0xcf, 0x48, 0xc1, 0xc4, 0xaf, 0x18, 0x70, + 0xf4, 0x37, 0x03, 0xc8, 0x03, 0x66, 0x65, 0x71, 0xb6, 0xe0, 0x47, 0xc1, + 0x33, 0x95, 0x32, 0xee, 0xa2, 0xe0, 0x4e, 0x4c, 0x54, 0x8f, 0x21, 0xbe, + 0x5f, 0xa7, 0x75, 0xcc, 0xc9, 0xd3, 0x75, 0xb2, 0x57, 0xb2, 0x97, 0x8e, + 0xef, 0x87, 0x4c, 0x2a, 0x80, 0x62, 0x60, 0x78, 0x1a, 0xa3, 0x1f, 0x51, + 0xc6, 0x3e, 0x3c, 0x5b, 0x31, 0x69, 0xd0, 0x2a, 0x2c, 0x86, 0x26, 0xe2, + 0x0c, 0xcd, 0x35, 0xe4, 0x5b, 0x0e, 0xeb, 0x60, 0x72, 0x3d, 0x07, 0xeb, + 0xa6, 0xc0, 0x46, 0x77, 0x35, 0x02, 0x81, 0xc0, 0x7e, 0xbf, 0x6f, 0xae, + 0xb1, 0xa5, 0xe4, 0x60, 0xd8, 0xe2, 0x6d, 0x5a, 0x2e, 0x73, 0x5f, 0x22, + 0x6b, 0x5b, 0x64, 0x00, 0x1a, 0x81, 0x60, 0x46, 0xbb, 0x8d, 0xc9, 0x8d, + 0xba, 0xbc, 0x6b, 0x74, 0x37, 0x7e, 0xda, 0x22, 0xc2, 0xe0, 0xb5, 0x0f, + 0x68, 0xf2, 0xe0, 0x04, 0x46, 0x6a, 0x9b, 0xd8, 0x82, 0xc4, 0x6a, 0x41, + 0xda, 0x75, 0xfe, 0xbe, 0xd7, 0x03, 0x49, 0x7c, 0x9c, 0x74, 0x51, 0x6a, + 0x89, 0xe6, 0x48, 0xc4, 0x70, 0x71, 0x61, 0xb9, 0x02, 0xad, 0xbb, 0x0f, + 0xe1, 0x69, 0x73, 0xa6, 0x5c, 0xd7, 0xf3, 0xd8, 0xb1, 0xc8, 0x91, 0xa2, + 0x90, 0xeb, 0x84, 0xda, 0x4a, 0x66, 0x1b, 0x52, 0xb8, 0x30, 0xa1, 0x60, + 0x93, 0xcd, 0x13, 0xba, 0xee, 0xa9, 0x09, 0x46, 0x27, 0xe1, 0x78, 0xac, + 0xd7, 0xe1, 0x47, 0xb0, 0xfd, 0x8e, 0x14, 0x66, 0xcb, 0x55, 0xae, 0xd6, + 0xfe, 0x49, 0x9a, 0x78, 0x8e, 0x8d, 0x42, 0x05, 0x33, 0x89, 0x4e, 0x65, + 0x7d, 0x81, 0x19, 0x2f, 0xa6, 0x59, 0xdb, 0xcd, 0xa8, 0x57, 0x6b, 0x22, + 0x87, 0x2c, 0x01, 0x42, 0x92, 0x70, 0x66, 0xf5, 0x39, 0x2b, 0xcc, 0xce, + 0x7e, 0xa5, 0xfd, 0x63, 0xad, 0x28, 0x62, 0x21, 0x72, 0xa0, 0x44, 0x88, + 0x04, 0x64, 0x53, 0x27, 0xbc, 0xdf, 0x1b, 0xe9, 0xb8, 0xdc, 0x14, 0x52, + 0x68, 0x9a, 0xf9, 0xac, 0x62, 0x33, 0x02, 0xc1, 0x02, 0x81, 0xc0, 0x48, + 0xd5, 0x3d, 0x14, 0xd3, 0x09, 0xe1, 0x64, 0x76, 0xd8, 0x9f, 0x6c, 0x05, + 0x46, 0x2f, 0x1d, 0x06, 0x43, 0xc9, 0x43, 0x1f, 0xed, 0xd0, 0x1c, 0x61, + 0x5b, 0x55, 0x56, 0x4a, 0x19, 0xe2, 0xb2, 0xa6, 0xf5, 0xc6, 0x17, 
0xd4, + 0x1a, 0x3d, 0x6e, 0xbf, 0x07, 0xd9, 0xbe, 0xa8, 0xc4, 0x9d, 0x0b, 0x29, + 0xfa, 0x7e, 0xd0, 0xf9, 0x00, 0x0d, 0x9f, 0x1f, 0xcf, 0x94, 0x0f, 0xb3, + 0x10, 0xf2, 0x9c, 0xdc, 0xc3, 0x26, 0x4b, 0xf1, 0x13, 0x17, 0x33, 0x79, + 0x8e, 0x3d, 0x17, 0x1a, 0x58, 0x7c, 0x9f, 0x4f, 0x6f, 0x73, 0x09, 0x13, + 0xbf, 0x97, 0x42, 0x75, 0xbc, 0xd7, 0xe3, 0x79, 0xc3, 0x15, 0x0a, 0x5a, + 0xf1, 0x0e, 0x54, 0xc2, 0x07, 0xb6, 0xf9, 0xea, 0xde, 0x51, 0xab, 0x6f, + 0x7f, 0xed, 0xcc, 0x1d, 0x33, 0xd4, 0xea, 0x99, 0xcb, 0xba, 0x32, 0xf4, + 0x19, 0x18, 0xd2, 0x85, 0x85, 0xf7, 0xf3, 0x03, 0x16, 0x93, 0x09, 0xe0, + 0xf9, 0x01, 0x14, 0xd3, 0x1a, 0xc5, 0xe1, 0x78, 0xfd, 0xad, 0x1c, 0x09, + 0x46, 0x3b, 0x27, 0xb2, 0xd9, 0x95, 0x9d, 0xa6, 0x5e, 0x86, 0x14, 0x58, + 0xe5, 0x6a, 0x46, 0x63, 0x6c, 0xaa, 0x9c, 0xd2, 0x59, 0x84, 0x07, 0xb7, + 0xe8, 0x35, 0xe3, 0xfe, 0x52, 0xed, 0xcb, 0x3c, 0xa7, 0xfe, 0x90, 0x06, + 0x0e, 0xb1, 0x40, 0x55, 0x6d, 0x36, 0x11, 0xce, 0xb2, 0x76, 0x19, 0x02, + 0x81, 0xc0, 0x59, 0x1d, 0x95, 0x01, 0x18, 0xfc, 0x85, 0x88, 0xeb, 0x2e, + 0x6e, 0x67, 0x9e, 0xa3, 0xb6, 0x0f, 0x61, 0xc5, 0xb8, 0xb3, 0xb0, 0x74, + 0xf0, 0x70, 0xa8, 0x90, 0xc8, 0x44, 0x0d, 0x1e, 0xe0, 0x6e, 0x80, 0x12, + 0xa1, 0x01, 0x50, 0x28, 0xd6, 0xcb, 0x1b, 0x0e, 0xdd, 0x85, 0x95, 0x40, + 0x27, 0x56, 0x5e, 0xea, 0xee, 0x3e, 0x85, 0xcb, 0x91, 0xaf, 0xeb, 0x9f, + 0x44, 0x4f, 0x78, 0x81, 0xee, 0xa1, 0x65, 0x40, 0x1e, 0xfd, 0x67, 0xf8, + 0x3d, 0x41, 0x65, 0x67, 0xc8, 0xd9, 0x13, 0xaa, 0x56, 0xd8, 0x95, 0x15, + 0x48, 0x65, 0x5b, 0x3d, 0xf5, 0xc4, 0x39, 0x73, 0x69, 0xb6, 0xef, 0x96, + 0x31, 0x87, 0xe5, 0x6d, 0x47, 0x4c, 0x86, 0xab, 0x27, 0x2f, 0xab, 0x5c, + 0x15, 0x57, 0x7a, 0x03, 0xaf, 0x80, 0x3d, 0xb9, 0x39, 0x01, 0x2b, 0x44, + 0x7e, 0x9d, 0x24, 0xac, 0x66, 0x5d, 0xda, 0x0b, 0x40, 0x57, 0x09, 0xf3, + 0x91, 0x01, 0x21, 0x4f, 0x79, 0xd5, 0x1f, 0x28, 0x56, 0x78, 0x48, 0x5d, + 0xa4, 0xcb, 0xd2, 0x27, 0x3f, 0x1e, 0x0b, 0x42, 0x5a, 0xe1, 0x4f, 0x30, + 0x55, 0x35, 0x47, 0xae, 0x60, 0x88, 0xd4, 0x4b, 0x37, 0x98, 0x60, 
0x54, + 0x07, 0x06, 0xdc, 0x99, 0x74, 0x31, 0xd3, 0x55, 0xd9, 0x77, 0x01, 0x17, + 0x49, 0x74, 0x4b, 0xcd, 0xd6, 0x77, 0xd5, 0x4c, 0xd5, 0x43, 0xf1, 0x07, + 0x14, 0x7a }; 
@@ -480,396 +481,396 @@ const uint8_t kDERRSAPrivate4096[] = { const size_t kDERRSAPrivate4096Len = sizeof(kDERRSAPrivate4096); // Generation method: -// openssl genrsa 8192 | openssl rsa -outform der | xxd -i > ../rsa_key_8192_bits +// openssl genrsa 8192 | openssl rsa -outform der | xxd -i > +// ../rsa_key_8192_bits const uint8_t kDERRSAPrivate8192[] = { - 0x30, 0x82, 0x12, 0x2a, 0x02, 0x01, 0x00, 0x02, 0x82, 0x04, 0x01, 0x00, - 0xbc, 0x0c, 0x4e, 0xa4, 0x74, 0x61, 0xa3, 0xe8, 0x73, 0x85, 0x65, 0xea, - 0x6f, 0x7c, 0x4e, 0xf1, 0x9f, 0xef, 0x84, 0x17, 0x7f, 0x96, 0xf6, 0xa5, - 0xd9, 0x6c, 0x4a, 0x1a, 0x5c, 0x30, 0x61, 0xbe, 0x00, 0x85, 0x57, 0x38, - 0x01, 0xd7, 0x34, 0xf0, 0x6c, 0x30, 0xbb, 0xfc, 0xaa, 0xa3, 0x53, 0x2c, - 0xe9, 0xf7, 0x31, 0x4b, 0x40, 0x06, 0xb0, 0xaf, 0xe6, 0x38, 0x81, 0xbb, - 0x4e, 0x9a, 0x34, 0x56, 0xfa, 0x3f, 0xf4, 0x3c, 0x49, 0x70, 0x02, 0x8d, - 0xa3, 0x22, 0x49, 0x6b, 0x32, 0x81, 0x6f, 0x94, 0xb8, 0x24, 0x05, 0x8e, - 0xbb, 0xd4, 0x00, 0x33, 0x59, 0x30, 0xe9, 0xde, 0xf5, 0x74, 0x92, 0xee, - 0x92, 0x10, 0xd4, 0xd3, 0xfe, 0xc7, 0xb7, 0x61, 0x44, 0xaa, 0xf2, 0x8a, - 0xed, 0x7e, 0x26, 0x07, 0xea, 0x61, 0x3b, 0xf4, 0x8d, 0xac, 0x0f, 0xba, - 0x95, 0xb7, 0x37, 0xfe, 0x21, 0x56, 0x13, 0x30, 0xaa, 0x6f, 0xf2, 0x82, - 0xdf, 0xca, 0xa1, 0x26, 0xac, 0x44, 0x24, 0x15, 0xca, 0x22, 0x16, 0x02, - 0xeb, 0x10, 0x8d, 0x08, 0xf4, 0xd5, 0x80, 0x95, 0x56, 0x30, 0xa7, 0xb9, - 0x28, 0xed, 0x75, 0x95, 0x54, 0xd0, 0xc1, 0xaf, 0x28, 0x4b, 0xd0, 0x78, - 0x56, 0x2b, 0xca, 0x68, 0x07, 0x49, 0x39, 0xae, 0x17, 0x39, 0x6c, 0xb4, - 0x5a, 0xdb, 0x1e, 0x2b, 0xd5, 0xe1, 0x9b, 0x7f, 0x90, 0x66, 0xd9, 0x3b, - 0x7d, 0x17, 0xb3, 0x8d, 0xb5, 0xa3, 0x0f, 0x73, 0x72, 0xce, 0x14, 0x91, - 0x63, 0x33, 0x60, 0xf5, 0xc7, 0x32, 0x6c, 0xb3, 0x20, 0x49, 0xf1, 0xef, - 0x7e, 0xd7, 0x6d, 0x18, 0x93, 0x10, 0xa4, 0xae, 0xa3, 0xb2, 0x5a, 0x89, - 0x3e, 0xdc, 0xde, 0x0e, 0xec, 0xd1, 0xb4, 0x55, 0x82, 0x9b, 0xd5, 0xd0, - 0x3d, 0x64, 0x12, 0xdd, 0x90, 0x9b, 0x25, 0x01, 0x3f, 0xa3, 0x2a, 0x8e, - 0xd5, 
0x22, 0x4c, 0x7b, 0xf3, 0xef, 0x51, 0x73, 0x6d, 0x21, 0x14, 0x75, - 0xbd, 0x2e, 0x32, 0xcb, 0xe7, 0xfe, 0x9f, 0x80, 0x2d, 0x2e, 0xa9, 0x1b, - 0xbe, 0x3f, 0xcd, 0xb4, 0x7b, 0x37, 0xf5, 0xd4, 0x4e, 0xc7, 0x36, 0x5c, - 0x6e, 0x7b, 0x72, 0x9f, 0xfe, 0x74, 0x3e, 0xa8, 0x7f, 0x39, 0x31, 0xa2, - 0x87, 0x12, 0x05, 0x23, 0x77, 0xac, 0x44, 0xd4, 0xbc, 0x21, 0x5c, 0x3e, - 0x91, 0xc5, 0x98, 0x96, 0x0c, 0x1c, 0xce, 0xd3, 0x71, 0x0b, 0x0f, 0x73, - 0x18, 0xbc, 0x0a, 0xa9, 0x8b, 0x76, 0x03, 0x46, 0x04, 0xa4, 0x59, 0xa0, - 0x2b, 0xe2, 0xff, 0x53, 0x4a, 0xc2, 0xf0, 0x29, 0xe3, 0x84, 0x55, 0x9d, - 0x5c, 0x6d, 0xf8, 0xf6, 0x39, 0xaa, 0xc4, 0x6f, 0xaa, 0x0b, 0x4d, 0x8d, - 0xa7, 0xb6, 0x27, 0x68, 0x27, 0xc9, 0x63, 0x51, 0xec, 0x8c, 0xde, 0xd0, - 0x4d, 0xb0, 0xf8, 0x8d, 0x35, 0x30, 0x35, 0xe4, 0xa0, 0xb1, 0xef, 0x8d, - 0xfd, 0xdd, 0x47, 0x08, 0xb1, 0x00, 0x13, 0x46, 0xad, 0xf7, 0x44, 0x15, - 0xab, 0xdf, 0xe7, 0xcf, 0xaa, 0xf2, 0xe2, 0x20, 0x8d, 0x28, 0x31, 0x23, - 0x01, 0x75, 0x7d, 0x1f, 0x96, 0x32, 0x4a, 0x8b, 0xb5, 0x2e, 0x34, 0x06, - 0xa5, 0xea, 0x27, 0x52, 0xf6, 0xc3, 0xaa, 0x30, 0x06, 0x21, 0x0f, 0x18, - 0xae, 0xae, 0x26, 0x13, 0xf0, 0xab, 0x4b, 0x11, 0x05, 0x0c, 0x6e, 0xd8, - 0x09, 0xdb, 0xdf, 0xca, 0xee, 0x7c, 0x66, 0x7c, 0x50, 0xbb, 0x34, 0xf9, - 0x4b, 0x91, 0x93, 0xce, 0x43, 0xcb, 0x38, 0xf3, 0xf0, 0x24, 0x7c, 0x3e, - 0xea, 0x33, 0x4a, 0xcd, 0x35, 0x33, 0x83, 0xe2, 0xe2, 0xf9, 0xe0, 0x81, - 0x13, 0xb9, 0xbb, 0x4e, 0xb0, 0xf5, 0x16, 0x41, 0x23, 0x59, 0xab, 0x98, - 0x4a, 0x16, 0xb3, 0x79, 0xce, 0x41, 0xc7, 0x34, 0x74, 0xdc, 0x2f, 0xac, - 0xca, 0x41, 0xf7, 0x38, 0xbe, 0xf6, 0xc6, 0xb7, 0x49, 0x01, 0x2e, 0x77, - 0x40, 0x7a, 0x9a, 0x74, 0x1f, 0x81, 0x46, 0x26, 0xd6, 0x8f, 0xdb, 0xc6, - 0x53, 0xdb, 0xc6, 0x69, 0xe5, 0xfa, 0x90, 0xe6, 0xe6, 0xce, 0xf9, 0xbe, - 0x02, 0xda, 0x93, 0xf7, 0xb1, 0xae, 0xf4, 0x85, 0x1d, 0xff, 0xec, 0xfc, - 0x35, 0x7b, 0xc9, 0x70, 0xf4, 0x75, 0xcd, 0xd3, 0xe3, 0x0a, 0x83, 0x4f, - 0xa1, 0xf4, 0x8e, 0x2d, 0x03, 0x98, 0x65, 0xb8, 0xc0, 0x39, 0x81, 0x8a, - 0xdc, 
0xf2, 0x1a, 0xe5, 0x41, 0xd2, 0x2c, 0x6b, 0x05, 0x92, 0x3f, 0x29, - 0xe2, 0x4a, 0xc6, 0xf0, 0x5e, 0xfd, 0xe3, 0xa8, 0xa8, 0x1a, 0xc0, 0xe7, - 0xaa, 0x14, 0xd2, 0xd0, 0xff, 0x9f, 0x8d, 0xba, 0x9b, 0x3f, 0xce, 0x8d, - 0x0f, 0x95, 0x29, 0xe2, 0x1c, 0xf9, 0x7a, 0x6c, 0x04, 0x8a, 0x06, 0xcf, - 0x69, 0x80, 0xa8, 0x1d, 0xc7, 0x37, 0xeb, 0x14, 0x6a, 0x47, 0x64, 0x12, - 0xd3, 0x13, 0x35, 0x8b, 0x64, 0x47, 0x0a, 0x64, 0x51, 0x1c, 0x0e, 0x37, - 0x67, 0x99, 0x74, 0x80, 0xe9, 0x13, 0xf4, 0xad, 0xe7, 0x1c, 0xdc, 0x85, - 0x81, 0x95, 0xa1, 0xb9, 0xf3, 0x4a, 0xe9, 0xe6, 0x7d, 0x0c, 0x8f, 0xc1, - 0x6e, 0xae, 0xbb, 0x6b, 0xa9, 0xd9, 0x89, 0xcf, 0xb5, 0xc5, 0x88, 0x72, - 0xfa, 0xbd, 0xe5, 0xb3, 0x09, 0x21, 0x03, 0xb7, 0x0a, 0xfa, 0x9a, 0x2e, - 0x23, 0xfa, 0x75, 0xbd, 0xf7, 0x3d, 0xcf, 0xda, 0x70, 0xe9, 0x58, 0x4c, - 0x91, 0xd2, 0xb0, 0x21, 0xde, 0xc2, 0xe1, 0xd3, 0x2d, 0x90, 0x42, 0xcf, - 0x9c, 0xb0, 0x79, 0x8b, 0xa5, 0xf2, 0xaa, 0xd0, 0xc8, 0xd9, 0x1e, 0x8e, - 0x94, 0xde, 0x48, 0x95, 0x74, 0xc7, 0x63, 0x70, 0x7b, 0x20, 0xda, 0x24, - 0xba, 0x21, 0xd0, 0x24, 0x1a, 0x81, 0x99, 0x8d, 0xc6, 0x69, 0x0e, 0x6e, - 0x2a, 0xa6, 0x7f, 0xac, 0x08, 0xc9, 0x2a, 0x54, 0xd5, 0xd1, 0x8a, 0xc6, - 0xbc, 0xae, 0x24, 0xa5, 0x81, 0x3e, 0x3f, 0xea, 0xc3, 0x93, 0xef, 0x8a, - 0x53, 0x40, 0xb4, 0x2e, 0x80, 0xe4, 0xbe, 0xab, 0xbb, 0x97, 0x0c, 0x10, - 0x19, 0xab, 0x69, 0xc5, 0xfb, 0x05, 0x33, 0x86, 0x04, 0x57, 0x7b, 0x46, - 0x64, 0xb8, 0x71, 0x7c, 0xa3, 0x00, 0x9e, 0x63, 0x2c, 0x82, 0xe8, 0x3f, - 0x2a, 0x54, 0x40, 0x5d, 0x6c, 0xc9, 0x91, 0x37, 0x82, 0x5b, 0x4e, 0x34, - 0x6a, 0x0c, 0xe9, 0x34, 0xf6, 0xe3, 0x97, 0x3f, 0xc9, 0xb2, 0x44, 0xb3, - 0x7f, 0x1e, 0x61, 0xc9, 0x43, 0xfd, 0x78, 0xdd, 0xa1, 0x3a, 0x0a, 0xba, - 0x03, 0xfc, 0xb5, 0x36, 0x93, 0x0c, 0xf8, 0xec, 0x00, 0x71, 0x8f, 0x97, - 0xee, 0xc4, 0x81, 0xa7, 0x2e, 0x69, 0xf8, 0xb7, 0xc1, 0xc1, 0xe4, 0xb5, - 0x11, 0x27, 0x4f, 0x24, 0xae, 0xe6, 0xba, 0x85, 0xd1, 0xa0, 0x29, 0x29, - 0x98, 0xe5, 0xda, 0x13, 0x0b, 0xb2, 0x07, 0x09, 0x8b, 0xee, 0x97, 0x35, - 0x0f, 
0xb0, 0x86, 0xe7, 0x84, 0xf5, 0xae, 0x69, 0x30, 0x40, 0x97, 0x19, - 0x03, 0x62, 0xd8, 0x79, 0xcd, 0x42, 0x72, 0xac, 0xae, 0xec, 0x92, 0x40, - 0x72, 0xa0, 0xcd, 0x13, 0x40, 0xd6, 0x10, 0x00, 0xdf, 0x3e, 0x0e, 0x35, - 0x61, 0xfd, 0xb3, 0x99, 0x6b, 0xe3, 0x27, 0x08, 0x04, 0xe9, 0xce, 0x6a, - 0xca, 0x1c, 0x7c, 0xad, 0x5e, 0xf3, 0xdc, 0x4a, 0xd1, 0x47, 0x95, 0x20, - 0x87, 0xb4, 0x02, 0xf5, 0x2a, 0x66, 0x93, 0x00, 0xbe, 0x98, 0xf1, 0xb1, - 0x4d, 0x7e, 0xe5, 0x2a, 0xb3, 0xa9, 0x91, 0xe8, 0x08, 0xcd, 0x4d, 0xe6, - 0xef, 0x0c, 0x7d, 0x96, 0x7b, 0x9c, 0xa4, 0x0a, 0xf6, 0x5a, 0xb2, 0x1d, - 0x63, 0x7a, 0x88, 0x61, 0x84, 0x80, 0x11, 0x44, 0x0c, 0x8a, 0x95, 0x62, - 0xa6, 0x56, 0xba, 0x81, 0xe2, 0xb1, 0x25, 0x0a, 0x07, 0xcc, 0xa8, 0xac, - 0x33, 0x83, 0x86, 0x83, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x04, - 0x00, 0x78, 0xc4, 0x8a, 0xa9, 0x11, 0x59, 0x37, 0xb3, 0xec, 0xa4, 0xea, - 0x5c, 0x12, 0x37, 0x4a, 0x57, 0xe1, 0x38, 0x28, 0xa4, 0x12, 0xbb, 0xf8, - 0x31, 0x71, 0x1e, 0x1b, 0xc5, 0x2c, 0x19, 0xa2, 0x5c, 0x2c, 0xe7, 0x75, - 0xa9, 0x31, 0x7d, 0x6d, 0xb1, 0x4e, 0x3a, 0x4a, 0x30, 0xad, 0xc1, 0xf0, - 0x83, 0xf2, 0xca, 0x5f, 0x2d, 0x0d, 0xb4, 0x7e, 0x3a, 0xa9, 0x66, 0xf6, - 0xe2, 0x3d, 0x4b, 0xc9, 0x7b, 0x66, 0x82, 0x36, 0x2f, 0x95, 0x96, 0x4a, - 0xfd, 0x7d, 0x9c, 0x62, 0x7c, 0x66, 0xd6, 0x3b, 0xbb, 0xce, 0x3a, 0xcc, - 0x1a, 0xeb, 0xc3, 0xee, 0x51, 0x0b, 0xe1, 0xdf, 0x00, 0xe2, 0xb0, 0x78, - 0x40, 0xa1, 0x2c, 0x10, 0x13, 0x0a, 0x18, 0x67, 0x4c, 0x1f, 0x96, 0x8d, - 0xe7, 0xed, 0x38, 0x4b, 0xe2, 0x5f, 0x83, 0x0c, 0xc7, 0x35, 0x49, 0x20, - 0x5c, 0xdb, 0x13, 0xec, 0xf0, 0xd7, 0xa5, 0xf8, 0xf3, 0x13, 0x32, 0x8c, - 0x13, 0xc2, 0xf7, 0xd6, 0x61, 0x08, 0xd7, 0x46, 0x39, 0x7c, 0x34, 0x41, - 0xe0, 0xa3, 0xe8, 0x60, 0x3b, 0x35, 0x49, 0xfc, 0xa7, 0x6b, 0xd0, 0x19, - 0x97, 0x4f, 0x92, 0x99, 0x26, 0x4b, 0x6f, 0x3a, 0x44, 0x6c, 0x63, 0xac, - 0x41, 0xec, 0x4d, 0x79, 0x53, 0x30, 0x02, 0xb5, 0xf9, 0x79, 0x4e, 0xd6, - 0xe2, 0x49, 0x4b, 0x59, 0xe8, 0x1b, 0x17, 0x26, 0x0f, 0x59, 0xc4, 0xc3, - 0x94, 
0x71, 0xf5, 0x0b, 0xca, 0x61, 0xb1, 0x94, 0x15, 0xb7, 0xd0, 0x63, - 0xe3, 0x2f, 0x4b, 0x6a, 0xe4, 0xcd, 0x86, 0x33, 0xcb, 0x22, 0x5c, 0x7a, - 0xf5, 0x2d, 0x87, 0xda, 0xb7, 0xa2, 0x93, 0x58, 0xc0, 0x13, 0xbf, 0x52, - 0x67, 0xbc, 0x28, 0x8a, 0xb0, 0x19, 0x25, 0x60, 0x64, 0x5e, 0x5a, 0x08, - 0x8a, 0x11, 0x33, 0x38, 0xee, 0x74, 0x95, 0x3e, 0xc1, 0xbb, 0x85, 0xe5, - 0xaa, 0x0f, 0x75, 0x54, 0x9b, 0x72, 0x80, 0xea, 0xd5, 0x6f, 0x6b, 0x84, - 0x41, 0x4d, 0x3a, 0xe3, 0x42, 0x92, 0xfe, 0xb2, 0x9e, 0xd5, 0xe5, 0x96, - 0x93, 0x8b, 0xae, 0x5c, 0x44, 0xa1, 0xb1, 0xc1, 0xbe, 0x14, 0xcd, 0xd9, - 0xba, 0xa8, 0xf5, 0xbd, 0x1a, 0xc5, 0x87, 0x10, 0x4a, 0x94, 0x52, 0x3d, - 0xef, 0x3c, 0x41, 0xb5, 0x6d, 0x1e, 0xc9, 0x52, 0xf7, 0x30, 0xcf, 0x57, - 0xf7, 0x93, 0x14, 0xcc, 0xb6, 0xe8, 0x96, 0x83, 0xb9, 0xc5, 0x6a, 0xae, - 0x04, 0x64, 0x09, 0x37, 0xeb, 0xc4, 0xf6, 0x08, 0x8a, 0x2a, 0x27, 0x06, - 0xac, 0x58, 0x23, 0x13, 0x89, 0x01, 0x85, 0x8a, 0x49, 0xcc, 0xa5, 0x4b, - 0x7a, 0xa1, 0x46, 0xbb, 0x52, 0x1e, 0x9c, 0xee, 0x45, 0x2c, 0x76, 0xcf, - 0xda, 0xbe, 0xaf, 0xbc, 0x45, 0x26, 0xf0, 0x2e, 0x4a, 0x09, 0xda, 0x3a, - 0xaa, 0x9a, 0x8a, 0xa2, 0x45, 0xc5, 0xb7, 0xed, 0x94, 0xa4, 0x23, 0x42, - 0x4e, 0xf5, 0x8f, 0xeb, 0xb3, 0xc8, 0x40, 0xdd, 0x20, 0x52, 0x4f, 0x6f, - 0xb9, 0x5f, 0x45, 0x90, 0x11, 0x8d, 0x9f, 0x28, 0xdc, 0x70, 0xeb, 0x34, - 0x0b, 0x60, 0x3f, 0x7d, 0x19, 0x11, 0x13, 0xc1, 0x4e, 0x52, 0x10, 0x97, - 0x37, 0x01, 0xcd, 0x0c, 0x6e, 0x3a, 0xae, 0x54, 0x99, 0x3d, 0x06, 0x74, - 0x34, 0x8c, 0xd2, 0xa8, 0xff, 0xbb, 0x5b, 0xb6, 0xfc, 0xfa, 0x3a, 0x0e, - 0xe1, 0xce, 0x0b, 0x18, 0x81, 0xb2, 0x81, 0xd0, 0x2b, 0xdc, 0x89, 0x2e, - 0x2f, 0x40, 0x7a, 0x00, 0xeb, 0xc2, 0x1c, 0x3c, 0xba, 0x65, 0x2a, 0x79, - 0x64, 0xca, 0x72, 0x20, 0x83, 0x03, 0xbc, 0xce, 0xe1, 0xa2, 0x95, 0x89, - 0xba, 0x3b, 0xd9, 0xd7, 0x52, 0x65, 0x51, 0x31, 0x76, 0xa9, 0xe6, 0x47, - 0xce, 0xa9, 0x1e, 0x45, 0x2b, 0x5f, 0xec, 0x5c, 0xab, 0xf2, 0xb5, 0x0a, - 0x25, 0x35, 0x4c, 0x02, 0x22, 0xbe, 0x79, 0xac, 0x0a, 0x26, 0x0a, 0x4d, - 0xba, 
0x1d, 0xc0, 0x4c, 0xd5, 0x32, 0xaf, 0x19, 0x9b, 0xb2, 0xc8, 0xde, - 0x27, 0xad, 0x45, 0x81, 0xbe, 0x0a, 0xaa, 0x57, 0xf1, 0x77, 0x5a, 0x2c, - 0xd9, 0x54, 0xc9, 0x4d, 0xc4, 0x96, 0x0e, 0x8a, 0x5e, 0x8b, 0xee, 0x34, - 0x8d, 0xc7, 0x88, 0x3f, 0xaf, 0xab, 0x3f, 0x6c, 0x4f, 0x39, 0xf0, 0x2d, - 0xd0, 0x4a, 0xbb, 0xa0, 0xd7, 0xf5, 0x9f, 0x14, 0x01, 0x86, 0xa8, 0x2c, - 0x7a, 0x86, 0xd8, 0x34, 0x6a, 0x68, 0x2d, 0xac, 0x77, 0xce, 0xc9, 0xf9, - 0xa7, 0x3a, 0x40, 0xa1, 0x9b, 0x4c, 0x6b, 0x6f, 0x33, 0x45, 0x3f, 0xb5, - 0x11, 0xd3, 0x6a, 0x00, 0x78, 0x5c, 0xcd, 0x7f, 0x60, 0x91, 0x53, 0xe3, - 0xc8, 0x7c, 0x23, 0x7a, 0x74, 0xae, 0xf4, 0x49, 0x39, 0x77, 0xaf, 0xa4, - 0x1f, 0xc5, 0x1b, 0x81, 0x57, 0x43, 0x53, 0x83, 0x7c, 0xb9, 0xaf, 0x6f, - 0xeb, 0xef, 0xb3, 0xdf, 0xc2, 0x88, 0x9d, 0x37, 0x87, 0xe9, 0x93, 0xd4, - 0xe0, 0x11, 0x9d, 0x25, 0x04, 0xf7, 0x51, 0x7d, 0x14, 0xdc, 0x42, 0xb9, - 0xba, 0x54, 0x13, 0x2a, 0xf3, 0xd8, 0x07, 0x9c, 0x6b, 0x26, 0xbf, 0x33, - 0xb6, 0xda, 0x07, 0x84, 0x50, 0x89, 0x91, 0xd4, 0xe2, 0x0b, 0x02, 0xbe, - 0x67, 0xc0, 0x24, 0xd1, 0x4f, 0x47, 0x47, 0x6f, 0xbb, 0x0c, 0xc3, 0x62, - 0x22, 0xcd, 0xec, 0xdd, 0x11, 0x0c, 0x49, 0x78, 0x0e, 0x54, 0x08, 0x6b, - 0x67, 0x54, 0x6f, 0xe1, 0xe9, 0xdb, 0x7d, 0x31, 0xf4, 0xa7, 0x72, 0x5e, - 0x8a, 0xcb, 0x20, 0x26, 0x7b, 0x57, 0xf9, 0x1e, 0x73, 0xf1, 0x4f, 0x7d, - 0x4c, 0x52, 0xce, 0x82, 0x68, 0x8b, 0xe7, 0x2f, 0x9d, 0x59, 0xa3, 0xa8, - 0x68, 0xcf, 0x64, 0x96, 0x5c, 0x41, 0x2d, 0x6c, 0xa2, 0x26, 0xd6, 0x96, - 0xbd, 0xee, 0x2a, 0x91, 0x14, 0x8b, 0x59, 0x9f, 0xdb, 0x1d, 0x42, 0x8a, - 0x75, 0xfa, 0xde, 0x88, 0x9d, 0x98, 0xac, 0x63, 0x68, 0x5e, 0x0e, 0x8a, - 0x72, 0x8b, 0xe3, 0xd7, 0x62, 0xf6, 0x21, 0x6e, 0x72, 0x14, 0xc0, 0x99, - 0xaf, 0xc4, 0x56, 0x67, 0x4a, 0xe3, 0xf4, 0x5c, 0x80, 0x21, 0xef, 0x1e, - 0x6c, 0x45, 0x66, 0x1c, 0x40, 0x1d, 0xaa, 0xfa, 0x2b, 0xeb, 0x5c, 0x79, - 0x7a, 0x9a, 0x3a, 0x59, 0x25, 0x48, 0x08, 0x01, 0x51, 0x95, 0xed, 0x46, - 0x67, 0x14, 0x73, 0xfc, 0x53, 0xa0, 0xe8, 0x48, 0x54, 0x5d, 0x43, 0x8d, - 0xcf, 
0x21, 0x84, 0x88, 0xd1, 0x4a, 0x33, 0xf3, 0x4d, 0xdd, 0x66, 0xe6, - 0x64, 0x74, 0x97, 0x6e, 0x79, 0x70, 0x98, 0x30, 0x12, 0x12, 0x86, 0x45, - 0x94, 0x24, 0x3a, 0x08, 0xbc, 0x57, 0x01, 0x44, 0x65, 0x5e, 0x07, 0x20, - 0xd4, 0xa8, 0xaf, 0x0f, 0xc4, 0x51, 0x39, 0xdd, 0x8c, 0x76, 0x33, 0x03, - 0x36, 0x59, 0x80, 0xcb, 0x56, 0xf6, 0x71, 0x6f, 0x18, 0xda, 0xf3, 0x1c, - 0x3a, 0x53, 0x6f, 0xec, 0x95, 0x8c, 0x8d, 0x9f, 0xa9, 0x15, 0x63, 0xfe, - 0x0e, 0xc7, 0x10, 0x88, 0xde, 0xaf, 0x78, 0x40, 0xef, 0x76, 0xa3, 0x47, - 0x01, 0x66, 0x93, 0xcf, 0x5f, 0x65, 0x19, 0xbb, 0x7a, 0x96, 0x4c, 0x5c, - 0xc7, 0x12, 0xdd, 0xd2, 0xef, 0x22, 0x77, 0xb1, 0xec, 0xc1, 0xbe, 0xbe, - 0x85, 0x9d, 0x84, 0x70, 0x5e, 0xc8, 0x67, 0x80, 0x0b, 0x9b, 0x9e, 0x9b, - 0x46, 0x42, 0x0c, 0x4a, 0x01, 0xdd, 0x8a, 0xba, 0x59, 0x6a, 0xe2, 0x22, - 0x92, 0xca, 0xc0, 0xb3, 0x28, 0x2a, 0x15, 0x17, 0x94, 0xd6, 0xc5, 0x99, - 0x5c, 0xf8, 0xd9, 0xd1, 0xfe, 0xad, 0x5e, 0x4a, 0xd9, 0x13, 0x0a, 0xf0, - 0x8d, 0xd7, 0xf5, 0x86, 0x1a, 0x46, 0x6a, 0x7a, 0x16, 0x25, 0x42, 0xf6, - 0xe9, 0x5b, 0x32, 0xdd, 0x70, 0x1c, 0x16, 0xd3, 0x44, 0x12, 0xce, 0xc2, - 0x52, 0x3b, 0x22, 0x3b, 0xb1, 0x02, 0x82, 0x02, 0x01, 0x00, 0xdf, 0x4b, - 0x49, 0x8c, 0x8d, 0xcc, 0xfb, 0x17, 0xd5, 0x5e, 0x61, 0x17, 0x41, 0x87, - 0x22, 0xfd, 0x50, 0xdf, 0x53, 0xa8, 0x8a, 0xf1, 0xa9, 0x72, 0x2c, 0x1e, - 0x13, 0x78, 0x00, 0x3a, 0x14, 0xbc, 0x17, 0x90, 0x4c, 0x15, 0x61, 0x2c, - 0x63, 0x94, 0xce, 0x04, 0x12, 0xf9, 0x1a, 0xc3, 0xbf, 0xbd, 0xb1, 0x95, - 0x0d, 0x18, 0xfb, 0xfa, 0xa4, 0x42, 0x15, 0xf6, 0x18, 0xb4, 0xb5, 0x52, - 0x0d, 0x93, 0xcc, 0x61, 0x10, 0x7c, 0x38, 0x4c, 0xef, 0x1e, 0x2d, 0x28, - 0xe4, 0x33, 0x51, 0x21, 0x7c, 0x1b, 0x18, 0x03, 0x7e, 0x64, 0x27, 0xa3, - 0xbd, 0x5d, 0xd7, 0xcd, 0xaf, 0xd1, 0x40, 0xe1, 0xbb, 0x61, 0xd7, 0xbe, - 0x55, 0xa0, 0x9a, 0xfd, 0xaf, 0x53, 0xfe, 0x66, 0x7d, 0xb5, 0x26, 0x8a, - 0x49, 0x19, 0x59, 0xdb, 0x37, 0x48, 0xda, 0x01, 0xc1, 0x75, 0x6b, 0xfe, - 0x72, 0xf7, 0x27, 0xfc, 0x22, 0x48, 0x4a, 0xd4, 0x89, 0xf1, 0x3d, 0xdd, - 0x0d, 
0x06, 0x02, 0x3f, 0xf6, 0x71, 0xb8, 0x0f, 0x2b, 0x8f, 0xa8, 0x53, - 0x2c, 0xa8, 0x37, 0xe9, 0xbf, 0x9c, 0xb2, 0xd8, 0x9c, 0x56, 0xcc, 0x74, - 0xe1, 0x0a, 0x69, 0x20, 0xaf, 0x9c, 0xed, 0x5e, 0x15, 0x3e, 0xd9, 0xe0, - 0x76, 0x06, 0x49, 0x25, 0x07, 0x9d, 0xe2, 0xa4, 0xf7, 0xe3, 0x2d, 0x6d, - 0xcf, 0x8d, 0x93, 0x66, 0x23, 0xd8, 0x16, 0x59, 0x78, 0xef, 0xad, 0xf8, - 0x7c, 0xa1, 0xc6, 0xab, 0x3f, 0x4a, 0xf0, 0x19, 0xe6, 0x5b, 0xb2, 0x5a, - 0x2b, 0x00, 0x15, 0x12, 0xe3, 0xb7, 0xf4, 0xcb, 0x77, 0x2b, 0x75, 0x89, - 0xec, 0xdc, 0x4e, 0x3e, 0xe7, 0x51, 0x6a, 0xf9, 0x6f, 0x8a, 0x0c, 0xea, - 0x45, 0x7e, 0x3c, 0x16, 0x9e, 0x4d, 0xf6, 0x6a, 0x83, 0x9a, 0x16, 0x8d, - 0xa8, 0xaa, 0x01, 0x04, 0xc4, 0x1c, 0xac, 0xc9, 0x73, 0xb8, 0xe3, 0x11, - 0xc0, 0x78, 0x65, 0xf6, 0x75, 0xd2, 0x33, 0x40, 0x9f, 0xe4, 0x63, 0x15, - 0xb4, 0xf3, 0xd9, 0x63, 0x54, 0xbd, 0x04, 0x94, 0xb0, 0xf7, 0xa0, 0x40, - 0x0d, 0xf2, 0x88, 0x9b, 0xea, 0xa8, 0x0d, 0x14, 0x60, 0xea, 0x11, 0x4f, - 0x4f, 0xcf, 0x7c, 0xd1, 0x58, 0xb1, 0x8b, 0xa6, 0x0a, 0x3e, 0x3b, 0xf1, - 0xeb, 0xde, 0x27, 0x3e, 0xb0, 0xdf, 0xc5, 0x81, 0x6e, 0xee, 0x44, 0x3a, - 0xae, 0x3e, 0xa0, 0x90, 0x16, 0x9f, 0x2b, 0x28, 0x43, 0xf4, 0xbb, 0x36, - 0xc7, 0x67, 0x80, 0x98, 0x48, 0x2c, 0x73, 0x59, 0x0f, 0x6a, 0x46, 0x4a, - 0xc8, 0xef, 0x24, 0x81, 0x86, 0x8c, 0xa6, 0x68, 0xaa, 0xc8, 0x4f, 0x4d, - 0xb3, 0x8b, 0x19, 0xed, 0xd4, 0x9e, 0x03, 0x6b, 0xec, 0x51, 0x2f, 0xa3, - 0x58, 0xcb, 0x42, 0x97, 0xc7, 0xfd, 0x69, 0xec, 0x06, 0xf0, 0xf6, 0xa5, - 0xc7, 0xd9, 0x49, 0x5a, 0x56, 0x2c, 0x2e, 0xf4, 0x3b, 0xaa, 0x0b, 0xe3, - 0x03, 0x6b, 0x0b, 0x5d, 0x11, 0x50, 0x86, 0x22, 0x3e, 0x6c, 0x38, 0xeb, - 0x4b, 0x45, 0x1b, 0x98, 0x2d, 0x37, 0x35, 0x72, 0xc5, 0x5f, 0x50, 0x8b, - 0xc2, 0x74, 0x00, 0xc5, 0xe3, 0xcf, 0xe0, 0xed, 0x9d, 0x99, 0x58, 0x25, - 0xd6, 0xfa, 0xd9, 0xb2, 0x44, 0x93, 0xe4, 0x33, 0xc8, 0xf7, 0xcb, 0xf1, - 0x5b, 0x09, 0xce, 0x62, 0xab, 0xac, 0x61, 0xcf, 0xc4, 0xf2, 0xd7, 0xca, - 0x86, 0x46, 0xe8, 0x10, 0x11, 0xf7, 0xfe, 0x39, 0x87, 0x1c, 0xea, 0x59, - 0x64, 
0x54, 0x18, 0xe2, 0x8d, 0x8b, 0x8d, 0x59, 0xb4, 0x77, 0xe8, 0xf6, - 0x15, 0x17, 0x04, 0x93, 0x22, 0x44, 0xc2, 0x4c, 0x80, 0xf5, 0xe7, 0x2b, - 0xae, 0x21, 0x14, 0x83, 0x78, 0x35, 0x5a, 0x7f, 0xc7, 0xd7, 0x83, 0xa6, - 0x3a, 0xa4, 0xd6, 0xce, 0x07, 0x8c, 0x37, 0x71, 0x25, 0xd0, 0x3b, 0xf5, - 0x21, 0xd1, 0xb9, 0x4a, 0x38, 0xdb, 0x02, 0x82, 0x02, 0x01, 0x00, 0xd7, - 0x97, 0x6c, 0x4d, 0x1e, 0xa0, 0x0e, 0x28, 0xdd, 0xc3, 0xe9, 0x38, 0xf0, - 0x93, 0x79, 0x05, 0x47, 0x71, 0x1d, 0x1c, 0xcb, 0x8f, 0xde, 0x25, 0x22, - 0x43, 0x70, 0xb9, 0x10, 0xf2, 0x6f, 0x5e, 0xe7, 0xb1, 0x7a, 0x29, 0x53, - 0x95, 0xbe, 0x42, 0x77, 0x2d, 0x9c, 0x34, 0x80, 0x3c, 0x5b, 0xb1, 0x8a, - 0x7d, 0x63, 0x7a, 0x1a, 0xb7, 0x1a, 0x09, 0xa4, 0x2b, 0xd0, 0x17, 0xc3, - 0x7c, 0xab, 0xa1, 0xf0, 0xb5, 0x77, 0x5d, 0xa4, 0x2e, 0x94, 0x8d, 0xfc, - 0x5a, 0x7c, 0xc4, 0x82, 0x87, 0x2c, 0x9a, 0xb1, 0x20, 0xff, 0x19, 0x1b, - 0x8b, 0xf4, 0x12, 0xe3, 0xe9, 0x62, 0x53, 0x82, 0x71, 0x22, 0x62, 0x4b, - 0xe9, 0x6c, 0xd4, 0x64, 0xe6, 0x44, 0x0f, 0xf9, 0x9f, 0xc3, 0xdd, 0x35, - 0xfa, 0xc1, 0x33, 0x2f, 0x90, 0x93, 0x58, 0x2a, 0xe0, 0x33, 0xae, 0x08, - 0xad, 0xbd, 0xac, 0x67, 0xfc, 0x17, 0x54, 0x26, 0xeb, 0xd3, 0x53, 0xaa, - 0x4f, 0x13, 0xda, 0xad, 0x47, 0x34, 0x7c, 0x8f, 0xee, 0x55, 0x4e, 0xdf, - 0x1e, 0xff, 0x81, 0xa0, 0xc2, 0xf5, 0xa3, 0x77, 0x08, 0x66, 0x84, 0xc3, - 0xd1, 0x11, 0x0f, 0x63, 0x3b, 0xa3, 0xee, 0xd0, 0xb5, 0xbb, 0xd0, 0xb4, - 0xbe, 0x78, 0x89, 0xc3, 0x97, 0x63, 0x01, 0x75, 0x4b, 0x98, 0x1a, 0x13, - 0xba, 0x99, 0x2a, 0x16, 0x18, 0x54, 0xce, 0x4d, 0x18, 0x03, 0x58, 0xc7, - 0x4a, 0x90, 0x61, 0xa1, 0x45, 0x0c, 0x2a, 0x86, 0x8f, 0x73, 0xb4, 0x1a, - 0x03, 0xe5, 0x3c, 0x24, 0xef, 0x95, 0x73, 0xf0, 0xde, 0x77, 0x67, 0x1d, - 0xd9, 0x55, 0x2e, 0x94, 0x88, 0x4b, 0xce, 0x91, 0x67, 0xf1, 0x48, 0x0c, - 0xf9, 0x81, 0xeb, 0x82, 0x8d, 0xee, 0x20, 0xf4, 0xe9, 0x4e, 0x18, 0x35, - 0x65, 0x86, 0x2e, 0x99, 0x24, 0x7d, 0x50, 0x03, 0xe2, 0x03, 0x0f, 0x4f, - 0xbb, 0x6e, 0x50, 0x3a, 0x74, 0xae, 0xd1, 0x8b, 0x8b, 0x50, 0x1c, 0x43, - 0xb4, 
0xb4, 0x94, 0xb8, 0xe6, 0x5c, 0x61, 0x06, 0x0b, 0x8c, 0xf4, 0x90, - 0xfb, 0x00, 0x21, 0xf2, 0x1f, 0x22, 0xf3, 0x04, 0x58, 0xb7, 0xf7, 0x29, - 0xe7, 0xc4, 0x55, 0xfb, 0xb2, 0xcd, 0x8d, 0xa4, 0x49, 0x91, 0x3c, 0xd0, - 0xd6, 0xa2, 0xc4, 0x69, 0x5d, 0x84, 0xbd, 0x4f, 0x6b, 0xa5, 0x8a, 0x23, - 0xcd, 0xcb, 0x1c, 0xba, 0x25, 0xc2, 0xdd, 0x57, 0x50, 0xec, 0xe6, 0x24, - 0x05, 0x3d, 0xf6, 0x98, 0x97, 0x7e, 0x57, 0xe9, 0xfd, 0xf4, 0x03, 0x83, - 0xc7, 0x6c, 0xc9, 0x54, 0x01, 0xec, 0x95, 0xfd, 0xfa, 0x91, 0x30, 0x8d, - 0x70, 0xd0, 0x15, 0x68, 0xa0, 0x5d, 0xea, 0x12, 0x09, 0xf4, 0x8a, 0xb5, - 0xa3, 0x21, 0x64, 0xf8, 0xa8, 0x86, 0x0e, 0x67, 0xa4, 0x39, 0x59, 0x3c, - 0xdb, 0xc0, 0xc4, 0x95, 0x28, 0x16, 0x89, 0x5c, 0x11, 0x1e, 0x8c, 0x23, - 0x64, 0x9c, 0x12, 0x15, 0x25, 0xf5, 0x07, 0xc9, 0x21, 0x40, 0xf4, 0x82, - 0xe9, 0x15, 0x18, 0x16, 0x7b, 0xe5, 0x99, 0xc6, 0x7c, 0xd0, 0x8d, 0x18, - 0x95, 0xb4, 0xbb, 0xef, 0x07, 0x51, 0x97, 0xac, 0x51, 0xdc, 0xd6, 0x65, - 0xeb, 0xf8, 0xe6, 0x70, 0xa4, 0x1a, 0x77, 0x0c, 0x6d, 0x60, 0xad, 0x10, - 0x62, 0xd2, 0xc2, 0x93, 0x09, 0x3f, 0x1a, 0xee, 0x71, 0xbd, 0xe6, 0xec, - 0x89, 0xb2, 0xa1, 0x5d, 0xb1, 0x36, 0x74, 0x5b, 0xe3, 0x6d, 0x25, 0x55, - 0xa7, 0x27, 0xfa, 0x54, 0x2f, 0xf1, 0x75, 0x10, 0x7e, 0x36, 0xec, 0x03, - 0x7b, 0x6d, 0x21, 0x0a, 0x7e, 0x28, 0x18, 0xc4, 0x3c, 0xb3, 0xde, 0xcf, - 0xbe, 0xa2, 0x6b, 0x80, 0xba, 0x88, 0x00, 0x89, 0xce, 0x43, 0x34, 0x3a, - 0x72, 0x81, 0x05, 0x94, 0xec, 0x51, 0x67, 0xad, 0xeb, 0xa8, 0x2e, 0x8f, - 0xcc, 0x47, 0x9b, 0xf5, 0xd5, 0x25, 0x79, 0x02, 0x82, 0x02, 0x01, 0x00, - 0x94, 0x9a, 0x47, 0x2d, 0x5a, 0x25, 0x63, 0xa9, 0x9d, 0xdf, 0x3c, 0xa0, - 0x3c, 0x84, 0xd1, 0xdd, 0x61, 0xd7, 0xee, 0x96, 0x09, 0x3a, 0x00, 0xf9, - 0xb1, 0xb0, 0xa6, 0x66, 0x43, 0x48, 0x64, 0x0a, 0x35, 0x68, 0x5b, 0xaa, - 0x12, 0xcc, 0x76, 0xcd, 0x4e, 0x39, 0xd9, 0xe2, 0x9c, 0x54, 0x4f, 0xa3, - 0xcf, 0xae, 0x11, 0x54, 0x62, 0x45, 0x90, 0xd1, 0x46, 0x4a, 0x4c, 0x70, - 0xdf, 0x06, 0xe7, 0x70, 0x48, 0x21, 0x04, 0xd6, 0x96, 0xa5, 0x64, 0xb1, - 0x61, 
0x7e, 0x88, 0x38, 0x3a, 0xb3, 0x1d, 0x23, 0xee, 0xdc, 0x4c, 0x5e, - 0x1d, 0x1f, 0x54, 0x64, 0x42, 0xbd, 0x69, 0x57, 0xca, 0x65, 0x2f, 0xce, - 0x52, 0xc5, 0x21, 0xb9, 0x4b, 0xcc, 0xae, 0xc5, 0x28, 0x56, 0x4f, 0x2c, - 0xa2, 0xa4, 0x7f, 0x37, 0x76, 0xdc, 0x74, 0x33, 0x70, 0x9a, 0xa0, 0x84, - 0x23, 0xc5, 0xe7, 0xfe, 0xe2, 0x46, 0x63, 0x0e, 0x57, 0x76, 0x91, 0x02, - 0xd2, 0x97, 0xed, 0x15, 0xe5, 0xa3, 0x69, 0xc0, 0x8e, 0xac, 0xd1, 0xe1, - 0xbe, 0x34, 0xf4, 0x50, 0x53, 0x3d, 0xa5, 0xbe, 0x84, 0x2b, 0xb2, 0x07, - 0xf5, 0xf3, 0x86, 0xdc, 0xe5, 0xcf, 0xd1, 0xef, 0x8e, 0xed, 0x01, 0x18, - 0x9d, 0xe9, 0x4a, 0xc2, 0xae, 0x25, 0x0d, 0xa7, 0x9e, 0x71, 0x09, 0x63, - 0xd0, 0x14, 0xf7, 0x7f, 0x11, 0xec, 0x74, 0xc8, 0x57, 0x3f, 0x5e, 0x43, - 0xac, 0x34, 0xe5, 0xc4, 0xc8, 0x31, 0xa9, 0x62, 0x96, 0xdd, 0xb5, 0xb7, - 0xaa, 0xbf, 0x65, 0x44, 0x9d, 0xc1, 0xbf, 0x78, 0xea, 0x5a, 0x0a, 0x4a, - 0x0a, 0xe4, 0x2a, 0x95, 0x07, 0x21, 0xc7, 0xd2, 0x20, 0x6e, 0x36, 0x33, - 0xda, 0x9a, 0x82, 0x7b, 0x1b, 0x44, 0x36, 0x40, 0x4e, 0x50, 0xde, 0x9a, - 0x4a, 0x8e, 0x26, 0x04, 0x55, 0xbf, 0x35, 0x40, 0x9c, 0x21, 0x49, 0x79, - 0x6e, 0xec, 0x9e, 0x79, 0xc1, 0xe9, 0xbe, 0xc9, 0x90, 0x40, 0x5e, 0xe8, - 0xa0, 0xa4, 0x8e, 0x93, 0x86, 0x46, 0x1b, 0xdb, 0xdb, 0x53, 0x95, 0x5e, - 0x86, 0xf0, 0x7a, 0x17, 0xc1, 0xa0, 0x7a, 0x0f, 0x32, 0xfd, 0x2f, 0xee, - 0x36, 0x6c, 0xe1, 0x01, 0x85, 0xe0, 0xd0, 0xb4, 0xff, 0xea, 0x15, 0x81, - 0x0b, 0x65, 0xda, 0x02, 0x33, 0x7d, 0xfe, 0x3a, 0x3d, 0xf8, 0x00, 0xba, - 0x62, 0xff, 0xe6, 0x7c, 0x59, 0x60, 0xeb, 0x1d, 0x2c, 0x9c, 0x94, 0x75, - 0x27, 0xae, 0xb2, 0x10, 0x08, 0xbd, 0xcf, 0xb2, 0x7d, 0x65, 0x74, 0xe3, - 0xd6, 0x39, 0xe8, 0xf5, 0x76, 0x07, 0x19, 0x63, 0x3b, 0x50, 0x06, 0xf0, - 0x5e, 0x0e, 0xa9, 0x01, 0x56, 0xd5, 0x37, 0x9d, 0x9d, 0x4b, 0x52, 0xaf, - 0x49, 0x13, 0xdd, 0x81, 0x10, 0x25, 0x70, 0xfc, 0x0e, 0x64, 0xfc, 0xcd, - 0x9a, 0x68, 0x03, 0xd3, 0x70, 0x84, 0xc5, 0x3a, 0x8c, 0x59, 0x0f, 0xe8, - 0x00, 0x17, 0x29, 0x6c, 0x30, 0xd8, 0xd4, 0x30, 0x11, 0xc4, 0x72, 0x64, - 0x95, 
0x90, 0xc9, 0xbc, 0x09, 0x3c, 0x42, 0x43, 0x2e, 0xb7, 0xdd, 0xf0, - 0xab, 0xeb, 0x07, 0x13, 0x2a, 0x7c, 0x88, 0x3b, 0x0d, 0x47, 0x35, 0x8e, - 0x1a, 0xe2, 0xbb, 0xea, 0x9f, 0xbc, 0x8a, 0xf5, 0x1d, 0x76, 0xf5, 0x35, - 0x2c, 0x2d, 0xc8, 0xd7, 0x82, 0xd9, 0x99, 0xc4, 0x94, 0x27, 0xb0, 0xbb, - 0xa8, 0xae, 0xe8, 0xa4, 0x01, 0xc6, 0xc8, 0x1e, 0x91, 0xba, 0xf9, 0x57, - 0x5e, 0x02, 0xf5, 0xc9, 0x1d, 0xf2, 0x90, 0x1e, 0xa2, 0x88, 0x63, 0x99, - 0x35, 0x99, 0xa7, 0xb9, 0x74, 0xda, 0xf2, 0x80, 0x6e, 0x0a, 0x79, 0xfc, - 0xac, 0xc7, 0x1e, 0x10, 0x77, 0xd5, 0x72, 0xc7, 0x97, 0x1d, 0xd9, 0x02, - 0x6d, 0x63, 0xd0, 0x3d, 0x69, 0x93, 0x1d, 0xe4, 0xcb, 0xf4, 0xea, 0x24, - 0x65, 0xf2, 0xa2, 0x7a, 0x2f, 0x64, 0xdc, 0xe7, 0x02, 0x82, 0x02, 0x01, - 0x00, 0xb9, 0x65, 0x68, 0x26, 0xf1, 0x9d, 0x26, 0x50, 0x12, 0x55, 0x35, - 0x2c, 0x58, 0x06, 0x19, 0xde, 0x66, 0x4f, 0x69, 0x7f, 0xa7, 0xb6, 0x32, - 0x8c, 0xb0, 0x68, 0x5a, 0x79, 0x6b, 0x8f, 0x70, 0x22, 0xa7, 0x10, 0x42, - 0x43, 0x63, 0xb3, 0xb4, 0x07, 0xa8, 0x41, 0x3a, 0xc1, 0x13, 0x3d, 0xd4, - 0x84, 0x5a, 0xd9, 0xf5, 0x3f, 0xbd, 0xd5, 0x93, 0xb8, 0x92, 0xcb, 0x72, - 0x89, 0xdc, 0xfc, 0x4b, 0x04, 0x59, 0xe1, 0x53, 0xa2, 0xdd, 0x5b, 0x89, - 0x38, 0x88, 0xb8, 0xaf, 0xee, 0xb5, 0x68, 0xd4, 0xfc, 0xba, 0x31, 0xeb, - 0xed, 0x85, 0x78, 0xd7, 0x0d, 0x9f, 0x9c, 0xc5, 0x87, 0x96, 0xf6, 0xff, - 0x60, 0x94, 0x73, 0x49, 0xb9, 0x64, 0x83, 0x78, 0x28, 0x5c, 0xbb, 0xfd, - 0x4d, 0x2f, 0xec, 0x51, 0x54, 0x59, 0x24, 0xf4, 0xf0, 0xae, 0xfe, 0x5a, - 0xb2, 0xe0, 0x97, 0xb8, 0x32, 0x98, 0xc1, 0x7a, 0xb6, 0x4d, 0x3a, 0x23, - 0x63, 0x21, 0x64, 0x1b, 0x68, 0xc3, 0xf6, 0x25, 0xb6, 0xb0, 0x77, 0x7e, - 0x38, 0xf3, 0x3a, 0xce, 0xf2, 0x84, 0x72, 0xe3, 0x96, 0x0c, 0xf8, 0xd6, - 0x60, 0x79, 0x9c, 0x42, 0x15, 0x7f, 0x7a, 0x7c, 0x41, 0x14, 0x8e, 0x13, - 0xd3, 0x28, 0x7b, 0x5b, 0x60, 0xed, 0x28, 0x34, 0x65, 0xbe, 0x9e, 0xa1, - 0x50, 0x5b, 0x82, 0xed, 0xcf, 0xf9, 0x6c, 0x37, 0x11, 0xa9, 0xce, 0x6a, - 0xa2, 0x5f, 0xcf, 0x49, 0x56, 0x0b, 0xbf, 0x3a, 0xf5, 0x1e, 0xfe, 0x21, - 0xbb, 
0xd1, 0x5b, 0x64, 0x38, 0x52, 0x73, 0x0d, 0x8c, 0xc4, 0xa8, 0x2a, - 0xfa, 0x2b, 0xfb, 0x07, 0x7b, 0xa5, 0x13, 0x88, 0x4d, 0x3d, 0x51, 0xab, - 0x76, 0x10, 0x62, 0x48, 0x4d, 0x64, 0xd9, 0xf4, 0xdb, 0xb6, 0x81, 0x23, - 0x3d, 0x42, 0x3d, 0xea, 0x24, 0x0c, 0x62, 0x0a, 0xb9, 0x52, 0x7d, 0x7b, - 0xb0, 0x21, 0x1a, 0xc7, 0x84, 0x8a, 0xa0, 0x68, 0xed, 0x9e, 0x18, 0xd1, - 0x6d, 0x5c, 0xf3, 0xfb, 0x0e, 0xa1, 0xea, 0xc7, 0xaa, 0x4f, 0xee, 0x82, - 0xea, 0x95, 0xfa, 0xa3, 0x64, 0x8d, 0xb8, 0x24, 0xef, 0xe2, 0xdf, 0x00, - 0x64, 0xb6, 0x4e, 0xae, 0xd2, 0x5a, 0x3e, 0xaa, 0xf1, 0x91, 0x44, 0x0a, - 0x77, 0xc8, 0x07, 0xab, 0xb5, 0x47, 0xfe, 0xb9, 0xf5, 0xaa, 0x64, 0xa1, - 0xd8, 0xa7, 0x6d, 0x83, 0xab, 0x52, 0x90, 0xc2, 0x80, 0x61, 0x64, 0x20, - 0x34, 0xd0, 0xe9, 0x09, 0x1e, 0x14, 0x9e, 0xc2, 0x71, 0x8b, 0xb1, 0x6d, - 0xb3, 0xd0, 0x11, 0x21, 0x06, 0x09, 0x0e, 0x16, 0x8b, 0xed, 0xfb, 0x19, - 0xfc, 0x2c, 0xc5, 0xc4, 0xcb, 0x84, 0x4b, 0xd4, 0x37, 0x44, 0x07, 0xf7, - 0x99, 0x89, 0x15, 0x9d, 0xd4, 0x1c, 0xd9, 0x9f, 0x5e, 0xa7, 0xd5, 0xdb, - 0xd3, 0x57, 0xb8, 0x8a, 0x8f, 0x02, 0xcd, 0x94, 0x83, 0xce, 0xfe, 0x91, - 0xcc, 0x65, 0x6b, 0x51, 0xa3, 0x63, 0x38, 0x5e, 0xfc, 0xb1, 0x03, 0xbd, - 0xbe, 0x07, 0x0d, 0xb5, 0xac, 0x1f, 0x39, 0xb0, 0x7a, 0x8a, 0xec, 0x2e, - 0xd4, 0x07, 0x3e, 0x46, 0x4c, 0x0f, 0x03, 0xb6, 0x30, 0xbe, 0x69, 0x2f, - 0x85, 0xd7, 0xe4, 0x13, 0x08, 0xe7, 0xf8, 0xd7, 0x21, 0x65, 0x38, 0x72, - 0x18, 0xa1, 0xac, 0xba, 0x1d, 0xc5, 0x20, 0x00, 0x7a, 0x82, 0x6e, 0xa1, - 0xa6, 0x01, 0xe7, 0x70, 0x0b, 0xc0, 0x6c, 0x72, 0xad, 0xa1, 0x8f, 0x73, - 0xfe, 0xd5, 0x27, 0x88, 0x03, 0x87, 0x7e, 0x2b, 0x20, 0x46, 0x6c, 0xa3, - 0x82, 0x56, 0x84, 0x3f, 0x96, 0x58, 0x55, 0xa0, 0xd9, 0x9b, 0x77, 0xb0, - 0x1e, 0x7d, 0x7c, 0x2c, 0x64, 0x52, 0x31, 0x16, 0x5f, 0x90, 0x22, 0x26, - 0x3c, 0xb5, 0xbe, 0x5e, 0x21, 0x94, 0xad, 0x9c, 0x5b, 0x92, 0x7e, 0xc3, - 0x04, 0x37, 0x78, 0xae, 0x63, 0xfa, 0x05, 0xaf, 0xd1, 0x02, 0x82, 0x02, - 0x01, 0x00, 0x86, 0xf2, 0xb0, 0x69, 0x17, 0x39, 0xa4, 0x5d, 0x3c, 0x4e, - 0x5c, 
0x8c, 0x07, 0x91, 0x7f, 0x8a, 0x2b, 0x47, 0xd0, 0x6c, 0x60, 0xf7, - 0x23, 0x4c, 0x53, 0x31, 0xae, 0x27, 0xbe, 0x13, 0x07, 0x52, 0xe9, 0x9a, - 0x5c, 0xb3, 0xb6, 0x4d, 0x21, 0x7c, 0xf0, 0x0b, 0x68, 0x99, 0xa9, 0xc2, - 0x07, 0xc0, 0x26, 0xa9, 0x90, 0x15, 0x86, 0xde, 0x72, 0x1a, 0x3e, 0x80, - 0x03, 0x2e, 0xc4, 0xa8, 0xec, 0xd1, 0x23, 0x72, 0x85, 0xd7, 0x46, 0x4e, - 0xb0, 0xac, 0x92, 0x50, 0xa3, 0xb9, 0x80, 0x97, 0xe4, 0x01, 0x67, 0xad, - 0xd2, 0xf8, 0xc6, 0x64, 0x85, 0x0a, 0xde, 0x7a, 0xe5, 0xc0, 0xc9, 0xe7, - 0xf0, 0x09, 0x13, 0xcc, 0xb8, 0x43, 0x52, 0x1d, 0x0d, 0xbb, 0x25, 0x85, - 0xdf, 0xe1, 0xaa, 0x27, 0x59, 0xaf, 0x4b, 0xf4, 0xc7, 0x31, 0x25, 0xab, - 0x19, 0xaf, 0xf9, 0x3c, 0x3e, 0x35, 0x78, 0x0e, 0xe2, 0x0e, 0xa4, 0xc9, - 0x23, 0xd2, 0x0f, 0x29, 0xa0, 0x85, 0x7c, 0xd6, 0xc6, 0xb6, 0x73, 0x0e, - 0xca, 0x66, 0x2c, 0xa3, 0x90, 0x9c, 0xe5, 0xd1, 0x2e, 0xfd, 0x99, 0x7d, - 0x30, 0x1f, 0xd5, 0xb2, 0x73, 0xa0, 0x74, 0x2a, 0xdc, 0xa0, 0x9d, 0x31, - 0x00, 0x2f, 0xf0, 0x05, 0x33, 0xc0, 0xca, 0x85, 0x71, 0x86, 0xed, 0x31, - 0x8e, 0x22, 0xe4, 0x47, 0x00, 0xb1, 0x30, 0x1c, 0xc9, 0xaa, 0x97, 0x3a, - 0x5f, 0x0d, 0x18, 0x7a, 0xc0, 0x35, 0x89, 0x3b, 0xed, 0x1d, 0x01, 0xb6, - 0x55, 0x4c, 0x57, 0x90, 0xf2, 0x0e, 0xe3, 0x9c, 0x23, 0x6f, 0xd2, 0xc0, - 0x2b, 0x4b, 0x4d, 0x7a, 0xb6, 0x00, 0xa5, 0x30, 0xdd, 0xce, 0xfa, 0x6b, - 0x9b, 0xee, 0x63, 0xa8, 0xea, 0xd5, 0xeb, 0x6c, 0xfe, 0x8a, 0x93, 0xf4, - 0x19, 0x1c, 0xe3, 0x90, 0x1c, 0x30, 0xc0, 0xb6, 0xc5, 0xec, 0xdf, 0x55, - 0xe3, 0x43, 0xd5, 0x2f, 0xc8, 0x72, 0xbb, 0x14, 0x7d, 0x4b, 0x6c, 0x44, - 0x72, 0xef, 0x1f, 0x4f, 0x47, 0xe8, 0xd3, 0xb0, 0x32, 0x51, 0x1a, 0x3f, - 0x4e, 0xba, 0xd5, 0x2f, 0x68, 0xcf, 0x84, 0xa0, 0x8b, 0x3b, 0xd4, 0x89, - 0x90, 0xe0, 0xd1, 0xfa, 0x64, 0xd8, 0x34, 0x26, 0x19, 0xbf, 0x4f, 0xb0, - 0xb1, 0x7d, 0xc4, 0x8f, 0xe3, 0x4a, 0x4e, 0x24, 0x8d, 0xed, 0xc2, 0x38, - 0x62, 0x6c, 0x21, 0x17, 0x25, 0x5a, 0x51, 0x02, 0x9d, 0xc9, 0x12, 0xd6, - 0x9e, 0x80, 0x68, 0x83, 0x3d, 0xf0, 0xdd, 0x90, 0x3d, 0xa4, 0x9f, 0xf4, - 0x73, 
0xa9, 0x9d, 0x20, 0x86, 0x12, 0xd5, 0x58, 0x25, 0xc0, 0x79, 0xcf, - 0xf5, 0x24, 0x1b, 0x6c, 0x2d, 0xf4, 0x6c, 0x28, 0xb7, 0x38, 0x2b, 0x80, - 0xb4, 0xa8, 0x02, 0xd9, 0x41, 0x3e, 0x78, 0x04, 0xa2, 0x72, 0xd4, 0x41, - 0x20, 0xfc, 0xbf, 0x72, 0x6c, 0x5a, 0x92, 0x49, 0x8c, 0x42, 0x2a, 0xd4, - 0x93, 0x8a, 0xee, 0x2d, 0x01, 0xe6, 0x18, 0xbb, 0x59, 0xa1, 0x35, 0x60, - 0x3c, 0x24, 0x22, 0x3b, 0x64, 0xc3, 0xa0, 0xb8, 0x46, 0x3b, 0x96, 0x74, - 0xf5, 0xd1, 0x15, 0xcb, 0x34, 0xcb, 0x2d, 0xc0, 0x05, 0x62, 0xe1, 0x2c, - 0x36, 0x27, 0x9c, 0x5c, 0xb9, 0x08, 0xef, 0x90, 0x85, 0xfa, 0xcc, 0x23, - 0x72, 0x09, 0x9a, 0x05, 0x52, 0xff, 0xee, 0x34, 0x4f, 0xae, 0xc3, 0x4d, - 0xcc, 0x7d, 0xaa, 0xf3, 0xdc, 0xe8, 0xe6, 0xa8, 0xb6, 0xa8, 0x23, 0x98, - 0x23, 0x32, 0xab, 0x92, 0xd6, 0x27, 0xcd, 0x8a, 0x0a, 0xe3, 0x41, 0x25, - 0x96, 0x0b, 0xfc, 0xa7, 0x57, 0x07, 0x89, 0x56, 0x49, 0x3b, 0x0d, 0xb6, - 0x56, 0x3f, 0x1d, 0x0c, 0x14, 0xae, 0xf7, 0xd9, 0x88, 0xb1, 0xdd, 0x75, - 0xde, 0x3c, 0xcd, 0xc1, 0x3a, 0x20, 0x5a, 0x39, 0x91, 0x36, 0xb9, 0xda, - 0x88, 0xc0, 0x26, 0xe1, 0xbb, 0x69, 0xe9, 0x0a, 0x7f, 0xe7 -}; + 0x30, 0x82, 0x12, 0x2a, 0x02, 0x01, 0x00, 0x02, 0x82, 0x04, 0x01, 0x00, + 0xbc, 0x0c, 0x4e, 0xa4, 0x74, 0x61, 0xa3, 0xe8, 0x73, 0x85, 0x65, 0xea, + 0x6f, 0x7c, 0x4e, 0xf1, 0x9f, 0xef, 0x84, 0x17, 0x7f, 0x96, 0xf6, 0xa5, + 0xd9, 0x6c, 0x4a, 0x1a, 0x5c, 0x30, 0x61, 0xbe, 0x00, 0x85, 0x57, 0x38, + 0x01, 0xd7, 0x34, 0xf0, 0x6c, 0x30, 0xbb, 0xfc, 0xaa, 0xa3, 0x53, 0x2c, + 0xe9, 0xf7, 0x31, 0x4b, 0x40, 0x06, 0xb0, 0xaf, 0xe6, 0x38, 0x81, 0xbb, + 0x4e, 0x9a, 0x34, 0x56, 0xfa, 0x3f, 0xf4, 0x3c, 0x49, 0x70, 0x02, 0x8d, + 0xa3, 0x22, 0x49, 0x6b, 0x32, 0x81, 0x6f, 0x94, 0xb8, 0x24, 0x05, 0x8e, + 0xbb, 0xd4, 0x00, 0x33, 0x59, 0x30, 0xe9, 0xde, 0xf5, 0x74, 0x92, 0xee, + 0x92, 0x10, 0xd4, 0xd3, 0xfe, 0xc7, 0xb7, 0x61, 0x44, 0xaa, 0xf2, 0x8a, + 0xed, 0x7e, 0x26, 0x07, 0xea, 0x61, 0x3b, 0xf4, 0x8d, 0xac, 0x0f, 0xba, + 0x95, 0xb7, 0x37, 0xfe, 0x21, 0x56, 0x13, 0x30, 0xaa, 0x6f, 0xf2, 0x82, + 0xdf, 0xca, 
0xa1, 0x26, 0xac, 0x44, 0x24, 0x15, 0xca, 0x22, 0x16, 0x02, + 0xeb, 0x10, 0x8d, 0x08, 0xf4, 0xd5, 0x80, 0x95, 0x56, 0x30, 0xa7, 0xb9, + 0x28, 0xed, 0x75, 0x95, 0x54, 0xd0, 0xc1, 0xaf, 0x28, 0x4b, 0xd0, 0x78, + 0x56, 0x2b, 0xca, 0x68, 0x07, 0x49, 0x39, 0xae, 0x17, 0x39, 0x6c, 0xb4, + 0x5a, 0xdb, 0x1e, 0x2b, 0xd5, 0xe1, 0x9b, 0x7f, 0x90, 0x66, 0xd9, 0x3b, + 0x7d, 0x17, 0xb3, 0x8d, 0xb5, 0xa3, 0x0f, 0x73, 0x72, 0xce, 0x14, 0x91, + 0x63, 0x33, 0x60, 0xf5, 0xc7, 0x32, 0x6c, 0xb3, 0x20, 0x49, 0xf1, 0xef, + 0x7e, 0xd7, 0x6d, 0x18, 0x93, 0x10, 0xa4, 0xae, 0xa3, 0xb2, 0x5a, 0x89, + 0x3e, 0xdc, 0xde, 0x0e, 0xec, 0xd1, 0xb4, 0x55, 0x82, 0x9b, 0xd5, 0xd0, + 0x3d, 0x64, 0x12, 0xdd, 0x90, 0x9b, 0x25, 0x01, 0x3f, 0xa3, 0x2a, 0x8e, + 0xd5, 0x22, 0x4c, 0x7b, 0xf3, 0xef, 0x51, 0x73, 0x6d, 0x21, 0x14, 0x75, + 0xbd, 0x2e, 0x32, 0xcb, 0xe7, 0xfe, 0x9f, 0x80, 0x2d, 0x2e, 0xa9, 0x1b, + 0xbe, 0x3f, 0xcd, 0xb4, 0x7b, 0x37, 0xf5, 0xd4, 0x4e, 0xc7, 0x36, 0x5c, + 0x6e, 0x7b, 0x72, 0x9f, 0xfe, 0x74, 0x3e, 0xa8, 0x7f, 0x39, 0x31, 0xa2, + 0x87, 0x12, 0x05, 0x23, 0x77, 0xac, 0x44, 0xd4, 0xbc, 0x21, 0x5c, 0x3e, + 0x91, 0xc5, 0x98, 0x96, 0x0c, 0x1c, 0xce, 0xd3, 0x71, 0x0b, 0x0f, 0x73, + 0x18, 0xbc, 0x0a, 0xa9, 0x8b, 0x76, 0x03, 0x46, 0x04, 0xa4, 0x59, 0xa0, + 0x2b, 0xe2, 0xff, 0x53, 0x4a, 0xc2, 0xf0, 0x29, 0xe3, 0x84, 0x55, 0x9d, + 0x5c, 0x6d, 0xf8, 0xf6, 0x39, 0xaa, 0xc4, 0x6f, 0xaa, 0x0b, 0x4d, 0x8d, + 0xa7, 0xb6, 0x27, 0x68, 0x27, 0xc9, 0x63, 0x51, 0xec, 0x8c, 0xde, 0xd0, + 0x4d, 0xb0, 0xf8, 0x8d, 0x35, 0x30, 0x35, 0xe4, 0xa0, 0xb1, 0xef, 0x8d, + 0xfd, 0xdd, 0x47, 0x08, 0xb1, 0x00, 0x13, 0x46, 0xad, 0xf7, 0x44, 0x15, + 0xab, 0xdf, 0xe7, 0xcf, 0xaa, 0xf2, 0xe2, 0x20, 0x8d, 0x28, 0x31, 0x23, + 0x01, 0x75, 0x7d, 0x1f, 0x96, 0x32, 0x4a, 0x8b, 0xb5, 0x2e, 0x34, 0x06, + 0xa5, 0xea, 0x27, 0x52, 0xf6, 0xc3, 0xaa, 0x30, 0x06, 0x21, 0x0f, 0x18, + 0xae, 0xae, 0x26, 0x13, 0xf0, 0xab, 0x4b, 0x11, 0x05, 0x0c, 0x6e, 0xd8, + 0x09, 0xdb, 0xdf, 0xca, 0xee, 0x7c, 0x66, 0x7c, 0x50, 0xbb, 0x34, 0xf9, + 0x4b, 0x91, 
0x93, 0xce, 0x43, 0xcb, 0x38, 0xf3, 0xf0, 0x24, 0x7c, 0x3e, + 0xea, 0x33, 0x4a, 0xcd, 0x35, 0x33, 0x83, 0xe2, 0xe2, 0xf9, 0xe0, 0x81, + 0x13, 0xb9, 0xbb, 0x4e, 0xb0, 0xf5, 0x16, 0x41, 0x23, 0x59, 0xab, 0x98, + 0x4a, 0x16, 0xb3, 0x79, 0xce, 0x41, 0xc7, 0x34, 0x74, 0xdc, 0x2f, 0xac, + 0xca, 0x41, 0xf7, 0x38, 0xbe, 0xf6, 0xc6, 0xb7, 0x49, 0x01, 0x2e, 0x77, + 0x40, 0x7a, 0x9a, 0x74, 0x1f, 0x81, 0x46, 0x26, 0xd6, 0x8f, 0xdb, 0xc6, + 0x53, 0xdb, 0xc6, 0x69, 0xe5, 0xfa, 0x90, 0xe6, 0xe6, 0xce, 0xf9, 0xbe, + 0x02, 0xda, 0x93, 0xf7, 0xb1, 0xae, 0xf4, 0x85, 0x1d, 0xff, 0xec, 0xfc, + 0x35, 0x7b, 0xc9, 0x70, 0xf4, 0x75, 0xcd, 0xd3, 0xe3, 0x0a, 0x83, 0x4f, + 0xa1, 0xf4, 0x8e, 0x2d, 0x03, 0x98, 0x65, 0xb8, 0xc0, 0x39, 0x81, 0x8a, + 0xdc, 0xf2, 0x1a, 0xe5, 0x41, 0xd2, 0x2c, 0x6b, 0x05, 0x92, 0x3f, 0x29, + 0xe2, 0x4a, 0xc6, 0xf0, 0x5e, 0xfd, 0xe3, 0xa8, 0xa8, 0x1a, 0xc0, 0xe7, + 0xaa, 0x14, 0xd2, 0xd0, 0xff, 0x9f, 0x8d, 0xba, 0x9b, 0x3f, 0xce, 0x8d, + 0x0f, 0x95, 0x29, 0xe2, 0x1c, 0xf9, 0x7a, 0x6c, 0x04, 0x8a, 0x06, 0xcf, + 0x69, 0x80, 0xa8, 0x1d, 0xc7, 0x37, 0xeb, 0x14, 0x6a, 0x47, 0x64, 0x12, + 0xd3, 0x13, 0x35, 0x8b, 0x64, 0x47, 0x0a, 0x64, 0x51, 0x1c, 0x0e, 0x37, + 0x67, 0x99, 0x74, 0x80, 0xe9, 0x13, 0xf4, 0xad, 0xe7, 0x1c, 0xdc, 0x85, + 0x81, 0x95, 0xa1, 0xb9, 0xf3, 0x4a, 0xe9, 0xe6, 0x7d, 0x0c, 0x8f, 0xc1, + 0x6e, 0xae, 0xbb, 0x6b, 0xa9, 0xd9, 0x89, 0xcf, 0xb5, 0xc5, 0x88, 0x72, + 0xfa, 0xbd, 0xe5, 0xb3, 0x09, 0x21, 0x03, 0xb7, 0x0a, 0xfa, 0x9a, 0x2e, + 0x23, 0xfa, 0x75, 0xbd, 0xf7, 0x3d, 0xcf, 0xda, 0x70, 0xe9, 0x58, 0x4c, + 0x91, 0xd2, 0xb0, 0x21, 0xde, 0xc2, 0xe1, 0xd3, 0x2d, 0x90, 0x42, 0xcf, + 0x9c, 0xb0, 0x79, 0x8b, 0xa5, 0xf2, 0xaa, 0xd0, 0xc8, 0xd9, 0x1e, 0x8e, + 0x94, 0xde, 0x48, 0x95, 0x74, 0xc7, 0x63, 0x70, 0x7b, 0x20, 0xda, 0x24, + 0xba, 0x21, 0xd0, 0x24, 0x1a, 0x81, 0x99, 0x8d, 0xc6, 0x69, 0x0e, 0x6e, + 0x2a, 0xa6, 0x7f, 0xac, 0x08, 0xc9, 0x2a, 0x54, 0xd5, 0xd1, 0x8a, 0xc6, + 0xbc, 0xae, 0x24, 0xa5, 0x81, 0x3e, 0x3f, 0xea, 0xc3, 0x93, 0xef, 0x8a, + 0x53, 0x40, 
0xb4, 0x2e, 0x80, 0xe4, 0xbe, 0xab, 0xbb, 0x97, 0x0c, 0x10, + 0x19, 0xab, 0x69, 0xc5, 0xfb, 0x05, 0x33, 0x86, 0x04, 0x57, 0x7b, 0x46, + 0x64, 0xb8, 0x71, 0x7c, 0xa3, 0x00, 0x9e, 0x63, 0x2c, 0x82, 0xe8, 0x3f, + 0x2a, 0x54, 0x40, 0x5d, 0x6c, 0xc9, 0x91, 0x37, 0x82, 0x5b, 0x4e, 0x34, + 0x6a, 0x0c, 0xe9, 0x34, 0xf6, 0xe3, 0x97, 0x3f, 0xc9, 0xb2, 0x44, 0xb3, + 0x7f, 0x1e, 0x61, 0xc9, 0x43, 0xfd, 0x78, 0xdd, 0xa1, 0x3a, 0x0a, 0xba, + 0x03, 0xfc, 0xb5, 0x36, 0x93, 0x0c, 0xf8, 0xec, 0x00, 0x71, 0x8f, 0x97, + 0xee, 0xc4, 0x81, 0xa7, 0x2e, 0x69, 0xf8, 0xb7, 0xc1, 0xc1, 0xe4, 0xb5, + 0x11, 0x27, 0x4f, 0x24, 0xae, 0xe6, 0xba, 0x85, 0xd1, 0xa0, 0x29, 0x29, + 0x98, 0xe5, 0xda, 0x13, 0x0b, 0xb2, 0x07, 0x09, 0x8b, 0xee, 0x97, 0x35, + 0x0f, 0xb0, 0x86, 0xe7, 0x84, 0xf5, 0xae, 0x69, 0x30, 0x40, 0x97, 0x19, + 0x03, 0x62, 0xd8, 0x79, 0xcd, 0x42, 0x72, 0xac, 0xae, 0xec, 0x92, 0x40, + 0x72, 0xa0, 0xcd, 0x13, 0x40, 0xd6, 0x10, 0x00, 0xdf, 0x3e, 0x0e, 0x35, + 0x61, 0xfd, 0xb3, 0x99, 0x6b, 0xe3, 0x27, 0x08, 0x04, 0xe9, 0xce, 0x6a, + 0xca, 0x1c, 0x7c, 0xad, 0x5e, 0xf3, 0xdc, 0x4a, 0xd1, 0x47, 0x95, 0x20, + 0x87, 0xb4, 0x02, 0xf5, 0x2a, 0x66, 0x93, 0x00, 0xbe, 0x98, 0xf1, 0xb1, + 0x4d, 0x7e, 0xe5, 0x2a, 0xb3, 0xa9, 0x91, 0xe8, 0x08, 0xcd, 0x4d, 0xe6, + 0xef, 0x0c, 0x7d, 0x96, 0x7b, 0x9c, 0xa4, 0x0a, 0xf6, 0x5a, 0xb2, 0x1d, + 0x63, 0x7a, 0x88, 0x61, 0x84, 0x80, 0x11, 0x44, 0x0c, 0x8a, 0x95, 0x62, + 0xa6, 0x56, 0xba, 0x81, 0xe2, 0xb1, 0x25, 0x0a, 0x07, 0xcc, 0xa8, 0xac, + 0x33, 0x83, 0x86, 0x83, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x04, + 0x00, 0x78, 0xc4, 0x8a, 0xa9, 0x11, 0x59, 0x37, 0xb3, 0xec, 0xa4, 0xea, + 0x5c, 0x12, 0x37, 0x4a, 0x57, 0xe1, 0x38, 0x28, 0xa4, 0x12, 0xbb, 0xf8, + 0x31, 0x71, 0x1e, 0x1b, 0xc5, 0x2c, 0x19, 0xa2, 0x5c, 0x2c, 0xe7, 0x75, + 0xa9, 0x31, 0x7d, 0x6d, 0xb1, 0x4e, 0x3a, 0x4a, 0x30, 0xad, 0xc1, 0xf0, + 0x83, 0xf2, 0xca, 0x5f, 0x2d, 0x0d, 0xb4, 0x7e, 0x3a, 0xa9, 0x66, 0xf6, + 0xe2, 0x3d, 0x4b, 0xc9, 0x7b, 0x66, 0x82, 0x36, 0x2f, 0x95, 0x96, 0x4a, + 0xfd, 0x7d, 
0x9c, 0x62, 0x7c, 0x66, 0xd6, 0x3b, 0xbb, 0xce, 0x3a, 0xcc, + 0x1a, 0xeb, 0xc3, 0xee, 0x51, 0x0b, 0xe1, 0xdf, 0x00, 0xe2, 0xb0, 0x78, + 0x40, 0xa1, 0x2c, 0x10, 0x13, 0x0a, 0x18, 0x67, 0x4c, 0x1f, 0x96, 0x8d, + 0xe7, 0xed, 0x38, 0x4b, 0xe2, 0x5f, 0x83, 0x0c, 0xc7, 0x35, 0x49, 0x20, + 0x5c, 0xdb, 0x13, 0xec, 0xf0, 0xd7, 0xa5, 0xf8, 0xf3, 0x13, 0x32, 0x8c, + 0x13, 0xc2, 0xf7, 0xd6, 0x61, 0x08, 0xd7, 0x46, 0x39, 0x7c, 0x34, 0x41, + 0xe0, 0xa3, 0xe8, 0x60, 0x3b, 0x35, 0x49, 0xfc, 0xa7, 0x6b, 0xd0, 0x19, + 0x97, 0x4f, 0x92, 0x99, 0x26, 0x4b, 0x6f, 0x3a, 0x44, 0x6c, 0x63, 0xac, + 0x41, 0xec, 0x4d, 0x79, 0x53, 0x30, 0x02, 0xb5, 0xf9, 0x79, 0x4e, 0xd6, + 0xe2, 0x49, 0x4b, 0x59, 0xe8, 0x1b, 0x17, 0x26, 0x0f, 0x59, 0xc4, 0xc3, + 0x94, 0x71, 0xf5, 0x0b, 0xca, 0x61, 0xb1, 0x94, 0x15, 0xb7, 0xd0, 0x63, + 0xe3, 0x2f, 0x4b, 0x6a, 0xe4, 0xcd, 0x86, 0x33, 0xcb, 0x22, 0x5c, 0x7a, + 0xf5, 0x2d, 0x87, 0xda, 0xb7, 0xa2, 0x93, 0x58, 0xc0, 0x13, 0xbf, 0x52, + 0x67, 0xbc, 0x28, 0x8a, 0xb0, 0x19, 0x25, 0x60, 0x64, 0x5e, 0x5a, 0x08, + 0x8a, 0x11, 0x33, 0x38, 0xee, 0x74, 0x95, 0x3e, 0xc1, 0xbb, 0x85, 0xe5, + 0xaa, 0x0f, 0x75, 0x54, 0x9b, 0x72, 0x80, 0xea, 0xd5, 0x6f, 0x6b, 0x84, + 0x41, 0x4d, 0x3a, 0xe3, 0x42, 0x92, 0xfe, 0xb2, 0x9e, 0xd5, 0xe5, 0x96, + 0x93, 0x8b, 0xae, 0x5c, 0x44, 0xa1, 0xb1, 0xc1, 0xbe, 0x14, 0xcd, 0xd9, + 0xba, 0xa8, 0xf5, 0xbd, 0x1a, 0xc5, 0x87, 0x10, 0x4a, 0x94, 0x52, 0x3d, + 0xef, 0x3c, 0x41, 0xb5, 0x6d, 0x1e, 0xc9, 0x52, 0xf7, 0x30, 0xcf, 0x57, + 0xf7, 0x93, 0x14, 0xcc, 0xb6, 0xe8, 0x96, 0x83, 0xb9, 0xc5, 0x6a, 0xae, + 0x04, 0x64, 0x09, 0x37, 0xeb, 0xc4, 0xf6, 0x08, 0x8a, 0x2a, 0x27, 0x06, + 0xac, 0x58, 0x23, 0x13, 0x89, 0x01, 0x85, 0x8a, 0x49, 0xcc, 0xa5, 0x4b, + 0x7a, 0xa1, 0x46, 0xbb, 0x52, 0x1e, 0x9c, 0xee, 0x45, 0x2c, 0x76, 0xcf, + 0xda, 0xbe, 0xaf, 0xbc, 0x45, 0x26, 0xf0, 0x2e, 0x4a, 0x09, 0xda, 0x3a, + 0xaa, 0x9a, 0x8a, 0xa2, 0x45, 0xc5, 0xb7, 0xed, 0x94, 0xa4, 0x23, 0x42, + 0x4e, 0xf5, 0x8f, 0xeb, 0xb3, 0xc8, 0x40, 0xdd, 0x20, 0x52, 0x4f, 0x6f, + 0xb9, 0x5f, 
0x45, 0x90, 0x11, 0x8d, 0x9f, 0x28, 0xdc, 0x70, 0xeb, 0x34, + 0x0b, 0x60, 0x3f, 0x7d, 0x19, 0x11, 0x13, 0xc1, 0x4e, 0x52, 0x10, 0x97, + 0x37, 0x01, 0xcd, 0x0c, 0x6e, 0x3a, 0xae, 0x54, 0x99, 0x3d, 0x06, 0x74, + 0x34, 0x8c, 0xd2, 0xa8, 0xff, 0xbb, 0x5b, 0xb6, 0xfc, 0xfa, 0x3a, 0x0e, + 0xe1, 0xce, 0x0b, 0x18, 0x81, 0xb2, 0x81, 0xd0, 0x2b, 0xdc, 0x89, 0x2e, + 0x2f, 0x40, 0x7a, 0x00, 0xeb, 0xc2, 0x1c, 0x3c, 0xba, 0x65, 0x2a, 0x79, + 0x64, 0xca, 0x72, 0x20, 0x83, 0x03, 0xbc, 0xce, 0xe1, 0xa2, 0x95, 0x89, + 0xba, 0x3b, 0xd9, 0xd7, 0x52, 0x65, 0x51, 0x31, 0x76, 0xa9, 0xe6, 0x47, + 0xce, 0xa9, 0x1e, 0x45, 0x2b, 0x5f, 0xec, 0x5c, 0xab, 0xf2, 0xb5, 0x0a, + 0x25, 0x35, 0x4c, 0x02, 0x22, 0xbe, 0x79, 0xac, 0x0a, 0x26, 0x0a, 0x4d, + 0xba, 0x1d, 0xc0, 0x4c, 0xd5, 0x32, 0xaf, 0x19, 0x9b, 0xb2, 0xc8, 0xde, + 0x27, 0xad, 0x45, 0x81, 0xbe, 0x0a, 0xaa, 0x57, 0xf1, 0x77, 0x5a, 0x2c, + 0xd9, 0x54, 0xc9, 0x4d, 0xc4, 0x96, 0x0e, 0x8a, 0x5e, 0x8b, 0xee, 0x34, + 0x8d, 0xc7, 0x88, 0x3f, 0xaf, 0xab, 0x3f, 0x6c, 0x4f, 0x39, 0xf0, 0x2d, + 0xd0, 0x4a, 0xbb, 0xa0, 0xd7, 0xf5, 0x9f, 0x14, 0x01, 0x86, 0xa8, 0x2c, + 0x7a, 0x86, 0xd8, 0x34, 0x6a, 0x68, 0x2d, 0xac, 0x77, 0xce, 0xc9, 0xf9, + 0xa7, 0x3a, 0x40, 0xa1, 0x9b, 0x4c, 0x6b, 0x6f, 0x33, 0x45, 0x3f, 0xb5, + 0x11, 0xd3, 0x6a, 0x00, 0x78, 0x5c, 0xcd, 0x7f, 0x60, 0x91, 0x53, 0xe3, + 0xc8, 0x7c, 0x23, 0x7a, 0x74, 0xae, 0xf4, 0x49, 0x39, 0x77, 0xaf, 0xa4, + 0x1f, 0xc5, 0x1b, 0x81, 0x57, 0x43, 0x53, 0x83, 0x7c, 0xb9, 0xaf, 0x6f, + 0xeb, 0xef, 0xb3, 0xdf, 0xc2, 0x88, 0x9d, 0x37, 0x87, 0xe9, 0x93, 0xd4, + 0xe0, 0x11, 0x9d, 0x25, 0x04, 0xf7, 0x51, 0x7d, 0x14, 0xdc, 0x42, 0xb9, + 0xba, 0x54, 0x13, 0x2a, 0xf3, 0xd8, 0x07, 0x9c, 0x6b, 0x26, 0xbf, 0x33, + 0xb6, 0xda, 0x07, 0x84, 0x50, 0x89, 0x91, 0xd4, 0xe2, 0x0b, 0x02, 0xbe, + 0x67, 0xc0, 0x24, 0xd1, 0x4f, 0x47, 0x47, 0x6f, 0xbb, 0x0c, 0xc3, 0x62, + 0x22, 0xcd, 0xec, 0xdd, 0x11, 0x0c, 0x49, 0x78, 0x0e, 0x54, 0x08, 0x6b, + 0x67, 0x54, 0x6f, 0xe1, 0xe9, 0xdb, 0x7d, 0x31, 0xf4, 0xa7, 0x72, 0x5e, + 0x8a, 0xcb, 
0x20, 0x26, 0x7b, 0x57, 0xf9, 0x1e, 0x73, 0xf1, 0x4f, 0x7d, + 0x4c, 0x52, 0xce, 0x82, 0x68, 0x8b, 0xe7, 0x2f, 0x9d, 0x59, 0xa3, 0xa8, + 0x68, 0xcf, 0x64, 0x96, 0x5c, 0x41, 0x2d, 0x6c, 0xa2, 0x26, 0xd6, 0x96, + 0xbd, 0xee, 0x2a, 0x91, 0x14, 0x8b, 0x59, 0x9f, 0xdb, 0x1d, 0x42, 0x8a, + 0x75, 0xfa, 0xde, 0x88, 0x9d, 0x98, 0xac, 0x63, 0x68, 0x5e, 0x0e, 0x8a, + 0x72, 0x8b, 0xe3, 0xd7, 0x62, 0xf6, 0x21, 0x6e, 0x72, 0x14, 0xc0, 0x99, + 0xaf, 0xc4, 0x56, 0x67, 0x4a, 0xe3, 0xf4, 0x5c, 0x80, 0x21, 0xef, 0x1e, + 0x6c, 0x45, 0x66, 0x1c, 0x40, 0x1d, 0xaa, 0xfa, 0x2b, 0xeb, 0x5c, 0x79, + 0x7a, 0x9a, 0x3a, 0x59, 0x25, 0x48, 0x08, 0x01, 0x51, 0x95, 0xed, 0x46, + 0x67, 0x14, 0x73, 0xfc, 0x53, 0xa0, 0xe8, 0x48, 0x54, 0x5d, 0x43, 0x8d, + 0xcf, 0x21, 0x84, 0x88, 0xd1, 0x4a, 0x33, 0xf3, 0x4d, 0xdd, 0x66, 0xe6, + 0x64, 0x74, 0x97, 0x6e, 0x79, 0x70, 0x98, 0x30, 0x12, 0x12, 0x86, 0x45, + 0x94, 0x24, 0x3a, 0x08, 0xbc, 0x57, 0x01, 0x44, 0x65, 0x5e, 0x07, 0x20, + 0xd4, 0xa8, 0xaf, 0x0f, 0xc4, 0x51, 0x39, 0xdd, 0x8c, 0x76, 0x33, 0x03, + 0x36, 0x59, 0x80, 0xcb, 0x56, 0xf6, 0x71, 0x6f, 0x18, 0xda, 0xf3, 0x1c, + 0x3a, 0x53, 0x6f, 0xec, 0x95, 0x8c, 0x8d, 0x9f, 0xa9, 0x15, 0x63, 0xfe, + 0x0e, 0xc7, 0x10, 0x88, 0xde, 0xaf, 0x78, 0x40, 0xef, 0x76, 0xa3, 0x47, + 0x01, 0x66, 0x93, 0xcf, 0x5f, 0x65, 0x19, 0xbb, 0x7a, 0x96, 0x4c, 0x5c, + 0xc7, 0x12, 0xdd, 0xd2, 0xef, 0x22, 0x77, 0xb1, 0xec, 0xc1, 0xbe, 0xbe, + 0x85, 0x9d, 0x84, 0x70, 0x5e, 0xc8, 0x67, 0x80, 0x0b, 0x9b, 0x9e, 0x9b, + 0x46, 0x42, 0x0c, 0x4a, 0x01, 0xdd, 0x8a, 0xba, 0x59, 0x6a, 0xe2, 0x22, + 0x92, 0xca, 0xc0, 0xb3, 0x28, 0x2a, 0x15, 0x17, 0x94, 0xd6, 0xc5, 0x99, + 0x5c, 0xf8, 0xd9, 0xd1, 0xfe, 0xad, 0x5e, 0x4a, 0xd9, 0x13, 0x0a, 0xf0, + 0x8d, 0xd7, 0xf5, 0x86, 0x1a, 0x46, 0x6a, 0x7a, 0x16, 0x25, 0x42, 0xf6, + 0xe9, 0x5b, 0x32, 0xdd, 0x70, 0x1c, 0x16, 0xd3, 0x44, 0x12, 0xce, 0xc2, + 0x52, 0x3b, 0x22, 0x3b, 0xb1, 0x02, 0x82, 0x02, 0x01, 0x00, 0xdf, 0x4b, + 0x49, 0x8c, 0x8d, 0xcc, 0xfb, 0x17, 0xd5, 0x5e, 0x61, 0x17, 0x41, 0x87, + 0x22, 0xfd, 
0x50, 0xdf, 0x53, 0xa8, 0x8a, 0xf1, 0xa9, 0x72, 0x2c, 0x1e, + 0x13, 0x78, 0x00, 0x3a, 0x14, 0xbc, 0x17, 0x90, 0x4c, 0x15, 0x61, 0x2c, + 0x63, 0x94, 0xce, 0x04, 0x12, 0xf9, 0x1a, 0xc3, 0xbf, 0xbd, 0xb1, 0x95, + 0x0d, 0x18, 0xfb, 0xfa, 0xa4, 0x42, 0x15, 0xf6, 0x18, 0xb4, 0xb5, 0x52, + 0x0d, 0x93, 0xcc, 0x61, 0x10, 0x7c, 0x38, 0x4c, 0xef, 0x1e, 0x2d, 0x28, + 0xe4, 0x33, 0x51, 0x21, 0x7c, 0x1b, 0x18, 0x03, 0x7e, 0x64, 0x27, 0xa3, + 0xbd, 0x5d, 0xd7, 0xcd, 0xaf, 0xd1, 0x40, 0xe1, 0xbb, 0x61, 0xd7, 0xbe, + 0x55, 0xa0, 0x9a, 0xfd, 0xaf, 0x53, 0xfe, 0x66, 0x7d, 0xb5, 0x26, 0x8a, + 0x49, 0x19, 0x59, 0xdb, 0x37, 0x48, 0xda, 0x01, 0xc1, 0x75, 0x6b, 0xfe, + 0x72, 0xf7, 0x27, 0xfc, 0x22, 0x48, 0x4a, 0xd4, 0x89, 0xf1, 0x3d, 0xdd, + 0x0d, 0x06, 0x02, 0x3f, 0xf6, 0x71, 0xb8, 0x0f, 0x2b, 0x8f, 0xa8, 0x53, + 0x2c, 0xa8, 0x37, 0xe9, 0xbf, 0x9c, 0xb2, 0xd8, 0x9c, 0x56, 0xcc, 0x74, + 0xe1, 0x0a, 0x69, 0x20, 0xaf, 0x9c, 0xed, 0x5e, 0x15, 0x3e, 0xd9, 0xe0, + 0x76, 0x06, 0x49, 0x25, 0x07, 0x9d, 0xe2, 0xa4, 0xf7, 0xe3, 0x2d, 0x6d, + 0xcf, 0x8d, 0x93, 0x66, 0x23, 0xd8, 0x16, 0x59, 0x78, 0xef, 0xad, 0xf8, + 0x7c, 0xa1, 0xc6, 0xab, 0x3f, 0x4a, 0xf0, 0x19, 0xe6, 0x5b, 0xb2, 0x5a, + 0x2b, 0x00, 0x15, 0x12, 0xe3, 0xb7, 0xf4, 0xcb, 0x77, 0x2b, 0x75, 0x89, + 0xec, 0xdc, 0x4e, 0x3e, 0xe7, 0x51, 0x6a, 0xf9, 0x6f, 0x8a, 0x0c, 0xea, + 0x45, 0x7e, 0x3c, 0x16, 0x9e, 0x4d, 0xf6, 0x6a, 0x83, 0x9a, 0x16, 0x8d, + 0xa8, 0xaa, 0x01, 0x04, 0xc4, 0x1c, 0xac, 0xc9, 0x73, 0xb8, 0xe3, 0x11, + 0xc0, 0x78, 0x65, 0xf6, 0x75, 0xd2, 0x33, 0x40, 0x9f, 0xe4, 0x63, 0x15, + 0xb4, 0xf3, 0xd9, 0x63, 0x54, 0xbd, 0x04, 0x94, 0xb0, 0xf7, 0xa0, 0x40, + 0x0d, 0xf2, 0x88, 0x9b, 0xea, 0xa8, 0x0d, 0x14, 0x60, 0xea, 0x11, 0x4f, + 0x4f, 0xcf, 0x7c, 0xd1, 0x58, 0xb1, 0x8b, 0xa6, 0x0a, 0x3e, 0x3b, 0xf1, + 0xeb, 0xde, 0x27, 0x3e, 0xb0, 0xdf, 0xc5, 0x81, 0x6e, 0xee, 0x44, 0x3a, + 0xae, 0x3e, 0xa0, 0x90, 0x16, 0x9f, 0x2b, 0x28, 0x43, 0xf4, 0xbb, 0x36, + 0xc7, 0x67, 0x80, 0x98, 0x48, 0x2c, 0x73, 0x59, 0x0f, 0x6a, 0x46, 0x4a, + 0xc8, 0xef, 
0x24, 0x81, 0x86, 0x8c, 0xa6, 0x68, 0xaa, 0xc8, 0x4f, 0x4d, + 0xb3, 0x8b, 0x19, 0xed, 0xd4, 0x9e, 0x03, 0x6b, 0xec, 0x51, 0x2f, 0xa3, + 0x58, 0xcb, 0x42, 0x97, 0xc7, 0xfd, 0x69, 0xec, 0x06, 0xf0, 0xf6, 0xa5, + 0xc7, 0xd9, 0x49, 0x5a, 0x56, 0x2c, 0x2e, 0xf4, 0x3b, 0xaa, 0x0b, 0xe3, + 0x03, 0x6b, 0x0b, 0x5d, 0x11, 0x50, 0x86, 0x22, 0x3e, 0x6c, 0x38, 0xeb, + 0x4b, 0x45, 0x1b, 0x98, 0x2d, 0x37, 0x35, 0x72, 0xc5, 0x5f, 0x50, 0x8b, + 0xc2, 0x74, 0x00, 0xc5, 0xe3, 0xcf, 0xe0, 0xed, 0x9d, 0x99, 0x58, 0x25, + 0xd6, 0xfa, 0xd9, 0xb2, 0x44, 0x93, 0xe4, 0x33, 0xc8, 0xf7, 0xcb, 0xf1, + 0x5b, 0x09, 0xce, 0x62, 0xab, 0xac, 0x61, 0xcf, 0xc4, 0xf2, 0xd7, 0xca, + 0x86, 0x46, 0xe8, 0x10, 0x11, 0xf7, 0xfe, 0x39, 0x87, 0x1c, 0xea, 0x59, + 0x64, 0x54, 0x18, 0xe2, 0x8d, 0x8b, 0x8d, 0x59, 0xb4, 0x77, 0xe8, 0xf6, + 0x15, 0x17, 0x04, 0x93, 0x22, 0x44, 0xc2, 0x4c, 0x80, 0xf5, 0xe7, 0x2b, + 0xae, 0x21, 0x14, 0x83, 0x78, 0x35, 0x5a, 0x7f, 0xc7, 0xd7, 0x83, 0xa6, + 0x3a, 0xa4, 0xd6, 0xce, 0x07, 0x8c, 0x37, 0x71, 0x25, 0xd0, 0x3b, 0xf5, + 0x21, 0xd1, 0xb9, 0x4a, 0x38, 0xdb, 0x02, 0x82, 0x02, 0x01, 0x00, 0xd7, + 0x97, 0x6c, 0x4d, 0x1e, 0xa0, 0x0e, 0x28, 0xdd, 0xc3, 0xe9, 0x38, 0xf0, + 0x93, 0x79, 0x05, 0x47, 0x71, 0x1d, 0x1c, 0xcb, 0x8f, 0xde, 0x25, 0x22, + 0x43, 0x70, 0xb9, 0x10, 0xf2, 0x6f, 0x5e, 0xe7, 0xb1, 0x7a, 0x29, 0x53, + 0x95, 0xbe, 0x42, 0x77, 0x2d, 0x9c, 0x34, 0x80, 0x3c, 0x5b, 0xb1, 0x8a, + 0x7d, 0x63, 0x7a, 0x1a, 0xb7, 0x1a, 0x09, 0xa4, 0x2b, 0xd0, 0x17, 0xc3, + 0x7c, 0xab, 0xa1, 0xf0, 0xb5, 0x77, 0x5d, 0xa4, 0x2e, 0x94, 0x8d, 0xfc, + 0x5a, 0x7c, 0xc4, 0x82, 0x87, 0x2c, 0x9a, 0xb1, 0x20, 0xff, 0x19, 0x1b, + 0x8b, 0xf4, 0x12, 0xe3, 0xe9, 0x62, 0x53, 0x82, 0x71, 0x22, 0x62, 0x4b, + 0xe9, 0x6c, 0xd4, 0x64, 0xe6, 0x44, 0x0f, 0xf9, 0x9f, 0xc3, 0xdd, 0x35, + 0xfa, 0xc1, 0x33, 0x2f, 0x90, 0x93, 0x58, 0x2a, 0xe0, 0x33, 0xae, 0x08, + 0xad, 0xbd, 0xac, 0x67, 0xfc, 0x17, 0x54, 0x26, 0xeb, 0xd3, 0x53, 0xaa, + 0x4f, 0x13, 0xda, 0xad, 0x47, 0x34, 0x7c, 0x8f, 0xee, 0x55, 0x4e, 0xdf, + 0x1e, 0xff, 
0x81, 0xa0, 0xc2, 0xf5, 0xa3, 0x77, 0x08, 0x66, 0x84, 0xc3, + 0xd1, 0x11, 0x0f, 0x63, 0x3b, 0xa3, 0xee, 0xd0, 0xb5, 0xbb, 0xd0, 0xb4, + 0xbe, 0x78, 0x89, 0xc3, 0x97, 0x63, 0x01, 0x75, 0x4b, 0x98, 0x1a, 0x13, + 0xba, 0x99, 0x2a, 0x16, 0x18, 0x54, 0xce, 0x4d, 0x18, 0x03, 0x58, 0xc7, + 0x4a, 0x90, 0x61, 0xa1, 0x45, 0x0c, 0x2a, 0x86, 0x8f, 0x73, 0xb4, 0x1a, + 0x03, 0xe5, 0x3c, 0x24, 0xef, 0x95, 0x73, 0xf0, 0xde, 0x77, 0x67, 0x1d, + 0xd9, 0x55, 0x2e, 0x94, 0x88, 0x4b, 0xce, 0x91, 0x67, 0xf1, 0x48, 0x0c, + 0xf9, 0x81, 0xeb, 0x82, 0x8d, 0xee, 0x20, 0xf4, 0xe9, 0x4e, 0x18, 0x35, + 0x65, 0x86, 0x2e, 0x99, 0x24, 0x7d, 0x50, 0x03, 0xe2, 0x03, 0x0f, 0x4f, + 0xbb, 0x6e, 0x50, 0x3a, 0x74, 0xae, 0xd1, 0x8b, 0x8b, 0x50, 0x1c, 0x43, + 0xb4, 0xb4, 0x94, 0xb8, 0xe6, 0x5c, 0x61, 0x06, 0x0b, 0x8c, 0xf4, 0x90, + 0xfb, 0x00, 0x21, 0xf2, 0x1f, 0x22, 0xf3, 0x04, 0x58, 0xb7, 0xf7, 0x29, + 0xe7, 0xc4, 0x55, 0xfb, 0xb2, 0xcd, 0x8d, 0xa4, 0x49, 0x91, 0x3c, 0xd0, + 0xd6, 0xa2, 0xc4, 0x69, 0x5d, 0x84, 0xbd, 0x4f, 0x6b, 0xa5, 0x8a, 0x23, + 0xcd, 0xcb, 0x1c, 0xba, 0x25, 0xc2, 0xdd, 0x57, 0x50, 0xec, 0xe6, 0x24, + 0x05, 0x3d, 0xf6, 0x98, 0x97, 0x7e, 0x57, 0xe9, 0xfd, 0xf4, 0x03, 0x83, + 0xc7, 0x6c, 0xc9, 0x54, 0x01, 0xec, 0x95, 0xfd, 0xfa, 0x91, 0x30, 0x8d, + 0x70, 0xd0, 0x15, 0x68, 0xa0, 0x5d, 0xea, 0x12, 0x09, 0xf4, 0x8a, 0xb5, + 0xa3, 0x21, 0x64, 0xf8, 0xa8, 0x86, 0x0e, 0x67, 0xa4, 0x39, 0x59, 0x3c, + 0xdb, 0xc0, 0xc4, 0x95, 0x28, 0x16, 0x89, 0x5c, 0x11, 0x1e, 0x8c, 0x23, + 0x64, 0x9c, 0x12, 0x15, 0x25, 0xf5, 0x07, 0xc9, 0x21, 0x40, 0xf4, 0x82, + 0xe9, 0x15, 0x18, 0x16, 0x7b, 0xe5, 0x99, 0xc6, 0x7c, 0xd0, 0x8d, 0x18, + 0x95, 0xb4, 0xbb, 0xef, 0x07, 0x51, 0x97, 0xac, 0x51, 0xdc, 0xd6, 0x65, + 0xeb, 0xf8, 0xe6, 0x70, 0xa4, 0x1a, 0x77, 0x0c, 0x6d, 0x60, 0xad, 0x10, + 0x62, 0xd2, 0xc2, 0x93, 0x09, 0x3f, 0x1a, 0xee, 0x71, 0xbd, 0xe6, 0xec, + 0x89, 0xb2, 0xa1, 0x5d, 0xb1, 0x36, 0x74, 0x5b, 0xe3, 0x6d, 0x25, 0x55, + 0xa7, 0x27, 0xfa, 0x54, 0x2f, 0xf1, 0x75, 0x10, 0x7e, 0x36, 0xec, 0x03, + 0x7b, 0x6d, 
0x21, 0x0a, 0x7e, 0x28, 0x18, 0xc4, 0x3c, 0xb3, 0xde, 0xcf, + 0xbe, 0xa2, 0x6b, 0x80, 0xba, 0x88, 0x00, 0x89, 0xce, 0x43, 0x34, 0x3a, + 0x72, 0x81, 0x05, 0x94, 0xec, 0x51, 0x67, 0xad, 0xeb, 0xa8, 0x2e, 0x8f, + 0xcc, 0x47, 0x9b, 0xf5, 0xd5, 0x25, 0x79, 0x02, 0x82, 0x02, 0x01, 0x00, + 0x94, 0x9a, 0x47, 0x2d, 0x5a, 0x25, 0x63, 0xa9, 0x9d, 0xdf, 0x3c, 0xa0, + 0x3c, 0x84, 0xd1, 0xdd, 0x61, 0xd7, 0xee, 0x96, 0x09, 0x3a, 0x00, 0xf9, + 0xb1, 0xb0, 0xa6, 0x66, 0x43, 0x48, 0x64, 0x0a, 0x35, 0x68, 0x5b, 0xaa, + 0x12, 0xcc, 0x76, 0xcd, 0x4e, 0x39, 0xd9, 0xe2, 0x9c, 0x54, 0x4f, 0xa3, + 0xcf, 0xae, 0x11, 0x54, 0x62, 0x45, 0x90, 0xd1, 0x46, 0x4a, 0x4c, 0x70, + 0xdf, 0x06, 0xe7, 0x70, 0x48, 0x21, 0x04, 0xd6, 0x96, 0xa5, 0x64, 0xb1, + 0x61, 0x7e, 0x88, 0x38, 0x3a, 0xb3, 0x1d, 0x23, 0xee, 0xdc, 0x4c, 0x5e, + 0x1d, 0x1f, 0x54, 0x64, 0x42, 0xbd, 0x69, 0x57, 0xca, 0x65, 0x2f, 0xce, + 0x52, 0xc5, 0x21, 0xb9, 0x4b, 0xcc, 0xae, 0xc5, 0x28, 0x56, 0x4f, 0x2c, + 0xa2, 0xa4, 0x7f, 0x37, 0x76, 0xdc, 0x74, 0x33, 0x70, 0x9a, 0xa0, 0x84, + 0x23, 0xc5, 0xe7, 0xfe, 0xe2, 0x46, 0x63, 0x0e, 0x57, 0x76, 0x91, 0x02, + 0xd2, 0x97, 0xed, 0x15, 0xe5, 0xa3, 0x69, 0xc0, 0x8e, 0xac, 0xd1, 0xe1, + 0xbe, 0x34, 0xf4, 0x50, 0x53, 0x3d, 0xa5, 0xbe, 0x84, 0x2b, 0xb2, 0x07, + 0xf5, 0xf3, 0x86, 0xdc, 0xe5, 0xcf, 0xd1, 0xef, 0x8e, 0xed, 0x01, 0x18, + 0x9d, 0xe9, 0x4a, 0xc2, 0xae, 0x25, 0x0d, 0xa7, 0x9e, 0x71, 0x09, 0x63, + 0xd0, 0x14, 0xf7, 0x7f, 0x11, 0xec, 0x74, 0xc8, 0x57, 0x3f, 0x5e, 0x43, + 0xac, 0x34, 0xe5, 0xc4, 0xc8, 0x31, 0xa9, 0x62, 0x96, 0xdd, 0xb5, 0xb7, + 0xaa, 0xbf, 0x65, 0x44, 0x9d, 0xc1, 0xbf, 0x78, 0xea, 0x5a, 0x0a, 0x4a, + 0x0a, 0xe4, 0x2a, 0x95, 0x07, 0x21, 0xc7, 0xd2, 0x20, 0x6e, 0x36, 0x33, + 0xda, 0x9a, 0x82, 0x7b, 0x1b, 0x44, 0x36, 0x40, 0x4e, 0x50, 0xde, 0x9a, + 0x4a, 0x8e, 0x26, 0x04, 0x55, 0xbf, 0x35, 0x40, 0x9c, 0x21, 0x49, 0x79, + 0x6e, 0xec, 0x9e, 0x79, 0xc1, 0xe9, 0xbe, 0xc9, 0x90, 0x40, 0x5e, 0xe8, + 0xa0, 0xa4, 0x8e, 0x93, 0x86, 0x46, 0x1b, 0xdb, 0xdb, 0x53, 0x95, 0x5e, + 0x86, 0xf0, 
0x7a, 0x17, 0xc1, 0xa0, 0x7a, 0x0f, 0x32, 0xfd, 0x2f, 0xee, + 0x36, 0x6c, 0xe1, 0x01, 0x85, 0xe0, 0xd0, 0xb4, 0xff, 0xea, 0x15, 0x81, + 0x0b, 0x65, 0xda, 0x02, 0x33, 0x7d, 0xfe, 0x3a, 0x3d, 0xf8, 0x00, 0xba, + 0x62, 0xff, 0xe6, 0x7c, 0x59, 0x60, 0xeb, 0x1d, 0x2c, 0x9c, 0x94, 0x75, + 0x27, 0xae, 0xb2, 0x10, 0x08, 0xbd, 0xcf, 0xb2, 0x7d, 0x65, 0x74, 0xe3, + 0xd6, 0x39, 0xe8, 0xf5, 0x76, 0x07, 0x19, 0x63, 0x3b, 0x50, 0x06, 0xf0, + 0x5e, 0x0e, 0xa9, 0x01, 0x56, 0xd5, 0x37, 0x9d, 0x9d, 0x4b, 0x52, 0xaf, + 0x49, 0x13, 0xdd, 0x81, 0x10, 0x25, 0x70, 0xfc, 0x0e, 0x64, 0xfc, 0xcd, + 0x9a, 0x68, 0x03, 0xd3, 0x70, 0x84, 0xc5, 0x3a, 0x8c, 0x59, 0x0f, 0xe8, + 0x00, 0x17, 0x29, 0x6c, 0x30, 0xd8, 0xd4, 0x30, 0x11, 0xc4, 0x72, 0x64, + 0x95, 0x90, 0xc9, 0xbc, 0x09, 0x3c, 0x42, 0x43, 0x2e, 0xb7, 0xdd, 0xf0, + 0xab, 0xeb, 0x07, 0x13, 0x2a, 0x7c, 0x88, 0x3b, 0x0d, 0x47, 0x35, 0x8e, + 0x1a, 0xe2, 0xbb, 0xea, 0x9f, 0xbc, 0x8a, 0xf5, 0x1d, 0x76, 0xf5, 0x35, + 0x2c, 0x2d, 0xc8, 0xd7, 0x82, 0xd9, 0x99, 0xc4, 0x94, 0x27, 0xb0, 0xbb, + 0xa8, 0xae, 0xe8, 0xa4, 0x01, 0xc6, 0xc8, 0x1e, 0x91, 0xba, 0xf9, 0x57, + 0x5e, 0x02, 0xf5, 0xc9, 0x1d, 0xf2, 0x90, 0x1e, 0xa2, 0x88, 0x63, 0x99, + 0x35, 0x99, 0xa7, 0xb9, 0x74, 0xda, 0xf2, 0x80, 0x6e, 0x0a, 0x79, 0xfc, + 0xac, 0xc7, 0x1e, 0x10, 0x77, 0xd5, 0x72, 0xc7, 0x97, 0x1d, 0xd9, 0x02, + 0x6d, 0x63, 0xd0, 0x3d, 0x69, 0x93, 0x1d, 0xe4, 0xcb, 0xf4, 0xea, 0x24, + 0x65, 0xf2, 0xa2, 0x7a, 0x2f, 0x64, 0xdc, 0xe7, 0x02, 0x82, 0x02, 0x01, + 0x00, 0xb9, 0x65, 0x68, 0x26, 0xf1, 0x9d, 0x26, 0x50, 0x12, 0x55, 0x35, + 0x2c, 0x58, 0x06, 0x19, 0xde, 0x66, 0x4f, 0x69, 0x7f, 0xa7, 0xb6, 0x32, + 0x8c, 0xb0, 0x68, 0x5a, 0x79, 0x6b, 0x8f, 0x70, 0x22, 0xa7, 0x10, 0x42, + 0x43, 0x63, 0xb3, 0xb4, 0x07, 0xa8, 0x41, 0x3a, 0xc1, 0x13, 0x3d, 0xd4, + 0x84, 0x5a, 0xd9, 0xf5, 0x3f, 0xbd, 0xd5, 0x93, 0xb8, 0x92, 0xcb, 0x72, + 0x89, 0xdc, 0xfc, 0x4b, 0x04, 0x59, 0xe1, 0x53, 0xa2, 0xdd, 0x5b, 0x89, + 0x38, 0x88, 0xb8, 0xaf, 0xee, 0xb5, 0x68, 0xd4, 0xfc, 0xba, 0x31, 0xeb, + 0xed, 0x85, 
0x78, 0xd7, 0x0d, 0x9f, 0x9c, 0xc5, 0x87, 0x96, 0xf6, 0xff, + 0x60, 0x94, 0x73, 0x49, 0xb9, 0x64, 0x83, 0x78, 0x28, 0x5c, 0xbb, 0xfd, + 0x4d, 0x2f, 0xec, 0x51, 0x54, 0x59, 0x24, 0xf4, 0xf0, 0xae, 0xfe, 0x5a, + 0xb2, 0xe0, 0x97, 0xb8, 0x32, 0x98, 0xc1, 0x7a, 0xb6, 0x4d, 0x3a, 0x23, + 0x63, 0x21, 0x64, 0x1b, 0x68, 0xc3, 0xf6, 0x25, 0xb6, 0xb0, 0x77, 0x7e, + 0x38, 0xf3, 0x3a, 0xce, 0xf2, 0x84, 0x72, 0xe3, 0x96, 0x0c, 0xf8, 0xd6, + 0x60, 0x79, 0x9c, 0x42, 0x15, 0x7f, 0x7a, 0x7c, 0x41, 0x14, 0x8e, 0x13, + 0xd3, 0x28, 0x7b, 0x5b, 0x60, 0xed, 0x28, 0x34, 0x65, 0xbe, 0x9e, 0xa1, + 0x50, 0x5b, 0x82, 0xed, 0xcf, 0xf9, 0x6c, 0x37, 0x11, 0xa9, 0xce, 0x6a, + 0xa2, 0x5f, 0xcf, 0x49, 0x56, 0x0b, 0xbf, 0x3a, 0xf5, 0x1e, 0xfe, 0x21, + 0xbb, 0xd1, 0x5b, 0x64, 0x38, 0x52, 0x73, 0x0d, 0x8c, 0xc4, 0xa8, 0x2a, + 0xfa, 0x2b, 0xfb, 0x07, 0x7b, 0xa5, 0x13, 0x88, 0x4d, 0x3d, 0x51, 0xab, + 0x76, 0x10, 0x62, 0x48, 0x4d, 0x64, 0xd9, 0xf4, 0xdb, 0xb6, 0x81, 0x23, + 0x3d, 0x42, 0x3d, 0xea, 0x24, 0x0c, 0x62, 0x0a, 0xb9, 0x52, 0x7d, 0x7b, + 0xb0, 0x21, 0x1a, 0xc7, 0x84, 0x8a, 0xa0, 0x68, 0xed, 0x9e, 0x18, 0xd1, + 0x6d, 0x5c, 0xf3, 0xfb, 0x0e, 0xa1, 0xea, 0xc7, 0xaa, 0x4f, 0xee, 0x82, + 0xea, 0x95, 0xfa, 0xa3, 0x64, 0x8d, 0xb8, 0x24, 0xef, 0xe2, 0xdf, 0x00, + 0x64, 0xb6, 0x4e, 0xae, 0xd2, 0x5a, 0x3e, 0xaa, 0xf1, 0x91, 0x44, 0x0a, + 0x77, 0xc8, 0x07, 0xab, 0xb5, 0x47, 0xfe, 0xb9, 0xf5, 0xaa, 0x64, 0xa1, + 0xd8, 0xa7, 0x6d, 0x83, 0xab, 0x52, 0x90, 0xc2, 0x80, 0x61, 0x64, 0x20, + 0x34, 0xd0, 0xe9, 0x09, 0x1e, 0x14, 0x9e, 0xc2, 0x71, 0x8b, 0xb1, 0x6d, + 0xb3, 0xd0, 0x11, 0x21, 0x06, 0x09, 0x0e, 0x16, 0x8b, 0xed, 0xfb, 0x19, + 0xfc, 0x2c, 0xc5, 0xc4, 0xcb, 0x84, 0x4b, 0xd4, 0x37, 0x44, 0x07, 0xf7, + 0x99, 0x89, 0x15, 0x9d, 0xd4, 0x1c, 0xd9, 0x9f, 0x5e, 0xa7, 0xd5, 0xdb, + 0xd3, 0x57, 0xb8, 0x8a, 0x8f, 0x02, 0xcd, 0x94, 0x83, 0xce, 0xfe, 0x91, + 0xcc, 0x65, 0x6b, 0x51, 0xa3, 0x63, 0x38, 0x5e, 0xfc, 0xb1, 0x03, 0xbd, + 0xbe, 0x07, 0x0d, 0xb5, 0xac, 0x1f, 0x39, 0xb0, 0x7a, 0x8a, 0xec, 0x2e, + 0xd4, 0x07, 
0x3e, 0x46, 0x4c, 0x0f, 0x03, 0xb6, 0x30, 0xbe, 0x69, 0x2f, + 0x85, 0xd7, 0xe4, 0x13, 0x08, 0xe7, 0xf8, 0xd7, 0x21, 0x65, 0x38, 0x72, + 0x18, 0xa1, 0xac, 0xba, 0x1d, 0xc5, 0x20, 0x00, 0x7a, 0x82, 0x6e, 0xa1, + 0xa6, 0x01, 0xe7, 0x70, 0x0b, 0xc0, 0x6c, 0x72, 0xad, 0xa1, 0x8f, 0x73, + 0xfe, 0xd5, 0x27, 0x88, 0x03, 0x87, 0x7e, 0x2b, 0x20, 0x46, 0x6c, 0xa3, + 0x82, 0x56, 0x84, 0x3f, 0x96, 0x58, 0x55, 0xa0, 0xd9, 0x9b, 0x77, 0xb0, + 0x1e, 0x7d, 0x7c, 0x2c, 0x64, 0x52, 0x31, 0x16, 0x5f, 0x90, 0x22, 0x26, + 0x3c, 0xb5, 0xbe, 0x5e, 0x21, 0x94, 0xad, 0x9c, 0x5b, 0x92, 0x7e, 0xc3, + 0x04, 0x37, 0x78, 0xae, 0x63, 0xfa, 0x05, 0xaf, 0xd1, 0x02, 0x82, 0x02, + 0x01, 0x00, 0x86, 0xf2, 0xb0, 0x69, 0x17, 0x39, 0xa4, 0x5d, 0x3c, 0x4e, + 0x5c, 0x8c, 0x07, 0x91, 0x7f, 0x8a, 0x2b, 0x47, 0xd0, 0x6c, 0x60, 0xf7, + 0x23, 0x4c, 0x53, 0x31, 0xae, 0x27, 0xbe, 0x13, 0x07, 0x52, 0xe9, 0x9a, + 0x5c, 0xb3, 0xb6, 0x4d, 0x21, 0x7c, 0xf0, 0x0b, 0x68, 0x99, 0xa9, 0xc2, + 0x07, 0xc0, 0x26, 0xa9, 0x90, 0x15, 0x86, 0xde, 0x72, 0x1a, 0x3e, 0x80, + 0x03, 0x2e, 0xc4, 0xa8, 0xec, 0xd1, 0x23, 0x72, 0x85, 0xd7, 0x46, 0x4e, + 0xb0, 0xac, 0x92, 0x50, 0xa3, 0xb9, 0x80, 0x97, 0xe4, 0x01, 0x67, 0xad, + 0xd2, 0xf8, 0xc6, 0x64, 0x85, 0x0a, 0xde, 0x7a, 0xe5, 0xc0, 0xc9, 0xe7, + 0xf0, 0x09, 0x13, 0xcc, 0xb8, 0x43, 0x52, 0x1d, 0x0d, 0xbb, 0x25, 0x85, + 0xdf, 0xe1, 0xaa, 0x27, 0x59, 0xaf, 0x4b, 0xf4, 0xc7, 0x31, 0x25, 0xab, + 0x19, 0xaf, 0xf9, 0x3c, 0x3e, 0x35, 0x78, 0x0e, 0xe2, 0x0e, 0xa4, 0xc9, + 0x23, 0xd2, 0x0f, 0x29, 0xa0, 0x85, 0x7c, 0xd6, 0xc6, 0xb6, 0x73, 0x0e, + 0xca, 0x66, 0x2c, 0xa3, 0x90, 0x9c, 0xe5, 0xd1, 0x2e, 0xfd, 0x99, 0x7d, + 0x30, 0x1f, 0xd5, 0xb2, 0x73, 0xa0, 0x74, 0x2a, 0xdc, 0xa0, 0x9d, 0x31, + 0x00, 0x2f, 0xf0, 0x05, 0x33, 0xc0, 0xca, 0x85, 0x71, 0x86, 0xed, 0x31, + 0x8e, 0x22, 0xe4, 0x47, 0x00, 0xb1, 0x30, 0x1c, 0xc9, 0xaa, 0x97, 0x3a, + 0x5f, 0x0d, 0x18, 0x7a, 0xc0, 0x35, 0x89, 0x3b, 0xed, 0x1d, 0x01, 0xb6, + 0x55, 0x4c, 0x57, 0x90, 0xf2, 0x0e, 0xe3, 0x9c, 0x23, 0x6f, 0xd2, 0xc0, + 0x2b, 0x4b, 
0x4d, 0x7a, 0xb6, 0x00, 0xa5, 0x30, 0xdd, 0xce, 0xfa, 0x6b, + 0x9b, 0xee, 0x63, 0xa8, 0xea, 0xd5, 0xeb, 0x6c, 0xfe, 0x8a, 0x93, 0xf4, + 0x19, 0x1c, 0xe3, 0x90, 0x1c, 0x30, 0xc0, 0xb6, 0xc5, 0xec, 0xdf, 0x55, + 0xe3, 0x43, 0xd5, 0x2f, 0xc8, 0x72, 0xbb, 0x14, 0x7d, 0x4b, 0x6c, 0x44, + 0x72, 0xef, 0x1f, 0x4f, 0x47, 0xe8, 0xd3, 0xb0, 0x32, 0x51, 0x1a, 0x3f, + 0x4e, 0xba, 0xd5, 0x2f, 0x68, 0xcf, 0x84, 0xa0, 0x8b, 0x3b, 0xd4, 0x89, + 0x90, 0xe0, 0xd1, 0xfa, 0x64, 0xd8, 0x34, 0x26, 0x19, 0xbf, 0x4f, 0xb0, + 0xb1, 0x7d, 0xc4, 0x8f, 0xe3, 0x4a, 0x4e, 0x24, 0x8d, 0xed, 0xc2, 0x38, + 0x62, 0x6c, 0x21, 0x17, 0x25, 0x5a, 0x51, 0x02, 0x9d, 0xc9, 0x12, 0xd6, + 0x9e, 0x80, 0x68, 0x83, 0x3d, 0xf0, 0xdd, 0x90, 0x3d, 0xa4, 0x9f, 0xf4, + 0x73, 0xa9, 0x9d, 0x20, 0x86, 0x12, 0xd5, 0x58, 0x25, 0xc0, 0x79, 0xcf, + 0xf5, 0x24, 0x1b, 0x6c, 0x2d, 0xf4, 0x6c, 0x28, 0xb7, 0x38, 0x2b, 0x80, + 0xb4, 0xa8, 0x02, 0xd9, 0x41, 0x3e, 0x78, 0x04, 0xa2, 0x72, 0xd4, 0x41, + 0x20, 0xfc, 0xbf, 0x72, 0x6c, 0x5a, 0x92, 0x49, 0x8c, 0x42, 0x2a, 0xd4, + 0x93, 0x8a, 0xee, 0x2d, 0x01, 0xe6, 0x18, 0xbb, 0x59, 0xa1, 0x35, 0x60, + 0x3c, 0x24, 0x22, 0x3b, 0x64, 0xc3, 0xa0, 0xb8, 0x46, 0x3b, 0x96, 0x74, + 0xf5, 0xd1, 0x15, 0xcb, 0x34, 0xcb, 0x2d, 0xc0, 0x05, 0x62, 0xe1, 0x2c, + 0x36, 0x27, 0x9c, 0x5c, 0xb9, 0x08, 0xef, 0x90, 0x85, 0xfa, 0xcc, 0x23, + 0x72, 0x09, 0x9a, 0x05, 0x52, 0xff, 0xee, 0x34, 0x4f, 0xae, 0xc3, 0x4d, + 0xcc, 0x7d, 0xaa, 0xf3, 0xdc, 0xe8, 0xe6, 0xa8, 0xb6, 0xa8, 0x23, 0x98, + 0x23, 0x32, 0xab, 0x92, 0xd6, 0x27, 0xcd, 0x8a, 0x0a, 0xe3, 0x41, 0x25, + 0x96, 0x0b, 0xfc, 0xa7, 0x57, 0x07, 0x89, 0x56, 0x49, 0x3b, 0x0d, 0xb6, + 0x56, 0x3f, 0x1d, 0x0c, 0x14, 0xae, 0xf7, 0xd9, 0x88, 0xb1, 0xdd, 0x75, + 0xde, 0x3c, 0xcd, 0xc1, 0x3a, 0x20, 0x5a, 0x39, 0x91, 0x36, 0xb9, 0xda, + 0x88, 0xc0, 0x26, 0xe1, 0xbb, 0x69, 0xe9, 0x0a, 0x7f, 0xe7}; const size_t kDERRSAPrivate8192Len = sizeof(kDERRSAPrivate8192); diff --git a/tool/digest.cc b/tool/digest.cc index 7ae90a93fd..82ccf94cde 100644 --- a/tool/digest.cc 
+++ b/tool/digest.cc @@ -46,7 +46,8 @@ OPENSSL_MSVC_PRAGMA(warning(pop)) #include "internal.h" -// Source is an awkward expression of a union type in C++: Stdin | File filename. +// Source is an awkward expression of a union type in C++: Stdin | File +// filename. struct Source { enum Type { STDIN, @@ -253,13 +254,12 @@ static bool Check(const CheckModeArguments &args, const EVP_MD *md, const bool overlong = line[len - 1] != '\n' && !feof(file); if (len < hex_size + 2 /* spaces */ + 1 /* filename */ || - line[hex_size] != ' ' || - line[hex_size + 1] != ' ' || - overlong) { + line[hex_size] != ' ' || line[hex_size + 1] != ' ' || overlong) { bad_lines++; if (args.warn) { fprintf(stderr, "%s: %u: improperly formatted line\n", - source.is_stdin() ? kStdinName : source.filename().c_str(), line_no); + source.is_stdin() ? kStdinName : source.filename().c_str(), + line_no); } if (args.strict) { ok = false; @@ -330,8 +330,7 @@ static bool Check(const CheckModeArguments &args, const EVP_MD *md, // DigestSum acts like the coreutils *sum utilites, with the given hash // function. -static bool DigestSum(const EVP_MD *md, - const args_list_t &args) { +static bool DigestSum(const EVP_MD *md, const args_list_t &args) { bool check_mode = false; CheckModeArguments check_args; bool check_mode_args_given = false; diff --git a/tool/file.cc b/tool/file.cc index db3f9dc1b2..162c81ee09 100644 --- a/tool/file.cc +++ b/tool/file.cc @@ -53,8 +53,7 @@ bool ReadAll(std::vector *out, FILE *file) { } } -bool WriteToFile(const std::string &path, const uint8_t *in, - size_t in_len) { +bool WriteToFile(const std::string &path, const uint8_t *in, size_t in_len) { ScopedFILE file(fopen(path.c_str(), "wb")); if (!file) { fprintf(stderr, "Failed to open '%s': %s\n", path.c_str(), strerror(errno)); diff --git a/tool/generate_ech.cc b/tool/generate_ech.cc index 93c6f6bc83..2697fd4e36 100644 --- a/tool/generate_ech.cc +++ b/tool/generate_ech.cc 
@@ -121,10 +121,11 @@ bool GenerateECH(const std::vector &args) { fprintf(stderr, "Failed to serialize the ECHConfigList\n"); return false; } - if (!WriteToFile( - args_map["-out-ech-config-list"], CBB_data(cbb.get()), CBB_len(cbb.get())) || + if (!WriteToFile(args_map["-out-ech-config-list"], CBB_data(cbb.get()), + CBB_len(cbb.get())) || !WriteToFile(args_map["-out-ech-config"], ech_config, ech_config_len) || - !WriteToFile(args_map["-out-private-key"], private_key, private_key_len)) { + !WriteToFile(args_map["-out-private-key"], private_key, + private_key_len)) { fprintf(stderr, "Failed to write ECHConfig or private key to file\n"); return false; } diff --git a/tool/generate_ed25519.cc b/tool/generate_ed25519.cc index 43e0559880..c5c197ddd0 100644 --- a/tool/generate_ed25519.cc +++ b/tool/generate_ed25519.cc @@ -23,14 +23,19 @@ static const argument_t kArguments[] = { { - "-out-public", kRequiredArgument, "The file to write the public key to", + "-out-public", + kRequiredArgument, + "The file to write the public key to", }, { - "-out-private", kRequiredArgument, + "-out-private", + kRequiredArgument, "The file to write the private key to", }, { - "", kOptionalArgument, "", + "", + kOptionalArgument, + "", }, }; diff --git a/tool/genrsa.cc b/tool/genrsa.cc index f60dd81ef0..9558a7c899 100644 --- a/tool/genrsa.cc +++ b/tool/genrsa.cc @@ -23,11 +23,14 @@ static const argument_t kArguments[] = { { - "-bits", kOptionalArgument, - "The number of bits in the modulus (default: 2048)", + "-bits", + kOptionalArgument, + "The number of bits in the modulus (default: 2048)", }, { - "", kOptionalArgument, "", + "", + kOptionalArgument, + "", }, }; diff --git a/tool/internal.h b/tool/internal.h index a4247a3a46..3efa22f965 100644 --- a/tool/internal.h +++ b/tool/internal.h 
@@ -19,20 +19,18 @@ #if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL) #include -#include #include +#include #endif +#include +#include #include #include #include -#include -#include struct FileCloser { - void operator()(FILE *file) { - fclose(file); - } + void operator()(FILE *file) { fclose(file); } }; using ScopedFILE = std::unique_ptr; 
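Review bot: The reformatted `void operator()(FILE *file) { fclose(file); }` in FileCloser discards fclose's return value, so a write error that only surfaces when the stream is flushed at close is silently lost for every ScopedFILE opened for writing; `WriteToFile` in the tool/file.cc hunk earlier on this page wraps `fopen(path.c_str(), "wb")` in exactly this type and can therefore report success for a file that was never completely written. A deleter cannot propagate an error, so the check belongs in WriteToFile before the ScopedFILE goes out of scope, e.g. `if (fflush(file.get()) != 0) { fprintf(stderr, "Failed to write '%s': %s\n", path.c_str(), strerror(errno)); return false; }` after the writes (the message text here is a constructed example). WriteToFile's body runs past the end of its hunk, so whether the current code already checks the write result is not visible here.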
@@ -113,30 +111,35 @@ typedef struct argument_t { typedef std::vector args_list_t; typedef std::map args_map_t; -bool IsFlag(const std::string& arg); +bool IsFlag(const std::string &arg); -// ParseKeyValueArguments converts the list of strings |args| ["-filter", "RSA", "-Timeout", "10"] into a map in -// |out_args| of key value pairs {"-filter": "RSA", "-Timeout": "10"}. It uses |templates| to determine what arguments -// are option or required. Any extra arguments that don't look like an unknown flag argument (prefixed by "-" or "--") -// will be appended to extra_args in the order they appear in. -bool ParseKeyValueArguments(args_map_t &out_args, - args_list_t &extra_args, +// ParseKeyValueArguments converts the list of strings |args| ["-filter", "RSA", +// "-Timeout", "10"] into a map in |out_args| of key value pairs {"-filter": +// "RSA", "-Timeout": "10"}. It uses |templates| to determine what arguments are +// option or required. Any extra arguments that don't look like an unknown flag +// argument (prefixed by "-" or "--") will be appended to extra_args in the +// order they appear in. +bool ParseKeyValueArguments(args_map_t &out_args, args_list_t &extra_args, const args_list_t &args, const argument_t *templates); -// PrintUsage prints the description from the list of templates in |templates| to stderr. +// PrintUsage prints the description from the list of templates in |templates| +// to stderr. void PrintUsage(const argument_t *templates); // Get{Unsigned, String} assign |out| the value of |arg_name| from the map // |args| if it is present. If |arg_name| is not found in |args| it assigns // |out| to the |default_value|. 
-bool GetUnsigned(unsigned *out, const std::string &arg_name, unsigned default_value, const args_map_t &args); -bool GetString(std::string *out, const std::string &arg_name, std::string default_value, const args_map_t &args); +bool GetUnsigned(unsigned *out, const std::string &arg_name, + unsigned default_value, const args_map_t &args); +bool GetString(std::string *out, const std::string &arg_name, + std::string default_value, const args_map_t &args); // GetBoolArgument assigns |out| the value |true| if |arg_name|, of // type |kBooleanArgument|, from the map |args| is present. If |arg_name| is not // found in |args| it assigns |out| to the value |false|. -bool GetBoolArgument(bool *out, const std::string &arg_name, const args_map_t &args); +bool GetBoolArgument(bool *out, const std::string &arg_name, + const args_map_t &args); bool ReadAll(std::vector *out, FILE *in); bool WriteToFile(const std::string &path, const uint8_t *in, size_t in_len); @@ -145,7 +148,8 @@ bool WriteToFile(const std::string &path, const uint8_t *in, size_t in_len); // bssl and openssl tools. It takes an additional parameter |tool| to indicate // which tool's s_client is being invoked. A value of true indicates openssl // and false indicates the internal bssl tool. -bool DoClient(std::map args_map, bool is_openssl_s_client); +bool DoClient(std::map args_map, + bool is_openssl_s_client); bool Ciphers(const std::vector &args); bool Client(const std::vector &args); diff --git a/tool/ossl_bm.h b/tool/ossl_bm.h index e5b874809c..4f2803fc5d 100644 --- a/tool/ossl_bm.h +++ b/tool/ossl_bm.h 
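Review bot: The comment above `DoClient` still says the function "takes an additional parameter |tool| to indicate which tool's s_client is being invoked", but the declaration being rewrapped names that parameter `is_openssl_s_client`, so the documentation and the signature disagree; the comment should refer to `|is_openssl_s_client|` (the sentence explaining that true means openssl and false the internal bssl tool can stay). Separately, `DoClient` takes its `std::map args_map` by value while every other declaration in this header takes `const args_map_t &`; `bool DoClient(const args_map_t &args_map, bool is_openssl_s_client);` would match the header's convention, provided the definition does not rely on a mutable copy, which cannot be confirmed from this hunk.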
@@ -31,28 +31,31 @@ inline size_t BM_ECDSA_size(EC_KEY *key) { const int key_size = ECDSA_size(key); assert(key_size >= 0); - return (size_t) key_size; + return (size_t)key_size; } // Rather than depend on headers of AWS-LC the below code is modified from // include/base.h, see that file for detailed comments. namespace ossl { namespace internal { -template struct DeleterImpl { -}; +template +struct DeleterImpl {}; -template struct Deleter { +template +struct Deleter { void operator()(T *ptr) { DeleterImpl::Free(ptr); } }; -#define OSSL_MAKE_DELETER(type, deleter) \ - namespace internal { \ - template <> struct DeleterImpl { \ - static void Free(type *ptr) { deleter(ptr); } \ - }; \ - } -} // namespace internal -template using UniquePtr = std::unique_ptr>; +#define OSSL_MAKE_DELETER(type, deleter) \ + namespace internal { \ + template <> \ + struct DeleterImpl { \ + static void Free(type *ptr) { deleter(ptr); } \ + }; \ + } +} // namespace internal +template +using UniquePtr = std::unique_ptr>; OSSL_MAKE_DELETER(DH, DH_free) OSSL_MAKE_DELETER(RSA, RSA_free) @@ -74,15 +77,16 @@ OSSL_MAKE_DELETER(HMAC_CTX, HMAC_CTX_free) #else OSSL_MAKE_DELETER(EVP_MD_CTX, EVP_MD_CTX_destroy) // This code lets us properly cleanup and delete HMAC_CTX ptrs - namespace internal { - template <> struct DeleterImpl { - static void Free(HMAC_CTX *ptr) { - HMAC_CTX_cleanup(ptr); - delete ptr; - } - }; - } +namespace internal { +template <> +struct DeleterImpl { + static void Free(HMAC_CTX *ptr) { + HMAC_CTX_cleanup(ptr); + delete ptr; + } +}; +} // namespace internal #endif -} // namespace ossl +} // namespace ossl -#endif //OPENSSL_HEADER_TOOL_OSSLBM_H +#endif // OPENSSL_HEADER_TOOL_OSSLBM_H diff --git a/tool/pkcs12.cc b/tool/pkcs12.cc index 42daa3da3d..f1c9cd328a 100644 --- a/tool/pkcs12.cc +++ b/tool/pkcs12.cc 
@@ -42,11 +42,14 @@ static const argument_t kArguments[] = { { - "-dump", kOptionalArgument, - "Dump the key and contents of the given file to stdout", + "-dump", + kOptionalArgument, + "Dump the key and contents of the given file to stdout", }, { - "", kOptionalArgument, "", + "", + kOptionalArgument, + "", }, }; diff --git a/tool/rand.cc b/tool/rand.cc index 4f637fdc08..892d7e8821 100644 --- a/tool/rand.cc +++ b/tool/rand.cc @@ -25,12 +25,11 @@ static const argument_t kArguments[] = { + {"-hex", kBooleanArgument, "Hex encoded output."}, { - "-hex", kBooleanArgument, - "Hex encoded output." - }, - { - "", kOptionalArgument, "", + "", + kOptionalArgument, + "", }, }; @@ -54,8 +53,7 @@ bool Rand(const std::vector &args) { std::map args_map; args_list_t extra_args; - if (!ParseKeyValueArguments(args_map, extra_args, args_copy, - kArguments) || + if (!ParseKeyValueArguments(args_map, extra_args, args_copy, kArguments) || extra_args.size() > 0) { PrintUsage(kArguments); return false; @@ -77,10 +75,10 @@ bool Rand(const std::vector &args) { if (hex) { static const char hextable[16 + 1] = "0123456789abcdef"; for (unsigned i = 0; i < todo; i++) { - hex_buf[i*2] = hextable[buf[i] >> 4]; - hex_buf[i*2 + 1] = hextable[buf[i] & 0xf]; + hex_buf[i * 2] = hextable[buf[i] >> 4]; + hex_buf[i * 2 + 1] = hextable[buf[i] & 0xf]; } - if (fwrite(hex_buf, todo*2, 1, stdout) != 1) { + if (fwrite(hex_buf, todo * 2, 1, stdout) != 1) { return false; } } else { diff --git a/tool/server.cc b/tool/server.cc index 071efefa27..90a5f2c193 100644 --- a/tool/server.cc +++ b/tool/server.cc 
@@ -27,39 +27,48 @@ static const argument_t kArguments[] = { { - "-accept", kRequiredArgument, + "-accept", + kRequiredArgument, "The port of the server to bind on; eg 45102", }, { - "-cipher", kOptionalArgument, + "-cipher", + kOptionalArgument, "An OpenSSL-style cipher suite string that configures the offered " "ciphers", }, { - "-curves", kOptionalArgument, + "-curves", + kOptionalArgument, "An OpenSSL-style ECDH curves list that configures the offered curves", }, { - "-max-version", kOptionalArgument, + "-max-version", + kOptionalArgument, "The maximum acceptable protocol version", }, { - "-min-version", kOptionalArgument, + "-min-version", + kOptionalArgument, "The minimum acceptable protocol version", }, { - "-key", kOptionalArgument, + "-key", + kOptionalArgument, "PEM-encoded file containing the private key. A self-signed " "certificate is generated at runtime if this argument is not provided.", }, { - "-cert", kOptionalArgument, + "-cert", + kOptionalArgument, "PEM-encoded file containing the leaf certificate and optional " "certificate chain. This is taken from the -key argument if this " "argument is not provided.", }, { - "-ocsp-response", kOptionalArgument, "OCSP response file to send", + "-ocsp-response", + kOptionalArgument, + "OCSP response file to send", }, { "-ech-key", 
@@ -72,39 +81,47 @@ static const argument_t kArguments[] = { "File containing one ECHConfig.", }, { - "-loop", kBooleanArgument, + "-loop", + kBooleanArgument, "The server will continue accepting new sequential connections.", }, { - "-early-data", kBooleanArgument, "Allow early data", + "-early-data", + kBooleanArgument, + "Allow early data", }, { - "-www", kBooleanArgument, + "-www", + kBooleanArgument, "The server will print connection information in response to a " "HTTP GET request.", }, { - "-debug", kBooleanArgument, + "-debug", + kBooleanArgument, "Print debug information about the handshake", }, { - "-require-any-client-cert", kBooleanArgument, + "-require-any-client-cert", + kBooleanArgument, "The server will require a client certificate.", }, { - "-jdk11-workaround", kBooleanArgument, + "-jdk11-workaround", + kBooleanArgument, "Enable the JDK 11 workaround", }, { - "", kOptionalArgument, "", + "", + kOptionalArgument, + "", }, }; static bool LoadOCSPResponse(SSL_CTX *ctx, const char *filename) { ScopedFILE f(fopen(filename, "rb")); std::vector data; - if (f == nullptr || - !ReadAll(&data, f.get())) { + if (f == nullptr || !ReadAll(&data, f.get())) { fprintf(stderr, "Error reading %s.\n", filename); return false; } @@ -117,7 +134,8 @@ static bool LoadOCSPResponse(SSL_CTX *ctx, const char *filename) { } static bssl::UniquePtr MakeKeyPairForSelfSignedCert() { - bssl::UniquePtr ec_key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); + bssl::UniquePtr ec_key( + EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); if (!ec_key || !EC_KEY_generate_key(ec_key.get())) { fprintf(stderr, "Failed to generate key pair.\n"); return nullptr; 
@@ -157,8 +175,7 @@ static bssl::UniquePtr MakeSelfSignedCert(EVP_PKEY *evp_pkey, // macOS requires an explicit EKU extension. bssl::UniquePtr ekus(sk_ASN1_OBJECT_new_null()); - if (!ekus || - !sk_ASN1_OBJECT_push(ekus.get(), OBJ_nid2obj(NID_server_auth)) || + if (!ekus || !sk_ASN1_OBJECT_push(ekus.get(), OBJ_nid2obj(NID_server_auth)) || !X509_add1_ext_i2d(x509.get(), NID_ext_key_usage, ekus.get(), /*crit=*/1, /*flags=*/0)) { return nullptr; @@ -291,8 +308,7 @@ bool Server(const std::vector &args) { } if (args_map.count("-ech-key") + args_map.count("-ech-config") == 1) { - fprintf(stderr, - "-ech-config and -ech-key must be specified together.\n"); + fprintf(stderr, "-ech-config and -ech-key must be specified together.\n"); return false; } @@ -301,8 +317,7 @@ bool Server(const std::vector &args) { std::string ech_key_path = args_map["-ech-key"]; ScopedFILE ech_key_file(fopen(ech_key_path.c_str(), "rb")); std::vector ech_key; - if (ech_key_file == nullptr || - !ReadAll(&ech_key, ech_key_file.get())) { + if (ech_key_file == nullptr || !ReadAll(&ech_key, ech_key_file.get())) { fprintf(stderr, "Error reading %s\n", ech_key_path.c_str()); return false; } @@ -369,7 +384,8 @@ bool Server(const std::vector &args) { if (args_map.count("-ocsp-response") != 0 && !LoadOCSPResponse(ctx.get(), args_map["-ocsp-response"].c_str())) { - fprintf(stderr, "Failed to load OCSP response: %s\n", args_map["-ocsp-response"].c_str()); + fprintf(stderr, "Failed to load OCSP response: %s\n", + args_map["-ocsp-response"].c_str()); return false; } diff --git a/tool/speed.cc b/tool/speed.cc index 3c67795c9d..4b45a7333e 100644 --- a/tool/speed.cc +++ b/tool/speed.cc @@ -35,10 +35,10 @@ #include #if defined(OPENSSL_IS_AWSLC) -#include "bssl_bm.h" -#include "../crypto/internal.h" -#include #include +#include +#include "../crypto/internal.h" +#include "bssl_bm.h" #elif defined(OPENSSL_IS_BORINGSSL) #define BORINGSSL_BENCHMARK #include "bssl_bm.h" 
@@ -90,7 +90,8 @@ static inline void *align_pointer(void *ptr, size_t alignment) { #endif -#if defined(OPENSSL_IS_AWSLC) && defined(AARCH64_DIT_SUPPORTED) && (AWSLC_API_VERSION > 30) +#if defined(OPENSSL_IS_AWSLC) && defined(AARCH64_DIT_SUPPORTED) && \ + (AWSLC_API_VERSION > 30) #include "../crypto/fipsmodule/cpucap/internal.h" #define DIT_OPTION #endif @@ -159,13 +160,12 @@ struct TimeResults { } void PrintWithPrimes(const std::string &description, - size_t prime_size) const { + size_t prime_size) const { if (g_print_json) { PrintJSON(description, "primeSizePerCall", prime_size); } else { printf( - "Did %" PRIu64 " %s operations in %" PRIu64 - "us (%.3f ops/sec)\n", + "Did %" PRIu64 " %s operations in %" PRIu64 "us (%.3f ops/sec)\n", num_calls, (description + PrimeLenSuffix(prime_size)).c_str(), us, (static_cast(num_calls) / static_cast(us)) * 1000000); } @@ -190,8 +190,7 @@ struct TimeResults { first_json_printed = true; } - void PrintJSON(const std::string &description, - const std::string &size_label, + void PrintJSON(const std::string &description, const std::string &size_label, size_t size = 0) const { if (first_json_printed) { puts(","); 
@@ -312,20 +311,23 @@ static bool SpeedRSA(const std::string &selected) { const uint8_t *key; const size_t key_len; } kRSAKeys[] = { - {"RSA 2048", kDERRSAPrivate2048, kDERRSAPrivate2048Len}, - {"RSA 3072", kDERRSAPrivate3072, kDERRSAPrivate3072Len}, - {"RSA 4096", kDERRSAPrivate4096, kDERRSAPrivate4096Len}, - {"RSA 8192", kDERRSAPrivate8192, kDERRSAPrivate8192Len}, + {"RSA 2048", kDERRSAPrivate2048, kDERRSAPrivate2048Len}, + {"RSA 3072", kDERRSAPrivate3072, kDERRSAPrivate3072Len}, + {"RSA 4096", kDERRSAPrivate4096, kDERRSAPrivate4096Len}, + {"RSA 8192", kDERRSAPrivate8192, kDERRSAPrivate8192Len}, }; for (size_t i = 0; i < BM_ARRAY_SIZE(kRSAKeys); i++) { const std::string name = kRSAKeys[i].name; - // d2i_RSAPrivateKey expects to be able to modify the input pointer as it parses the input data and we don't want it - // to modify the original |*key| data. Therefore create a new temp variable that points to the same data and pass - // in the reference to it. As a sanity check make sure |input_key| points to the end of the |*key|. + // d2i_RSAPrivateKey expects to be able to modify the input pointer as it + // parses the input data and we don't want it to modify the original |*key| + // data. Therefore create a new temp variable that points to the same data + // and pass in the reference to it. As a sanity check make sure |input_key| + // points to the end of the |*key|. const uint8_t *input_key = kRSAKeys[i].key; - BM_NAMESPACE::UniquePtr key(d2i_RSAPrivateKey(NULL, &input_key, (long) kRSAKeys[i].key_len)); + BM_NAMESPACE::UniquePtr key( + d2i_RSAPrivateKey(NULL, &input_key, (long)kRSAKeys[i].key_len)); if (key == nullptr) { fprintf(stderr, "Failed to parse %s key.\n", name.c_str()); ERR_print_errors_fp(stderr); 
@@ -339,12 +341,14 @@ static bool SpeedRSA(const std::string &selected) { TimeResults results; if (!TimeFunction(&results, [&key, &sig, &fake_sha256_hash, &sig_len]() -> bool { - // Usually during RSA signing we're using a long-lived |RSA| that has - // already had all of its |BN_MONT_CTX|s constructed, so it makes - // sense to use |key| directly here. - return RSA_sign(NID_sha256, fake_sha256_hash, sizeof(fake_sha256_hash), - sig.get(), &sig_len, key.get()); - })) { + // Usually during RSA signing we're using a long-lived + // |RSA| that has already had all of its |BN_MONT_CTX|s + // constructed, so it makes sense to use |key| directly + // here. + return RSA_sign(NID_sha256, fake_sha256_hash, + sizeof(fake_sha256_hash), sig.get(), + &sig_len, key.get()); + })) { fprintf(stderr, "RSA_sign failed.\n"); ERR_print_errors_fp(stderr); return false; @@ -353,10 +357,10 @@ static bool SpeedRSA(const std::string &selected) { if (!TimeFunction(&results, [&key, &fake_sha256_hash, &sig, sig_len]() -> bool { - return RSA_verify( - NID_sha256, fake_sha256_hash, sizeof(fake_sha256_hash), - sig.get(), sig_len, key.get()); - })) { + return RSA_verify(NID_sha256, fake_sha256_hash, + sizeof(fake_sha256_hash), sig.get(), + sig_len, key.get()); + })) { fprintf(stderr, "RSA_verify failed.\n"); ERR_print_errors_fp(stderr); return false; 
@@ -365,20 +369,21 @@ static bool SpeedRSA(const std::string &selected) { if (!TimeFunction(&results, [&key, &fake_sha256_hash, &sig, sig_len]() -> bool { - // Usually during RSA verification we have to parse an RSA key from a - // certificate or similar, in which case we'd need to construct a new - // RSA key, with a new |BN_MONT_CTX| for the public modulus. If we - // were to use |key| directly instead, then these costs wouldn't be - // accounted for. - BM_NAMESPACE::UniquePtr verify_key(RSA_new()); - if (!verify_key) { - return false; - } + // Usually during RSA verification we have to parse an + // RSA key from a certificate or similar, in which case + // we'd need to construct a new RSA key, with a new + // |BN_MONT_CTX| for the public modulus. If we were to + // use |key| directly instead, then these costs wouldn't + // be accounted for. + BM_NAMESPACE::UniquePtr verify_key(RSA_new()); + if (!verify_key) { + return false; + } #if defined(OPENSSL_1_0_BENCHMARK) - const BIGNUM *temp_n = key.get()->n; - const BIGNUM *temp_e = key.get()->e; - verify_key.get()->n = BN_dup(temp_n); - verify_key.get()->e = BN_dup(temp_e); + const BIGNUM *temp_n = key.get()->n; + const BIGNUM *temp_e = key.get()->e; + verify_key.get()->n = BN_dup(temp_n); + verify_key.get()->e = BN_dup(temp_e); #else const BIGNUM *temp_n = NULL; const BIGNUM *temp_e = NULL; @@ -387,10 +392,10 @@ static bool SpeedRSA(const std::string &selected) { RSA_set0_key(verify_key.get(), BN_dup(temp_n), BN_dup(temp_e), NULL); #endif - return RSA_verify(NID_sha256, fake_sha256_hash, - sizeof(fake_sha256_hash), sig.get(), sig_len, - verify_key.get()); - })) { + return RSA_verify(NID_sha256, fake_sha256_hash, + sizeof(fake_sha256_hash), sig.get(), + sig_len, verify_key.get()); + })) { fprintf(stderr, "RSA_verify failed.\n"); ERR_print_errors_fp(stderr); return false; 
@@ -437,7 +442,7 @@ static bool SpeedRSAKeyGen(bool is_fips, const std::string &selected) { BM_NAMESPACE::UniquePtr rsa(RSA_new()); const uint64_t iteration_start = time_now(); - if(is_fips){ + if (is_fips) { #if !defined(OPENSSL_BENCHMARK) // RSA_generate_key_fips is AWS-LC specific. if (!RSA_generate_key_fips(rsa.get(), size, nullptr)) { @@ -448,8 +453,7 @@ static bool SpeedRSAKeyGen(bool is_fips, const std::string &selected) { #else return true; #endif - } - else { + } else { if (!RSA_generate_key_ex(rsa.get(), size, e.get(), nullptr)) { fprintf(stderr, "RSA_generate_key_ex failed.\n"); ERR_print_errors_fp(stderr); @@ -496,9 +500,10 @@ static bool SpeedRSAKeyGen(bool is_fips, const std::string &selected) { } static bool SpeedEvpGenericChunk(const EVP_CIPHER *cipher, std::string name, - size_t chunk_byte_len, size_t ad_len, bool encrypt) { + size_t chunk_byte_len, size_t ad_len, + bool encrypt) { int len, result; - int* len_ptr = &len; + int *len_ptr = &len; const size_t key_len = EVP_CIPHER_key_length(cipher); static const unsigned kAlignment = 16; const size_t iv_len = EVP_CIPHER_iv_length(cipher); 
@@ -508,18 +513,25 @@ static bool SpeedEvpGenericChunk(const EVP_CIPHER *cipher, std::string name, BM_memset(key.get(), 0, key_len); std::unique_ptr nonce(new uint8_t[iv_len]); BM_memset(nonce.get(), 0, iv_len); - std::unique_ptr plaintext_storage(new uint8_t[chunk_byte_len + kAlignment]); - std::unique_ptr ciphertext_storage(new uint8_t[chunk_byte_len + overhead_len + kAlignment]); - std::unique_ptr in2_storage(new uint8_t[chunk_byte_len + overhead_len + kAlignment]); + std::unique_ptr plaintext_storage( + new uint8_t[chunk_byte_len + kAlignment]); + std::unique_ptr ciphertext_storage( + new uint8_t[chunk_byte_len + overhead_len + kAlignment]); + std::unique_ptr in2_storage( + new uint8_t[chunk_byte_len + overhead_len + kAlignment]); std::unique_ptr ad(new uint8_t[ad_len]); BM_memset(ad.get(), 0, ad_len); - std::unique_ptr tag_storage(new uint8_t[overhead_len + kAlignment]); + std::unique_ptr tag_storage( + new uint8_t[overhead_len + kAlignment]); - uint8_t *const plaintext = static_cast(align_pointer(plaintext_storage.get(), kAlignment)); + uint8_t *const plaintext = static_cast( + align_pointer(plaintext_storage.get(), kAlignment)); BM_memset(plaintext, 0, chunk_byte_len); - uint8_t *const ciphertext = static_cast(align_pointer(ciphertext_storage.get(), kAlignment)); + uint8_t *const ciphertext = static_cast( + align_pointer(ciphertext_storage.get(), kAlignment)); BM_memset(ciphertext, 0, chunk_byte_len + overhead_len); - uint8_t *const tag = static_cast(align_pointer(tag_storage.get(), kAlignment)); + uint8_t *const tag = + static_cast(align_pointer(tag_storage.get(), kAlignment)); BM_memset(tag, 0, overhead_len); BM_NAMESPACE::UniquePtr ctx(EVP_CIPHER_CTX_new()); 
@@ -529,39 +541,49 @@ static bool SpeedEvpGenericChunk(const EVP_CIPHER *cipher, std::string name, std::string encryptName = name + " encrypt"; TimeResults encryptResults; - // Call EVP_EncryptInit_ex once with the cipher and key, the benchmark loop will reuse both - if (!EVP_EncryptInit_ex(ctx.get(), cipher, NULL, key.get(), nonce.get())){ + // Call EVP_EncryptInit_ex once with the cipher and key, the benchmark loop + // will reuse both + if (!EVP_EncryptInit_ex(ctx.get(), cipher, NULL, key.get(), nonce.get())) { fprintf(stderr, "Failed to configure encryption context.\n"); ERR_print_errors_fp(stderr); return false; } - if (!TimeFunction(&encryptResults, [&ctx, chunk_byte_len, plaintext, ciphertext, len_ptr, tag, &nonce, &ad, ad_len, &isAead, &result]() -> bool { - result = EVP_EncryptInit_ex(ctx.get(), NULL, NULL, NULL, nonce.get()); - if (isAead) { - result &= EVP_EncryptUpdate(ctx.get(), NULL, len_ptr, ad.get(), ad_len); - } - result &= EVP_EncryptUpdate(ctx.get(), ciphertext, len_ptr, plaintext, chunk_byte_len); - result &= EVP_EncryptFinal_ex(ctx.get(), ciphertext + *len_ptr, len_ptr); - if (isAead) { - result &= EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, 16, tag); - } - return result; - })) { + if (!TimeFunction(&encryptResults, + [&ctx, chunk_byte_len, plaintext, ciphertext, len_ptr, + tag, &nonce, &ad, ad_len, &isAead, &result]() -> bool { + result = EVP_EncryptInit_ex(ctx.get(), NULL, NULL, NULL, + nonce.get()); + if (isAead) { + result &= EVP_EncryptUpdate(ctx.get(), NULL, len_ptr, + ad.get(), ad_len); + } + result &= + EVP_EncryptUpdate(ctx.get(), ciphertext, len_ptr, + plaintext, chunk_byte_len); + result &= EVP_EncryptFinal_ex( + ctx.get(), ciphertext + *len_ptr, len_ptr); + if (isAead) { + result &= EVP_CIPHER_CTX_ctrl( + ctx.get(), EVP_CTRL_GCM_GET_TAG, 16, tag); + } + return result; + })) { fprintf(stderr, "%s failed.\n", encryptName.c_str()); ERR_print_errors_fp(stderr); return false; } encryptResults.PrintWithBytes(encryptName, 
chunk_byte_len); - } - else { - result = EVP_EncryptInit_ex(ctx.get(), cipher, NULL, key.get(), nonce.get()); + } else { + result = + EVP_EncryptInit_ex(ctx.get(), cipher, NULL, key.get(), nonce.get()); if (isAead) { result &= EVP_EncryptUpdate(ctx.get(), NULL, len_ptr, ad.get(), ad_len); } - result &= EVP_EncryptUpdate(ctx.get(), ciphertext, len_ptr, plaintext, chunk_byte_len); + result &= EVP_EncryptUpdate(ctx.get(), ciphertext, len_ptr, plaintext, + chunk_byte_len); result &= EVP_EncryptFinal_ex(ctx.get(), ciphertext + *len_ptr, len_ptr); - if(isAead) { + if (isAead) { result &= EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, 16, tag); } 
@@ -572,24 +594,33 @@ static bool SpeedEvpGenericChunk(const EVP_CIPHER *cipher, std::string name, } std::string decryptName = name + " decrypt"; TimeResults decryptResults; - // Call EVP_DecryptInit_ex once with the cipher and key, the benchmark loop will reuse both - if (!EVP_DecryptInit_ex(ctx.get(), cipher, NULL, key.get(), nonce.get())){ + // Call EVP_DecryptInit_ex once with the cipher and key, the benchmark loop + // will reuse both + if (!EVP_DecryptInit_ex(ctx.get(), cipher, NULL, key.get(), nonce.get())) { fprintf(stderr, "Failed to configure decryption context.\n"); ERR_print_errors_fp(stderr); return false; } - if (!TimeFunction(&decryptResults, [&ctx, chunk_byte_len, plaintext, ciphertext, len_ptr, tag, &nonce, &ad, ad_len, &isAead, &result]() -> bool { - result = EVP_DecryptInit_ex(ctx.get(), NULL, NULL, NULL, nonce.get()); - if(isAead) { - result &= EVP_DecryptUpdate(ctx.get(), NULL, len_ptr, ad.get(), ad_len); - } - result &= EVP_DecryptUpdate(ctx.get(), plaintext, len_ptr, ciphertext, chunk_byte_len); - if (isAead) { - result &= EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, 16, tag); - } - result &= EVP_DecryptFinal_ex(ctx.get(), ciphertext + *len_ptr, len_ptr); - return result; - })) { + if (!TimeFunction(&decryptResults, + [&ctx, chunk_byte_len, plaintext, ciphertext, len_ptr, + tag, &nonce, &ad, ad_len, &isAead, &result]() -> bool { + result = EVP_DecryptInit_ex(ctx.get(), NULL, NULL, NULL, + nonce.get()); + if (isAead) { + result &= EVP_DecryptUpdate(ctx.get(), NULL, len_ptr, + ad.get(), ad_len); + } + result &= + EVP_DecryptUpdate(ctx.get(), plaintext, len_ptr, + ciphertext, chunk_byte_len); + if (isAead) { + result &= EVP_CIPHER_CTX_ctrl( + ctx.get(), EVP_CTRL_GCM_SET_TAG, 16, tag); + } + result &= EVP_DecryptFinal_ex( + ctx.get(), ciphertext + *len_ptr, len_ptr); + return result; + })) { fprintf(stderr, "%s failed.\n", decryptName.c_str()); ERR_print_errors_fp(stderr); return false; 
@@ -613,12 +644,14 @@ static bool SpeedEvpCipherGeneric(const EVP_CIPHER *cipher, const size_t iv_len = EVP_CIPHER_iv_length(cipher); std::unique_ptr nonce(new uint8_t[iv_len]); if (!TimeFunction(&results, [&]() -> bool { - return EVP_EncryptInit_ex(ctx.get(), cipher, NULL, key.get(), nonce.get());})) { + return EVP_EncryptInit_ex(ctx.get(), cipher, NULL, key.get(), + nonce.get()); + })) { fprintf(stderr, "EVP_EncryptInit_ex failed.\n"); ERR_print_errors_fp(stderr); return false; } - results.Print(name + " encrypt init"); + results.Print(name + " encrypt init"); for (size_t chunk_byte_len : g_chunk_lengths) { if (!SpeedEvpGenericChunk(cipher, name, chunk_byte_len, ad_len, @@ -628,12 +661,14 @@ static bool SpeedEvpCipherGeneric(const EVP_CIPHER *cipher, } if (!TimeFunction(&results, [&]() -> bool { - return EVP_DecryptInit_ex(ctx.get(), cipher, NULL, key.get(), nonce.get());})) { + return EVP_DecryptInit_ex(ctx.get(), cipher, NULL, key.get(), + nonce.get()); + })) { fprintf(stderr, "EVP_DecryptInit_ex failed.\n"); ERR_print_errors_fp(stderr); return false; } - results.Print(name + " decrypt init"); + results.Print(name + " decrypt init"); for (size_t chunk_byte_len : g_chunk_lengths) { if (!SpeedEvpGenericChunk(cipher, name, chunk_byte_len, ad_len, false)) { return false; @@ -743,7 +778,8 @@ static bool SpeedAEADChunk(const EVP_AEAD *aead, std::string name, } static bool SpeedAEAD(const EVP_AEAD *aead, const std::string &name, - size_t ad_len, const std::string &selected, enum evp_aead_direction_t dir) { + size_t ad_len, const std::string &selected, + enum evp_aead_direction_t dir) { if (!selected.empty() && name.find(selected) == std::string::npos) { return true; } 
@@ -757,7 +793,7 @@ static bool SpeedAEAD(const EVP_AEAD *aead, const std::string &name, return EVP_AEAD_CTX_init_with_direction( ctx.get(), aead, key.get(), key_len, EVP_AEAD_DEFAULT_TAG_LENGTH, evp_aead_seal); - })) { + })) { fprintf(stderr, "EVP_AEAD_CTX_init_with_direction failed.\n"); ERR_print_errors_fp(stderr); return false; @@ -782,14 +818,15 @@ static bool SpeedAEADSeal(const EVP_AEAD *aead, const std::string &name, return SpeedAEAD(aead, name, ad_len, selected, evp_aead_seal); } #if AWSLC_API_VERSION > 16 -static bool SpeedSingleKEM(const std::string &name, int nid, const std::string &selected) { +static bool SpeedSingleKEM(const std::string &name, int nid, + const std::string &selected) { if (!selected.empty() && name.find(selected) == std::string::npos) { return true; } // Key generation (Alice). - BM_NAMESPACE::UniquePtr a_ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, nullptr)); - if (!a_ctx || - !EVP_PKEY_CTX_kem_set_params(a_ctx.get(), nid) || + BM_NAMESPACE::UniquePtr a_ctx( + EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, nullptr)); + if (!a_ctx || !EVP_PKEY_CTX_kem_set_params(a_ctx.get(), nid) || !EVP_PKEY_keygen_init(a_ctx.get())) { return false; } 
@@ -823,28 +860,34 @@ static bool SpeedSingleKEM(const std::string &name, int nid, const std::string & std::unique_ptr a_ss(new uint8_t[a_ss_len]); // Sanity check (encaps/decaps gives the same shared secret). - if (!EVP_PKEY_encapsulate(b_ctx.get(), b_ct.get(), &b_ct_len, b_ss.get(), &b_ss_len) || - !EVP_PKEY_decapsulate(a_ctx.get(), a_ss.get(), &a_ss_len, b_ct.get(), b_ct_len) || + if (!EVP_PKEY_encapsulate(b_ctx.get(), b_ct.get(), &b_ct_len, b_ss.get(), + &b_ss_len) || + !EVP_PKEY_decapsulate(a_ctx.get(), a_ss.get(), &a_ss_len, b_ct.get(), + b_ct_len) || (a_ss_len != b_ss_len)) { return false; } for (size_t i = 0; i < a_ss_len; i++) { if (a_ss.get()[i] != b_ss.get()[i]) { - return false; + return false; } } // Measure encapsulation and decapsulation performance. - if (!TimeFunction(&results, [&b_ct, &b_ct_len, &b_ss, &b_ss_len, &b_ctx]() -> bool { - return EVP_PKEY_encapsulate(b_ctx.get(), b_ct.get(), &b_ct_len, b_ss.get(), &b_ss_len); - })) { + if (!TimeFunction( + &results, [&b_ct, &b_ct_len, &b_ss, &b_ss_len, &b_ctx]() -> bool { + return EVP_PKEY_encapsulate(b_ctx.get(), b_ct.get(), &b_ct_len, + b_ss.get(), &b_ss_len); + })) { return false; } results.Print(name + " encaps"); - if (!TimeFunction(&results, [&b_ct, &b_ct_len, &a_ss, &a_ss_len, &a_ctx]() -> bool { - return EVP_PKEY_decapsulate(a_ctx.get(), a_ss.get(), &a_ss_len, b_ct.get(), b_ct_len); - })) { + if (!TimeFunction( + &results, [&b_ct, &b_ct_len, &a_ss, &a_ss_len, &a_ctx]() -> bool { + return EVP_PKEY_decapsulate(a_ctx.get(), a_ss.get(), &a_ss_len, + b_ct.get(), b_ct_len); + })) { return false; } results.Print(name + " decaps"); 
@@ -857,25 +900,26 @@ static bool SpeedSingleKEM(const std::string &name, int nid, const std::string & static bool SpeedKEM(std::string selected) { return #if AWSLC_API_VERSION >= 30 - SpeedSingleKEM("ML-KEM-512", NID_MLKEM512, selected) && - SpeedSingleKEM("ML-KEM-768", NID_MLKEM768, selected) && - SpeedSingleKEM("ML-KEM-1024", NID_MLKEM1024, selected) && + SpeedSingleKEM("ML-KEM-512", NID_MLKEM512, selected) && + SpeedSingleKEM("ML-KEM-768", NID_MLKEM768, selected) && + SpeedSingleKEM("ML-KEM-1024", NID_MLKEM1024, selected) && #endif - SpeedSingleKEM("Kyber512_R3", NID_KYBER512_R3, selected) && - SpeedSingleKEM("Kyber768_R3", NID_KYBER768_R3, selected) && - SpeedSingleKEM("Kyber1024_R3", NID_KYBER1024_R3, selected); + SpeedSingleKEM("Kyber512_R3", NID_KYBER512_R3, selected) && + SpeedSingleKEM("Kyber768_R3", NID_KYBER768_R3, selected) && + SpeedSingleKEM("Kyber1024_R3", NID_KYBER1024_R3, selected); } #if AWSLC_API_VERSION > 31 static bool SpeedDigestSignNID(const std::string &name, int nid, - const std::string &selected) { + const std::string &selected) { if (!selected.empty() && name.find(selected) == std::string::npos) { return true; } // Setup CTX for Sign/Verify Operations of type EVP_PKEY_PQDSA - BM_NAMESPACE::UniquePtr pkey_ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_PQDSA, nullptr)); + BM_NAMESPACE::UniquePtr pkey_ctx( + EVP_PKEY_CTX_new_id(EVP_PKEY_PQDSA, nullptr)); // Setup CTX for specific signature alg NID EVP_PKEY_CTX_pqdsa_set_params(pkey_ctx.get(), nid); 
@@ -911,17 +955,21 @@ static bool SpeedDigestSignNID(const std::string &name, int nid, std::unique_ptr signature(new uint8_t[sig_len]); - if (!TimeFunction(&results, [&md_ctx, &signature, &sig_len, msg_len ]() -> bool { - return EVP_DigestSign(md_ctx.get(), signature.get(), &sig_len, msg, msg_len); - })) { + if (!TimeFunction(&results, + [&md_ctx, &signature, &sig_len, msg_len]() -> bool { + return EVP_DigestSign(md_ctx.get(), signature.get(), + &sig_len, msg, msg_len); + })) { return false; } results.Print(name + " signing"); // Verify - if (!TimeFunction(&results, [&md_ctx, &signature, &sig_len, msg_len ]() -> bool { - return EVP_DigestVerify(md_ctx.get(), signature.get(), sig_len, msg, msg_len); - })) { + if (!TimeFunction(&results, + [&md_ctx, &signature, &sig_len, msg_len]() -> bool { + return EVP_DigestVerify(md_ctx.get(), signature.get(), + sig_len, msg, msg_len); + })) { return false; } results.Print(name + " verify"); @@ -1011,7 +1059,7 @@ static bool SpeedAESBlock(const std::string &name, unsigned bits, return true; } -static bool SpeedAES256XTS(const std::string &name, //const size_t in_len, +static bool SpeedAES256XTS(const std::string &name, // const size_t in_len, const std::string &selected) { if (!selected.empty() && name.find(selected) == std::string::npos) { return true; @@ -1034,7 +1082,8 @@ static bool SpeedAES256XTS(const std::string &name, //const size_t in_len, BM_NAMESPACE::UniquePtr ctx(EVP_CIPHER_CTX_new()); TimeResults results; - // Benchmark just EVP_EncryptInit_ex with the cipher and key, the encrypt benchmark loop will reuse both + // Benchmark just EVP_EncryptInit_ex with the cipher and key, the encrypt + // benchmark loop will reuse both if (!TimeFunction(&results, [&]() -> bool { return EVP_EncryptInit_ex(ctx.get(), cipher, nullptr, key.data(), iv.data()); 
@@ -1071,7 +1120,8 @@ static bool SpeedAES256XTS(const std::string &name, //const size_t in_len, } // Benchmark initialisation and decryption - // Benchmark just EVP_DecryptInit_ex with the cipher and key, the decrypt benchmark loop will reuse both + // Benchmark just EVP_DecryptInit_ex with the cipher and key, the decrypt + // benchmark loop will reuse both if (!TimeFunction(&results, [&]() -> bool { return EVP_DecryptInit_ex(ctx.get(), cipher, nullptr, key.data(), iv.data()); @@ -1205,7 +1255,8 @@ static bool SpeedHmac(const EVP_MD *md, const std::string &name, BM_NAMESPACE::UniquePtr ctx(HMAC_CTX_new()); #endif if (!TimeFunction(&results, [&]() -> bool { - return HMAC_Init_ex(ctx.get(), key.get(), key_len, md, NULL /* ENGINE */); + return HMAC_Init_ex(ctx.get(), key.get(), key_len, md, + NULL /* ENGINE */); })) { fprintf(stderr, "HMAC_Init_ex failed.\n"); ERR_print_errors_fp(stderr); @@ -1223,7 +1274,7 @@ static bool SpeedHmac(const EVP_MD *md, const std::string &name, } static bool SpeedHmacChunkOneShot(const EVP_MD *md, std::string name, - size_t chunk_len) { + size_t chunk_len) { std::unique_ptr input(new uint8_t[chunk_len]); const size_t key_len = EVP_MD_size(md); std::unique_ptr key(new uint8_t[key_len]); @@ -1232,11 +1283,11 @@ static bool SpeedHmacChunkOneShot(const EVP_MD *md, std::string name, TimeResults results; if (!TimeFunction(&results, [&key, key_len, md, chunk_len, &input]() -> bool { - uint8_t digest[EVP_MAX_MD_SIZE] = {0}; unsigned int md_len = EVP_MAX_MD_SIZE; - return HMAC(md, key.get(), key_len, input.get(), chunk_len, digest, &md_len) != nullptr; + return HMAC(md, key.get(), key_len, input.get(), chunk_len, digest, + &md_len) != nullptr; })) { fprintf(stderr, "HMAC_Final failed.\n"); ERR_print_errors_fp(stderr); 
@@ -1248,7 +1299,7 @@ static bool SpeedHmacChunkOneShot(const EVP_MD *md, std::string name, } static bool SpeedHmacOneShot(const EVP_MD *md, const std::string &name, - const std::string &selected) { + const std::string &selected) { if (!selected.empty() && name.find(selected) == std::string::npos) { return true; } @@ -1264,7 +1315,8 @@ static bool SpeedHmacOneShot(const EVP_MD *md, const std::string &name, using RandomFunction = std::function; -static bool SpeedRandomChunk(RandomFunction function, std::string name, size_t chunk_len) { +static bool SpeedRandomChunk(RandomFunction function, std::string name, + size_t chunk_len) { std::unique_ptr output(new uint8_t[chunk_len]); TimeResults results; @@ -1279,7 +1331,8 @@ static bool SpeedRandomChunk(RandomFunction function, std::string name, size_t c return true; } -static bool SpeedRandom(RandomFunction function, const std::string &name, const std::string &selected) { +static bool SpeedRandom(RandomFunction function, const std::string &name, + const std::string &selected) { if (!selected.empty() && name.find(selected) == std::string::npos) { return true; } @@ -1298,12 +1351,12 @@ struct curve_config { int nid; }; -curve_config supported_curves[] = {{"P-224", NID_secp224r1}, - {"P-256", NID_X9_62_prime256v1}, - {"P-384", NID_secp384r1}, - {"P-521", NID_secp521r1}, -#if (!defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)) || AWSLC_API_VERSION > 16 - {"secp256k1", NID_secp256k1}, +curve_config supported_curves[] = { + {"P-224", NID_secp224r1}, {"P-256", NID_X9_62_prime256v1}, + {"P-384", NID_secp384r1}, {"P-521", NID_secp521r1}, +#if (!defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)) || \ + AWSLC_API_VERSION > 16 + {"secp256k1", NID_secp256k1}, #endif }; 
@@ -1314,8 +1367,7 @@ static bool SpeedECDHCurve(const std::string &name, int nid, } BM_NAMESPACE::UniquePtr peer_key(EC_KEY_new_by_curve_name(nid)); - if (!peer_key || - !EC_KEY_generate_key(peer_key.get())) { + if (!peer_key || !EC_KEY_generate_key(peer_key.get())) { fprintf(stderr, "NID %d for %s not supported.\n", nid, name.c_str()); return false; } @@ -1337,8 +1389,7 @@ static bool SpeedECDHCurve(const std::string &name, int nid, TimeResults results; if (!TimeFunction(&results, [nid, peer_value_len, &peer_value]() -> bool { BM_NAMESPACE::UniquePtr key(EC_KEY_new_by_curve_name(nid)); - if (!key || - !EC_KEY_generate_key(key.get())) { + if (!key || !EC_KEY_generate_key(key.get())) { return false; } const EC_GROUP *const group = EC_KEY_get0_group(key.get()); @@ -1367,7 +1418,7 @@ static bool SpeedECDHCurve(const std::string &name, int nid, static bool SpeedECKeyGenerateKey(bool is_fips, const std::string &name, - int nid, const std::string &selected) { + int nid, const std::string &selected) { if (!selected.empty() && name.find(selected) == std::string::npos) { return true; } @@ -1397,13 +1448,14 @@ static bool SpeedECKeyGenerateKey(bool is_fips, const std::string &name, } static bool SpeedECKeyGenCurve(const std::string &name, int nid, - const std::string &selected) { + const std::string &selected) { if (!selected.empty() && name.find(selected) == std::string::npos) { return true; } // Setup CTX for EC Operations - BM_NAMESPACE::UniquePtr pkey_ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_EC, nullptr)); + BM_NAMESPACE::UniquePtr pkey_ctx( + EVP_PKEY_CTX_new_id(EVP_PKEY_EC, nullptr)); // Setup CTX for Keygen Operations if (!pkey_ctx || EVP_PKEY_keygen_init(pkey_ctx.get()) != 1) { @@ -1421,7 +1473,7 @@ static bool SpeedECKeyGenCurve(const std::string &name, int nid, if (!TimeFunction(&results, [&pkey_ctx, &key]() -> bool { return EVP_PKEY_keygen(pkey_ctx.get(), &key); })) { - return false; + return false; } EVP_PKEY_free(key); results.Print(name + " with EVP_PKEY_keygen"); 
@@ -1435,8 +1487,7 @@ static bool SpeedECDSACurve(const std::string &name, int nid, } BM_NAMESPACE::UniquePtr key(EC_KEY_new_by_curve_name(nid)); - if (!key || - !EC_KEY_generate_key(key.get())) { + if (!key || !EC_KEY_generate_key(key.get())) { return false; } @@ -1471,9 +1522,9 @@ static bool SpeedECDSACurve(const std::string &name, int nid, } static bool SpeedECKeyGenerateKey(bool is_fips, const std::string &selected) { - for (const auto& config : supported_curves) { + for (const auto &config : supported_curves) { std::string message = "Generate " + config.name; - if(!SpeedECKeyGenerateKey(is_fips, message, config.nid, selected)) { + if (!SpeedECKeyGenerateKey(is_fips, message, config.nid, selected)) { return false; } } @@ -1481,9 +1532,9 @@ static bool SpeedECKeyGenerateKey(bool is_fips, const std::string &selected) { } static bool SpeedECDH(const std::string &selected) { - for (const auto& config : supported_curves) { + for (const auto &config : supported_curves) { std::string message = "ECDH " + config.name; - if(!SpeedECDHCurve(message, config.nid, selected)) { + if (!SpeedECDHCurve(message, config.nid, selected)) { return false; } } @@ -1491,9 +1542,9 @@ static bool SpeedECDH(const std::string &selected) { } static bool SpeedECKeyGen(const std::string &selected) { - for (const auto& config : supported_curves) { + for (const auto &config : supported_curves) { std::string message = "Generate " + config.name; - if(!SpeedECKeyGenCurve(message, config.nid, selected)) { + if (!SpeedECKeyGenCurve(message, config.nid, selected)) { return false; } } @@ -1501,9 +1552,9 @@ static bool SpeedECKeyGen(const std::string &selected) { } static bool SpeedECDSA(const std::string &selected) { - for (const auto& config : supported_curves) { + for (const auto &config : supported_curves) { std::string message = "ECDSA " + config.name; - if(!SpeedECDSACurve(message, config.nid, selected)) { + if (!SpeedECDSACurve(message, config.nid, selected)) { return false; } } 
@@ -1511,8 +1562,7 @@ static bool SpeedECDSA(const std::string &selected) { } #if !defined(OPENSSL_1_0_BENCHMARK) -static EVP_PKEY * evp_generate_key(const int curve_nid) { - +static EVP_PKEY *evp_generate_key(const int curve_nid) { // P NIST curves are abstracted under the same virtual function table which // is configured using |EVP_PKEY_EC|. int local_nid = curve_nid; @@ -1520,7 +1570,8 @@ static EVP_PKEY * evp_generate_key(const int curve_nid) { local_nid = EVP_PKEY_EC; } - BM_NAMESPACE::UniquePtr evp_pkey_ctx(EVP_PKEY_CTX_new_id(local_nid, nullptr)); + BM_NAMESPACE::UniquePtr evp_pkey_ctx( + EVP_PKEY_CTX_new_id(local_nid, nullptr)); if (local_nid == EVP_PKEY_EC) { // Since P NIST curves are abstracted under the same virtual function table, @@ -1528,9 +1579,9 @@ static EVP_PKEY * evp_generate_key(const int curve_nid) { // generate the key. EVP_PKEY *curve = nullptr; if (!EVP_PKEY_paramgen_init(evp_pkey_ctx.get()) || - !EVP_PKEY_CTX_set_ec_paramgen_curve_nid(evp_pkey_ctx.get(), curve_nid) || - !EVP_PKEY_paramgen(evp_pkey_ctx.get(), &curve) || - curve == nullptr) { + !EVP_PKEY_CTX_set_ec_paramgen_curve_nid(evp_pkey_ctx.get(), + curve_nid) || + !EVP_PKEY_paramgen(evp_pkey_ctx.get(), &curve) || curve == nullptr) { return nullptr; } BM_NAMESPACE::UniquePtr curve_uniqueptr(curve); @@ -1554,8 +1605,7 @@ static EVP_PKEY * evp_generate_key(const int curve_nid) { // support a subset of curve types. |SpeedECDH| includes deserialisation of the // peer key. Leaving this out doesn't bias measurements though. static bool SpeedEvpEcdhCurve(const std::string &name, int nid, - const std::string &selected) { - + const std::string &selected) { if (!selected.empty() && name.find(selected) == std::string::npos) { return true; } 
@@ -1572,7 +1622,8 @@ static bool SpeedEvpEcdhCurve(const std::string &name, int nid, // performing key validation. Currently, this is only a problem for the // P NIST curve types. BM_NAMESPACE::UniquePtr only_public_key_evp_pkey(EVP_PKEY_new()); - BM_NAMESPACE::UniquePtr only_public_key_ec_key(EC_KEY_new_by_curve_name(nid)); + BM_NAMESPACE::UniquePtr only_public_key_ec_key( + EC_KEY_new_by_curve_name(nid)); if (only_public_key_ec_key == nullptr || only_public_key_evp_pkey == nullptr) { return false; @@ -1581,8 +1632,9 @@ static bool SpeedEvpEcdhCurve(const std::string &name, int nid, const EC_KEY *peer_key_ec_key = EVP_PKEY_get0_EC_KEY(peer_key.get()); if (peer_key_ec_key == nullptr || !EC_KEY_set_public_key(only_public_key_ec_key.get(), - EC_KEY_get0_public_key(peer_key_ec_key)) || - !EVP_PKEY_assign_EC_KEY(only_public_key_evp_pkey.get(), only_public_key_ec_key.release())) { + EC_KEY_get0_public_key(peer_key_ec_key)) || + !EVP_PKEY_assign_EC_KEY(only_public_key_evp_pkey.get(), + only_public_key_ec_key.release())) { return false; } peer_key.reset(only_public_key_evp_pkey.release()); 
@@ -1590,41 +1642,43 @@ static bool SpeedEvpEcdhCurve(const std::string &name, int nid, TimeResults results; if (!TimeFunction(&results, [nid, &peer_key]() -> bool { - BM_NAMESPACE::UniquePtr my_key(evp_generate_key(nid)); - + BM_NAMESPACE::UniquePtr my_key(evp_generate_key(nid)); #if defined(OPENSSL_BENCHMARK) - // For AWS-LC EVP_PKEY_derive() calls ECDH_compute_shared_secret() that - // performs the public key check. - if (nid != NID_X25519) { - // For the supported P NIST curves, the peer public key must be validated - // to ensure proper computation. - if (!EC_KEY_check_key(EVP_PKEY_get0_EC_KEY(peer_key.get()))) { - return false; - } - } + // For AWS-LC EVP_PKEY_derive() calls ECDH_compute_shared_secret() that + // performs the public key check. + if (nid != NID_X25519) { + // For the supported P NIST curves, the peer public key must be + // validated to ensure proper computation. + if (!EC_KEY_check_key(EVP_PKEY_get0_EC_KEY(peer_key.get()))) { + return false; + } + } #endif - BM_NAMESPACE::UniquePtr derive_ctx(EVP_PKEY_CTX_new(my_key.get(), NULL)); - if (derive_ctx == nullptr) { - return false; - } + BM_NAMESPACE::UniquePtr derive_ctx( + EVP_PKEY_CTX_new(my_key.get(), NULL)); + if (derive_ctx == nullptr) { + return false; + } - size_t shared_secret_size = 0; - if (!EVP_PKEY_derive_init(derive_ctx.get()) || - !EVP_PKEY_derive_set_peer(derive_ctx.get(), peer_key.get()) || - !EVP_PKEY_derive(derive_ctx.get(), NULL, &shared_secret_size) || - (shared_secret_size == 0)) { - return false; - } + size_t shared_secret_size = 0; + if (!EVP_PKEY_derive_init(derive_ctx.get()) || + !EVP_PKEY_derive_set_peer(derive_ctx.get(), peer_key.get()) || + !EVP_PKEY_derive(derive_ctx.get(), NULL, &shared_secret_size) || + (shared_secret_size == 0)) { + return false; + } - std::unique_ptr shared_secret(new uint8_t[shared_secret_size]); - if (!EVP_PKEY_derive(derive_ctx.get(), shared_secret.get(), &shared_secret_size)) { - return false; - } + std::unique_ptr shared_secret( + new 
uint8_t[shared_secret_size]); + if (!EVP_PKEY_derive(derive_ctx.get(), shared_secret.get(), + &shared_secret_size)) { + return false; + } - return true; - })) { - return false; + return true; + })) { + return false; } results.Print(name); @@ -1632,17 +1686,17 @@ static bool SpeedEvpEcdhCurve(const std::string &name, int nid, } static bool SpeedEvpEcdh(const std::string &selected) { - for (const auto& config : supported_curves) { - std::string message = "EVP ECDH " + config.name; - if(!SpeedEvpEcdhCurve(message, config.nid, selected)) { - return false; - } + for (const auto &config : supported_curves) { + std::string message = "EVP ECDH " + config.name; + if (!SpeedEvpEcdhCurve(message, config.nid, selected)) { + return false; + } } return SpeedEvpEcdhCurve("EVP ECDH X25519", NID_X25519, selected); } static bool SpeedECPOINTCurve(const std::string &name, int nid, - const std::string &selected) { + const std::string &selected) { if (!selected.empty() && name.find(selected) == std::string::npos) { return true; } @@ -1659,12 +1713,14 @@ static bool SpeedECPOINTCurve(const std::string &name, int nid, // Generate two random scalars modulo the EC group order. if (!BN_rand_range(scalar0.get(), EC_GROUP_get0_order(group.get())) || !BN_rand_range(scalar1.get(), EC_GROUP_get0_order(group.get()))) { - return false; + return false; } // Generate two random EC point. - EC_POINT_mul(group.get(), pin0.get(), scalar0.get(), nullptr, nullptr, ctx.get()); - EC_POINT_mul(group.get(), pin1.get(), scalar1.get(), nullptr, nullptr, ctx.get()); + EC_POINT_mul(group.get(), pin0.get(), scalar0.get(), nullptr, nullptr, + ctx.get()); + EC_POINT_mul(group.get(), pin1.get(), scalar1.get(), nullptr, nullptr, + ctx.get()); TimeResults results; 
@@ -1682,7 +1738,8 @@ static bool SpeedECPOINTCurve(const std::string &name, int nid, // Measure point addition. if (!TimeFunction(&results, [&group, &pout, &ctx, &pin0, &pin1]() -> bool { - if (!EC_POINT_add(group.get(), pout.get(), pin0.get(), pin1.get(), ctx.get())) { + if (!EC_POINT_add(group.get(), pout.get(), pin0.get(), pin1.get(), + ctx.get())) { return false; } @@ -1694,7 +1751,8 @@ static bool SpeedECPOINTCurve(const std::string &name, int nid, // Measure scalar multiplication of an arbitrary curve point. if (!TimeFunction(&results, [&group, &pout, &ctx, &pin0, &scalar0]() -> bool { - if (!EC_POINT_mul(group.get(), pout.get(), nullptr, pin0.get(), scalar0.get(), ctx.get())) { + if (!EC_POINT_mul(group.get(), pout.get(), nullptr, pin0.get(), + scalar0.get(), ctx.get())) { return false; } @@ -1706,7 +1764,8 @@ static bool SpeedECPOINTCurve(const std::string &name, int nid, // Measure scalar multiplication of the curve based point. if (!TimeFunction(&results, [&group, &pout, &ctx, &scalar0]() -> bool { - if (!EC_POINT_mul(group.get(), pout.get(), scalar0.get(), nullptr, nullptr, ctx.get())) { + if (!EC_POINT_mul(group.get(), pout.get(), scalar0.get(), nullptr, + nullptr, ctx.get())) { return false; } @@ -1717,13 +1776,15 @@ static bool SpeedECPOINTCurve(const std::string &name, int nid, results.Print(name + " mul base"); // Measure scalar multiplication of based point and arbitrary point. - if (!TimeFunction(&results, [&group, &pout, &pin0, &ctx, &scalar0, &scalar1]() -> bool { - if (!EC_POINT_mul(group.get(), pout.get(), scalar1.get(), pin0.get(), scalar0.get(), ctx.get())) { - return false; - } + if (!TimeFunction(&results, + [&group, &pout, &pin0, &ctx, &scalar0, &scalar1]() -> bool { + if (!EC_POINT_mul(group.get(), pout.get(), scalar1.get(), + pin0.get(), scalar0.get(), ctx.get())) { + return false; + } - return true; - })) { + return true; + })) { return false; } results.Print(name + " mul public"); 
@@ -1732,19 +1793,21 @@ static bool SpeedECPOINTCurve(const std::string &name, int nid, } static bool SpeedECPOINT(const std::string &selected) { - for (const auto& config : supported_curves) { + for (const auto &config : supported_curves) { std::string message = "EC POINT " + config.name; - if(!SpeedECPOINTCurve(message, config.nid, selected)) { + if (!SpeedECPOINTCurve(message, config.nid, selected)) { return false; } } return true; } -#endif // !defined(OPENSSL_1_0_BENCHMARK) +#endif // !defined(OPENSSL_1_0_BENCHMARK) // Only new AWS-LC (>= 22) and new OpenSSL (>= 1.1.1) support FFDH -#if (!defined(OPENSSL_1_0_BENCHMARK) && !defined(BORINGSSL_BENCHMARK) && !defined(OPENSSL_IS_AWSLC)) || AWSLC_API_VERSION >= 22 +#if (!defined(OPENSSL_1_0_BENCHMARK) && !defined(BORINGSSL_BENCHMARK) && \ + !defined(OPENSSL_IS_AWSLC)) || \ + AWSLC_API_VERSION >= 22 static bool SpeedFFDHGroup(const std::string &name, int nid, const std::string &selected) { if (!selected.empty() && name.find(selected) == std::string::npos) { @@ -1752,7 +1815,7 @@ static bool SpeedFFDHGroup(const std::string &name, int nid, } BM_NAMESPACE::UniquePtr server_dh(DH_new_by_nid(nid)); - if(!DH_generate_key(server_dh.get())) { + if (!DH_generate_key(server_dh.get())) { return false; } const BIGNUM *server_pub = DH_get0_pub_key(server_dh.get()); 
@@ -1761,11 +1824,14 @@ static bool SpeedFFDHGroup(const std::string &name, int nid, std::unique_ptr shared_secret(new uint8_t[dh_size]); TimeResults results; - if (!TimeFunction(&results, [&shared_secret, &server_pub, &dh_size, &nid]() -> bool { - BM_NAMESPACE::UniquePtr client_dh(DH_new_by_nid(nid)); - return DH_generate_key(client_dh.get()) && - dh_size == DH_compute_key_padded(shared_secret.get(), server_pub, client_dh.get()); - })) { + if (!TimeFunction( + &results, [&shared_secret, &server_pub, &dh_size, &nid]() -> bool { + BM_NAMESPACE::UniquePtr client_dh(DH_new_by_nid(nid)); + return DH_generate_key(client_dh.get()) && + dh_size == DH_compute_key_padded(shared_secret.get(), + server_pub, + client_dh.get()); + })) { return false; } @@ -1777,7 +1843,8 @@ static bool SpeedFFDH(const std::string &selected) { return SpeedFFDHGroup("FFDH 2048", NID_ffdhe2048, selected) && SpeedFFDHGroup("FFDH 4096", NID_ffdhe4096, selected); } -#endif //(!defined(OPENSSL_1_0_BENCHMARK) && !defined(BORINGSSL_BENCHMARK) && !defined(OPENSSL_IS_AWSLC)) || AWSLC_API_VERSION >= 22 +#endif //(!defined(OPENSSL_1_0_BENCHMARK) && !defined(BORINGSSL_BENCHMARK) && + //! defined(OPENSSL_IS_AWSLC)) || AWSLC_API_VERSION >= 22 #if !defined(OPENSSL_BENCHMARK) static bool Speed25519(const std::string &selected) { 
@@ -1877,23 +1944,22 @@ static bool SpeedSPAKE2(const std::string &selected) { static const uint8_t kAliceName[] = {'A'}; static const uint8_t kBobName[] = {'B'}; static const uint8_t kPassword[] = "password"; - BM_NAMESPACE::UniquePtr alice(SPAKE2_CTX_new(spake2_role_alice, - kAliceName, sizeof(kAliceName), kBobName, - sizeof(kBobName))); + BM_NAMESPACE::UniquePtr alice( + SPAKE2_CTX_new(spake2_role_alice, kAliceName, sizeof(kAliceName), + kBobName, sizeof(kBobName))); uint8_t alice_msg[SPAKE2_MAX_MSG_SIZE]; size_t alice_msg_len; if (!SPAKE2_generate_msg(alice.get(), alice_msg, &alice_msg_len, - sizeof(alice_msg), - kPassword, sizeof(kPassword))) { + sizeof(alice_msg), kPassword, sizeof(kPassword))) { fprintf(stderr, "SPAKE2_generate_msg failed.\n"); return false; } if (!TimeFunction(&results, [&alice_msg, alice_msg_len]() -> bool { - BM_NAMESPACE::UniquePtr bob(SPAKE2_CTX_new(spake2_role_bob, - kBobName, sizeof(kBobName), kAliceName, - sizeof(kAliceName))); + BM_NAMESPACE::UniquePtr bob( + SPAKE2_CTX_new(spake2_role_bob, kBobName, sizeof(kBobName), + kAliceName, sizeof(kAliceName))); uint8_t bob_msg[SPAKE2_MAX_MSG_SIZE], bob_key[64]; size_t bob_msg_len, bob_key_len; if (!SPAKE2_generate_msg(bob.get(), bob_msg, &bob_msg_len, 
@@ -2064,26 +2130,26 @@ static bool SpeedBase64(const std::string &selected) { } static const char kInput[] = - "MIIDtTCCAp2gAwIBAgIJALW2IrlaBKUhMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV" - "BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX" - "aWRnaXRzIFB0eSBMdGQwHhcNMTYwNzA5MDQzODA5WhcNMTYwODA4MDQzODA5WjBF" - "MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50" - "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB" - "CgKCAQEAugvahBkSAUF1fC49vb1bvlPrcl80kop1iLpiuYoz4Qptwy57+EWssZBc" - "HprZ5BkWf6PeGZ7F5AX1PyJbGHZLqvMCvViP6pd4MFox/igESISEHEixoiXCzepB" - "rhtp5UQSjHD4D4hKtgdMgVxX+LRtwgW3mnu/vBu7rzpr/DS8io99p3lqZ1Aky+aN" - "lcMj6MYy8U+YFEevb/V0lRY9oqwmW7BHnXikm/vi6sjIS350U8zb/mRzYeIs2R65" - "LUduTL50+UMgat9ocewI2dv8aO9Dph+8NdGtg8LFYyTTHcUxJoMr1PTOgnmET19W" - "JH4PrFwk7ZE1QJQQ1L4iKmPeQistuQIDAQABo4GnMIGkMB0GA1UdDgQWBBT5m6Vv" - "zYjVYHG30iBE+j2XDhUE8jB1BgNVHSMEbjBsgBT5m6VvzYjVYHG30iBE+j2XDhUE" - "8qFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNV" - "BAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJALW2IrlaBKUhMAwGA1UdEwQF" - "MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAD7Jg68SArYWlcoHfZAB90Pmyrt5H6D8" - "LRi+W2Ri1fBNxREELnezWJ2scjl4UMcsKYp4Pi950gVN+62IgrImcCNvtb5I1Cfy" - "/MNNur9ffas6X334D0hYVIQTePyFk3umI+2mJQrtZZyMPIKSY/sYGQHhGGX6wGK+" - "GO/og0PQk/Vu6D+GU2XRnDV0YZg1lsAsHd21XryK6fDmNkEMwbIWrts4xc7scRrG" - "HWy+iMf6/7p/Ak/SIicM4XSwmlQ8pPxAZPr+E2LoVd9pMpWUwpW2UbtO5wsGTrY5" - "sO45tFNN/y+jtUheB1C2ijObG/tXELaiyCdM+S/waeuv0MXtI4xnn1A="; + "MIIDtTCCAp2gAwIBAgIJALW2IrlaBKUhMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV" + "BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX" + "aWRnaXRzIFB0eSBMdGQwHhcNMTYwNzA5MDQzODA5WhcNMTYwODA4MDQzODA5WjBF" + "MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50" + "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB" + "CgKCAQEAugvahBkSAUF1fC49vb1bvlPrcl80kop1iLpiuYoz4Qptwy57+EWssZBc" + "HprZ5BkWf6PeGZ7F5AX1PyJbGHZLqvMCvViP6pd4MFox/igESISEHEixoiXCzepB" + 
"rhtp5UQSjHD4D4hKtgdMgVxX+LRtwgW3mnu/vBu7rzpr/DS8io99p3lqZ1Aky+aN" + "lcMj6MYy8U+YFEevb/V0lRY9oqwmW7BHnXikm/vi6sjIS350U8zb/mRzYeIs2R65" + "LUduTL50+UMgat9ocewI2dv8aO9Dph+8NdGtg8LFYyTTHcUxJoMr1PTOgnmET19W" + "JH4PrFwk7ZE1QJQQ1L4iKmPeQistuQIDAQABo4GnMIGkMB0GA1UdDgQWBBT5m6Vv" + "zYjVYHG30iBE+j2XDhUE8jB1BgNVHSMEbjBsgBT5m6VvzYjVYHG30iBE+j2XDhUE" + "8qFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNV" + "BAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJALW2IrlaBKUhMAwGA1UdEwQF" + "MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAD7Jg68SArYWlcoHfZAB90Pmyrt5H6D8" + "LRi+W2Ri1fBNxREELnezWJ2scjl4UMcsKYp4Pi950gVN+62IgrImcCNvtb5I1Cfy" + "/MNNur9ffas6X334D0hYVIQTePyFk3umI+2mJQrtZZyMPIKSY/sYGQHhGGX6wGK+" + "GO/og0PQk/Vu6D+GU2XRnDV0YZg1lsAsHd21XryK6fDmNkEMwbIWrts4xc7scRrG" + "HWy+iMf6/7p/Ak/SIicM4XSwmlQ8pPxAZPr+E2LoVd9pMpWUwpW2UbtO5wsGTrY5" + "sO45tFNN/y+jtUheB1C2ijObG/tXELaiyCdM+S/waeuv0MXtI4xnn1A="; std::vector out(strlen(kInput)); size_t len; @@ -2357,19 +2423,19 @@ static bool SpeedSelfTest(const std::string &selected) { #if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU) static bool SpeedJitter(size_t chunk_size) { - struct rand_data *jitter_ec = jent_entropy_collector_alloc(0, JENT_FORCE_FIPS); + struct rand_data *jitter_ec = + jent_entropy_collector_alloc(0, JENT_FORCE_FIPS); std::unique_ptr input(new char[chunk_size]); TimeResults results; if (!TimeFunction(&results, [&jitter_ec, &input, chunk_size]() -> bool { - size_t bytes = - jent_read_entropy(jitter_ec, input.get(), chunk_size); + size_t bytes = jent_read_entropy(jitter_ec, input.get(), chunk_size); if (bytes != chunk_size) { return false; } return true; - })){ + })) { jent_entropy_collector_free(jitter_ec); return false; @@ -2395,7 +2461,6 @@ static bool SpeedJitter(std::string selected) { #endif static bool SpeedDHcheck(size_t prime_bit_length) { - TimeResults results; BM_NAMESPACE::UniquePtr dh_params(DH_new()); if (dh_params == nullptr) { 
@@ -2404,7 +2469,7 @@ static bool SpeedDHcheck(size_t prime_bit_length) { // DH_generate_parameters_ex grows exponentially slower as prime length grows. if (DH_generate_parameters_ex(dh_params.get(), prime_bit_length, - DH_GENERATOR_2, nullptr) != 1) { + DH_GENERATOR_2, nullptr) != 1) { return false; } @@ -2455,9 +2520,10 @@ static bool SpeedPKCS8(const std::string &selected) { ED25519_keypair(pubkey, privkey); - BM_NAMESPACE::UniquePtr key(EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, nullptr, &privkey[0], ED25519_PRIVATE_KEY_SEED_LEN)); + BM_NAMESPACE::UniquePtr key(EVP_PKEY_new_raw_private_key( + EVP_PKEY_ED25519, nullptr, &privkey[0], ED25519_PRIVATE_KEY_SEED_LEN)); - if(!key) { + if (!key) { return false; } @@ -2545,14 +2611,16 @@ static bool SpeedRefcountThreads(std::string name, size_t num_threads) { return false; } std::stringstream ss; - ss << name <<" " << iterations_per_thread << " iterations with " << num_threads << " threads"; + ss << name << " " << iterations_per_thread << " iterations with " + << num_threads << " threads"; results.Print(ss.str()); return true; } static bool SpeedRefcount(const std::string &selected) { - if (!selected.empty() && selected.find("CRYPTO_refcount_inc") == std::string::npos) { + if (!selected.empty() && + selected.find("CRYPTO_refcount_inc") == std::string::npos) { return true; } @@ -2612,12 +2680,9 @@ static const argument_t kArguments[] = { "the JSON field for bytesPerCall will be omitted.", }, #if defined(DIT_OPTION) - { - "-dit", - kBooleanArgument, - "If this flag is set, the DIT flag is set before benchmarking and" - "reset at the end." - }, + {"-dit", kBooleanArgument, + "If this flag is set, the DIT flag is set before benchmarking and" + "reset at the end."}, #endif { "", 
@@ -2629,14 +2694,14 @@ static const argument_t kArguments[] = { // parseCommaArgument clears |vector| and parses comma-separated input for the // argument |arg_name| in |args_map|. static bool parseCommaArgument(std::vector &vector, - std::map &args_map, const std::string &arg_name) { - + std::map &args_map, + const std::string &arg_name) { vector.clear(); const char *start = args_map[arg_name.c_str()].data(); const char *end = start + args_map[arg_name.c_str()].size(); - const char* current = start; + const char *current = start; while (current < end) { - const char* comma = std::find(current, end, ','); + const char *comma = std::find(current, end, ','); if (comma == current) { // Empty argument found e.g. arg1,arg2,,arg3 fprintf(stderr, "Error parsing %s argument\n", arg_name.c_str()); @@ -2653,8 +2718,7 @@ static bool parseCommaArgument(std::vector &vector, // |in_vector| as a size_t integer and adds the result to |out_vector|. Clears // |out_vector|. static bool parseStringVectorToIntegerVector( - std::vector &in_vector, std::vector &out_vector) { - + std::vector &in_vector, std::vector &out_vector) { out_vector.clear(); for (const std::string &str : in_vector) { errno = 0; @@ -2734,8 +2798,7 @@ bool Speed(const std::vector &args) { if (args_map.count("-chunks") != 0) { std::vector chunkVector; - if (!parseCommaArgument(chunkVector, - args_map, "-chunks")) { + if (!parseCommaArgument(chunkVector, args_map, "-chunks")) { return false; } if (!parseStringVectorToIntegerVector(chunkVector, g_chunk_lengths)) { @@ -2745,8 +2808,7 @@ bool Speed(const std::vector &args) { if (args_map.count("-threads") != 0) { std::vector threadVector; - if (!parseCommaArgument(threadVector, - args_map, "-threads")) { + if (!parseCommaArgument(threadVector, args_map, "-threads")) { return false; } if (!parseStringVectorToIntegerVector(threadVector, g_threads)) { 
@@ -2756,8 +2818,7 @@ bool Speed(const std::vector &args) { if (args_map.count("-primes") != 0) { std::vector primeVector; - if (!parseCommaArgument(primeVector, - args_map, "-primes")) { + if (!parseCommaArgument(primeVector, args_map, "-primes")) { return false; } if (!parseStringVectorToIntegerVector(primeVector, g_prime_bit_lengths)) { @@ -2765,11 +2826,10 @@ bool Speed(const std::vector &args) { } } #if defined(DIT_OPTION) - armv8_disable_dit(); // disable DIT capability at run-time - armv8_enable_dit(); // enable back DIT capability at run-time + armv8_disable_dit(); // disable DIT capability at run-time + armv8_enable_dit(); // enable back DIT capability at run-time uint64_t original_dit = 0; - if (g_dit) - { + if (g_dit) { original_dit = armv8_set_dit(); } #endif 
@@ -2795,119 +2855,148 @@ bool Speed(const std::vector &args) { } for (std::string selected : g_filters) { - if(!SpeedAESBlock("AES-128", 128, selected) || - !SpeedAESBlock("AES-192", 192, selected) || - !SpeedAESBlock("AES-256", 256, selected) || - !SpeedEvpCipherGeneric(EVP_aes_128_gcm(), "EVP-AES-128-GCM", kTLSADLen, selected) || - !SpeedEvpCipherGeneric(EVP_aes_192_gcm(), "EVP-AES-192-GCM", kTLSADLen, selected) || - !SpeedEvpCipherGeneric(EVP_aes_256_gcm(), "EVP-AES-256-GCM", kTLSADLen, selected) || - !SpeedEvpCipherGeneric(EVP_aes_128_ctr(), "EVP-AES-128-CTR", kTLSADLen, selected) || - !SpeedEvpCipherGeneric(EVP_aes_192_ctr(), "EVP-AES-192-CTR", kTLSADLen, selected) || - !SpeedEvpCipherGeneric(EVP_aes_256_ctr(), "EVP-AES-256-CTR", kTLSADLen, selected) || - !SpeedAES256XTS("AES-256-XTS", selected) || - // OpenSSL 3.0 doesn't allow MD4 calls + if (!SpeedAESBlock("AES-128", 128, selected) || + !SpeedAESBlock("AES-192", 192, selected) || + !SpeedAESBlock("AES-256", 256, selected) || + !SpeedEvpCipherGeneric(EVP_aes_128_gcm(), "EVP-AES-128-GCM", kTLSADLen, + selected) || + !SpeedEvpCipherGeneric(EVP_aes_192_gcm(), "EVP-AES-192-GCM", kTLSADLen, + selected) || + !SpeedEvpCipherGeneric(EVP_aes_256_gcm(), "EVP-AES-256-GCM", kTLSADLen, + selected) || + !SpeedEvpCipherGeneric(EVP_aes_128_ctr(), "EVP-AES-128-CTR", kTLSADLen, + selected) || + !SpeedEvpCipherGeneric(EVP_aes_192_ctr(), "EVP-AES-192-CTR", kTLSADLen, + selected) || + !SpeedEvpCipherGeneric(EVP_aes_256_ctr(), "EVP-AES-256-CTR", kTLSADLen, + selected) || + !SpeedAES256XTS("AES-256-XTS", selected) || + // OpenSSL 3.0 doesn't allow MD4 calls #if !defined(OPENSSL_3_0_BENCHMARK) - !SpeedHash(EVP_md4(), "MD4", selected) || + !SpeedHash(EVP_md4(), "MD4", selected) || #endif - !SpeedHash(EVP_md5(), "MD5", selected) || - !SpeedHash(EVP_sha1(), "SHA-1", selected) || - !SpeedHash(EVP_sha224(), "SHA-224", selected) || - !SpeedHash(EVP_sha256(), "SHA-256", selected) || - !SpeedHash(EVP_sha384(), "SHA-384", selected) || - 
!SpeedHash(EVP_sha512(), "SHA-512", selected) || - // OpenSSL 1.0 and BoringSSL don't support SHA3. -#if (!defined(OPENSSL_1_0_BENCHMARK) && !defined(BORINGSSL_BENCHMARK) && !defined(OPENSSL_IS_AWSLC)) || AWSLC_API_VERSION > 16 - !SpeedHash(EVP_sha3_224(), "SHA3-224", selected) || - !SpeedHash(EVP_sha3_256(), "SHA3-256", selected) || - !SpeedHash(EVP_sha3_384(), "SHA3-384", selected) || - !SpeedHash(EVP_sha3_512(), "SHA3-512", selected) || + !SpeedHash(EVP_md5(), "MD5", selected) || + !SpeedHash(EVP_sha1(), "SHA-1", selected) || + !SpeedHash(EVP_sha224(), "SHA-224", selected) || + !SpeedHash(EVP_sha256(), "SHA-256", selected) || + !SpeedHash(EVP_sha384(), "SHA-384", selected) || + !SpeedHash(EVP_sha512(), "SHA-512", selected) || + // OpenSSL 1.0 and BoringSSL don't support SHA3. +#if (!defined(OPENSSL_1_0_BENCHMARK) && !defined(BORINGSSL_BENCHMARK) && \ + !defined(OPENSSL_IS_AWSLC)) || \ + AWSLC_API_VERSION > 16 + !SpeedHash(EVP_sha3_224(), "SHA3-224", selected) || + !SpeedHash(EVP_sha3_256(), "SHA3-256", selected) || + !SpeedHash(EVP_sha3_384(), "SHA3-384", selected) || + !SpeedHash(EVP_sha3_512(), "SHA3-512", selected) || #endif - !SpeedHmac(EVP_md5(), "HMAC-MD5", selected) || - !SpeedHmac(EVP_sha1(), "HMAC-SHA1", selected) || - !SpeedHmac(EVP_sha256(), "HMAC-SHA256", selected) || - !SpeedHmac(EVP_sha384(), "HMAC-SHA384", selected) || - !SpeedHmac(EVP_sha512(), "HMAC-SHA512", selected) || - !SpeedHmacOneShot(EVP_md5(), "HMAC-MD5-OneShot", selected) || - !SpeedHmacOneShot(EVP_sha1(), "HMAC-SHA1-OneShot", selected) || - !SpeedHmacOneShot(EVP_sha256(), "HMAC-SHA256-OneShot", selected) || - !SpeedHmacOneShot(EVP_sha384(), "HMAC-SHA384-OneShot", selected) || - !SpeedHmacOneShot(EVP_sha512(), "HMAC-SHA512-OneShot", selected) || - !SpeedRandom(RAND_bytes, "RNG", selected) || - !SpeedECDH(selected) || - !SpeedECDSA(selected) || - !SpeedECKeyGen(selected) || - !SpeedECKeyGenerateKey(false, selected) || + !SpeedHmac(EVP_md5(), "HMAC-MD5", selected) || + 
!SpeedHmac(EVP_sha1(), "HMAC-SHA1", selected) || + !SpeedHmac(EVP_sha256(), "HMAC-SHA256", selected) || + !SpeedHmac(EVP_sha384(), "HMAC-SHA384", selected) || + !SpeedHmac(EVP_sha512(), "HMAC-SHA512", selected) || + !SpeedHmacOneShot(EVP_md5(), "HMAC-MD5-OneShot", selected) || + !SpeedHmacOneShot(EVP_sha1(), "HMAC-SHA1-OneShot", selected) || + !SpeedHmacOneShot(EVP_sha256(), "HMAC-SHA256-OneShot", selected) || + !SpeedHmacOneShot(EVP_sha384(), "HMAC-SHA384-OneShot", selected) || + !SpeedHmacOneShot(EVP_sha512(), "HMAC-SHA512-OneShot", selected) || + !SpeedRandom(RAND_bytes, "RNG", selected) || !SpeedECDH(selected) || + !SpeedECDSA(selected) || !SpeedECKeyGen(selected) || + !SpeedECKeyGenerateKey(false, selected) || #if !defined(OPENSSL_1_0_BENCHMARK) - // OpenSSL 1.0.2 is missing functions e.g. |EVP_PKEY_get0_EC_KEY| and - // doesn't implement X255519 either. - !SpeedEvpEcdh(selected) || - !SpeedECPOINT(selected) || - // OpenSSL 1.0 doesn't support Scrypt - !SpeedScrypt(selected) || + // OpenSSL 1.0.2 is missing functions e.g. |EVP_PKEY_get0_EC_KEY| and + // doesn't implement X255519 either. 
+ !SpeedEvpEcdh(selected) || !SpeedECPOINT(selected) || + // OpenSSL 1.0 doesn't support Scrypt + !SpeedScrypt(selected) || #endif -#if (!defined(OPENSSL_1_0_BENCHMARK) && !defined(BORINGSSL_BENCHMARK) && !defined(OPENSSL_IS_AWSLC)) || AWSLC_API_VERSION >= 24 +#if (!defined(OPENSSL_1_0_BENCHMARK) && !defined(BORINGSSL_BENCHMARK) && \ + !defined(OPENSSL_IS_AWSLC)) || \ + AWSLC_API_VERSION >= 24 // BoringSSL doesn't support ChaCha through the EVP_CIPHER API, // OpenSSL 1.0 doesn't support ChaCha at all, // AWS-LC only after API version 24 - !SpeedEvpCipherGeneric(EVP_chacha20_poly1305(), "EVP-ChaCha20-Poly1305", kTLSADLen, selected) || + !SpeedEvpCipherGeneric(EVP_chacha20_poly1305(), "EVP-ChaCha20-Poly1305", + kTLSADLen, selected) || #endif -#if (!defined(OPENSSL_1_0_BENCHMARK) && !defined(BORINGSSL_BENCHMARK) && !defined(OPENSSL_IS_AWSLC)) || AWSLC_API_VERSION >= 22 - // OpenSSL 1.0 and BoringSSL don't support DH_new_by_nid, NID_ffdhe2048, or NID_ffdhe4096 - !SpeedFFDH(selected) || +#if (!defined(OPENSSL_1_0_BENCHMARK) && !defined(BORINGSSL_BENCHMARK) && \ + !defined(OPENSSL_IS_AWSLC)) || \ + AWSLC_API_VERSION >= 22 + // OpenSSL 1.0 and BoringSSL don't support DH_new_by_nid, NID_ffdhe2048, + // or NID_ffdhe4096 + !SpeedFFDH(selected) || #endif - !SpeedRSA(selected) || - !SpeedRSAKeyGen(false, selected) || - !SpeedDHcheck(selected) + !SpeedRSA(selected) || !SpeedRSAKeyGen(false, selected) || + !SpeedDHcheck(selected) #if !defined(OPENSSL_BENCHMARK) - || + || #if AWSLC_API_VERSION > 16 - !SpeedKEM(selected) || + !SpeedKEM(selected) || #endif #if AWSLC_API_VERSION > 31 - !SpeedDigestSign(selected) || + !SpeedDigestSign(selected) || #endif - !SpeedAEADSeal(EVP_aead_aes_128_gcm(), "AEAD-AES-128-GCM", kTLSADLen, selected) || - !SpeedAEADOpen(EVP_aead_aes_128_gcm(), "AEAD-AES-128-GCM", kTLSADLen, selected) || - !SpeedAEADSeal(EVP_aead_aes_256_gcm(), "AEAD-AES-256-GCM", kTLSADLen, selected) || - !SpeedAEADOpen(EVP_aead_aes_256_gcm(), "AEAD-AES-256-GCM", kTLSADLen, 
selected) || - !SpeedAEADSeal(EVP_aead_chacha20_poly1305(), "AEAD-ChaCha20-Poly1305", kTLSADLen, selected) || - !SpeedAEADSeal(EVP_aead_des_ede3_cbc_sha1_tls(), "AEAD-DES-EDE3-CBC-SHA1",kLegacyADLen, selected) || - !SpeedAEADSeal(EVP_aead_aes_128_cbc_sha1_tls(), "AEAD-AES-128-CBC-SHA1",kLegacyADLen, selected) || - !SpeedAEADSeal(EVP_aead_aes_256_cbc_sha1_tls(), "AEAD-AES-256-CBC-SHA1",kLegacyADLen, selected) || - !SpeedAEADOpen(EVP_aead_aes_128_cbc_sha1_tls(), "AEAD-AES-128-CBC-SHA1", kLegacyADLen, selected) || - !SpeedAEADOpen(EVP_aead_aes_256_cbc_sha1_tls(), "AEAD-AES-256-CBC-SHA1", kLegacyADLen, selected) || - !SpeedAEADSeal(EVP_aead_aes_128_gcm_siv(), "AEAD-AES-128-GCM-SIV",kTLSADLen, selected) || - !SpeedAEADSeal(EVP_aead_aes_256_gcm_siv(), "AEAD-AES-256-GCM-SIV",kTLSADLen, selected) || - !SpeedAEADOpen(EVP_aead_aes_128_gcm_siv(), "AEAD-AES-128-GCM-SIV", kTLSADLen, selected) || - !SpeedAEADOpen(EVP_aead_aes_256_gcm_siv(), "AEAD-AES-256-GCM-SIV", kTLSADLen, selected) || - !SpeedAEADSeal(EVP_aead_aes_128_ccm_bluetooth(),"AEAD-AES-128-CCM-Bluetooth", kTLSADLen, selected) || - !Speed25519(selected) || - !SpeedSPAKE2(selected) || - !SpeedRSAKeyGen(true, selected) || - !SpeedHRSS(selected) || - !SpeedHash(EVP_blake2b256(), "BLAKE2b-256", selected) || - !SpeedECKeyGenerateKey(true, selected) || + !SpeedAEADSeal(EVP_aead_aes_128_gcm(), "AEAD-AES-128-GCM", kTLSADLen, + selected) || + !SpeedAEADOpen(EVP_aead_aes_128_gcm(), "AEAD-AES-128-GCM", kTLSADLen, + selected) || + !SpeedAEADSeal(EVP_aead_aes_256_gcm(), "AEAD-AES-256-GCM", kTLSADLen, + selected) || + !SpeedAEADOpen(EVP_aead_aes_256_gcm(), "AEAD-AES-256-GCM", kTLSADLen, + selected) || + !SpeedAEADSeal(EVP_aead_chacha20_poly1305(), "AEAD-ChaCha20-Poly1305", + kTLSADLen, selected) || + !SpeedAEADSeal(EVP_aead_des_ede3_cbc_sha1_tls(), + "AEAD-DES-EDE3-CBC-SHA1", kLegacyADLen, selected) || + !SpeedAEADSeal(EVP_aead_aes_128_cbc_sha1_tls(), "AEAD-AES-128-CBC-SHA1", + kLegacyADLen, selected) || + 
!SpeedAEADSeal(EVP_aead_aes_256_cbc_sha1_tls(), "AEAD-AES-256-CBC-SHA1", + kLegacyADLen, selected) || + !SpeedAEADOpen(EVP_aead_aes_128_cbc_sha1_tls(), "AEAD-AES-128-CBC-SHA1", + kLegacyADLen, selected) || + !SpeedAEADOpen(EVP_aead_aes_256_cbc_sha1_tls(), "AEAD-AES-256-CBC-SHA1", + kLegacyADLen, selected) || + !SpeedAEADSeal(EVP_aead_aes_128_gcm_siv(), "AEAD-AES-128-GCM-SIV", + kTLSADLen, selected) || + !SpeedAEADSeal(EVP_aead_aes_256_gcm_siv(), "AEAD-AES-256-GCM-SIV", + kTLSADLen, selected) || + !SpeedAEADOpen(EVP_aead_aes_128_gcm_siv(), "AEAD-AES-128-GCM-SIV", + kTLSADLen, selected) || + !SpeedAEADOpen(EVP_aead_aes_256_gcm_siv(), "AEAD-AES-256-GCM-SIV", + kTLSADLen, selected) || + !SpeedAEADSeal(EVP_aead_aes_128_ccm_bluetooth(), + "AEAD-AES-128-CCM-Bluetooth", kTLSADLen, selected) || + !Speed25519(selected) || !SpeedSPAKE2(selected) || + !SpeedRSAKeyGen(true, selected) || !SpeedHRSS(selected) || + !SpeedHash(EVP_blake2b256(), "BLAKE2b-256", selected) || + !SpeedECKeyGenerateKey(true, selected) || #if defined(OPENSSL_IS_AWSLC) - !SpeedRefcount(selected) || + !SpeedRefcount(selected) || #endif #if defined(INTERNAL_TOOL) - !SpeedRandom(CRYPTO_sysrand, "CRYPTO_sysrand", selected) || - !SpeedRandom(CRYPTO_sysrand_for_seed, "CRYPTO_sysrand_for_seed", selected) || - !SpeedHashToCurve(selected) || - !SpeedTrustToken("TrustToken-Exp1-Batch1", TRUST_TOKEN_experiment_v1(), 1, selected) || - !SpeedTrustToken("TrustToken-Exp1-Batch10", TRUST_TOKEN_experiment_v1(), 10, selected) || - !SpeedTrustToken("TrustToken-Exp2VOfPRF-Batch1", TRUST_TOKEN_experiment_v2_voprf(), 1, selected) || - !SpeedTrustToken("TrustToken-Exp2VOPRF-Batch10", TRUST_TOKEN_experiment_v2_voprf(), 10, selected) || - !SpeedTrustToken("TrustToken-Exp2PMB-Batch1", TRUST_TOKEN_experiment_v2_pmb(), 1, selected) || - !SpeedTrustToken("TrustToken-Exp2PMB-Batch10", TRUST_TOKEN_experiment_v2_pmb(), 10, selected) || + !SpeedRandom(CRYPTO_sysrand, "CRYPTO_sysrand", selected) || + !SpeedRandom(CRYPTO_sysrand_for_seed, 
"CRYPTO_sysrand_for_seed", + selected) || + !SpeedHashToCurve(selected) || + !SpeedTrustToken("TrustToken-Exp1-Batch1", TRUST_TOKEN_experiment_v1(), + 1, selected) || + !SpeedTrustToken("TrustToken-Exp1-Batch10", TRUST_TOKEN_experiment_v1(), + 10, selected) || + !SpeedTrustToken("TrustToken-Exp2VOfPRF-Batch1", + TRUST_TOKEN_experiment_v2_voprf(), 1, selected) || + !SpeedTrustToken("TrustToken-Exp2VOPRF-Batch10", + TRUST_TOKEN_experiment_v2_voprf(), 10, selected) || + !SpeedTrustToken("TrustToken-Exp2PMB-Batch1", + TRUST_TOKEN_experiment_v2_pmb(), 1, selected) || + !SpeedTrustToken("TrustToken-Exp2PMB-Batch10", + TRUST_TOKEN_experiment_v2_pmb(), 10, selected) || #endif #if AWSLC_API_VERSION > 16 - !SpeedPKCS8(selected) || + !SpeedPKCS8(selected) || #endif - !SpeedBase64(selected) || - !SpeedSipHash(selected) + !SpeedBase64(selected) || !SpeedSipHash(selected) #endif - ) { + ) { return false; } @@ -2927,9 +3016,8 @@ bool Speed(const std::vector &args) { puts("\n]"); } -#if defined(DIT_OPTION ) - if (g_dit) - { +#if defined(DIT_OPTION) + if (g_dit) { armv8_restore_dit(&original_dit); } #endif diff --git a/tool/tool.cc b/tool/tool.cc index 36e5a9a99e..4d124e3630 100644 --- a/tool/tool.cc +++ b/tool/tool.cc 
@@ -48,28 +48,28 @@ struct Tool {
 };
 
 static const Tool kTools[] = {
- { "ciphers", Ciphers },
- { "client", Client },
- { "isfips", IsFIPS },
- { "generate-ech", GenerateECH},
- { "generate-ed25519", GenerateEd25519Key },
- { "genrsa", GenerateRSAKey },
- { "md5sum", MD5Sum },
- { "pkcs12", DoPKCS12 },
- { "rand", Rand },
- { "s_client", Client },
- { "s_server", Server },
- { "server", Server },
- { "sha1sum", SHA1Sum },
- { "sha224sum", SHA224Sum },
- { "sha256sum", SHA256Sum },
- { "sha384sum", SHA384Sum },
- { "sha512sum", SHA512Sum },
- { "sha512256sum", SHA512256Sum },
- { "sign", Sign },
- { "speed", Speed },
- { "version", version },
- { "", nullptr },
+ {"ciphers", Ciphers},
+ {"client", Client},
+ {"isfips", IsFIPS},
+ {"generate-ech", GenerateECH},
+ {"generate-ed25519", GenerateEd25519Key},
+ {"genrsa", GenerateRSAKey},
+ {"md5sum", MD5Sum},
+ {"pkcs12", DoPKCS12},
+ {"rand", Rand},
+ {"s_client", Client},
+ {"s_server", Server},
+ {"server", Server},
+ {"sha1sum", SHA1Sum},
+ {"sha224sum", SHA224Sum},
+ {"sha256sum", SHA256Sum},
+ {"sha384sum", SHA384Sum},
+ {"sha512sum", SHA512Sum},
+ {"sha512256sum", SHA512256Sum},
+ {"sign", Sign},
+ {"speed", Speed},
+ {"version", version},
+ {"", nullptr},
 };
 
 static void usage(const char *name) {
@@ -99,7 +99,10 @@ int main(int argc, char **argv) {
 unsigned long build_version = OPENSSL_VERSION_NUMBER;
 unsigned long runtime_version = OpenSSL_version_num();
 if (build_version != runtime_version) {
- fprintf(stderr, "Incorrect version number detected, built with 0x%lx, loaded 0x%lx at runtime.", build_version, runtime_version);
+ fprintf(stderr,
+ "Incorrect version number detected, built with 0x%lx, loaded 0x%lx "
+ "at runtime.",
+ build_version, runtime_version);
 return 1;
 }
 #if defined(OPENSSL_WINDOWS)
diff --git a/tool/transport_common.cc b/tool/transport_common.cc
index d53e470d97..41c9622f04 100644
--- a/tool/transport_common.cc
+++ b/tool/transport_common.cc
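Review bot: The reflowed `fprintf` in main still emits no terminating newline: the literal ends in `"at runtime."`, so the stderr line stays open and whatever is printed next is glued onto it. Since clang-format is already rewriting this literal, the second fragment should become `"at runtime.\n",`. main's body continues outside the hunk.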
@@ -69,9 +69,7 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 using socket_result_t = int;
 #else
 using socket_result_t = ssize_t;
-static int closesocket(int sock) {
- return close(sock);
-}
+static int closesocket(int sock) { return close(sock); }
 #endif
 
 bool InitSocketLibrary() {
@@ -173,11 +171,11 @@ bool Connect(int *out_sock, const std::string &hostname_and_port, bool quiet) {
 goto out;
 }
 
- if(!quiet) {
+ if (!quiet) {
 switch (result->ai_family) {
 case AF_INET: {
 struct sockaddr_in *sin =
- reinterpret_cast(result->ai_addr);
+ reinterpret_cast(result->ai_addr);
 fprintf(stderr, "Connecting to %s:%d\n",
 inet_ntop(result->ai_family, &sin->sin_addr, buf, sizeof(buf)),
 ntohs(sin->sin_port));
@@ -185,10 +183,11 @@ bool Connect(int *out_sock, const std::string &hostname_and_port, bool quiet) {
 }
 case AF_INET6: {
 struct sockaddr_in6 *sin6 =
- reinterpret_cast(result->ai_addr);
- fprintf(stderr, "Connecting to [%s]:%d\n",
- inet_ntop(result->ai_family, &sin6->sin6_addr, buf, sizeof(buf)),
- ntohs(sin6->sin6_port));
+ reinterpret_cast(result->ai_addr);
+ fprintf(
+ stderr, "Connecting to [%s]:%d\n",
+ inet_ntop(result->ai_family, &sin6->sin6_addr, buf, sizeof(buf)),
+ ntohs(sin6->sin6_port));
 break;
 }
 }
@@ -448,11 +447,11 @@ class SocketWaiter {
 }
 
 private:
- bool stdin_open_ = true;
- int sock_;
+ bool stdin_open_ = true;
+ int sock_;
 };
 
-#else // OPENSSL_WINDOWs
+#else // OPENSSL_WINDOWs
 
 class ScopedWSAEVENT {
 public:
@@ -708,11 +707,11 @@ bool TransferData(SSL *ssl, int sock) {
 return false;
 }
 if (pending_write_len == 0) {
- #if !defined(OPENSSL_WINDOWS)
+#if !defined(OPENSSL_WINDOWS)
 shutdown(sock, SHUT_WR);
- #else
+#else
 shutdown(sock, SD_SEND);
- #endif
+#endif
 continue;
 }
 }
diff --git a/util/asm_dev/armv8/p256/src/beeu_scratch.c b/util/asm_dev/armv8/p256/src/beeu_scratch.c
index 125adef3df..1c08e507aa 100644
--- a/util/asm_dev/armv8/p256/src/beeu_scratch.c
+++ b/util/asm_dev/armv8/p256/src/beeu_scratch.c
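Review bot: In the SocketWaiter hunk the re-spaced `#else // OPENSSL_WINDOWs` keeps the typo in its trailing comment; since the line is being rewritten anyway it should read `#else  // OPENSSL_WINDOWS`, matching the macro spelled `OPENSSL_WINDOWS` in the TransferData hunk of this same file. A mismatched name in an `#else` comment is exactly the kind of thing that sends a reader looking for a second macro that does not exist. The SocketWaiter class body begins outside the hunk.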
@@ -22,60 +22,57 @@ uint64_t bn_add_words(uint64_t *restrict a, const uint64_t *restrict b) { uint64_t c, l, t; c = 0; -// while (n & ~3) { - t = a[0]; - t += c; - c = (t < c); - l = t + b[0]; - c += (l < t); - a[0] = l; - t = a[1]; - t += c; - c = (t < c); - l = t + b[1]; - c += (l < t); - a[1] = l; - t = a[2]; - t += c; - c = (t < c); - l = t + b[2]; - c += (l < t); - a[2] = l; - t = a[3]; - t += c; - c = (t < c); - l = t + b[3]; - c += (l < t); - a[3] = l; -// a += 4; -// } -// while (n) { - t = a[4]; - t += c; - c = (t < c); - l = t + 0; - c += (l < t); - a[4] = l; -// } + // while (n & ~3) { + t = a[0]; + t += c; + c = (t < c); + l = t + b[0]; + c += (l < t); + a[0] = l; + t = a[1]; + t += c; + c = (t < c); + l = t + b[1]; + c += (l < t); + a[1] = l; + t = a[2]; + t += c; + c = (t < c); + l = t + b[2]; + c += (l < t); + a[2] = l; + t = a[3]; + t += c; + c = (t < c); + l = t + b[3]; + c += (l < t); + a[3] = l; + // a += 4; + // } + // while (n) { + t = a[4]; + t += c; + c = (t < c); + l = t + 0; + c += (l < t); + a[4] = l; + // } return (uint64_t)c; } -void bn_shift1_words(uint64_t *restrict a) -{ - a[0] = (a[0] >> 1) | (a[1] << 63); - a[1] = (a[1] >> 1) | (a[2] << 63); - a[2] = (a[2] >> 1) | (a[3] << 63); - a[3] = (a[3] >> 1) | (a[4] << 63); - a[4] >>= 1; +void bn_shift1_words(uint64_t *restrict a) { + a[0] = (a[0] >> 1) | (a[1] << 63); + a[1] = (a[1] >> 1) | (a[2] << 63); + a[2] = (a[2] >> 1) | (a[3] << 63); + a[3] = (a[3] >> 1) | (a[4] << 63); + a[4] >>= 1; } -void bn_shift(uint64_t *restrict a, uint8_t count) -{ - if (count < 64) - { - a[0] = (a[0] >> count) | (a[1] << (64-count)); - a[1] = (a[1] >> count) | (a[2] << (64-count)); - a[2] = (a[2] >> count) | (a[3] << (64-count)); - a[3] >>= count; - } +void bn_shift(uint64_t *restrict a, uint8_t count) { + if (count < 64) { + a[0] = (a[0] >> count) | (a[1] << (64 - count)); + a[1] = (a[1] >> count) | (a[2] << (64 - count)); + a[2] = (a[2] >> count) | (a[3] << (64 - count)); + a[3] >>= count; + } } 
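Review bot: `bn_shift` still left-shifts by `64 - count` when `count == 0`, which is a shift by the full width of `uint64_t` and undefined behaviour; tighten the guard to `if (count > 0 && count < 64) {` or return early for a zero count. The function also leaves `a[4]` untouched while `bn_shift1_words` shifts all five words; if the four-word shift is intentional, a one-line comment saying so would stop the next reader from treating it as a bug. The commented-out loop scaffolding in `bn_add_words` (`// while (n & ~3) {`, `// a += 4;`, `// while (n) {`) survives the reformat; either restore the loop with an explicit word count or drop the dead comments. `bn_add_words`'s signature is above the hunk.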
diff --git a/util/asm_dev/armv8/p256/src/main.c b/util/asm_dev/armv8/p256/src/main.c index f9a1d83f2e..262ae3d1c7 100644 --- a/util/asm_dev/armv8/p256/src/main.c +++ b/util/asm_dev/armv8/p256/src/main.c @@ -14,23 +14,21 @@ #include "p256.h" #ifdef SELECT_FN -#define ENTRY_LONG_SIZE 12 //12 64-bit (long) words, 3 coordinates -#define NUM_ENTRIES 16 +#define ENTRY_LONG_SIZE 12 // 12 64-bit (long) words, 3 coordinates +#define NUM_ENTRIES 16 #define TABLE_LONG_SIZE (NUM_ENTRIES * ENTRY_LONG_SIZE) -#define ENTRY_LONG_SIZE_W7 8 // 2 coordinates -#define NUM_ENTRIES_W7 64 +#define ENTRY_LONG_SIZE_W7 8 // 2 coordinates +#define NUM_ENTRIES_W7 64 #define TABLE_LONG_SIZE_W7 (NUM_ENTRIES_W7 * ENTRY_LONG_SIZE_W7) #endif #ifdef BEEU -#define K_MAX 2000 +#define K_MAX 2000 // P-256 group order in words (little-endian) obtained from debugging // ./third_party/boringssl/crypto/crypto_test --gtest_filter=P256_X86_64Test.* -static const uint64_t order_words[4] = -{ - 0xf3b9cac2fc632551, 0xbce6faada7179e84, 0xffffffffffffffff, 0xffffffff00000000 -}; +static const uint64_t order_words[4] = {0xf3b9cac2fc632551, 0xbce6faada7179e84, + 0xffffffffffffffff, 0xffffffff00000000}; // In bytes from ec.c //{ // 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 
@@ -39,178 +37,156 @@ static const uint64_t order_words[4] = //}; // expected inverse of a = 2, obtained from debugging as above -static const uint64_t out_exp_2[4] = -{ - 0x79dce5617e3192a9, 0xde737d56d38bcf42, 0x7fffffffffffffff, 0x7fffffff80000000 -}; - -static void beeu_print(const int res, const uint64_t out_exp[4], const uint64_t out[4]) -{ - uint32_t k; - if(res == 1) - { - for (k = 0; k < 4; k++) - { - if (out_exp[k] != out[k]) - { - break; - } - printf("k:%d, out_exp: %lX, out: %lX\n", k, out_exp[k], out[k]); - } - printf("out_exp_p: %lX, out_p: %lX\n", (uintptr_t)out_exp, (uintptr_t)out); - - if (4 == k) - { - printf("beeu Test passed\n"); - } +static const uint64_t out_exp_2[4] = {0x79dce5617e3192a9, 0xde737d56d38bcf42, + 0x7fffffffffffffff, 0x7fffffff80000000}; + +static void beeu_print(const int res, const uint64_t out_exp[4], + const uint64_t out[4]) { + uint32_t k; + if (res == 1) { + for (k = 0; k < 4; k++) { + if (out_exp[k] != out[k]) { + break; + } + printf("k:%d, out_exp: %lX, out: %lX\n", k, out_exp[k], out[k]); + } + printf("out_exp_p: %lX, out_p: %lX\n", (uintptr_t)out_exp, (uintptr_t)out); + + if (4 == k) { + printf("beeu Test passed\n"); } + } } #endif -int main() -{ +int main() { #ifdef SELECT_FN - uint32_t index; - uint32_t idx_64; - uint32_t j; + uint32_t index; + uint32_t idx_64; + uint32_t j; - uint64_t table[TABLE_LONG_SIZE]; - uint64_t val[ENTRY_LONG_SIZE]; + uint64_t table[TABLE_LONG_SIZE]; + uint64_t val[ENTRY_LONG_SIZE]; - uint64_t table_w7[TABLE_LONG_SIZE_W7]; - uint64_t val_w7[ENTRY_LONG_SIZE_W7]; + uint64_t table_w7[TABLE_LONG_SIZE_W7]; + uint64_t val_w7[ENTRY_LONG_SIZE_W7]; - uint32_t passed; + uint32_t passed; #endif #ifdef BEEU - uint64_t out[4]; - uint64_t a[4]; - uint64_t out_exp[4]; - uint64_t a_out[4]; - uint64_t k; - int beeu_res; + uint64_t out[4]; + uint64_t a[4]; + uint64_t out_exp[4]; + uint64_t a_out[4]; + uint64_t k; + int beeu_res; #endif #ifdef SELECT_FN - /* - * Test select_w5 - */ - passed = 1; - for(j = 1; j 
<= TABLE_LONG_SIZE; j++) - { - table[j-1] = (uint64_t)j << 2; - } - - for(index = 1; index <= NUM_ENTRIES; index ++) - { - select_w5(val, table, index); - - // Check the correct entry was selected - for(j = 0; j < ENTRY_LONG_SIZE; j++) - { - // Calculating the index to the 64-bit part of the table entry - idx_64 = ((index-1) * ENTRY_LONG_SIZE) + (uint32_t) j; - if(val[j] != table[idx_64]) - { - printf("Error: difference at index: %d, j: %d, idx_64: %d, val[j]:%lX, table[idx_64]: %lX\n", - index, j, idx_64, val[j], table[idx_64]); - passed = 0; - } + /* + * Test select_w5 + */ + passed = 1; + for (j = 1; j <= TABLE_LONG_SIZE; j++) { + table[j - 1] = (uint64_t)j << 2; + } + + for (index = 1; index <= NUM_ENTRIES; index++) { + select_w5(val, table, index); + + // Check the correct entry was selected + for (j = 0; j < ENTRY_LONG_SIZE; j++) { + // Calculating the index to the 64-bit part of the table entry + idx_64 = ((index - 1) * ENTRY_LONG_SIZE) + (uint32_t)j; + if (val[j] != table[idx_64]) { + printf( + "Error: difference at index: %d, j: %d, idx_64: %d, val[j]:%lX, " + "table[idx_64]: %lX\n", + index, j, idx_64, val[j], table[idx_64]); + passed = 0; } } - if (1 == passed) - { - printf("select_w5 Test passed\n"); - } - - /* - * Test select_w7 - */ - passed = 1; - for(j = 1; j <= TABLE_LONG_SIZE_W7; j++) - { - table_w7[j-1] = (uint64_t)j << 2; - } - - for(index = 1; index <= NUM_ENTRIES_W7; index ++) - { - select_w7(val_w7, table_w7, index); - - // Check the correct entry was selected - for(j = 0; j < ENTRY_LONG_SIZE_W7; j++) - { - // Calculating the index to the 64-bit part of the table entry - idx_64 = ((index-1) * ENTRY_LONG_SIZE_W7) + (uint32_t) j; - if(val_w7[j] != table_w7[idx_64]) - { - printf("Error (w7): difference at index: %d, j: %d, idx_64: %d, val[j]:%lX, table[idx_64]: %lX\n", - index, j, idx_64, val_w7[j], table_w7[idx_64]); - passed = 0; - } + } + if (1 == passed) { + printf("select_w5 Test passed\n"); + } + + /* + * Test select_w7 + */ + passed = 1; 
+ for (j = 1; j <= TABLE_LONG_SIZE_W7; j++) { + table_w7[j - 1] = (uint64_t)j << 2; + } + + for (index = 1; index <= NUM_ENTRIES_W7; index++) { + select_w7(val_w7, table_w7, index); + + // Check the correct entry was selected + for (j = 0; j < ENTRY_LONG_SIZE_W7; j++) { + // Calculating the index to the 64-bit part of the table entry + idx_64 = ((index - 1) * ENTRY_LONG_SIZE_W7) + (uint32_t)j; + if (val_w7[j] != table_w7[idx_64]) { + printf( + "Error (w7): difference at index: %d, j: %d, idx_64: %d, " + "val[j]:%lX, table[idx_64]: %lX\n", + index, j, idx_64, val_w7[j], table_w7[idx_64]); + passed = 0; } } - if (1 == passed) - { - printf("select_w7 Test passed\n"); - } + } + if (1 == passed) { + printf("select_w7 Test passed\n"); + } #endif #ifdef BEEU - /* - * Test beeu - */ - - printf("a = 2\n"); - a[0] = 2; - a[1] = a[2] = a[3] = 0; - - beeu_res = beeu_mod_inverse_vartime(out, a, order_words); - beeu_print(beeu_res, out_exp_2, out); - - printf("a = 1\n"); - a[0] = 1; - out_exp[0] = 1; - out_exp[1] = out_exp[2] = out_exp[3] = 0; - - beeu_res = beeu_mod_inverse_vartime(out, a, order_words); - beeu_print(beeu_res, out_exp, out); - - for (k = 1; k < K_MAX; k++) - { - a[0] = k; - if (k >= (K_MAX >>1)) - { - a[1] = k << 8; - a[2] = k << 32; - a[3] = k << 48; - } else { - a[1] = a[2] = a[3] = 0; - } - // out = a^{-1} mod n - beeu_res = beeu_mod_inverse_vartime(out, a, order_words); - if (beeu_res == 1) - { - // a_out = out^{-1} mod n - beeu_res = beeu_mod_inverse_vartime(a_out, out, order_words); - if (beeu_res != 1 || - a_out[0] != a[0] || - a_out[1] != a[1] || - a_out[2] != a[2] || - a_out[3] != a[3] - ) - { - printf("beeu Test FAILED at k = %ld; a_out != a\n", k); - break; - } - } + /* + * Test beeu + */ + + printf("a = 2\n"); + a[0] = 2; + a[1] = a[2] = a[3] = 0; + + beeu_res = beeu_mod_inverse_vartime(out, a, order_words); + beeu_print(beeu_res, out_exp_2, out); + + printf("a = 1\n"); + a[0] = 1; + out_exp[0] = 1; + out_exp[1] = out_exp[2] = out_exp[3] = 0; + + 
beeu_res = beeu_mod_inverse_vartime(out, a, order_words); + beeu_print(beeu_res, out_exp, out); + + for (k = 1; k < K_MAX; k++) { + a[0] = k; + if (k >= (K_MAX >> 1)) { + a[1] = k << 8; + a[2] = k << 32; + a[3] = k << 48; + } else { + a[1] = a[2] = a[3] = 0; } - if (k == K_MAX) - { - printf("SUCCESS: %ld beeu tests passed\n", k); + // out = a^{-1} mod n + beeu_res = beeu_mod_inverse_vartime(out, a, order_words); + if (beeu_res == 1) { + // a_out = out^{-1} mod n + beeu_res = beeu_mod_inverse_vartime(a_out, out, order_words); + if (beeu_res != 1 || a_out[0] != a[0] || a_out[1] != a[1] || + a_out[2] != a[2] || a_out[3] != a[3]) { + printf("beeu Test FAILED at k = %ld; a_out != a\n", k); + break; + } } + } + if (k == K_MAX) { + printf("SUCCESS: %ld beeu tests passed\n", k); + } #endif - return 0; + return 0; } diff --git a/util/asm_dev/armv8/p256/src/p256.h b/util/asm_dev/armv8/p256/src/p256.h index 0259875ba0..3d395282cd 100644 --- a/util/asm_dev/armv8/p256/src/p256.h +++ b/util/asm_dev/armv8/p256/src/p256.h @@ -5,15 +5,16 @@ ------------------------------------------------------------------------------------ */ -#define SELECT_FN 1 -#define BEEU 1 +#define SELECT_FN 1 +#define BEEU 1 #ifdef SELECT_FN -void select_w5(uint64_t* restrict val, uint64_t* restrict in_t, uint32_t index); +void select_w5(uint64_t *restrict val, uint64_t *restrict in_t, uint32_t index); -void select_w7(uint64_t* restrict val, uint64_t* restrict in_t, uint32_t index); +void select_w7(uint64_t *restrict val, uint64_t *restrict in_t, uint32_t index); #endif #ifdef BEEU -int beeu_mod_inverse_vartime(uint64_t out[4], const uint64_t a[4], const uint64_t n[4]); +int beeu_mod_inverse_vartime(uint64_t out[4], const uint64_t a[4], + const uint64_t n[4]); #endif diff --git a/util/benchmark/ec/p256_awslc_ossl/src/benchmark.c b/util/benchmark/ec/p256_awslc_ossl/src/benchmark.c index 784b1a35c8..35234fadc8 100644 --- a/util/benchmark/ec/p256_awslc_ossl/src/benchmark.c 
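Review bot: The reformatted `printf` calls in `beeu_print`, the `select_w5`/`select_w7` error paths and the `k` loop still pair `uint64_t` arguments with `%lX`/`%ld` and `uint32_t` arguments with `%d`, which is undefined where `long` is 32 bits; use the `<inttypes.h>` macros, e.g. `printf("k:%" PRIu32 ", out_exp: %" PRIX64 ", out: %" PRIX64 "\n", k, out_exp[k], out[k]);`, and `%p` (or `PRIXPTR`) for the two pointer values. `beeu_print` is also silent on failure: when `res != 1`, or when the words differ at some `k < 4`, nothing says the test failed, so a run can look like a pass; an `else { printf("beeu Test FAILED\n"); }` after the `4 == k` check, and one for `res != 1`, would make the outcome explicit. `int main()` should be `int main(void)` so the definition carries a prototype.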
+++ b/util/benchmark/ec/p256_awslc_ossl/src/benchmark.c 
@@ -5,94 +5,90 @@ ------------------------------------------------------------------------------------ */ +#include #include +#include +#include #include -#include #include -#include -#include #include "benchmark.h" BIO *bio_out = NULL; BIO *bio_err = NULL; -void open_test_streams(void) -{ - bio_out = BIO_new_fp(stdout, BIO_NOCLOSE); - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); +void open_test_streams(void) { + bio_out = BIO_new_fp(stdout, BIO_NOCLOSE); + bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - assert(bio_out != NULL); - assert(bio_err != NULL); + assert(bio_out != NULL); + assert(bio_err != NULL); } -void close_test_streams(void) -{ - (void)BIO_flush(bio_out); - (void)BIO_flush(bio_err); +void close_test_streams(void) { + (void)BIO_flush(bio_out); + (void)BIO_flush(bio_err); - BIO_free_all(bio_out); - BIO_free_all(bio_err); + BIO_free_all(bio_out); + BIO_free_all(bio_err); } -uint64_t time_now(void) -{ - struct timespec ts; - uint64_t ret = 0; +uint64_t time_now(void) { + struct timespec ts; + uint64_t ret = 0; #if defined(AARCH64_COUNTER_TIMER) - int64_t virtual_timer_value; - /* In the following assembly call: - * ISB: Instruction Synchronization Barrier; i.e. ensures the previous instructions - * are done executing and changing the context, e.g. system registers, cache, ... - * before the ones following it, where the context changes would be visible. - * Read CNTVCT_EL0, the counter-timer virtual count register - * similarly to https://github.com/google/benchmark/blob/master/src/cycleclock.h - */ - asm volatile("isb; mrs %0, cntvct_el0" : "=r"(ret)); + int64_t virtual_timer_value; + /* In the following assembly call: + * ISB: Instruction Synchronization Barrier; i.e. ensures the previous + * instructions are done executing and changing the context, e.g. system + * registers, cache, ... before the ones following it, where the context + * changes would be visible. 
Read CNTVCT_EL0, the counter-timer virtual count + * register similarly to + * https://github.com/google/benchmark/blob/master/src/cycleclock.h + */ + asm volatile("isb; mrs %0, cntvct_el0" : "=r"(ret)); #else - clock_gettime(CLOCK_MONOTONIC, &ts); - ret = ts.tv_sec; - ret *= 1000000; - ret += ts.tv_nsec / 1000; + clock_gettime(CLOCK_MONOTONIC, &ts); + ret = ts.tv_sec; + ret *= 1000000; + ret += ts.tv_nsec / 1000; #endif - return ret; + return ret; } uint64_t calculate_iterations(uint64_t start, uint64_t end, - uint64_t iterations_run, uint64_t usec_desired) -{ - double usec_spent_per_iter; + uint64_t iterations_run, uint64_t usec_desired) { + double usec_spent_per_iter; #if defined(AARCH64_COUNTER_TIMER) - uint64_t timer_freq, usec_spent; + uint64_t timer_freq, usec_spent; - /* Read CNTFRQ_EL0, the counter-timer frequency register */ - asm volatile("mrs %0, cntfrq_el0" : "=r"(timer_freq)); + /* Read CNTFRQ_EL0, the counter-timer frequency register */ + asm volatile("mrs %0, cntfrq_el0" : "=r"(timer_freq)); - usec_spent = ((double)(end - start) / timer_freq) * 1000000; - usec_spent_per_iter = usec_spent / iterations_run; + usec_spent = ((double)(end - start) / timer_freq) * 1000000; + usec_spent_per_iter = usec_spent / iterations_run; #else - usec_spent_per_iter = (double)(end - start) / iterations_run; + usec_spent_per_iter = (double)(end - start) / iterations_run; #endif - uint64_t num_itr = (uint64_t)(usec_desired / usec_spent_per_iter); + uint64_t num_itr = (uint64_t)(usec_desired / usec_spent_per_iter); - return num_itr;/* (uint64_t)(usec_desired / usec_spent_per_iter);*/ + return num_itr; /* (uint64_t)(usec_desired / usec_spent_per_iter);*/ } -void report_results(uint64_t start, uint64_t end, - uint64_t iterations, const char *benchmark) -{ - int64_t usec; +void report_results(uint64_t start, uint64_t end, uint64_t iterations, + const char *benchmark) { + int64_t usec; #if defined(AARCH64_COUNTER_TIMER) - int64_t timer_freq; - /* Read CNTFRQ_EL0, the 
counter-timer frequency register */ - asm volatile("mrs %0, cntfrq_el0" : "=r"(timer_freq)); + int64_t timer_freq; + /* Read CNTFRQ_EL0, the counter-timer frequency register */ + asm volatile("mrs %0, cntfrq_el0" : "=r"(timer_freq)); - usec = ((double)(end - start) / timer_freq) * 1000000; + usec = ((double)(end - start) / timer_freq) * 1000000; #else - usec = end - start; + usec = end - start; #endif - BIO_printf(bio_out, "%s: %lu operations in %luus (%.1f ops/sec)\n", - benchmark, (unsigned long)iterations, (long unsigned)usec, ((double)iterations/usec) * 1000000); - + BIO_printf(bio_out, "%s: %lu operations in %luus (%.1f ops/sec)\n", benchmark, + (unsigned long)iterations, (long unsigned)usec, + ((double)iterations / usec) * 1000000); } diff --git a/util/benchmark/ec/p256_awslc_ossl/src/benchmark.h b/util/benchmark/ec/p256_awslc_ossl/src/benchmark.h index c006dd12ea..5d46a4b8f5 100644 --- a/util/benchmark/ec/p256_awslc_ossl/src/benchmark.h +++ b/util/benchmark/ec/p256_awslc_ossl/src/benchmark.h @@ -1,15 +1,15 @@ -#include -#include -#include #include +#include +#include +#include #if defined(__aarch64__) && defined(COUNTER_REGISTER) -#define AARCH64_COUNTER_TIMER 1 +#define AARCH64_COUNTER_TIMER 1 #endif -#define NUM_ELEM(x) (sizeof(x)/sizeof((x)[0])) -#define WARM_UP_NUM_ITER 60 -#define DEFAULT_USEC_RUN 100000 /* 100 ms */ +#define NUM_ELEM(x) (sizeof(x) / sizeof((x)[0])) +#define WARM_UP_NUM_ITER 60 +#define DEFAULT_USEC_RUN 100000 /* 100 ms */ /* ------------------------------------------------------------------------------------ 
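Review bot: In `calculate_iterations`, under `AARCH64_COUNTER_TIMER` the line `usec_spent_per_iter = usec_spent / iterations_run;` divides two `uint64_t` values, so the fractional microseconds are truncated before the result reaches the `double`; when the warm-up took fewer microseconds than iterations the quotient is 0, `usec_desired / usec_spent_per_iter` is infinity, and the conversion to `uint64_t` on the next line is undefined. Cast first, `usec_spent_per_iter = (double)usec_spent / iterations_run;`, and treat a zero or negative quotient as a measurement error before the `(uint64_t)` cast (the non-counter branch has the same zero hazard). In `time_now`, the `clock_gettime` result is unchecked, so `ts` is read uninitialized if it fails, and `int64_t virtual_timer_value;` is declared but never used. The stale `/* (uint64_t)(usec_desired / usec_spent_per_iter);*/` remnant on the `return num_itr;` line should go.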
@@ -32,13 +32,15 @@ void open_test_streams(void); void close_test_streams(void); /* - * Get the current time, or the current timer counter if available on this platform + * Get the current time, or the current timer counter if available on this + * platform */ uint64_t time_now(void); /* * Calculate the number of iterations to be run - * based on the time taken to run iterations_run and the desired number of microseconds to run + * based on the time taken to run iterations_run and the desired number of + * microseconds to run */ uint64_t calculate_iterations(uint64_t start, uint64_t end, uint64_t iterations_run, uint64_t usec_desired); @@ -46,8 +48,8 @@ uint64_t calculate_iterations(uint64_t start, uint64_t end, /* * Output the benchmark results */ -void report_results(uint64_t start, uint64_t end, - uint64_t iterations, const char *benchmark); +void report_results(uint64_t start, uint64_t end, uint64_t iterations, + const char *benchmark); /* * Benchmark ECDH P-256 */ diff --git a/util/benchmark/ec/p256_awslc_ossl/src/benchmark_ecdh.c b/util/benchmark/ec/p256_awslc_ossl/src/benchmark_ecdh.c index fe4ed6ac53..66923a6591 100644 --- a/util/benchmark/ec/p256_awslc_ossl/src/benchmark_ecdh.c +++ b/util/benchmark/ec/p256_awslc_ossl/src/benchmark_ecdh.c 
@@ -5,185 +5,177 @@ ------------------------------------------------------------------------------------ */ -#include #include +#include #ifdef AWSLC_BENCHMARK #include #endif #include "benchmark.h" -#define MAX_ECDH_SIZE 256 - -void benchmark_ecdh_p256(uint64_t msec) -{ - EVP_PKEY_CTX *kctx = NULL; - EVP_PKEY_CTX *test_ctx = NULL; - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY_CTX *pctx = NULL; - EVP_PKEY *params = NULL; - EVP_PKEY *key_A = NULL; - EVP_PKEY *key_B = NULL; - unsigned char *secret_a = NULL; - unsigned char *secret_b = NULL; - size_t outlen; - size_t test_outlen; - int ecdh_checks = 1; - uint64_t start, end, num_itr; - uint64_t usec = msec * 1000; - - /* The correctness of the key generation and ECDH key derivation - * is first tested. Benchmarking starts afterwards. - */ - if ( - /* Create the context for parameter generation */ - (NULL == (pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL))) || - /* Initialise the parameter generation */ - (1 != EVP_PKEY_paramgen_init(pctx)) || - /* We're going to use the ANSI X9.62 Prime 256v1 curve */ - (1 != EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1)) || - /* Create the parameter object params */ - (!EVP_PKEY_paramgen(pctx, ¶ms)) ) - { - ecdh_checks = 0; - BIO_printf(bio_err, "ECDH EC params init failure.\n"); - ERR_print_errors(bio_err); - +#define MAX_ECDH_SIZE 256 + +void benchmark_ecdh_p256(uint64_t msec) { + EVP_PKEY_CTX *kctx = NULL; + EVP_PKEY_CTX *test_ctx = NULL; + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *params = NULL; + EVP_PKEY *key_A = NULL; + EVP_PKEY *key_B = NULL; + unsigned char *secret_a = NULL; + unsigned char *secret_b = NULL; + size_t outlen; + size_t test_outlen; + int ecdh_checks = 1; + uint64_t start, end, num_itr; + uint64_t usec = msec * 1000; + + /* The correctness of the key generation and ECDH key derivation + * is first tested. Benchmarking starts afterwards. 
+ */ + if ( + /* Create the context for parameter generation */ + (NULL == (pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL))) || + /* Initialise the parameter generation */ + (1 != EVP_PKEY_paramgen_init(pctx)) || + /* We're going to use the ANSI X9.62 Prime 256v1 curve */ + (1 != + EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1)) || + /* Create the parameter object params */ + (!EVP_PKEY_paramgen(pctx, ¶ms))) { + ecdh_checks = 0; + BIO_printf(bio_err, "ECDH EC params init failure.\n"); + ERR_print_errors(bio_err); + } + + if (1 == ecdh_checks) { + /* Create the context for the key generation */ + kctx = EVP_PKEY_CTX_new(params, NULL); + + if (kctx == NULL || /* keygen ctx is not null */ + EVP_PKEY_keygen_init(kctx) <= 0 /* init keygen ctx */ || + EVP_PKEY_keygen(kctx, &key_B) <= 0 /* generate secret key B (peer) */) { + ecdh_checks = 0; + BIO_printf(bio_err, "ECDH keygen failure.\n"); + ERR_print_errors(bio_err); } - - if (1 == ecdh_checks) - { - /* Create the context for the key generation */ - kctx = EVP_PKEY_CTX_new(params, NULL); - - if (kctx == NULL || /* keygen ctx is not null */ - EVP_PKEY_keygen_init(kctx) <= 0 /* init keygen ctx */ || - EVP_PKEY_keygen(kctx, &key_B) <= 0 /* generate secret key B (peer) */ ) - { - ecdh_checks = 0; - BIO_printf(bio_err, "ECDH keygen failure.\n"); - ERR_print_errors(bio_err); - } + } + EVP_PKEY_free(params); + params = NULL; + EVP_PKEY_CTX_free(pctx); + pctx = NULL; + + if (1 == ecdh_checks) { + if (EVP_PKEY_keygen(kctx, &key_A) <= 0 || /* generate secret key A */ + !(ctx = + EVP_PKEY_CTX_new(key_A, NULL)) || /* derivation ctx from skeyA */ + EVP_PKEY_derive_init(ctx) <= 0 || /* init derivation ctx */ + EVP_PKEY_derive_set_peer(ctx, key_B) <= + 0 || /* set peer pubkey in ctx */ + EVP_PKEY_derive(ctx, NULL, &outlen) <= 0 || /* determine max length */ + outlen == 0 || /* ensure outlen is a valid size */ + outlen > MAX_ECDH_SIZE /* avoid buffer overflow */) { + ecdh_checks = 0; + BIO_printf(bio_err, "ECDH 
secret length output failure.\n"); + ERR_print_errors(bio_err); } - EVP_PKEY_free(params); - params = NULL; - EVP_PKEY_CTX_free(pctx); - pctx = NULL; - - if (1 == ecdh_checks) - { - - if (EVP_PKEY_keygen(kctx, &key_A) <= 0 || /* generate secret key A */ - !(ctx = EVP_PKEY_CTX_new(key_A, NULL)) || /* derivation ctx from skeyA */ - EVP_PKEY_derive_init(ctx) <= 0 || /* init derivation ctx */ - EVP_PKEY_derive_set_peer(ctx, key_B) <= 0 || /* set peer pubkey in ctx */ - EVP_PKEY_derive(ctx, NULL, &outlen) <= 0 || /* determine max length */ - outlen == 0 || /* ensure outlen is a valid size */ - outlen > MAX_ECDH_SIZE /* avoid buffer overflow */) - { - ecdh_checks = 0; - BIO_printf(bio_err, "ECDH secret length output failure.\n"); - ERR_print_errors(bio_err); - } + } + + if (1 == ecdh_checks) { + /* Allocate buffer for shared secret and test shared secret */ + if (NULL == (secret_a = OPENSSL_malloc(outlen)) || + NULL == (secret_b = OPENSSL_malloc(outlen))) { + ecdh_checks = 0; + BIO_printf(bio_err, "ECDH buffer allocation failure.\n"); + ERR_print_errors(bio_err); } - - if (1 == ecdh_checks) + } + + if (1 == ecdh_checks) { + /* Test the key derivation by computing the shared secret on B's side */ + if (!(test_ctx = EVP_PKEY_CTX_new(key_B, NULL)) || /* test ctx from skeyB */ + !EVP_PKEY_derive_init(test_ctx) || /* init derivation test_ctx */ + !EVP_PKEY_derive_set_peer(test_ctx, + key_A) || /* set peer pubkey in test_ctx */ + !EVP_PKEY_derive(test_ctx, NULL, + &test_outlen) || /* determine max length */ + !EVP_PKEY_derive(ctx, secret_a, &outlen) || /* compute a*B */ + !EVP_PKEY_derive(test_ctx, secret_b, &test_outlen) || /* compute b*A */ + test_outlen != outlen /* compare output length */ + || CRYPTO_memcmp(secret_a, secret_b, + outlen)) /* compare A's and B's shared secret bytes */ { - /* Allocate buffer for shared secret and test shared secret */ - if (NULL == (secret_a = OPENSSL_malloc(outlen)) || - NULL == (secret_b = OPENSSL_malloc(outlen))) - { - ecdh_checks = 0; - 
BIO_printf(bio_err, "ECDH buffer allocation failure.\n"); - ERR_print_errors(bio_err); - } + ecdh_checks = 0; + BIO_printf(bio_err, "ECDH shared secret test failure.\n"); + ERR_print_errors(bio_err); } + } - if (1 == ecdh_checks) - { - /* Test the key derivation by computing the shared secret on B's side */ - if (!(test_ctx = EVP_PKEY_CTX_new(key_B, NULL)) || /* test ctx from skeyB */ - !EVP_PKEY_derive_init(test_ctx) || /* init derivation test_ctx */ - !EVP_PKEY_derive_set_peer(test_ctx, key_A) || /* set peer pubkey in test_ctx */ - !EVP_PKEY_derive(test_ctx, NULL, &test_outlen) || /* determine max length */ - !EVP_PKEY_derive(ctx, secret_a, &outlen) || /* compute a*B */ - !EVP_PKEY_derive(test_ctx, secret_b, &test_outlen) || /* compute b*A */ - test_outlen != outlen /* compare output length */ || - CRYPTO_memcmp(secret_a, secret_b, outlen)) /* compare A's and B's shared secret bytes */ - { - ecdh_checks = 0; - BIO_printf(bio_err, "ECDH shared secret test failure.\n"); - ERR_print_errors(bio_err); - } - } - - if (1 == ecdh_checks) - { - /* Test the key derivation after regenerating A's key using the same context */ - if (EVP_PKEY_keygen(kctx, &key_A) <= 0 || /* generate secret key A again */ - !EVP_PKEY_derive(ctx, secret_a, &outlen) || /* compute a*B */ - !CRYPTO_memcmp(secret_a, secret_b, outlen) || /* ensure not same shared secret as before */ - !EVP_PKEY_derive(test_ctx, secret_b, &test_outlen) || /* compute b*A */ - CRYPTO_memcmp(secret_a, secret_b, outlen)) /* compare A's and B's shared secret bytes */ - { - ecdh_checks = 0; - BIO_printf(bio_err, "ECDH shared secret with new A key test failure.\n"); - ERR_print_errors(bio_err); - } - } - - /* Benchmarking key generation and key derivation together: - * - this follows the speed test of AWS-LC - * - and practically, both operations are done together for ephemeral ECDH; - * for example, in TLS handshake. 
+ if (1 == ecdh_checks) { + /* Test the key derivation after regenerating A's key using the same context */ - if (1 == ecdh_checks) + if (EVP_PKEY_keygen(kctx, &key_A) <= 0 || /* generate secret key A again */ + !EVP_PKEY_derive(ctx, secret_a, &outlen) || /* compute a*B */ + !CRYPTO_memcmp(secret_a, secret_b, + outlen) || /* ensure not same shared secret as before */ + !EVP_PKEY_derive(test_ctx, secret_b, &test_outlen) || /* compute b*A */ + CRYPTO_memcmp(secret_a, secret_b, + outlen)) /* compare A's and B's shared secret bytes */ { - /* Warm up and instrument the function to calculate how many iterations it should run for */ - start = time_now(); - /* key generation and key derivation on A's side */ - for (int i = 0; i < WARM_UP_NUM_ITER; i++) - { - EVP_PKEY_keygen(kctx, &key_A); - EVP_PKEY_derive(ctx, secret_a, &outlen); - } - end = time_now(); - num_itr = calculate_iterations(start, end, WARM_UP_NUM_ITER, usec); - - start = time_now(); - - /* Benchmark key generation and key derivation on A's side */ - for (int i = 0; i < num_itr; i++) - { - EVP_PKEY_keygen(kctx, &key_A); - EVP_PKEY_derive(ctx, secret_a, &outlen); - } - end = time_now(); - - report_results(start, end, num_itr, "ECDH P-256"); + ecdh_checks = 0; + BIO_printf(bio_err, "ECDH shared secret with new A key test failure.\n"); + ERR_print_errors(bio_err); } - - if (1 == ecdh_checks) - { - BIO_printf(bio_out, "SUCCESS: ECDH Test.\n"); + } + + /* Benchmarking key generation and key derivation together: + * - this follows the speed test of AWS-LC + * - and practically, both operations are done together for ephemeral ECDH; + * for example, in TLS handshake. 
+ */ + if (1 == ecdh_checks) { + /* Warm up and instrument the function to calculate how many iterations it + * should run for */ + start = time_now(); + /* key generation and key derivation on A's side */ + for (int i = 0; i < WARM_UP_NUM_ITER; i++) { + EVP_PKEY_keygen(kctx, &key_A); + EVP_PKEY_derive(ctx, secret_a, &outlen); } + end = time_now(); + num_itr = calculate_iterations(start, end, WARM_UP_NUM_ITER, usec); - EVP_PKEY_free(key_A); - EVP_PKEY_free(key_B); - EVP_PKEY_CTX_free(kctx); - kctx = NULL; - EVP_PKEY_CTX_free(ctx); - ctx = NULL; - EVP_PKEY_CTX_free(test_ctx); - test_ctx = NULL; + start = time_now(); - if (NULL != secret_a) - { - OPENSSL_free(secret_a); - } - - if (NULL != secret_b) - { - OPENSSL_free(secret_b); + /* Benchmark key generation and key derivation on A's side */ + for (int i = 0; i < num_itr; i++) { + EVP_PKEY_keygen(kctx, &key_A); + EVP_PKEY_derive(ctx, secret_a, &outlen); } + end = time_now(); + + report_results(start, end, num_itr, "ECDH P-256"); + } + + if (1 == ecdh_checks) { + BIO_printf(bio_out, "SUCCESS: ECDH Test.\n"); + } + + EVP_PKEY_free(key_A); + EVP_PKEY_free(key_B); + EVP_PKEY_CTX_free(kctx); + kctx = NULL; + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + EVP_PKEY_CTX_free(test_ctx); + test_ctx = NULL; + + if (NULL != secret_a) { + OPENSSL_free(secret_a); + } + + if (NULL != secret_b) { + OPENSSL_free(secret_b); + } } diff --git a/util/benchmark/ec/p256_awslc_ossl/src/benchmark_ecdsa.c b/util/benchmark/ec/p256_awslc_ossl/src/benchmark_ecdsa.c index b991e329c4..5aeaf6fde4 100644 --- a/util/benchmark/ec/p256_awslc_ossl/src/benchmark_ecdsa.c +++ b/util/benchmark/ec/p256_awslc_ossl/src/benchmark_ecdsa.c 
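Review bot: The two timing loops use `for (int i = 0; i < num_itr; i++)` with `num_itr` a `uint64_t`, so `i` is converted for the comparison and, for a large computed iteration count, overflows as a signed `int` (undefined) instead of terminating; declare the index as `uint64_t i` (the same pattern appears in the `benchmark_ecdsa_p256` hunk below). Inside those loops the results of `EVP_PKEY_keygen` and `EVP_PKEY_derive` are discarded, so a failure mid-benchmark is timed and reported as throughput; counting failures and printing them via `bio_err` would keep the reported rate honest, and the same applies to the `ECDSA_sign`/`ECDSA_verify` loops in the ECDSA benchmark. The regenerate-`key_A` check appears to rely on `EVP_PKEY_keygen(kctx, &key_A)` replacing the key inside the existing object that `ctx` and `test_ctx` already reference; if the library allocates a fresh key instead, the comparison runs against stale contexts, so a comment stating that assumption is warranted. The trailing `if (NULL != secret_a)` guards are redundant since `OPENSSL_free` accepts NULL.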
@@ -5,19 +5,19 @@ ------------------------------------------------------------------------------------ */ -#include /* for memset() */ +#include /* for memset() */ -#include #include #include +#include #ifdef AWSLC_BENCHMARK #include #endif #include "benchmark.h" -#define ECDSA_SIGNATURE_BYTE_SIZE 256 -#define DIGEST_BYTE_SIZE 20 +#define ECDSA_SIGNATURE_BYTE_SIZE 256 +#define DIGEST_BYTE_SIZE 20 /* OPENSSL_memset definition is copied from /boringssl/crypto/internal.h */ static inline void *OPENSSL_memset(void *dst, int c, size_t n) { 
@@ -28,104 +28,93 @@ static inline void *OPENSSL_memset(void *dst, int c, size_t n) { return memset(dst, c, n); } -void benchmark_ecdsa_p256(uint64_t msec) -{ - EC_KEY *key = NULL; - uint8_t signature[ECDSA_SIGNATURE_BYTE_SIZE]; - uint8_t digest[DIGEST_BYTE_SIZE]; - int ecdsa_checks = 1; - unsigned sig_len; - uint64_t start, now, end, num_itr; - uint64_t usec = msec * 1000; - - /* Instantiate a key on the ANSI X9.62 Prime 256v1 (P-256) curve */ - key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - - if (!key || - /* Generate key */ - !EC_KEY_generate_key(key) || - /* Check key size */ - ECDSA_SIGNATURE_BYTE_SIZE < ECDSA_size(key) - ) - { - ecdsa_checks = 0; - BIO_printf(bio_err, "ECDSA EC key generation failure.\n"); - ERR_print_errors(bio_err); +void benchmark_ecdsa_p256(uint64_t msec) { + EC_KEY *key = NULL; + uint8_t signature[ECDSA_SIGNATURE_BYTE_SIZE]; + uint8_t digest[DIGEST_BYTE_SIZE]; + int ecdsa_checks = 1; + unsigned sig_len; + uint64_t start, now, end, num_itr; + uint64_t usec = msec * 1000; + + /* Instantiate a key on the ANSI X9.62 Prime 256v1 (P-256) curve */ + key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + + if (!key || + /* Generate key */ + !EC_KEY_generate_key(key) || + /* Check key size */ + ECDSA_SIGNATURE_BYTE_SIZE < ECDSA_size(key)) { + ecdsa_checks = 0; + BIO_printf(bio_err, "ECDSA EC key generation failure.\n"); + ERR_print_errors(bio_err); + } + + if (1 == ecdsa_checks) { + /* Pre-fill digest buffer */ + OPENSSL_memset(digest, 42, sizeof(digest)); + + /* Test ECDSA signing and verifying*/ + if (!ECDSA_sign(0, digest, sizeof(digest), signature, &sig_len, key) || + !ECDSA_verify(0, digest, sizeof(digest), signature, sig_len, key)) { + ecdsa_checks = 0; + BIO_printf(bio_err, "ECDSA signing and verifying failure.\n"); + ERR_print_errors(bio_err); } + } - if (1 == ecdsa_checks) - { - /* Pre-fill digest buffer */ - OPENSSL_memset(digest, 42, sizeof(digest)); - - /* Test ECDSA signing and verifying*/ - if (!ECDSA_sign(0, digest, 
sizeof(digest), signature, &sig_len, key) || - !ECDSA_verify(0, digest, sizeof(digest), signature, sig_len, key) - ) - { - ecdsa_checks = 0; - BIO_printf(bio_err, "ECDSA signing and verifying failure.\n"); - ERR_print_errors(bio_err); - } + if (1 == ecdsa_checks) { + /* + * ECDSA signing + */ + + /* Warm up and instrument the function to calculate how many iterations it + * should run for */ + start = time_now(); + /* key generation and key derivation on A's side */ + for (int i = 0; i < WARM_UP_NUM_ITER; i++) { + ECDSA_sign(0, digest, sizeof(digest), signature, &sig_len, key); + } + end = time_now(); + num_itr = calculate_iterations(start, end, WARM_UP_NUM_ITER, usec); + /* Benchmark ECDSA signing */ + start = time_now(); + for (int i = 0; i < num_itr; i++) { + ECDSA_sign(0, digest, sizeof(digest), signature, &sig_len, key); } + end = time_now(); - if (1 == ecdsa_checks) - { - /* - * ECDSA signing - */ - - /* Warm up and instrument the function to calculate how many iterations it should run for */ - start = time_now(); - /* key generation and key derivation on A's side */ - for (int i = 0; i < WARM_UP_NUM_ITER; i++) - { - ECDSA_sign(0, digest, sizeof(digest), signature, &sig_len, key); - } - end = time_now(); - num_itr = calculate_iterations(start, end, WARM_UP_NUM_ITER, usec); - - /* Benchmark ECDSA signing */ - start = time_now(); - for (int i = 0; i < num_itr; i++) - { - ECDSA_sign(0, digest, sizeof(digest), signature, &sig_len, key); - } - end = time_now(); - - report_results(start, end, num_itr, "ECDSA P-256 sign"); - - /* - * ECDSA verification - */ - - /* Warm up and instrument the function to calculate how many iterations it should run for */ - start = time_now(); - /* key generation and key derivation on A's side */ - for (int i = 0; i < WARM_UP_NUM_ITER; i++) - { - ECDSA_verify(0, digest, sizeof(digest), signature, sig_len, key); - } - end = time_now(); - num_itr = calculate_iterations(start, end, WARM_UP_NUM_ITER, usec); - - /* Benchmark ECDSA 
verification */ - start = time_now(); - for (int i = 0; i < num_itr; i++) - { - ECDSA_verify(0, digest, sizeof(digest), signature, sig_len, key); - } - - end = time_now(); - - report_results(start, end, num_itr, "ECDSA P-256 verify"); + report_results(start, end, num_itr, "ECDSA P-256 sign"); + + /* + * ECDSA verification + */ + + /* Warm up and instrument the function to calculate how many iterations it + * should run for */ + start = time_now(); + /* key generation and key derivation on A's side */ + for (int i = 0; i < WARM_UP_NUM_ITER; i++) { + ECDSA_verify(0, digest, sizeof(digest), signature, sig_len, key); } + end = time_now(); + num_itr = calculate_iterations(start, end, WARM_UP_NUM_ITER, usec); - if (1 == ecdsa_checks) - { - BIO_printf(bio_out, "SUCCESS: ECDSA Test.\n"); + /* Benchmark ECDSA verification */ + start = time_now(); + for (int i = 0; i < num_itr; i++) { + ECDSA_verify(0, digest, sizeof(digest), signature, sig_len, key); } - EC_KEY_free(key); + end = time_now(); + + report_results(start, end, num_itr, "ECDSA P-256 verify"); + } + + if (1 == ecdsa_checks) { + BIO_printf(bio_out, "SUCCESS: ECDSA Test.\n"); + } + + EC_KEY_free(key); } diff --git a/util/benchmark/ec/p256_awslc_ossl/src/main.c b/util/benchmark/ec/p256_awslc_ossl/src/main.c index 9044fa4141..31a840cc3b 100644 --- a/util/benchmark/ec/p256_awslc_ossl/src/main.c +++ b/util/benchmark/ec/p256_awslc_ossl/src/main.c @@ -5,14 +5,14 @@ ------------------------------------------------------------------------------------ */ -#include #include +#include #include #include "benchmark.h" /* Default number of milliseconds if not provided to the algorithm */ -#define DEFAULT_NUM_MSEC 500 /* 1/2 second */ -#define MAX_NUM_MSEC 60000 /* 60 sec */ +#define DEFAULT_NUM_MSEC 500 /* 1/2 second */ +#define MAX_NUM_MSEC 60000 /* 60 sec */ typedef void (*bench_fn_t)(uint64_t); 
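Review bot: The warm-up comments in `benchmark_ecdsa_p256` still read `/* key generation and key derivation on A's side */` above both the `ECDSA_sign` and the `ECDSA_verify` loop, copied from the ECDH benchmark and wrong for this file; change them to `/* ECDSA signing warm-up */` and `/* ECDSA verification warm-up */`. The declaration `uint64_t start, now, end, num_itr;` introduces `now`, which is never read anywhere in the function and should be dropped. The `ECDSA_sign` correctness check stores `sig_len` once and reuses it for all verify iterations, which is fine, but a comment noting that the benchmark verifies the single signature produced by the last sign call would clarify what is being measured.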
@@ -21,104 +21,98 @@ bench_fn_t bench_fns[] = { benchmark_ecdsa_p256, }; -#define NUM_BENCH NUM_ELEM(bench_fns) - -const char *bench_choices[NUM_BENCH] = { - "ecdhp256", - "ecdsap256" -}; - -int main(int argc, char *argv[]) -{ - int bench_doit[NUM_BENCH] = {0}; - int i; - int valid_choice = 0; - int choice_made = 0; - uint64_t msec; - - int option; - opterr = 0; - - /* Open output messages streams */ - open_test_streams(); - - /* Set the default number of milliseconds to run the benchmark */ - msec = DEFAULT_NUM_MSEC; - - /* Parse the arguments, if any */ - if (1 != argc) - { - while ((option = getopt(argc, argv, "t:m:")) != -1) - { - //BIO_printf(bio_out,"option: %s %s", option, optarg); - switch (option) - { - case 't': - valid_choice = 0; - /* Check that the benchmark choice is valid */ - for (i = 0; i < NUM_BENCH; i++) { - if (0 == strcmp(optarg, bench_choices[i])) { - /* Mark the benchmark for running */ - bench_doit[i] = 1; - valid_choice = 1; - choice_made = 1; - } - } - /* If the choice is not valid, print the valid choices and exit with an error */ - if (!valid_choice) - { - BIO_printf(bio_err, "\nERROR: Invalid benchmark choice: %s\n" - "Please choose from:\n", optarg); - for (i = 0; i < NUM_BENCH; i++) { - BIO_printf(bio_err, " %s", bench_choices[i]); - } - BIO_printf(bio_err, "\n"); - - return 1; - } - break; - case 'm': - /* Get the number of milliseconds */ - msec = (uint64_t)atoi(optarg); - if ((msec > MAX_NUM_MSEC) || (msec < 1)) - { - BIO_printf(bio_err, "\nERROR: Invalid number of milliseconds\n" - "Please enter a number between 1 and %d:\n", MAX_NUM_MSEC); - return 1; - } - break; - case '?': - BIO_printf(bio_err, "\nERROR: Unknown arguments\n" - "Permissible arguments are:\n" - " ec_benchmark_ [-t ] [-m ]\n"); - return 1; - - default: - return 1; +#define NUM_BENCH NUM_ELEM(bench_fns) + +const char *bench_choices[NUM_BENCH] = {"ecdhp256", "ecdsap256"}; + +int main(int argc, char *argv[]) { + int bench_doit[NUM_BENCH] = {0}; + int i; + int 
valid_choice = 0; + int choice_made = 0; + uint64_t msec; + + int option; + opterr = 0; + + /* Open output messages streams */ + open_test_streams(); + + /* Set the default number of milliseconds to run the benchmark */ + msec = DEFAULT_NUM_MSEC; + + /* Parse the arguments, if any */ + if (1 != argc) { + while ((option = getopt(argc, argv, "t:m:")) != -1) { + // BIO_printf(bio_out,"option: %s %s", option, optarg); + switch (option) { + case 't': + valid_choice = 0; + /* Check that the benchmark choice is valid */ + for (i = 0; i < NUM_BENCH; i++) { + if (0 == strcmp(optarg, bench_choices[i])) { + /* Mark the benchmark for running */ + bench_doit[i] = 1; + valid_choice = 1; + choice_made = 1; + } + } + /* If the choice is not valid, print the valid choices and exit with + * an error */ + if (!valid_choice) { + BIO_printf(bio_err, + "\nERROR: Invalid benchmark choice: %s\n" + "Please choose from:\n", + optarg); + for (i = 0; i < NUM_BENCH; i++) { + BIO_printf(bio_err, " %s", bench_choices[i]); } - } + BIO_printf(bio_err, "\n"); + + return 1; + } + break; + case 'm': + /* Get the number of milliseconds */ + msec = (uint64_t)atoi(optarg); + if ((msec > MAX_NUM_MSEC) || (msec < 1)) { + BIO_printf(bio_err, + "\nERROR: Invalid number of milliseconds\n" + "Please enter a number between 1 and %d:\n", + MAX_NUM_MSEC); + return 1; + } + break; + case '?': + BIO_printf(bio_err, + "\nERROR: Unknown arguments\n" + "Permissible arguments are:\n" + " ec_benchmark_ [-t ] [-m " + "]\n"); + return 1; + + default: + return 1; + } } + } - /* If there are no arguments, mark all benchmarks for running */ - if (1 != choice_made) - { - for (i = 0; i < NUM_BENCH; i++) - { - bench_doit[i] = 1; - } + /* If there are no arguments, mark all benchmarks for running */ + if (1 != choice_made) { + for (i = 0; i < NUM_BENCH; i++) { + bench_doit[i] = 1; } + } - /* Run the benchmarks marked for running */ - for (i = 0; i < NUM_BENCH; i++) - { - if (bench_doit[i]) - { - bench_fns[i](msec); - } + /* Run 
the benchmarks marked for running */ + for (i = 0; i < NUM_BENCH; i++) { + if (bench_doit[i]) { + bench_fns[i](msec); } + } - // Close output messages streams - close_test_streams(); + // Close output messages streams + close_test_streams(); - return 0; + return 0; } diff --git a/util/fipstools/acvp/modulewrapper/modulewrapper.cc b/util/fipstools/acvp/modulewrapper/modulewrapper.cc index beb2b2f1cf..2e9bb37833 100644 --- a/util/fipstools/acvp/modulewrapper/modulewrapper.cc +++ b/util/fipstools/acvp/modulewrapper/modulewrapper.cc @@ -14,10 +14,10 @@ #include #include +#include #include #include #include -#include #include @@ -53,12 +53,12 @@ #include #include +#include "../../../../crypto/fipsmodule/curve25519/internal.h" #include "../../../../crypto/fipsmodule/ec/internal.h" #include "../../../../crypto/fipsmodule/hmac/internal.h" -#include "../../../../crypto/fipsmodule/rand/internal.h" -#include "../../../../crypto/fipsmodule/curve25519/internal.h" #include "../../../../crypto/fipsmodule/ml_dsa/ml_dsa.h" #include "../../../../crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.h" +#include "../../../../crypto/fipsmodule/rand/internal.h" #include "modulewrapper.h" @@ -3172,15 +3172,13 @@ static bool ML_DSA_KEYGEN(const Span args[], ReplyCallback write_reply) { const Span seed = args[0]; - //init params of the correct size based on provided nid + // init params of the correct size based on provided nid ml_dsa_params params; if (nid == NID_MLDSA44) { ml_dsa_44_params_init(¶ms); - } - else if (nid == NID_MLDSA65) { + } else if (nid == NID_MLDSA65) { ml_dsa_65_params_init(¶ms); - } - else if (nid == NID_MLDSA87) { + } else if (nid == NID_MLDSA87) { ml_dsa_87_params_init(¶ms); } 
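Review bot: The `-m` branch still converts `optarg` with `atoi`, which cannot report errors, silently accepts trailing junk such as `500ms`, and has undefined behaviour on values outside `int`; the range check that follows only catches what survives that conversion. Parsing with `strtoul` makes every rejection explicit: `errno = 0; char *end; unsigned long v = strtoul(optarg, &end, 10);` then `if (end == optarg || *end != '\0' || errno == ERANGE) { BIO_printf(bio_err, "\nERROR: Invalid number of milliseconds\n"); return 1; }` before `msec = v;` feeds the existing bounds check (this needs `<errno.h>`, which the hunk does not show). `main` is contained entirely within this hunk.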
@@ -3190,27 +3188,29 @@ static bool ML_DSA_KEYGEN(const Span args[], // generate the keys if (nid == NID_MLDSA44) { - if (!ml_dsa_44_keypair_internal(public_key.data(), private_key.data(), seed.data())) { + if (!ml_dsa_44_keypair_internal(public_key.data(), private_key.data(), + seed.data())) { return false; } - } - else if (nid == NID_MLDSA65) { - if (!ml_dsa_65_keypair_internal(public_key.data(), private_key.data(), seed.data())) { + } else if (nid == NID_MLDSA65) { + if (!ml_dsa_65_keypair_internal(public_key.data(), private_key.data(), + seed.data())) { return false; } - } - else if (nid == NID_MLDSA87) { - if (!ml_dsa_87_keypair_internal(public_key.data(), private_key.data(), seed.data())) { + } else if (nid == NID_MLDSA87) { + if (!ml_dsa_87_keypair_internal(public_key.data(), private_key.data(), + seed.data())) { return false; } } - return write_reply({Span(public_key.data(), public_key.size()), - Span(private_key.data(), private_key.size())}); + return write_reply( + {Span(public_key.data(), public_key.size()), + Span(private_key.data(), private_key.size())}); } template static bool ML_DSA_SIGGEN(const Span args[], - ReplyCallback write_reply) { + ReplyCallback write_reply) { const Span sk = args[0]; const Span msg = args[1]; const Span mu = args[2]; @@ -3220,11 +3220,9 @@ static bool ML_DSA_SIGGEN(const Span args[], ml_dsa_params params; if (nid == NID_MLDSA44) { ml_dsa_44_params_init(¶ms); - } - else if (nid == NID_MLDSA65) { + } else if (nid == NID_MLDSA65) { ml_dsa_65_params_init(¶ms); - } - else if (nid == NID_MLDSA87) { + } else if (nid == NID_MLDSA87) { ml_dsa_87_params_init(¶ms); } 
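Review bot: The `nid` chain in the key-generation block ends without a final `else`, so for any other `nid` the function reaches `write_reply` with `public_key` and `private_key` never written. This looks unreachable because `nid` appears to be a template parameter instantiated only for the three ML-DSA parameter sets, but a closing `} else { return false; }` (or a `static_assert` on `nid`) would make that invariant explicit and keep uninitialised buffers out of the reply if a variant is ever added. The same shape recurs in the params-init and signing chains at @@ -3220, @@ -3235 and @@ -3255. ML_DSA_KEYGEN's signature and the `public_key`/`private_key` declarations are outside this hunk.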
@@ -3235,19 +3233,20 @@ static bool ML_DSA_SIGGEN(const Span args[], if (extmu.data()[0] == 0) { if (nid == NID_MLDSA44) { if (!ml_dsa_44_sign_internal(sk.data(), signature.data(), &signature_len, - msg.data(), msg.size(), nullptr, 0, rnd.data())) { + msg.data(), msg.size(), nullptr, 0, + rnd.data())) { return false; } - } - else if (nid == NID_MLDSA65) { + } else if (nid == NID_MLDSA65) { if (!ml_dsa_65_sign_internal(sk.data(), signature.data(), &signature_len, - msg.data(), msg.size(), nullptr, 0, rnd.data())) { + msg.data(), msg.size(), nullptr, 0, + rnd.data())) { return false; } - } - else if (nid == NID_MLDSA87) { + } else if (nid == NID_MLDSA87) { if (!ml_dsa_87_sign_internal(sk.data(), signature.data(), &signature_len, - msg.data(), msg.size(), nullptr, 0, rnd.data())) { + msg.data(), msg.size(), nullptr, 0, + rnd.data())) { return false; } } 
@@ -3255,20 +3254,21 @@ static bool ML_DSA_SIGGEN(const Span args[], // generate the signatures digest sign mode (externalmu) else { if (nid == NID_MLDSA44) { - if (!ml_dsa_extmu_44_sign_internal(sk.data(), signature.data(), &signature_len, - mu.data(), mu.size(), nullptr, 0, rnd.data())) { + if (!ml_dsa_extmu_44_sign_internal(sk.data(), signature.data(), + &signature_len, mu.data(), mu.size(), + nullptr, 0, rnd.data())) { return false; } - } - else if (nid == NID_MLDSA65) { - if (!ml_dsa_extmu_65_sign_internal(sk.data(), signature.data(), &signature_len, - mu.data(), mu.size(), nullptr, 0, rnd.data())) { + } else if (nid == NID_MLDSA65) { + if (!ml_dsa_extmu_65_sign_internal(sk.data(), signature.data(), + &signature_len, mu.data(), mu.size(), + nullptr, 0, rnd.data())) { return false; } - } - else if (nid == NID_MLDSA87) { - if (!ml_dsa_extmu_87_sign_internal(sk.data(), signature.data(), &signature_len, - mu.data(), mu.size(), nullptr, 0, rnd.data())) { + } else if (nid == NID_MLDSA87) { + if (!ml_dsa_extmu_87_sign_internal(sk.data(), signature.data(), + &signature_len, mu.data(), mu.size(), + nullptr, 0, rnd.data())) { return false; } } @@ -3278,7 +3278,8 @@ static bool ML_DSA_SIGGEN(const Span args[], } template -static bool ML_DSA_SIGVER(const Span args[], ReplyCallback write_reply) { +static bool ML_DSA_SIGVER(const Span args[], + ReplyCallback write_reply) { const Span sig = args[0]; const Span pk = args[1]; const Span msg = args[2]; 
@@ -3290,43 +3291,39 @@ static bool ML_DSA_SIGVER(const Span args[], ReplyCallback write_ // verify the signatures raw sign mode if (extmu.data()[0] == 0) { if (nid == NID_MLDSA44) { - if (ml_dsa_44_verify_internal(pk.data(), sig.data(), sig.size(), msg.data(), - msg.size(), nullptr, 0)) { + if (ml_dsa_44_verify_internal(pk.data(), sig.data(), sig.size(), + msg.data(), msg.size(), nullptr, 0)) { reply[0] = 1; } - } - else if (nid == NID_MLDSA65) { - if (ml_dsa_65_verify_internal(pk.data(), sig.data(), sig.size(), msg.data(), - msg.size(), nullptr, 0)) { + } else if (nid == NID_MLDSA65) { + if (ml_dsa_65_verify_internal(pk.data(), sig.data(), sig.size(), + msg.data(), msg.size(), nullptr, 0)) { reply[0] = 1; } - } - else if (nid == NID_MLDSA87) { - if (ml_dsa_87_verify_internal(pk.data(), sig.data(), sig.size(), msg.data(), - msg.size(), nullptr, 0)) { + } else if (nid == NID_MLDSA87) { + if (ml_dsa_87_verify_internal(pk.data(), sig.data(), sig.size(), + msg.data(), msg.size(), nullptr, 0)) { reply[0] = 1; } } } // verify the signatures digest sign mode (externalmu) - else{ + else { if (nid == NID_MLDSA44) { - if (ml_dsa_extmu_44_verify_internal(pk.data(), sig.data(), sig.size(), mu.data(), - mu.size(), nullptr, 0)) { + if (ml_dsa_extmu_44_verify_internal(pk.data(), sig.data(), sig.size(), + mu.data(), mu.size(), nullptr, 0)) { reply[0] = 1; } - } - else if (nid == NID_MLDSA65) { - if (ml_dsa_extmu_65_verify_internal(pk.data(), sig.data(), sig.size(), mu.data(), - mu.size(), nullptr, 0)) { + } else if (nid == NID_MLDSA65) { + if (ml_dsa_extmu_65_verify_internal(pk.data(), sig.data(), sig.size(), + mu.data(), mu.size(), nullptr, 0)) { reply[0] = 1; } - } - else if (nid == NID_MLDSA87) { - if (ml_dsa_extmu_87_verify_internal(pk.data(), sig.data(), sig.size(), mu.data(), - mu.size(), nullptr, 0)) { + } else if (nid == NID_MLDSA87) { + if (ml_dsa_extmu_87_verify_internal(pk.data(), sig.data(), sig.size(), + mu.data(), mu.size(), nullptr, 0)) { reply[0] = 1; - } + } } } 
 return write_reply({Span(reply)});
diff --git a/util/fipstools/acvp/modulewrapper/modulewrapper.h b/util/fipstools/acvp/modulewrapper/modulewrapper.h
index 4b23c972f1..a406d6d33a 100644
--- a/util/fipstools/acvp/modulewrapper/modulewrapper.h
+++ b/util/fipstools/acvp/modulewrapper/modulewrapper.h
@@ -40,15 +40,17 @@ class RequestBuffer {
 static std::unique_ptr New();
 };
-// ParseArgsFromStream returns a span of arguments, the first of which is the name
-// of the requested function, from |stream|. The return values point into |buffer|
-// and so must not be used after |buffer| has been freed or reused for a
-// subsequent call. It returns an empty span on error, because std::optional
+// ParseArgsFromStream returns a span of arguments, the first of which is the
+// name of the requested function, from |stream|. The return values point into
+// |buffer| and so must not be used after |buffer| has been freed or reused for
+// a subsequent call. It returns an empty span on error, because std::optional
 // is still too new.
-Span> ParseArgsFromStream(std::istream *stream, RequestBuffer *buffer);
+Span> ParseArgsFromStream(std::istream *stream,
+ RequestBuffer *buffer);
 // WriteReplyToStream writes a reply to the given stream.
-bool WriteReplyToStream(std::ostream *stream, const std::vector> &spans);
+bool WriteReplyToStream(std::ostream *stream,
+ const std::vector> &spans);
 // ReplyCallback is the type of a callback that writes a reply to an ACVP
 // request.
diff --git a/util/fipstools/inject_hash/macho_parser/common.h b/util/fipstools/inject_hash/macho_parser/common.h
index d1d81fbaaa..20ced9b10f 100644
--- a/util/fipstools/inject_hash/macho_parser/common.h
+++ b/util/fipstools/inject_hash/macho_parser/common.h
@@ -8,10 +8,11 @@
 #include
 #include
-#define LOG_ERROR(...) do { \
+#define LOG_ERROR(...) \
+ do { \
 fprintf(stderr, "File: %s, Line: %d, ", __FILE__, __LINE__); \
- fprintf(stderr, __VA_ARGS__); \
- fprintf(stderr, "\n"); \
-} while(0)
+ fprintf(stderr, __VA_ARGS__); \
+ fprintf(stderr, "\n"); \
+ } while (0)
 #endif
diff --git a/util/fipstools/inject_hash/macho_parser/macho_parser.c b/util/fipstools/inject_hash/macho_parser/macho_parser.c
index b24c343403..944487ac7e 100644
--- a/util/fipstools/inject_hash/macho_parser/macho_parser.c
+++ b/util/fipstools/inject_hash/macho_parser/macho_parser.c
@@ -11,209 +11,229 @@ #define SYMTABLE_INDEX 2 #define STRTABLE_INDEX 3 -// Documentation for the Mach-O structs can be found in macho-o/loader.h and mach-o/nlist.h +// Documentation for the Mach-O structs can be found in macho-o/loader.h and +// mach-o/nlist.h int read_macho_file(const char *filename, machofile *macho) { - FILE *file = NULL; - struct load_command *load_commands = NULL; - uint32_t bytes_read; - int ret = 0; - - file = fopen(filename, "rb"); - if (file == NULL) { - LOG_ERROR("Error opening file %s", filename); - goto end; - } - - bytes_read = fread(&macho->macho_header, 1, sizeof(struct mach_header_64), file); - if (bytes_read != sizeof(struct mach_header_64)) { - LOG_ERROR("Error reading macho_header from file %s", filename); - goto end; - } - if (macho->macho_header.magic != MH_MAGIC_64) { - LOG_ERROR("File is not a 64-bit Mach-O file"); - goto end; - } - - load_commands = malloc(macho->macho_header.sizeofcmds); - if (load_commands == NULL) { - LOG_ERROR("Error allocating memory for load_commands"); - goto end; - } - bytes_read = fread(load_commands, 1, macho->macho_header.sizeofcmds, file); - if (bytes_read != macho->macho_header.sizeofcmds) { - LOG_ERROR("Error reading load commands from file %s", filename); - goto end; - } - - // We're only looking for __text, __const in the __TEXT segment, and the string & symbol tables - macho->num_sections = 4; - macho->sections = malloc(macho->num_sections * sizeof(section_info)); - if (macho->sections == NULL) { - LOG_ERROR("Error allocating memory for macho sections"); - } - - int text_found = 0; - int const_found = 0; - int symtab_found = 0; - - // mach-o/loader.h explains that cmdsize (and by extension sizeofcmds) must be a multiple of 8 on 64-bit systems. struct load_command will always be 8 bytes. 
- for (size_t i = 0; i < macho->macho_header.sizeofcmds / sizeof(struct load_command); i += load_commands[i].cmdsize / sizeof(struct load_command)) { - if (load_commands[i].cmd == LC_SEGMENT_64) { - struct segment_command_64 *segment = (struct segment_command_64 *)&load_commands[i]; - if (strcmp(segment->segname, "__TEXT") == 0) { - struct section_64 *sections = (struct section_64 *)&segment[1]; - for (size_t j = 0; j < segment->nsects; j++) { - if (strcmp(sections[j].sectname, "__text") == 0) { - if (text_found == 1) { - LOG_ERROR("Duplicate __text section found"); - goto end; - } - macho->sections[TEXT_INDEX].offset = sections[j].offset; - macho->sections[TEXT_INDEX].size = sections[j].size; - strcpy(macho->sections[TEXT_INDEX].name, sections[j].sectname); - text_found = 1; - } else if (strcmp(sections[j].sectname, "__const") == 0) { - if (const_found == 1) { - LOG_ERROR("Duplicate __const section found"); - goto end; - } - macho->sections[CONST_INDEX].offset = sections[j].offset; - macho->sections[CONST_INDEX].size = sections[j].size; - strcpy(macho->sections[CONST_INDEX].name, sections[j].sectname); - const_found = 1; - } - } + FILE *file = NULL; + struct load_command *load_commands = NULL; + uint32_t bytes_read; + int ret = 0; + + file = fopen(filename, "rb"); + if (file == NULL) { + LOG_ERROR("Error opening file %s", filename); + goto end; + } + + bytes_read = + fread(&macho->macho_header, 1, sizeof(struct mach_header_64), file); + if (bytes_read != sizeof(struct mach_header_64)) { + LOG_ERROR("Error reading macho_header from file %s", filename); + goto end; + } + if (macho->macho_header.magic != MH_MAGIC_64) { + LOG_ERROR("File is not a 64-bit Mach-O file"); + goto end; + } + + load_commands = malloc(macho->macho_header.sizeofcmds); + if (load_commands == NULL) { + LOG_ERROR("Error allocating memory for load_commands"); + goto end; + } + bytes_read = fread(load_commands, 1, macho->macho_header.sizeofcmds, file); + if (bytes_read != 
macho->macho_header.sizeofcmds) { + LOG_ERROR("Error reading load commands from file %s", filename); + goto end; + } + + // We're only looking for __text, __const in the __TEXT segment, and the + // string & symbol tables + macho->num_sections = 4; + macho->sections = malloc(macho->num_sections * sizeof(section_info)); + if (macho->sections == NULL) { + LOG_ERROR("Error allocating memory for macho sections"); + } + + int text_found = 0; + int const_found = 0; + int symtab_found = 0; + + // mach-o/loader.h explains that cmdsize (and by extension sizeofcmds) must be + // a multiple of 8 on 64-bit systems. struct load_command will always be 8 + // bytes. + for (size_t i = 0; + i < macho->macho_header.sizeofcmds / sizeof(struct load_command); + i += load_commands[i].cmdsize / sizeof(struct load_command)) { + if (load_commands[i].cmd == LC_SEGMENT_64) { + struct segment_command_64 *segment = + (struct segment_command_64 *)&load_commands[i]; + if (strcmp(segment->segname, "__TEXT") == 0) { + struct section_64 *sections = (struct section_64 *)&segment[1]; + for (size_t j = 0; j < segment->nsects; j++) { + if (strcmp(sections[j].sectname, "__text") == 0) { + if (text_found == 1) { + LOG_ERROR("Duplicate __text section found"); + goto end; } - } else if (load_commands[i].cmd == LC_SYMTAB) { - if (symtab_found == 1) { - LOG_ERROR("Duplicate symbol and string tables found"); - goto end; + macho->sections[TEXT_INDEX].offset = sections[j].offset; + macho->sections[TEXT_INDEX].size = sections[j].size; + strcpy(macho->sections[TEXT_INDEX].name, sections[j].sectname); + text_found = 1; + } else if (strcmp(sections[j].sectname, "__const") == 0) { + if (const_found == 1) { + LOG_ERROR("Duplicate __const section found"); + goto end; } - struct symtab_command *symtab = (struct symtab_command *)&load_commands[i]; - macho->sections[SYMTABLE_INDEX].offset = symtab->symoff; - macho->sections[SYMTABLE_INDEX].size = symtab->nsyms * sizeof(struct nlist_64); - 
strcpy(macho->sections[SYMTABLE_INDEX].name, "__symbol_table"); - macho->sections[STRTABLE_INDEX].offset = symtab->stroff; - macho->sections[STRTABLE_INDEX].size = symtab->strsize; - strcpy(macho->sections[STRTABLE_INDEX].name, "__string_table"); - symtab_found = 1; + macho->sections[CONST_INDEX].offset = sections[j].offset; + macho->sections[CONST_INDEX].size = sections[j].size; + strcpy(macho->sections[CONST_INDEX].name, sections[j].sectname); + const_found = 1; + } } - } - - ret = 1; + } + } else if (load_commands[i].cmd == LC_SYMTAB) { + if (symtab_found == 1) { + LOG_ERROR("Duplicate symbol and string tables found"); + goto end; + } + struct symtab_command *symtab = + (struct symtab_command *)&load_commands[i]; + macho->sections[SYMTABLE_INDEX].offset = symtab->symoff; + macho->sections[SYMTABLE_INDEX].size = + symtab->nsyms * sizeof(struct nlist_64); + strcpy(macho->sections[SYMTABLE_INDEX].name, "__symbol_table"); + macho->sections[STRTABLE_INDEX].offset = symtab->stroff; + macho->sections[STRTABLE_INDEX].size = symtab->strsize; + strcpy(macho->sections[STRTABLE_INDEX].name, "__string_table"); + symtab_found = 1; + } + } + + ret = 1; end: - free(load_commands); - if (file != NULL) { - fclose(file); - } - return ret; + free(load_commands); + if (file != NULL) { + fclose(file); + } + return ret; } void free_macho_file(machofile *macho) { - free(macho->sections); - free(macho); - macho = NULL; + free(macho->sections); + free(macho); + macho = NULL; } -uint8_t* get_macho_section_data(const char *filename, machofile *macho, const char *section_name, size_t *size, uint32_t *offset) { - FILE *file = NULL; - uint8_t *ret = NULL; - uint32_t bytes_read; - - file = fopen(filename, "rb"); - if (file == NULL) { - LOG_ERROR("Error opening file %s", filename); - goto end; - } - - int section_index; - if (strcmp(section_name, "__text") == 0) { - section_index = TEXT_INDEX; - } else if (strcmp(section_name, "__const") == 0) { - section_index = CONST_INDEX; - } else if 
(strcmp(section_name, "__symbol_table") == 0) { - section_index = SYMTABLE_INDEX; - } else if (strcmp(section_name, "__string_table") == 0) { - section_index = STRTABLE_INDEX; - } else { - LOG_ERROR("Getting invalid macho section data %s", section_name); - goto end; - } - - uint8_t *section_data = malloc(macho->sections[section_index].size); - if (section_data == NULL) { - LOG_ERROR("Error allocating memory for section data"); - goto end; - } - - if (fseek(file, macho->sections[section_index].offset, SEEK_SET) != 0) { - free(section_data); - LOG_ERROR("Failed to seek in file %s", filename); - goto end; - } - bytes_read = fread(section_data, 1, macho->sections[section_index].size, file); - if (bytes_read != macho->sections[section_index].size) { - free(section_data); - LOG_ERROR("Error reading section data from file %s", filename); - goto end; - } - - if (size != NULL) { - *size = macho->sections[section_index].size; - } - if (offset != NULL) { - *offset = macho->sections[section_index].offset; - } - - ret = section_data; +uint8_t *get_macho_section_data(const char *filename, machofile *macho, + const char *section_name, size_t *size, + uint32_t *offset) { + FILE *file = NULL; + uint8_t *ret = NULL; + uint32_t bytes_read; + + file = fopen(filename, "rb"); + if (file == NULL) { + LOG_ERROR("Error opening file %s", filename); + goto end; + } + + int section_index; + if (strcmp(section_name, "__text") == 0) { + section_index = TEXT_INDEX; + } else if (strcmp(section_name, "__const") == 0) { + section_index = CONST_INDEX; + } else if (strcmp(section_name, "__symbol_table") == 0) { + section_index = SYMTABLE_INDEX; + } else if (strcmp(section_name, "__string_table") == 0) { + section_index = STRTABLE_INDEX; + } else { + LOG_ERROR("Getting invalid macho section data %s", section_name); + goto end; + } + + uint8_t *section_data = malloc(macho->sections[section_index].size); + if (section_data == NULL) { + LOG_ERROR("Error allocating memory for section data"); + goto end; + 
} + + if (fseek(file, macho->sections[section_index].offset, SEEK_SET) != 0) { + free(section_data); + LOG_ERROR("Failed to seek in file %s", filename); + goto end; + } + bytes_read = + fread(section_data, 1, macho->sections[section_index].size, file); + if (bytes_read != macho->sections[section_index].size) { + free(section_data); + LOG_ERROR("Error reading section data from file %s", filename); + goto end; + } + + if (size != NULL) { + *size = macho->sections[section_index].size; + } + if (offset != NULL) { + *offset = macho->sections[section_index].offset; + } + + ret = section_data; end: - if (file != NULL) { - fclose(file); - } - return ret; + if (file != NULL) { + fclose(file); + } + return ret; } -uint32_t find_macho_symbol_index(uint8_t *symbol_table_data, size_t symbol_table_size, uint8_t *string_table_data, size_t string_table_size, const char *symbol_name, uint32_t *base) { - char* string_table = NULL; - uint32_t ret = 0; - - if (symbol_table_data == NULL || string_table_data == NULL) { - LOG_ERROR("Symbol and string table pointers cannot be null to find the symbol index"); - goto end; - } - - string_table = malloc(string_table_size); - if (string_table == NULL) { - LOG_ERROR("Error allocating memory for string table"); - goto end; - } - memcpy(string_table, string_table_data, string_table_size); - - int found = 0; - size_t index = 0; - for (size_t i = 0; i < symbol_table_size / sizeof(struct nlist_64); i++) { - struct nlist_64 *symbol = (struct nlist_64 *)(symbol_table_data + i * sizeof(struct nlist_64)); - if (strcmp(symbol_name, &string_table[symbol->n_un.n_strx]) == 0) { - if (found == 0) { - index = symbol->n_value; - found = 1; - } else { - LOG_ERROR("Duplicate symbol %s found", symbol_name); - goto end; - } - } - } - if (found == 0) { - LOG_ERROR("Requested symbol %s not found", symbol_name); +uint32_t find_macho_symbol_index(uint8_t *symbol_table_data, + size_t symbol_table_size, + uint8_t *string_table_data, + size_t string_table_size, + const 
char *symbol_name, uint32_t *base) { + char *string_table = NULL; + uint32_t ret = 0; + + if (symbol_table_data == NULL || string_table_data == NULL) { + LOG_ERROR( + "Symbol and string table pointers cannot be null to find the symbol " + "index"); + goto end; + } + + string_table = malloc(string_table_size); + if (string_table == NULL) { + LOG_ERROR("Error allocating memory for string table"); + goto end; + } + memcpy(string_table, string_table_data, string_table_size); + + int found = 0; + size_t index = 0; + for (size_t i = 0; i < symbol_table_size / sizeof(struct nlist_64); i++) { + struct nlist_64 *symbol = + (struct nlist_64 *)(symbol_table_data + i * sizeof(struct nlist_64)); + if (strcmp(symbol_name, &string_table[symbol->n_un.n_strx]) == 0) { + if (found == 0) { + index = symbol->n_value; + found = 1; + } else { + LOG_ERROR("Duplicate symbol %s found", symbol_name); goto end; - } - if (base != NULL) { - index = index - *base; - } - ret = index; + } + } + } + if (found == 0) { + LOG_ERROR("Requested symbol %s not found", symbol_name); + goto end; + } + if (base != NULL) { + index = index - *base; + } + ret = index; end: - free(string_table); - return ret; + free(string_table); + return ret; } diff --git a/util/fipstools/inject_hash/macho_parser/macho_parser.h b/util/fipstools/inject_hash/macho_parser/macho_parser.h index a11463fc87..84ba7f920a 100644 --- a/util/fipstools/inject_hash/macho_parser/macho_parser.h +++ b/util/fipstools/inject_hash/macho_parser/macho_parser.h 
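Review bot: In read_macho_file the NULL check after `macho->sections = malloc(...)` logs the failure but does not leave the function, so a failed allocation continues into the load-command loop and writes through a NULL `sections` pointer; the branch should read `LOG_ERROR("Error allocating memory for macho sections"); goto end;` so `ret` stays 0. The load-command walk also trusts the file's own size fields: a `cmdsize` of 0 makes the `for` step zero and the loop never terminates, neither `cmdsize` nor `segment->nsects` is checked against the bytes remaining in `load_commands`, and the `strcpy` from the 16-byte `sectname` into the 16-byte `name` overruns when a section name fills all 16 bytes without a NUL, where a bounded copy with an explicit terminator is needed. In find_macho_symbol_index, `symbol->n_un.n_strx` indexes `string_table` without being compared against `string_table_size`, and the copied table is not guaranteed to end in a NUL before `strcmp` reads it. `macho = NULL;` in free_macho_file assigns only the local parameter and can be dropped. inject_hash appears to run only on the project's own freshly built module, so the practical exposure is a crash or misread on a malformed input rather than anything remote, but a parser of a self-describing binary format should carry these checks.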
@@ -4,42 +4,48 @@
 #ifndef MACHO_PARSER_H
 #define MACHO_PARSER_H
 #ifdef __cplusplus
-extern "C"
-{
+extern "C" {
 #endif
 #include
 #include
 typedef struct {
- char name[16];
- size_t size;
- uint32_t offset;
+ char name[16];
+ size_t size;
+ uint32_t offset;
 } section_info;
 typedef struct {
- struct mach_header_64 macho_header;
- section_info *sections;
- uint32_t num_sections;
+ struct mach_header_64 macho_header;
+ section_info *sections;
+ uint32_t num_sections;
 } machofile;
-// read_macho_file reads a Mach-O file [in] and populates a machofile struct [out] with its contents.
-// It returns 0 on failure, 1 on success.
+// read_macho_file reads a Mach-O file [in] and populates a machofile struct
+// [out] with its contents. It returns 0 on failure, 1 on success.
 int read_macho_file(const char *filename, machofile *macho);
 // free_macho_file frees the memory allocated to a machofile struct [in]
 void free_macho_file(machofile *macho);
-// get_macho_section_data retrieves data from a specific section [in] the provided Mach-O file [in].
-// In addition to returning a pointer to the retrieved data, or NULL if it doesn't find said section,
-// it also populates the size [out] & offset [out] pointers provided they are not NULL.
-uint8_t* get_macho_section_data(const char* filename, machofile *macho, const char *section_name, size_t *size, uint32_t *offset);
-
-// find_macho_symbol_index finds the index of a symbol [in] in the Mach-O file's [in] symbol table.
-// It returns the index on success, and 0 on failure.
-uint32_t find_macho_symbol_index(uint8_t *symbol_table_data, size_t symbol_table_size, uint8_t *string_table_data, size_t string_table_size, const char *symbol_name, uint32_t *base);
+// get_macho_section_data retrieves data from a specific section [in] the
+// provided Mach-O file [in]. In addition to returning a pointer to the
+// retrieved data, or NULL if it doesn't find said section, it also populates
+// the size [out] & offset [out] pointers provided they are not NULL.
+uint8_t *get_macho_section_data(const char *filename, machofile *macho,
+ const char *section_name, size_t *size,
+ uint32_t *offset);
+
+// find_macho_symbol_index finds the index of a symbol [in] in the Mach-O file's
+// [in] symbol table. It returns the index on success, and 0 on failure.
+uint32_t find_macho_symbol_index(uint8_t *symbol_table_data,
+ size_t symbol_table_size,
+ uint8_t *string_table_data,
+ size_t string_table_size,
+ const char *symbol_name, uint32_t *base);
 #ifdef __cplusplus
-} // extern "C"
+} // extern "C"
 #endif
 #endif
diff --git a/util/fipstools/inject_hash/macho_parser/tests/macho_tests.cc b/util/fipstools/inject_hash/macho_parser/tests/macho_tests.cc
index 38c921ba12..284d05dc18 100644
--- a/util/fipstools/inject_hash/macho_parser/tests/macho_tests.cc
+++ b/util/fipstools/inject_hash/macho_parser/tests/macho_tests.cc
@@ -18,49 +18,62 @@ constexpr int MachoTestFixture::text_data[TEXT_DATA_SIZE]; constexpr char MachoTestFixture::const_data[CONST_DATA_SIZE]; TEST_F(MachoTestFixture, TestReadMachoFile) { - machofile test_macho_file; - if (!read_macho_file(TEST_FILE, &test_macho_file)) { - LOG_ERROR("Failed to read macho_file"); - } - - EXPECT_TRUE(memcmp(&test_macho_file.macho_header, &expected_macho->macho_header, sizeof(struct mach_header_64)) == 0); - EXPECT_EQ(test_macho_file.num_sections, expected_macho->num_sections); - EXPECT_TRUE(memcmp(test_macho_file.sections, expected_macho->sections, test_macho_file.num_sections * sizeof(section_info)) == 0); + machofile test_macho_file; + if (!read_macho_file(TEST_FILE, &test_macho_file)) { + LOG_ERROR("Failed to read macho_file"); + } + + EXPECT_TRUE(memcmp(&test_macho_file.macho_header, + &expected_macho->macho_header, + sizeof(struct mach_header_64)) == 0); + EXPECT_EQ(test_macho_file.num_sections, expected_macho->num_sections); + EXPECT_TRUE(memcmp(test_macho_file.sections, expected_macho->sections, + test_macho_file.num_sections * sizeof(section_info)) == 0); } TEST_F(MachoTestFixture, TestGetMachoSectionData) { - std::unique_ptr text_section(nullptr); - std::unique_ptr const_section(nullptr); - std::unique_ptr symbol_table(nullptr); - std::unique_ptr string_table(nullptr); - - size_t text_section_size; - size_t const_section_size; - size_t symbol_table_size; - size_t string_table_size; - - text_section.reset(get_macho_section_data(TEST_FILE, expected_macho, "__text", &text_section_size, NULL)); - const_section.reset(get_macho_section_data(TEST_FILE, expected_macho, "__const", &const_section_size, NULL)); - symbol_table.reset(get_macho_section_data(TEST_FILE, expected_macho, "__symbol_table", &symbol_table_size, NULL)); - string_table.reset(get_macho_section_data(TEST_FILE, expected_macho, "__string_table", &string_table_size, NULL)); - - ASSERT_TRUE(memcmp(text_section.get(), text_data, text_section_size) == 0); - 
ASSERT_TRUE(memcmp(const_section.get(), const_data, const_section_size) == 0); - ASSERT_TRUE(memcmp(symbol_table.get(), expected_symtab, symbol_table_size) == 0); - ASSERT_TRUE(memcmp(string_table.get(), expected_strtab, string_table_size) == 0); + std::unique_ptr text_section(nullptr); + std::unique_ptr const_section(nullptr); + std::unique_ptr symbol_table(nullptr); + std::unique_ptr string_table(nullptr); + + size_t text_section_size; + size_t const_section_size; + size_t symbol_table_size; + size_t string_table_size; + + text_section.reset(get_macho_section_data(TEST_FILE, expected_macho, "__text", + &text_section_size, NULL)); + const_section.reset(get_macho_section_data( + TEST_FILE, expected_macho, "__const", &const_section_size, NULL)); + symbol_table.reset(get_macho_section_data( + TEST_FILE, expected_macho, "__symbol_table", &symbol_table_size, NULL)); + string_table.reset(get_macho_section_data( + TEST_FILE, expected_macho, "__string_table", &string_table_size, NULL)); + + ASSERT_TRUE(memcmp(text_section.get(), text_data, text_section_size) == 0); + ASSERT_TRUE(memcmp(const_section.get(), const_data, const_section_size) == 0); + ASSERT_TRUE(memcmp(symbol_table.get(), expected_symtab, symbol_table_size) == + 0); + ASSERT_TRUE(memcmp(string_table.get(), expected_strtab, string_table_size) == + 0); } TEST_F(MachoTestFixture, TestFindMachoSymbolIndex) { - std::unique_ptr symbol_table(nullptr); - std::unique_ptr string_table(nullptr); + std::unique_ptr symbol_table(nullptr); + std::unique_ptr string_table(nullptr); - size_t symbol_table_size; - size_t string_table_size; + size_t symbol_table_size; + size_t string_table_size; - symbol_table.reset(get_macho_section_data(TEST_FILE, expected_macho, "__symbol_table", &symbol_table_size, NULL)); - string_table.reset(get_macho_section_data(TEST_FILE, expected_macho, "__string_table", &string_table_size, NULL)); + symbol_table.reset(get_macho_section_data( + TEST_FILE, expected_macho, "__symbol_table", 
&symbol_table_size, NULL)); + string_table.reset(get_macho_section_data( + TEST_FILE, expected_macho, "__string_table", &string_table_size, NULL)); - uint32_t symbol1_index = find_macho_symbol_index(symbol_table.get(), symbol_table_size, string_table.get(), string_table_size, "symbol1", NULL); + uint32_t symbol1_index = find_macho_symbol_index( + symbol_table.get(), symbol_table_size, string_table.get(), + string_table_size, "symbol1", NULL); - ASSERT_EQ(symbol1_index, expected_symbol1_ind); + ASSERT_EQ(symbol1_index, expected_symbol1_ind); } diff --git a/util/fipstools/inject_hash/macho_parser/tests/macho_tests.h b/util/fipstools/inject_hash/macho_parser/tests/macho_tests.h index 33783f60a5..367ffeee22 100644 --- a/util/fipstools/inject_hash/macho_parser/tests/macho_tests.h +++ b/util/fipstools/inject_hash/macho_parser/tests/macho_tests.h 
@@ -12,267 +12,278 @@ #define NUM_SYMS 2 class MachoTestFixture : public ::testing::Test { -protected: - static machofile *expected_macho; - static struct nlist_64 *expected_symtab; - static constexpr char expected_strtab[] = "__text\0__const\0symbol1\0symbol2\0"; - static constexpr int text_data[] = { 0xC3 }; - static constexpr char const_data[] = "hi"; - static uint32_t expected_symbol1_ind; - static uint32_t expected_symbol2_ind; - - static uint32_t FindSymbolIndex(const char *strtab, const char *symbol_name) { - const char *symbol = strtab; - uint32_t index = 0; - - while (*symbol != '\0') { - if (strcmp(symbol, symbol_name) == 0) { - return index; - } - - index += strlen(symbol) + 1; - symbol += strlen(symbol) + 1; - } - - return UINT32_MAX; + protected: + static machofile *expected_macho; + static struct nlist_64 *expected_symtab; + static constexpr char expected_strtab[] = + "__text\0__const\0symbol1\0symbol2\0"; + static constexpr int text_data[] = {0xC3}; + static constexpr char const_data[] = "hi"; + static uint32_t expected_symbol1_ind; + static uint32_t expected_symbol2_ind; + + static uint32_t FindSymbolIndex(const char *strtab, const char *symbol_name) { + const char *symbol = strtab; + uint32_t index = 0; + + while (*symbol != '\0') { + if (strcmp(symbol, symbol_name) == 0) { + return index; + } + + index += strlen(symbol) + 1; + symbol += strlen(symbol) + 1; } - static void SetUpTestSuite() { - bool fail = true; - section_info *expected_text_section = NULL; - section_info *expected_const_section = NULL; - section_info *expected_symbol_table = NULL; - section_info *expected_string_table = NULL; - section_info *expected_sections = NULL; - - struct nlist_64 symbol1; - struct nlist_64 symbol2; - - static FILE *file = fopen(TEST_FILE, "wb"); - if (file == NULL) { - LOG_ERROR("Error with fopen() on %s file", TEST_FILE); - } - - uint32_t header_sizeofcmds = sizeof(struct segment_command_64) + 2 * sizeof(struct section_64) + sizeof(struct symtab_command); - 
uint32_t header_ncmds = 2; - struct mach_header_64 test_header = { - .magic = MH_MAGIC_64, - .ncmds = header_ncmds, - .sizeofcmds = header_sizeofcmds, - }; - - uint32_t text_segment_cmdsize = sizeof(struct segment_command_64) + 2 * sizeof(struct section_64); - uint32_t text_segment_nsects = 2; - struct segment_command_64 test_text_segment = { - .cmd = LC_SEGMENT_64, - .cmdsize = text_segment_cmdsize, - .segname = "__TEXT", - .nsects = text_segment_nsects, - }; - - uint32_t text_section_offset = sizeof(struct mach_header_64) + sizeof(struct segment_command_64) + 2 * sizeof(struct section_64) + sizeof(struct symtab_command); - uint64_t text_section_size = TEXT_DATA_SIZE; // {0xC3} - struct section_64 test_text_section = { - .sectname = "__text", - .size = text_section_size, - .offset = text_section_offset, - }; - - uint32_t const_section_offset = text_section_offset + text_section_size; - uint64_t const_section_size = CONST_DATA_SIZE; // "hi" - struct section_64 test_const_section = { - .sectname = "__const", - .size = const_section_size, - .offset = const_section_offset, - }; - - uint32_t symtab_command_symoff = const_section_offset + const_section_size; - uint32_t symtab_command_stroff = symtab_command_symoff + NUM_SYMS * sizeof(struct nlist_64); - uint32_t symtab_command_strsize = 32; - struct symtab_command test_symtab_command = { - .cmd = LC_SYMTAB, - .cmdsize = sizeof(struct symtab_command), - .symoff = symtab_command_symoff, - .nsyms = NUM_SYMS, - .stroff = symtab_command_stroff, - .strsize = symtab_command_strsize, - }; - - if (fwrite(&test_header, sizeof(struct mach_header_64), 1, file) != 1) { - LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); - goto end; - } - if (fwrite(&test_text_segment, sizeof(struct segment_command_64), 1, file) != 1) { - LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); - goto end; - } - if (fwrite(&test_text_section, sizeof(struct section_64), 1, file) != 1) { - LOG_ERROR("Error occurred while writing 
to file %s", TEST_FILE); - goto end; - } - if (fwrite(&test_const_section, sizeof(struct section_64), 1, file) != 1) { - LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); - goto end; - } - if (fwrite(&test_symtab_command, sizeof(struct symtab_command), 1, file) != 1) { - LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); - goto end; - } - - if (fseek(file, test_text_section.offset, SEEK_SET) != 0) { - LOG_ERROR("Failed to seek in file %s", TEST_FILE); - goto end; - } - if (fwrite(text_data, sizeof(text_data), 1, file) != 1) { - LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); - goto end; - } - - if (fseek(file, test_const_section.offset, SEEK_SET) != 0) { - LOG_ERROR("Failed to seek in file %s", TEST_FILE); - goto end; - } - if (fwrite(const_data, sizeof(const_data), 1, file) != 1) { - LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); - goto end; - } - - expected_symbol1_ind = FindSymbolIndex(expected_strtab, "symbol1"); - if (expected_symbol1_ind == UINT32_MAX) { - LOG_ERROR("symbol1 not found in expected string table"); - goto end; - } - symbol1 = { - .n_un = {.n_strx = expected_symbol1_ind}, - .n_type = 0, - .n_sect = 1, - .n_desc = 0, - .n_value = expected_symbol1_ind, - }; - - expected_symbol2_ind = FindSymbolIndex(expected_strtab, "symbol2"); - if (expected_symbol2_ind == UINT32_MAX) { - LOG_ERROR("symbol2 not found in expected string table"); - goto end; - } - symbol2 = { - .n_un = {.n_strx = expected_symbol2_ind}, - .n_type = 0, - .n_sect = 2, - .n_desc = 0, - .n_value = expected_symbol2_ind, - }; - - if (fseek(file, symtab_command_symoff, SEEK_SET) != 0) { - LOG_ERROR("Failed to seek in file %s", TEST_FILE); - goto end; - } - if (fwrite(&symbol1, sizeof(struct nlist_64), 1, file) != 1) { - LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); - goto end; - } - if (fwrite(&symbol2, sizeof(struct nlist_64), 1, file) != 1) { - LOG_ERROR("Error occurred while writing to file %s", 
TEST_FILE); - goto end; - } - - if (fseek(file, symtab_command_stroff, SEEK_SET) != 0) { - LOG_ERROR("Failed to seek in file %s", TEST_FILE); - goto end; - } - if (fwrite(expected_strtab, symtab_command_strsize, 1, file) != 1) { - LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); - goto end; - } - - if (fclose(file) != 0) { - LOG_ERROR("Error closing file\n"); - goto end; - } - - // We use calloc for the below four calls to ensure that the untouched parts are zeroized, - // as we will later memcmp the data to what we've read from the file. - expected_text_section = (section_info*) calloc(1, sizeof(section_info)); - if (expected_text_section == NULL) { - LOG_ERROR(" Error allocating memory for expected text section"); - goto end; - } - strcpy(expected_text_section->name, "__text"); - expected_text_section->size = text_section_size; - expected_text_section->offset = text_section_offset; - - expected_const_section = (section_info*) calloc(1, sizeof(section_info)); - if (expected_const_section == NULL) { - LOG_ERROR(" Error allocating memory for expected const section"); - goto end; - } - strcpy(expected_const_section->name, "__const"); - expected_const_section->size = const_section_size; - expected_const_section->offset = const_section_offset; - - expected_symbol_table = (section_info*) calloc(1, sizeof(section_info)); - if (expected_symbol_table == NULL) { - LOG_ERROR(" Error allocating memory for expected symbol table"); - goto end; - } - strcpy(expected_symbol_table->name, "__symbol_table"); - expected_symbol_table->size = NUM_SYMS * sizeof(struct nlist_64); - expected_symbol_table->offset = symtab_command_symoff; - - expected_string_table = (section_info*) calloc(1, sizeof(section_info)); - if (expected_string_table == NULL) { - LOG_ERROR(" Error allocating memory for expected string table"); - goto end; - } - strcpy(expected_string_table->name, "__string_table"); - expected_string_table->size = symtab_command_strsize; - 
expected_string_table->offset = symtab_command_stroff; - - expected_sections = (section_info*) malloc(sizeof(section_info) * 4); - if (expected_sections == NULL) { - LOG_ERROR("Error allocating memory for expected sections"); - goto end; - } - memcpy(&expected_sections[0], expected_text_section, sizeof(section_info)); - memcpy(&expected_sections[1], expected_const_section, sizeof(section_info)); - memcpy(&expected_sections[2], expected_symbol_table, sizeof(section_info)); - memcpy(&expected_sections[3], expected_string_table, sizeof(section_info)); - - expected_macho = (machofile*) malloc(sizeof(machofile)); - if (expected_macho == NULL) { - LOG_ERROR("Error allocating memory for expected macho file struct"); - goto end; - } - expected_macho->macho_header = test_header; - expected_macho->num_sections = 4; - expected_macho->sections = expected_sections; - - expected_symtab = (struct nlist_64*) malloc(NUM_SYMS * sizeof(struct nlist_64)); - if (expected_symtab == NULL) { - LOG_ERROR("Error allocating memory for expected symbol table struct"); - goto end; - } - expected_symtab[0] = symbol1; - expected_symtab[1] = symbol2; - - fail = false; -end: - if (fail) { - free(expected_sections); - free(expected_macho); - free(expected_symtab); - } - free(expected_text_section); - free(expected_const_section); - free(expected_symbol_table); - free(expected_string_table); + return UINT32_MAX; + } + + static void SetUpTestSuite() { + bool fail = true; + section_info *expected_text_section = NULL; + section_info *expected_const_section = NULL; + section_info *expected_symbol_table = NULL; + section_info *expected_string_table = NULL; + section_info *expected_sections = NULL; + + struct nlist_64 symbol1; + struct nlist_64 symbol2; + + static FILE *file = fopen(TEST_FILE, "wb"); + if (file == NULL) { + LOG_ERROR("Error with fopen() on %s file", TEST_FILE); + } + + uint32_t header_sizeofcmds = sizeof(struct segment_command_64) + + 2 * sizeof(struct section_64) + + sizeof(struct 
symtab_command); + uint32_t header_ncmds = 2; + struct mach_header_64 test_header = { + .magic = MH_MAGIC_64, + .ncmds = header_ncmds, + .sizeofcmds = header_sizeofcmds, + }; + + uint32_t text_segment_cmdsize = + sizeof(struct segment_command_64) + 2 * sizeof(struct section_64); + uint32_t text_segment_nsects = 2; + struct segment_command_64 test_text_segment = { + .cmd = LC_SEGMENT_64, + .cmdsize = text_segment_cmdsize, + .segname = "__TEXT", + .nsects = text_segment_nsects, + }; + + uint32_t text_section_offset = + sizeof(struct mach_header_64) + sizeof(struct segment_command_64) + + 2 * sizeof(struct section_64) + sizeof(struct symtab_command); + uint64_t text_section_size = TEXT_DATA_SIZE; // {0xC3} + struct section_64 test_text_section = { + .sectname = "__text", + .size = text_section_size, + .offset = text_section_offset, + }; + + uint32_t const_section_offset = text_section_offset + text_section_size; + uint64_t const_section_size = CONST_DATA_SIZE; // "hi" + struct section_64 test_const_section = { + .sectname = "__const", + .size = const_section_size, + .offset = const_section_offset, + }; + + uint32_t symtab_command_symoff = const_section_offset + const_section_size; + uint32_t symtab_command_stroff = + symtab_command_symoff + NUM_SYMS * sizeof(struct nlist_64); + uint32_t symtab_command_strsize = 32; + struct symtab_command test_symtab_command = { + .cmd = LC_SYMTAB, + .cmdsize = sizeof(struct symtab_command), + .symoff = symtab_command_symoff, + .nsyms = NUM_SYMS, + .stroff = symtab_command_stroff, + .strsize = symtab_command_strsize, + }; + + if (fwrite(&test_header, sizeof(struct mach_header_64), 1, file) != 1) { + LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); + goto end; + } + if (fwrite(&test_text_segment, sizeof(struct segment_command_64), 1, + file) != 1) { + LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); + goto end; + } + if (fwrite(&test_text_section, sizeof(struct section_64), 1, file) != 1) { + 
LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); + goto end; + } + if (fwrite(&test_const_section, sizeof(struct section_64), 1, file) != 1) { + LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); + goto end; + } + if (fwrite(&test_symtab_command, sizeof(struct symtab_command), 1, file) != + 1) { + LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); + goto end; + } + + if (fseek(file, test_text_section.offset, SEEK_SET) != 0) { + LOG_ERROR("Failed to seek in file %s", TEST_FILE); + goto end; + } + if (fwrite(text_data, sizeof(text_data), 1, file) != 1) { + LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); + goto end; + } + + if (fseek(file, test_const_section.offset, SEEK_SET) != 0) { + LOG_ERROR("Failed to seek in file %s", TEST_FILE); + goto end; + } + if (fwrite(const_data, sizeof(const_data), 1, file) != 1) { + LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); + goto end; + } + + expected_symbol1_ind = FindSymbolIndex(expected_strtab, "symbol1"); + if (expected_symbol1_ind == UINT32_MAX) { + LOG_ERROR("symbol1 not found in expected string table"); + goto end; + } + symbol1 = { + .n_un = {.n_strx = expected_symbol1_ind}, + .n_type = 0, + .n_sect = 1, + .n_desc = 0, + .n_value = expected_symbol1_ind, + }; + + expected_symbol2_ind = FindSymbolIndex(expected_strtab, "symbol2"); + if (expected_symbol2_ind == UINT32_MAX) { + LOG_ERROR("symbol2 not found in expected string table"); + goto end; + } + symbol2 = { + .n_un = {.n_strx = expected_symbol2_ind}, + .n_type = 0, + .n_sect = 2, + .n_desc = 0, + .n_value = expected_symbol2_ind, + }; + + if (fseek(file, symtab_command_symoff, SEEK_SET) != 0) { + LOG_ERROR("Failed to seek in file %s", TEST_FILE); + goto end; + } + if (fwrite(&symbol1, sizeof(struct nlist_64), 1, file) != 1) { + LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); + goto end; + } + if (fwrite(&symbol2, sizeof(struct nlist_64), 1, file) != 1) { + LOG_ERROR("Error 
occurred while writing to file %s", TEST_FILE); + goto end; + } + + if (fseek(file, symtab_command_stroff, SEEK_SET) != 0) { + LOG_ERROR("Failed to seek in file %s", TEST_FILE); + goto end; + } + if (fwrite(expected_strtab, symtab_command_strsize, 1, file) != 1) { + LOG_ERROR("Error occurred while writing to file %s", TEST_FILE); + goto end; + } + + if (fclose(file) != 0) { + LOG_ERROR("Error closing file\n"); + goto end; } - static void TearDownTestSuite() { - free_macho_file(expected_macho); - free(expected_symtab); - if (remove(TEST_FILE) != 0) { - LOG_ERROR("Error deleting %s", TEST_FILE); - } + // We use calloc for the below four calls to ensure that the untouched parts + // are zeroized, as we will later memcmp the data to what we've read from + // the file. + expected_text_section = (section_info *)calloc(1, sizeof(section_info)); + if (expected_text_section == NULL) { + LOG_ERROR(" Error allocating memory for expected text section"); + goto end; + } + strcpy(expected_text_section->name, "__text"); + expected_text_section->size = text_section_size; + expected_text_section->offset = text_section_offset; + + expected_const_section = (section_info *)calloc(1, sizeof(section_info)); + if (expected_const_section == NULL) { + LOG_ERROR(" Error allocating memory for expected const section"); + goto end; + } + strcpy(expected_const_section->name, "__const"); + expected_const_section->size = const_section_size; + expected_const_section->offset = const_section_offset; + + expected_symbol_table = (section_info *)calloc(1, sizeof(section_info)); + if (expected_symbol_table == NULL) { + LOG_ERROR(" Error allocating memory for expected symbol table"); + goto end; + } + strcpy(expected_symbol_table->name, "__symbol_table"); + expected_symbol_table->size = NUM_SYMS * sizeof(struct nlist_64); + expected_symbol_table->offset = symtab_command_symoff; + + expected_string_table = (section_info *)calloc(1, sizeof(section_info)); + if (expected_string_table == NULL) { + 
LOG_ERROR(" Error allocating memory for expected string table"); + goto end; + } + strcpy(expected_string_table->name, "__string_table"); + expected_string_table->size = symtab_command_strsize; + expected_string_table->offset = symtab_command_stroff; + + expected_sections = (section_info *)malloc(sizeof(section_info) * 4); + if (expected_sections == NULL) { + LOG_ERROR("Error allocating memory for expected sections"); + goto end; + } + memcpy(&expected_sections[0], expected_text_section, sizeof(section_info)); + memcpy(&expected_sections[1], expected_const_section, sizeof(section_info)); + memcpy(&expected_sections[2], expected_symbol_table, sizeof(section_info)); + memcpy(&expected_sections[3], expected_string_table, sizeof(section_info)); + + expected_macho = (machofile *)malloc(sizeof(machofile)); + if (expected_macho == NULL) { + LOG_ERROR("Error allocating memory for expected macho file struct"); + goto end; + } + expected_macho->macho_header = test_header; + expected_macho->num_sections = 4; + expected_macho->sections = expected_sections; + + expected_symtab = + (struct nlist_64 *)malloc(NUM_SYMS * sizeof(struct nlist_64)); + if (expected_symtab == NULL) { + LOG_ERROR("Error allocating memory for expected symbol table struct"); + goto end; + } + expected_symtab[0] = symbol1; + expected_symtab[1] = symbol2; + + fail = false; + end: + if (fail) { + free(expected_sections); + free(expected_macho); + free(expected_symtab); + } + free(expected_text_section); + free(expected_const_section); + free(expected_symbol_table); + free(expected_string_table); + } + + static void TearDownTestSuite() { + free_macho_file(expected_macho); + free(expected_symtab); + if (remove(TEST_FILE) != 0) { + LOG_ERROR("Error deleting %s", TEST_FILE); } + } }; diff --git a/util/fipstools/test_fips.c b/util/fipstools/test_fips.c index 9abf2f67cc..206fec534b 100644 --- a/util/fipstools/test_fips.c +++ b/util/fipstools/test_fips.c 
@@ -60,7 +60,7 @@ int main(int argc, char **argv) { goto err; } printf("Module version: %" PRIu32 "\n", module_version); -#endif //BORINGSSL_FIPS_140_3 +#endif // BORINGSSL_FIPS_140_3 static const uint8_t kAESKey[16] = "BoringCrypto Key"; static const uint8_t kPlaintext[64] = @@ -146,8 +146,8 @@ int main(int argc, char **argv) { printf("About to AES-GCM open "); hexdump(output, out_len); if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce, - EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), - output, out_len, NULL, 0)) { + EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), output, + out_len, NULL, 0)) { printf("AES-GCM decrypt failed\n"); goto err; } @@ -159,7 +159,8 @@ int main(int argc, char **argv) { /* AES-CCM */ OPENSSL_memset(nonce, 0, sizeof(nonce)); - if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_ccm_bluetooth(), kAESKey, sizeof(kAESKey), 0, NULL)) { + if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_ccm_bluetooth(), kAESKey, + sizeof(kAESKey), 0, NULL)) { fprintf(stderr, "EVP_AED_CTX_init for AES-128-CCM failed.\n"); goto err; } @@ -168,9 +169,10 @@ int main(int argc, char **argv) { OPENSSL_memset(aes_iv, 0, sizeof(aes_iv)); printf("About to AES-CCM seal "); hexdump(kPlaintext, sizeof(kPlaintext)); - if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce, - EVP_AEAD_nonce_length(EVP_aead_aes_128_ccm_bluetooth()), - kPlaintext, sizeof(kPlaintext), NULL, 0)) { + if (!EVP_AEAD_CTX_seal( + &aead_ctx, output, &out_len, sizeof(output), nonce, + EVP_AEAD_nonce_length(EVP_aead_aes_128_ccm_bluetooth()), kPlaintext, + sizeof(kPlaintext), NULL, 0)) { fprintf(stderr, "EVP_AEAD_CTX_seal for AES-128-CCM failed.\n"); goto err; } 
@@ -185,15 +187,16 @@ int main(int argc, char **argv) { } printf("About to AES-CCM open "); hexdump(output, out_len); - if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce, - EVP_AEAD_nonce_length(EVP_aead_aes_128_ccm_bluetooth()), - output, out_len, NULL, 0)) { + if (!EVP_AEAD_CTX_open( + &aead_ctx, output, &out_len, sizeof(output), nonce, + EVP_AEAD_nonce_length(EVP_aead_aes_128_ccm_bluetooth()), output, + out_len, NULL, 0)) { fprintf(stderr, "EVP_AEAD_CTX_open for AES-128-CCM failed.\n"); goto err; } printf(" got "); hexdump(output, out_len); - + OPENSSL_cleanse(&aes_key, sizeof(aes_key)); EVP_AEAD_CTX_zero(&aead_ctx); @@ -207,7 +210,8 @@ int main(int argc, char **argv) { printf("About to AES-ECB encrypt "); hexdump(kPlaintext, sizeof(kPlaintext)); for (size_t j = 0; j < sizeof(kPlaintext) / 16; j++) { - AES_ecb_encrypt(&kPlaintext[j * 16], &output[j * 16], &aes_key, AES_ENCRYPT); + AES_ecb_encrypt(&kPlaintext[j * 16], &output[j * 16], &aes_key, + AES_ENCRYPT); } printf(" got "); hexdump(output, sizeof(kPlaintext)); @@ -240,7 +244,8 @@ int main(int argc, char **argv) { } printf("About to AES-CTR Encrypt "); hexdump(kPlaintext, sizeof(kPlaintext)); - AES_ctr128_encrypt(kPlaintext, output, sizeof(kPlaintext), &aes_key, aes_iv, ecount_buf, &num); + AES_ctr128_encrypt(kPlaintext, output, sizeof(kPlaintext), &aes_key, aes_iv, + ecount_buf, &num); printf(" got "); hexdump(output, sizeof(kPlaintext)); @@ -249,7 +254,8 @@ int main(int argc, char **argv) { OPENSSL_memset(aes_iv, 0, sizeof(aes_iv)); printf("About to AES-CTR Decrypt "); hexdump(output, sizeof(kPlaintext)); - AES_ctr128_encrypt(output, output, sizeof(kPlaintext), &aes_key, aes_iv, ecount_buf, &num); + AES_ctr128_encrypt(output, output, sizeof(kPlaintext), &aes_key, aes_iv, + ecount_buf, &num); printf(" got "); hexdump(output, sizeof(kPlaintext)); 
@@ -262,7 +268,8 @@ int main(int argc, char **argv) { } printf("About to AES-KW Wrap "); hexdump(kPlaintext, sizeof(kPlaintext)); - out_len = AES_wrap_key(&aes_key, NULL, output, kPlaintext, sizeof(kPlaintext)); + out_len = + AES_wrap_key(&aes_key, NULL, output, kPlaintext, sizeof(kPlaintext)); printf(" got "); hexdump(output, out_len); @@ -298,8 +305,8 @@ int main(int argc, char **argv) { memcpy(&des_iv, &kDESIV, sizeof(des_iv)); printf("About to 3DES-CBC decrypt "); hexdump(kPlaintext, sizeof(kPlaintext)); - DES_ede3_cbc_encrypt(output, output, sizeof(kPlaintext), &des1, - &des2, &des3, &des_iv, DES_DECRYPT); + DES_ede3_cbc_encrypt(output, output, sizeof(kPlaintext), &des1, &des2, &des3, + &des_iv, DES_DECRYPT); printf(" got "); hexdump(output, sizeof(kPlaintext)); @@ -389,9 +396,8 @@ int main(int argc, char **argv) { hexdump(kPlaintextSHA256, sizeof(kPlaintextSHA256)); ECDSA_SIG *sig = ECDSA_do_sign(kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key); - if (sig == NULL || - !ECDSA_do_verify(kPlaintextSHA256, sizeof(kPlaintextSHA256), sig, - ec_key)) { + if (sig == NULL || !ECDSA_do_verify(kPlaintextSHA256, + sizeof(kPlaintextSHA256), sig, ec_key)) { printf("ECDSA Sign/Verify PWCT failed.\n"); goto err; } @@ -406,8 +412,10 @@ int main(int argc, char **argv) { uint8_t ed_private_key[ED25519_PRIVATE_KEY_LEN]; ED25519_keypair(ed_public_key, ed_private_key); uint8_t ed_signature[ED25519_SIGNATURE_LEN]; - if (!ED25519_sign(ed_signature,kPlaintextSHA256, sizeof(kPlaintextSHA256), ed_private_key) || - !ED25519_verify(kPlaintextSHA256, sizeof(kPlaintextSHA256), ed_signature, ed_public_key)) { + if (!ED25519_sign(ed_signature, kPlaintextSHA256, sizeof(kPlaintextSHA256), + ed_private_key) || + !ED25519_verify(kPlaintextSHA256, sizeof(kPlaintextSHA256), ed_signature, + ed_public_key)) { printf("ED25519 Sign/Verify PWCT failed.\n"); goto err; } 
@@ -418,12 +426,15 @@ int main(int argc, char **argv) { printf("About to Ed25519ph sign "); hexdump(kPlaintextSHA256, sizeof(kPlaintextSHA256)); uint8_t ed25519_ph_context[32] = { - 0xfe, 0x52, 0xbb, 0xd2, 0x45, 0x54, 0x46, 0xad, 0xa5, 0x24, 0x6b, 0x5a, - 0xf3, 0xba, 0x82, 0x93, 0x9c, 0xed, 0xa6, 0xa1, 0x8f, 0x59, 0xd3, 0x37, - 0x48, 0xde, 0x40, 0x7a, 0xfe, 0x31, 0x48, 0xd1 - }; - if (!ED25519ph_sign(ed_signature, kPlaintextSHA256, sizeof(kPlaintextSHA256), ed_private_key, ed25519_ph_context, sizeof(ed25519_ph_context)) || - !ED25519ph_verify(kPlaintextSHA256, sizeof(kPlaintextSHA256), ed_signature, ed_public_key, ed25519_ph_context, sizeof(ed25519_ph_context))) { + 0xfe, 0x52, 0xbb, 0xd2, 0x45, 0x54, 0x46, 0xad, 0xa5, 0x24, 0x6b, + 0x5a, 0xf3, 0xba, 0x82, 0x93, 0x9c, 0xed, 0xa6, 0xa1, 0x8f, 0x59, + 0xd3, 0x37, 0x48, 0xde, 0x40, 0x7a, 0xfe, 0x31, 0x48, 0xd1}; + if (!ED25519ph_sign(ed_signature, kPlaintextSHA256, sizeof(kPlaintextSHA256), + ed_private_key, ed25519_ph_context, + sizeof(ed25519_ph_context)) || + !ED25519ph_verify(kPlaintextSHA256, sizeof(kPlaintextSHA256), + ed_signature, ed_public_key, ed25519_ph_context, + sizeof(ed25519_ph_context))) { printf("ED25519ph Sign/Verify PWCT failed.\n"); goto err; } @@ -435,13 +446,13 @@ int main(int argc, char **argv) { EVP_PKEY *kem_raw = NULL; EVP_PKEY_CTX *kem_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, NULL); if (kem_ctx == NULL || !EVP_PKEY_CTX_kem_set_params(kem_ctx, NID_MLKEM512) || - !EVP_PKEY_keygen_init(kem_ctx) || - !EVP_PKEY_keygen(kem_ctx, &kem_raw)) { + !EVP_PKEY_keygen_init(kem_ctx) || !EVP_PKEY_keygen(kem_ctx, &kem_raw)) { printf("ML-KEM keygen failed.\n"); goto err; } printf("Generated public key: "); - hexdump(kem_raw->pkey.kem_key->public_key, kem_raw->pkey.kem_key->kem->public_key_len); + hexdump(kem_raw->pkey.kem_key->public_key, + kem_raw->pkey.kem_key->kem->public_key_len); EVP_PKEY_free(kem_raw); EVP_PKEY_CTX_free(kem_ctx); 
@@ -450,13 +461,13 @@ int main(int argc, char **argv) { EVP_PKEY *dsa_raw = NULL; EVP_PKEY_CTX *dsa_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_PQDSA, NULL); if (dsa_ctx == NULL || !EVP_PKEY_CTX_pqdsa_set_params(dsa_ctx, NID_MLDSA44) || - !EVP_PKEY_keygen_init(dsa_ctx) || - !EVP_PKEY_keygen(dsa_ctx, &dsa_raw)) { + !EVP_PKEY_keygen_init(dsa_ctx) || !EVP_PKEY_keygen(dsa_ctx, &dsa_raw)) { printf("ML-DSA keygen failed.\n"); goto err; - } + } printf("Generated public key: "); - hexdump(dsa_raw->pkey.pqdsa_key->public_key, dsa_raw->pkey.pqdsa_key->pqdsa->public_key_len); + hexdump(dsa_raw->pkey.pqdsa_key->public_key, + dsa_raw->pkey.pqdsa_key->pqdsa->public_key_len); EVP_PKEY_free(dsa_raw); EVP_PKEY_CTX_free(dsa_ctx); @@ -494,10 +505,8 @@ int main(int argc, char **argv) { /* FFDH */ printf("About to compute FFDH key-agreement:\n"); DH *dh = DH_get_rfc7919_2048(); - uint8_t dh_result[2048/8]; - if (!dh || - !DH_generate_key(dh) || - sizeof(dh_result) != DH_size(dh) || + uint8_t dh_result[2048 / 8]; + if (!dh || !DH_generate_key(dh) || sizeof(dh_result) != DH_size(dh) || DH_compute_key_padded(dh_result, DH_get0_pub_key(dh), dh) != sizeof(dh_result)) { fprintf(stderr, "FFDH failed.\n");