diff --git a/contrib/bearssl/.gitignore b/contrib/bearssl/.gitignore
new file mode 100644
index 000000000000..7da362eddc00
--- /dev/null
+++ b/contrib/bearssl/.gitignore
@@ -0,0 +1,6 @@
+/build/
+/libbearssl.a
+/brssl
+/testcrypto
+/testspeed
+/testx509
diff --git a/contrib/bearssl/T0Comp.exe b/contrib/bearssl/T0Comp.exe
index 67eba109800e..de2364d69e07 100755
Binary files a/contrib/bearssl/T0Comp.exe and b/contrib/bearssl/T0Comp.exe differ
diff --git a/contrib/bearssl/flist b/contrib/bearssl/flist
new file mode 100644
index 000000000000..9751ad231065
--- /dev/null
+++ b/contrib/bearssl/flist
@@ -0,0 +1,459 @@
+T0/BlobWriter.cs
+T0/CPU.cs
+T0/CodeElement.cs
+T0/CodeElementJump.cs
+T0/CodeElementUInt.cs
+T0/CodeElementUIntExpr.cs
+T0/CodeElementUIntInt.cs
+T0/CodeElementUIntUInt.cs
+T0/ConstData.cs
+T0/Opcode.cs
+T0/OpcodeCall.cs
+T0/OpcodeConst.cs
+T0/OpcodeGetLocal.cs
+T0/OpcodeJump.cs
+T0/OpcodeJumpIf.cs
+T0/OpcodeJumpIfNot.cs
+T0/OpcodeJumpUncond.cs
+T0/OpcodePutLocal.cs
+T0/OpcodeRet.cs
+T0/SType.cs
+T0/T0Comp.cs
+T0/TPointerBase.cs
+T0/TPointerBlob.cs
+T0/TPointerExpr.cs
+T0/TPointerNull.cs
+T0/TPointerXT.cs
+T0/TValue.cs
+T0/Word.cs
+T0/WordBuilder.cs
+T0/WordData.cs
+T0/WordInterpreted.cs
+T0/WordNative.cs
+T0/kern.t0
+conf/Unix.mk
+conf/Unix32.mk
+conf/UnixClang.mk
+conf/Win.mk
+conf/samd20.mk
+inc/bearssl.h
+inc/bearssl_aead.h
+inc/bearssl_block.h
+inc/bearssl_ec.h
+inc/bearssl_hash.h
+inc/bearssl_hmac.h
+inc/bearssl_kdf.h
+inc/bearssl_pem.h
+inc/bearssl_prf.h
+inc/bearssl_rand.h
+inc/bearssl_rsa.h
+inc/bearssl_ssl.h
+inc/bearssl_x509.h
+mk/Defaults.mk
+mk/NMake.mk
+mk/Rules.mk
+mk/SingleUnix.mk
+mk/mkT0.cmd
+mk/mkT0.sh
+mk/mkrules.sh
+samples/README.txt
+samples/cert-ee-ec+rsa.pem
+samples/cert-ee-ec.pem
+samples/cert-ee-rsa.pem
+samples/cert-ica-ec.pem
+samples/cert-ica-rsa.pem
+samples/cert-root-ec.pem
+samples/cert-root-rsa.pem
+samples/chain-ec+rsa.h
+samples/chain-ec.h
+samples/chain-rsa.h
+samples/client_basic.c
+samples/custom_profile.c
+samples/key-ec.h
+samples/key-ee-ec.pem
+samples/key-ee-rsa.pem
+samples/key-ica-ec.pem
+samples/key-ica-rsa.pem
+samples/key-root-ec.pem
+samples/key-root-rsa.pem
+samples/key-rsa.h
+samples/server_basic.c
+src/aead/ccm.c
+src/aead/eax.c
+src/aead/gcm.c
+src/codec/ccopy.c
+src/codec/dec16be.c
+src/codec/dec16le.c
+src/codec/dec32be.c
+src/codec/dec32le.c
+src/codec/dec64be.c
+src/codec/dec64le.c
+src/codec/enc16be.c
+src/codec/enc16le.c
+src/codec/enc32be.c
+src/codec/enc32le.c
+src/codec/enc64be.c
+src/codec/enc64le.c
+src/codec/pemdec.c
+src/codec/pemdec.t0
+src/codec/pemenc.c
+src/config.h
+src/ec/ec_all_m15.c
+src/ec/ec_all_m31.c
+src/ec/ec_c25519_i15.c
+src/ec/ec_c25519_i31.c
+src/ec/ec_c25519_m15.c
+src/ec/ec_c25519_m31.c
+src/ec/ec_c25519_m62.c
+src/ec/ec_c25519_m64.c
+src/ec/ec_curve25519.c
+src/ec/ec_default.c
+src/ec/ec_keygen.c
+src/ec/ec_p256_m15.c
+src/ec/ec_p256_m31.c
+src/ec/ec_p256_m62.c
+src/ec/ec_p256_m64.c
+src/ec/ec_prime_i15.c
+src/ec/ec_prime_i31.c
+src/ec/ec_pubkey.c
+src/ec/ec_secp256r1.c
+src/ec/ec_secp384r1.c
+src/ec/ec_secp521r1.c
+src/ec/ecdsa_atr.c
+src/ec/ecdsa_default_sign_asn1.c
+src/ec/ecdsa_default_sign_raw.c
+src/ec/ecdsa_default_vrfy_asn1.c
+src/ec/ecdsa_default_vrfy_raw.c
+src/ec/ecdsa_i15_bits.c
+src/ec/ecdsa_i15_sign_asn1.c
+src/ec/ecdsa_i15_sign_raw.c
+src/ec/ecdsa_i15_vrfy_asn1.c
+src/ec/ecdsa_i15_vrfy_raw.c
+src/ec/ecdsa_i31_bits.c
+src/ec/ecdsa_i31_sign_asn1.c
+src/ec/ecdsa_i31_sign_raw.c
+src/ec/ecdsa_i31_vrfy_asn1.c
+src/ec/ecdsa_i31_vrfy_raw.c
+src/ec/ecdsa_rta.c
+src/hash/dig_oid.c
+src/hash/dig_size.c
+src/hash/ghash_ctmul.c
+src/hash/ghash_ctmul32.c
+src/hash/ghash_ctmul64.c
+src/hash/ghash_pclmul.c
+src/hash/ghash_pwr8.c
+src/hash/md5.c
+src/hash/md5sha1.c
+src/hash/mgf1.c
+src/hash/multihash.c
+src/hash/sha1.c
+src/hash/sha2big.c
+src/hash/sha2small.c
+src/inner.h
+src/int/i15_add.c
+src/int/i15_bitlen.c
+src/int/i15_decmod.c
+src/int/i15_decode.c
+src/int/i15_decred.c
+src/int/i15_encode.c
+src/int/i15_fmont.c
+src/int/i15_iszero.c
+src/int/i15_moddiv.c
+src/int/i15_modpow.c
+src/int/i15_modpow2.c
+src/int/i15_montmul.c
+src/int/i15_mulacc.c
+src/int/i15_muladd.c
+src/int/i15_ninv15.c
+src/int/i15_reduce.c
+src/int/i15_rshift.c
+src/int/i15_sub.c
+src/int/i15_tmont.c
+src/int/i31_add.c
+src/int/i31_bitlen.c
+src/int/i31_decmod.c
+src/int/i31_decode.c
+src/int/i31_decred.c
+src/int/i31_encode.c
+src/int/i31_fmont.c
+src/int/i31_iszero.c
+src/int/i31_moddiv.c
+src/int/i31_modpow.c
+src/int/i31_modpow2.c
+src/int/i31_montmul.c
+src/int/i31_mulacc.c
+src/int/i31_muladd.c
+src/int/i31_ninv31.c
+src/int/i31_reduce.c
+src/int/i31_rshift.c
+src/int/i31_sub.c
+src/int/i31_tmont.c
+src/int/i32_add.c
+src/int/i32_bitlen.c
+src/int/i32_decmod.c
+src/int/i32_decode.c
+src/int/i32_decred.c
+src/int/i32_div32.c
+src/int/i32_encode.c
+src/int/i32_fmont.c
+src/int/i32_iszero.c
+src/int/i32_modpow.c
+src/int/i32_montmul.c
+src/int/i32_mulacc.c
+src/int/i32_muladd.c
+src/int/i32_ninv32.c
+src/int/i32_reduce.c
+src/int/i32_sub.c
+src/int/i32_tmont.c
+src/int/i62_modpow2.c
+src/kdf/hkdf.c
+src/kdf/shake.c
+src/mac/hmac.c
+src/mac/hmac_ct.c
+src/rand/aesctr_drbg.c
+src/rand/hmac_drbg.c
+src/rand/sysrng.c
+src/rsa/rsa_default_keygen.c
+src/rsa/rsa_default_modulus.c
+src/rsa/rsa_default_oaep_decrypt.c
+src/rsa/rsa_default_oaep_encrypt.c
+src/rsa/rsa_default_pkcs1_sign.c
+src/rsa/rsa_default_pkcs1_vrfy.c
+src/rsa/rsa_default_priv.c
+src/rsa/rsa_default_privexp.c
+src/rsa/rsa_default_pss_sign.c
+src/rsa/rsa_default_pss_vrfy.c
+src/rsa/rsa_default_pub.c
+src/rsa/rsa_default_pubexp.c
+src/rsa/rsa_i15_keygen.c
+src/rsa/rsa_i15_modulus.c
+src/rsa/rsa_i15_oaep_decrypt.c
+src/rsa/rsa_i15_oaep_encrypt.c
+src/rsa/rsa_i15_pkcs1_sign.c
+src/rsa/rsa_i15_pkcs1_vrfy.c
+src/rsa/rsa_i15_priv.c
+src/rsa/rsa_i15_privexp.c
+src/rsa/rsa_i15_pss_sign.c
+src/rsa/rsa_i15_pss_vrfy.c
+src/rsa/rsa_i15_pub.c
+src/rsa/rsa_i15_pubexp.c
+src/rsa/rsa_i31_keygen.c
+src/rsa/rsa_i31_keygen_inner.c
+src/rsa/rsa_i31_modulus.c
+src/rsa/rsa_i31_oaep_decrypt.c
+src/rsa/rsa_i31_oaep_encrypt.c
+src/rsa/rsa_i31_pkcs1_sign.c
+src/rsa/rsa_i31_pkcs1_vrfy.c
+src/rsa/rsa_i31_priv.c
+src/rsa/rsa_i31_privexp.c
+src/rsa/rsa_i31_pss_sign.c
+src/rsa/rsa_i31_pss_vrfy.c
+src/rsa/rsa_i31_pub.c
+src/rsa/rsa_i31_pubexp.c
+src/rsa/rsa_i32_oaep_decrypt.c
+src/rsa/rsa_i32_oaep_encrypt.c
+src/rsa/rsa_i32_pkcs1_sign.c
+src/rsa/rsa_i32_pkcs1_vrfy.c
+src/rsa/rsa_i32_priv.c
+src/rsa/rsa_i32_pss_sign.c
+src/rsa/rsa_i32_pss_vrfy.c
+src/rsa/rsa_i32_pub.c
+src/rsa/rsa_i62_keygen.c
+src/rsa/rsa_i62_oaep_decrypt.c
+src/rsa/rsa_i62_oaep_encrypt.c
+src/rsa/rsa_i62_pkcs1_sign.c
+src/rsa/rsa_i62_pkcs1_vrfy.c
+src/rsa/rsa_i62_priv.c
+src/rsa/rsa_i62_pss_sign.c
+src/rsa/rsa_i62_pss_vrfy.c
+src/rsa/rsa_i62_pub.c
+src/rsa/rsa_oaep_pad.c
+src/rsa/rsa_oaep_unpad.c
+src/rsa/rsa_pkcs1_sig_pad.c
+src/rsa/rsa_pkcs1_sig_unpad.c
+src/rsa/rsa_pss_sig_pad.c
+src/rsa/rsa_pss_sig_unpad.c
+src/rsa/rsa_ssl_decrypt.c
+src/settings.c
+src/ssl/prf.c
+src/ssl/prf_md5sha1.c
+src/ssl/prf_sha256.c
+src/ssl/prf_sha384.c
+src/ssl/ssl_ccert_single_ec.c
+src/ssl/ssl_ccert_single_rsa.c
+src/ssl/ssl_client.c
+src/ssl/ssl_client_default_rsapub.c
+src/ssl/ssl_client_full.c
+src/ssl/ssl_engine.c
+src/ssl/ssl_engine_default_aescbc.c
+src/ssl/ssl_engine_default_aesccm.c
+src/ssl/ssl_engine_default_aesgcm.c
+src/ssl/ssl_engine_default_chapol.c
+src/ssl/ssl_engine_default_descbc.c
+src/ssl/ssl_engine_default_ec.c
+src/ssl/ssl_engine_default_ecdsa.c
+src/ssl/ssl_engine_default_rsavrfy.c
+src/ssl/ssl_hashes.c
+src/ssl/ssl_hs_client.c
+src/ssl/ssl_hs_client.t0
+src/ssl/ssl_hs_common.t0
+src/ssl/ssl_hs_server.c
+src/ssl/ssl_hs_server.t0
+src/ssl/ssl_io.c
+src/ssl/ssl_keyexport.c
+src/ssl/ssl_lru.c
+src/ssl/ssl_rec_cbc.c
+src/ssl/ssl_rec_ccm.c
+src/ssl/ssl_rec_chapol.c
+src/ssl/ssl_rec_gcm.c
+src/ssl/ssl_scert_single_ec.c
+src/ssl/ssl_scert_single_rsa.c
+src/ssl/ssl_server.c
+src/ssl/ssl_server_full_ec.c
+src/ssl/ssl_server_full_rsa.c
+src/ssl/ssl_server_mine2c.c
+src/ssl/ssl_server_mine2g.c
+src/ssl/ssl_server_minf2c.c
+src/ssl/ssl_server_minf2g.c
+src/ssl/ssl_server_minr2g.c
+src/ssl/ssl_server_minu2g.c
+src/ssl/ssl_server_minv2g.c
+src/symcipher/aes_big_cbcdec.c
+src/symcipher/aes_big_cbcenc.c
+src/symcipher/aes_big_ctr.c
+src/symcipher/aes_big_ctrcbc.c
+src/symcipher/aes_big_dec.c
+src/symcipher/aes_big_enc.c
+src/symcipher/aes_common.c
+src/symcipher/aes_ct.c
+src/symcipher/aes_ct64.c
+src/symcipher/aes_ct64_cbcdec.c
+src/symcipher/aes_ct64_cbcenc.c
+src/symcipher/aes_ct64_ctr.c
+src/symcipher/aes_ct64_ctrcbc.c
+src/symcipher/aes_ct64_dec.c
+src/symcipher/aes_ct64_enc.c
+src/symcipher/aes_ct_cbcdec.c
+src/symcipher/aes_ct_cbcenc.c
+src/symcipher/aes_ct_ctr.c
+src/symcipher/aes_ct_ctrcbc.c
+src/symcipher/aes_ct_dec.c
+src/symcipher/aes_ct_enc.c
+src/symcipher/aes_pwr8.c
+src/symcipher/aes_pwr8_cbcdec.c
+src/symcipher/aes_pwr8_cbcenc.c
+src/symcipher/aes_pwr8_ctr.c
+src/symcipher/aes_pwr8_ctrcbc.c
+src/symcipher/aes_small_cbcdec.c
+src/symcipher/aes_small_cbcenc.c
+src/symcipher/aes_small_ctr.c
+src/symcipher/aes_small_ctrcbc.c
+src/symcipher/aes_small_dec.c
+src/symcipher/aes_small_enc.c
+src/symcipher/aes_x86ni.c
+src/symcipher/aes_x86ni_cbcdec.c
+src/symcipher/aes_x86ni_cbcenc.c
+src/symcipher/aes_x86ni_ctr.c
+src/symcipher/aes_x86ni_ctrcbc.c
+src/symcipher/chacha20_ct.c
+src/symcipher/chacha20_sse2.c
+src/symcipher/des_ct.c
+src/symcipher/des_ct_cbcdec.c
+src/symcipher/des_ct_cbcenc.c
+src/symcipher/des_support.c
+src/symcipher/des_tab.c
+src/symcipher/des_tab_cbcdec.c
+src/symcipher/des_tab_cbcenc.c
+src/symcipher/poly1305_ctmul.c
+src/symcipher/poly1305_ctmul32.c
+src/symcipher/poly1305_ctmulq.c
+src/symcipher/poly1305_i15.c
+src/x509/asn1.t0
+src/x509/asn1enc.c
+src/x509/encode_ec_pk8der.c
+src/x509/encode_ec_rawder.c
+src/x509/encode_rsa_pk8der.c
+src/x509/encode_rsa_rawder.c
+src/x509/skey_decoder.c
+src/x509/skey_decoder.t0
+src/x509/x509_decoder.c
+src/x509/x509_decoder.t0
+src/x509/x509_knownkey.c
+src/x509/x509_minimal.c
+src/x509/x509_minimal.t0
+src/x509/x509_minimal_full.c
+test/test_crypto.c
+test/test_math.c
+test/test_speed.c
+test/test_x509.c
+test/x509/alltests.txt
+test/x509/dn-ee.der
+test/x509/dn-ica1.der
+test/x509/dn-ica2.der
+test/x509/dn-root-new.der
+test/x509/dn-root.der
+test/x509/ee-badsig1.crt
+test/x509/ee-badsig2.crt
+test/x509/ee-cp1.crt
+test/x509/ee-cp2.crt
+test/x509/ee-cp3.crt
+test/x509/ee-cp4.crt
+test/x509/ee-dates.crt
+test/x509/ee-md5.crt
+test/x509/ee-names.crt
+test/x509/ee-names2.crt
+test/x509/ee-names3.crt
+test/x509/ee-names4.crt
+test/x509/ee-p256-sha1.crt
+test/x509/ee-p256-sha224.crt
+test/x509/ee-p256-sha256.crt
+test/x509/ee-p256-sha384.crt
+test/x509/ee-p256-sha512.crt
+test/x509/ee-p256.crt
+test/x509/ee-p384.crt
+test/x509/ee-p521.crt
+test/x509/ee-sha1.crt
+test/x509/ee-sha224.crt
+test/x509/ee-sha384.crt
+test/x509/ee-sha512.crt
+test/x509/ee-trailing.crt
+test/x509/ee.crt
+test/x509/ica1-1016.crt
+test/x509/ica1-1017.crt
+test/x509/ica1-4096.crt
+test/x509/ica1-p256.crt
+test/x509/ica1-p384.crt
+test/x509/ica1-p521.crt
+test/x509/ica1.crt
+test/x509/ica2-1016.crt
+test/x509/ica2-1017.crt
+test/x509/ica2-4096.crt
+test/x509/ica2-notCA.crt
+test/x509/ica2-p256.crt
+test/x509/ica2-p384.crt
+test/x509/ica2-p521.crt
+test/x509/ica2.crt
+test/x509/junk.crt
+test/x509/names.crt
+test/x509/root-p256.crt
+test/x509/root-p384.crt
+test/x509/root-p521.crt
+test/x509/root.crt
+tools/brssl.c
+tools/brssl.h
+tools/certs.c
+tools/chain.c
+tools/client.c
+tools/errors.c
+tools/files.c
+tools/impl.c
+tools/keys.c
+tools/names.c
+tools/server.c
+tools/skey.c
+tools/sslio.c
+tools/ta.c
+tools/twrch.c
+tools/vector.c
+tools/verify.c
+tools/xmem.c
diff --git a/contrib/bearssl/inc/bearssl_ec.h b/contrib/bearssl/inc/bearssl_ec.h
index f954309eb6c1..acd3a2bf5a55 100644
--- a/contrib/bearssl/inc/bearssl_ec.h
+++ b/contrib/bearssl/inc/bearssl_ec.h
@@ -1,967 +1,967 @@
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef BR_BEARSSL_EC_H__
#define BR_BEARSSL_EC_H__
#include <stddef.h>
#include <stdint.h>
#include "bearssl_rand.h"
#ifdef __cplusplus
extern "C" {
#endif
/** \file bearssl_ec.h
*
* # Elliptic Curves
*
* This file documents the EC implementations provided with BearSSL, and
* ECDSA.
*
* ## Elliptic Curve API
*
* Only "named curves" are supported. Each EC implementation supports
* one or several named curves, identified by symbolic identifiers.
* These identifiers are small integers, that correspond to the values
* registered by the
* [IANA](http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8).
*
* Since all currently defined elliptic curve identifiers are in the 0..31
* range, it is convenient to encode support of some curves in a 32-bit
* word, such that bit x corresponds to curve of identifier x.
*
* An EC implementation is incarnated by a `br_ec_impl` instance, that
* offers the following fields:
*
* - `supported_curves`
*
* A 32-bit word that documents the identifiers of the curves supported
* by this implementation.
*
* - `generator()`
*
* Callback method that returns a pointer to the conventional generator
* point for that curve.
*
* - `order()`
*
* Callback method that returns a pointer to the subgroup order for
* that curve. That value uses unsigned big-endian encoding.
*
* - `xoff()`
*
* Callback method that returns the offset and length of the X
* coordinate in an encoded point.
*
* - `mul()`
*
* Multiply a curve point with an integer.
*
* - `mulgen()`
*
* Multiply the curve generator with an integer. This may be faster
* than the generic `mul()`.
*
* - `muladd()`
*
* Multiply two curve points by two integers, and return the sum of
* the two products.
*
* All curve points are represented in uncompressed format. The `mul()`
* and `muladd()` methods take care to validate that the provided points
* are really part of the relevant curve subgroup.
*
* For all point multiplication functions, the following holds:
*
* - Functions validate that the provided points are valid members
* of the relevant curve subgroup. An error is reported if that is
* not the case.
*
* - Processing is constant-time, even if the point operands are not
* valid. This holds for both the source and resulting points, and
* the multipliers (integers). Only the byte length of the provided
* multiplier arrays (not their actual value length in bits) may
* leak through timing-based side channels.
*
* - The multipliers (integers) MUST be lower than the subgroup order.
* If this property is not met, then the result is indeterminate,
- * but an error value is not ncessearily returned.
+ * but an error value is not necessarily returned.
*
*
* ## ECDSA
*
* ECDSA signatures have two standard formats, called "raw" and "asn1".
* Internally, such a signature is a pair of modular integers `(r,s)`.
* The "raw" format is the concatenation of the unsigned big-endian
* encodings of these two integers, possibly left-padded with zeros so
* that they have the same encoded length. The "asn1" format is the
* DER encoding of an ASN.1 structure that contains the two integer
* values:
*
* ECDSASignature ::= SEQUENCE {
* r INTEGER,
* s INTEGER
* }
*
* In general, in all of X.509 and SSL/TLS, the "asn1" format is used.
* BearSSL offers ECDSA implementations for both formats; conversion
* functions between the two formats are also provided. Conversion of a
* "raw" format signature into "asn1" may enlarge a signature by no more
* than 9 bytes for all supported curves; conversely, conversion of an
* "asn1" signature to "raw" may expand the signature but the "raw"
* length will never be more than twice the length of the "asn1" length
* (and usually it will be shorter).
*
* Note that for a given signature, the "raw" format is not fully
* deterministic, in that it does not enforce a minimal common length.
*/
/*
* Standard curve ID. These ID are equal to the assigned numerical
* identifiers assigned to these curves for TLS:
* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
*/
/** \brief Identifier for named curve sect163k1. */
#define BR_EC_sect163k1 1
/** \brief Identifier for named curve sect163r1. */
#define BR_EC_sect163r1 2
/** \brief Identifier for named curve sect163r2. */
#define BR_EC_sect163r2 3
/** \brief Identifier for named curve sect193r1. */
#define BR_EC_sect193r1 4
/** \brief Identifier for named curve sect193r2. */
#define BR_EC_sect193r2 5
/** \brief Identifier for named curve sect233k1. */
#define BR_EC_sect233k1 6
/** \brief Identifier for named curve sect233r1. */
#define BR_EC_sect233r1 7
/** \brief Identifier for named curve sect239k1. */
#define BR_EC_sect239k1 8
/** \brief Identifier for named curve sect283k1. */
#define BR_EC_sect283k1 9
/** \brief Identifier for named curve sect283r1. */
#define BR_EC_sect283r1 10
/** \brief Identifier for named curve sect409k1. */
#define BR_EC_sect409k1 11
/** \brief Identifier for named curve sect409r1. */
#define BR_EC_sect409r1 12
/** \brief Identifier for named curve sect571k1. */
#define BR_EC_sect571k1 13
/** \brief Identifier for named curve sect571r1. */
#define BR_EC_sect571r1 14
/** \brief Identifier for named curve secp160k1. */
#define BR_EC_secp160k1 15
/** \brief Identifier for named curve secp160r1. */
#define BR_EC_secp160r1 16
/** \brief Identifier for named curve secp160r2. */
#define BR_EC_secp160r2 17
/** \brief Identifier for named curve secp192k1. */
#define BR_EC_secp192k1 18
/** \brief Identifier for named curve secp192r1. */
#define BR_EC_secp192r1 19
/** \brief Identifier for named curve secp224k1. */
#define BR_EC_secp224k1 20
/** \brief Identifier for named curve secp224r1. */
#define BR_EC_secp224r1 21
/** \brief Identifier for named curve secp256k1. */
#define BR_EC_secp256k1 22
/** \brief Identifier for named curve secp256r1. */
#define BR_EC_secp256r1 23
/** \brief Identifier for named curve secp384r1. */
#define BR_EC_secp384r1 24
/** \brief Identifier for named curve secp521r1. */
#define BR_EC_secp521r1 25
/** \brief Identifier for named curve brainpoolP256r1. */
#define BR_EC_brainpoolP256r1 26
/** \brief Identifier for named curve brainpoolP384r1. */
#define BR_EC_brainpoolP384r1 27
/** \brief Identifier for named curve brainpoolP512r1. */
#define BR_EC_brainpoolP512r1 28
/** \brief Identifier for named curve Curve25519. */
#define BR_EC_curve25519 29
/** \brief Identifier for named curve Curve448. */
#define BR_EC_curve448 30
/**
* \brief Structure for an EC public key.
*/
typedef struct {
/** \brief Identifier for the curve used by this key. */
int curve;
/** \brief Public curve point (uncompressed format). */
unsigned char *q;
/** \brief Length of public curve point (in bytes). */
size_t qlen;
} br_ec_public_key;
/**
* \brief Structure for an EC private key.
*
* The private key is an integer modulo the curve subgroup order. The
* encoding below tolerates extra leading zeros. In general, it is
* recommended that the private key has the same length as the curve
* subgroup order.
*/
typedef struct {
/** \brief Identifier for the curve used by this key. */
int curve;
/** \brief Private key (integer, unsigned big-endian encoding). */
unsigned char *x;
/** \brief Private key length (in bytes). */
size_t xlen;
} br_ec_private_key;
/**
* \brief Type for an EC implementation.
*/
typedef struct {
/**
* \brief Supported curves.
*
* This word is a bitfield: bit `x` is set if the curve of ID `x`
* is supported. E.g. an implementation supporting both NIST P-256
* (secp256r1, ID 23) and NIST P-384 (secp384r1, ID 24) will have
* value `0x01800000` in this field.
*/
uint32_t supported_curves;
/**
* \brief Get the conventional generator.
*
* This function returns the conventional generator (encoded
* curve point) for the specified curve. This function MUST NOT
* be called if the curve is not supported.
*
* \param curve curve identifier.
* \param len receiver for the encoded generator length (in bytes).
* \return the encoded generator.
*/
const unsigned char *(*generator)(int curve, size_t *len);
/**
* \brief Get the subgroup order.
*
* This function returns the order of the subgroup generated by
* the conventional generator, for the specified curve. Unsigned
* big-endian encoding is used. This function MUST NOT be called
* if the curve is not supported.
*
* \param curve curve identifier.
* \param len receiver for the encoded order length (in bytes).
* \return the encoded order.
*/
const unsigned char *(*order)(int curve, size_t *len);
/**
* \brief Get the offset and length for the X coordinate.
*
* This function returns the offset and length (in bytes) of
* the X coordinate in an encoded non-zero point.
*
* \param curve curve identifier.
* \param len receiver for the X coordinate length (in bytes).
* \return the offset for the X coordinate (in bytes).
*/
size_t (*xoff)(int curve, size_t *len);
/**
* \brief Multiply a curve point by an integer.
*
* The source point is provided in array `G` (of size `Glen` bytes);
* the multiplication result is written over it. The multiplier
* `x` (of size `xlen` bytes) uses unsigned big-endian encoding.
*
* Rules:
*
* - The specified curve MUST be supported.
*
* - The source point must be a valid point on the relevant curve
* subgroup (and not the "point at infinity" either). If this is
* not the case, then this function returns an error (0).
*
* - The multiplier integer MUST be non-zero and less than the
* curve subgroup order. If this property does not hold, then
* the result is indeterminate and an error code is not
* guaranteed.
*
* Returned value is 1 on success, 0 on error. On error, the
* contents of `G` are indeterminate.
*
* \param G point to multiply.
* \param Glen length of the encoded point (in bytes).
* \param x multiplier (unsigned big-endian).
* \param xlen multiplier length (in bytes).
* \param curve curve identifier.
* \return 1 on success, 0 on error.
*/
uint32_t (*mul)(unsigned char *G, size_t Glen,
const unsigned char *x, size_t xlen, int curve);
/**
* \brief Multiply the generator by an integer.
*
* The multiplier MUST be non-zero and less than the curve
* subgroup order. Results are indeterminate if this property
* does not hold.
*
* \param R output buffer for the point.
* \param x multiplier (unsigned big-endian).
* \param xlen multiplier length (in bytes).
* \param curve curve identifier.
* \return encoded result point length (in bytes).
*/
size_t (*mulgen)(unsigned char *R,
const unsigned char *x, size_t xlen, int curve);
/**
* \brief Multiply two points by two integers and add the
* results.
*
* The point `x*A + y*B` is computed and written back in the `A`
* array.
*
* Rules:
*
* - The specified curve MUST be supported.
*
* - The source points (`A` and `B`) must be valid points on
* the relevant curve subgroup (and not the "point at
* infinity" either). If this is not the case, then this
* function returns an error (0).
*
* - If the `B` pointer is `NULL`, then the conventional
* subgroup generator is used. With some implementations,
* this may be faster than providing a pointer to the
* generator.
*
* - The multiplier integers (`x` and `y`) MUST be non-zero
* and less than the curve subgroup order. If either integer
* is zero, then an error is reported, but if one of them is
* not lower than the subgroup order, then the result is
* indeterminate and an error code is not guaranteed.
*
* - If the final result is the point at infinity, then an
* error is returned.
*
* Returned value is 1 on success, 0 on error. On error, the
* contents of `A` are indeterminate.
*
* \param A first point to multiply.
* \param B second point to multiply (`NULL` for the generator).
* \param len common length of the encoded points (in bytes).
* \param x multiplier for `A` (unsigned big-endian).
* \param xlen length of multiplier for `A` (in bytes).
* \param y multiplier for `A` (unsigned big-endian).
* \param ylen length of multiplier for `A` (in bytes).
* \param curve curve identifier.
* \return 1 on success, 0 on error.
*/
uint32_t (*muladd)(unsigned char *A, const unsigned char *B, size_t len,
const unsigned char *x, size_t xlen,
const unsigned char *y, size_t ylen, int curve);
} br_ec_impl;
/**
* \brief EC implementation "i31".
*
* This implementation internally uses generic code for modular integers,
* with a representation as sequences of 31-bit words. It supports secp256r1,
* secp384r1 and secp521r1 (aka NIST curves P-256, P-384 and P-521).
*/
extern const br_ec_impl br_ec_prime_i31;
/**
* \brief EC implementation "i15".
*
* This implementation internally uses generic code for modular integers,
* with a representation as sequences of 15-bit words. It supports secp256r1,
* secp384r1 and secp521r1 (aka NIST curves P-256, P-384 and P-521).
*/
extern const br_ec_impl br_ec_prime_i15;
/**
* \brief EC implementation "m15" for P-256.
*
* This implementation uses specialised code for curve secp256r1 (also
* known as NIST P-256), with optional Karatsuba decomposition, and fast
* modular reduction thanks to the field modulus special format. Only
* 32-bit multiplications are used (with 32-bit results, not 64-bit).
*/
extern const br_ec_impl br_ec_p256_m15;
/**
* \brief EC implementation "m31" for P-256.
*
* This implementation uses specialised code for curve secp256r1 (also
* known as NIST P-256), relying on multiplications of 31-bit values
* (MUL31).
*/
extern const br_ec_impl br_ec_p256_m31;
/**
* \brief EC implementation "m62" (specialised code) for P-256.
*
* This implementation uses custom code relying on multiplication of
* integers up to 64 bits, with a 128-bit result. This implementation is
* defined only on platforms that offer the 64x64->128 multiplication
* support; use `br_ec_p256_m62_get()` to dynamically obtain a pointer
* to that implementation.
*/
extern const br_ec_impl br_ec_p256_m62;
/**
* \brief Get the "m62" implementation of P-256, if available.
*
* \return the implementation, or 0.
*/
const br_ec_impl *br_ec_p256_m62_get(void);
/**
* \brief EC implementation "m64" (specialised code) for P-256.
*
* This implementation uses custom code relying on multiplication of
* integers up to 64 bits, with a 128-bit result. This implementation is
* defined only on platforms that offer the 64x64->128 multiplication
* support; use `br_ec_p256_m64_get()` to dynamically obtain a pointer
* to that implementation.
*/
extern const br_ec_impl br_ec_p256_m64;
/**
* \brief Get the "m64" implementation of P-256, if available.
*
* \return the implementation, or 0.
*/
const br_ec_impl *br_ec_p256_m64_get(void);
/**
* \brief EC implementation "i15" (generic code) for Curve25519.
*
* This implementation uses the generic code for modular integers (with
* 15-bit words) to support Curve25519. Due to the specificities of the
* curve definition, the following applies:
*
* - `muladd()` is not implemented (the function returns 0 systematically).
* - `order()` returns 2^255-1, since the point multiplication algorithm
* accepts any 32-bit integer as input (it clears the top bit and low
* three bits systematically).
*/
extern const br_ec_impl br_ec_c25519_i15;
/**
* \brief EC implementation "i31" (generic code) for Curve25519.
*
* This implementation uses the generic code for modular integers (with
* 31-bit words) to support Curve25519. Due to the specificities of the
* curve definition, the following applies:
*
* - `muladd()` is not implemented (the function returns 0 systematically).
* - `order()` returns 2^255-1, since the point multiplication algorithm
* accepts any 32-bit integer as input (it clears the top bit and low
* three bits systematically).
*/
extern const br_ec_impl br_ec_c25519_i31;
/**
* \brief EC implementation "m15" (specialised code) for Curve25519.
*
* This implementation uses custom code relying on multiplication of
* integers up to 15 bits. Due to the specificities of the curve
* definition, the following applies:
*
* - `muladd()` is not implemented (the function returns 0 systematically).
* - `order()` returns 2^255-1, since the point multiplication algorithm
* accepts any 32-bit integer as input (it clears the top bit and low
* three bits systematically).
*/
extern const br_ec_impl br_ec_c25519_m15;
/**
* \brief EC implementation "m31" (specialised code) for Curve25519.
*
* This implementation uses custom code relying on multiplication of
* integers up to 31 bits. Due to the specificities of the curve
* definition, the following applies:
*
* - `muladd()` is not implemented (the function returns 0 systematically).
* - `order()` returns 2^255-1, since the point multiplication algorithm
* accepts any 32-bit integer as input (it clears the top bit and low
* three bits systematically).
*/
extern const br_ec_impl br_ec_c25519_m31;
/**
* \brief EC implementation "m62" (specialised code) for Curve25519.
*
* This implementation uses custom code relying on multiplication of
* integers up to 62 bits, with a 124-bit result. This implementation is
* defined only on platforms that offer the 64x64->128 multiplication
* support; use `br_ec_c25519_m62_get()` to dynamically obtain a pointer
* to that implementation. Due to the specificities of the curve
* definition, the following applies:
*
* - `muladd()` is not implemented (the function returns 0 systematically).
* - `order()` returns 2^255-1, since the point multiplication algorithm
* accepts any 32-bit integer as input (it clears the top bit and low
* three bits systematically).
*/
extern const br_ec_impl br_ec_c25519_m62;
/**
* \brief Get the "m62" implementation of Curve25519, if available.
*
* \return the implementation, or 0.
*/
const br_ec_impl *br_ec_c25519_m62_get(void);
/**
* \brief EC implementation "m64" (specialised code) for Curve25519.
*
* This implementation uses custom code relying on multiplication of
* integers up to 64 bits, with a 128-bit result. This implementation is
* defined only on platforms that offer the 64x64->128 multiplication
* support; use `br_ec_c25519_m64_get()` to dynamically obtain a pointer
* to that implementation. Due to the specificities of the curve
* definition, the following applies:
*
* - `muladd()` is not implemented (the function returns 0 systematically).
* - `order()` returns 2^255-1, since the point multiplication algorithm
* accepts any 32-bit integer as input (it clears the top bit and low
* three bits systematically).
*/
extern const br_ec_impl br_ec_c25519_m64;
/**
* \brief Get the "m64" implementation of Curve25519, if available.
*
* \return the implementation, or 0.
*/
const br_ec_impl *br_ec_c25519_m64_get(void);
/**
* \brief Aggregate EC implementation "m15".
*
* This implementation is a wrapper for:
*
* - `br_ec_c25519_m15` for Curve25519
* - `br_ec_p256_m15` for NIST P-256
* - `br_ec_prime_i15` for other curves (NIST P-384 and NIST-P512)
*/
extern const br_ec_impl br_ec_all_m15;
/**
* \brief Aggregate EC implementation "m31".
*
* This implementation is a wrapper for:
*
* - `br_ec_c25519_m31` for Curve25519
* - `br_ec_p256_m31` for NIST P-256
* - `br_ec_prime_i31` for other curves (NIST P-384 and NIST-P512)
*/
extern const br_ec_impl br_ec_all_m31;
/**
* \brief Get the "default" EC implementation for the current system.
*
* This returns a pointer to the preferred implementation on the
* current system.
*
* \return the default EC implementation.
*/
const br_ec_impl *br_ec_get_default(void);
/**
* \brief Convert a signature from "raw" to "asn1".
*
* Conversion is done "in place" and the new length is returned.
* Conversion may enlarge the signature, but by no more than 9 bytes at
* most. On error, 0 is returned (error conditions include an odd raw
* signature length, or an oversized integer).
*
* \param sig signature to convert.
* \param sig_len signature length (in bytes).
* \return the new signature length, or 0 on error.
*/
size_t br_ecdsa_raw_to_asn1(void *sig, size_t sig_len);
/**
* \brief Convert a signature from "asn1" to "raw".
*
* Conversion is done "in place" and the new length is returned.
* Conversion may enlarge the signature, but the new signature length
* will be less than twice the source length at most. On error, 0 is
* returned (error conditions include an invalid ASN.1 structure or an
* oversized integer).
*
* \param sig signature to convert.
* \param sig_len signature length (in bytes).
* \return the new signature length, or 0 on error.
*/
size_t br_ecdsa_asn1_to_raw(void *sig, size_t sig_len);
/**
* \brief Type for an ECDSA signer function.
*
* A pointer to the EC implementation is provided. The hash value is
* assumed to have the length inferred from the designated hash function
* class.
*
* Signature is written in the buffer pointed to by `sig`, and the length
* (in bytes) is returned. On error, nothing is written in the buffer,
* and 0 is returned. This function returns 0 if the specified curve is
* not supported by the provided EC implementation.
*
* The signature format is either "raw" or "asn1", depending on the
* implementation; maximum length is predictable from the implemented
* curve:
*
* | curve | raw | asn1 |
* | :--------- | --: | ---: |
* | NIST P-256 | 64 | 72 |
* | NIST P-384 | 96 | 104 |
* | NIST P-521 | 132 | 139 |
*
* \param impl EC implementation to use.
* \param hf hash function used to process the data.
* \param hash_value signed data (hashed).
* \param sk EC private key.
* \param sig destination buffer.
* \return the signature length (in bytes), or 0 on error.
*/
typedef size_t (*br_ecdsa_sign)(const br_ec_impl *impl,
const br_hash_class *hf, const void *hash_value,
const br_ec_private_key *sk, void *sig);
/**
* \brief Type for an ECDSA signature verification function.
*
* A pointer to the EC implementation is provided. The hashed value,
* computed over the purportedly signed data, is also provided with
* its length.
*
* The signature format is either "raw" or "asn1", depending on the
* implementation.
*
* Returned value is 1 on success (valid signature), 0 on error. This
* function returns 0 if the specified curve is not supported by the
* provided EC implementation.
*
* \param impl EC implementation to use.
* \param hash signed data (hashed).
* \param hash_len hash value length (in bytes).
* \param pk EC public key.
* \param sig signature.
* \param sig_len signature length (in bytes).
* \return 1 on success, 0 on error.
*/
typedef uint32_t (*br_ecdsa_vrfy)(const br_ec_impl *impl,
const void *hash, size_t hash_len,
const br_ec_public_key *pk, const void *sig, size_t sig_len);
/**
* \brief ECDSA signature generator, "i31" implementation, "asn1" format.
*
* \see br_ecdsa_sign()
*
* \param impl EC implementation to use.
* \param hf hash function used to process the data.
* \param hash_value signed data (hashed).
* \param sk EC private key.
* \param sig destination buffer.
* \return the signature length (in bytes), or 0 on error.
*/
size_t br_ecdsa_i31_sign_asn1(const br_ec_impl *impl,
const br_hash_class *hf, const void *hash_value,
const br_ec_private_key *sk, void *sig);
/**
* \brief ECDSA signature generator, "i31" implementation, "raw" format.
*
* \see br_ecdsa_sign()
*
* \param impl EC implementation to use.
* \param hf hash function used to process the data.
* \param hash_value signed data (hashed).
* \param sk EC private key.
* \param sig destination buffer.
* \return the signature length (in bytes), or 0 on error.
*/
size_t br_ecdsa_i31_sign_raw(const br_ec_impl *impl,
const br_hash_class *hf, const void *hash_value,
const br_ec_private_key *sk, void *sig);
/**
* \brief ECDSA signature verifier, "i31" implementation, "asn1" format.
*
* \see br_ecdsa_vrfy()
*
* \param impl EC implementation to use.
* \param hash signed data (hashed).
* \param hash_len hash value length (in bytes).
* \param pk EC public key.
* \param sig signature.
* \param sig_len signature length (in bytes).
* \return 1 on success, 0 on error.
*/
uint32_t br_ecdsa_i31_vrfy_asn1(const br_ec_impl *impl,
const void *hash, size_t hash_len,
const br_ec_public_key *pk, const void *sig, size_t sig_len);
/**
* \brief ECDSA signature verifier, "i31" implementation, "raw" format.
*
* \see br_ecdsa_vrfy()
*
* \param impl EC implementation to use.
* \param hash signed data (hashed).
* \param hash_len hash value length (in bytes).
* \param pk EC public key.
* \param sig signature.
* \param sig_len signature length (in bytes).
* \return 1 on success, 0 on error.
*/
uint32_t br_ecdsa_i31_vrfy_raw(const br_ec_impl *impl,
const void *hash, size_t hash_len,
const br_ec_public_key *pk, const void *sig, size_t sig_len);
/**
* \brief ECDSA signature generator, "i15" implementation, "asn1" format.
*
* \see br_ecdsa_sign()
*
* \param impl EC implementation to use.
* \param hf hash function used to process the data.
* \param hash_value signed data (hashed).
* \param sk EC private key.
* \param sig destination buffer.
* \return the signature length (in bytes), or 0 on error.
*/
size_t br_ecdsa_i15_sign_asn1(const br_ec_impl *impl,
const br_hash_class *hf, const void *hash_value,
const br_ec_private_key *sk, void *sig);
/**
* \brief ECDSA signature generator, "i15" implementation, "raw" format.
*
* \see br_ecdsa_sign()
*
* \param impl EC implementation to use.
* \param hf hash function used to process the data.
* \param hash_value signed data (hashed).
* \param sk EC private key.
* \param sig destination buffer.
* \return the signature length (in bytes), or 0 on error.
*/
size_t br_ecdsa_i15_sign_raw(const br_ec_impl *impl,
const br_hash_class *hf, const void *hash_value,
const br_ec_private_key *sk, void *sig);
/**
* \brief ECDSA signature verifier, "i15" implementation, "asn1" format.
*
* \see br_ecdsa_vrfy()
*
* \param impl EC implementation to use.
* \param hash signed data (hashed).
* \param hash_len hash value length (in bytes).
* \param pk EC public key.
* \param sig signature.
* \param sig_len signature length (in bytes).
* \return 1 on success, 0 on error.
*/
uint32_t br_ecdsa_i15_vrfy_asn1(const br_ec_impl *impl,
const void *hash, size_t hash_len,
const br_ec_public_key *pk, const void *sig, size_t sig_len);
/**
* \brief ECDSA signature verifier, "i15" implementation, "raw" format.
*
* \see br_ecdsa_vrfy()
*
* \param impl EC implementation to use.
* \param hash signed data (hashed).
* \param hash_len hash value length (in bytes).
* \param pk EC public key.
* \param sig signature.
* \param sig_len signature length (in bytes).
* \return 1 on success, 0 on error.
*/
uint32_t br_ecdsa_i15_vrfy_raw(const br_ec_impl *impl,
const void *hash, size_t hash_len,
const br_ec_public_key *pk, const void *sig, size_t sig_len);
/**
* \brief Get "default" ECDSA implementation (signer, asn1 format).
*
* This returns the preferred implementation of ECDSA signature generation
* ("asn1" output format) on the current system.
*
* \return the default implementation.
*/
br_ecdsa_sign br_ecdsa_sign_asn1_get_default(void);
/**
* \brief Get "default" ECDSA implementation (signer, raw format).
*
* This returns the preferred implementation of ECDSA signature generation
* ("raw" output format) on the current system.
*
* \return the default implementation.
*/
br_ecdsa_sign br_ecdsa_sign_raw_get_default(void);
/**
* \brief Get "default" ECDSA implementation (verifier, asn1 format).
*
* This returns the preferred implementation of ECDSA signature verification
* ("asn1" output format) on the current system.
*
* \return the default implementation.
*/
br_ecdsa_vrfy br_ecdsa_vrfy_asn1_get_default(void);
/**
* \brief Get "default" ECDSA implementation (verifier, raw format).
*
* This returns the preferred implementation of ECDSA signature verification
* ("raw" output format) on the current system.
*
* \return the default implementation.
*/
br_ecdsa_vrfy br_ecdsa_vrfy_raw_get_default(void);
/**
* \brief Maximum size for EC private key element buffer.
*
* This is the largest number of bytes that `br_ec_keygen()` may need or
* ever return.
*/
#define BR_EC_KBUF_PRIV_MAX_SIZE 72
/**
* \brief Maximum size for EC public key element buffer.
*
* This is the largest number of bytes that `br_ec_compute_public()` may
* need or ever return.
*/
#define BR_EC_KBUF_PUB_MAX_SIZE 145
/**
* \brief Generate a new EC private key.
*
* If the specified `curve` is not supported by the elliptic curve
* implementation (`impl`), then this function returns zero.
*
* The `sk` structure fields are set to the new private key data. In
* particular, `sk.x` is made to point to the provided key buffer (`kbuf`),
* in which the actual private key data is written. That buffer is assumed
* to be large enough. The `BR_EC_KBUF_PRIV_MAX_SIZE` defines the maximum
* size for all supported curves.
*
* The number of bytes used in `kbuf` is returned. If `kbuf` is `NULL`, then
* the private key is not actually generated, and `sk` may also be `NULL`;
* the minimum length for `kbuf` is still computed and returned.
*
* If `sk` is `NULL` but `kbuf` is not `NULL`, then the private key is
* still generated and stored in `kbuf`.
*
* \param rng_ctx source PRNG context (already initialized).
* \param impl the elliptic curve implementation.
* \param sk the private key structure to fill, or `NULL`.
* \param kbuf the key element buffer, or `NULL`.
* \param curve the curve identifier.
* \return the key data length (in bytes), or zero.
*/
size_t br_ec_keygen(const br_prng_class **rng_ctx,
const br_ec_impl *impl, br_ec_private_key *sk,
void *kbuf, int curve);
/**
* \brief Compute EC public key from EC private key.
*
* This function uses the provided elliptic curve implementation (`impl`)
* to compute the public key corresponding to the private key held in `sk`.
* The public key point is written into `kbuf`, which is then linked from
* the `*pk` structure. The size of the public key point, i.e. the number
* of bytes used in `kbuf`, is returned.
*
* If `kbuf` is `NULL`, then the public key point is NOT computed, and
* the public key structure `*pk` is unmodified (`pk` may be `NULL` in
* that case). The size of the public key point is still returned.
*
* If `pk` is `NULL` but `kbuf` is not `NULL`, then the public key
* point is computed and stored in `kbuf`, and its size is returned.
*
* If the curve used by the private key is not supported by the curve
* implementation, then this function returns zero.
*
* The private key MUST be valid. An off-range private key value is not
* necessarily detected, and leads to unpredictable results.
*
* \param impl the elliptic curve implementation.
* \param pk the public key structure to fill (or `NULL`).
* \param kbuf the public key point buffer (or `NULL`).
* \param sk the source private key.
* \return the public key point length (in bytes), or zero.
*/
size_t br_ec_compute_pub(const br_ec_impl *impl, br_ec_public_key *pk,
void *kbuf, const br_ec_private_key *sk);
#ifdef __cplusplus
}
#endif
#endif
diff --git a/contrib/bearssl/inc/bearssl_hash.h b/contrib/bearssl/inc/bearssl_hash.h
index 3b15ba7ca487..ca4fa26cc4aa 100644
--- a/contrib/bearssl/inc/bearssl_hash.h
+++ b/contrib/bearssl/inc/bearssl_hash.h
@@ -1,1346 +1,1346 @@
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef BR_BEARSSL_HASH_H__
#define BR_BEARSSL_HASH_H__
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef __cplusplus
extern "C" {
#endif
/** \file bearssl_hash.h
*
* # Hash Functions
*
* This file documents the API for hash functions.
*
*
* ## Procedural API
*
* For each implemented hash function, of name "`xxx`", the following
* elements are defined:
*
* - `br_xxx_vtable`
*
* An externally defined instance of `br_hash_class`.
*
* - `br_xxx_SIZE`
*
* A macro that evaluates to the output size (in bytes) of the
* hash function.
*
* - `br_xxx_ID`
*
* A macro that evaluates to a symbolic identifier for the hash
* function. Such identifiers are used with HMAC and signature
* algorithm implementations.
*
* NOTE: for the "standard" hash functions defined in [the TLS
* standard](https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1),
* the symbolic identifiers match the constants used in TLS, i.e.
* 1 to 6 for MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512,
* respectively.
*
* - `br_xxx_context`
*
* Context for an ongoing computation. It is allocated by the
* caller, and a pointer to it is passed to all functions. A
* context contains no interior pointer, so it can be moved around
* and cloned (with a simple `memcpy()` or equivalent) in order to
* capture the function state at some point. Computations that use
* distinct context structures are independent of each other. The
* first field of `br_xxx_context` is always a pointer to the
* `br_xxx_vtable` structure; `br_xxx_init()` sets that pointer.
*
* - `br_xxx_init(br_xxx_context *ctx)`
*
* Initialise the provided context. Previous contents of the structure
* are ignored. This calls resets the context to the start of a new
* hash computation; it also sets the first field of the context
* structure (called `vtable`) to a pointer to the statically
* allocated constant `br_xxx_vtable` structure.
*
* - `br_xxx_update(br_xxx_context *ctx, const void *data, size_t len)`
*
* Add some more bytes to the hash computation represented by the
* provided context.
*
* - `br_xxx_out(const br_xxx_context *ctx, void *out)`
*
* Complete the hash computation and write the result in the provided
* buffer. The output buffer MUST be large enough to accommodate the
* result. The context is NOT modified by this operation, so this
* function can be used to get a "partial hash" while still keeping
* the possibility of adding more bytes to the input.
*
* - `br_xxx_state(const br_xxx_context *ctx, void *out)`
*
* Get a copy of the "current state" for the computation so far. For
* MD functions (MD5, SHA-1, SHA-2 family), this is the running state
* resulting from the processing of the last complete input block.
* Returned value is the current input length (in bytes).
*
* - `br_xxx_set_state(br_xxx_context *ctx, const void *stb, uint64_t count)`
*
* Set the internal state to the provided values. The 'stb' and
* 'count' values shall match that which was obtained from
* `br_xxx_state()`. This restores the hash state only if the state
* values were at an appropriate block boundary. This does NOT set
* the `vtable` pointer in the context.
*
* Context structures can be discarded without any explicit deallocation.
* Hash function implementations are purely software and don't reserve
* any resources outside of the context structure itself.
*
*
* ## Object-Oriented API
*
* For each hash function that follows the procedural API described
* above, an object-oriented API is also provided. In that API, function
* pointers from the vtable (`br_xxx_vtable`) are used. The vtable
* incarnates object-oriented programming. An introduction on the OOP
* concept used here can be read on the BearSSL Web site:<br />
* [https://www.bearssl.org/oop.html](https://www.bearssl.org/oop.html)
*
* The vtable offers functions called `init()`, `update()`, `out()`,
* `set()` and `set_state()`, which are in fact the functions from
* the procedural API. That vtable also contains two informative fields:
*
* - `context_size`
*
* The size of the context structure (`br_xxx_context`), in bytes.
* This can be used by generic implementations to perform dynamic
* context allocation.
*
* - `desc`
*
* A "descriptor" field that encodes some information on the hash
* function: symbolic identifier, output size, state size,
* internal block size, details on the padding.
*
* Users of this object-oriented API (in particular generic HMAC
* implementations) may make the following assumptions:
*
* - Hash output size is no more than 64 bytes.
* - Hash internal state size is no more than 64 bytes.
* - Internal block size is a power of two, no less than 16 and no more
* than 256.
*
*
* ## Implemented Hash Functions
*
* Implemented hash functions are:
*
* | Function | Name | Output length | State length |
* | :-------- | :------ | :-----------: | :----------: |
* | MD5 | md5 | 16 | 16 |
* | SHA-1 | sha1 | 20 | 20 |
* | SHA-224 | sha224 | 28 | 32 |
* | SHA-256 | sha256 | 32 | 32 |
* | SHA-384 | sha384 | 48 | 64 |
* | SHA-512 | sha512 | 64 | 64 |
* | MD5+SHA-1 | md5sha1 | 36 | 36 |
*
* (MD5+SHA-1 is the concatenation of MD5 and SHA-1 computed over the
* same input; in the implementation, the internal data buffer is
* shared, thus making it more memory-efficient than separate MD5 and
* SHA-1. It can be useful in implementing SSL 3.0, TLS 1.0 and TLS
* 1.1.)
*
*
* ## Multi-Hasher
*
* An aggregate hasher is provided, that can compute several standard
* hash functions in parallel. It uses `br_multihash_context` and a
* procedural API. It is configured with the implementations (the vtables)
* that it should use; it will then compute all these hash functions in
* parallel, on the same input. It is meant to be used in cases when the
* hash of an object will be used, but the exact hash function is not
* known yet (typically, streamed processing on X.509 certificates).
*
* Only the standard hash functions (MD5, SHA-1, SHA-224, SHA-256, SHA-384
* and SHA-512) are supported by the multi-hasher.
*
*
* ## GHASH
*
* GHASH is not a generic hash function; it is a _universal_ hash function,
* which, as the name does not say, means that it CANNOT be used in most
* places where a hash function is needed. GHASH is used within the GCM
* encryption mode, to provide the checked integrity functionality.
*
* A GHASH implementation is basically a function that uses the type defined
* in this file under the name `br_ghash`:
*
* typedef void (*br_ghash)(void *y, const void *h, const void *data, size_t len);
*
* The `y` pointer refers to a 16-byte value which is used as input, and
* receives the output of the GHASH invocation. `h` is a 16-byte secret
* value (that serves as key). `data` and `len` define the input data.
*
* Three GHASH implementations are provided, all constant-time, based on
* the use of integer multiplications with appropriate masking to cancel
* carry propagation.
*/
/**
* \brief Class type for hash function implementations.
*
* A `br_hash_class` instance references the methods implementing a hash
* function. Constant instances of this structure are defined for each
* implemented hash function. Such instances are also called "vtables".
*
* Vtables are used to support object-oriented programming, as
* described on [the BearSSL Web site](https://www.bearssl.org/oop.html).
*/
typedef struct br_hash_class_ br_hash_class;
struct br_hash_class_ {
/**
* \brief Size (in bytes) of the context structure appropriate for
* computing this hash function.
*/
size_t context_size;
/**
* \brief Descriptor word that contains information about the hash
* function.
*
* For each word `xxx` described below, use `BR_HASHDESC_xxx_OFF`
* and `BR_HASHDESC_xxx_MASK` to access the specific value, as
* follows:
*
* (hf->desc >> BR_HASHDESC_xxx_OFF) & BR_HASHDESC_xxx_MASK
*
* The defined elements are:
*
* - `ID`: the symbolic identifier for the function, as defined
* in [TLS](https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1)
* (MD5 = 1, SHA-1 = 2,...).
*
* - `OUT`: hash output size, in bytes.
*
* - `STATE`: internal running state size, in bytes.
*
* - `LBLEN`: base-2 logarithm for the internal block size, as
* defined for HMAC processing (this is 6 for MD5, SHA-1, SHA-224
* and SHA-256, since these functions use 64-byte blocks; for
* SHA-384 and SHA-512, this is 7, corresponding to their
* 128-byte blocks).
*
* The descriptor may contain a few other flags.
*/
uint32_t desc;
/**
* \brief Initialisation method.
*
* This method takes as parameter a pointer to a context area,
* that it initialises. The first field of the context is set
* to this vtable; other elements are initialised for a new hash
* computation.
*
* \param ctx pointer to (the first field of) the context.
*/
void (*init)(const br_hash_class **ctx);
/**
* \brief Data injection method.
*
* The `len` bytes starting at address `data` are injected into
* the running hash computation incarnated by the specified
* context. The context is updated accordingly. It is allowed
* to have `len == 0`, in which case `data` is ignored (and could
* be `NULL`), and nothing happens.
* on the input data.
*
* \param ctx pointer to (the first field of) the context.
* \param data pointer to the first data byte to inject.
* \param len number of bytes to inject.
*/
void (*update)(const br_hash_class **ctx, const void *data, size_t len);
/**
* \brief Produce hash output.
*
* The hash output corresponding to all data bytes injected in the
* context since the last `init()` call is computed, and written
* in the buffer pointed to by `dst`. The hash output size depends
* on the implemented hash function (e.g. 16 bytes for MD5).
* The context is _not_ modified by this call, so further bytes
* may be afterwards injected to continue the current computation.
*
* \param ctx pointer to (the first field of) the context.
* \param dst destination buffer for the hash output.
*/
void (*out)(const br_hash_class *const *ctx, void *dst);
/**
* \brief Get running state.
*
* This method saves the current running state into the `dst`
* buffer. What constitutes the "running state" depends on the
* hash function; for Merkle-Damgård hash functions (like
* MD5 or SHA-1), this is the output obtained after processing
* each block. The number of bytes injected so far is returned.
* The context is not modified by this call.
*
* \param ctx pointer to (the first field of) the context.
* \param dst destination buffer for the state.
* \return the injected total byte length.
*/
uint64_t (*state)(const br_hash_class *const *ctx, void *dst);
/**
* \brief Set running state.
*
* This methods replaces the running state for the function.
*
* \param ctx pointer to (the first field of) the context.
* \param stb source buffer for the state.
* \param count injected total byte length.
*/
void (*set_state)(const br_hash_class **ctx,
const void *stb, uint64_t count);
};
#ifndef BR_DOXYGEN_IGNORE
#define BR_HASHDESC_ID(id) ((uint32_t)(id) << BR_HASHDESC_ID_OFF)
#define BR_HASHDESC_ID_OFF 0
#define BR_HASHDESC_ID_MASK 0xFF
#define BR_HASHDESC_OUT(size) ((uint32_t)(size) << BR_HASHDESC_OUT_OFF)
#define BR_HASHDESC_OUT_OFF 8
#define BR_HASHDESC_OUT_MASK 0x7F
#define BR_HASHDESC_STATE(size) ((uint32_t)(size) << BR_HASHDESC_STATE_OFF)
#define BR_HASHDESC_STATE_OFF 15
#define BR_HASHDESC_STATE_MASK 0xFF
#define BR_HASHDESC_LBLEN(ls) ((uint32_t)(ls) << BR_HASHDESC_LBLEN_OFF)
#define BR_HASHDESC_LBLEN_OFF 23
#define BR_HASHDESC_LBLEN_MASK 0x0F
#define BR_HASHDESC_MD_PADDING ((uint32_t)1 << 28)
#define BR_HASHDESC_MD_PADDING_128 ((uint32_t)1 << 29)
#define BR_HASHDESC_MD_PADDING_BE ((uint32_t)1 << 30)
#endif
/*
* Specific hash functions.
*
* Rules for contexts:
* -- No interior pointer.
* -- No pointer to external dynamically allocated resources.
* -- First field is called 'vtable' and is a pointer to a
* const-qualified br_hash_class instance (pointer is set by init()).
* -- SHA-224 and SHA-256 contexts are identical.
* -- SHA-384 and SHA-512 contexts are identical.
*
* Thus, contexts can be moved and cloned to capture the hash function
* current state; and there is no need for any explicit "release" function.
*/
/**
* \brief Symbolic identifier for MD5.
*/
#define br_md5_ID 1
/**
* \brief MD5 output size (in bytes).
*/
#define br_md5_SIZE 16
/**
* \brief Constant vtable for MD5.
*/
extern const br_hash_class br_md5_vtable;
/**
* \brief MD5 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
unsigned char buf[64];
uint64_t count;
uint32_t val[4];
#endif
} br_md5_context;
/**
* \brief MD5 context initialisation.
*
* This function initialises or resets a context for a new MD5
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_md5_init(br_md5_context *ctx);
/**
* \brief Inject some data bytes in a running MD5 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_md5_update(br_md5_context *ctx, const void *data, size_t len);
/**
* \brief Compute MD5 output.
*
* The MD5 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_md5_out(const br_md5_context *ctx, void *out);
/**
* \brief Save MD5 running state.
*
* The running state for MD5 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_md5_state(const br_md5_context *ctx, void *out);
/**
* \brief Restore MD5 running state.
*
* The running state for MD5 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_md5_set_state(br_md5_context *ctx, const void *stb, uint64_t count);
/**
* \brief Symbolic identifier for SHA-1.
*/
#define br_sha1_ID 2
/**
* \brief SHA-1 output size (in bytes).
*/
#define br_sha1_SIZE 20
/**
* \brief Constant vtable for SHA-1.
*/
extern const br_hash_class br_sha1_vtable;
/**
* \brief SHA-1 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
unsigned char buf[64];
uint64_t count;
uint32_t val[5];
#endif
} br_sha1_context;
/**
* \brief SHA-1 context initialisation.
*
* This function initialises or resets a context for a new SHA-1
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_sha1_init(br_sha1_context *ctx);
/**
* \brief Inject some data bytes in a running SHA-1 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_sha1_update(br_sha1_context *ctx, const void *data, size_t len);
/**
* \brief Compute SHA-1 output.
*
* The SHA-1 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_sha1_out(const br_sha1_context *ctx, void *out);
/**
* \brief Save SHA-1 running state.
*
* The running state for SHA-1 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_sha1_state(const br_sha1_context *ctx, void *out);
/**
* \brief Restore SHA-1 running state.
*
* The running state for SHA-1 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_sha1_set_state(br_sha1_context *ctx, const void *stb, uint64_t count);
/**
* \brief Symbolic identifier for SHA-224.
*/
#define br_sha224_ID 3
/**
* \brief SHA-224 output size (in bytes).
*/
#define br_sha224_SIZE 28
/**
* \brief Constant vtable for SHA-224.
*/
extern const br_hash_class br_sha224_vtable;
/**
* \brief SHA-224 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
unsigned char buf[64];
uint64_t count;
uint32_t val[8];
#endif
} br_sha224_context;
/**
* \brief SHA-224 context initialisation.
*
* This function initialises or resets a context for a new SHA-224
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_sha224_init(br_sha224_context *ctx);
/**
* \brief Inject some data bytes in a running SHA-224 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_sha224_update(br_sha224_context *ctx, const void *data, size_t len);
/**
* \brief Compute SHA-224 output.
*
* The SHA-224 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_sha224_out(const br_sha224_context *ctx, void *out);
/**
* \brief Save SHA-224 running state.
*
* The running state for SHA-224 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_sha224_state(const br_sha224_context *ctx, void *out);
/**
* \brief Restore SHA-224 running state.
*
* The running state for SHA-224 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_sha224_set_state(br_sha224_context *ctx,
const void *stb, uint64_t count);
/**
* \brief Symbolic identifier for SHA-256.
*/
#define br_sha256_ID 4
/**
* \brief SHA-256 output size (in bytes).
*/
#define br_sha256_SIZE 32
/**
* \brief Constant vtable for SHA-256.
*/
extern const br_hash_class br_sha256_vtable;
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief SHA-256 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
} br_sha256_context;
#else
typedef br_sha224_context br_sha256_context;
#endif
/**
* \brief SHA-256 context initialisation.
*
* This function initialises or resets a context for a new SHA-256
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_sha256_init(br_sha256_context *ctx);
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief Inject some data bytes in a running SHA-256 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_sha256_update(br_sha256_context *ctx, const void *data, size_t len);
#else
#define br_sha256_update br_sha224_update
#endif
/**
* \brief Compute SHA-256 output.
*
* The SHA-256 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_sha256_out(const br_sha256_context *ctx, void *out);
-#if BR_DOXYGEN_IGNORE
+#ifdef BR_DOXYGEN_IGNORE
/**
* \brief Save SHA-256 running state.
*
* The running state for SHA-256 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_sha256_state(const br_sha256_context *ctx, void *out);
#else
#define br_sha256_state br_sha224_state
#endif
-#if BR_DOXYGEN_IGNORE
+#ifdef BR_DOXYGEN_IGNORE
/**
* \brief Restore SHA-256 running state.
*
* The running state for SHA-256 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_sha256_set_state(br_sha256_context *ctx,
const void *stb, uint64_t count);
#else
#define br_sha256_set_state br_sha224_set_state
#endif
/**
* \brief Symbolic identifier for SHA-384.
*/
#define br_sha384_ID 5
/**
* \brief SHA-384 output size (in bytes).
*/
#define br_sha384_SIZE 48
/**
* \brief Constant vtable for SHA-384.
*/
extern const br_hash_class br_sha384_vtable;
/**
* \brief SHA-384 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
unsigned char buf[128];
uint64_t count;
uint64_t val[8];
#endif
} br_sha384_context;
/**
* \brief SHA-384 context initialisation.
*
* This function initialises or resets a context for a new SHA-384
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_sha384_init(br_sha384_context *ctx);
/**
* \brief Inject some data bytes in a running SHA-384 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_sha384_update(br_sha384_context *ctx, const void *data, size_t len);
/**
* \brief Compute SHA-384 output.
*
* The SHA-384 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_sha384_out(const br_sha384_context *ctx, void *out);
/**
* \brief Save SHA-384 running state.
*
* The running state for SHA-384 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_sha384_state(const br_sha384_context *ctx, void *out);
/**
* \brief Restore SHA-384 running state.
*
* The running state for SHA-384 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_sha384_set_state(br_sha384_context *ctx,
const void *stb, uint64_t count);
/**
* \brief Symbolic identifier for SHA-512.
*/
#define br_sha512_ID 6
/**
* \brief SHA-512 output size (in bytes).
*/
#define br_sha512_SIZE 64
/**
* \brief Constant vtable for SHA-512.
*/
extern const br_hash_class br_sha512_vtable;
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief SHA-512 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
} br_sha512_context;
#else
typedef br_sha384_context br_sha512_context;
#endif
/**
* \brief SHA-512 context initialisation.
*
* This function initialises or resets a context for a new SHA-512
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_sha512_init(br_sha512_context *ctx);
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief Inject some data bytes in a running SHA-512 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_sha512_update(br_sha512_context *ctx, const void *data, size_t len);
#else
#define br_sha512_update br_sha384_update
#endif
/**
* \brief Compute SHA-512 output.
*
* The SHA-512 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_sha512_out(const br_sha512_context *ctx, void *out);
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief Save SHA-512 running state.
*
* The running state for SHA-512 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_sha512_state(const br_sha512_context *ctx, void *out);
#else
#define br_sha512_state br_sha384_state
#endif
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief Restore SHA-512 running state.
*
* The running state for SHA-512 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_sha512_set_state(br_sha512_context *ctx,
const void *stb, uint64_t count);
#else
#define br_sha512_set_state br_sha384_set_state
#endif
/*
* "md5sha1" is a special hash function that computes both MD5 and SHA-1
* on the same input, and produces a 36-byte output (MD5 and SHA-1
* concatenation, in that order). State size is also 36 bytes.
*/
/**
* \brief Symbolic identifier for MD5+SHA-1.
*
* MD5+SHA-1 is the concatenation of MD5 and SHA-1, computed over the
* same input. It is not one of the functions identified in TLS, so
* we give it a symbolic identifier of value 0.
*/
#define br_md5sha1_ID 0
/**
* \brief MD5+SHA-1 output size (in bytes).
*/
#define br_md5sha1_SIZE 36
/**
* \brief Constant vtable for MD5+SHA-1.
*/
extern const br_hash_class br_md5sha1_vtable;
/**
* \brief MD5+SHA-1 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
unsigned char buf[64];
uint64_t count;
uint32_t val_md5[4];
uint32_t val_sha1[5];
#endif
} br_md5sha1_context;
/**
* \brief MD5+SHA-1 context initialisation.
*
* This function initialises or resets a context for a new SHA-512
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_md5sha1_init(br_md5sha1_context *ctx);
/**
* \brief Inject some data bytes in a running MD5+SHA-1 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_md5sha1_update(br_md5sha1_context *ctx, const void *data, size_t len);
/**
* \brief Compute MD5+SHA-1 output.
*
* The MD5+SHA-1 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_md5sha1_out(const br_md5sha1_context *ctx, void *out);
/**
* \brief Save MD5+SHA-1 running state.
*
* The running state for MD5+SHA-1 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_md5sha1_state(const br_md5sha1_context *ctx, void *out);
/**
* \brief Restore MD5+SHA-1 running state.
*
* The running state for MD5+SHA-1 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_md5sha1_set_state(br_md5sha1_context *ctx,
const void *stb, uint64_t count);
/**
* \brief Aggregate context for configurable hash function support.
*
* The `br_hash_compat_context` type is a type which is large enough to
* serve as context for all standard hash functions defined above.
*/
typedef union {
const br_hash_class *vtable;
br_md5_context md5;
br_sha1_context sha1;
br_sha224_context sha224;
br_sha256_context sha256;
br_sha384_context sha384;
br_sha512_context sha512;
br_md5sha1_context md5sha1;
} br_hash_compat_context;
/*
* The multi-hasher is a construct that handles hashing of the same input
* data with several hash functions, with a single shared input buffer.
* It can handle MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512
* simultaneously, though which functions are activated depends on
* the set implementation pointers.
*/
/**
* \brief Multi-hasher context structure.
*
* The multi-hasher runs up to six hash functions in the standard TLS list
* (MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512) in parallel, over
* the same input.
*
* The multi-hasher does _not_ follow the OOP structure with a vtable.
* Instead, it is configured with the vtables of the hash functions it
* should run. Structure fields are not supposed to be accessed directly.
*/
typedef struct {
#ifndef BR_DOXYGEN_IGNORE
unsigned char buf[128];
uint64_t count;
uint32_t val_32[25];
uint64_t val_64[16];
const br_hash_class *impl[6];
#endif
} br_multihash_context;
/**
* \brief Clear a multi-hasher context.
*
* This should always be called once on a given context, _before_ setting
* the implementation pointers.
*
* \param ctx the multi-hasher context.
*/
void br_multihash_zero(br_multihash_context *ctx);
/**
* \brief Set a hash function implementation.
*
* Implementations shall be set _after_ clearing the context (with
* `br_multihash_zero()`) but _before_ initialising the computation
* (with `br_multihash_init()`). The hash function implementation
* MUST be one of the standard hash functions (MD5, SHA-1, SHA-224,
* SHA-256, SHA-384 or SHA-512); it may also be `NULL` to remove
* an implementation from the multi-hasher.
*
* \param ctx the multi-hasher context.
* \param id the hash function symbolic identifier.
* \param impl the hash function vtable, or `NULL`.
*/
static inline void
br_multihash_setimpl(br_multihash_context *ctx,
int id, const br_hash_class *impl)
{
/*
* This code relies on hash functions ID being values 1 to 6,
* in the MD5 to SHA-512 order.
*/
ctx->impl[id - 1] = impl;
}
/**
* \brief Get a hash function implementation.
*
* This function returns the currently configured vtable for a given
* hash function (by symbolic ID). If no such function was configured in
* the provided multi-hasher context, then this function returns `NULL`.
*
* \param ctx the multi-hasher context.
* \param id the hash function symbolic identifier.
* \return the hash function vtable, or `NULL`.
*/
static inline const br_hash_class *
br_multihash_getimpl(const br_multihash_context *ctx, int id)
{
return ctx->impl[id - 1];
}
/**
* \brief Reset a multi-hasher context.
*
* This function prepares the context for a new hashing computation,
* for all implementations configured at that point.
*
* \param ctx the multi-hasher context.
*/
void br_multihash_init(br_multihash_context *ctx);
/**
* \brief Inject some data bytes in a running multi-hashing computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_multihash_update(br_multihash_context *ctx,
const void *data, size_t len);
/**
* \brief Compute a hash output from a multi-hasher.
*
* The hash output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `dst`. The hash
* function to use is identified by `id` and must be one of the standard
* hash functions. If that hash function was indeed configured in the
* multi-hasher context, the corresponding hash value is written in
* `dst` and its length (in bytes) is returned. If the hash function
* was _not_ configured, then nothing is written in `dst` and 0 is
* returned.
*
* The context itself is not modified, so extra bytes may be injected
* afterwards to continue the hash computations.
*
* \param ctx pointer to the context structure.
* \param id the hash function symbolic identifier.
* \param dst destination buffer for the hash output.
* \return the hash output length (in bytes), or 0.
*/
size_t br_multihash_out(const br_multihash_context *ctx, int id, void *dst);
/**
* \brief Type for a GHASH implementation.
*
* GHASH is a sort of keyed hash meant to be used to implement GCM in
* combination with a block cipher (with 16-byte blocks).
*
* The `y` array has length 16 bytes and is used for input and output; in
* a complete GHASH run, it starts with an all-zero value. `h` is a 16-byte
* value that serves as key (it is derived from the encryption key in GCM,
* using the block cipher). The data length (`len`) is expressed in bytes.
* The `y` array is updated.
*
* If the data length is not a multiple of 16, then the data is implicitly
* padded with zeros up to the next multiple of 16. Thus, when using GHASH
* in GCM, this method may be called twice, for the associated data and
* for the ciphertext, respectively; the zero-padding implements exactly
* the GCM rules.
*
* \param y the array to update.
* \param h the GHASH key.
* \param data the input data (may be `NULL` if `len` is zero).
* \param len the input data length (in bytes).
*/
typedef void (*br_ghash)(void *y, const void *h, const void *data, size_t len);
/**
* \brief GHASH implementation using multiplications (mixed 32-bit).
*
* This implementation uses multiplications of 32-bit values, with a
* 64-bit result. It is constant-time (if multiplications are
* constant-time).
*
* \param y the array to update.
* \param h the GHASH key.
* \param data the input data (may be `NULL` if `len` is zero).
* \param len the input data length (in bytes).
*/
void br_ghash_ctmul(void *y, const void *h, const void *data, size_t len);
/**
* \brief GHASH implementation using multiplications (strict 32-bit).
*
* This implementation uses multiplications of 32-bit values, with a
* 32-bit result. It is usually somewhat slower than `br_ghash_ctmul()`,
* but it is expected to be faster on architectures for which the
* 32-bit multiplication opcode does not yield the upper 32 bits of the
* product. It is constant-time (if multiplications are constant-time).
*
* \param y the array to update.
* \param h the GHASH key.
* \param data the input data (may be `NULL` if `len` is zero).
* \param len the input data length (in bytes).
*/
void br_ghash_ctmul32(void *y, const void *h, const void *data, size_t len);
/**
* \brief GHASH implementation using multiplications (64-bit).
*
* This implementation uses multiplications of 64-bit values, with a
* 64-bit result. It is constant-time (if multiplications are
* constant-time). It is substantially faster than `br_ghash_ctmul()`
* and `br_ghash_ctmul32()` on most 64-bit architectures.
*
* \param y the array to update.
* \param h the GHASH key.
* \param data the input data (may be `NULL` if `len` is zero).
* \param len the input data length (in bytes).
*/
void br_ghash_ctmul64(void *y, const void *h, const void *data, size_t len);
/**
* \brief GHASH implementation using the `pclmulqdq` opcode (part of the
* AES-NI instructions).
*
* This implementation is available only on x86 platforms where the
* compiler supports the relevant intrinsic functions. Even if the
* compiler supports these functions, the local CPU might not support
* the `pclmulqdq` opcode, meaning that a call will fail with an
* illegal instruction exception. To safely obtain a pointer to this
* function when supported (or 0 otherwise), use `br_ghash_pclmul_get()`.
*
* \param y the array to update.
* \param h the GHASH key.
* \param data the input data (may be `NULL` if `len` is zero).
* \param len the input data length (in bytes).
*/
void br_ghash_pclmul(void *y, const void *h, const void *data, size_t len);
/**
* \brief Obtain the `pclmul` GHASH implementation, if available.
*
* If the `pclmul` implementation was compiled in the library (depending
* on the compiler abilities) _and_ the local CPU appears to support the
* opcode, then this function will return a pointer to the
* `br_ghash_pclmul()` function. Otherwise, it will return `0`.
*
* \return the `pclmul` GHASH implementation, or `0`.
*/
br_ghash br_ghash_pclmul_get(void);
/**
* \brief GHASH implementation using the POWER8 opcodes.
*
* This implementation is available only on POWER8 platforms (and later).
* To safely obtain a pointer to this function when supported (or 0
* otherwise), use `br_ghash_pwr8_get()`.
*
* \param y the array to update.
* \param h the GHASH key.
* \param data the input data (may be `NULL` if `len` is zero).
* \param len the input data length (in bytes).
*/
void br_ghash_pwr8(void *y, const void *h, const void *data, size_t len);
/**
* \brief Obtain the `pwr8` GHASH implementation, if available.
*
* If the `pwr8` implementation was compiled in the library (depending
* on the compiler abilities) _and_ the local CPU appears to support the
* opcode, then this function will return a pointer to the
* `br_ghash_pwr8()` function. Otherwise, it will return `0`.
*
* \return the `pwr8` GHASH implementation, or `0`.
*/
br_ghash br_ghash_pwr8_get(void);
#ifdef __cplusplus
}
#endif
#endif
diff --git a/contrib/bearssl/inc/bearssl_ssl.h b/contrib/bearssl/inc/bearssl_ssl.h
index 8c8c86bdb50a..e91df4755690 100644
--- a/contrib/bearssl/inc/bearssl_ssl.h
+++ b/contrib/bearssl/inc/bearssl_ssl.h
@@ -1,4296 +1,4296 @@
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef BR_BEARSSL_SSL_H__
#define BR_BEARSSL_SSL_H__
#include <stddef.h>
#include <stdint.h>
#include "bearssl_block.h"
#include "bearssl_hash.h"
#include "bearssl_hmac.h"
#include "bearssl_prf.h"
#include "bearssl_rand.h"
#include "bearssl_x509.h"
#ifdef __cplusplus
extern "C" {
#endif
/** \file bearssl_ssl.h
*
* # SSL
*
* For an overview of the SSL/TLS API, see [the BearSSL Web
* site](https://www.bearssl.org/api1.html).
*
* The `BR_TLS_*` constants correspond to the standard cipher suites and
* their values in the [IANA
* registry](http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4).
*
* The `BR_ALERT_*` constants are for standard TLS alert messages. When
* a fatal alert message is sent of received, then the SSL engine context
* status is set to the sum of that alert value (an integer in the 0..255
* range) and a fixed offset (`BR_ERR_SEND_FATAL_ALERT` for a sent alert,
* `BR_ERR_RECV_FATAL_ALERT` for a received alert).
*/
/** \brief Optimal input buffer size. */
#define BR_SSL_BUFSIZE_INPUT (16384 + 325)
/** \brief Optimal output buffer size. */
#define BR_SSL_BUFSIZE_OUTPUT (16384 + 85)
/** \brief Optimal buffer size for monodirectional engine
(shared input/output buffer). */
#define BR_SSL_BUFSIZE_MONO BR_SSL_BUFSIZE_INPUT
/** \brief Optimal buffer size for bidirectional engine
(single buffer split into two separate input/output buffers). */
#define BR_SSL_BUFSIZE_BIDI (BR_SSL_BUFSIZE_INPUT + BR_SSL_BUFSIZE_OUTPUT)
/*
* Constants for known SSL/TLS protocol versions (SSL 3.0, TLS 1.0, TLS 1.1
* and TLS 1.2). Note that though there is a constant for SSL 3.0, that
* protocol version is not actually supported.
*/
/** \brief Protocol version: SSL 3.0 (unsupported). */
#define BR_SSL30 0x0300
/** \brief Protocol version: TLS 1.0. */
#define BR_TLS10 0x0301
/** \brief Protocol version: TLS 1.1. */
#define BR_TLS11 0x0302
/** \brief Protocol version: TLS 1.2. */
#define BR_TLS12 0x0303
/*
* Error constants. They are used to report the reason why a context has
* been marked as failed.
*
* Implementation note: SSL-level error codes should be in the 1..31
* range. The 32..63 range is for certificate decoding and validation
* errors. Received fatal alerts imply an error code in the 256..511 range.
*/
/** \brief SSL status: no error so far (0). */
#define BR_ERR_OK 0
/** \brief SSL status: caller-provided parameter is incorrect. */
#define BR_ERR_BAD_PARAM 1
/** \brief SSL status: operation requested by the caller cannot be applied
with the current context state (e.g. reading data while outgoing data
is waiting to be sent). */
#define BR_ERR_BAD_STATE 2
/** \brief SSL status: incoming protocol or record version is unsupported. */
#define BR_ERR_UNSUPPORTED_VERSION 3
/** \brief SSL status: incoming record version does not match the expected
version. */
#define BR_ERR_BAD_VERSION 4
/** \brief SSL status: incoming record length is invalid. */
#define BR_ERR_BAD_LENGTH 5
/** \brief SSL status: incoming record is too large to be processed, or
buffer is too small for the handshake message to send. */
#define BR_ERR_TOO_LARGE 6
/** \brief SSL status: decryption found an invalid padding, or the record
MAC is not correct. */
#define BR_ERR_BAD_MAC 7
/** \brief SSL status: no initial entropy was provided, and none can be
obtained from the OS. */
#define BR_ERR_NO_RANDOM 8
/** \brief SSL status: incoming record type is unknown. */
#define BR_ERR_UNKNOWN_TYPE 9
/** \brief SSL status: incoming record or message has wrong type with
regards to the current engine state. */
#define BR_ERR_UNEXPECTED 10
/** \brief SSL status: ChangeCipherSpec message from the peer has invalid
contents. */
#define BR_ERR_BAD_CCS 12
/** \brief SSL status: alert message from the peer has invalid contents
(odd length). */
#define BR_ERR_BAD_ALERT 13
/** \brief SSL status: incoming handshake message decoding failed. */
#define BR_ERR_BAD_HANDSHAKE 14
/** \brief SSL status: ServerHello contains a session ID which is larger
than 32 bytes. */
#define BR_ERR_OVERSIZED_ID 15
/** \brief SSL status: server wants to use a cipher suite that we did
not claim to support. This is also reported if we tried to advertise
a cipher suite that we do not support. */
#define BR_ERR_BAD_CIPHER_SUITE 16
/** \brief SSL status: server wants to use a compression that we did not
claim to support. */
#define BR_ERR_BAD_COMPRESSION 17
/** \brief SSL status: server's max fragment length does not match
client's. */
#define BR_ERR_BAD_FRAGLEN 18
/** \brief SSL status: secure renegotiation failed. */
#define BR_ERR_BAD_SECRENEG 19
/** \brief SSL status: server sent an extension type that we did not
announce, or used the same extension type several times in a single
ServerHello. */
#define BR_ERR_EXTRA_EXTENSION 20
/** \brief SSL status: invalid Server Name Indication contents (when
used by the server, this extension shall be empty). */
#define BR_ERR_BAD_SNI 21
/** \brief SSL status: invalid ServerHelloDone from the server (length
is not 0). */
#define BR_ERR_BAD_HELLO_DONE 22
/** \brief SSL status: internal limit exceeded (e.g. server's public key
is too large). */
#define BR_ERR_LIMIT_EXCEEDED 23
/** \brief SSL status: Finished message from peer does not match the
expected value. */
#define BR_ERR_BAD_FINISHED 24
/** \brief SSL status: session resumption attempt with distinct version
or cipher suite. */
#define BR_ERR_RESUME_MISMATCH 25
/** \brief SSL status: unsupported or invalid algorithm (ECDHE curve,
signature algorithm, hash function). */
#define BR_ERR_INVALID_ALGORITHM 26
/** \brief SSL status: invalid signature (on ServerKeyExchange from
server, or in CertificateVerify from client). */
#define BR_ERR_BAD_SIGNATURE 27
/** \brief SSL status: peer's public key does not have the proper type
or is not allowed for requested operation. */
#define BR_ERR_WRONG_KEY_USAGE 28
/** \brief SSL status: client did not send a certificate upon request,
or the client certificate could not be validated. */
#define BR_ERR_NO_CLIENT_AUTH 29
/** \brief SSL status: I/O error or premature close on underlying
transport stream. This error code is set only by the simplified
I/O API ("br_sslio_*"). */
#define BR_ERR_IO 31
/** \brief SSL status: base value for a received fatal alert.
When a fatal alert is received from the peer, the alert value
is added to this constant. */
#define BR_ERR_RECV_FATAL_ALERT 256
/** \brief SSL status: base value for a sent fatal alert.
When a fatal alert is sent to the peer, the alert value is added
to this constant. */
#define BR_ERR_SEND_FATAL_ALERT 512
/* ===================================================================== */
/**
* \brief Decryption engine for SSL.
*
* When processing incoming records, the SSL engine will use a decryption
* engine that uses a specific context structure, and has a set of
* methods (a vtable) that follows this template.
*
* The decryption engine is responsible for applying decryption, verifying
* MAC, and keeping track of the record sequence number.
*/
typedef struct br_sslrec_in_class_ br_sslrec_in_class;
struct br_sslrec_in_class_ {
/**
* \brief Context size (in bytes).
*/
size_t context_size;
/**
* \brief Test validity of the incoming record length.
*
* This function returns 1 if the announced length for an
* incoming record is valid, 0 otherwise,
*
* \param ctx decryption engine context.
* \param record_len incoming record length.
* \return 1 of a valid length, 0 otherwise.
*/
int (*check_length)(const br_sslrec_in_class *const *ctx,
size_t record_len);
/**
* \brief Decrypt the incoming record.
*
* This function may assume that the record length is valid
* (it has been previously tested with `check_length()`).
* Decryption is done in place; `*len` is updated with the
* cleartext length, and the address of the first plaintext
* byte is returned. If the record is correct but empty, then
* `*len` is set to 0 and a non-`NULL` pointer is returned.
*
* On decryption/MAC error, `NULL` is returned.
*
* \param ctx decryption engine context.
* \param record_type record type (23 for application data, etc).
* \param version record version.
* \param payload address of encrypted payload.
* \param len pointer to payload length (updated).
* \return pointer to plaintext, or `NULL` on error.
*/
unsigned char *(*decrypt)(const br_sslrec_in_class **ctx,
int record_type, unsigned version,
void *payload, size_t *len);
};
/**
* \brief Encryption engine for SSL.
*
* When building outgoing records, the SSL engine will use an encryption
* engine that uses a specific context structure, and has a set of
* methods (a vtable) that follows this template.
*
* The encryption engine is responsible for applying encryption and MAC,
* and keeping track of the record sequence number.
*/
typedef struct br_sslrec_out_class_ br_sslrec_out_class;
struct br_sslrec_out_class_ {
/**
* \brief Context size (in bytes).
*/
size_t context_size;
/**
* \brief Compute maximum plaintext sizes and offsets.
*
* When this function is called, the `*start` and `*end`
* values contain offsets designating the free area in the
* outgoing buffer for plaintext data; that free area is
* preceded by a 5-byte space which will receive the record
* header.
*
* The `max_plaintext()` function is responsible for adjusting
* both `*start` and `*end` to make room for any record-specific
* header, MAC, padding, and possible split.
*
* \param ctx encryption engine context.
* \param start pointer to start of plaintext offset (updated).
* \param end pointer to start of plaintext offset (updated).
*/
void (*max_plaintext)(const br_sslrec_out_class *const *ctx,
size_t *start, size_t *end);
/**
* \brief Perform record encryption.
*
* This function encrypts the record. The plaintext address and
* length are provided. Returned value is the start of the
* encrypted record (or sequence of records, if a split was
* performed), _including_ the 5-byte header, and `*len` is
* adjusted to the total size of the record(s), there again
* including the header(s).
*
* \param ctx decryption engine context.
* \param record_type record type (23 for application data, etc).
* \param version record version.
* \param plaintext address of plaintext.
* \param len pointer to plaintext length (updated).
* \return pointer to start of built record.
*/
unsigned char *(*encrypt)(const br_sslrec_out_class **ctx,
int record_type, unsigned version,
void *plaintext, size_t *len);
};
/**
* \brief Context for a no-encryption engine.
*
* The no-encryption engine processes outgoing records during the initial
* handshake, before encryption is applied.
*/
typedef struct {
/** \brief No-encryption engine vtable. */
const br_sslrec_out_class *vtable;
} br_sslrec_out_clear_context;
/** \brief Static, constant vtable for the no-encryption engine. */
extern const br_sslrec_out_class br_sslrec_out_clear_vtable;
/* ===================================================================== */
/**
* \brief Record decryption engine class, for CBC mode.
*
* This class type extends the decryption engine class with an
* initialisation method that receives the parameters needed
* for CBC processing: block cipher implementation, block cipher key,
* HMAC parameters (hash function, key, MAC length), and IV. If the
* IV is `NULL`, then a per-record IV will be used (TLS 1.1+).
*/
typedef struct br_sslrec_in_cbc_class_ br_sslrec_in_cbc_class;
struct br_sslrec_in_cbc_class_ {
/**
* \brief Superclass, as first vtable field.
*/
br_sslrec_in_class inner;
/**
* \brief Engine initialisation method.
*
* This method sets the vtable field in the context.
*
* \param ctx context to initialise.
* \param bc_impl block cipher implementation (CBC decryption).
* \param bc_key block cipher key.
* \param bc_key_len block cipher key length (in bytes).
* \param dig_impl hash function for HMAC.
* \param mac_key HMAC key.
* \param mac_key_len HMAC key length (in bytes).
* \param mac_out_len HMAC output length (in bytes).
* \param iv initial IV (or `NULL`).
*/
void (*init)(const br_sslrec_in_cbc_class **ctx,
const br_block_cbcdec_class *bc_impl,
const void *bc_key, size_t bc_key_len,
const br_hash_class *dig_impl,
const void *mac_key, size_t mac_key_len, size_t mac_out_len,
const void *iv);
};
/**
* \brief Record encryption engine class, for CBC mode.
*
* This class type extends the encryption engine class with an
* initialisation method that receives the parameters needed
* for CBC processing: block cipher implementation, block cipher key,
* HMAC parameters (hash function, key, MAC length), and IV. If the
* IV is `NULL`, then a per-record IV will be used (TLS 1.1+).
*/
typedef struct br_sslrec_out_cbc_class_ br_sslrec_out_cbc_class;
struct br_sslrec_out_cbc_class_ {
/**
* \brief Superclass, as first vtable field.
*/
br_sslrec_out_class inner;
/**
* \brief Engine initialisation method.
*
* This method sets the vtable field in the context.
*
* \param ctx context to initialise.
* \param bc_impl block cipher implementation (CBC encryption).
* \param bc_key block cipher key.
* \param bc_key_len block cipher key length (in bytes).
* \param dig_impl hash function for HMAC.
* \param mac_key HMAC key.
* \param mac_key_len HMAC key length (in bytes).
* \param mac_out_len HMAC output length (in bytes).
* \param iv initial IV (or `NULL`).
*/
void (*init)(const br_sslrec_out_cbc_class **ctx,
const br_block_cbcenc_class *bc_impl,
const void *bc_key, size_t bc_key_len,
const br_hash_class *dig_impl,
const void *mac_key, size_t mac_key_len, size_t mac_out_len,
const void *iv);
};
/**
* \brief Context structure for decrypting incoming records with
* CBC + HMAC.
*
* The first field points to the vtable. The other fields are opaque
* and shall not be accessed directly.
*/
typedef struct {
/** \brief Pointer to vtable. */
const br_sslrec_in_cbc_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
uint64_t seq;
union {
const br_block_cbcdec_class *vtable;
br_aes_gen_cbcdec_keys aes;
br_des_gen_cbcdec_keys des;
} bc;
br_hmac_key_context mac;
size_t mac_len;
unsigned char iv[16];
int explicit_IV;
#endif
} br_sslrec_in_cbc_context;
/**
* \brief Static, constant vtable for record decryption with CBC.
*/
extern const br_sslrec_in_cbc_class br_sslrec_in_cbc_vtable;
/**
* \brief Context structure for encrypting outgoing records with
* CBC + HMAC.
*
* The first field points to the vtable. The other fields are opaque
* and shall not be accessed directly.
*/
typedef struct {
/** \brief Pointer to vtable. */
const br_sslrec_out_cbc_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
uint64_t seq;
union {
const br_block_cbcenc_class *vtable;
br_aes_gen_cbcenc_keys aes;
br_des_gen_cbcenc_keys des;
} bc;
br_hmac_key_context mac;
size_t mac_len;
unsigned char iv[16];
int explicit_IV;
#endif
} br_sslrec_out_cbc_context;
/**
* \brief Static, constant vtable for record encryption with CBC.
*/
extern const br_sslrec_out_cbc_class br_sslrec_out_cbc_vtable;
/* ===================================================================== */
/**
* \brief Record decryption engine class, for GCM mode.
*
* This class type extends the decryption engine class with an
* initialisation method that receives the parameters needed
* for GCM processing: block cipher implementation, block cipher key,
* GHASH implementation, and 4-byte IV.
*/
typedef struct br_sslrec_in_gcm_class_ br_sslrec_in_gcm_class;
struct br_sslrec_in_gcm_class_ {
/**
* \brief Superclass, as first vtable field.
*/
br_sslrec_in_class inner;
/**
* \brief Engine initialisation method.
*
* This method sets the vtable field in the context.
*
* \param ctx context to initialise.
* \param bc_impl block cipher implementation (CTR).
* \param key block cipher key.
* \param key_len block cipher key length (in bytes).
* \param gh_impl GHASH implementation.
* \param iv static IV (4 bytes).
*/
void (*init)(const br_sslrec_in_gcm_class **ctx,
const br_block_ctr_class *bc_impl,
const void *key, size_t key_len,
br_ghash gh_impl,
const void *iv);
};
/**
* \brief Record encryption engine class, for GCM mode.
*
* This class type extends the encryption engine class with an
* initialisation method that receives the parameters needed
* for GCM processing: block cipher implementation, block cipher key,
* GHASH implementation, and 4-byte IV.
*/
typedef struct br_sslrec_out_gcm_class_ br_sslrec_out_gcm_class;
struct br_sslrec_out_gcm_class_ {
/**
* \brief Superclass, as first vtable field.
*/
br_sslrec_out_class inner;
/**
* \brief Engine initialisation method.
*
* This method sets the vtable field in the context.
*
* \param ctx context to initialise.
* \param bc_impl block cipher implementation (CTR).
* \param key block cipher key.
* \param key_len block cipher key length (in bytes).
* \param gh_impl GHASH implementation.
* \param iv static IV (4 bytes).
*/
void (*init)(const br_sslrec_out_gcm_class **ctx,
const br_block_ctr_class *bc_impl,
const void *key, size_t key_len,
br_ghash gh_impl,
const void *iv);
};
/**
* \brief Context structure for processing records with GCM.
*
* The same context structure is used for encrypting and decrypting.
*
* The first field points to the vtable. The other fields are opaque
* and shall not be accessed directly.
*/
typedef struct {
/** \brief Pointer to vtable. */
union {
const void *gen;
const br_sslrec_in_gcm_class *in;
const br_sslrec_out_gcm_class *out;
} vtable;
#ifndef BR_DOXYGEN_IGNORE
uint64_t seq;
union {
const br_block_ctr_class *vtable;
br_aes_gen_ctr_keys aes;
} bc;
br_ghash gh;
unsigned char iv[4];
unsigned char h[16];
#endif
} br_sslrec_gcm_context;
/**
* \brief Static, constant vtable for record decryption with GCM.
*/
extern const br_sslrec_in_gcm_class br_sslrec_in_gcm_vtable;
/**
* \brief Static, constant vtable for record encryption with GCM.
*/
extern const br_sslrec_out_gcm_class br_sslrec_out_gcm_vtable;
/* ===================================================================== */
/**
* \brief Record decryption engine class, for ChaCha20+Poly1305.
*
* This class type extends the decryption engine class with an
* initialisation method that receives the parameters needed
* for ChaCha20+Poly1305 processing: ChaCha20 implementation,
* Poly1305 implementation, key, and 12-byte IV.
*/
typedef struct br_sslrec_in_chapol_class_ br_sslrec_in_chapol_class;
struct br_sslrec_in_chapol_class_ {
/**
* \brief Superclass, as first vtable field.
*/
br_sslrec_in_class inner;
/**
* \brief Engine initialisation method.
*
* This method sets the vtable field in the context.
*
* \param ctx context to initialise.
* \param ichacha ChaCha20 implementation.
* \param ipoly Poly1305 implementation.
* \param key secret key (32 bytes).
* \param iv static IV (12 bytes).
*/
void (*init)(const br_sslrec_in_chapol_class **ctx,
br_chacha20_run ichacha,
br_poly1305_run ipoly,
const void *key, const void *iv);
};
/**
* \brief Record encryption engine class, for ChaCha20+Poly1305.
*
* This class type extends the encryption engine class with an
* initialisation method that receives the parameters needed
* for ChaCha20+Poly1305 processing: ChaCha20 implementation,
* Poly1305 implementation, key, and 12-byte IV.
*/
typedef struct br_sslrec_out_chapol_class_ br_sslrec_out_chapol_class;
struct br_sslrec_out_chapol_class_ {
/**
* \brief Superclass, as first vtable field.
*/
br_sslrec_out_class inner;
/**
* \brief Engine initialisation method.
*
* This method sets the vtable field in the context.
*
* \param ctx context to initialise.
* \param ichacha ChaCha20 implementation.
* \param ipoly Poly1305 implementation.
* \param key secret key (32 bytes).
* \param iv static IV (12 bytes).
*/
void (*init)(const br_sslrec_out_chapol_class **ctx,
br_chacha20_run ichacha,
br_poly1305_run ipoly,
const void *key, const void *iv);
};
/**
* \brief Context structure for processing records with ChaCha20+Poly1305.
*
* The same context structure is used for encrypting and decrypting.
*
* The first field points to the vtable. The other fields are opaque
* and shall not be accessed directly.
*/
typedef struct {
/** \brief Pointer to vtable. */
union {
const void *gen;
const br_sslrec_in_chapol_class *in;
const br_sslrec_out_chapol_class *out;
} vtable;
#ifndef BR_DOXYGEN_IGNORE
uint64_t seq;
unsigned char key[32];
unsigned char iv[12];
br_chacha20_run ichacha;
br_poly1305_run ipoly;
#endif
} br_sslrec_chapol_context;
/**
* \brief Static, constant vtable for record decryption with ChaCha20+Poly1305.
*/
extern const br_sslrec_in_chapol_class br_sslrec_in_chapol_vtable;
/**
* \brief Static, constant vtable for record encryption with ChaCha20+Poly1305.
*/
extern const br_sslrec_out_chapol_class br_sslrec_out_chapol_vtable;
/* ===================================================================== */
/**
* \brief Record decryption engine class, for CCM mode.
*
* This class type extends the decryption engine class with an
* initialisation method that receives the parameters needed
* for CCM processing: block cipher implementation, block cipher key,
* and 4-byte IV.
*/
typedef struct br_sslrec_in_ccm_class_ br_sslrec_in_ccm_class;
struct br_sslrec_in_ccm_class_ {
/**
* \brief Superclass, as first vtable field.
*/
br_sslrec_in_class inner;
/**
* \brief Engine initialisation method.
*
* This method sets the vtable field in the context.
*
* \param ctx context to initialise.
* \param bc_impl block cipher implementation (CTR+CBC).
* \param key block cipher key.
* \param key_len block cipher key length (in bytes).
* \param iv static IV (4 bytes).
* \param tag_len tag length (in bytes)
*/
void (*init)(const br_sslrec_in_ccm_class **ctx,
const br_block_ctrcbc_class *bc_impl,
const void *key, size_t key_len,
const void *iv, size_t tag_len);
};
/**
* \brief Record encryption engine class, for CCM mode.
*
* This class type extends the encryption engine class with an
* initialisation method that receives the parameters needed
* for CCM processing: block cipher implementation, block cipher key,
* and 4-byte IV.
*/
typedef struct br_sslrec_out_ccm_class_ br_sslrec_out_ccm_class;
struct br_sslrec_out_ccm_class_ {
/**
* \brief Superclass, as first vtable field.
*/
br_sslrec_out_class inner;
/**
* \brief Engine initialisation method.
*
* This method sets the vtable field in the context.
*
* \param ctx context to initialise.
* \param bc_impl block cipher implementation (CTR+CBC).
* \param key block cipher key.
* \param key_len block cipher key length (in bytes).
* \param iv static IV (4 bytes).
* \param tag_len tag length (in bytes)
*/
void (*init)(const br_sslrec_out_ccm_class **ctx,
const br_block_ctrcbc_class *bc_impl,
const void *key, size_t key_len,
const void *iv, size_t tag_len);
};
/**
* \brief Context structure for processing records with CCM.
*
* The same context structure is used for encrypting and decrypting.
*
* The first field points to the vtable. The other fields are opaque
* and shall not be accessed directly.
*/
typedef struct {
/** \brief Pointer to vtable. */
union {
const void *gen;
const br_sslrec_in_ccm_class *in;
const br_sslrec_out_ccm_class *out;
} vtable;
#ifndef BR_DOXYGEN_IGNORE
uint64_t seq;
union {
const br_block_ctrcbc_class *vtable;
br_aes_gen_ctrcbc_keys aes;
} bc;
unsigned char iv[4];
size_t tag_len;
#endif
} br_sslrec_ccm_context;
/**
* \brief Static, constant vtable for record decryption with CCM.
*/
extern const br_sslrec_in_ccm_class br_sslrec_in_ccm_vtable;
/**
* \brief Static, constant vtable for record encryption with CCM.
*/
extern const br_sslrec_out_ccm_class br_sslrec_out_ccm_vtable;
/* ===================================================================== */
/**
* \brief Type for session parameters, to be saved for session resumption.
*/
typedef struct {
/** \brief Session ID buffer. */
unsigned char session_id[32];
/** \brief Session ID length (in bytes, at most 32). */
unsigned char session_id_len;
/** \brief Protocol version. */
uint16_t version;
/** \brief Cipher suite. */
uint16_t cipher_suite;
/** \brief Master secret. */
unsigned char master_secret[48];
} br_ssl_session_parameters;
#ifndef BR_DOXYGEN_IGNORE
/*
* Maximum number of cipher suites supported by a client or server.
*/
#define BR_MAX_CIPHER_SUITES 48
#endif
/**
* \brief Context structure for SSL engine.
*
* This strucuture is common to the client and server; both the client
* context (`br_ssl_client_context`) and the server context
* (`br_ssl_server_context`) include a `br_ssl_engine_context` as their
* first field.
*
* The engine context manages records, including alerts, closures, and
* transitions to new encryption/MAC algorithms. Processing of handshake
* records is delegated to externally provided code. This structure
* should not be used directly.
*
* Structure contents are opaque and shall not be accessed directly.
*/
typedef struct {
#ifndef BR_DOXYGEN_IGNORE
/*
* The error code. When non-zero, then the state is "failed" and
* no I/O may occur until reset.
*/
int err;
/*
* Configured I/O buffers. They are either disjoint, or identical.
*/
unsigned char *ibuf, *obuf;
size_t ibuf_len, obuf_len;
/*
* Maximum fragment length applies to outgoing records; incoming
* records can be processed as long as they fit in the input
* buffer. It is guaranteed that incoming records at least as big
* as max_frag_len can be processed.
*/
uint16_t max_frag_len;
unsigned char log_max_frag_len;
unsigned char peer_log_max_frag_len;
/*
* Buffering management registers.
*/
size_t ixa, ixb, ixc;
size_t oxa, oxb, oxc;
unsigned char iomode;
unsigned char incrypt;
/*
* Shutdown flag: when set to non-zero, incoming record bytes
* will not be accepted anymore. This is used after a close_notify
* has been received: afterwards, the engine no longer claims that
* it could receive bytes from the transport medium.
*/
unsigned char shutdown_recv;
/*
* 'record_type_in' is set to the incoming record type when the
* record header has been received.
* 'record_type_out' is used to make the next outgoing record
* header when it is ready to go.
*/
unsigned char record_type_in, record_type_out;
/*
* When a record is received, its version is extracted:
* -- if 'version_in' is 0, then it is set to the received version;
* -- otherwise, if the received version is not identical to
* the 'version_in' contents, then a failure is reported.
*
* This implements the SSL requirement that all records shall
* use the negotiated protocol version, once decided (in the
* ServerHello). It is up to the handshake handler to adjust this
* field when necessary.
*/
uint16_t version_in;
/*
* 'version_out' is used when the next outgoing record is ready
* to go.
*/
uint16_t version_out;
/*
* Record handler contexts.
*/
union {
const br_sslrec_in_class *vtable;
br_sslrec_in_cbc_context cbc;
br_sslrec_gcm_context gcm;
br_sslrec_chapol_context chapol;
br_sslrec_ccm_context ccm;
} in;
union {
const br_sslrec_out_class *vtable;
br_sslrec_out_clear_context clear;
br_sslrec_out_cbc_context cbc;
br_sslrec_gcm_context gcm;
br_sslrec_chapol_context chapol;
br_sslrec_ccm_context ccm;
} out;
/*
* The "application data" flag. Value:
* 0 handshake is in process, no application data acceptable
* 1 application data can be sent and received
* 2 closing, no application data can be sent, but some
* can still be received (and discarded)
*/
unsigned char application_data;
/*
* Context RNG.
*
* rng_init_done is initially 0. It is set to 1 when the
* basic structure of the RNG is set, and 2 when some
* entropy has been pushed in. The value 2 marks the RNG
* as "properly seeded".
*
* rng_os_rand_done is initially 0. It is set to 1 when
* some seeding from the OS or hardware has been attempted.
*/
br_hmac_drbg_context rng;
int rng_init_done;
int rng_os_rand_done;
/*
* Supported minimum and maximum versions, and cipher suites.
*/
uint16_t version_min;
uint16_t version_max;
uint16_t suites_buf[BR_MAX_CIPHER_SUITES];
unsigned char suites_num;
/*
* For clients, the server name to send as a SNI extension. For
* servers, the name received in the SNI extension (if any).
*/
char server_name[256];
/*
* "Security parameters". These are filled by the handshake
* handler, and used when switching encryption state.
*/
unsigned char client_random[32];
unsigned char server_random[32];
br_ssl_session_parameters session;
/*
* ECDHE elements: curve and point from the peer. The server also
* uses that buffer for the point to send to the client.
*/
unsigned char ecdhe_curve;
unsigned char ecdhe_point[133];
unsigned char ecdhe_point_len;
/*
* Secure renegotiation (RFC 5746): 'reneg' can be:
* 0 first handshake (server support is not known)
* 1 peer does not support secure renegotiation
* 2 peer supports secure renegotiation
*
* The saved_finished buffer contains the client and the
* server "Finished" values from the last handshake, in
* that order (12 bytes each).
*/
unsigned char reneg;
unsigned char saved_finished[24];
/*
* Behavioural flags.
*/
uint32_t flags;
/*
* Context variables for the handshake processor. The 'pad' must
* be large enough to accommodate an RSA-encrypted pre-master
* secret, or an RSA signature; since we want to support up to
* RSA-4096, this means at least 512 bytes. (Other pad usages
* require its length to be at least 256.)
*/
struct {
uint32_t *dp;
uint32_t *rp;
const unsigned char *ip;
} cpu;
uint32_t dp_stack[32];
uint32_t rp_stack[32];
unsigned char pad[512];
unsigned char *hbuf_in, *hbuf_out, *saved_hbuf_out;
size_t hlen_in, hlen_out;
void (*hsrun)(void *ctx);
/*
* The 'action' value communicates OOB information between the
* engine and the handshake processor.
*
* From the engine:
* 0 invocation triggered by I/O
* 1 invocation triggered by explicit close
* 2 invocation triggered by explicit renegotiation
*/
unsigned char action;
/*
* State for alert messages. Value is either 0, or the value of
* the alert level byte (level is either 1 for warning, or 2 for
* fatal; we convert all other values to 'fatal').
*/
unsigned char alert;
/*
* Closure flags. This flag is set when a close_notify has been
* received from the peer.
*/
unsigned char close_received;
/*
* Multi-hasher for the handshake messages. The handshake handler
* is responsible for resetting it when appropriate.
*/
br_multihash_context mhash;
/*
* Pointer to the X.509 engine. The engine is supposed to be
* already initialized. It is used to validate the peer's
* certificate.
*/
const br_x509_class **x509ctx;
/*
* Certificate chain to send. This is used by both client and
* server, when they send their respective Certificate messages.
* If chain_len is 0, then chain may be NULL.
*/
const br_x509_certificate *chain;
size_t chain_len;
const unsigned char *cert_cur;
size_t cert_len;
/*
* List of supported protocol names (ALPN extension). If unset,
* (number of names is 0), then:
* - the client sends no ALPN extension;
* - the server ignores any incoming ALPN extension.
*
* Otherwise:
* - the client sends an ALPN extension with all the names;
* - the server selects the first protocol in its list that
* the client also supports, or fails (fatal alert 120)
* if the client sends an ALPN extension and there is no
* match.
*
* The 'selected_protocol' field contains 1+n if the matching
* name has index n in the list (the value is 0 if no match was
* performed, e.g. the peer did not send an ALPN extension).
*/
const char **protocol_names;
uint16_t protocol_names_num;
uint16_t selected_protocol;
/*
* Pointers to implementations; left to NULL for unsupported
* functions. For the raw hash functions, implementations are
* referenced from the multihasher (mhash field).
*/
br_tls_prf_impl prf10;
br_tls_prf_impl prf_sha256;
br_tls_prf_impl prf_sha384;
const br_block_cbcenc_class *iaes_cbcenc;
const br_block_cbcdec_class *iaes_cbcdec;
const br_block_ctr_class *iaes_ctr;
const br_block_ctrcbc_class *iaes_ctrcbc;
const br_block_cbcenc_class *ides_cbcenc;
const br_block_cbcdec_class *ides_cbcdec;
br_ghash ighash;
br_chacha20_run ichacha;
br_poly1305_run ipoly;
const br_sslrec_in_cbc_class *icbc_in;
const br_sslrec_out_cbc_class *icbc_out;
const br_sslrec_in_gcm_class *igcm_in;
const br_sslrec_out_gcm_class *igcm_out;
const br_sslrec_in_chapol_class *ichapol_in;
const br_sslrec_out_chapol_class *ichapol_out;
const br_sslrec_in_ccm_class *iccm_in;
const br_sslrec_out_ccm_class *iccm_out;
const br_ec_impl *iec;
br_rsa_pkcs1_vrfy irsavrfy;
br_ecdsa_vrfy iecdsa;
#endif
} br_ssl_engine_context;
/**
* \brief Get currently defined engine behavioural flags.
*
* \param cc SSL engine context.
* \return the flags.
*/
static inline uint32_t
br_ssl_engine_get_flags(br_ssl_engine_context *cc)
{
return cc->flags;
}
/**
* \brief Set all engine behavioural flags.
*
* \param cc SSL engine context.
* \param flags new value for all flags.
*/
static inline void
br_ssl_engine_set_all_flags(br_ssl_engine_context *cc, uint32_t flags)
{
cc->flags = flags;
}
/**
* \brief Set some engine behavioural flags.
*
* The flags set in the `flags` parameter are set in the context; other
* flags are untouched.
*
* \param cc SSL engine context.
* \param flags additional set flags.
*/
static inline void
br_ssl_engine_add_flags(br_ssl_engine_context *cc, uint32_t flags)
{
cc->flags |= flags;
}
/**
* \brief Clear some engine behavioural flags.
*
* The flags set in the `flags` parameter are cleared from the context; other
* flags are untouched.
*
* \param cc SSL engine context.
* \param flags flags to remove.
*/
static inline void
br_ssl_engine_remove_flags(br_ssl_engine_context *cc, uint32_t flags)
{
cc->flags &= ~flags;
}
/**
* \brief Behavioural flag: enforce server preferences.
*
* If this flag is set, then the server will enforce its own cipher suite
* preference order; otherwise, it follows the client preferences.
*/
#define BR_OPT_ENFORCE_SERVER_PREFERENCES ((uint32_t)1 << 0)
/**
* \brief Behavioural flag: disable renegotiation.
*
* If this flag is set, then renegotiations are rejected unconditionally:
* they won't be honoured if asked for programmatically, and requests from
* the peer are rejected.
*/
#define BR_OPT_NO_RENEGOTIATION ((uint32_t)1 << 1)
/**
* \brief Behavioural flag: tolerate lack of client authentication.
*
* If this flag is set in a server and the server requests a client
* certificate, but the authentication fails (the client does not send
* a certificate, or the client's certificate chain cannot be validated),
* then the connection keeps on. Without this flag, a failed client
* authentication terminates the connection.
*
* Notes:
*
* - If the client's certificate can be validated and its public key is
* supported, then a wrong signature value terminates the connection
* regardless of that flag.
*
* - If using full-static ECDH, then a failure to validate the client's
* certificate prevents the handshake from succeeding.
*/
#define BR_OPT_TOLERATE_NO_CLIENT_AUTH ((uint32_t)1 << 2)
/**
* \brief Behavioural flag: fail on application protocol mismatch.
*
* The ALPN extension ([RFC 7301](https://tools.ietf.org/html/rfc7301))
* allows the client to send a list of application protocol names, and
* the server to select one. A mismatch is one of the following occurrences:
*
* - On the client: the client sends a list of names, the server
* responds with a protocol name which is _not_ part of the list of
* names sent by the client.
*
* - On the server: the client sends a list of names, and the server
* is also configured with a list of names, but there is no common
* protocol name between the two lists.
*
* Normal behaviour in case of mismatch is to report no matching name
* (`br_ssl_engine_get_selected_protocol()` returns `NULL`) and carry on.
* If the flag is set, then a mismatch implies a protocol failure (if
* the mismatch is detected by the server, it will send a fatal alert).
*
* Note: even with this flag, `br_ssl_engine_get_selected_protocol()`
* may still return `NULL` if the client or the server does not send an
* ALPN extension at all.
*/
#define BR_OPT_FAIL_ON_ALPN_MISMATCH ((uint32_t)1 << 3)
/**
* \brief Set the minimum and maximum supported protocol versions.
*
* The two provided versions MUST be supported by the implementation
* (i.e. TLS 1.0, 1.1 and 1.2), and `version_max` MUST NOT be lower
* than `version_min`.
*
* \param cc SSL engine context.
* \param version_min minimum supported TLS version.
* \param version_max maximum supported TLS version.
*/
static inline void
br_ssl_engine_set_versions(br_ssl_engine_context *cc,
unsigned version_min, unsigned version_max)
{
- cc->version_min = version_min;
- cc->version_max = version_max;
+ cc->version_min = (uint16_t)version_min;
+ cc->version_max = (uint16_t)version_max;
}
/**
* \brief Set the list of cipher suites advertised by this context.
*
* The provided array is copied into the context. It is the caller
* responsibility to ensure that all provided suites will be supported
* by the context. The engine context has enough room to receive _all_
* suites supported by the implementation. The provided array MUST NOT
* contain duplicates.
*
* If the engine is for a client, the "signaling" pseudo-cipher suite
* `TLS_FALLBACK_SCSV` can be added at the end of the list, if the
* calling application is performing a voluntary downgrade (voluntary
* downgrades are not recommended, but if such a downgrade is done, then
* adding the fallback pseudo-suite is a good idea).
*
* \param cc SSL engine context.
* \param suites cipher suites.
* \param suites_num number of cipher suites.
*/
void br_ssl_engine_set_suites(br_ssl_engine_context *cc,
const uint16_t *suites, size_t suites_num);
/**
* \brief Set the X.509 engine.
*
* The caller shall ensure that the X.509 engine is properly initialised.
*
* \param cc SSL engine context.
* \param x509ctx X.509 certificate validation context.
*/
static inline void
br_ssl_engine_set_x509(br_ssl_engine_context *cc, const br_x509_class **x509ctx)
{
cc->x509ctx = x509ctx;
}
/**
* \brief Set the supported protocol names.
*
* Protocol names are part of the ALPN extension ([RFC
* 7301](https://tools.ietf.org/html/rfc7301)). Each protocol name is a
* character string, containing no more than 255 characters (256 with the
* terminating zero). When names are set, then:
*
* - The client will send an ALPN extension, containing the names. If
* the server responds with an ALPN extension, the client will verify
* that the response contains one of its name, and report that name
* through `br_ssl_engine_get_selected_protocol()`.
*
* - The server will parse incoming ALPN extension (from clients), and
* try to find a common protocol; if none is found, the connection
* is aborted with a fatal alert. On match, a response ALPN extension
* is sent, and name is reported through
* `br_ssl_engine_get_selected_protocol()`.
*
* The provided array is linked in, and must remain valid while the
* connection is live.
*
* Names MUST NOT be empty. Names MUST NOT be longer than 255 characters
* (excluding the terminating 0).
*
* \param ctx SSL engine context.
* \param names list of protocol names (zero-terminated).
* \param num number of protocol names (MUST be 1 or more).
*/
static inline void
br_ssl_engine_set_protocol_names(br_ssl_engine_context *ctx,
const char **names, size_t num)
{
ctx->protocol_names = names;
- ctx->protocol_names_num = num;
+ ctx->protocol_names_num = (uint16_t)num;
}
/**
* \brief Get the selected protocol.
*
* If this context was initialised with a non-empty list of protocol
* names, and both client and server sent ALPN extensions during the
* handshake, and a common name was found, then that name is returned.
* Otherwise, `NULL` is returned.
*
* The returned pointer is one of the pointers provided to the context
* with `br_ssl_engine_set_protocol_names()`.
*
* \return the selected protocol, or `NULL`.
*/
static inline const char *
br_ssl_engine_get_selected_protocol(br_ssl_engine_context *ctx)
{
unsigned k;
k = ctx->selected_protocol;
return (k == 0 || k == 0xFFFF) ? NULL : ctx->protocol_names[k - 1];
}
/**
* \brief Set a hash function implementation (by ID).
*
* Hash functions set with this call will be used for SSL/TLS specific
* usages, not X.509 certificate validation. Only "standard" hash functions
* may be set (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). If `impl`
* is `NULL`, then the hash function support is removed, not added.
*
* \param ctx SSL engine context.
* \param id hash function identifier.
* \param impl hash function implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_hash(br_ssl_engine_context *ctx,
int id, const br_hash_class *impl)
{
br_multihash_setimpl(&ctx->mhash, id, impl);
}
/**
* \brief Get a hash function implementation (by ID).
*
* This function retrieves a hash function implementation which was
* set with `br_ssl_engine_set_hash()`.
*
* \param ctx SSL engine context.
* \param id hash function identifier.
* \return the hash function implementation (or `NULL`).
*/
static inline const br_hash_class *
br_ssl_engine_get_hash(br_ssl_engine_context *ctx, int id)
{
return br_multihash_getimpl(&ctx->mhash, id);
}
/**
* \brief Set the PRF implementation (for TLS 1.0 and 1.1).
*
* This function sets (or removes, if `impl` is `NULL`) the implementation
* for the PRF used in TLS 1.0 and 1.1.
*
* \param cc SSL engine context.
* \param impl PRF implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_prf10(br_ssl_engine_context *cc, br_tls_prf_impl impl)
{
cc->prf10 = impl;
}
/**
* \brief Set the PRF implementation with SHA-256 (for TLS 1.2).
*
* This function sets (or removes, if `impl` is `NULL`) the implementation
* for the SHA-256 variant of the PRF used in TLS 1.2.
*
* \param cc SSL engine context.
* \param impl PRF implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_prf_sha256(br_ssl_engine_context *cc, br_tls_prf_impl impl)
{
cc->prf_sha256 = impl;
}
/**
* \brief Set the PRF implementation with SHA-384 (for TLS 1.2).
*
* This function sets (or removes, if `impl` is `NULL`) the implementation
* for the SHA-384 variant of the PRF used in TLS 1.2.
*
* \param cc SSL engine context.
* \param impl PRF implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_prf_sha384(br_ssl_engine_context *cc, br_tls_prf_impl impl)
{
cc->prf_sha384 = impl;
}
/**
* \brief Set the AES/CBC implementations.
*
* \param cc SSL engine context.
* \param impl_enc AES/CBC encryption implementation (or `NULL`).
* \param impl_dec AES/CBC decryption implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_aes_cbc(br_ssl_engine_context *cc,
const br_block_cbcenc_class *impl_enc,
const br_block_cbcdec_class *impl_dec)
{
cc->iaes_cbcenc = impl_enc;
cc->iaes_cbcdec = impl_dec;
}
/**
* \brief Set the "default" AES/CBC implementations.
*
* This function configures in the engine the AES implementations that
* should provide best runtime performance on the local system, while
* still being safe (in particular, constant-time). It also sets the
* handlers for CBC records.
*
* \param cc SSL engine context.
*/
void br_ssl_engine_set_default_aes_cbc(br_ssl_engine_context *cc);
/**
* \brief Set the AES/CTR implementation.
*
* \param cc SSL engine context.
* \param impl AES/CTR encryption/decryption implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_aes_ctr(br_ssl_engine_context *cc,
const br_block_ctr_class *impl)
{
cc->iaes_ctr = impl;
}
/**
* \brief Set the "default" implementations for AES/GCM (AES/CTR + GHASH).
*
* This function configures in the engine the AES/CTR and GHASH
* implementation that should provide best runtime performance on the local
* system, while still being safe (in particular, constant-time). It also
* sets the handlers for GCM records.
*
* \param cc SSL engine context.
*/
void br_ssl_engine_set_default_aes_gcm(br_ssl_engine_context *cc);
/**
* \brief Set the DES/CBC implementations.
*
* \param cc SSL engine context.
* \param impl_enc DES/CBC encryption implementation (or `NULL`).
* \param impl_dec DES/CBC decryption implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_des_cbc(br_ssl_engine_context *cc,
const br_block_cbcenc_class *impl_enc,
const br_block_cbcdec_class *impl_dec)
{
cc->ides_cbcenc = impl_enc;
cc->ides_cbcdec = impl_dec;
}
/**
* \brief Set the "default" DES/CBC implementations.
*
* This function configures in the engine the DES implementations that
* should provide best runtime performance on the local system, while
* still being safe (in particular, constant-time). It also sets the
* handlers for CBC records.
*
* \param cc SSL engine context.
*/
void br_ssl_engine_set_default_des_cbc(br_ssl_engine_context *cc);
/**
* \brief Set the GHASH implementation (used in GCM mode).
*
* \param cc SSL engine context.
* \param impl GHASH implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_ghash(br_ssl_engine_context *cc, br_ghash impl)
{
cc->ighash = impl;
}
/**
* \brief Set the ChaCha20 implementation.
*
* \param cc SSL engine context.
* \param ichacha ChaCha20 implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_chacha20(br_ssl_engine_context *cc,
br_chacha20_run ichacha)
{
cc->ichacha = ichacha;
}
/**
* \brief Set the Poly1305 implementation.
*
* \param cc SSL engine context.
* \param ipoly Poly1305 implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_poly1305(br_ssl_engine_context *cc,
br_poly1305_run ipoly)
{
cc->ipoly = ipoly;
}
/**
* \brief Set the "default" ChaCha20 and Poly1305 implementations.
*
* This function configures in the engine the ChaCha20 and Poly1305
* implementations that should provide best runtime performance on the
* local system, while still being safe (in particular, constant-time).
* It also sets the handlers for ChaCha20+Poly1305 records.
*
* \param cc SSL engine context.
*/
void br_ssl_engine_set_default_chapol(br_ssl_engine_context *cc);
/**
* \brief Set the AES/CTR+CBC implementation.
*
* \param cc SSL engine context.
* \param impl AES/CTR+CBC encryption/decryption implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_aes_ctrcbc(br_ssl_engine_context *cc,
const br_block_ctrcbc_class *impl)
{
cc->iaes_ctrcbc = impl;
}
/**
* \brief Set the "default" implementations for AES/CCM.
*
* This function configures in the engine the AES/CTR+CBC
* implementation that should provide best runtime performance on the local
* system, while still being safe (in particular, constant-time). It also
* sets the handlers for CCM records.
*
* \param cc SSL engine context.
*/
void br_ssl_engine_set_default_aes_ccm(br_ssl_engine_context *cc);
/**
* \brief Set the record encryption and decryption engines for CBC + HMAC.
*
* \param cc SSL engine context.
* \param impl_in record CBC decryption implementation (or `NULL`).
* \param impl_out record CBC encryption implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_cbc(br_ssl_engine_context *cc,
const br_sslrec_in_cbc_class *impl_in,
const br_sslrec_out_cbc_class *impl_out)
{
cc->icbc_in = impl_in;
cc->icbc_out = impl_out;
}
/**
* \brief Set the record encryption and decryption engines for GCM.
*
* \param cc SSL engine context.
* \param impl_in record GCM decryption implementation (or `NULL`).
* \param impl_out record GCM encryption implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_gcm(br_ssl_engine_context *cc,
const br_sslrec_in_gcm_class *impl_in,
const br_sslrec_out_gcm_class *impl_out)
{
cc->igcm_in = impl_in;
cc->igcm_out = impl_out;
}
/**
* \brief Set the record encryption and decryption engines for CCM.
*
* \param cc SSL engine context.
* \param impl_in record CCM decryption implementation (or `NULL`).
* \param impl_out record CCM encryption implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_ccm(br_ssl_engine_context *cc,
const br_sslrec_in_ccm_class *impl_in,
const br_sslrec_out_ccm_class *impl_out)
{
cc->iccm_in = impl_in;
cc->iccm_out = impl_out;
}
/**
* \brief Set the record encryption and decryption engines for
* ChaCha20+Poly1305.
*
* \param cc SSL engine context.
* \param impl_in record ChaCha20 decryption implementation (or `NULL`).
* \param impl_out record ChaCha20 encryption implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_chapol(br_ssl_engine_context *cc,
const br_sslrec_in_chapol_class *impl_in,
const br_sslrec_out_chapol_class *impl_out)
{
cc->ichapol_in = impl_in;
cc->ichapol_out = impl_out;
}
/**
* \brief Set the EC implementation.
*
* The elliptic curve implementation will be used for ECDH and ECDHE
* cipher suites, and for ECDSA support.
*
* \param cc SSL engine context.
* \param iec EC implementation (or `NULL`).
*/
static inline void
br_ssl_engine_set_ec(br_ssl_engine_context *cc, const br_ec_impl *iec)
{
cc->iec = iec;
}
/**
* \brief Set the "default" EC implementation.
*
* This function sets the elliptic curve implementation for ECDH and
* ECDHE cipher suites, and for ECDSA support. It selects the fastest
* implementation on the current system.
*
* \param cc SSL engine context.
*/
void br_ssl_engine_set_default_ec(br_ssl_engine_context *cc);
/**
* \brief Get the EC implementation configured in the provided engine.
*
* \param cc SSL engine context.
* \return the EC implementation.
*/
static inline const br_ec_impl *
br_ssl_engine_get_ec(br_ssl_engine_context *cc)
{
return cc->iec;
}
/**
* \brief Set the RSA signature verification implementation.
*
* On the client, this is used to verify the server's signature on its
* ServerKeyExchange message (for ECDHE_RSA cipher suites). On the server,
* this is used to verify the client's CertificateVerify message (if a
* client certificate is requested, and that certificate contains a RSA key).
*
* \param cc SSL engine context.
* \param irsavrfy RSA signature verification implementation.
*/
static inline void
br_ssl_engine_set_rsavrfy(br_ssl_engine_context *cc, br_rsa_pkcs1_vrfy irsavrfy)
{
cc->irsavrfy = irsavrfy;
}
/**
* \brief Set the "default" RSA implementation (signature verification).
*
* This function sets the RSA implementation (signature verification)
* to the fastest implementation available on the current platform.
*
* \param cc SSL engine context.
*/
void br_ssl_engine_set_default_rsavrfy(br_ssl_engine_context *cc);
/**
* \brief Get the RSA implementation (signature verification) configured
* in the provided engine.
*
* \param cc SSL engine context.
* \return the RSA signature verification implementation.
*/
static inline br_rsa_pkcs1_vrfy
br_ssl_engine_get_rsavrfy(br_ssl_engine_context *cc)
{
return cc->irsavrfy;
}
/*
* \brief Set the ECDSA implementation (signature verification).
*
* On the client, this is used to verify the server's signature on its
* ServerKeyExchange message (for ECDHE_ECDSA cipher suites). On the server,
* this is used to verify the client's CertificateVerify message (if a
* client certificate is requested, that certificate contains an EC key,
* and full-static ECDH is not used).
*
* The ECDSA implementation will use the EC core implementation configured
* in the engine context.
*
* \param cc client context.
* \param iecdsa ECDSA verification implementation.
*/
static inline void
br_ssl_engine_set_ecdsa(br_ssl_engine_context *cc, br_ecdsa_vrfy iecdsa)
{
cc->iecdsa = iecdsa;
}
/**
* \brief Set the "default" ECDSA implementation (signature verification).
*
* This function sets the ECDSA implementation (signature verification)
* to the fastest implementation available on the current platform. This
* call also sets the elliptic curve implementation itself, there again
* to the fastest EC implementation available.
*
* \param cc SSL engine context.
*/
void br_ssl_engine_set_default_ecdsa(br_ssl_engine_context *cc);
/**
* \brief Get the ECDSA implementation (signature verification) configured
* in the provided engine.
*
* \param cc SSL engine context.
* \return the ECDSA signature verification implementation.
*/
static inline br_ecdsa_vrfy
br_ssl_engine_get_ecdsa(br_ssl_engine_context *cc)
{
return cc->iecdsa;
}
/**
* \brief Set the I/O buffer for the SSL engine.
*
* Once this call has been made, `br_ssl_client_reset()` or
* `br_ssl_server_reset()` MUST be called before using the context.
*
* The provided buffer will be used as long as the engine context is
* used. The caller is responsible for keeping it available.
*
* If `bidi` is 0, then the engine will operate in half-duplex mode
* (it won't be able to send data while there is unprocessed incoming
* data in the buffer, and it won't be able to receive data while there
* is unsent data in the buffer). The optimal buffer size in half-duplex
* mode is `BR_SSL_BUFSIZE_MONO`; if the buffer is larger, then extra
* bytes are ignored. If the buffer is smaller, then this limits the
* capacity of the engine to support all allowed record sizes.
*
* If `bidi` is 1, then the engine will split the buffer into two
* parts, for separate handling of outgoing and incoming data. This
* enables full-duplex processing, but requires more RAM. The optimal
* buffer size in full-duplex mode is `BR_SSL_BUFSIZE_BIDI`; if the
* buffer is larger, then extra bytes are ignored. If the buffer is
* smaller, then the split will favour the incoming part, so that
* interoperability is maximised.
*
* \param cc SSL engine context
* \param iobuf I/O buffer.
* \param iobuf_len I/O buffer length (in bytes).
* \param bidi non-zero for full-duplex mode.
*/
void br_ssl_engine_set_buffer(br_ssl_engine_context *cc,
void *iobuf, size_t iobuf_len, int bidi);
/**
* \brief Set the I/O buffers for the SSL engine.
*
* Once this call has been made, `br_ssl_client_reset()` or
* `br_ssl_server_reset()` MUST be called before using the context.
*
* This function is similar to `br_ssl_engine_set_buffer()`, except
* that it enforces full-duplex mode, and the two I/O buffers are
* provided as separate chunks.
*
* The macros `BR_SSL_BUFSIZE_INPUT` and `BR_SSL_BUFSIZE_OUTPUT`
* evaluate to the optimal (maximum) sizes for the input and output
* buffer, respectively.
*
* \param cc SSL engine context
* \param ibuf input buffer.
* \param ibuf_len input buffer length (in bytes).
* \param obuf output buffer.
* \param obuf_len output buffer length (in bytes).
*/
void br_ssl_engine_set_buffers_bidi(br_ssl_engine_context *cc,
void *ibuf, size_t ibuf_len, void *obuf, size_t obuf_len);
/**
* \brief Inject some "initial entropy" in the context.
*
* This entropy will be added to what can be obtained from the
* underlying operating system, if that OS is supported.
*
* This function may be called several times; all injected entropy chunks
* are cumulatively mixed.
*
* If entropy gathering from the OS is supported and compiled in, then this
* step is optional. Otherwise, it is mandatory to inject randomness, and
* the caller MUST take care to push (as one or several successive calls)
* enough entropy to achieve cryptographic resistance (at least 80 bits,
* preferably 128 or more). The engine will report an error if no entropy
* was provided and none can be obtained from the OS.
*
* Take care that this function cannot assess the cryptographic quality of
* the provided bytes.
*
* In all generality, "entropy" must here be considered to mean "that
* which the attacker cannot predict". If your OS/architecture does not
* have a suitable source of randomness, then you can make do with the
* combination of a large enough secret value (possibly a copy of an
* asymmetric private key that you also store on the system) AND a
* non-repeating value (e.g. current time, provided that the local clock
* cannot be reset or altered by the attacker).
*
* \param cc SSL engine context.
* \param data extra entropy to inject.
* \param len length of the extra data (in bytes).
*/
void br_ssl_engine_inject_entropy(br_ssl_engine_context *cc,
const void *data, size_t len);
/**
* \brief Get the "server name" in this engine.
*
* For clients, this is the name provided with `br_ssl_client_reset()`;
* for servers, this is the name received from the client as part of the
* ClientHello message. If there is no such name (e.g. the client did
* not send an SNI extension) then the returned string is empty
* (returned pointer points to a byte of value 0).
*
* The returned pointer refers to a buffer inside the context, which may
* be overwritten as part of normal SSL activity (even within the same
* connection, if a renegotiation occurs).
*
* \param cc SSL engine context.
* \return the server name (possibly empty).
*/
static inline const char *
br_ssl_engine_get_server_name(const br_ssl_engine_context *cc)
{
return cc->server_name;
}
/**
* \brief Get the protocol version.
*
* This function returns the protocol version that is used by the
* engine. That value is set after sending (for a server) or receiving
* (for a client) the ServerHello message.
*
* \param cc SSL engine context.
* \return the protocol version.
*/
static inline unsigned
br_ssl_engine_get_version(const br_ssl_engine_context *cc)
{
return cc->session.version;
}
/**
* \brief Get a copy of the session parameters.
*
* The session parameters are filled during the handshake, so this
* function shall not be called before completion of the handshake.
* The initial handshake is completed when the context first allows
* application data to be injected.
*
* This function copies the current session parameters into the provided
* structure. Beware that the session parameters include the master
* secret, which is sensitive data, to handle with great care.
*
* \param cc SSL engine context.
* \param pp destination structure for the session parameters.
*/
static inline void
br_ssl_engine_get_session_parameters(const br_ssl_engine_context *cc,
br_ssl_session_parameters *pp)
{
memcpy(pp, &cc->session, sizeof *pp);
}
/**
* \brief Set the session parameters to the provided values.
*
* This function is meant to be used in the client, before doing a new
* handshake; a session resumption will be attempted with these
* parameters. In the server, this function has no effect.
*
* \param cc SSL engine context.
* \param pp source structure for the session parameters.
*/
static inline void
br_ssl_engine_set_session_parameters(br_ssl_engine_context *cc,
const br_ssl_session_parameters *pp)
{
memcpy(&cc->session, pp, sizeof *pp);
}
/**
* \brief Get identifier for the curve used for key exchange.
*
* If the cipher suite uses ECDHE, then this function returns the
* identifier for the curve used for transient parameters. This is
* defined during the course of the handshake, when the ServerKeyExchange
* is sent (on the server) or received (on the client). If the
* cipher suite does not use ECDHE (e.g. static ECDH, or RSA key
* exchange), then this value is indeterminate.
*
* @param cc SSL engine context.
* @return the ECDHE curve identifier.
*/
static inline int
br_ssl_engine_get_ecdhe_curve(br_ssl_engine_context *cc)
{
return cc->ecdhe_curve;
}
/**
* \brief Get the current engine state.
*
* An SSL engine (client or server) has, at any time, a state which is
* the combination of zero, one or more of these flags:
*
* - `BR_SSL_CLOSED`
*
* Engine is finished, no more I/O (until next reset).
*
* - `BR_SSL_SENDREC`
*
* Engine has some bytes to send to the peer.
*
* - `BR_SSL_RECVREC`
*
* Engine expects some bytes from the peer.
*
* - `BR_SSL_SENDAPP`
*
* Engine may receive application data to send (or flush).
*
* - `BR_SSL_RECVAPP`
*
* Engine has obtained some application data from the peer,
* that should be read by the caller.
*
* If no flag at all is set (state value is 0), then the engine is not
* fully initialised yet.
*
* The `BR_SSL_CLOSED` flag is exclusive; when it is set, no other flag
* is set. To distinguish between a normal closure and an error, use
* `br_ssl_engine_last_error()`.
*
* Generally speaking, `BR_SSL_SENDREC` and `BR_SSL_SENDAPP` are mutually
* exclusive: the input buffer, at any point, either accumulates
* plaintext data, or contains an assembled record that is being sent.
* Similarly, `BR_SSL_RECVREC` and `BR_SSL_RECVAPP` are mutually exclusive.
* This may change in a future library version.
*
* \param cc SSL engine context.
* \return the current engine state.
*/
unsigned br_ssl_engine_current_state(const br_ssl_engine_context *cc);
/** \brief SSL engine state: closed or failed. */
#define BR_SSL_CLOSED 0x0001
/** \brief SSL engine state: record data is ready to be sent to the peer. */
#define BR_SSL_SENDREC 0x0002
/** \brief SSL engine state: engine may receive records from the peer. */
#define BR_SSL_RECVREC 0x0004
/** \brief SSL engine state: engine may accept application data to send. */
#define BR_SSL_SENDAPP 0x0008
/** \brief SSL engine state: engine has received application data. */
#define BR_SSL_RECVAPP 0x0010
/**
* \brief Get the engine error indicator.
*
* The error indicator is `BR_ERR_OK` (0) if no error was encountered
* since the last call to `br_ssl_client_reset()` or
* `br_ssl_server_reset()`. Other status values are "sticky": they
* remain set, and prevent all I/O activity, until cleared. Only the
* reset calls clear the error indicator.
*
* \param cc SSL engine context.
* \return 0, or a non-zero error code.
*/
static inline int
br_ssl_engine_last_error(const br_ssl_engine_context *cc)
{
return cc->err;
}
/*
* There are four I/O operations, each identified by a symbolic name:
*
* sendapp inject application data in the engine
* recvapp retrieving application data from the engine
* sendrec sending records on the transport medium
* recvrec receiving records from the transport medium
*
* Terminology works thus: in a layered model where the SSL engine sits
* between the application and the network, "send" designates operations
* where bytes flow from application to network, and "recv" for the
* reverse operation. Application data (the plaintext that is to be
* conveyed through SSL) is "app", while encrypted records are "rec".
* Note that from the SSL engine point of view, "sendapp" and "recvrec"
* designate bytes that enter the engine ("inject" operation), while
* "recvapp" and "sendrec" designate bytes that exit the engine
* ("extract" operation).
*
* For the operation 'xxx', two functions are defined:
*
* br_ssl_engine_xxx_buf
* Returns a pointer and length to the buffer to use for that
* operation. '*len' is set to the number of bytes that may be read
* from the buffer (extract operation) or written to the buffer
* (inject operation). If no byte may be exchanged for that operation
* at that point, then '*len' is set to zero, and NULL is returned.
* The engine state is unmodified by this call.
*
* br_ssl_engine_xxx_ack
* Informs the engine that 'len' bytes have been read from the buffer
* (extract operation) or written to the buffer (inject operation).
* The 'len' value MUST NOT be zero. The 'len' value MUST NOT exceed
* that which was obtained from a preceding br_ssl_engine_xxx_buf()
* call.
*/
/**
* \brief Get buffer for application data to send.
*
* If the engine is ready to accept application data to send to the
* peer, then this call returns a pointer to the buffer where such
* data shall be written, and its length is written in `*len`.
* Otherwise, `*len` is set to 0 and `NULL` is returned.
*
* \param cc SSL engine context.
* \param len receives the application data output buffer length, or 0.
* \return the application data output buffer, or `NULL`.
*/
unsigned char *br_ssl_engine_sendapp_buf(
const br_ssl_engine_context *cc, size_t *len);
/**
* \brief Inform the engine of some new application data.
*
* After writing `len` bytes in the buffer returned by
* `br_ssl_engine_sendapp_buf()`, the application shall call this
* function to trigger any relevant processing. The `len` parameter
* MUST NOT be 0, and MUST NOT exceed the value obtained in the
* `br_ssl_engine_sendapp_buf()` call.
*
* \param cc SSL engine context.
* \param len number of bytes pushed (not zero).
*/
void br_ssl_engine_sendapp_ack(br_ssl_engine_context *cc, size_t len);
/**
* \brief Get buffer for received application data.
*
- * If the engine has received application data from the peer, hen this
+ * If the engine has received application data from the peer, then this
* call returns a pointer to the buffer from where such data shall be
* read, and its length is written in `*len`. Otherwise, `*len` is set
* to 0 and `NULL` is returned.
*
* \param cc SSL engine context.
* \param len receives the application data input buffer length, or 0.
* \return the application data input buffer, or `NULL`.
*/
unsigned char *br_ssl_engine_recvapp_buf(
const br_ssl_engine_context *cc, size_t *len);
/**
* \brief Acknowledge some received application data.
*
* After reading `len` bytes from the buffer returned by
* `br_ssl_engine_recvapp_buf()`, the application shall call this
* function to trigger any relevant processing. The `len` parameter
* MUST NOT be 0, and MUST NOT exceed the value obtained in the
* `br_ssl_engine_recvapp_buf()` call.
*
* \param cc SSL engine context.
* \param len number of bytes read (not zero).
*/
void br_ssl_engine_recvapp_ack(br_ssl_engine_context *cc, size_t len);
/**
* \brief Get buffer for record data to send.
*
* If the engine has prepared some records to send to the peer, then this
* call returns a pointer to the buffer from where such data shall be
* read, and its length is written in `*len`. Otherwise, `*len` is set
* to 0 and `NULL` is returned.
*
* \param cc SSL engine context.
* \param len receives the record data output buffer length, or 0.
* \return the record data output buffer, or `NULL`.
*/
unsigned char *br_ssl_engine_sendrec_buf(
const br_ssl_engine_context *cc, size_t *len);
/**
* \brief Acknowledge some sent record data.
*
* After reading `len` bytes from the buffer returned by
* `br_ssl_engine_sendrec_buf()`, the application shall call this
* function to trigger any relevant processing. The `len` parameter
* MUST NOT be 0, and MUST NOT exceed the value obtained in the
* `br_ssl_engine_sendrec_buf()` call.
*
* \param cc SSL engine context.
* \param len number of bytes read (not zero).
*/
void br_ssl_engine_sendrec_ack(br_ssl_engine_context *cc, size_t len);
/**
* \brief Get buffer for incoming records.
*
* If the engine is ready to accept records from the peer, then this
* call returns a pointer to the buffer where such data shall be
* written, and its length is written in `*len`. Otherwise, `*len` is
* set to 0 and `NULL` is returned.
*
* \param cc SSL engine context.
* \param len receives the record data input buffer length, or 0.
* \return the record data input buffer, or `NULL`.
*/
unsigned char *br_ssl_engine_recvrec_buf(
const br_ssl_engine_context *cc, size_t *len);
/**
* \brief Inform the engine of some new record data.
*
* After writing `len` bytes in the buffer returned by
* `br_ssl_engine_recvrec_buf()`, the application shall call this
* function to trigger any relevant processing. The `len` parameter
* MUST NOT be 0, and MUST NOT exceed the value obtained in the
* `br_ssl_engine_recvrec_buf()` call.
*
* \param cc SSL engine context.
* \param len number of bytes pushed (not zero).
*/
void br_ssl_engine_recvrec_ack(br_ssl_engine_context *cc, size_t len);
/**
* \brief Flush buffered application data.
*
* If some application data has been buffered in the engine, then wrap
* it into a record and mark it for sending. If no application data has
* been buffered but the engine would be ready to accept some, AND the
* `force` parameter is non-zero, then an empty record is assembled and
* marked for sending. In all other cases, this function does nothing.
*
* Empty records are technically legal, but not all existing SSL/TLS
* implementations support them. Empty records can be useful as a
* transparent "keep-alive" mechanism to maintain some low-level
* network activity.
*
* \param cc SSL engine context.
* \param force non-zero to force sending an empty record.
*/
void br_ssl_engine_flush(br_ssl_engine_context *cc, int force);
/**
* \brief Initiate a closure.
*
* If, at that point, the context is open and in ready state, then a
* `close_notify` alert is assembled and marked for sending; this
* triggers the closure protocol. Otherwise, no such alert is assembled.
*
* \param cc SSL engine context.
*/
void br_ssl_engine_close(br_ssl_engine_context *cc);
/**
* \brief Initiate a renegotiation.
*
* If the engine is failed or closed, or if the peer is known not to
* support secure renegotiation (RFC 5746), or if renegotiations have
* been disabled with the `BR_OPT_NO_RENEGOTIATION` flag, or if there
* is buffered incoming application data, then this function returns 0
* and nothing else happens.
*
* Otherwise, this function returns 1, and a renegotiation attempt is
* triggered (if a handshake is already ongoing at that point, then
* no new handshake is triggered).
*
* \param cc SSL engine context.
* \return 1 on success, 0 on error.
*/
int br_ssl_engine_renegotiate(br_ssl_engine_context *cc);
/**
* \brief Export key material from a connected SSL engine (RFC 5705).
*
* This calls compute a secret key of arbitrary length from the master
* secret of a connected SSL engine. If the provided context is not
* currently in "application data" state (initial handshake is not
* finished, another handshake is ongoing, or the connection failed or
* was closed), then this function returns 0. Otherwise, a secret key of
* length `len` bytes is computed and written in the buffer pointed to
* by `dst`, and 1 is returned.
*
* The computed key follows the specification described in RFC 5705.
* That RFC includes two key computations, with and without a "context
* value". If `context` is `NULL`, then the variant without context is
* used; otherwise, the `context_len` bytes located at the address
* pointed to by `context` are used in the computation. Note that it
* is possible to have a "with context" key with a context length of
* zero bytes, by setting `context` to a non-`NULL` value but
* `context_len` to 0.
*
* When context bytes are used, the context length MUST NOT exceed
* 65535 bytes.
*
* \param cc SSL engine context.
* \param dst destination buffer for exported key.
* \param len exported key length (in bytes).
* \param label disambiguation label.
* \param context context value (or `NULL`).
* \param context_len context length (in bytes).
* \return 1 on success, 0 on error.
*/
int br_ssl_key_export(br_ssl_engine_context *cc,
void *dst, size_t len, const char *label,
const void *context, size_t context_len);
/*
* Pre-declaration for the SSL client context.
*/
typedef struct br_ssl_client_context_ br_ssl_client_context;
/**
* \brief Type for the client certificate, if requested by the server.
*/
typedef struct {
/**
* \brief Authentication type.
*
* This is either `BR_AUTH_RSA` (RSA signature), `BR_AUTH_ECDSA`
* (ECDSA signature), or `BR_AUTH_ECDH` (static ECDH key exchange).
*/
int auth_type;
/**
* \brief Hash function for computing the CertificateVerify.
*
* This is the symbolic identifier for the hash function that
* will be used to produce the hash of handshake messages, to
* be signed into the CertificateVerify. For full static ECDH
* (client and server certificates are both EC in the same
* curve, and static ECDH is used), this value is set to -1.
*
* Take care that with TLS 1.0 and 1.1, that value MUST match
* the protocol requirements: value must be 0 (MD5+SHA-1) for
* a RSA signature, or 2 (SHA-1) for an ECDSA signature. Only
* TLS 1.2 allows for other hash functions.
*/
int hash_id;
/**
* \brief Certificate chain to send to the server.
*
* This is an array of `br_x509_certificate` objects, each
* normally containing a DER-encoded certificate. The client
* code does not try to decode these elements. If there is no
* chain to send to the server, then this pointer shall be
* set to `NULL`.
*/
const br_x509_certificate *chain;
/**
* \brief Certificate chain length (number of certificates).
*
* If there is no chain to send to the server, then this value
* shall be set to 0.
*/
size_t chain_len;
} br_ssl_client_certificate;
/*
* Note: the constants below for signatures match the TLS constants.
*/
/** \brief Client authentication type: static ECDH. */
#define BR_AUTH_ECDH 0
/** \brief Client authentication type: RSA signature. */
#define BR_AUTH_RSA 1
/** \brief Client authentication type: ECDSA signature. */
#define BR_AUTH_ECDSA 3
/**
* \brief Class type for a certificate handler (client side).
*
* A certificate handler selects a client certificate chain to send to
* the server, upon explicit request from that server. It receives
* the list of trust anchor DN from the server, and supported types
* of certificates and signatures, and returns the chain to use. It
* is also invoked to perform the corresponding private key operation
* (a signature, or an ECDH computation).
*
* The SSL client engine will first push the trust anchor DN with
* `start_name_list()`, `start_name()`, `append_name()`, `end_name()`
* and `end_name_list()`. Then it will call `choose()`, to select the
* actual chain (and signature/hash algorithms). Finally, it will call
* either `do_sign()` or `do_keyx()`, depending on the algorithm choices.
*/
typedef struct br_ssl_client_certificate_class_ br_ssl_client_certificate_class;
struct br_ssl_client_certificate_class_ {
/**
* \brief Context size (in bytes).
*/
size_t context_size;
/**
* \brief Begin reception of a list of trust anchor names. This
* is called while parsing the incoming CertificateRequest.
*
* \param pctx certificate handler context.
*/
void (*start_name_list)(const br_ssl_client_certificate_class **pctx);
/**
* \brief Begin reception of a new trust anchor name.
*
* The total encoded name length is provided; it is less than
* 65535 bytes.
*
* \param pctx certificate handler context.
* \param len encoded name length (in bytes).
*/
void (*start_name)(const br_ssl_client_certificate_class **pctx,
size_t len);
/**
* \brief Receive some more bytes for the current trust anchor name.
*
* The provided reference (`data`) points to a transient buffer
* they may be reused as soon as this function returns. The chunk
* length (`len`) is never zero.
*
* \param pctx certificate handler context.
* \param data anchor name chunk.
* \param len anchor name chunk length (in bytes).
*/
void (*append_name)(const br_ssl_client_certificate_class **pctx,
const unsigned char *data, size_t len);
/**
* \brief End current trust anchor name.
*
* This function is called when all the encoded anchor name data
* has been provided.
*
* \param pctx certificate handler context.
*/
void (*end_name)(const br_ssl_client_certificate_class **pctx);
/**
* \brief End list of trust anchor names.
*
* This function is called when all the anchor names in the
* CertificateRequest message have been obtained.
*
* \param pctx certificate handler context.
*/
void (*end_name_list)(const br_ssl_client_certificate_class **pctx);
/**
* \brief Select client certificate and algorithms.
*
* This callback function shall fill the provided `choices`
* structure with the selected algorithms and certificate chain.
* The `hash_id`, `chain` and `chain_len` fields must be set. If
* the client cannot or does not wish to send a certificate,
* then it shall set `chain` to `NULL` and `chain_len` to 0.
*
* The `auth_types` parameter describes the authentication types,
* signature algorithms and hash functions that are supported by
* both the client context and the server, and compatible with
* the current protocol version. This is a bit field with the
* following contents:
*
* - If RSA signatures with hash function x are supported, then
* bit x is set.
*
* - If ECDSA signatures with hash function x are supported,
* then bit 8+x is set.
*
* - If static ECDH is supported, with a RSA-signed certificate,
* then bit 16 is set.
*
* - If static ECDH is supported, with an ECDSA-signed certificate,
* then bit 17 is set.
*
* Notes:
*
* - When using TLS 1.0 or 1.1, the hash function for RSA
* signatures is always the special MD5+SHA-1 (id 0), and the
* hash function for ECDSA signatures is always SHA-1 (id 2).
*
* - When using TLS 1.2, the list of hash functions is trimmed
* down to include only hash functions that the client context
* can support. The actual server list can be obtained with
* `br_ssl_client_get_server_hashes()`; that list may be used
* to select the certificate chain to send to the server.
*
* \param pctx certificate handler context.
* \param cc SSL client context.
* \param auth_types supported authentication types and algorithms.
* \param choices destination structure for the policy choices.
*/
void (*choose)(const br_ssl_client_certificate_class **pctx,
const br_ssl_client_context *cc, uint32_t auth_types,
br_ssl_client_certificate *choices);
/**
* \brief Perform key exchange (client part).
*
* This callback is invoked in case of a full static ECDH key
* exchange:
*
* - the cipher suite uses `ECDH_RSA` or `ECDH_ECDSA`;
*
* - the server requests a client certificate;
*
* - the client has, and sends, a client certificate that
* uses an EC key in the same curve as the server's key,
* and chooses static ECDH (the `hash_id` field in the choice
* structure was set to -1).
*
* In that situation, this callback is invoked to compute the
* client-side ECDH: the provided `data` (of length `*len` bytes)
* is the server's public key point (as decoded from its
* certificate), and the client shall multiply that point with
* its own private key, and write back the X coordinate of the
* resulting point in the same buffer, starting at offset 0.
* The `*len` value shall be modified to designate the actual
* length of the X coordinate.
*
* The callback must uphold the following:
*
* - If the input array does not have the proper length for
* an encoded curve point, then an error (0) shall be reported.
*
* - If the input array has the proper length, then processing
* MUST be constant-time, even if the data is not a valid
* encoded point.
*
* - This callback MUST check that the input point is valid.
*
* Returned value is 1 on success, 0 on error.
*
* \param pctx certificate handler context.
* \param data server public key point.
* \param len public key point length / X coordinate length.
* \return 1 on success, 0 on error.
*/
uint32_t (*do_keyx)(const br_ssl_client_certificate_class **pctx,
unsigned char *data, size_t *len);
/**
* \brief Perform a signature (client authentication).
*
* This callback is invoked when a client certificate was sent,
* and static ECDH is not used. It shall compute a signature,
* using the client's private key, over the provided hash value
* (which is the hash of all previous handshake messages).
*
* On input, the hash value to sign is in `data`, of size
* `hv_len`; the involved hash function is identified by
* `hash_id`. The signature shall be computed and written
* back into `data`; the total size of that buffer is `len`
* bytes.
*
* This callback shall verify that the signature length does not
* exceed `len` bytes, and abstain from writing the signature if
* it does not fit.
*
* For RSA signatures, the `hash_id` may be 0, in which case
* this is the special header-less signature specified in TLS 1.0
* and 1.1, with a 36-byte hash value. Otherwise, normal PKCS#1
* v1.5 signatures shall be computed.
*
* For ECDSA signatures, the signature value shall use the ASN.1
* based encoding.
*
* Returned value is the signature length (in bytes), or 0 on error.
*
* \param pctx certificate handler context.
* \param hash_id hash function identifier.
* \param hv_len hash value length (in bytes).
* \param data input/output buffer (hash value, then signature).
* \param len total buffer length (in bytes).
* \return signature length (in bytes) on success, or 0 on error.
*/
size_t (*do_sign)(const br_ssl_client_certificate_class **pctx,
int hash_id, size_t hv_len, unsigned char *data, size_t len);
};
/**
* \brief A single-chain RSA client certificate handler.
*
* This handler uses a single certificate chain, with a RSA
* signature. The list of trust anchor DN is ignored.
*
* Apart from the first field (vtable pointer), its contents are
* opaque and shall not be accessed directly.
*/
typedef struct {
/** \brief Pointer to vtable. */
const br_ssl_client_certificate_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
const br_x509_certificate *chain;
size_t chain_len;
const br_rsa_private_key *sk;
br_rsa_pkcs1_sign irsasign;
#endif
} br_ssl_client_certificate_rsa_context;
/**
* \brief A single-chain EC client certificate handler.
*
* This handler uses a single certificate chain, with a RSA
* signature. The list of trust anchor DN is ignored.
*
* This handler may support both static ECDH, and ECDSA signatures
* (either usage may be selectively disabled).
*
* Apart from the first field (vtable pointer), its contents are
* opaque and shall not be accessed directly.
*/
typedef struct {
/** \brief Pointer to vtable. */
const br_ssl_client_certificate_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
const br_x509_certificate *chain;
size_t chain_len;
const br_ec_private_key *sk;
unsigned allowed_usages;
unsigned issuer_key_type;
const br_multihash_context *mhash;
const br_ec_impl *iec;
br_ecdsa_sign iecdsa;
#endif
} br_ssl_client_certificate_ec_context;
/**
* \brief Context structure for a SSL client.
*
* The first field (called `eng`) is the SSL engine; all functions that
* work on a `br_ssl_engine_context` structure shall take as parameter
* a pointer to that field. The other structure fields are opaque and
* must not be accessed directly.
*/
struct br_ssl_client_context_ {
/**
* \brief The encapsulated engine context.
*/
br_ssl_engine_context eng;
#ifndef BR_DOXYGEN_IGNORE
/*
* Minimum ClientHello length; padding with an extension (RFC
* 7685) is added if necessary to match at least that length.
* Such padding is nominally unnecessary, but it has been used
* to work around some server implementation bugs.
*/
uint16_t min_clienthello_len;
/*
* Bit field for algoithms (hash + signature) supported by the
* server when requesting a client certificate.
*/
uint32_t hashes;
/*
* Server's public key curve.
*/
int server_curve;
/*
* Context for certificate handler.
*/
const br_ssl_client_certificate_class **client_auth_vtable;
/*
* Client authentication type.
*/
unsigned char auth_type;
/*
* Hash function to use for the client signature. This is 0xFF
* if static ECDH is used.
*/
unsigned char hash_id;
/*
* For the core certificate handlers, thus avoiding (in most
* cases) the need for an externally provided policy context.
*/
union {
const br_ssl_client_certificate_class *vtable;
br_ssl_client_certificate_rsa_context single_rsa;
br_ssl_client_certificate_ec_context single_ec;
} client_auth;
/*
* Implementations.
*/
br_rsa_public irsapub;
#endif
};
/**
* \brief Get the hash functions and signature algorithms supported by
* the server.
*
* This value is a bit field:
*
* - If RSA (PKCS#1 v1.5) is supported with hash function of ID `x`,
* then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1,
* or 2 to 6 for the SHA family).
*
* - If ECDSA is supported with hash function of ID `x`, then bit `8+x`
* is set.
*
* - Newer algorithms are symbolic 16-bit identifiers that do not
* represent signature algorithm and hash function separately. If
* the TLS-level identifier is `0x0800+x` for a `x` in the 0..15
* range, then bit `16+x` is set.
*
* "New algorithms" are currently defined only in draft documents, so
* this support is subject to possible change. Right now (early 2017),
* this maps ed25519 (EdDSA on Curve25519) to bit 23, and ed448 (EdDSA
* on Curve448) to bit 24. If the identifiers on the wire change in
* future document, then the decoding mechanism in BearSSL will be
* amended to keep mapping ed25519 and ed448 on bits 23 and 24,
* respectively. Mapping of other new algorithms (e.g. RSA/PSS) is not
* guaranteed yet.
*
* \param cc client context.
* \return the server-supported hash functions and signature algorithms.
*/
static inline uint32_t
br_ssl_client_get_server_hashes(const br_ssl_client_context *cc)
{
return cc->hashes;
}
/**
* \brief Get the server key curve.
*
* This function returns the ID for the curve used by the server's public
* key. This is set when the server's certificate chain is processed;
* this value is 0 if the server's key is not an EC key.
*
* \return the server's public key curve ID, or 0.
*/
static inline int
br_ssl_client_get_server_curve(const br_ssl_client_context *cc)
{
return cc->server_curve;
}
/*
* Each br_ssl_client_init_xxx() function sets the list of supported
* cipher suites and used implementations, as specified by the profile
* name 'xxx'. Defined profile names are:
*
* full all supported versions and suites; constant-time implementations
* TODO: add other profiles
*/
/**
* \brief SSL client profile: full.
*
* This function initialises the provided SSL client context with
* all supported algorithms and cipher suites. It also initialises
* a companion X.509 validation engine with all supported algorithms,
* and the provided trust anchors; the X.509 engine will be used by
* the client context to validate the server's certificate.
*
* \param cc client context to initialise.
* \param xc X.509 validation context to initialise.
* \param trust_anchors trust anchors to use.
* \param trust_anchors_num number of trust anchors.
*/
void br_ssl_client_init_full(br_ssl_client_context *cc,
br_x509_minimal_context *xc,
const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);
/**
* \brief Clear the complete contents of a SSL client context.
*
* Everything is cleared, including the reference to the configured buffer,
* implementations, cipher suites and state. This is a preparatory step
* to assembling a custom profile.
*
* \param cc client context to clear.
*/
void br_ssl_client_zero(br_ssl_client_context *cc);
/**
* \brief Set an externally provided client certificate handler context.
*
* The handler's methods are invoked when the server requests a client
* certificate.
*
* \param cc client context.
* \param pctx certificate handler context (pointer to its vtable field).
*/
static inline void
br_ssl_client_set_client_certificate(br_ssl_client_context *cc,
const br_ssl_client_certificate_class **pctx)
{
cc->client_auth_vtable = pctx;
}
/**
* \brief Set the RSA public-key operations implementation.
*
* This will be used to encrypt the pre-master secret with the server's
* RSA public key (RSA-encryption cipher suites only).
*
* \param cc client context.
* \param irsapub RSA public-key encryption implementation.
*/
static inline void
br_ssl_client_set_rsapub(br_ssl_client_context *cc, br_rsa_public irsapub)
{
cc->irsapub = irsapub;
}
/**
* \brief Set the "default" RSA implementation for public-key operations.
*
* This sets the RSA implementation in the client context (for encrypting
* the pre-master secret, in `TLS_RSA_*` cipher suites) to the fastest
* available on the current platform.
*
* \param cc client context.
*/
void br_ssl_client_set_default_rsapub(br_ssl_client_context *cc);
/**
* \brief Set the minimum ClientHello length (RFC 7685 padding).
*
* If this value is set and the ClientHello would be shorter, then
* the Pad ClientHello extension will be added with enough padding bytes
* to reach the target size. Because of the extension header, the resulting
* size will sometimes be slightly more than `len` bytes if the target
* size cannot be exactly met.
*
* The target length relates to the _contents_ of the ClientHello, not
* counting its 4-byte header. For instance, if `len` is set to 512,
* then the padding will bring the ClientHello size to 516 bytes with its
* header, and 521 bytes when counting the 5-byte record header.
*
* \param cc client context.
* \param len minimum ClientHello length (in bytes).
*/
static inline void
br_ssl_client_set_min_clienthello_len(br_ssl_client_context *cc, uint16_t len)
{
cc->min_clienthello_len = len;
}
/**
* \brief Prepare or reset a client context for a new connection.
*
* The `server_name` parameter is used to fill the SNI extension; the
* X.509 "minimal" engine will also match that name against the server
* names included in the server's certificate. If the parameter is
* `NULL` then no SNI extension will be sent, and the X.509 "minimal"
* engine (if used for server certificate validation) will not check
* presence of any specific name in the received certificate.
*
* Therefore, setting the `server_name` to `NULL` shall be reserved
* to cases where alternate or additional methods are used to ascertain
* that the right server public key is used (e.g. a "known key" model).
*
* If `resume_session` is non-zero and the context was previously used
* then the session parameters may be reused (depending on whether the
* server previously sent a non-empty session ID, and accepts the session
* resumption). The session parameters for session resumption can also
* be set explicitly with `br_ssl_engine_set_session_parameters()`.
*
* On failure, the context is marked as failed, and this function
* returns 0. A possible failure condition is when no initial entropy
* was injected, and none could be obtained from the OS (either OS
* randomness gathering is not supported, or it failed).
*
* \param cc client context.
* \param server_name target server name, or `NULL`.
* \param resume_session non-zero to try session resumption.
* \return 0 on failure, 1 on success.
*/
int br_ssl_client_reset(br_ssl_client_context *cc,
const char *server_name, int resume_session);
/**
* \brief Forget any session in the context.
*
* This means that the next handshake that uses this context will
* necessarily be a full handshake (this applies both to new connections
* and to renegotiations).
*
* \param cc client context.
*/
static inline void
br_ssl_client_forget_session(br_ssl_client_context *cc)
{
cc->eng.session.session_id_len = 0;
}
/**
* \brief Set client certificate chain and key (single RSA case).
*
* This function sets a client certificate chain, that the client will
* send to the server whenever a client certificate is requested. This
* certificate uses an RSA public key; the corresponding private key is
* invoked for authentication. Trust anchor names sent by the server are
* ignored.
*
* The provided chain and private key are linked in the client context;
* they must remain valid as long as they may be used, i.e. normally
* for the duration of the connection, since they might be invoked
* again upon renegotiations.
*
* \param cc SSL client context.
* \param chain client certificate chain (SSL order: EE comes first).
* \param chain_len client chain length (number of certificates).
* \param sk client private key.
* \param irsasign RSA signature implementation (PKCS#1 v1.5).
*/
void br_ssl_client_set_single_rsa(br_ssl_client_context *cc,
const br_x509_certificate *chain, size_t chain_len,
const br_rsa_private_key *sk, br_rsa_pkcs1_sign irsasign);
/*
* \brief Set the client certificate chain and key (single EC case).
*
* This function sets a client certificate chain, that the client will
* send to the server whenever a client certificate is requested. This
* certificate uses an EC public key; the corresponding private key is
* invoked for authentication. Trust anchor names sent by the server are
* ignored.
*
* The provided chain and private key are linked in the client context;
* they must remain valid as long as they may be used, i.e. normally
* for the duration of the connection, since they might be invoked
* again upon renegotiations.
*
* The `allowed_usages` is a combination of usages, namely
* `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`. The `BR_KEYTYPE_KEYX`
* value allows full static ECDH, while the `BR_KEYTYPE_SIGN` value
* allows ECDSA signatures. If ECDSA signatures are used, then an ECDSA
* signature implementation must be provided; otherwise, the `iecdsa`
* parameter may be 0.
*
* The `cert_issuer_key_type` value is either `BR_KEYTYPE_RSA` or
* `BR_KEYTYPE_EC`; it is the type of the public key used the the CA
* that issued (signed) the client certificate. That value is used with
* full static ECDH: support of the certificate by the server depends
* on how the certificate was signed. (Note: when using TLS 1.2, this
* parameter is ignored; but its value matters for TLS 1.0 and 1.1.)
*
* \param cc server context.
* \param chain server certificate chain to send.
* \param chain_len chain length (number of certificates).
* \param sk server private key (EC).
* \param allowed_usages allowed private key usages.
* \param cert_issuer_key_type issuing CA's key type.
* \param iec EC core implementation.
* \param iecdsa ECDSA signature implementation ("asn1" format).
*/
void br_ssl_client_set_single_ec(br_ssl_client_context *cc,
const br_x509_certificate *chain, size_t chain_len,
const br_ec_private_key *sk, unsigned allowed_usages,
unsigned cert_issuer_key_type,
const br_ec_impl *iec, br_ecdsa_sign iecdsa);
/**
* \brief Type for a "translated cipher suite", as an array of two
* 16-bit integers.
*
* The first element is the cipher suite identifier (as used on the wire).
* The second element is the concatenation of four 4-bit elements which
* characterise the cipher suite contents. In most to least significant
* order, these 4-bit elements are:
*
* - Bits 12 to 15: key exchange + server key type
*
* | val | symbolic constant | suite type | details |
* | :-- | :----------------------- | :---------- | :----------------------------------------------- |
* | 0 | `BR_SSLKEYX_RSA` | RSA | RSA key exchange, key is RSA (encryption) |
* | 1 | `BR_SSLKEYX_ECDHE_RSA` | ECDHE_RSA | ECDHE key exchange, key is RSA (signature) |
* | 2 | `BR_SSLKEYX_ECDHE_ECDSA` | ECDHE_ECDSA | ECDHE key exchange, key is EC (signature) |
* | 3 | `BR_SSLKEYX_ECDH_RSA` | ECDH_RSA | Key is EC (key exchange), cert signed with RSA |
* | 4 | `BR_SSLKEYX_ECDH_ECDSA` | ECDH_ECDSA | Key is EC (key exchange), cert signed with ECDSA |
*
* - Bits 8 to 11: symmetric encryption algorithm
*
* | val | symbolic constant | symmetric encryption | key strength (bits) |
* | :-- | :--------------------- | :------------------- | :------------------ |
* | 0 | `BR_SSLENC_3DES_CBC` | 3DES/CBC | 168 |
* | 1 | `BR_SSLENC_AES128_CBC` | AES-128/CBC | 128 |
* | 2 | `BR_SSLENC_AES256_CBC` | AES-256/CBC | 256 |
* | 3 | `BR_SSLENC_AES128_GCM` | AES-128/GCM | 128 |
* | 4 | `BR_SSLENC_AES256_GCM` | AES-256/GCM | 256 |
* | 5 | `BR_SSLENC_CHACHA20` | ChaCha20/Poly1305 | 256 |
*
* - Bits 4 to 7: MAC algorithm
*
* | val | symbolic constant | MAC type | details |
* | :-- | :----------------- | :----------- | :------------------------------------ |
* | 0 | `BR_SSLMAC_AEAD` | AEAD | No dedicated MAC (encryption is AEAD) |
* | 2 | `BR_SSLMAC_SHA1` | HMAC/SHA-1 | Value matches `br_sha1_ID` |
* | 4 | `BR_SSLMAC_SHA256` | HMAC/SHA-256 | Value matches `br_sha256_ID` |
* | 5 | `BR_SSLMAC_SHA384` | HMAC/SHA-384 | Value matches `br_sha384_ID` |
*
* - Bits 0 to 3: hash function for PRF when used with TLS-1.2
*
* | val | symbolic constant | hash function | details |
* | :-- | :----------------- | :------------ | :----------------------------------- |
* | 4 | `BR_SSLPRF_SHA256` | SHA-256 | Value matches `br_sha256_ID` |
* | 5 | `BR_SSLPRF_SHA384` | SHA-384 | Value matches `br_sha384_ID` |
*
* For instance, cipher suite `TLS_RSA_WITH_AES_128_GCM_SHA256` has
* standard identifier 0x009C, and is translated to 0x0304, for, in
* that order: RSA key exchange (0), AES-128/GCM (3), AEAD integrity (0),
* SHA-256 in the TLS PRF (4).
*/
typedef uint16_t br_suite_translated[2];
#ifndef BR_DOXYGEN_IGNORE
/*
* Constants are already documented in the br_suite_translated type.
*/
#define BR_SSLKEYX_RSA 0
#define BR_SSLKEYX_ECDHE_RSA 1
#define BR_SSLKEYX_ECDHE_ECDSA 2
#define BR_SSLKEYX_ECDH_RSA 3
#define BR_SSLKEYX_ECDH_ECDSA 4
#define BR_SSLENC_3DES_CBC 0
#define BR_SSLENC_AES128_CBC 1
#define BR_SSLENC_AES256_CBC 2
#define BR_SSLENC_AES128_GCM 3
#define BR_SSLENC_AES256_GCM 4
#define BR_SSLENC_CHACHA20 5
#define BR_SSLMAC_AEAD 0
#define BR_SSLMAC_SHA1 br_sha1_ID
#define BR_SSLMAC_SHA256 br_sha256_ID
#define BR_SSLMAC_SHA384 br_sha384_ID
#define BR_SSLPRF_SHA256 br_sha256_ID
#define BR_SSLPRF_SHA384 br_sha384_ID
#endif
/*
* Pre-declaration for the SSL server context.
*/
typedef struct br_ssl_server_context_ br_ssl_server_context;
/**
* \brief Type for the server policy choices, taken after analysis of
* the client message (ClientHello).
*/
typedef struct {
/**
* \brief Cipher suite to use with that client.
*/
uint16_t cipher_suite;
/**
* \brief Hash function or algorithm for signing the ServerKeyExchange.
*
* This parameter is ignored for `TLS_RSA_*` and `TLS_ECDH_*`
* cipher suites; it is used only for `TLS_ECDHE_*` suites, in
* which the server _signs_ the ephemeral EC Diffie-Hellman
* parameters sent to the client.
*
* This identifier must be one of the following values:
*
* - `0xFF00 + id`, where `id` is a hash function identifier
* (0 for MD5+SHA-1, or 2 to 6 for one of the SHA functions);
*
* - a full 16-bit identifier, lower than `0xFF00`.
*
* If the first option is used, then the SSL engine will
* compute the hash of the data that is to be signed, with the
* designated hash function. The `do_sign()` method will be
* invoked with that hash value provided in the the `data`
* buffer.
*
* If the second option is used, then the SSL engine will NOT
* compute a hash on the data; instead, it will provide the
* to-be-signed data itself in `data`, i.e. the concatenation of
* the client random, server random, and encoded ECDH
* parameters. Furthermore, with TLS-1.2 and later, the 16-bit
* identifier will be used "as is" in the protocol, in the
* SignatureAndHashAlgorithm; for instance, `0x0401` stands for
* RSA PKCS#1 v1.5 signature (the `01`) with SHA-256 as hash
* function (the `04`).
*
* Take care that with TLS 1.0 and 1.1, the hash function is
* constrainted by the protocol: RSA signature must use
* MD5+SHA-1 (so use `0xFF00`), while ECDSA must use SHA-1
* (`0xFF02`). Since TLS 1.0 and 1.1 don't include a
* SignatureAndHashAlgorithm field in their ServerKeyExchange
* messages, any value below `0xFF00` will be usable to send the
* raw ServerKeyExchange data to the `do_sign()` callback, but
* that callback must still follow the protocol requirements
* when generating the signature.
*/
unsigned algo_id;
/**
* \brief Certificate chain to send to the client.
*
* This is an array of `br_x509_certificate` objects, each
* normally containing a DER-encoded certificate. The server
* code does not try to decode these elements.
*/
const br_x509_certificate *chain;
/**
* \brief Certificate chain length (number of certificates).
*/
size_t chain_len;
} br_ssl_server_choices;
/**
* \brief Class type for a policy handler (server side).
*
* A policy handler selects the policy parameters for a connection
* (cipher suite and other algorithms, and certificate chain to send to
* the client); it also performs the server-side computations involving
* its permanent private key.
*
* The SSL server engine will invoke first `choose()`, once the
* ClientHello message has been received, then either `do_keyx()`
* `do_sign()`, depending on the cipher suite.
*/
typedef struct br_ssl_server_policy_class_ br_ssl_server_policy_class;
struct br_ssl_server_policy_class_ {
/**
* \brief Context size (in bytes).
*/
size_t context_size;
/**
* \brief Select algorithms and certificates for this connection.
*
* This callback function shall fill the provided `choices`
* structure with the policy choices for this connection. This
* entails selecting the cipher suite, hash function for signing
* the ServerKeyExchange (applicable only to ECDHE cipher suites),
* and certificate chain to send.
*
* The callback receives a pointer to the server context that
* contains the relevant data. In particular, the functions
* `br_ssl_server_get_client_suites()`,
* `br_ssl_server_get_client_hashes()` and
* `br_ssl_server_get_client_curves()` can be used to obtain
* the cipher suites, hash functions and elliptic curves
* supported by both the client and server, respectively. The
* `br_ssl_engine_get_version()` and `br_ssl_engine_get_server_name()`
* functions yield the protocol version and requested server name
* (SNI), respectively.
*
* This function may modify its context structure (`pctx`) in
* arbitrary ways to keep track of its own choices.
*
* This function shall return 1 if appropriate policy choices
* could be made, or 0 if this connection cannot be pursued.
*
* \param pctx policy context.
* \param cc SSL server context.
* \param choices destination structure for the policy choices.
* \return 1 on success, 0 on error.
*/
int (*choose)(const br_ssl_server_policy_class **pctx,
const br_ssl_server_context *cc,
br_ssl_server_choices *choices);
/**
* \brief Perform key exchange (server part).
*
* This callback is invoked to perform the server-side cryptographic
* operation for a key exchange that is not ECDHE. This callback
* uses the private key.
*
* **For RSA key exchange**, the provided `data` (of length `*len`
* bytes) shall be decrypted with the server's private key, and
* the 48-byte premaster secret copied back to the first 48 bytes
* of `data`.
*
* - The caller makes sure that `*len` is at least 59 bytes.
*
* - This callback MUST check that the provided length matches
* that of the key modulus; it shall report an error otherwise.
*
* - If the length matches that of the RSA key modulus, then
* processing MUST be constant-time, even if decryption fails,
* or the padding is incorrect, or the plaintext message length
* is not exactly 48 bytes.
*
* - This callback needs not check the two first bytes of the
* obtained pre-master secret (the caller will do that).
*
* - If an error is reported (0), then what the callback put
* in the first 48 bytes of `data` is unimportant (the caller
* will use random bytes instead).
*
* **For ECDH key exchange**, the provided `data` (of length `*len`
* bytes) is the elliptic curve point from the client. The
* callback shall multiply it with its private key, and store
* the resulting X coordinate in `data`, starting at offset 0,
* and set `*len` to the length of the X coordinate.
*
* - If the input array does not have the proper length for
* an encoded curve point, then an error (0) shall be reported.
*
* - If the input array has the proper length, then processing
* MUST be constant-time, even if the data is not a valid
* encoded point.
*
* - This callback MUST check that the input point is valid.
*
* Returned value is 1 on success, 0 on error.
*
* \param pctx policy context.
* \param data key exchange data from the client.
* \param len key exchange data length (in bytes).
* \return 1 on success, 0 on error.
*/
uint32_t (*do_keyx)(const br_ssl_server_policy_class **pctx,
unsigned char *data, size_t *len);
/**
* \brief Perform a signature (for a ServerKeyExchange message).
*
* This callback function is invoked for ECDHE cipher suites. On
* input, the hash value or message to sign is in `data`, of
* size `hv_len`; the involved hash function or algorithm is
* identified by `algo_id`. The signature shall be computed and
* written back into `data`; the total size of that buffer is
* `len` bytes.
*
* This callback shall verify that the signature length does not
* exceed `len` bytes, and abstain from writing the signature if
* it does not fit.
*
* The `algo_id` value matches that which was written in the
* `choices` structures by the `choose()` callback. This will be
* one of the following:
*
* - `0xFF00 + id` for a hash function identifier `id`. In
* that case, the `data` buffer contains a hash value
* already computed over the data that is to be signed,
* of length `hv_len`. The `id` may be 0 to designate the
* special MD5+SHA-1 concatenation (old-style RSA signing).
*
* - Another value, lower than `0xFF00`. The `data` buffer
* then contains the raw, non-hashed data to be signed
* (concatenation of the client and server randoms and
* ECDH parameters). The callback is responsible to apply
* any relevant hashing as part of the signing process.
*
* Returned value is the signature length (in bytes), or 0 on error.
*
* \param pctx policy context.
* \param algo_id hash function / algorithm identifier.
* \param data input/output buffer (message/hash, then signature).
* \param hv_len hash value or message length (in bytes).
* \param len total buffer length (in bytes).
* \return signature length (in bytes) on success, or 0 on error.
*/
size_t (*do_sign)(const br_ssl_server_policy_class **pctx,
unsigned algo_id,
unsigned char *data, size_t hv_len, size_t len);
};
/**
* \brief A single-chain RSA policy handler.
*
* This policy context uses a single certificate chain, and a RSA
* private key. The context can be restricted to only signatures or
* only key exchange.
*
* Apart from the first field (vtable pointer), its contents are
* opaque and shall not be accessed directly.
*/
typedef struct {
/** \brief Pointer to vtable. */
const br_ssl_server_policy_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
const br_x509_certificate *chain;
size_t chain_len;
const br_rsa_private_key *sk;
unsigned allowed_usages;
br_rsa_private irsacore;
br_rsa_pkcs1_sign irsasign;
#endif
} br_ssl_server_policy_rsa_context;
/**
* \brief A single-chain EC policy handler.
*
* This policy context uses a single certificate chain, and an EC
* private key. The context can be restricted to only signatures or
* only key exchange.
*
* Due to how TLS is defined, this context must be made aware whether
* the server certificate was itself signed with RSA or ECDSA. The code
* does not try to decode the certificate to obtain that information.
*
* Apart from the first field (vtable pointer), its contents are
* opaque and shall not be accessed directly.
*/
typedef struct {
/** \brief Pointer to vtable. */
const br_ssl_server_policy_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
const br_x509_certificate *chain;
size_t chain_len;
const br_ec_private_key *sk;
unsigned allowed_usages;
unsigned cert_issuer_key_type;
const br_multihash_context *mhash;
const br_ec_impl *iec;
br_ecdsa_sign iecdsa;
#endif
} br_ssl_server_policy_ec_context;
/**
* \brief Class type for a session parameter cache.
*
* Session parameters are saved in the cache with `save()`, and
* retrieved with `load()`. The cache implementation can apply any
* storage and eviction strategy that it sees fit. The SSL server
* context that performs the request is provided, so that its
* functionalities may be used by the implementation (e.g. hash
* functions or random number generation).
*/
typedef struct br_ssl_session_cache_class_ br_ssl_session_cache_class;
struct br_ssl_session_cache_class_ {
/**
* \brief Context size (in bytes).
*/
size_t context_size;
/**
* \brief Record a session.
*
* This callback should record the provided session parameters.
* The `params` structure is transient, so its contents shall
* be copied into the cache. The session ID has been randomly
* generated and always has length exactly 32 bytes.
*
* \param ctx session cache context.
* \param server_ctx SSL server context.
* \param params session parameters to save.
*/
void (*save)(const br_ssl_session_cache_class **ctx,
br_ssl_server_context *server_ctx,
const br_ssl_session_parameters *params);
/**
* \brief Lookup a session in the cache.
*
* The session ID to lookup is in `params` and always has length
* exactly 32 bytes. If the session parameters are found in the
* cache, then the parameters shall be copied into the `params`
* structure. Returned value is 1 on successful lookup, 0
* otherwise.
*
* \param ctx session cache context.
* \param server_ctx SSL server context.
* \param params destination for session parameters.
* \return 1 if found, 0 otherwise.
*/
int (*load)(const br_ssl_session_cache_class **ctx,
br_ssl_server_context *server_ctx,
br_ssl_session_parameters *params);
};
/**
* \brief Context for a basic cache system.
*
* The system stores session parameters in a buffer provided at
* initialisation time. Each entry uses exactly 100 bytes, and
* buffer sizes up to 4294967295 bytes are supported.
*
* Entries are evicted with a LRU (Least Recently Used) policy. A
* search tree is maintained to keep lookups fast even with large
* caches.
*
* Apart from the first field (vtable pointer), the structure
* contents are opaque and shall not be accessed directly.
*/
typedef struct {
/** \brief Pointer to vtable. */
const br_ssl_session_cache_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
unsigned char *store;
size_t store_len, store_ptr;
unsigned char index_key[32];
const br_hash_class *hash;
int init_done;
uint32_t head, tail, root;
#endif
} br_ssl_session_cache_lru;
/**
* \brief Initialise a LRU session cache with the provided storage space.
*
* The provided storage space must remain valid as long as the cache
* is used. Arbitrary lengths are supported, up to 4294967295 bytes;
* each entry uses up exactly 100 bytes.
*
* \param cc session cache context.
* \param store storage space for cached entries.
* \param store_len storage space length (in bytes).
*/
void br_ssl_session_cache_lru_init(br_ssl_session_cache_lru *cc,
unsigned char *store, size_t store_len);
/**
* \brief Forget an entry in an LRU session cache.
*
* The session cache context must have been initialised. The entry
* with the provided session ID (of exactly 32 bytes) is looked for
* in the cache; if located, it is disabled.
*
* \param cc session cache context.
* \param id session ID to forget.
*/
void br_ssl_session_cache_lru_forget(
br_ssl_session_cache_lru *cc, const unsigned char *id);
/**
* \brief Context structure for a SSL server.
*
* The first field (called `eng`) is the SSL engine; all functions that
* work on a `br_ssl_engine_context` structure shall take as parameter
* a pointer to that field. The other structure fields are opaque and
* must not be accessed directly.
*/
struct br_ssl_server_context_ {
/**
* \brief The encapsulated engine context.
*/
br_ssl_engine_context eng;
#ifndef BR_DOXYGEN_IGNORE
/*
* Maximum version from the client.
*/
uint16_t client_max_version;
/*
* Session cache.
*/
const br_ssl_session_cache_class **cache_vtable;
/*
* Translated cipher suites supported by the client. The list
* is trimmed to include only the cipher suites that the
* server also supports; they are in the same order as in the
* client message.
*/
br_suite_translated client_suites[BR_MAX_CIPHER_SUITES];
unsigned char client_suites_num;
/*
* Hash functions supported by the client, with ECDSA and RSA
* (bit mask). For hash function with id 'x', set bit index is
* x for RSA, x+8 for ECDSA. For newer algorithms, with ID
* 0x08**, bit 16+k is set for algorithm 0x0800+k.
*/
uint32_t hashes;
/*
* Curves supported by the client (bit mask, for named curves).
*/
uint32_t curves;
/*
* Context for chain handler.
*/
const br_ssl_server_policy_class **policy_vtable;
uint16_t sign_hash_id;
/*
* For the core handlers, thus avoiding (in most cases) the
* need for an externally provided policy context.
*/
union {
const br_ssl_server_policy_class *vtable;
br_ssl_server_policy_rsa_context single_rsa;
br_ssl_server_policy_ec_context single_ec;
} chain_handler;
/*
* Buffer for the ECDHE private key.
*/
unsigned char ecdhe_key[70];
size_t ecdhe_key_len;
/*
* Trust anchor names for client authentication. "ta_names" and
* "tas" cannot be both non-NULL.
*/
const br_x500_name *ta_names;
const br_x509_trust_anchor *tas;
size_t num_tas;
size_t cur_dn_index;
const unsigned char *cur_dn;
size_t cur_dn_len;
/*
* Buffer for the hash value computed over all handshake messages
* prior to CertificateVerify, and identifier for the hash function.
*/
unsigned char hash_CV[64];
size_t hash_CV_len;
int hash_CV_id;
/*
* Server-specific implementations.
* (none for now)
*/
#endif
};
/*
* Each br_ssl_server_init_xxx() function sets the list of supported
* cipher suites and used implementations, as specified by the profile
* name 'xxx'. Defined profile names are:
*
* full_rsa all supported algorithm, server key type is RSA
* full_ec all supported algorithm, server key type is EC
* TODO: add other profiles
*
* Naming scheme for "minimal" profiles: min123
*
* -- character 1: key exchange
* r = RSA
* e = ECDHE_RSA
* f = ECDHE_ECDSA
* u = ECDH_RSA
* v = ECDH_ECDSA
* -- character 2: version / PRF
* 0 = TLS 1.0 / 1.1 with MD5+SHA-1
* 2 = TLS 1.2 with SHA-256
* 3 = TLS 1.2 with SHA-384
* -- character 3: encryption
* a = AES/CBC
* d = 3DES/CBC
* g = AES/GCM
* c = ChaCha20+Poly1305
*/
/**
* \brief SSL server profile: full_rsa.
*
* This function initialises the provided SSL server context with
* all supported algorithms and cipher suites that rely on a RSA
* key pair.
*
* \param cc server context to initialise.
* \param chain server certificate chain.
* \param chain_len certificate chain length (number of certificate).
* \param sk RSA private key.
*/
void br_ssl_server_init_full_rsa(br_ssl_server_context *cc,
const br_x509_certificate *chain, size_t chain_len,
const br_rsa_private_key *sk);
/**
* \brief SSL server profile: full_ec.
*
* This function initialises the provided SSL server context with
* all supported algorithms and cipher suites that rely on an EC
* key pair.
*
* The key type of the CA that issued the server's certificate must
* be provided, since it matters for ECDH cipher suites (ECDH_RSA
* suites require a RSA-powered CA). The key type is either
* `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`.
*
* \param cc server context to initialise.
* \param chain server certificate chain.
* \param chain_len chain length (number of certificates).
* \param cert_issuer_key_type certificate issuer's key type.
* \param sk EC private key.
*/
void br_ssl_server_init_full_ec(br_ssl_server_context *cc,
const br_x509_certificate *chain, size_t chain_len,
unsigned cert_issuer_key_type, const br_ec_private_key *sk);
/**
* \brief SSL server profile: minr2g.
*
* This profile uses only TLS_RSA_WITH_AES_128_GCM_SHA256. Server key is
* RSA, and RSA key exchange is used (not forward secure, but uses little
* CPU in the client).
*
* \param cc server context to initialise.
* \param chain server certificate chain.
* \param chain_len certificate chain length (number of certificate).
* \param sk RSA private key.
*/
void br_ssl_server_init_minr2g(br_ssl_server_context *cc,
const br_x509_certificate *chain, size_t chain_len,
const br_rsa_private_key *sk);
/**
* \brief SSL server profile: mine2g.
*
* This profile uses only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Server key
* is RSA, and ECDHE key exchange is used. This suite provides forward
* security, with a higher CPU expense on the client, and a somewhat
* larger code footprint (compared to "minr2g").
*
* \param cc server context to initialise.
* \param chain server certificate chain.
* \param chain_len certificate chain length (number of certificate).
* \param sk RSA private key.
*/
void br_ssl_server_init_mine2g(br_ssl_server_context *cc,
const br_x509_certificate *chain, size_t chain_len,
const br_rsa_private_key *sk);
/**
* \brief SSL server profile: minf2g.
*
* This profile uses only TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
* Server key is EC, and ECDHE key exchange is used. This suite provides
* forward security, with a higher CPU expense on the client and server
* (by a factor of about 3 to 4), and a somewhat larger code footprint
* (compared to "minu2g" and "minv2g").
*
* \param cc server context to initialise.
* \param chain server certificate chain.
* \param chain_len certificate chain length (number of certificate).
* \param sk EC private key.
*/
void br_ssl_server_init_minf2g(br_ssl_server_context *cc,
const br_x509_certificate *chain, size_t chain_len,
const br_ec_private_key *sk);
/**
* \brief SSL server profile: minu2g.
*
* This profile uses only TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256.
* Server key is EC, and ECDH key exchange is used; the issuing CA used
* a RSA key.
*
* The "minu2g" and "minv2g" profiles do not provide forward secrecy,
* but are the lightest on the server (for CPU usage), and are rather
* inexpensive on the client as well.
*
* \param cc server context to initialise.
* \param chain server certificate chain.
* \param chain_len certificate chain length (number of certificate).
* \param sk EC private key.
*/
void br_ssl_server_init_minu2g(br_ssl_server_context *cc,
const br_x509_certificate *chain, size_t chain_len,
const br_ec_private_key *sk);
/**
* \brief SSL server profile: minv2g.
*
* This profile uses only TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256.
* Server key is EC, and ECDH key exchange is used; the issuing CA used
* an EC key.
*
* The "minu2g" and "minv2g" profiles do not provide forward secrecy,
* but are the lightest on the server (for CPU usage), and are rather
* inexpensive on the client as well.
*
* \param cc server context to initialise.
* \param chain server certificate chain.
* \param chain_len certificate chain length (number of certificate).
* \param sk EC private key.
*/
void br_ssl_server_init_minv2g(br_ssl_server_context *cc,
const br_x509_certificate *chain, size_t chain_len,
const br_ec_private_key *sk);
/**
* \brief SSL server profile: mine2c.
*
* This profile uses only TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
* Server key is RSA, and ECDHE key exchange is used. This suite
* provides forward security.
*
* \param cc server context to initialise.
* \param chain server certificate chain.
* \param chain_len certificate chain length (number of certificate).
* \param sk RSA private key.
*/
void br_ssl_server_init_mine2c(br_ssl_server_context *cc,
const br_x509_certificate *chain, size_t chain_len,
const br_rsa_private_key *sk);
/**
* \brief SSL server profile: minf2c.
*
* This profile uses only TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256.
* Server key is EC, and ECDHE key exchange is used. This suite provides
* forward security.
*
* \param cc server context to initialise.
* \param chain server certificate chain.
* \param chain_len certificate chain length (number of certificate).
* \param sk EC private key.
*/
void br_ssl_server_init_minf2c(br_ssl_server_context *cc,
const br_x509_certificate *chain, size_t chain_len,
const br_ec_private_key *sk);
/**
* \brief Get the supported client suites.
*
* This function shall be called only after the ClientHello has been
* processed, typically from the policy engine. The returned array
* contains the cipher suites that are supported by both the client
* and the server; these suites are in client preference order, unless
* the `BR_OPT_ENFORCE_SERVER_PREFERENCES` flag was set, in which case
* they are in server preference order.
*
* The suites are _translated_, which means that each suite is given
* as two 16-bit integers: the standard suite identifier, and its
* translated version, broken down into its individual components,
* as explained with the `br_suite_translated` type.
*
* The returned array is allocated in the context and will be rewritten
* by each handshake.
*
* \param cc server context.
* \param num receives the array size (number of suites).
* \return the translated common cipher suites, in preference order.
*/
static inline const br_suite_translated *
br_ssl_server_get_client_suites(const br_ssl_server_context *cc, size_t *num)
{
*num = cc->client_suites_num;
return cc->client_suites;
}
/**
* \brief Get the hash functions and signature algorithms supported by
* the client.
*
* This value is a bit field:
*
* - If RSA (PKCS#1 v1.5) is supported with hash function of ID `x`,
* then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1,
* or 2 to 6 for the SHA family).
*
* - If ECDSA is supported with hash function of ID `x`, then bit `8+x`
* is set.
*
* - Newer algorithms are symbolic 16-bit identifiers that do not
* represent signature algorithm and hash function separately. If
* the TLS-level identifier is `0x0800+x` for a `x` in the 0..15
* range, then bit `16+x` is set.
*
* "New algorithms" are currently defined only in draft documents, so
* this support is subject to possible change. Right now (early 2017),
* this maps ed25519 (EdDSA on Curve25519) to bit 23, and ed448 (EdDSA
* on Curve448) to bit 24. If the identifiers on the wire change in
* future document, then the decoding mechanism in BearSSL will be
* amended to keep mapping ed25519 and ed448 on bits 23 and 24,
* respectively. Mapping of other new algorithms (e.g. RSA/PSS) is not
* guaranteed yet.
*
* \param cc server context.
* \return the client-supported hash functions and signature algorithms.
*/
static inline uint32_t
br_ssl_server_get_client_hashes(const br_ssl_server_context *cc)
{
return cc->hashes;
}
/**
* \brief Get the elliptic curves supported by the client.
*
* This is a bit field (bit x is set if curve of ID x is supported).
*
* \param cc server context.
* \return the client-supported elliptic curves.
*/
static inline uint32_t
br_ssl_server_get_client_curves(const br_ssl_server_context *cc)
{
return cc->curves;
}
/**
* \brief Clear the complete contents of a SSL server context.
*
* Everything is cleared, including the reference to the configured buffer,
* implementations, cipher suites and state. This is a preparatory step
* to assembling a custom profile.
*
* \param cc server context to clear.
*/
void br_ssl_server_zero(br_ssl_server_context *cc);
/**
* \brief Set an externally provided policy context.
*
* The policy context's methods are invoked to decide the cipher suite
* and certificate chain, and to perform operations involving the server's
* private key.
*
* \param cc server context.
* \param pctx policy context (pointer to its vtable field).
*/
static inline void
br_ssl_server_set_policy(br_ssl_server_context *cc,
const br_ssl_server_policy_class **pctx)
{
cc->policy_vtable = pctx;
}
/**
* \brief Set the server certificate chain and key (single RSA case).
*
* This function uses a policy context included in the server context.
* It configures use of a single server certificate chain with a RSA
* private key. The `allowed_usages` is a combination of usages, namely
* `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`; this enables or disables
* the corresponding cipher suites (i.e. `TLS_RSA_*` use the RSA key for
* key exchange, while `TLS_ECDHE_RSA_*` use the RSA key for signatures).
*
* \param cc server context.
* \param chain server certificate chain to send to the client.
* \param chain_len chain length (number of certificates).
* \param sk server private key (RSA).
* \param allowed_usages allowed private key usages.
* \param irsacore RSA core implementation.
* \param irsasign RSA signature implementation (PKCS#1 v1.5).
*/
void br_ssl_server_set_single_rsa(br_ssl_server_context *cc,
const br_x509_certificate *chain, size_t chain_len,
const br_rsa_private_key *sk, unsigned allowed_usages,
br_rsa_private irsacore, br_rsa_pkcs1_sign irsasign);
/**
* \brief Set the server certificate chain and key (single EC case).
*
* This function uses a policy context included in the server context.
* It configures use of a single server certificate chain with an EC
* private key. The `allowed_usages` is a combination of usages, namely
* `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`; this enables or disables
* the corresponding cipher suites (i.e. `TLS_ECDH_*` use the EC key for
* key exchange, while `TLS_ECDHE_ECDSA_*` use the EC key for signatures).
*
* In order to support `TLS_ECDH_*` cipher suites (non-ephemeral ECDH),
* the algorithm type of the key used by the issuing CA to sign the
* server's certificate must be provided, as `cert_issuer_key_type`
* parameter (this value is either `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`).
*
* \param cc server context.
* \param chain server certificate chain to send.
* \param chain_len chain length (number of certificates).
* \param sk server private key (EC).
* \param allowed_usages allowed private key usages.
* \param cert_issuer_key_type issuing CA's key type.
* \param iec EC core implementation.
* \param iecdsa ECDSA signature implementation ("asn1" format).
*/
void br_ssl_server_set_single_ec(br_ssl_server_context *cc,
const br_x509_certificate *chain, size_t chain_len,
const br_ec_private_key *sk, unsigned allowed_usages,
unsigned cert_issuer_key_type,
const br_ec_impl *iec, br_ecdsa_sign iecdsa);
/**
* \brief Activate client certificate authentication.
*
* The trust anchor encoded X.500 names (DN) to send to the client are
* provided. A client certificate will be requested and validated through
* the X.509 validator configured in the SSL engine. If `num` is 0, then
* client certificate authentication is disabled.
*
* If the client does not send a certificate, or on validation failure,
* the handshake aborts. Unauthenticated clients can be tolerated by
* setting the `BR_OPT_TOLERATE_NO_CLIENT_AUTH` flag.
*
* The provided array is linked in, not copied, so that pointer must
* remain valid as long as anchor names may be used.
*
* \param cc server context.
* \param ta_names encoded trust anchor names.
* \param num number of encoded trust anchor names.
*/
static inline void
br_ssl_server_set_trust_anchor_names(br_ssl_server_context *cc,
const br_x500_name *ta_names, size_t num)
{
cc->ta_names = ta_names;
cc->tas = NULL;
cc->num_tas = num;
}
/**
* \brief Activate client certificate authentication.
*
* This is a variant for `br_ssl_server_set_trust_anchor_names()`: the
* trust anchor names are provided not as an array of stand-alone names
* (`br_x500_name` structures), but as an array of trust anchors
* (`br_x509_trust_anchor` structures). The server engine itself will
* only use the `dn` field of each trust anchor. This is meant to allow
* defining a single array of trust anchors, to be used here and in the
* X.509 validation engine itself.
*
* The provided array is linked in, not copied, so that pointer must
* remain valid as long as anchor names may be used.
*
* \param cc server context.
* \param tas trust anchors (only names are used).
* \param num number of trust anchors.
*/
static inline void
br_ssl_server_set_trust_anchor_names_alt(br_ssl_server_context *cc,
const br_x509_trust_anchor *tas, size_t num)
{
cc->ta_names = NULL;
cc->tas = tas;
cc->num_tas = num;
}
/**
* \brief Configure the cache for session parameters.
*
* The cache context is provided as a pointer to its first field (vtable
* pointer).
*
* \param cc server context.
* \param vtable session cache context.
*/
static inline void
br_ssl_server_set_cache(br_ssl_server_context *cc,
const br_ssl_session_cache_class **vtable)
{
cc->cache_vtable = vtable;
}
/**
* \brief Prepare or reset a server context for handling an incoming client.
*
* \param cc server context.
* \return 1 on success, 0 on error.
*/
int br_ssl_server_reset(br_ssl_server_context *cc);
/* ===================================================================== */
/*
* Context for the simplified I/O context. The transport medium is accessed
* through the low_read() and low_write() callback functions, each with
* its own opaque context pointer.
*
* low_read() read some bytes, at most 'len' bytes, into data[]. The
* returned value is the number of read bytes, or -1 on error.
* The 'len' parameter is guaranteed never to exceed 20000,
* so the length always fits in an 'int' on all platforms.
*
* low_write() write up to 'len' bytes, to be read from data[]. The
* returned value is the number of written bytes, or -1 on
* error. The 'len' parameter is guaranteed never to exceed
* 20000, so the length always fits in an 'int' on all
* parameters.
*
* A socket closure (if the transport medium is a socket) should be reported
* as an error (-1). The callbacks shall endeavour to block until at least
* one byte can be read or written; a callback returning 0 at times is
* acceptable, but this normally leads to the callback being immediately
* called again, so the callback should at least always try to block for
* some time if no I/O can take place.
*
* The SSL engine naturally applies some buffering, so the callbacks need
* not apply buffers of their own.
*/
/**
* \brief Context structure for the simplified SSL I/O wrapper.
*
* This structure is initialised with `br_sslio_init()`. Its contents
* are opaque and shall not be accessed directly.
*/
typedef struct {
#ifndef BR_DOXYGEN_IGNORE
br_ssl_engine_context *engine;
int (*low_read)(void *read_context,
unsigned char *data, size_t len);
void *read_context;
int (*low_write)(void *write_context,
const unsigned char *data, size_t len);
void *write_context;
#endif
} br_sslio_context;
/**
* \brief Initialise a simplified I/O wrapper context.
*
* The simplified I/O wrapper offers a simpler read/write API for a SSL
* engine (client or server), using the provided callback functions for
* reading data from, or writing data to, the transport medium.
*
* The callback functions have the following semantics:
*
* - Each callback receives an opaque context value (of type `void *`)
* that the callback may use arbitrarily (or possibly ignore).
*
* - `low_read()` reads at least one byte, at most `len` bytes, from
* the transport medium. Read bytes shall be written in `data`.
*
* - `low_write()` writes at least one byte, at most `len` bytes, unto
* the transport medium. The bytes to write are read from `data`.
*
* - The `len` parameter is never zero, and is always lower than 20000.
*
* - The number of processed bytes (read or written) is returned. Since
* that number is less than 20000, it always fits on an `int`.
*
* - On error, the callbacks return -1. Reaching end-of-stream is an
* error. Errors are permanent: the SSL connection is terminated.
*
* - Callbacks SHOULD NOT return 0. This is tolerated, as long as
* callbacks endeavour to block for some non-negligible amount of
* time until at least one byte can be sent or received (if a
* callback returns 0, then the wrapper invokes it again
* immediately).
*
* - Callbacks MAY return as soon as at least one byte is processed;
* they MAY also insist on reading or writing _all_ requested bytes.
* Since SSL is a self-terminated protocol (each record has a length
* header), this does not change semantics.
*
* - Callbacks need not apply any buffering (for performance) since SSL
* itself uses buffers.
*
* \param ctx wrapper context to initialise.
* \param engine SSL engine to wrap.
* \param low_read callback for reading data from the transport.
* \param read_context context pointer for `low_read()`.
* \param low_write callback for writing data on the transport.
* \param write_context context pointer for `low_write()`.
*/
void br_sslio_init(br_sslio_context *ctx,
br_ssl_engine_context *engine,
int (*low_read)(void *read_context,
unsigned char *data, size_t len),
void *read_context,
int (*low_write)(void *write_context,
const unsigned char *data, size_t len),
void *write_context);
/**
* \brief Read some application data from a SSL connection.
*
* If `len` is zero, then this function returns 0 immediately. In
* all other cases, it never returns 0.
*
* This call returns only when at least one byte has been obtained.
* Returned value is the number of bytes read, or -1 on error. The
* number of bytes always fits on an 'int' (data from a single SSL/TLS
* record is returned).
*
* On error or SSL closure, this function returns -1. The caller should
* inspect the error status on the SSL engine to distinguish between
* normal closure and error.
*
* \param cc SSL wrapper context.
* \param dst destination buffer for application data.
* \param len maximum number of bytes to obtain.
* \return number of bytes obtained, or -1 on error.
*/
int br_sslio_read(br_sslio_context *cc, void *dst, size_t len);
/**
* \brief Read application data from a SSL connection.
*
* This calls returns only when _all_ requested `len` bytes are read,
* or an error is reached. Returned value is 0 on success, -1 on error.
* A normal (verified) SSL closure before that many bytes are obtained
* is reported as an error by this function.
*
* \param cc SSL wrapper context.
* \param dst destination buffer for application data.
* \param len number of bytes to obtain.
* \return 0 on success, or -1 on error.
*/
int br_sslio_read_all(br_sslio_context *cc, void *dst, size_t len);
/**
* \brief Write some application data unto a SSL connection.
*
* If `len` is zero, then this function returns 0 immediately. In
* all other cases, it never returns 0.
*
* This call returns only when at least one byte has been written.
* Returned value is the number of bytes written, or -1 on error. The
* number of bytes always fits on an 'int' (less than 20000).
*
* On error or SSL closure, this function returns -1. The caller should
* inspect the error status on the SSL engine to distinguish between
* normal closure and error.
*
* **Important:** SSL is buffered; a "written" byte is a byte that was
* injected into the wrapped SSL engine, but this does not necessarily mean
* that it has been scheduled for sending. Use `br_sslio_flush()` to
* ensure that all pending data has been sent to the transport medium.
*
* \param cc SSL wrapper context.
* \param src source buffer for application data.
* \param len maximum number of bytes to write.
* \return number of bytes written, or -1 on error.
*/
int br_sslio_write(br_sslio_context *cc, const void *src, size_t len);
/**
* \brief Write application data unto a SSL connection.
*
* This calls returns only when _all_ requested `len` bytes have been
* written, or an error is reached. Returned value is 0 on success, -1
* on error. A normal (verified) SSL closure before that many bytes are
* written is reported as an error by this function.
*
* **Important:** SSL is buffered; a "written" byte is a byte that was
* injected into the wrapped SSL engine, but this does not necessarily mean
* that it has been scheduled for sending. Use `br_sslio_flush()` to
* ensure that all pending data has been sent to the transport medium.
*
* \param cc SSL wrapper context.
* \param src source buffer for application data.
* \param len number of bytes to write.
* \return 0 on success, or -1 on error.
*/
int br_sslio_write_all(br_sslio_context *cc, const void *src, size_t len);
/**
* \brief Flush pending data.
*
* This call makes sure that any buffered application data in the
* provided context (including the wrapped SSL engine) has been sent
* to the transport medium (i.e. accepted by the `low_write()` callback
* method). If there is no such pending data, then this function does
* nothing (and returns a success, i.e. 0).
*
* If the underlying transport medium has its own buffers, then it is
* up to the caller to ensure the corresponding flushing.
*
* Returned value is 0 on success, -1 on error.
*
* \param cc SSL wrapper context.
* \return 0 on success, or -1 on error.
*/
int br_sslio_flush(br_sslio_context *cc);
/**
* \brief Close the SSL connection.
*
* This call runs the SSL closure protocol (sending a `close_notify`,
* receiving the response `close_notify`). When it returns, the SSL
* connection is finished. It is still up to the caller to manage the
* possible transport-level termination, if applicable (alternatively,
* the underlying transport stream may be reused for non-SSL messages).
*
* Returned value is 0 on success, -1 on error. A failure by the peer
* to process the complete closure protocol (i.e. sending back the
* `close_notify`) is an error.
*
* \param cc SSL wrapper context.
* \return 0 on success, or -1 on error.
*/
int br_sslio_close(br_sslio_context *cc);
/* ===================================================================== */
/*
* Symbolic constants for cipher suites.
*/
/* From RFC 5246 */
#define BR_TLS_NULL_WITH_NULL_NULL 0x0000
#define BR_TLS_RSA_WITH_NULL_MD5 0x0001
#define BR_TLS_RSA_WITH_NULL_SHA 0x0002
#define BR_TLS_RSA_WITH_NULL_SHA256 0x003B
#define BR_TLS_RSA_WITH_RC4_128_MD5 0x0004
#define BR_TLS_RSA_WITH_RC4_128_SHA 0x0005
#define BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A
#define BR_TLS_RSA_WITH_AES_128_CBC_SHA 0x002F
#define BR_TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
#define BR_TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C
#define BR_TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D
#define BR_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000D
#define BR_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010
#define BR_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013
#define BR_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016
#define BR_TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030
#define BR_TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031
#define BR_TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032
#define BR_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033
#define BR_TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036
#define BR_TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037
#define BR_TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038
#define BR_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039
#define BR_TLS_DH_DSS_WITH_AES_128_CBC_SHA256 0x003E
#define BR_TLS_DH_RSA_WITH_AES_128_CBC_SHA256 0x003F
#define BR_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040
#define BR_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067
#define BR_TLS_DH_DSS_WITH_AES_256_CBC_SHA256 0x0068
#define BR_TLS_DH_RSA_WITH_AES_256_CBC_SHA256 0x0069
#define BR_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A
#define BR_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B
#define BR_TLS_DH_anon_WITH_RC4_128_MD5 0x0018
#define BR_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B
#define BR_TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034
#define BR_TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A
#define BR_TLS_DH_anon_WITH_AES_128_CBC_SHA256 0x006C
#define BR_TLS_DH_anon_WITH_AES_256_CBC_SHA256 0x006D
/* From RFC 4492 */
#define BR_TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001
#define BR_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xC002
#define BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003
#define BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004
#define BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005
#define BR_TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006
#define BR_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007
#define BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008
#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009
#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A
#define BR_TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B
#define BR_TLS_ECDH_RSA_WITH_RC4_128_SHA 0xC00C
#define BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D
#define BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E
#define BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F
#define BR_TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010
#define BR_TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011
#define BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012
#define BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013
#define BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014
#define BR_TLS_ECDH_anon_WITH_NULL_SHA 0xC015
#define BR_TLS_ECDH_anon_WITH_RC4_128_SHA 0xC016
#define BR_TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 0xC017
#define BR_TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018
#define BR_TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019
/* From RFC 5288 */
#define BR_TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
#define BR_TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D
#define BR_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E
#define BR_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F
#define BR_TLS_DH_RSA_WITH_AES_128_GCM_SHA256 0x00A0
#define BR_TLS_DH_RSA_WITH_AES_256_GCM_SHA384 0x00A1
#define BR_TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2
#define BR_TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3
#define BR_TLS_DH_DSS_WITH_AES_128_GCM_SHA256 0x00A4
#define BR_TLS_DH_DSS_WITH_AES_256_GCM_SHA384 0x00A5
#define BR_TLS_DH_anon_WITH_AES_128_GCM_SHA256 0x00A6
#define BR_TLS_DH_anon_WITH_AES_256_GCM_SHA384 0x00A7
/* From RFC 5289 */
#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
#define BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025
#define BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026
#define BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
#define BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028
#define BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029
#define BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A
#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
#define BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D
#define BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E
#define BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
#define BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030
#define BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
#define BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032
/* From RFC 6655 and 7251 */
#define BR_TLS_RSA_WITH_AES_128_CCM 0xC09C
#define BR_TLS_RSA_WITH_AES_256_CCM 0xC09D
#define BR_TLS_RSA_WITH_AES_128_CCM_8 0xC0A0
#define BR_TLS_RSA_WITH_AES_256_CCM_8 0xC0A1
#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC
#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM 0xC0AD
#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE
#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF
/* From RFC 7905 */
#define BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8
#define BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9
#define BR_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA
#define BR_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAB
#define BR_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAC
#define BR_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD
#define BR_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE
/* From RFC 7507 */
#define BR_TLS_FALLBACK_SCSV 0x5600
/*
* Symbolic constants for alerts.
*/
#define BR_ALERT_CLOSE_NOTIFY 0
#define BR_ALERT_UNEXPECTED_MESSAGE 10
#define BR_ALERT_BAD_RECORD_MAC 20
#define BR_ALERT_RECORD_OVERFLOW 22
#define BR_ALERT_DECOMPRESSION_FAILURE 30
#define BR_ALERT_HANDSHAKE_FAILURE 40
#define BR_ALERT_BAD_CERTIFICATE 42
#define BR_ALERT_UNSUPPORTED_CERTIFICATE 43
#define BR_ALERT_CERTIFICATE_REVOKED 44
#define BR_ALERT_CERTIFICATE_EXPIRED 45
#define BR_ALERT_CERTIFICATE_UNKNOWN 46
#define BR_ALERT_ILLEGAL_PARAMETER 47
#define BR_ALERT_UNKNOWN_CA 48
#define BR_ALERT_ACCESS_DENIED 49
#define BR_ALERT_DECODE_ERROR 50
#define BR_ALERT_DECRYPT_ERROR 51
#define BR_ALERT_PROTOCOL_VERSION 70
#define BR_ALERT_INSUFFICIENT_SECURITY 71
#define BR_ALERT_INTERNAL_ERROR 80
#define BR_ALERT_USER_CANCELED 90
#define BR_ALERT_NO_RENEGOTIATION 100
#define BR_ALERT_UNSUPPORTED_EXTENSION 110
#define BR_ALERT_NO_APPLICATION_PROTOCOL 120
#ifdef __cplusplus
}
#endif
#endif
diff --git a/contrib/bearssl/inc/bearssl_x509.h b/contrib/bearssl/inc/bearssl_x509.h
index 49d2fba0d5bc..7668e1de53a2 100644
--- a/contrib/bearssl/inc/bearssl_x509.h
+++ b/contrib/bearssl/inc/bearssl_x509.h
@@ -1,1397 +1,1474 @@
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef BR_BEARSSL_X509_H__
#define BR_BEARSSL_X509_H__
#include <stddef.h>
#include <stdint.h>
#include "bearssl_ec.h"
#include "bearssl_hash.h"
#include "bearssl_rsa.h"
#ifdef __cplusplus
extern "C" {
#endif
/** \file bearssl_x509.h
*
* # X.509 Certificate Chain Processing
*
* An X.509 processing engine receives an X.509 chain, chunk by chunk,
* as received from a SSL/TLS client or server (the client receives the
* server's certificate chain, and the server receives the client's
* certificate chain if it requested a client certificate). The chain
* is thus injected in the engine in SSL order (end-entity first).
*
* The engine's job is to return the public key to use for SSL/TLS.
* How exactly that key is obtained and verified is entirely up to the
* engine.
*
* **The "known key" engine** returns a public key which is already known
* from out-of-band information (e.g. the client _remembers_ the key from
* a previous connection, as in the usual SSH model). This is the simplest
* engine since it simply ignores the chain, thereby avoiding the need
* for any decoding logic.
*
* **The "minimal" engine** implements minimal X.509 decoding and chain
* validation:
*
* - The provided chain should validate "as is". There is no attempt
* at reordering, skipping or downloading extra certificates.
*
* - X.509 v1, v2 and v3 certificates are supported.
*
* - Trust anchors are a DN and a public key. Each anchor is either a
* "CA" anchor, or a non-CA.
*
* - If the end-entity certificate matches a non-CA anchor (subject DN
* is equal to the non-CA name, and public key is also identical to
* the anchor key), then this is a _direct trust_ case and the
* remaining certificates are ignored.
*
* - Unless direct trust is applied, the chain must be verifiable up to
* a certificate whose issuer DN matches the DN from a "CA" trust anchor,
* and whose signature is verifiable against that anchor's public key.
* Subsequent certificates in the chain are ignored.
*
* - The engine verifies subject/issuer DN matching, and enforces
* processing of Basic Constraints and Key Usage extensions. The
* Authority Key Identifier, Subject Key Identifier, Issuer Alt Name,
* Subject Directory Attribute, CRL Distribution Points, Freshest CRL,
* Authority Info Access and Subject Info Access extensions are
* ignored. The Subject Alt Name is decoded for the end-entity
* certificate under some conditions (see below). Other extensions
* are ignored if non-critical, or imply chain rejection if critical.
*
* - The Subject Alt Name extension is parsed for names of type `dNSName`
* when decoding the end-entity certificate, and only if there is a
* server name to match. If there is no SAN extension, then the
* Common Name from the subjectDN is used. That name matching is
* case-insensitive and honours a single starting wildcard (i.e. if
* the name in the certificate starts with "`*.`" then this matches
* any word as first element). Note: this name matching is performed
* also in the "direct trust" model.
*
* - DN matching is byte-to-byte equality (a future version might
* include some limited processing for case-insensitive matching and
* whitespace normalisation).
*
* - Successful validation produces a public key type but also a set
* of allowed usages (`BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`).
* The caller is responsible for checking that the key type and
* usages are compatible with the expected values (e.g. with the
* selected cipher suite, when the client validates the server's
* certificate).
*
* **Important caveats:**
*
* - The "minimal" engine does not check revocation status. The relevant
* extensions are ignored, and CRL or OCSP responses are not gathered
* or checked.
*
* - The "minimal" engine does not currently support Name Constraints
* (some basic functionality to handle sub-domains may be added in a
* later version).
*
* - The decoder is not "validating" in the sense that it won't reject
* some certificates with invalid field values when these fields are
* not actually processed.
*/
/*
* X.509 error codes are in the 32..63 range.
*/
/** \brief X.509 status: validation was successful; this is not actually
an error. */
#define BR_ERR_X509_OK 32
/** \brief X.509 status: invalid value in an ASN.1 structure. */
#define BR_ERR_X509_INVALID_VALUE 33
/** \brief X.509 status: truncated certificate. */
#define BR_ERR_X509_TRUNCATED 34
/** \brief X.509 status: empty certificate chain (no certificate at all). */
#define BR_ERR_X509_EMPTY_CHAIN 35
/** \brief X.509 status: decoding error: inner element extends beyond
outer element size. */
#define BR_ERR_X509_INNER_TRUNC 36
/** \brief X.509 status: decoding error: unsupported tag class (application
or private). */
#define BR_ERR_X509_BAD_TAG_CLASS 37
/** \brief X.509 status: decoding error: unsupported tag value. */
#define BR_ERR_X509_BAD_TAG_VALUE 38
/** \brief X.509 status: decoding error: indefinite length. */
#define BR_ERR_X509_INDEFINITE_LENGTH 39
/** \brief X.509 status: decoding error: extraneous element. */
#define BR_ERR_X509_EXTRA_ELEMENT 40
/** \brief X.509 status: decoding error: unexpected element. */
#define BR_ERR_X509_UNEXPECTED 41
/** \brief X.509 status: decoding error: expected constructed element, but
is primitive. */
#define BR_ERR_X509_NOT_CONSTRUCTED 42
/** \brief X.509 status: decoding error: expected primitive element, but
is constructed. */
#define BR_ERR_X509_NOT_PRIMITIVE 43
/** \brief X.509 status: decoding error: BIT STRING length is not multiple
of 8. */
#define BR_ERR_X509_PARTIAL_BYTE 44
/** \brief X.509 status: decoding error: BOOLEAN value has invalid length. */
#define BR_ERR_X509_BAD_BOOLEAN 45
/** \brief X.509 status: decoding error: value is off-limits. */
#define BR_ERR_X509_OVERFLOW 46
/** \brief X.509 status: invalid distinguished name. */
#define BR_ERR_X509_BAD_DN 47
/** \brief X.509 status: invalid date/time representation. */
#define BR_ERR_X509_BAD_TIME 48
/** \brief X.509 status: certificate contains unsupported features that
cannot be ignored. */
#define BR_ERR_X509_UNSUPPORTED 49
/** \brief X.509 status: key or signature size exceeds internal limits. */
#define BR_ERR_X509_LIMIT_EXCEEDED 50
/** \brief X.509 status: key type does not match that which was expected. */
#define BR_ERR_X509_WRONG_KEY_TYPE 51
/** \brief X.509 status: signature is invalid. */
#define BR_ERR_X509_BAD_SIGNATURE 52
/** \brief X.509 status: validation time is unknown. */
#define BR_ERR_X509_TIME_UNKNOWN 53
/** \brief X.509 status: certificate is expired or not yet valid. */
#define BR_ERR_X509_EXPIRED 54
/** \brief X.509 status: issuer/subject DN mismatch in the chain. */
#define BR_ERR_X509_DN_MISMATCH 55
/** \brief X.509 status: expected server name was not found in the chain. */
#define BR_ERR_X509_BAD_SERVER_NAME 56
/** \brief X.509 status: unknown critical extension in certificate. */
#define BR_ERR_X509_CRITICAL_EXTENSION 57
/** \brief X.509 status: not a CA, or path length constraint violation */
#define BR_ERR_X509_NOT_CA 58
/** \brief X.509 status: Key Usage extension prohibits intended usage. */
#define BR_ERR_X509_FORBIDDEN_KEY_USAGE 59
/** \brief X.509 status: public key found in certificate is too small. */
#define BR_ERR_X509_WEAK_PUBLIC_KEY 60
/** \brief X.509 status: chain could not be linked to a trust anchor. */
#define BR_ERR_X509_NOT_TRUSTED 62
/**
* \brief Aggregate structure for public keys.
*/
typedef struct {
/** \brief Key type: `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC` */
unsigned char key_type;
/** \brief Actual public key. */
union {
/** \brief RSA public key. */
br_rsa_public_key rsa;
/** \brief EC public key. */
br_ec_public_key ec;
} key;
} br_x509_pkey;
/**
* \brief Distinguished Name (X.500) structure.
*
* The DN is DER-encoded.
*/
typedef struct {
/** \brief Encoded DN data. */
unsigned char *data;
/** \brief Encoded DN length (in bytes). */
size_t len;
} br_x500_name;
/**
* \brief Trust anchor structure.
*/
typedef struct {
/** \brief Encoded DN (X.500 name). */
br_x500_name dn;
/** \brief Anchor flags (e.g. `BR_X509_TA_CA`). */
unsigned flags;
/** \brief Anchor public key. */
br_x509_pkey pkey;
} br_x509_trust_anchor;
/**
* \brief Trust anchor flag: CA.
*
* A "CA" anchor is deemed fit to verify signatures on certificates.
* A "non-CA" anchor is accepted only for direct trust (server's
* certificate name and key match the anchor).
*/
#define BR_X509_TA_CA 0x0001
/*
* Key type: combination of a basic key type (low 4 bits) and some
* optional flags.
*
* For a public key, the basic key type only is set.
*
* For an expected key type, the flags indicate the intended purpose(s)
* for the key; the basic key type may be set to 0 to indicate that any
* key type compatible with the indicated purpose is acceptable.
*/
/** \brief Key type: algorithm is RSA. */
#define BR_KEYTYPE_RSA 1
/** \brief Key type: algorithm is EC. */
#define BR_KEYTYPE_EC 2
/**
* \brief Key type: usage is "key exchange".
*
* This value is combined (with bitwise OR) with the algorithm
* (`BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`) when informing the X.509
* validation engine that it should find a public key of that type,
* fit for key exchanges (e.g. `TLS_RSA_*` and `TLS_ECDH_*` cipher
* suites).
*/
#define BR_KEYTYPE_KEYX 0x10
/**
* \brief Key type: usage is "signature".
*
* This value is combined (with bitwise OR) with the algorithm
* (`BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`) when informing the X.509
* validation engine that it should find a public key of that type,
* fit for signatures (e.g. `TLS_ECDHE_*` cipher suites).
*/
#define BR_KEYTYPE_SIGN 0x20
/*
* start_chain Called when a new chain is started. If 'server_name'
* is not NULL and non-empty, then it is a name that
* should be looked for in the EE certificate (in the
* SAN extension as dNSName, or in the subjectDN's CN
* if there is no SAN extension).
* The caller ensures that the provided 'server_name'
* pointer remains valid throughout validation.
*
* start_cert Begins a new certificate in the chain. The provided
* length is in bytes; this is the total certificate length.
*
* append Get some additional bytes for the current certificate.
*
* end_cert Ends the current certificate.
*
* end_chain Called at the end of the chain. Returned value is
* 0 on success, or a non-zero error code.
*
* get_pkey Returns the EE certificate public key.
*
* For a complete chain, start_chain() and end_chain() are always
* called. For each certificate, start_cert(), some append() calls, then
* end_cert() are called, in that order. There may be no append() call
* at all if the certificate is empty (which is not valid but may happen
* if the peer sends exactly that).
*
* get_pkey() shall return a pointer to a structure that is valid as
* long as a new chain is not started. This may be a sub-structure
* within the context for the engine. This function MAY return a valid
* pointer to a public key even in some cases of validation failure,
* depending on the validation engine.
*/
/**
* \brief Class type for an X.509 engine.
*
* A certificate chain validation uses a caller-allocated context, which
* contains the running state for that validation. Methods are called
* in due order:
*
* - `start_chain()` is called at the start of the validation.
* - Certificates are processed one by one, in SSL order (end-entity
* comes first). For each certificate, the following methods are
* called:
*
* - `start_cert()` at the beginning of the certificate.
* - `append()` is called zero, one or more times, to provide
* the certificate (possibly in chunks).
* - `end_cert()` at the end of the certificate.
*
* - `end_chain()` is called when the last certificate in the chain
* was processed.
* - `get_pkey()` is called after chain processing, if the chain
* validation was successful.
*
* A context structure may be reused; the `start_chain()` method shall
* ensure (re)initialisation.
*/
typedef struct br_x509_class_ br_x509_class;
struct br_x509_class_ {
/**
* \brief X.509 context size, in bytes.
*/
size_t context_size;
/**
* \brief Start a new chain.
*
* This method shall set the vtable (first field) of the context
* structure.
*
* The `server_name`, if not `NULL`, will be considered as a
* fully qualified domain name, to be matched against the `dNSName`
* elements of the end-entity certificate's SAN extension (if there
* is no SAN, then the Common Name from the subjectDN will be used).
* If `server_name` is `NULL` then no such matching is performed.
*
* \param ctx validation context.
* \param server_name server name to match (or `NULL`).
*/
void (*start_chain)(const br_x509_class **ctx,
const char *server_name);
/**
* \brief Start a new certificate.
*
* \param ctx validation context.
* \param length new certificate length (in bytes).
*/
void (*start_cert)(const br_x509_class **ctx, uint32_t length);
/**
* \brief Receive some bytes for the current certificate.
*
* This function may be called several times in succession for
* a given certificate. The caller guarantees that for each
* call, `len` is not zero, and the sum of all chunk lengths
* for a certificate matches the total certificate length which
* was provided in the previous `start_cert()` call.
*
* If the new certificate is empty (no byte at all) then this
* function won't be called at all.
*
* \param ctx validation context.
* \param buf certificate data chunk.
* \param len certificate data chunk length (in bytes).
*/
void (*append)(const br_x509_class **ctx,
const unsigned char *buf, size_t len);
/**
* \brief Finish the current certificate.
*
* This function is called when the end of the current certificate
* is reached.
*
* \param ctx validation context.
*/
void (*end_cert)(const br_x509_class **ctx);
/**
* \brief Finish the chain.
*
* This function is called at the end of the chain. It shall
* return either 0 if the validation was successful, or a
* non-zero error code. The `BR_ERR_X509_*` constants are
* error codes, though other values may be possible.
*
* \param ctx validation context.
* \return 0 on success, or a non-zero error code.
*/
unsigned (*end_chain)(const br_x509_class **ctx);
/**
* \brief Get the resulting end-entity public key.
*
* The decoded public key is returned. The returned pointer
* may be valid only as long as the context structure is
* unmodified, i.e. it may cease to be valid if the context
* is released or reused.
*
* This function _may_ return `NULL` if the validation failed.
* However, returning a public key does not mean that the
* validation was wholly successful; some engines may return
* a decoded public key even if the chain did not end on a
* trusted anchor.
*
* If validation succeeded and `usage` is not `NULL`, then
* `*usage` is filled with a combination of `BR_KEYTYPE_SIGN`
* and/or `BR_KEYTYPE_KEYX` that specifies the validated key
* usage types. It is the caller's responsibility to check
* that value against the intended use of the public key.
*
* \param ctx validation context.
* \return the end-entity public key, or `NULL`.
*/
const br_x509_pkey *(*get_pkey)(
const br_x509_class *const *ctx, unsigned *usages);
};
/**
* \brief The "known key" X.509 engine structure.
*
* The structure contents are opaque (they shall not be accessed directly),
* except for the first field (the vtable).
*
* The "known key" engine returns an externally configured public key,
* and totally ignores the certificate contents.
*/
typedef struct {
/** \brief Reference to the context vtable. */
const br_x509_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
br_x509_pkey pkey;
unsigned usages;
#endif
} br_x509_knownkey_context;
/**
* \brief Class instance for the "known key" X.509 engine.
*/
extern const br_x509_class br_x509_knownkey_vtable;
/**
* \brief Initialize a "known key" X.509 engine with a known RSA public key.
*
* The `usages` parameter indicates the allowed key usages for that key
* (`BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`).
*
* The provided pointers are linked in, not copied, so they must remain
* valid while the public key may be in usage.
*
* \param ctx context to initialise.
* \param pk known public key.
* \param usages allowed key usages.
*/
void br_x509_knownkey_init_rsa(br_x509_knownkey_context *ctx,
const br_rsa_public_key *pk, unsigned usages);
/**
* \brief Initialize a "known key" X.509 engine with a known EC public key.
*
* The `usages` parameter indicates the allowed key usages for that key
* (`BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`).
*
* The provided pointers are linked in, not copied, so they must remain
* valid while the public key may be in usage.
*
* \param ctx context to initialise.
* \param pk known public key.
* \param usages allowed key usages.
*/
void br_x509_knownkey_init_ec(br_x509_knownkey_context *ctx,
const br_ec_public_key *pk, unsigned usages);
#ifndef BR_DOXYGEN_IGNORE
/*
* The minimal X.509 engine has some state buffers which must be large
* enough to simultaneously accommodate:
* -- the public key extracted from the current certificate;
* -- the signature on the current certificate or on the previous
* certificate;
* -- the public key extracted from the EE certificate.
*
* We store public key elements in their raw unsigned big-endian
* encoding. We want to support up to RSA-4096 with a short (up to 64
* bits) public exponent, thus a buffer for a public key must have
* length at least 520 bytes. Similarly, a RSA-4096 signature has length
* 512 bytes.
*
* Though RSA public exponents can formally be as large as the modulus
* (mathematically, even larger exponents would work, but PKCS#1 forbids
* them), exponents that do not fit on 32 bits are extremely rare,
* notably because some widespread implementations (e.g. Microsoft's
* CryptoAPI) don't support them. Moreover, large public exponent do not
* seem to imply any tangible security benefit, and they increase the
* cost of public key operations. The X.509 "minimal" engine will tolerate
* public exponents of arbitrary size as long as the modulus and the
* exponent can fit together in the dedicated buffer.
*
* EC public keys are shorter than RSA public keys; even with curve
* NIST P-521 (the largest curve we care to support), a public key is
* encoded over 133 bytes only.
*/
#define BR_X509_BUFSIZE_KEY 520
#define BR_X509_BUFSIZE_SIG 512
#endif
/**
* \brief Type for receiving a name element.
*
* An array of such structures can be provided to the X.509 decoding
* engines. If the specified elements are found in the certificate
* subject DN or the SAN extension, then the name contents are copied
* as zero-terminated strings into the buffer.
*
* The decoder converts TeletexString and BMPString to UTF8String, and
* ensures that the resulting string is zero-terminated. If the string
* does not fit in the provided buffer, then the copy is aborted and an
* error is reported.
*/
typedef struct {
/**
* \brief Element OID.
*
* For X.500 name elements (to be extracted from the subject DN),
* this is the encoded OID for the requested name element; the
* first byte shall contain the length of the DER-encoded OID
* value, followed by the OID value (for instance, OID 2.5.4.3,
* for id-at-commonName, will be `03 55 04 03`). This is
* equivalent to full DER encoding with the length but without
* the tag.
*
* For SAN name elements, the first byte (`oid[0]`) has value 0,
* followed by another byte that matches the expected GeneralName
* tag. Allowed second byte values are then:
*
* - 1: `rfc822Name`
*
* - 2: `dNSName`
*
* - 6: `uniformResourceIdentifier`
*
* - 0: `otherName`
*
* If first and second byte are 0, then this is a SAN element of
* type `otherName`; the `oid[]` array should then contain, right
* after the two bytes of value 0, an encoded OID (with the same
* conventions as for X.500 name elements). If a match is found
* for that OID, then the corresponding name element will be
* extracted, as long as it is a supported string type.
*/
const unsigned char *oid;
/**
* \brief Destination buffer.
*/
char *buf;
/**
* \brief Length (in bytes) of the destination buffer.
*
* The buffer MUST NOT be smaller than 1 byte.
*/
size_t len;
/**
* \brief Decoding status.
*
* Status is 0 if the name element was not found, 1 if it was
* found and decoded, or -1 on error. Error conditions include
* an unrecognised encoding, an invalid encoding, or a string
* too large for the destination buffer.
*/
int status;
} br_name_element;
+/**
+ * \brief Callback for validity date checks.
+ *
+ * The function receives as parameter an arbitrary user-provided context,
+ * and the notBefore and notAfter dates specified in an X.509 certificate,
+ * both expressed as a number of days and a number of seconds:
+ *
+ * - Days are counted in a proleptic Gregorian calendar since
+ * January 1st, 0 AD. Year "0 AD" is the one that preceded "1 AD";
+ * it is also traditionally known as "1 BC".
+ *
+ * - Seconds are counted since midnight, from 0 to 86400 (a count of
+ * 86400 is possible only if a leap second happened).
+ *
+ * Each date and time is understood in the UTC time zone. The "Unix
+ * Epoch" (January 1st, 1970, 00:00 UTC) corresponds to days=719528 and
+ * seconds=0; the "Windows Epoch" (January 1st, 1601, 00:00 UTC) is
+ * days=584754, seconds=0.
+ *
+ * This function must return -1 if the current date is strictly before
+ * the "notBefore" time, or +1 if the current date is strictly after the
+ * "notAfter" time. If neither condition holds, then the function returns
+ * 0, which means that the current date falls within the validity range of
+ * the certificate. If the function returns a value distinct from -1, 0
+ * and +1, then this is interpreted as an unavailability of the current
+ * time, which normally ends the validation process with a
+ * `BR_ERR_X509_TIME_UNKNOWN` error.
+ *
+ * During path validation, this callback will be invoked for each
+ * considered X.509 certificate. Validation fails if any of the calls
+ * returns a non-zero value.
+ *
+ * The context value is an abritrary pointer set by the caller when
+ * configuring this callback.
+ *
+ * \param tctx context pointer.
+ * \param not_before_days notBefore date (days since Jan 1st, 0 AD).
+ * \param not_before_seconds notBefore time (seconds, at most 86400).
+ * \param not_after_days notAfter date (days since Jan 1st, 0 AD).
+ * \param not_after_seconds notAfter time (seconds, at most 86400).
+ * \return -1, 0 or +1.
+ */
+typedef int (*br_x509_time_check)(void *tctx,
+ uint32_t not_before_days, uint32_t not_before_seconds,
+ uint32_t not_after_days, uint32_t not_after_seconds);
+
/**
* \brief The "minimal" X.509 engine structure.
*
* The structure contents are opaque (they shall not be accessed directly),
* except for the first field (the vtable).
*
* The "minimal" engine performs a rudimentary but serviceable X.509 path
* validation.
*/
typedef struct {
const br_x509_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
/* Structure for returning the EE public key. */
br_x509_pkey pkey;
/* CPU for the T0 virtual machine. */
struct {
uint32_t *dp;
uint32_t *rp;
const unsigned char *ip;
} cpu;
- uint32_t dp_stack[32];
- uint32_t rp_stack[32];
+ uint32_t dp_stack[31];
+ uint32_t rp_stack[31];
int err;
/* Server name to match with the SAN / CN of the EE certificate. */
const char *server_name;
/* Validated key usages. */
unsigned char key_usages;
/* Explicitly set date and time. */
uint32_t days, seconds;
/* Current certificate length (in bytes). Set to 0 when the
certificate has been fully processed. */
uint32_t cert_length;
/* Number of certificates processed so far in the current chain.
It is incremented at the end of the processing of a certificate,
so it is 0 for the EE. */
uint32_t num_certs;
/* Certificate data chunk. */
const unsigned char *hbuf;
size_t hlen;
/* The pad serves as destination for various operations. */
unsigned char pad[256];
/* Buffer for EE public key data. */
unsigned char ee_pkey_data[BR_X509_BUFSIZE_KEY];
/* Buffer for currently decoded public key. */
unsigned char pkey_data[BR_X509_BUFSIZE_KEY];
/* Signature type: signer key type, offset to the hash
function OID (in the T0 data block) and hash function
output length (TBS hash length). */
unsigned char cert_signer_key_type;
uint16_t cert_sig_hash_oid;
unsigned char cert_sig_hash_len;
/* Current/last certificate signature. */
unsigned char cert_sig[BR_X509_BUFSIZE_SIG];
uint16_t cert_sig_len;
/* Minimum RSA key length (difference in bytes from 128). */
int16_t min_rsa_size;
/* Configured trust anchors. */
const br_x509_trust_anchor *trust_anchors;
size_t trust_anchors_num;
/*
* Multi-hasher for the TBS.
*/
unsigned char do_mhash;
br_multihash_context mhash;
unsigned char tbs_hash[64];
/*
* Simple hasher for the subject/issuer DN.
*/
unsigned char do_dn_hash;
const br_hash_class *dn_hash_impl;
br_hash_compat_context dn_hash;
unsigned char current_dn_hash[64];
unsigned char next_dn_hash[64];
unsigned char saved_dn_hash[64];
/*
* Name elements to gather.
*/
br_name_element *name_elts;
size_t num_name_elts;
+ /*
+ * Callback function (and context) to get the current date.
+ */
+ void *itime_ctx;
+ br_x509_time_check itime;
+
/*
* Public key cryptography implementations (signature verification).
*/
br_rsa_pkcs1_vrfy irsa;
br_ecdsa_vrfy iecdsa;
const br_ec_impl *iec;
#endif
} br_x509_minimal_context;
/**
* \brief Class instance for the "minimal" X.509 engine.
*/
extern const br_x509_class br_x509_minimal_vtable;
/**
* \brief Initialise a "minimal" X.509 engine.
*
* The `dn_hash_impl` parameter shall be a hash function internally used
* to match X.500 names (subject/issuer DN, and anchor names). Any standard
* hash function may be used, but a collision-resistant hash function is
* advised.
*
* After initialization, some implementations for signature verification
* (hash functions and signature algorithms) MUST be added.
*
* \param ctx context to initialise.
* \param dn_hash_impl hash function for DN comparisons.
* \param trust_anchors trust anchors.
* \param trust_anchors_num number of trust anchors.
*/
void br_x509_minimal_init(br_x509_minimal_context *ctx,
const br_hash_class *dn_hash_impl,
const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);
/**
* \brief Set a supported hash function in an X.509 "minimal" engine.
*
* Hash functions are used with signature verification algorithms.
* Once initialised (with `br_x509_minimal_init()`), the context must
* be configured with the hash functions it shall support for that
* purpose. The hash function identifier MUST be one of the standard
* hash function identifiers (1 to 6, for MD5, SHA-1, SHA-224, SHA-256,
* SHA-384 and SHA-512).
*
* If `impl` is `NULL`, this _removes_ support for the designated
* hash function.
*
* \param ctx validation context.
* \param id hash function identifier (from 1 to 6).
* \param impl hash function implementation (or `NULL`).
*/
static inline void
br_x509_minimal_set_hash(br_x509_minimal_context *ctx,
int id, const br_hash_class *impl)
{
br_multihash_setimpl(&ctx->mhash, id, impl);
}
/**
* \brief Set a RSA signature verification implementation in the X.509
* "minimal" engine.
*
* Once initialised (with `br_x509_minimal_init()`), the context must
* be configured with the signature verification implementations that
* it is supposed to support. If `irsa` is `0`, then the RSA support
* is disabled.
*
* \param ctx validation context.
* \param irsa RSA signature verification implementation (or `0`).
*/
static inline void
br_x509_minimal_set_rsa(br_x509_minimal_context *ctx,
br_rsa_pkcs1_vrfy irsa)
{
ctx->irsa = irsa;
}
/**
* \brief Set a ECDSA signature verification implementation in the X.509
* "minimal" engine.
*
* Once initialised (with `br_x509_minimal_init()`), the context must
* be configured with the signature verification implementations that
* it is supposed to support.
*
* If `iecdsa` is `0`, then this call disables ECDSA support; in that
* case, `iec` may be `NULL`. Otherwise, `iecdsa` MUST point to a function
* that verifies ECDSA signatures with format "asn1", and it will use
* `iec` as underlying elliptic curve support.
*
* \param ctx validation context.
* \param iec elliptic curve implementation (or `NULL`).
* \param iecdsa ECDSA implementation (or `0`).
*/
static inline void
br_x509_minimal_set_ecdsa(br_x509_minimal_context *ctx,
const br_ec_impl *iec, br_ecdsa_vrfy iecdsa)
{
ctx->iecdsa = iecdsa;
ctx->iec = iec;
}
/**
* \brief Initialise a "minimal" X.509 engine with default algorithms.
*
* This function performs the same job as `br_x509_minimal_init()`, but
* also sets implementations for RSA, ECDSA, and the standard hash
* functions.
*
* \param ctx context to initialise.
* \param trust_anchors trust anchors.
* \param trust_anchors_num number of trust anchors.
*/
void br_x509_minimal_init_full(br_x509_minimal_context *ctx,
const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);
/**
* \brief Set the validation time for the X.509 "minimal" engine.
*
* The validation time is set as two 32-bit integers, for days and
* seconds since a fixed epoch:
*
* - Days are counted in a proleptic Gregorian calendar since
* January 1st, 0 AD. Year "0 AD" is the one that preceded "1 AD";
* it is also traditionally known as "1 BC".
*
* - Seconds are counted since midnight, from 0 to 86400 (a count of
* 86400 is possible only if a leap second happened).
*
- * The validation date and time is understood in the UTC time zone.
+ * The validation date and time is understood in the UTC time zone. The
+ * "Unix Epoch" (January 1st, 1970, 00:00 UTC) corresponds to days=719528
+ * and seconds=0; the "Windows Epoch" (January 1st, 1601, 00:00 UTC) is
+ * days=584754, seconds=0.
*
* If the validation date and time are not explicitly set, but BearSSL
* was compiled with support for the system clock on the underlying
* platform, then the current time will automatically be used. Otherwise,
* not setting the validation date and time implies a validation
* failure (except in case of direct trust of the EE key).
*
* \param ctx validation context.
* \param days days since January 1st, 0 AD (Gregorian calendar).
* \param seconds seconds since midnight (0 to 86400).
*/
static inline void
br_x509_minimal_set_time(br_x509_minimal_context *ctx,
uint32_t days, uint32_t seconds)
{
ctx->days = days;
ctx->seconds = seconds;
+ ctx->itime = 0;
+}
+
+/**
+ * \brief Set the validity range callback function for the X.509
+ * "minimal" engine.
+ *
+ * The provided function will be invoked to check whether the validation
+ * date is within the validity range for a given X.509 certificate; a
+ * call will be issued for each considered certificate. The provided
+ * context pointer (itime_ctx) will be passed as first parameter to the
+ * callback.
+ *
+ * \param tctx context for callback invocation.
+ * \param cb callback function.
+ */
+static inline void
+br_x509_minimal_set_time_callback(br_x509_minimal_context *ctx,
+ void *itime_ctx, br_x509_time_check itime)
+{
+ ctx->itime_ctx = itime_ctx;
+ ctx->itime = itime;
}
/**
* \brief Set the minimal acceptable length for RSA keys (X.509 "minimal"
* engine).
*
* The RSA key length is expressed in bytes. The default minimum key
* length is 128 bytes, corresponding to 1017 bits. RSA keys shorter
* than the configured length will be rejected, implying validation
* failure. This setting applies to keys extracted from certificates
* (both end-entity, and intermediate CA) but not to "CA" trust anchors.
*
* \param ctx validation context.
* \param byte_length minimum RSA key length, **in bytes** (not bits).
*/
static inline void
br_x509_minimal_set_minrsa(br_x509_minimal_context *ctx, int byte_length)
{
ctx->min_rsa_size = (int16_t)(byte_length - 128);
}
/**
* \brief Set the name elements to gather.
*
* The provided array is linked in the context. The elements are
* gathered from the EE certificate. If the same element type is
* requested several times, then the relevant structures will be filled
* in the order the matching values are encountered in the certificate.
*
* \param ctx validation context.
* \param elts array of name element structures to fill.
* \param num_elts number of name element structures to fill.
*/
static inline void
br_x509_minimal_set_name_elements(br_x509_minimal_context *ctx,
br_name_element *elts, size_t num_elts)
{
ctx->name_elts = elts;
ctx->num_name_elts = num_elts;
}
/**
* \brief X.509 decoder context.
*
* This structure is _not_ for X.509 validation, but for extracting
* names and public keys from encoded certificates. Intended usage is
* to use (self-signed) certificates as trust anchors.
*
* Contents are opaque and shall not be accessed directly.
*/
typedef struct {
#ifndef BR_DOXYGEN_IGNORE
/* Structure for returning the public key. */
br_x509_pkey pkey;
/* CPU for the T0 virtual machine. */
struct {
uint32_t *dp;
uint32_t *rp;
const unsigned char *ip;
} cpu;
uint32_t dp_stack[32];
uint32_t rp_stack[32];
int err;
/* The pad serves as destination for various operations. */
unsigned char pad[256];
/* Flag set when decoding succeeds. */
unsigned char decoded;
/* Validity dates. */
uint32_t notbefore_days, notbefore_seconds;
uint32_t notafter_days, notafter_seconds;
/* The "CA" flag. This is set to true if the certificate contains
a Basic Constraints extension that asserts CA status. */
unsigned char isCA;
/* DN processing: the subject DN is extracted and pushed to the
provided callback. */
unsigned char copy_dn;
void *append_dn_ctx;
void (*append_dn)(void *ctx, const void *buf, size_t len);
/* Certificate data chunk. */
const unsigned char *hbuf;
size_t hlen;
/* Buffer for decoded public key. */
unsigned char pkey_data[BR_X509_BUFSIZE_KEY];
/* Type of key and hash function used in the certificate signature. */
unsigned char signer_key_type;
unsigned char signer_hash_id;
#endif
} br_x509_decoder_context;
/**
* \brief Initialise an X.509 decoder context for processing a new
* certificate.
*
* The `append_dn()` callback (with opaque context `append_dn_ctx`)
* will be invoked to receive, chunk by chunk, the certificate's
* subject DN. If `append_dn` is `0` then the subject DN will be
* ignored.
*
* \param ctx X.509 decoder context to initialise.
* \param append_dn DN receiver callback (or `0`).
* \param append_dn_ctx context for the DN receiver callback.
*/
void br_x509_decoder_init(br_x509_decoder_context *ctx,
void (*append_dn)(void *ctx, const void *buf, size_t len),
void *append_dn_ctx);
/**
* \brief Push some certificate bytes into a decoder context.
*
* If `len` is non-zero, then that many bytes are pushed, from address
* `data`, into the provided decoder context.
*
* \param ctx X.509 decoder context.
* \param data certificate data chunk.
* \param len certificate data chunk length (in bytes).
*/
void br_x509_decoder_push(br_x509_decoder_context *ctx,
const void *data, size_t len);
/**
* \brief Obtain the decoded public key.
*
* Returned value is a pointer to a structure internal to the decoder
* context; releasing or reusing the decoder context invalidates that
* structure.
*
* If decoding was not finished, or failed, then `NULL` is returned.
*
* \param ctx X.509 decoder context.
* \return the public key, or `NULL` on unfinished/error.
*/
static inline br_x509_pkey *
br_x509_decoder_get_pkey(br_x509_decoder_context *ctx)
{
if (ctx->decoded && ctx->err == 0) {
return &ctx->pkey;
} else {
return NULL;
}
}
/**
* \brief Get decoder error status.
*
* If no error was reported yet but the certificate decoding is not
* finished, then the error code is `BR_ERR_X509_TRUNCATED`. If decoding
* was successful, then 0 is returned.
*
* \param ctx X.509 decoder context.
* \return 0 on successful decoding, or a non-zero error code.
*/
static inline int
br_x509_decoder_last_error(br_x509_decoder_context *ctx)
{
if (ctx->err != 0) {
return ctx->err;
}
if (!ctx->decoded) {
return BR_ERR_X509_TRUNCATED;
}
return 0;
}
/**
* \brief Get the "isCA" flag from an X.509 decoder context.
*
* This flag is set if the decoded certificate claims to be a CA through
* a Basic Constraints extension. This flag should not be read before
* decoding completed successfully.
*
* \param ctx X.509 decoder context.
* \return the "isCA" flag.
*/
static inline int
br_x509_decoder_isCA(br_x509_decoder_context *ctx)
{
return ctx->isCA;
}
/**
* \brief Get the issuing CA key type (type of algorithm used to sign the
* decoded certificate).
*
* This is `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`. The value 0 is returned
* if the signature type was not recognised.
*
* \param ctx X.509 decoder context.
* \return the issuing CA key type.
*/
static inline int
br_x509_decoder_get_signer_key_type(br_x509_decoder_context *ctx)
{
return ctx->signer_key_type;
}
/**
* \brief Get the identifier for the hash function used to sign the decoded
* certificate.
*
* This is 0 if the hash function was not recognised.
*
* \param ctx X.509 decoder context.
* \return the signature hash function identifier.
*/
static inline int
br_x509_decoder_get_signer_hash_id(br_x509_decoder_context *ctx)
{
return ctx->signer_hash_id;
}
/**
* \brief Type for an X.509 certificate (DER-encoded).
*/
typedef struct {
/** \brief The DER-encoded certificate data. */
unsigned char *data;
/** \brief The DER-encoded certificate length (in bytes). */
size_t data_len;
} br_x509_certificate;
/**
* \brief Private key decoder context.
*
* The private key decoder recognises RSA and EC private keys, either in
* their raw, DER-encoded format, or wrapped in an unencrypted PKCS#8
* archive (again DER-encoded).
*
* Structure contents are opaque and shall not be accessed directly.
*/
typedef struct {
#ifndef BR_DOXYGEN_IGNORE
/* Structure for returning the private key. */
union {
br_rsa_private_key rsa;
br_ec_private_key ec;
} key;
/* CPU for the T0 virtual machine. */
struct {
uint32_t *dp;
uint32_t *rp;
const unsigned char *ip;
} cpu;
uint32_t dp_stack[32];
uint32_t rp_stack[32];
int err;
/* Private key data chunk. */
const unsigned char *hbuf;
size_t hlen;
/* The pad serves as destination for various operations. */
unsigned char pad[256];
/* Decoded key type; 0 until decoding is complete. */
unsigned char key_type;
/* Buffer for the private key elements. It shall be large enough
to accommodate all elements for a RSA-4096 private key (roughly
five 2048-bit integers, possibly a bit more). */
unsigned char key_data[3 * BR_X509_BUFSIZE_SIG];
#endif
} br_skey_decoder_context;
/**
* \brief Initialise a private key decoder context.
*
* \param ctx key decoder context to initialise.
*/
void br_skey_decoder_init(br_skey_decoder_context *ctx);
/**
* \brief Push some data bytes into a private key decoder context.
*
* If `len` is non-zero, then that many data bytes, starting at address
* `data`, are pushed into the decoder.
*
* \param ctx key decoder context.
* \param data private key data chunk.
* \param len private key data chunk length (in bytes).
*/
void br_skey_decoder_push(br_skey_decoder_context *ctx,
const void *data, size_t len);
/**
* \brief Get the decoding status for a private key.
*
* Decoding status is 0 on success, or a non-zero error code. If the
* decoding is unfinished when this function is called, then the
* status code `BR_ERR_X509_TRUNCATED` is returned.
*
* \param ctx key decoder context.
* \return 0 on successful decoding, or a non-zero error code.
*/
static inline int
br_skey_decoder_last_error(const br_skey_decoder_context *ctx)
{
if (ctx->err != 0) {
return ctx->err;
}
if (ctx->key_type == 0) {
return BR_ERR_X509_TRUNCATED;
}
return 0;
}
/**
* \brief Get the decoded private key type.
*
* Private key type is `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`. If decoding is
* not finished or failed, then 0 is returned.
*
* \param ctx key decoder context.
* \return decoded private key type, or 0.
*/
static inline int
br_skey_decoder_key_type(const br_skey_decoder_context *ctx)
{
if (ctx->err == 0) {
return ctx->key_type;
} else {
return 0;
}
}
/**
* \brief Get the decoded RSA private key.
*
* This function returns `NULL` if the decoding failed, or is not
* finished, or the key is not RSA. The returned pointer references
* structures within the context that can become invalid if the context
* is reused or released.
*
* \param ctx key decoder context.
* \return decoded RSA private key, or `NULL`.
*/
static inline const br_rsa_private_key *
br_skey_decoder_get_rsa(const br_skey_decoder_context *ctx)
{
if (ctx->err == 0 && ctx->key_type == BR_KEYTYPE_RSA) {
return &ctx->key.rsa;
} else {
return NULL;
}
}
/**
* \brief Get the decoded EC private key.
*
* This function returns `NULL` if the decoding failed, or is not
* finished, or the key is not EC. The returned pointer references
* structures within the context that can become invalid if the context
* is reused or released.
*
* \param ctx key decoder context.
* \return decoded EC private key, or `NULL`.
*/
static inline const br_ec_private_key *
br_skey_decoder_get_ec(const br_skey_decoder_context *ctx)
{
if (ctx->err == 0 && ctx->key_type == BR_KEYTYPE_EC) {
return &ctx->key.ec;
} else {
return NULL;
}
}
/**
* \brief Encode an RSA private key (raw DER format).
*
* This function encodes the provided key into the "raw" format specified
* in PKCS#1 (RFC 8017, Appendix C, type `RSAPrivateKey`), with DER
* encoding rules.
*
* The key elements are:
*
* - `sk`: the private key (`p`, `q`, `dp`, `dq` and `iq`)
*
* - `pk`: the public key (`n` and `e`)
*
* - `d` (size: `dlen` bytes): the private exponent
*
* The public key elements, and the private exponent `d`, can be
* recomputed from the private key (see `br_rsa_compute_modulus()`,
* `br_rsa_compute_pubexp()` and `br_rsa_compute_privexp()`).
*
* If `dest` is not `NULL`, then the encoded key is written at that
* address, and the encoded length (in bytes) is returned. If `dest` is
* `NULL`, then nothing is written, but the encoded length is still
* computed and returned.
*
* \param dest the destination buffer (or `NULL`).
* \param sk the RSA private key.
* \param pk the RSA public key.
* \param d the RSA private exponent.
* \param dlen the RSA private exponent length (in bytes).
* \return the encoded key length (in bytes).
*/
size_t br_encode_rsa_raw_der(void *dest, const br_rsa_private_key *sk,
const br_rsa_public_key *pk, const void *d, size_t dlen);
/**
* \brief Encode an RSA private key (PKCS#8 DER format).
*
* This function encodes the provided key into the PKCS#8 format
* (RFC 5958, type `OneAsymmetricKey`). It wraps around the "raw DER"
* format for the RSA key, as implemented by `br_encode_rsa_raw_der()`.
*
* The key elements are:
*
* - `sk`: the private key (`p`, `q`, `dp`, `dq` and `iq`)
*
* - `pk`: the public key (`n` and `e`)
*
* - `d` (size: `dlen` bytes): the private exponent
*
* The public key elements, and the private exponent `d`, can be
* recomputed from the private key (see `br_rsa_compute_modulus()`,
* `br_rsa_compute_pubexp()` and `br_rsa_compute_privexp()`).
*
* If `dest` is not `NULL`, then the encoded key is written at that
* address, and the encoded length (in bytes) is returned. If `dest` is
* `NULL`, then nothing is written, but the encoded length is still
* computed and returned.
*
* \param dest the destination buffer (or `NULL`).
* \param sk the RSA private key.
* \param pk the RSA public key.
* \param d the RSA private exponent.
* \param dlen the RSA private exponent length (in bytes).
* \return the encoded key length (in bytes).
*/
size_t br_encode_rsa_pkcs8_der(void *dest, const br_rsa_private_key *sk,
const br_rsa_public_key *pk, const void *d, size_t dlen);
/**
* \brief Encode an EC private key (raw DER format).
*
* This function encodes the provided key into the "raw" format specified
* in RFC 5915 (type `ECPrivateKey`), with DER encoding rules.
*
* The private key is provided in `sk`, the public key being `pk`. If
* `pk` is `NULL`, then the encoded key will not include the public key
* in its `publicKey` field (which is nominally optional).
*
* If `dest` is not `NULL`, then the encoded key is written at that
* address, and the encoded length (in bytes) is returned. If `dest` is
* `NULL`, then nothing is written, but the encoded length is still
* computed and returned.
*
* If the key cannot be encoded (e.g. because there is no known OBJECT
* IDENTIFIER for the used curve), then 0 is returned.
*
* \param dest the destination buffer (or `NULL`).
* \param sk the EC private key.
* \param pk the EC public key (or `NULL`).
* \return the encoded key length (in bytes), or 0.
*/
size_t br_encode_ec_raw_der(void *dest,
const br_ec_private_key *sk, const br_ec_public_key *pk);
/**
* \brief Encode an EC private key (PKCS#8 DER format).
*
* This function encodes the provided key into the PKCS#8 format
* (RFC 5958, type `OneAsymmetricKey`). The curve is identified
* by an OID provided as parameters to the `privateKeyAlgorithm`
* field. The private key value (contents of the `privateKey` field)
* contains the DER encoding of the `ECPrivateKey` type defined in
* RFC 5915, without the `parameters` field (since they would be
* redundant with the information in `privateKeyAlgorithm`).
*
* The private key is provided in `sk`, the public key being `pk`. If
* `pk` is not `NULL`, then the encoded public key is included in the
* `publicKey` field of the private key value (but not in the `publicKey`
* field of the PKCS#8 `OneAsymmetricKey` wrapper).
*
* If `dest` is not `NULL`, then the encoded key is written at that
* address, and the encoded length (in bytes) is returned. If `dest` is
* `NULL`, then nothing is written, but the encoded length is still
* computed and returned.
*
* If the key cannot be encoded (e.g. because there is no known OBJECT
* IDENTIFIER for the used curve), then 0 is returned.
*
* \param dest the destination buffer (or `NULL`).
* \param sk the EC private key.
* \param pk the EC public key (or `NULL`).
* \return the encoded key length (in bytes), or 0.
*/
size_t br_encode_ec_pkcs8_der(void *dest,
const br_ec_private_key *sk, const br_ec_public_key *pk);
/**
* \brief PEM banner for RSA private key (raw).
*/
#define BR_ENCODE_PEM_RSA_RAW "RSA PRIVATE KEY"
/**
* \brief PEM banner for EC private key (raw).
*/
#define BR_ENCODE_PEM_EC_RAW "EC PRIVATE KEY"
/**
* \brief PEM banner for an RSA or EC private key in PKCS#8 format.
*/
#define BR_ENCODE_PEM_PKCS8 "PRIVATE KEY"
#ifdef __cplusplus
}
#endif
#endif
diff --git a/contrib/bearssl/src/config.h b/contrib/bearssl/src/config.h
index 8ea4d8af8d61..94627a23c038 100644
--- a/contrib/bearssl/src/config.h
+++ b/contrib/bearssl/src/config.h
@@ -1,229 +1,247 @@
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef CONFIG_H__
#define CONFIG_H__
/*
* This file contains compile-time flags that can override the
* autodetection performed in relevant files. Each flag is a macro; it
* deactivates the feature if defined to 0, activates it if defined to a
* non-zero integer (normally 1). If the macro is not defined, then
* autodetection applies.
*/
/*
* When BR_64 is enabled, 64-bit integer types are assumed to be
* efficient (i.e. the architecture has 64-bit registers and can
* do 64-bit operations as fast as 32-bit operations).
*
#define BR_64 1
*/
/*
* When BR_LOMUL is enabled, then multiplications of 32-bit values whose
* result are truncated to the low 32 bits are assumed to be
* substantially more efficient than 32-bit multiplications that yield
* 64-bit results. This is typically the case on low-end ARM Cortex M
* systems (M0, M0+, M1, and arguably M3 and M4 as well).
*
#define BR_LOMUL 1
*/
/*
* When BR_SLOW_MUL is enabled, multiplications are assumed to be
* substantially slow with regards to other integer operations, thus
* making it worth to make more operations for a given task if it allows
* using less multiplications.
*
#define BR_SLOW_MUL 1
*/
/*
* When BR_SLOW_MUL15 is enabled, short multplications (on 15-bit words)
* are assumed to be substantially slow with regards to other integer
* operations, thus making it worth to make more integer operations if
* it allows using less multiplications.
*
#define BR_SLOW_MUL15 1
*/
/*
* When BR_CT_MUL31 is enabled, multiplications of 31-bit values (used
* in the "i31" big integer implementation) use an alternate implementation
* which is slower and larger than the normal multiplication, but should
* ensure constant-time multiplications even on architectures where the
* multiplication opcode takes a variable number of cycles to complete.
*
#define BR_CT_MUL31 1
*/
/*
* When BR_CT_MUL15 is enabled, multiplications of 15-bit values (held
* in 32-bit words) use an alternate implementation which is slower and
* larger than the normal multiplication, but should ensure
* constant-time multiplications on most/all architectures where the
* basic multiplication is not constant-time.
#define BR_CT_MUL15 1
*/
/*
* When BR_NO_ARITH_SHIFT is enabled, arithmetic right shifts (with sign
* extension) are performed with a sequence of operations which is bigger
* and slower than a simple right shift on a signed value. This avoids
* relying on an implementation-defined behaviour. However, most if not
* all C compilers use sign extension for right shifts on signed values,
* so this alternate macro is disabled by default.
#define BR_NO_ARITH_SHIFT 1
*/
/*
* When BR_RDRAND is enabled, the SSL engine will use the RDRAND opcode
* to automatically obtain quality randomness for seeding its internal
* PRNG. Since that opcode is present only in recent x86 CPU, its
* support is dynamically tested; if the current CPU does not support
* it, then another random source will be used, such as /dev/urandom or
* CryptGenRandom().
*
#define BR_RDRAND 1
*/
+/*
+ * When BR_USE_GETENTROPY is enabled, the SSL engine will use the
+ * getentropy() function to obtain quality randomness for seeding its
+ * internal PRNG. On Linux and FreeBSD, getentropy() is implemented by
+ * the standard library with the system call getrandom(); on OpenBSD,
+ * getentropy() is the system call, and there is no getrandom() wrapper,
+ * hence the use of the getentropy() function for maximum portability.
+ *
+ * If the getentropy() call fails, and BR_USE_URANDOM is not explicitly
+ * disabled, then /dev/urandom will be used as a fallback mechanism. On
+ * FreeBSD and OpenBSD, this does not change much, since /dev/urandom
+ * will block if not enough entropy has been obtained since last boot.
+ * On Linux, /dev/urandom might not block, which can be troublesome in
+ * early boot stages, which is why getentropy() is preferred.
+ *
+#define BR_USE_GETENTROPY 1
+ */
+
/*
* When BR_USE_URANDOM is enabled, the SSL engine will use /dev/urandom
- * to automatically obtain quality randomness for seedings its internal
+ * to automatically obtain quality randomness for seeding its internal
* PRNG.
*
#define BR_USE_URANDOM 1
*/
/*
* When BR_USE_WIN32_RAND is enabled, the SSL engine will use the Win32
* (CryptoAPI) functions (CryptAcquireContext(), CryptGenRandom()...) to
- * automatically obtain quality randomness for seedings its internal PRNG.
+ * automatically obtain quality randomness for seeding its internal PRNG.
*
* Note: if both BR_USE_URANDOM and BR_USE_WIN32_RAND are defined, the
* former takes precedence.
*
#define BR_USE_WIN32_RAND 1
*/
/*
* When BR_USE_UNIX_TIME is enabled, the X.509 validation engine obtains
* the current time from the OS by calling time(), and assuming that the
* returned value (a 'time_t') is an integer that counts time in seconds
* since the Unix Epoch (Jan 1st, 1970, 00:00 UTC).
*
#define BR_USE_UNIX_TIME 1
*/
/*
* When BR_USE_WIN32_TIME is enabled, the X.509 validation engine obtains
* the current time from the OS by calling the Win32 function
* GetSystemTimeAsFileTime().
*
* Note: if both BR_USE_UNIX_TIME and BR_USE_WIN32_TIME are defined, the
* former takes precedence.
*
#define BR_USE_WIN32_TIME 1
*/
/*
* When BR_ARMEL_CORTEXM_GCC is enabled, some operations are replaced with
* inline assembly which is shorter and/or faster. This should be used
* only when all of the following are true:
* - target architecture is ARM in Thumb mode
* - target endianness is little-endian
* - compiler is GCC (or GCC-compatible for inline assembly syntax)
*
* This is meant for the low-end cores (Cortex M0, M0+, M1, M3).
* Note: if BR_LOMUL is not explicitly enabled or disabled, then
* enabling BR_ARMEL_CORTEXM_GCC also enables BR_LOMUL.
*
#define BR_ARMEL_CORTEXM_GCC 1
*/
/*
* When BR_AES_X86NI is enabled, the AES implementation using the x86 "NI"
* instructions (dedicated AES opcodes) will be compiled. If this is not
* enabled explicitly, then that AES implementation will be compiled only
* if a compatible compiler is detected. If set explicitly to 0, the
* implementation will not be compiled at all.
*
#define BR_AES_X86NI 1
*/
/*
* When BR_SSE2 is enabled, SSE2 intrinsics will be used for some
* algorithm implementations that use them (e.g. chacha20_sse2). If this
* is not enabled explicitly, then support for SSE2 intrinsics will be
* automatically detected. If set explicitly to 0, then SSE2 code will
* not be compiled at all.
*
#define BR_SSE2 1
*/
/*
* When BR_POWER8 is enabled, the AES implementation using the POWER ISA
* 2.07 opcodes (available on POWER8 processors and later) is compiled.
* If this is not enabled explicitly, then that implementation will be
* compiled only if a compatible compiler is detected, _and_ the target
* architecture is POWER8 or later.
*
#define BR_POWER8 1
*/
/*
* When BR_INT128 is enabled, then code using the 'unsigned __int64'
* and 'unsigned __int128' types will be used to leverage 64x64->128
* unsigned multiplications. This should work with GCC and compatible
* compilers on 64-bit architectures.
*
#define BR_INT128 1
*/
/*
* When BR_UMUL128 is enabled, then code using the '_umul128()' and
* '_addcarry_u64()' intrinsics will be used to implement 64x64->128
* unsigned multiplications. This should work on Visual C on x64 systems.
*
#define BR_UMUL128 1
*/
/*
* When BR_LE_UNALIGNED is enabled, then the current architecture is
* assumed to use little-endian encoding for integers, and to tolerate
* unaligned accesses with no or minimal time penalty.
*
#define BR_LE_UNALIGNED 1
*/
/*
* When BR_BE_UNALIGNED is enabled, then the current architecture is
* assumed to use big-endian encoding for integers, and to tolerate
* unaligned accesses with no or minimal time penalty.
*
#define BR_BE_UNALIGNED 1
*/
#endif
diff --git a/contrib/bearssl/src/ec/ec_c25519_m64.c b/contrib/bearssl/src/ec/ec_c25519_m64.c
index 7e7f12f7e3ad..df4883467d4a 100644
--- a/contrib/bearssl/src/ec/ec_c25519_m64.c
+++ b/contrib/bearssl/src/ec/ec_c25519_m64.c
@@ -1,835 +1,831 @@
/*
* Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
#if BR_INT128 || BR_UMUL128
#if BR_UMUL128
#include <intrin.h>
#endif
static const unsigned char GEN[] = {
0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
static const unsigned char ORDER[] = {
0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};
static const unsigned char *
api_generator(int curve, size_t *len)
{
(void)curve;
*len = 32;
return GEN;
}
static const unsigned char *
api_order(int curve, size_t *len)
{
(void)curve;
*len = 32;
return ORDER;
}
static size_t
api_xoff(int curve, size_t *len)
{
(void)curve;
*len = 32;
return 0;
}
/*
* A field element is encoded as four 64-bit integers, in basis 2^63.
* Operations return partially reduced values, which may range up to
* 2^255+37.
*/
#define MASK63 (((uint64_t)1 << 63) - (uint64_t)1)
/*
* Swap two field elements, conditionally on a flag.
*/
static inline void
f255_cswap(uint64_t *a, uint64_t *b, uint32_t ctl)
{
uint64_t m, w;
m = -(uint64_t)ctl;
w = m & (a[0] ^ b[0]); a[0] ^= w; b[0] ^= w;
w = m & (a[1] ^ b[1]); a[1] ^= w; b[1] ^= w;
w = m & (a[2] ^ b[2]); a[2] ^= w; b[2] ^= w;
w = m & (a[3] ^ b[3]); a[3] ^= w; b[3] ^= w;
}
/*
* Addition in the field.
*/
static inline void
f255_add(uint64_t *d, const uint64_t *a, const uint64_t *b)
{
#if BR_INT128
uint64_t t0, t1, t2, t3, cc;
unsigned __int128 z;
z = (unsigned __int128)a[0] + (unsigned __int128)b[0];
t0 = (uint64_t)z;
z = (unsigned __int128)a[1] + (unsigned __int128)b[1] + (z >> 64);
t1 = (uint64_t)z;
z = (unsigned __int128)a[2] + (unsigned __int128)b[2] + (z >> 64);
t2 = (uint64_t)z;
z = (unsigned __int128)a[3] + (unsigned __int128)b[3] + (z >> 64);
t3 = (uint64_t)z & MASK63;
cc = (uint64_t)(z >> 63);
/*
* Since operands are at most 2^255+37, the sum is at most
* 2^256+74; thus, the carry cc is equal to 0, 1 or 2.
*
* We use: 2^255 = 19 mod p.
* Since we add 0, 19 or 38 to a value that fits on 255 bits,
* the result is at most 2^255+37.
*/
z = (unsigned __int128)t0 + (unsigned __int128)(19 * cc);
d[0] = (uint64_t)z;
z = (unsigned __int128)t1 + (z >> 64);
d[1] = (uint64_t)z;
z = (unsigned __int128)t2 + (z >> 64);
d[2] = (uint64_t)z;
d[3] = t3 + (uint64_t)(z >> 64);
#elif BR_UMUL128
uint64_t t0, t1, t2, t3, cc;
unsigned char k;
k = _addcarry_u64(0, a[0], b[0], &t0);
k = _addcarry_u64(k, a[1], b[1], &t1);
k = _addcarry_u64(k, a[2], b[2], &t2);
k = _addcarry_u64(k, a[3], b[3], &t3);
cc = (k << 1) + (t3 >> 63);
t3 &= MASK63;
/*
* Since operands are at most 2^255+37, the sum is at most
* 2^256+74; thus, the carry cc is equal to 0, 1 or 2.
*
* We use: 2^255 = 19 mod p.
* Since we add 0, 19 or 38 to a value that fits on 255 bits,
* the result is at most 2^255+37.
*/
k = _addcarry_u64(0, t0, 19 * cc, &d[0]);
k = _addcarry_u64(k, t1, 0, &d[1]);
k = _addcarry_u64(k, t2, 0, &d[2]);
(void)_addcarry_u64(k, t3, 0, &d[3]);
#endif
}
/*
* Subtraction.
- * On input, limbs must fit on 60 bits each. On output, result is
- * partially reduced, with max value 2^255+19456; moreover, all
- * limbs will fit on 51 bits, except the low limb, which may have
- * value up to 2^51+19455.
*/
static inline void
f255_sub(uint64_t *d, const uint64_t *a, const uint64_t *b)
{
#if BR_INT128
/*
* We compute t = 2^256 - 38 + a - b, which is necessarily
* positive but lower than 2^256 + 2^255, since a <= 2^255 + 37
* and b <= 2^255 + 37. We then subtract 0, p or 2*p, depending
* on the two upper bits of t (bits 255 and 256).
*/
uint64_t t0, t1, t2, t3, t4, cc;
unsigned __int128 z;
z = (unsigned __int128)a[0] - (unsigned __int128)b[0] - 38;
t0 = (uint64_t)z;
cc = -(uint64_t)(z >> 64);
z = (unsigned __int128)a[1] - (unsigned __int128)b[1]
- (unsigned __int128)cc;
t1 = (uint64_t)z;
cc = -(uint64_t)(z >> 64);
z = (unsigned __int128)a[2] - (unsigned __int128)b[2]
- (unsigned __int128)cc;
t2 = (uint64_t)z;
cc = -(uint64_t)(z >> 64);
z = (unsigned __int128)a[3] - (unsigned __int128)b[3]
- (unsigned __int128)cc;
t3 = (uint64_t)z;
t4 = 1 + (uint64_t)(z >> 64);
/*
* We have a 257-bit result. The two top bits can be 00, 01 or 10,
* but not 11 (value t <= 2^256 - 38 + 2^255 + 37 = 2^256 + 2^255 - 1).
* Therefore, we can truncate to 255 bits, and add 0, 19 or 38.
* This guarantees that the result is at most 2^255+37.
*/
cc = (38 & -t4) + (19 & -(t3 >> 63));
t3 &= MASK63;
z = (unsigned __int128)t0 + (unsigned __int128)cc;
d[0] = (uint64_t)z;
z = (unsigned __int128)t1 + (z >> 64);
d[1] = (uint64_t)z;
z = (unsigned __int128)t2 + (z >> 64);
d[2] = (uint64_t)z;
d[3] = t3 + (uint64_t)(z >> 64);
#elif BR_UMUL128
/*
* We compute t = 2^256 - 38 + a - b, which is necessarily
* positive but lower than 2^256 + 2^255, since a <= 2^255 + 37
* and b <= 2^255 + 37. We then subtract 0, p or 2*p, depending
* on the two upper bits of t (bits 255 and 256).
*/
uint64_t t0, t1, t2, t3, t4;
unsigned char k;
k = _subborrow_u64(0, a[0], b[0], &t0);
k = _subborrow_u64(k, a[1], b[1], &t1);
k = _subborrow_u64(k, a[2], b[2], &t2);
k = _subborrow_u64(k, a[3], b[3], &t3);
(void)_subborrow_u64(k, 1, 0, &t4);
k = _subborrow_u64(0, t0, 38, &t0);
k = _subborrow_u64(k, t1, 0, &t1);
k = _subborrow_u64(k, t2, 0, &t2);
k = _subborrow_u64(k, t3, 0, &t3);
(void)_subborrow_u64(k, t4, 0, &t4);
/*
* We have a 257-bit result. The two top bits can be 00, 01 or 10,
* but not 11 (value t <= 2^256 - 38 + 2^255 + 37 = 2^256 + 2^255 - 1).
* Therefore, we can truncate to 255 bits, and add 0, 19 or 38.
* This guarantees that the result is at most 2^255+37.
*/
t4 = (38 & -t4) + (19 & -(t3 >> 63));
t3 &= MASK63;
k = _addcarry_u64(0, t0, t4, &d[0]);
k = _addcarry_u64(k, t1, 0, &d[1]);
k = _addcarry_u64(k, t2, 0, &d[2]);
(void)_addcarry_u64(k, t3, 0, &d[3]);
#endif
}
/*
* Multiplication.
*/
static inline void
f255_mul(uint64_t *d, uint64_t *a, uint64_t *b)
{
#if BR_INT128
unsigned __int128 z;
uint64_t t0, t1, t2, t3, t4, t5, t6, t7, th;
/*
* Compute the product a*b over plain integers.
*/
z = (unsigned __int128)a[0] * (unsigned __int128)b[0];
t0 = (uint64_t)z;
z = (unsigned __int128)a[0] * (unsigned __int128)b[1] + (z >> 64);
t1 = (uint64_t)z;
z = (unsigned __int128)a[0] * (unsigned __int128)b[2] + (z >> 64);
t2 = (uint64_t)z;
z = (unsigned __int128)a[0] * (unsigned __int128)b[3] + (z >> 64);
t3 = (uint64_t)z;
t4 = (uint64_t)(z >> 64);
z = (unsigned __int128)a[1] * (unsigned __int128)b[0]
+ (unsigned __int128)t1;
t1 = (uint64_t)z;
z = (unsigned __int128)a[1] * (unsigned __int128)b[1]
+ (unsigned __int128)t2 + (z >> 64);
t2 = (uint64_t)z;
z = (unsigned __int128)a[1] * (unsigned __int128)b[2]
+ (unsigned __int128)t3 + (z >> 64);
t3 = (uint64_t)z;
z = (unsigned __int128)a[1] * (unsigned __int128)b[3]
+ (unsigned __int128)t4 + (z >> 64);
t4 = (uint64_t)z;
t5 = (uint64_t)(z >> 64);
z = (unsigned __int128)a[2] * (unsigned __int128)b[0]
+ (unsigned __int128)t2;
t2 = (uint64_t)z;
z = (unsigned __int128)a[2] * (unsigned __int128)b[1]
+ (unsigned __int128)t3 + (z >> 64);
t3 = (uint64_t)z;
z = (unsigned __int128)a[2] * (unsigned __int128)b[2]
+ (unsigned __int128)t4 + (z >> 64);
t4 = (uint64_t)z;
z = (unsigned __int128)a[2] * (unsigned __int128)b[3]
+ (unsigned __int128)t5 + (z >> 64);
t5 = (uint64_t)z;
t6 = (uint64_t)(z >> 64);
z = (unsigned __int128)a[3] * (unsigned __int128)b[0]
+ (unsigned __int128)t3;
t3 = (uint64_t)z;
z = (unsigned __int128)a[3] * (unsigned __int128)b[1]
+ (unsigned __int128)t4 + (z >> 64);
t4 = (uint64_t)z;
z = (unsigned __int128)a[3] * (unsigned __int128)b[2]
+ (unsigned __int128)t5 + (z >> 64);
t5 = (uint64_t)z;
z = (unsigned __int128)a[3] * (unsigned __int128)b[3]
+ (unsigned __int128)t6 + (z >> 64);
t6 = (uint64_t)z;
t7 = (uint64_t)(z >> 64);
/*
* Modulo p, we have:
*
* 2^255 = 19
* 2^510 = 19*19 = 361
*
* We split the intermediate t into three parts, in basis
* 2^255. The low one will be in t0..t3; the middle one in t4..t7.
* The upper one can only be a single bit (th), since the
* multiplication operands are at most 2^255+37 each.
*/
th = t7 >> 62;
t7 = ((t7 << 1) | (t6 >> 63)) & MASK63;
t6 = (t6 << 1) | (t5 >> 63);
t5 = (t5 << 1) | (t4 >> 63);
t4 = (t4 << 1) | (t3 >> 63);
t3 &= MASK63;
/*
* Multiply the middle part (t4..t7) by 19. We truncate it to
* 255 bits; the extra bits will go along with th.
*/
z = (unsigned __int128)t4 * 19;
t4 = (uint64_t)z;
z = (unsigned __int128)t5 * 19 + (z >> 64);
t5 = (uint64_t)z;
z = (unsigned __int128)t6 * 19 + (z >> 64);
t6 = (uint64_t)z;
z = (unsigned __int128)t7 * 19 + (z >> 64);
t7 = (uint64_t)z & MASK63;
th = (361 & -th) + (19 * (uint64_t)(z >> 63));
/*
* Add elements together.
* At this point:
* t0..t3 fits on 255 bits.
* t4..t7 fits on 255 bits.
* th <= 361 + 342 = 703.
*/
z = (unsigned __int128)t0 + (unsigned __int128)t4
+ (unsigned __int128)th;
t0 = (uint64_t)z;
z = (unsigned __int128)t1 + (unsigned __int128)t5 + (z >> 64);
t1 = (uint64_t)z;
z = (unsigned __int128)t2 + (unsigned __int128)t6 + (z >> 64);
t2 = (uint64_t)z;
z = (unsigned __int128)t3 + (unsigned __int128)t7 + (z >> 64);
t3 = (uint64_t)z & MASK63;
th = (uint64_t)(z >> 63);
/*
* Since the sum is at most 2^256 + 703, the two upper bits, in th,
* can only have value 0, 1 or 2. We just add th*19, which
* guarantees a result of at most 2^255+37.
*/
z = (unsigned __int128)t0 + (19 * th);
d[0] = (uint64_t)z;
z = (unsigned __int128)t1 + (z >> 64);
d[1] = (uint64_t)z;
z = (unsigned __int128)t2 + (z >> 64);
d[2] = (uint64_t)z;
d[3] = t3 + (uint64_t)(z >> 64);
#elif BR_UMUL128
uint64_t t0, t1, t2, t3, t4, t5, t6, t7, th;
uint64_t h0, h1, h2, h3;
unsigned char k;
/*
* Compute the product a*b over plain integers.
*/
t0 = _umul128(a[0], b[0], &h0);
t1 = _umul128(a[0], b[1], &h1);
k = _addcarry_u64(0, t1, h0, &t1);
t2 = _umul128(a[0], b[2], &h2);
k = _addcarry_u64(k, t2, h1, &t2);
t3 = _umul128(a[0], b[3], &h3);
k = _addcarry_u64(k, t3, h2, &t3);
(void)_addcarry_u64(k, h3, 0, &t4);
k = _addcarry_u64(0, _umul128(a[1], b[0], &h0), t1, &t1);
k = _addcarry_u64(k, _umul128(a[1], b[1], &h1), t2, &t2);
k = _addcarry_u64(k, _umul128(a[1], b[2], &h2), t3, &t3);
k = _addcarry_u64(k, _umul128(a[1], b[3], &h3), t4, &t4);
t5 = k;
k = _addcarry_u64(0, t2, h0, &t2);
k = _addcarry_u64(k, t3, h1, &t3);
k = _addcarry_u64(k, t4, h2, &t4);
(void)_addcarry_u64(k, t5, h3, &t5);
k = _addcarry_u64(0, _umul128(a[2], b[0], &h0), t2, &t2);
k = _addcarry_u64(k, _umul128(a[2], b[1], &h1), t3, &t3);
k = _addcarry_u64(k, _umul128(a[2], b[2], &h2), t4, &t4);
k = _addcarry_u64(k, _umul128(a[2], b[3], &h3), t5, &t5);
t6 = k;
k = _addcarry_u64(0, t3, h0, &t3);
k = _addcarry_u64(k, t4, h1, &t4);
k = _addcarry_u64(k, t5, h2, &t5);
(void)_addcarry_u64(k, t6, h3, &t6);
k = _addcarry_u64(0, _umul128(a[3], b[0], &h0), t3, &t3);
k = _addcarry_u64(k, _umul128(a[3], b[1], &h1), t4, &t4);
k = _addcarry_u64(k, _umul128(a[3], b[2], &h2), t5, &t5);
k = _addcarry_u64(k, _umul128(a[3], b[3], &h3), t6, &t6);
t7 = k;
k = _addcarry_u64(0, t4, h0, &t4);
k = _addcarry_u64(k, t5, h1, &t5);
k = _addcarry_u64(k, t6, h2, &t6);
(void)_addcarry_u64(k, t7, h3, &t7);
/*
* Modulo p, we have:
*
* 2^255 = 19
* 2^510 = 19*19 = 361
*
* We split the intermediate t into three parts, in basis
* 2^255. The low one will be in t0..t3; the middle one in t4..t7.
* The upper one can only be a single bit (th), since the
* multiplication operands are at most 2^255+37 each.
*/
th = t7 >> 62;
t7 = ((t7 << 1) | (t6 >> 63)) & MASK63;
t6 = (t6 << 1) | (t5 >> 63);
t5 = (t5 << 1) | (t4 >> 63);
t4 = (t4 << 1) | (t3 >> 63);
t3 &= MASK63;
/*
* Multiply the middle part (t4..t7) by 19. We truncate it to
* 255 bits; the extra bits will go along with th.
*/
t4 = _umul128(t4, 19, &h0);
t5 = _umul128(t5, 19, &h1);
t6 = _umul128(t6, 19, &h2);
t7 = _umul128(t7, 19, &h3);
k = _addcarry_u64(0, t5, h0, &t5);
k = _addcarry_u64(k, t6, h1, &t6);
k = _addcarry_u64(k, t7, h2, &t7);
(void)_addcarry_u64(k, h3, 0, &h3);
th = (361 & -th) + (19 * ((h3 << 1) + (t7 >> 63)));
t7 &= MASK63;
/*
* Add elements together.
* At this point:
* t0..t3 fits on 255 bits.
* t4..t7 fits on 255 bits.
* th <= 361 + 342 = 703.
*/
k = _addcarry_u64(0, t0, t4, &t0);
k = _addcarry_u64(k, t1, t5, &t1);
k = _addcarry_u64(k, t2, t6, &t2);
k = _addcarry_u64(k, t3, t7, &t3);
t4 = k;
k = _addcarry_u64(0, t0, th, &t0);
k = _addcarry_u64(k, t1, 0, &t1);
k = _addcarry_u64(k, t2, 0, &t2);
k = _addcarry_u64(k, t3, 0, &t3);
(void)_addcarry_u64(k, t4, 0, &t4);
th = (t4 << 1) + (t3 >> 63);
t3 &= MASK63;
/*
* Since the sum is at most 2^256 + 703, the two upper bits, in th,
* can only have value 0, 1 or 2. We just add th*19, which
* guarantees a result of at most 2^255+37.
*/
k = _addcarry_u64(0, t0, 19 * th, &d[0]);
k = _addcarry_u64(k, t1, 0, &d[1]);
k = _addcarry_u64(k, t2, 0, &d[2]);
(void)_addcarry_u64(k, t3, 0, &d[3]);
#endif
}
/*
* Multiplication by A24 = 121665.
*/
static inline void
f255_mul_a24(uint64_t *d, const uint64_t *a)
{
#if BR_INT128
uint64_t t0, t1, t2, t3;
unsigned __int128 z;
z = (unsigned __int128)a[0] * 121665;
t0 = (uint64_t)z;
z = (unsigned __int128)a[1] * 121665 + (z >> 64);
t1 = (uint64_t)z;
z = (unsigned __int128)a[2] * 121665 + (z >> 64);
t2 = (uint64_t)z;
z = (unsigned __int128)a[3] * 121665 + (z >> 64);
t3 = (uint64_t)z & MASK63;
z = (unsigned __int128)t0 + (19 * (uint64_t)(z >> 63));
t0 = (uint64_t)z;
z = (unsigned __int128)t1 + (z >> 64);
t1 = (uint64_t)z;
z = (unsigned __int128)t2 + (z >> 64);
t2 = (uint64_t)z;
t3 = t3 + (uint64_t)(z >> 64);
z = (unsigned __int128)t0 + (19 & -(t3 >> 63));
d[0] = (uint64_t)z;
z = (unsigned __int128)t1 + (z >> 64);
d[1] = (uint64_t)z;
z = (unsigned __int128)t2 + (z >> 64);
d[2] = (uint64_t)z;
d[3] = (t3 & MASK63) + (uint64_t)(z >> 64);
#elif BR_UMUL128
uint64_t t0, t1, t2, t3, t4, h0, h1, h2, h3;
unsigned char k;
t0 = _umul128(a[0], 121665, &h0);
t1 = _umul128(a[1], 121665, &h1);
k = _addcarry_u64(0, t1, h0, &t1);
t2 = _umul128(a[2], 121665, &h2);
k = _addcarry_u64(k, t2, h1, &t2);
t3 = _umul128(a[3], 121665, &h3);
k = _addcarry_u64(k, t3, h2, &t3);
(void)_addcarry_u64(k, h3, 0, &t4);
t4 = (t4 << 1) + (t3 >> 63);
t3 &= MASK63;
k = _addcarry_u64(0, t0, 19 * t4, &t0);
k = _addcarry_u64(k, t1, 0, &t1);
k = _addcarry_u64(k, t2, 0, &t2);
(void)_addcarry_u64(k, t3, 0, &t3);
t4 = 19 & -(t3 >> 63);
t3 &= MASK63;
k = _addcarry_u64(0, t0, t4, &d[0]);
k = _addcarry_u64(k, t1, 0, &d[1]);
k = _addcarry_u64(k, t2, 0, &d[2]);
(void)_addcarry_u64(k, t3, 0, &d[3]);
#endif
}
/*
* Finalize reduction.
*/
static inline void
f255_final_reduce(uint64_t *a)
{
#if BR_INT128
uint64_t t0, t1, t2, t3, m;
unsigned __int128 z;
/*
* We add 19. If the result (in t) is below 2^255, then a[]
* is already less than 2^255-19, thus already reduced.
* Otherwise, we subtract 2^255 from t[], in which case we
* have t = a - (2^255-19), and that's our result.
*/
z = (unsigned __int128)a[0] + 19;
t0 = (uint64_t)z;
z = (unsigned __int128)a[1] + (z >> 64);
t1 = (uint64_t)z;
z = (unsigned __int128)a[2] + (z >> 64);
t2 = (uint64_t)z;
t3 = a[3] + (uint64_t)(z >> 64);
m = -(t3 >> 63);
t3 &= MASK63;
a[0] ^= m & (a[0] ^ t0);
a[1] ^= m & (a[1] ^ t1);
a[2] ^= m & (a[2] ^ t2);
a[3] ^= m & (a[3] ^ t3);
#elif BR_UMUL128
uint64_t t0, t1, t2, t3, m;
unsigned char k;
/*
* We add 19. If the result (in t) is below 2^255, then a[]
* is already less than 2^255-19, thus already reduced.
* Otherwise, we subtract 2^255 from t[], in which case we
* have t = a - (2^255-19), and that's our result.
*/
k = _addcarry_u64(0, a[0], 19, &t0);
k = _addcarry_u64(k, a[1], 0, &t1);
k = _addcarry_u64(k, a[2], 0, &t2);
(void)_addcarry_u64(k, a[3], 0, &t3);
m = -(t3 >> 63);
t3 &= MASK63;
a[0] ^= m & (a[0] ^ t0);
a[1] ^= m & (a[1] ^ t1);
a[2] ^= m & (a[2] ^ t2);
a[3] ^= m & (a[3] ^ t3);
#endif
}
static uint32_t
api_mul(unsigned char *G, size_t Glen,
const unsigned char *kb, size_t kblen, int curve)
{
unsigned char k[32];
uint64_t x1[4], x2[4], z2[4], x3[4], z3[4];
uint32_t swap;
int i;
(void)curve;
/*
* Points are encoded over exactly 32 bytes. Multipliers must fit
* in 32 bytes as well.
*/
if (Glen != 32 || kblen > 32) {
return 0;
}
/*
* RFC 7748 mandates that the high bit of the last point byte must
* be ignored/cleared.
*/
x1[0] = br_dec64le(&G[ 0]);
x1[1] = br_dec64le(&G[ 8]);
x1[2] = br_dec64le(&G[16]);
x1[3] = br_dec64le(&G[24]) & MASK63;
/*
* We can use memset() to clear values, because exact-width types
* like uint64_t are guaranteed to have no padding bits or
* trap representations.
*/
memset(x2, 0, sizeof x2);
x2[0] = 1;
memset(z2, 0, sizeof z2);
memcpy(x3, x1, sizeof x1);
memcpy(z3, x2, sizeof x2);
/*
* The multiplier is provided in big-endian notation, and
* possibly shorter than 32 bytes.
*/
memset(k, 0, (sizeof k) - kblen);
memcpy(k + (sizeof k) - kblen, kb, kblen);
k[31] &= 0xF8;
k[0] &= 0x7F;
k[0] |= 0x40;
swap = 0;
for (i = 254; i >= 0; i --) {
uint64_t a[4], aa[4], b[4], bb[4], e[4];
uint64_t c[4], d[4], da[4], cb[4];
uint32_t kt;
kt = (k[31 - (i >> 3)] >> (i & 7)) & 1;
swap ^= kt;
f255_cswap(x2, x3, swap);
f255_cswap(z2, z3, swap);
swap = kt;
/* A = x_2 + z_2 */
f255_add(a, x2, z2);
/* AA = A^2 */
f255_mul(aa, a, a);
/* B = x_2 - z_2 */
f255_sub(b, x2, z2);
/* BB = B^2 */
f255_mul(bb, b, b);
/* E = AA - BB */
f255_sub(e, aa, bb);
/* C = x_3 + z_3 */
f255_add(c, x3, z3);
/* D = x_3 - z_3 */
f255_sub(d, x3, z3);
/* DA = D * A */
f255_mul(da, d, a);
/* CB = C * B */
f255_mul(cb, c, b);
/* x_3 = (DA + CB)^2 */
f255_add(x3, da, cb);
f255_mul(x3, x3, x3);
/* z_3 = x_1 * (DA - CB)^2 */
f255_sub(z3, da, cb);
f255_mul(z3, z3, z3);
f255_mul(z3, x1, z3);
/* x_2 = AA * BB */
f255_mul(x2, aa, bb);
/* z_2 = E * (AA + a24 * E) */
f255_mul_a24(z2, e);
f255_add(z2, aa, z2);
f255_mul(z2, e, z2);
}
f255_cswap(x2, x3, swap);
f255_cswap(z2, z3, swap);
/*
* Compute 1/z2 = z2^(p-2). Since p = 2^255-19, we can mutualize
* most non-squarings. We use x1 and x3, now useless, as temporaries.
*/
memcpy(x1, z2, sizeof z2);
for (i = 0; i < 15; i ++) {
f255_mul(x1, x1, x1);
f255_mul(x1, x1, z2);
}
memcpy(x3, x1, sizeof x1);
for (i = 0; i < 14; i ++) {
int j;
for (j = 0; j < 16; j ++) {
f255_mul(x3, x3, x3);
}
f255_mul(x3, x3, x1);
}
for (i = 14; i >= 0; i --) {
f255_mul(x3, x3, x3);
if ((0xFFEB >> i) & 1) {
f255_mul(x3, z2, x3);
}
}
/*
* Compute x2/z2. We have 1/z2 in x3.
*/
f255_mul(x2, x2, x3);
f255_final_reduce(x2);
/*
* Encode the final x2 value in little-endian.
*/
br_enc64le(G, x2[0]);
br_enc64le(G + 8, x2[1]);
br_enc64le(G + 16, x2[2]);
br_enc64le(G + 24, x2[3]);
return 1;
}
static size_t
api_mulgen(unsigned char *R,
const unsigned char *x, size_t xlen, int curve)
{
const unsigned char *G;
size_t Glen;
G = api_generator(curve, &Glen);
memcpy(R, G, Glen);
api_mul(R, Glen, x, xlen, curve);
return Glen;
}
static uint32_t
api_muladd(unsigned char *A, const unsigned char *B, size_t len,
const unsigned char *x, size_t xlen,
const unsigned char *y, size_t ylen, int curve)
{
/*
* We don't implement this method, since it is used for ECDSA
* only, and there is no ECDSA over Curve25519 (which instead
* uses EdDSA).
*/
(void)A;
(void)B;
(void)len;
(void)x;
(void)xlen;
(void)y;
(void)ylen;
(void)curve;
return 0;
}
/* see bearssl_ec.h */
const br_ec_impl br_ec_c25519_m64 = {
(uint32_t)0x20000000,
&api_generator,
&api_order,
&api_xoff,
&api_mul,
&api_mulgen,
&api_muladd
};
/* see bearssl_ec.h */
const br_ec_impl *
br_ec_c25519_m64_get(void)
{
return &br_ec_c25519_m64;
}
#else
/* see bearssl_ec.h */
const br_ec_impl *
br_ec_c25519_m64_get(void)
{
return 0;
}
#endif
diff --git a/contrib/bearssl/src/ec/ec_p256_m15.c b/contrib/bearssl/src/ec/ec_p256_m15.c
index 8d68d1d21bdb..05800d87f46a 100644
--- a/contrib/bearssl/src/ec/ec_p256_m15.c
+++ b/contrib/bearssl/src/ec/ec_p256_m15.c
@@ -1,2130 +1,2124 @@
/*
* Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
/*
* If BR_NO_ARITH_SHIFT is undefined, or defined to 0, then we _assume_
* that right-shifting a signed negative integer copies the sign bit
* (arithmetic right-shift). This is "implementation-defined behaviour",
* i.e. it is not undefined, but it may differ between compilers. Each
* compiler is supposed to document its behaviour in that respect. GCC
* explicitly defines that an arithmetic right shift is used. We expect
* all other compilers to do the same, because underlying CPU offer an
* arithmetic right shift opcode that could not be used otherwise.
*/
#if BR_NO_ARITH_SHIFT
#define ARSH(x, n) (((uint32_t)(x) >> (n)) \
| ((-((uint32_t)(x) >> 31)) << (32 - (n))))
#else
#define ARSH(x, n) ((*(int32_t *)&(x)) >> (n))
#endif
/*
* Convert an integer from unsigned big-endian encoding to a sequence of
* 13-bit words in little-endian order. The final "partial" word is
* returned.
*/
static uint32_t
be8_to_le13(uint32_t *dst, const unsigned char *src, size_t len)
{
uint32_t acc;
int acc_len;
acc = 0;
acc_len = 0;
while (len -- > 0) {
acc |= (uint32_t)src[len] << acc_len;
acc_len += 8;
if (acc_len >= 13) {
*dst ++ = acc & 0x1FFF;
acc >>= 13;
acc_len -= 13;
}
}
return acc;
}
/*
* Convert an integer (13-bit words, little-endian) to unsigned
* big-endian encoding. The total encoding length is provided; all
* the destination bytes will be filled.
*/
static void
le13_to_be8(unsigned char *dst, size_t len, const uint32_t *src)
{
uint32_t acc;
int acc_len;
acc = 0;
acc_len = 0;
while (len -- > 0) {
if (acc_len < 8) {
acc |= (*src ++) << acc_len;
acc_len += 13;
}
dst[len] = (unsigned char)acc;
acc >>= 8;
acc_len -= 8;
}
}
/*
* Normalise an array of words to a strict 13 bits per word. Returned
* value is the resulting carry. The source (w) and destination (d)
* arrays may be identical, but shall not overlap partially.
*/
static inline uint32_t
norm13(uint32_t *d, const uint32_t *w, size_t len)
{
size_t u;
uint32_t cc;
cc = 0;
for (u = 0; u < len; u ++) {
int32_t z;
z = w[u] + cc;
d[u] = z & 0x1FFF;
cc = ARSH(z, 13);
}
return cc;
}
/*
* mul20() multiplies two 260-bit integers together. Each word must fit
* on 13 bits; source operands use 20 words, destination operand
* receives 40 words. All overlaps allowed.
*
* square20() computes the square of a 260-bit integer. Each word must
* fit on 13 bits; source operand uses 20 words, destination operand
* receives 40 words. All overlaps allowed.
*/
#if BR_SLOW_MUL15
static void
mul20(uint32_t *d, const uint32_t *a, const uint32_t *b)
{
/*
* Two-level Karatsuba: turns a 20x20 multiplication into
* nine 5x5 multiplications. We use 13-bit words but do not
* propagate carries immediately, so words may expand:
*
* - First Karatsuba decomposition turns the 20x20 mul on
* 13-bit words into three 10x10 muls, two on 13-bit words
* and one on 14-bit words.
*
* - Second Karatsuba decomposition further splits these into:
*
* * four 5x5 muls on 13-bit words
* * four 5x5 muls on 14-bit words
* * one 5x5 mul on 15-bit words
*
* Highest word value is 8191, 16382 or 32764, for 13-bit, 14-bit
* or 15-bit words, respectively.
*/
uint32_t u[45], v[45], w[90];
uint32_t cc;
int i;
#define ZADD(dw, d_off, s1w, s1_off, s2w, s2_off) do { \
(dw)[5 * (d_off) + 0] = (s1w)[5 * (s1_off) + 0] \
+ (s2w)[5 * (s2_off) + 0]; \
(dw)[5 * (d_off) + 1] = (s1w)[5 * (s1_off) + 1] \
+ (s2w)[5 * (s2_off) + 1]; \
(dw)[5 * (d_off) + 2] = (s1w)[5 * (s1_off) + 2] \
+ (s2w)[5 * (s2_off) + 2]; \
(dw)[5 * (d_off) + 3] = (s1w)[5 * (s1_off) + 3] \
+ (s2w)[5 * (s2_off) + 3]; \
(dw)[5 * (d_off) + 4] = (s1w)[5 * (s1_off) + 4] \
+ (s2w)[5 * (s2_off) + 4]; \
} while (0)
#define ZADDT(dw, d_off, sw, s_off) do { \
(dw)[5 * (d_off) + 0] += (sw)[5 * (s_off) + 0]; \
(dw)[5 * (d_off) + 1] += (sw)[5 * (s_off) + 1]; \
(dw)[5 * (d_off) + 2] += (sw)[5 * (s_off) + 2]; \
(dw)[5 * (d_off) + 3] += (sw)[5 * (s_off) + 3]; \
(dw)[5 * (d_off) + 4] += (sw)[5 * (s_off) + 4]; \
} while (0)
#define ZSUB2F(dw, d_off, s1w, s1_off, s2w, s2_off) do { \
(dw)[5 * (d_off) + 0] -= (s1w)[5 * (s1_off) + 0] \
+ (s2w)[5 * (s2_off) + 0]; \
(dw)[5 * (d_off) + 1] -= (s1w)[5 * (s1_off) + 1] \
+ (s2w)[5 * (s2_off) + 1]; \
(dw)[5 * (d_off) + 2] -= (s1w)[5 * (s1_off) + 2] \
+ (s2w)[5 * (s2_off) + 2]; \
(dw)[5 * (d_off) + 3] -= (s1w)[5 * (s1_off) + 3] \
+ (s2w)[5 * (s2_off) + 3]; \
(dw)[5 * (d_off) + 4] -= (s1w)[5 * (s1_off) + 4] \
+ (s2w)[5 * (s2_off) + 4]; \
} while (0)
#define CPR1(w, cprcc) do { \
uint32_t cprz = (w) + cprcc; \
(w) = cprz & 0x1FFF; \
cprcc = cprz >> 13; \
} while (0)
#define CPR(dw, d_off) do { \
uint32_t cprcc; \
cprcc = 0; \
CPR1((dw)[(d_off) + 0], cprcc); \
CPR1((dw)[(d_off) + 1], cprcc); \
CPR1((dw)[(d_off) + 2], cprcc); \
CPR1((dw)[(d_off) + 3], cprcc); \
CPR1((dw)[(d_off) + 4], cprcc); \
CPR1((dw)[(d_off) + 5], cprcc); \
CPR1((dw)[(d_off) + 6], cprcc); \
CPR1((dw)[(d_off) + 7], cprcc); \
CPR1((dw)[(d_off) + 8], cprcc); \
(dw)[(d_off) + 9] = cprcc; \
} while (0)
memcpy(u, a, 20 * sizeof *a);
ZADD(u, 4, a, 0, a, 1);
ZADD(u, 5, a, 2, a, 3);
ZADD(u, 6, a, 0, a, 2);
ZADD(u, 7, a, 1, a, 3);
ZADD(u, 8, u, 6, u, 7);
memcpy(v, b, 20 * sizeof *b);
ZADD(v, 4, b, 0, b, 1);
ZADD(v, 5, b, 2, b, 3);
ZADD(v, 6, b, 0, b, 2);
ZADD(v, 7, b, 1, b, 3);
ZADD(v, 8, v, 6, v, 7);
/*
* Do the eight first 8x8 muls. Source words are at most 16382
* each, so we can add product results together "as is" in 32-bit
* words.
*/
for (i = 0; i < 40; i += 5) {
w[(i << 1) + 0] = MUL15(u[i + 0], v[i + 0]);
w[(i << 1) + 1] = MUL15(u[i + 0], v[i + 1])
+ MUL15(u[i + 1], v[i + 0]);
w[(i << 1) + 2] = MUL15(u[i + 0], v[i + 2])
+ MUL15(u[i + 1], v[i + 1])
+ MUL15(u[i + 2], v[i + 0]);
w[(i << 1) + 3] = MUL15(u[i + 0], v[i + 3])
+ MUL15(u[i + 1], v[i + 2])
+ MUL15(u[i + 2], v[i + 1])
+ MUL15(u[i + 3], v[i + 0]);
w[(i << 1) + 4] = MUL15(u[i + 0], v[i + 4])
+ MUL15(u[i + 1], v[i + 3])
+ MUL15(u[i + 2], v[i + 2])
+ MUL15(u[i + 3], v[i + 1])
+ MUL15(u[i + 4], v[i + 0]);
w[(i << 1) + 5] = MUL15(u[i + 1], v[i + 4])
+ MUL15(u[i + 2], v[i + 3])
+ MUL15(u[i + 3], v[i + 2])
+ MUL15(u[i + 4], v[i + 1]);
w[(i << 1) + 6] = MUL15(u[i + 2], v[i + 4])
+ MUL15(u[i + 3], v[i + 3])
+ MUL15(u[i + 4], v[i + 2]);
w[(i << 1) + 7] = MUL15(u[i + 3], v[i + 4])
+ MUL15(u[i + 4], v[i + 3]);
w[(i << 1) + 8] = MUL15(u[i + 4], v[i + 4]);
w[(i << 1) + 9] = 0;
}
/*
* For the 9th multiplication, source words are up to 32764,
* so we must do some carry propagation. If we add up to
* 4 products and the carry is no more than 524224, then the
* result fits in 32 bits, and the next carry will be no more
* than 524224 (because 4*(32764^2)+524224 < 8192*524225).
*
* We thus just skip one of the products in the middle word,
* then do a carry propagation (this reduces words to 13 bits
* each, except possibly the last, which may use up to 17 bits
* or so), then add the missing product.
*/
w[80 + 0] = MUL15(u[40 + 0], v[40 + 0]);
w[80 + 1] = MUL15(u[40 + 0], v[40 + 1])
+ MUL15(u[40 + 1], v[40 + 0]);
w[80 + 2] = MUL15(u[40 + 0], v[40 + 2])
+ MUL15(u[40 + 1], v[40 + 1])
+ MUL15(u[40 + 2], v[40 + 0]);
w[80 + 3] = MUL15(u[40 + 0], v[40 + 3])
+ MUL15(u[40 + 1], v[40 + 2])
+ MUL15(u[40 + 2], v[40 + 1])
+ MUL15(u[40 + 3], v[40 + 0]);
w[80 + 4] = MUL15(u[40 + 0], v[40 + 4])
+ MUL15(u[40 + 1], v[40 + 3])
+ MUL15(u[40 + 2], v[40 + 2])
+ MUL15(u[40 + 3], v[40 + 1]);
/* + MUL15(u[40 + 4], v[40 + 0]) */
w[80 + 5] = MUL15(u[40 + 1], v[40 + 4])
+ MUL15(u[40 + 2], v[40 + 3])
+ MUL15(u[40 + 3], v[40 + 2])
+ MUL15(u[40 + 4], v[40 + 1]);
w[80 + 6] = MUL15(u[40 + 2], v[40 + 4])
+ MUL15(u[40 + 3], v[40 + 3])
+ MUL15(u[40 + 4], v[40 + 2]);
w[80 + 7] = MUL15(u[40 + 3], v[40 + 4])
+ MUL15(u[40 + 4], v[40 + 3]);
w[80 + 8] = MUL15(u[40 + 4], v[40 + 4]);
CPR(w, 80);
w[80 + 4] += MUL15(u[40 + 4], v[40 + 0]);
/*
* The products on 14-bit words in slots 6 and 7 yield values
* up to 5*(16382^2) each, and we need to subtract two such
* values from the higher word. We need the subtraction to fit
* in a _signed_ 32-bit integer, i.e. 31 bits + a sign bit.
* However, 10*(16382^2) does not fit. So we must perform a
* bit of reduction here.
*/
CPR(w, 60);
CPR(w, 70);
/*
* Recompose results.
*/
/* 0..1*0..1 into 0..3 */
ZSUB2F(w, 8, w, 0, w, 2);
ZSUB2F(w, 9, w, 1, w, 3);
ZADDT(w, 1, w, 8);
ZADDT(w, 2, w, 9);
/* 2..3*2..3 into 4..7 */
ZSUB2F(w, 10, w, 4, w, 6);
ZSUB2F(w, 11, w, 5, w, 7);
ZADDT(w, 5, w, 10);
ZADDT(w, 6, w, 11);
/* (0..1+2..3)*(0..1+2..3) into 12..15 */
ZSUB2F(w, 16, w, 12, w, 14);
ZSUB2F(w, 17, w, 13, w, 15);
ZADDT(w, 13, w, 16);
ZADDT(w, 14, w, 17);
/* first-level recomposition */
ZSUB2F(w, 12, w, 0, w, 4);
ZSUB2F(w, 13, w, 1, w, 5);
ZSUB2F(w, 14, w, 2, w, 6);
ZSUB2F(w, 15, w, 3, w, 7);
ZADDT(w, 2, w, 12);
ZADDT(w, 3, w, 13);
ZADDT(w, 4, w, 14);
ZADDT(w, 5, w, 15);
/*
* Perform carry propagation to bring all words down to 13 bits.
*/
cc = norm13(d, w, 40);
d[39] += (cc << 13);
#undef ZADD
#undef ZADDT
#undef ZSUB2F
#undef CPR1
#undef CPR
}
static inline void
square20(uint32_t *d, const uint32_t *a)
{
mul20(d, a, a);
}
#else
static void
mul20(uint32_t *d, const uint32_t *a, const uint32_t *b)
{
uint32_t t[39];
t[ 0] = MUL15(a[ 0], b[ 0]);
t[ 1] = MUL15(a[ 0], b[ 1])
+ MUL15(a[ 1], b[ 0]);
t[ 2] = MUL15(a[ 0], b[ 2])
+ MUL15(a[ 1], b[ 1])
+ MUL15(a[ 2], b[ 0]);
t[ 3] = MUL15(a[ 0], b[ 3])
+ MUL15(a[ 1], b[ 2])
+ MUL15(a[ 2], b[ 1])
+ MUL15(a[ 3], b[ 0]);
t[ 4] = MUL15(a[ 0], b[ 4])
+ MUL15(a[ 1], b[ 3])
+ MUL15(a[ 2], b[ 2])
+ MUL15(a[ 3], b[ 1])
+ MUL15(a[ 4], b[ 0]);
t[ 5] = MUL15(a[ 0], b[ 5])
+ MUL15(a[ 1], b[ 4])
+ MUL15(a[ 2], b[ 3])
+ MUL15(a[ 3], b[ 2])
+ MUL15(a[ 4], b[ 1])
+ MUL15(a[ 5], b[ 0]);
t[ 6] = MUL15(a[ 0], b[ 6])
+ MUL15(a[ 1], b[ 5])
+ MUL15(a[ 2], b[ 4])
+ MUL15(a[ 3], b[ 3])
+ MUL15(a[ 4], b[ 2])
+ MUL15(a[ 5], b[ 1])
+ MUL15(a[ 6], b[ 0]);
t[ 7] = MUL15(a[ 0], b[ 7])
+ MUL15(a[ 1], b[ 6])
+ MUL15(a[ 2], b[ 5])
+ MUL15(a[ 3], b[ 4])
+ MUL15(a[ 4], b[ 3])
+ MUL15(a[ 5], b[ 2])
+ MUL15(a[ 6], b[ 1])
+ MUL15(a[ 7], b[ 0]);
t[ 8] = MUL15(a[ 0], b[ 8])
+ MUL15(a[ 1], b[ 7])
+ MUL15(a[ 2], b[ 6])
+ MUL15(a[ 3], b[ 5])
+ MUL15(a[ 4], b[ 4])
+ MUL15(a[ 5], b[ 3])
+ MUL15(a[ 6], b[ 2])
+ MUL15(a[ 7], b[ 1])
+ MUL15(a[ 8], b[ 0]);
t[ 9] = MUL15(a[ 0], b[ 9])
+ MUL15(a[ 1], b[ 8])
+ MUL15(a[ 2], b[ 7])
+ MUL15(a[ 3], b[ 6])
+ MUL15(a[ 4], b[ 5])
+ MUL15(a[ 5], b[ 4])
+ MUL15(a[ 6], b[ 3])
+ MUL15(a[ 7], b[ 2])
+ MUL15(a[ 8], b[ 1])
+ MUL15(a[ 9], b[ 0]);
t[10] = MUL15(a[ 0], b[10])
+ MUL15(a[ 1], b[ 9])
+ MUL15(a[ 2], b[ 8])
+ MUL15(a[ 3], b[ 7])
+ MUL15(a[ 4], b[ 6])
+ MUL15(a[ 5], b[ 5])
+ MUL15(a[ 6], b[ 4])
+ MUL15(a[ 7], b[ 3])
+ MUL15(a[ 8], b[ 2])
+ MUL15(a[ 9], b[ 1])
+ MUL15(a[10], b[ 0]);
t[11] = MUL15(a[ 0], b[11])
+ MUL15(a[ 1], b[10])
+ MUL15(a[ 2], b[ 9])
+ MUL15(a[ 3], b[ 8])
+ MUL15(a[ 4], b[ 7])
+ MUL15(a[ 5], b[ 6])
+ MUL15(a[ 6], b[ 5])
+ MUL15(a[ 7], b[ 4])
+ MUL15(a[ 8], b[ 3])
+ MUL15(a[ 9], b[ 2])
+ MUL15(a[10], b[ 1])
+ MUL15(a[11], b[ 0]);
t[12] = MUL15(a[ 0], b[12])
+ MUL15(a[ 1], b[11])
+ MUL15(a[ 2], b[10])
+ MUL15(a[ 3], b[ 9])
+ MUL15(a[ 4], b[ 8])
+ MUL15(a[ 5], b[ 7])
+ MUL15(a[ 6], b[ 6])
+ MUL15(a[ 7], b[ 5])
+ MUL15(a[ 8], b[ 4])
+ MUL15(a[ 9], b[ 3])
+ MUL15(a[10], b[ 2])
+ MUL15(a[11], b[ 1])
+ MUL15(a[12], b[ 0]);
t[13] = MUL15(a[ 0], b[13])
+ MUL15(a[ 1], b[12])
+ MUL15(a[ 2], b[11])
+ MUL15(a[ 3], b[10])
+ MUL15(a[ 4], b[ 9])
+ MUL15(a[ 5], b[ 8])
+ MUL15(a[ 6], b[ 7])
+ MUL15(a[ 7], b[ 6])
+ MUL15(a[ 8], b[ 5])
+ MUL15(a[ 9], b[ 4])
+ MUL15(a[10], b[ 3])
+ MUL15(a[11], b[ 2])
+ MUL15(a[12], b[ 1])
+ MUL15(a[13], b[ 0]);
t[14] = MUL15(a[ 0], b[14])
+ MUL15(a[ 1], b[13])
+ MUL15(a[ 2], b[12])
+ MUL15(a[ 3], b[11])
+ MUL15(a[ 4], b[10])
+ MUL15(a[ 5], b[ 9])
+ MUL15(a[ 6], b[ 8])
+ MUL15(a[ 7], b[ 7])
+ MUL15(a[ 8], b[ 6])
+ MUL15(a[ 9], b[ 5])
+ MUL15(a[10], b[ 4])
+ MUL15(a[11], b[ 3])
+ MUL15(a[12], b[ 2])
+ MUL15(a[13], b[ 1])
+ MUL15(a[14], b[ 0]);
t[15] = MUL15(a[ 0], b[15])
+ MUL15(a[ 1], b[14])
+ MUL15(a[ 2], b[13])
+ MUL15(a[ 3], b[12])
+ MUL15(a[ 4], b[11])
+ MUL15(a[ 5], b[10])
+ MUL15(a[ 6], b[ 9])
+ MUL15(a[ 7], b[ 8])
+ MUL15(a[ 8], b[ 7])
+ MUL15(a[ 9], b[ 6])
+ MUL15(a[10], b[ 5])
+ MUL15(a[11], b[ 4])
+ MUL15(a[12], b[ 3])
+ MUL15(a[13], b[ 2])
+ MUL15(a[14], b[ 1])
+ MUL15(a[15], b[ 0]);
t[16] = MUL15(a[ 0], b[16])
+ MUL15(a[ 1], b[15])
+ MUL15(a[ 2], b[14])
+ MUL15(a[ 3], b[13])
+ MUL15(a[ 4], b[12])
+ MUL15(a[ 5], b[11])
+ MUL15(a[ 6], b[10])
+ MUL15(a[ 7], b[ 9])
+ MUL15(a[ 8], b[ 8])
+ MUL15(a[ 9], b[ 7])
+ MUL15(a[10], b[ 6])
+ MUL15(a[11], b[ 5])
+ MUL15(a[12], b[ 4])
+ MUL15(a[13], b[ 3])
+ MUL15(a[14], b[ 2])
+ MUL15(a[15], b[ 1])
+ MUL15(a[16], b[ 0]);
t[17] = MUL15(a[ 0], b[17])
+ MUL15(a[ 1], b[16])
+ MUL15(a[ 2], b[15])
+ MUL15(a[ 3], b[14])
+ MUL15(a[ 4], b[13])
+ MUL15(a[ 5], b[12])
+ MUL15(a[ 6], b[11])
+ MUL15(a[ 7], b[10])
+ MUL15(a[ 8], b[ 9])
+ MUL15(a[ 9], b[ 8])
+ MUL15(a[10], b[ 7])
+ MUL15(a[11], b[ 6])
+ MUL15(a[12], b[ 5])
+ MUL15(a[13], b[ 4])
+ MUL15(a[14], b[ 3])
+ MUL15(a[15], b[ 2])
+ MUL15(a[16], b[ 1])
+ MUL15(a[17], b[ 0]);
t[18] = MUL15(a[ 0], b[18])
+ MUL15(a[ 1], b[17])
+ MUL15(a[ 2], b[16])
+ MUL15(a[ 3], b[15])
+ MUL15(a[ 4], b[14])
+ MUL15(a[ 5], b[13])
+ MUL15(a[ 6], b[12])
+ MUL15(a[ 7], b[11])
+ MUL15(a[ 8], b[10])
+ MUL15(a[ 9], b[ 9])
+ MUL15(a[10], b[ 8])
+ MUL15(a[11], b[ 7])
+ MUL15(a[12], b[ 6])
+ MUL15(a[13], b[ 5])
+ MUL15(a[14], b[ 4])
+ MUL15(a[15], b[ 3])
+ MUL15(a[16], b[ 2])
+ MUL15(a[17], b[ 1])
+ MUL15(a[18], b[ 0]);
t[19] = MUL15(a[ 0], b[19])
+ MUL15(a[ 1], b[18])
+ MUL15(a[ 2], b[17])
+ MUL15(a[ 3], b[16])
+ MUL15(a[ 4], b[15])
+ MUL15(a[ 5], b[14])
+ MUL15(a[ 6], b[13])
+ MUL15(a[ 7], b[12])
+ MUL15(a[ 8], b[11])
+ MUL15(a[ 9], b[10])
+ MUL15(a[10], b[ 9])
+ MUL15(a[11], b[ 8])
+ MUL15(a[12], b[ 7])
+ MUL15(a[13], b[ 6])
+ MUL15(a[14], b[ 5])
+ MUL15(a[15], b[ 4])
+ MUL15(a[16], b[ 3])
+ MUL15(a[17], b[ 2])
+ MUL15(a[18], b[ 1])
+ MUL15(a[19], b[ 0]);
t[20] = MUL15(a[ 1], b[19])
+ MUL15(a[ 2], b[18])
+ MUL15(a[ 3], b[17])
+ MUL15(a[ 4], b[16])
+ MUL15(a[ 5], b[15])
+ MUL15(a[ 6], b[14])
+ MUL15(a[ 7], b[13])
+ MUL15(a[ 8], b[12])
+ MUL15(a[ 9], b[11])
+ MUL15(a[10], b[10])
+ MUL15(a[11], b[ 9])
+ MUL15(a[12], b[ 8])
+ MUL15(a[13], b[ 7])
+ MUL15(a[14], b[ 6])
+ MUL15(a[15], b[ 5])
+ MUL15(a[16], b[ 4])
+ MUL15(a[17], b[ 3])
+ MUL15(a[18], b[ 2])
+ MUL15(a[19], b[ 1]);
t[21] = MUL15(a[ 2], b[19])
+ MUL15(a[ 3], b[18])
+ MUL15(a[ 4], b[17])
+ MUL15(a[ 5], b[16])
+ MUL15(a[ 6], b[15])
+ MUL15(a[ 7], b[14])
+ MUL15(a[ 8], b[13])
+ MUL15(a[ 9], b[12])
+ MUL15(a[10], b[11])
+ MUL15(a[11], b[10])
+ MUL15(a[12], b[ 9])
+ MUL15(a[13], b[ 8])
+ MUL15(a[14], b[ 7])
+ MUL15(a[15], b[ 6])
+ MUL15(a[16], b[ 5])
+ MUL15(a[17], b[ 4])
+ MUL15(a[18], b[ 3])
+ MUL15(a[19], b[ 2]);
t[22] = MUL15(a[ 3], b[19])
+ MUL15(a[ 4], b[18])
+ MUL15(a[ 5], b[17])
+ MUL15(a[ 6], b[16])
+ MUL15(a[ 7], b[15])
+ MUL15(a[ 8], b[14])
+ MUL15(a[ 9], b[13])
+ MUL15(a[10], b[12])
+ MUL15(a[11], b[11])
+ MUL15(a[12], b[10])
+ MUL15(a[13], b[ 9])
+ MUL15(a[14], b[ 8])
+ MUL15(a[15], b[ 7])
+ MUL15(a[16], b[ 6])
+ MUL15(a[17], b[ 5])
+ MUL15(a[18], b[ 4])
+ MUL15(a[19], b[ 3]);
t[23] = MUL15(a[ 4], b[19])
+ MUL15(a[ 5], b[18])
+ MUL15(a[ 6], b[17])
+ MUL15(a[ 7], b[16])
+ MUL15(a[ 8], b[15])
+ MUL15(a[ 9], b[14])
+ MUL15(a[10], b[13])
+ MUL15(a[11], b[12])
+ MUL15(a[12], b[11])
+ MUL15(a[13], b[10])
+ MUL15(a[14], b[ 9])
+ MUL15(a[15], b[ 8])
+ MUL15(a[16], b[ 7])
+ MUL15(a[17], b[ 6])
+ MUL15(a[18], b[ 5])
+ MUL15(a[19], b[ 4]);
t[24] = MUL15(a[ 5], b[19])
+ MUL15(a[ 6], b[18])
+ MUL15(a[ 7], b[17])
+ MUL15(a[ 8], b[16])
+ MUL15(a[ 9], b[15])
+ MUL15(a[10], b[14])
+ MUL15(a[11], b[13])
+ MUL15(a[12], b[12])
+ MUL15(a[13], b[11])
+ MUL15(a[14], b[10])
+ MUL15(a[15], b[ 9])
+ MUL15(a[16], b[ 8])
+ MUL15(a[17], b[ 7])
+ MUL15(a[18], b[ 6])
+ MUL15(a[19], b[ 5]);
t[25] = MUL15(a[ 6], b[19])
+ MUL15(a[ 7], b[18])
+ MUL15(a[ 8], b[17])
+ MUL15(a[ 9], b[16])
+ MUL15(a[10], b[15])
+ MUL15(a[11], b[14])
+ MUL15(a[12], b[13])
+ MUL15(a[13], b[12])
+ MUL15(a[14], b[11])
+ MUL15(a[15], b[10])
+ MUL15(a[16], b[ 9])
+ MUL15(a[17], b[ 8])
+ MUL15(a[18], b[ 7])
+ MUL15(a[19], b[ 6]);
t[26] = MUL15(a[ 7], b[19])
+ MUL15(a[ 8], b[18])
+ MUL15(a[ 9], b[17])
+ MUL15(a[10], b[16])
+ MUL15(a[11], b[15])
+ MUL15(a[12], b[14])
+ MUL15(a[13], b[13])
+ MUL15(a[14], b[12])
+ MUL15(a[15], b[11])
+ MUL15(a[16], b[10])
+ MUL15(a[17], b[ 9])
+ MUL15(a[18], b[ 8])
+ MUL15(a[19], b[ 7]);
t[27] = MUL15(a[ 8], b[19])
+ MUL15(a[ 9], b[18])
+ MUL15(a[10], b[17])
+ MUL15(a[11], b[16])
+ MUL15(a[12], b[15])
+ MUL15(a[13], b[14])
+ MUL15(a[14], b[13])
+ MUL15(a[15], b[12])
+ MUL15(a[16], b[11])
+ MUL15(a[17], b[10])
+ MUL15(a[18], b[ 9])
+ MUL15(a[19], b[ 8]);
t[28] = MUL15(a[ 9], b[19])
+ MUL15(a[10], b[18])
+ MUL15(a[11], b[17])
+ MUL15(a[12], b[16])
+ MUL15(a[13], b[15])
+ MUL15(a[14], b[14])
+ MUL15(a[15], b[13])
+ MUL15(a[16], b[12])
+ MUL15(a[17], b[11])
+ MUL15(a[18], b[10])
+ MUL15(a[19], b[ 9]);
t[29] = MUL15(a[10], b[19])
+ MUL15(a[11], b[18])
+ MUL15(a[12], b[17])
+ MUL15(a[13], b[16])
+ MUL15(a[14], b[15])
+ MUL15(a[15], b[14])
+ MUL15(a[16], b[13])
+ MUL15(a[17], b[12])
+ MUL15(a[18], b[11])
+ MUL15(a[19], b[10]);
t[30] = MUL15(a[11], b[19])
+ MUL15(a[12], b[18])
+ MUL15(a[13], b[17])
+ MUL15(a[14], b[16])
+ MUL15(a[15], b[15])
+ MUL15(a[16], b[14])
+ MUL15(a[17], b[13])
+ MUL15(a[18], b[12])
+ MUL15(a[19], b[11]);
t[31] = MUL15(a[12], b[19])
+ MUL15(a[13], b[18])
+ MUL15(a[14], b[17])
+ MUL15(a[15], b[16])
+ MUL15(a[16], b[15])
+ MUL15(a[17], b[14])
+ MUL15(a[18], b[13])
+ MUL15(a[19], b[12]);
t[32] = MUL15(a[13], b[19])
+ MUL15(a[14], b[18])
+ MUL15(a[15], b[17])
+ MUL15(a[16], b[16])
+ MUL15(a[17], b[15])
+ MUL15(a[18], b[14])
+ MUL15(a[19], b[13]);
t[33] = MUL15(a[14], b[19])
+ MUL15(a[15], b[18])
+ MUL15(a[16], b[17])
+ MUL15(a[17], b[16])
+ MUL15(a[18], b[15])
+ MUL15(a[19], b[14]);
t[34] = MUL15(a[15], b[19])
+ MUL15(a[16], b[18])
+ MUL15(a[17], b[17])
+ MUL15(a[18], b[16])
+ MUL15(a[19], b[15]);
t[35] = MUL15(a[16], b[19])
+ MUL15(a[17], b[18])
+ MUL15(a[18], b[17])
+ MUL15(a[19], b[16]);
t[36] = MUL15(a[17], b[19])
+ MUL15(a[18], b[18])
+ MUL15(a[19], b[17]);
t[37] = MUL15(a[18], b[19])
+ MUL15(a[19], b[18]);
t[38] = MUL15(a[19], b[19]);
d[39] = norm13(d, t, 39);
}
static void
square20(uint32_t *d, const uint32_t *a)
{
uint32_t t[39];
t[ 0] = MUL15(a[ 0], a[ 0]);
t[ 1] = ((MUL15(a[ 0], a[ 1])) << 1);
t[ 2] = MUL15(a[ 1], a[ 1])
+ ((MUL15(a[ 0], a[ 2])) << 1);
t[ 3] = ((MUL15(a[ 0], a[ 3])
+ MUL15(a[ 1], a[ 2])) << 1);
t[ 4] = MUL15(a[ 2], a[ 2])
+ ((MUL15(a[ 0], a[ 4])
+ MUL15(a[ 1], a[ 3])) << 1);
t[ 5] = ((MUL15(a[ 0], a[ 5])
+ MUL15(a[ 1], a[ 4])
+ MUL15(a[ 2], a[ 3])) << 1);
t[ 6] = MUL15(a[ 3], a[ 3])
+ ((MUL15(a[ 0], a[ 6])
+ MUL15(a[ 1], a[ 5])
+ MUL15(a[ 2], a[ 4])) << 1);
t[ 7] = ((MUL15(a[ 0], a[ 7])
+ MUL15(a[ 1], a[ 6])
+ MUL15(a[ 2], a[ 5])
+ MUL15(a[ 3], a[ 4])) << 1);
t[ 8] = MUL15(a[ 4], a[ 4])
+ ((MUL15(a[ 0], a[ 8])
+ MUL15(a[ 1], a[ 7])
+ MUL15(a[ 2], a[ 6])
+ MUL15(a[ 3], a[ 5])) << 1);
t[ 9] = ((MUL15(a[ 0], a[ 9])
+ MUL15(a[ 1], a[ 8])
+ MUL15(a[ 2], a[ 7])
+ MUL15(a[ 3], a[ 6])
+ MUL15(a[ 4], a[ 5])) << 1);
t[10] = MUL15(a[ 5], a[ 5])
+ ((MUL15(a[ 0], a[10])
+ MUL15(a[ 1], a[ 9])
+ MUL15(a[ 2], a[ 8])
+ MUL15(a[ 3], a[ 7])
+ MUL15(a[ 4], a[ 6])) << 1);
t[11] = ((MUL15(a[ 0], a[11])
+ MUL15(a[ 1], a[10])
+ MUL15(a[ 2], a[ 9])
+ MUL15(a[ 3], a[ 8])
+ MUL15(a[ 4], a[ 7])
+ MUL15(a[ 5], a[ 6])) << 1);
t[12] = MUL15(a[ 6], a[ 6])
+ ((MUL15(a[ 0], a[12])
+ MUL15(a[ 1], a[11])
+ MUL15(a[ 2], a[10])
+ MUL15(a[ 3], a[ 9])
+ MUL15(a[ 4], a[ 8])
+ MUL15(a[ 5], a[ 7])) << 1);
t[13] = ((MUL15(a[ 0], a[13])
+ MUL15(a[ 1], a[12])
+ MUL15(a[ 2], a[11])
+ MUL15(a[ 3], a[10])
+ MUL15(a[ 4], a[ 9])
+ MUL15(a[ 5], a[ 8])
+ MUL15(a[ 6], a[ 7])) << 1);
t[14] = MUL15(a[ 7], a[ 7])
+ ((MUL15(a[ 0], a[14])
+ MUL15(a[ 1], a[13])
+ MUL15(a[ 2], a[12])
+ MUL15(a[ 3], a[11])
+ MUL15(a[ 4], a[10])
+ MUL15(a[ 5], a[ 9])
+ MUL15(a[ 6], a[ 8])) << 1);
t[15] = ((MUL15(a[ 0], a[15])
+ MUL15(a[ 1], a[14])
+ MUL15(a[ 2], a[13])
+ MUL15(a[ 3], a[12])
+ MUL15(a[ 4], a[11])
+ MUL15(a[ 5], a[10])
+ MUL15(a[ 6], a[ 9])
+ MUL15(a[ 7], a[ 8])) << 1);
t[16] = MUL15(a[ 8], a[ 8])
+ ((MUL15(a[ 0], a[16])
+ MUL15(a[ 1], a[15])
+ MUL15(a[ 2], a[14])
+ MUL15(a[ 3], a[13])
+ MUL15(a[ 4], a[12])
+ MUL15(a[ 5], a[11])
+ MUL15(a[ 6], a[10])
+ MUL15(a[ 7], a[ 9])) << 1);
t[17] = ((MUL15(a[ 0], a[17])
+ MUL15(a[ 1], a[16])
+ MUL15(a[ 2], a[15])
+ MUL15(a[ 3], a[14])
+ MUL15(a[ 4], a[13])
+ MUL15(a[ 5], a[12])
+ MUL15(a[ 6], a[11])
+ MUL15(a[ 7], a[10])
+ MUL15(a[ 8], a[ 9])) << 1);
t[18] = MUL15(a[ 9], a[ 9])
+ ((MUL15(a[ 0], a[18])
+ MUL15(a[ 1], a[17])
+ MUL15(a[ 2], a[16])
+ MUL15(a[ 3], a[15])
+ MUL15(a[ 4], a[14])
+ MUL15(a[ 5], a[13])
+ MUL15(a[ 6], a[12])
+ MUL15(a[ 7], a[11])
+ MUL15(a[ 8], a[10])) << 1);
t[19] = ((MUL15(a[ 0], a[19])
+ MUL15(a[ 1], a[18])
+ MUL15(a[ 2], a[17])
+ MUL15(a[ 3], a[16])
+ MUL15(a[ 4], a[15])
+ MUL15(a[ 5], a[14])
+ MUL15(a[ 6], a[13])
+ MUL15(a[ 7], a[12])
+ MUL15(a[ 8], a[11])
+ MUL15(a[ 9], a[10])) << 1);
t[20] = MUL15(a[10], a[10])
+ ((MUL15(a[ 1], a[19])
+ MUL15(a[ 2], a[18])
+ MUL15(a[ 3], a[17])
+ MUL15(a[ 4], a[16])
+ MUL15(a[ 5], a[15])
+ MUL15(a[ 6], a[14])
+ MUL15(a[ 7], a[13])
+ MUL15(a[ 8], a[12])
+ MUL15(a[ 9], a[11])) << 1);
t[21] = ((MUL15(a[ 2], a[19])
+ MUL15(a[ 3], a[18])
+ MUL15(a[ 4], a[17])
+ MUL15(a[ 5], a[16])
+ MUL15(a[ 6], a[15])
+ MUL15(a[ 7], a[14])
+ MUL15(a[ 8], a[13])
+ MUL15(a[ 9], a[12])
+ MUL15(a[10], a[11])) << 1);
t[22] = MUL15(a[11], a[11])
+ ((MUL15(a[ 3], a[19])
+ MUL15(a[ 4], a[18])
+ MUL15(a[ 5], a[17])
+ MUL15(a[ 6], a[16])
+ MUL15(a[ 7], a[15])
+ MUL15(a[ 8], a[14])
+ MUL15(a[ 9], a[13])
+ MUL15(a[10], a[12])) << 1);
t[23] = ((MUL15(a[ 4], a[19])
+ MUL15(a[ 5], a[18])
+ MUL15(a[ 6], a[17])
+ MUL15(a[ 7], a[16])
+ MUL15(a[ 8], a[15])
+ MUL15(a[ 9], a[14])
+ MUL15(a[10], a[13])
+ MUL15(a[11], a[12])) << 1);
t[24] = MUL15(a[12], a[12])
+ ((MUL15(a[ 5], a[19])
+ MUL15(a[ 6], a[18])
+ MUL15(a[ 7], a[17])
+ MUL15(a[ 8], a[16])
+ MUL15(a[ 9], a[15])
+ MUL15(a[10], a[14])
+ MUL15(a[11], a[13])) << 1);
t[25] = ((MUL15(a[ 6], a[19])
+ MUL15(a[ 7], a[18])
+ MUL15(a[ 8], a[17])
+ MUL15(a[ 9], a[16])
+ MUL15(a[10], a[15])
+ MUL15(a[11], a[14])
+ MUL15(a[12], a[13])) << 1);
t[26] = MUL15(a[13], a[13])
+ ((MUL15(a[ 7], a[19])
+ MUL15(a[ 8], a[18])
+ MUL15(a[ 9], a[17])
+ MUL15(a[10], a[16])
+ MUL15(a[11], a[15])
+ MUL15(a[12], a[14])) << 1);
t[27] = ((MUL15(a[ 8], a[19])
+ MUL15(a[ 9], a[18])
+ MUL15(a[10], a[17])
+ MUL15(a[11], a[16])
+ MUL15(a[12], a[15])
+ MUL15(a[13], a[14])) << 1);
t[28] = MUL15(a[14], a[14])
+ ((MUL15(a[ 9], a[19])
+ MUL15(a[10], a[18])
+ MUL15(a[11], a[17])
+ MUL15(a[12], a[16])
+ MUL15(a[13], a[15])) << 1);
t[29] = ((MUL15(a[10], a[19])
+ MUL15(a[11], a[18])
+ MUL15(a[12], a[17])
+ MUL15(a[13], a[16])
+ MUL15(a[14], a[15])) << 1);
t[30] = MUL15(a[15], a[15])
+ ((MUL15(a[11], a[19])
+ MUL15(a[12], a[18])
+ MUL15(a[13], a[17])
+ MUL15(a[14], a[16])) << 1);
t[31] = ((MUL15(a[12], a[19])
+ MUL15(a[13], a[18])
+ MUL15(a[14], a[17])
+ MUL15(a[15], a[16])) << 1);
t[32] = MUL15(a[16], a[16])
+ ((MUL15(a[13], a[19])
+ MUL15(a[14], a[18])
+ MUL15(a[15], a[17])) << 1);
t[33] = ((MUL15(a[14], a[19])
+ MUL15(a[15], a[18])
+ MUL15(a[16], a[17])) << 1);
t[34] = MUL15(a[17], a[17])
+ ((MUL15(a[15], a[19])
+ MUL15(a[16], a[18])) << 1);
t[35] = ((MUL15(a[16], a[19])
+ MUL15(a[17], a[18])) << 1);
t[36] = MUL15(a[18], a[18])
+ ((MUL15(a[17], a[19])) << 1);
t[37] = ((MUL15(a[18], a[19])) << 1);
t[38] = MUL15(a[19], a[19]);
d[39] = norm13(d, t, 39);
}
#endif
/*
* Modulus for field F256 (field for point coordinates in curve P-256).
*/
static const uint32_t F256[] = {
0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x001F,
0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0400, 0x0000,
0x0000, 0x1FF8, 0x1FFF, 0x01FF
};
/*
* The 'b' curve equation coefficient for P-256.
*/
static const uint32_t P256_B[] = {
0x004B, 0x1E93, 0x0F89, 0x1C78, 0x03BC, 0x187B, 0x114E, 0x1619,
0x1D06, 0x0328, 0x01AF, 0x0D31, 0x1557, 0x15DE, 0x1ECF, 0x127C,
0x0A3A, 0x0EC5, 0x118D, 0x00B5
};
/*
* Perform a "short reduction" in field F256 (field for curve P-256).
* The source value should be less than 262 bits; on output, it will
* be at most 257 bits, and less than twice the modulus.
*/
static void
reduce_f256(uint32_t *d)
{
uint32_t x;
x = d[19] >> 9;
d[19] &= 0x01FF;
d[17] += x << 3;
d[14] -= x << 10;
d[7] -= x << 5;
d[0] += x;
norm13(d, d, 20);
}
/*
* Perform a "final reduction" in field F256 (field for curve P-256).
* The source value must be less than twice the modulus. If the value
* is not lower than the modulus, then the modulus is subtracted and
* this function returns 1; otherwise, it leaves it untouched and it
* returns 0.
*/
static uint32_t
reduce_final_f256(uint32_t *d)
{
uint32_t t[20];
uint32_t cc;
int i;
memcpy(t, d, sizeof t);
cc = 0;
for (i = 0; i < 20; i ++) {
uint32_t w;
w = t[i] - F256[i] - cc;
cc = w >> 31;
t[i] = w & 0x1FFF;
}
cc ^= 1;
CCOPY(cc, d, t, sizeof t);
return cc;
}
/*
* Perform a multiplication of two integers modulo
* 2^256-2^224+2^192+2^96-1 (for NIST curve P-256). Operands are arrays
* of 20 words, each containing 13 bits of data, in little-endian order.
* On input, upper word may be up to 13 bits (hence value up to 2^260-1);
* on output, value fits on 257 bits and is lower than twice the modulus.
*/
static void
mul_f256(uint32_t *d, const uint32_t *a, const uint32_t *b)
{
uint32_t t[40], cc;
int i;
/*
* Compute raw multiplication. All result words fit in 13 bits
* each.
*/
mul20(t, a, b);
/*
* Modular reduction: each high word in added/subtracted where
* necessary.
*
* The modulus is:
* p = 2^256 - 2^224 + 2^192 + 2^96 - 1
* Therefore:
* 2^256 = 2^224 - 2^192 - 2^96 + 1 mod p
*
* For a word x at bit offset n (n >= 256), we have:
* x*2^n = x*2^(n-32) - x*2^(n-64)
* - x*2^(n - 160) + x*2^(n-256) mod p
*
* Thus, we can nullify the high word if we reinject it at some
* proper emplacements.
*/
for (i = 39; i >= 20; i --) {
uint32_t x;
x = t[i];
t[i - 2] += ARSH(x, 6);
t[i - 3] += (x << 7) & 0x1FFF;
t[i - 4] -= ARSH(x, 12);
t[i - 5] -= (x << 1) & 0x1FFF;
t[i - 12] -= ARSH(x, 4);
t[i - 13] -= (x << 9) & 0x1FFF;
t[i - 19] += ARSH(x, 9);
t[i - 20] += (x << 4) & 0x1FFF;
}
/*
* Propagate carries. This is a signed propagation, and the
* result may be negative. The loop above may enlarge values,
* but not two much: worst case is the chain involving t[i - 3],
* in which a value may be added to itself up to 7 times. Since
* starting values are 13-bit each, all words fit on 20 bits
* (21 to account for the sign bit).
*/
cc = norm13(t, t, 20);
/*
* Perform modular reduction again for the bits beyond 256 (the carry
* and the bits 256..259). Since the largest shift below is by 10
* bits, and the values fit on 21 bits, values fit in 32-bit words,
* thereby allowing injecting full word values.
*/
cc = (cc << 4) | (t[19] >> 9);
t[19] &= 0x01FF;
t[17] += cc << 3;
t[14] -= cc << 10;
t[7] -= cc << 5;
t[0] += cc;
/*
* If the carry is negative, then after carry propagation, we may
* end up with a value which is negative, and we don't want that.
* Thus, in that case, we add the modulus. Note that the subtraction
* result, when the carry is negative, is always smaller than the
* modulus, so the extra addition will not make the value exceed
* twice the modulus.
*/
cc >>= 31;
t[0] -= cc;
t[7] += cc << 5;
t[14] += cc << 10;
t[17] -= cc << 3;
t[19] += cc << 9;
norm13(d, t, 20);
}
/*
* Square an integer modulo 2^256-2^224+2^192+2^96-1 (for NIST curve
* P-256). Operand is an array of 20 words, each containing 13 bits of
* data, in little-endian order. On input, upper word may be up to 13
* bits (hence value up to 2^260-1); on output, value fits on 257 bits
* and is lower than twice the modulus.
*/
static void
square_f256(uint32_t *d, const uint32_t *a)
{
uint32_t t[40], cc;
int i;
/*
* Compute raw square. All result words fit in 13 bits each.
*/
square20(t, a);
/*
* Modular reduction: each high word in added/subtracted where
* necessary.
*
* The modulus is:
* p = 2^256 - 2^224 + 2^192 + 2^96 - 1
* Therefore:
* 2^256 = 2^224 - 2^192 - 2^96 + 1 mod p
*
* For a word x at bit offset n (n >= 256), we have:
* x*2^n = x*2^(n-32) - x*2^(n-64)
* - x*2^(n - 160) + x*2^(n-256) mod p
*
* Thus, we can nullify the high word if we reinject it at some
* proper emplacements.
*/
for (i = 39; i >= 20; i --) {
uint32_t x;
x = t[i];
t[i - 2] += ARSH(x, 6);
t[i - 3] += (x << 7) & 0x1FFF;
t[i - 4] -= ARSH(x, 12);
t[i - 5] -= (x << 1) & 0x1FFF;
t[i - 12] -= ARSH(x, 4);
t[i - 13] -= (x << 9) & 0x1FFF;
t[i - 19] += ARSH(x, 9);
t[i - 20] += (x << 4) & 0x1FFF;
}
/*
* Propagate carries. This is a signed propagation, and the
* result may be negative. The loop above may enlarge values,
* but not two much: worst case is the chain involving t[i - 3],
* in which a value may be added to itself up to 7 times. Since
* starting values are 13-bit each, all words fit on 20 bits
* (21 to account for the sign bit).
*/
cc = norm13(t, t, 20);
/*
* Perform modular reduction again for the bits beyond 256 (the carry
* and the bits 256..259). Since the largest shift below is by 10
* bits, and the values fit on 21 bits, values fit in 32-bit words,
* thereby allowing injecting full word values.
*/
cc = (cc << 4) | (t[19] >> 9);
t[19] &= 0x01FF;
t[17] += cc << 3;
t[14] -= cc << 10;
t[7] -= cc << 5;
t[0] += cc;
/*
* If the carry is negative, then after carry propagation, we may
* end up with a value which is negative, and we don't want that.
* Thus, in that case, we add the modulus. Note that the subtraction
* result, when the carry is negative, is always smaller than the
* modulus, so the extra addition will not make the value exceed
* twice the modulus.
*/
cc >>= 31;
t[0] -= cc;
t[7] += cc << 5;
t[14] += cc << 10;
t[17] -= cc << 3;
t[19] += cc << 9;
norm13(d, t, 20);
}
/*
* Jacobian coordinates for a point in P-256: affine coordinates (X,Y)
* are such that:
* X = x / z^2
* Y = y / z^3
* For the point at infinity, z = 0.
* Each point thus admits many possible representations.
*
* Coordinates are represented in arrays of 32-bit integers, each holding
* 13 bits of data. Values may also be slightly greater than the modulus,
* but they will always be lower than twice the modulus.
*/
typedef struct {
uint32_t x[20];
uint32_t y[20];
uint32_t z[20];
} p256_jacobian;
/*
* Convert a point to affine coordinates:
* - If the point is the point at infinity, then all three coordinates
* are set to 0.
* - Otherwise, the 'z' coordinate is set to 1, and the 'x' and 'y'
* coordinates are the 'X' and 'Y' affine coordinates.
* The coordinates are guaranteed to be lower than the modulus.
*/
static void
p256_to_affine(p256_jacobian *P)
{
uint32_t t1[20], t2[20];
int i;
/*
* Invert z with a modular exponentiation: the modulus is
* p = 2^256 - 2^224 + 2^192 + 2^96 - 1, and the exponent is
* p-2. Exponent bit pattern (from high to low) is:
* - 32 bits of value 1
* - 31 bits of value 0
* - 1 bit of value 1
* - 96 bits of value 0
* - 94 bits of value 1
* - 1 bit of value 0
* - 1 bit of value 1
* Thus, we precompute z^(2^31-1) to speed things up.
*
* If z = 0 (point at infinity) then the modular exponentiation
* will yield 0, which leads to the expected result (all three
* coordinates set to 0).
*/
/*
* A simple square-and-multiply for z^(2^31-1). We could save about
* two dozen multiplications here with an addition chain, but
* this would require a bit more code, and extra stack buffers.
*/
memcpy(t1, P->z, sizeof P->z);
for (i = 0; i < 30; i ++) {
square_f256(t1, t1);
mul_f256(t1, t1, P->z);
}
/*
* Square-and-multiply. Apart from the squarings, we have a few
* multiplications to set bits to 1; we multiply by the original z
* for setting 1 bit, and by t1 for setting 31 bits.
*/
memcpy(t2, P->z, sizeof P->z);
for (i = 1; i < 256; i ++) {
square_f256(t2, t2);
switch (i) {
case 31:
case 190:
case 221:
case 252:
mul_f256(t2, t2, t1);
break;
case 63:
case 253:
case 255:
mul_f256(t2, t2, P->z);
break;
}
}
/*
* Now that we have 1/z, multiply x by 1/z^2 and y by 1/z^3.
*/
mul_f256(t1, t2, t2);
mul_f256(P->x, t1, P->x);
mul_f256(t1, t1, t2);
mul_f256(P->y, t1, P->y);
reduce_final_f256(P->x);
reduce_final_f256(P->y);
/*
* Multiply z by 1/z. If z = 0, then this will yield 0, otherwise
* this will set z to 1.
*/
mul_f256(P->z, P->z, t2);
reduce_final_f256(P->z);
}
/*
* Double a point in P-256. This function works for all valid points,
* including the point at infinity.
*/
static void
p256_double(p256_jacobian *Q)
{
/*
* Doubling formulas are:
*
* s = 4*x*y^2
* m = 3*(x + z^2)*(x - z^2)
* x' = m^2 - 2*s
* y' = m*(s - x') - 8*y^4
* z' = 2*y*z
*
* These formulas work for all points, including points of order 2
* and points at infinity:
* - If y = 0 then z' = 0. But there is no such point in P-256
* anyway.
* - If z = 0 then z' = 0.
*/
uint32_t t1[20], t2[20], t3[20], t4[20];
int i;
/*
* Compute z^2 in t1.
*/
square_f256(t1, Q->z);
/*
* Compute x-z^2 in t2 and x+z^2 in t1.
*/
for (i = 0; i < 20; i ++) {
t2[i] = (F256[i] << 1) + Q->x[i] - t1[i];
t1[i] += Q->x[i];
}
norm13(t1, t1, 20);
norm13(t2, t2, 20);
/*
* Compute 3*(x+z^2)*(x-z^2) in t1.
*/
mul_f256(t3, t1, t2);
for (i = 0; i < 20; i ++) {
t1[i] = MUL15(3, t3[i]);
}
norm13(t1, t1, 20);
/*
* Compute 4*x*y^2 (in t2) and 2*y^2 (in t3).
*/
square_f256(t3, Q->y);
for (i = 0; i < 20; i ++) {
t3[i] <<= 1;
}
norm13(t3, t3, 20);
mul_f256(t2, Q->x, t3);
for (i = 0; i < 20; i ++) {
t2[i] <<= 1;
}
norm13(t2, t2, 20);
reduce_f256(t2);
/*
* Compute x' = m^2 - 2*s.
*/
square_f256(Q->x, t1);
for (i = 0; i < 20; i ++) {
Q->x[i] += (F256[i] << 2) - (t2[i] << 1);
}
norm13(Q->x, Q->x, 20);
reduce_f256(Q->x);
/*
* Compute z' = 2*y*z.
*/
mul_f256(t4, Q->y, Q->z);
for (i = 0; i < 20; i ++) {
Q->z[i] = t4[i] << 1;
}
norm13(Q->z, Q->z, 20);
reduce_f256(Q->z);
/*
* Compute y' = m*(s - x') - 8*y^4. Note that we already have
* 2*y^2 in t3.
*/
for (i = 0; i < 20; i ++) {
t2[i] += (F256[i] << 1) - Q->x[i];
}
norm13(t2, t2, 20);
mul_f256(Q->y, t1, t2);
square_f256(t4, t3);
for (i = 0; i < 20; i ++) {
Q->y[i] += (F256[i] << 2) - (t4[i] << 1);
}
norm13(Q->y, Q->y, 20);
reduce_f256(Q->y);
}
/*
* Add point P2 to point P1.
*
* This function computes the wrong result in the following cases:
*
* - If P1 == 0 but P2 != 0
* - If P1 != 0 but P2 == 0
* - If P1 == P2
*
* In all three cases, P1 is set to the point at infinity.
*
* Returned value is 0 if one of the following occurs:
*
* - P1 and P2 have the same Y coordinate
* - P1 == 0 and P2 == 0
* - The Y coordinate of one of the points is 0 and the other point is
* the point at infinity.
*
* The third case cannot actually happen with valid points, since a point
* with Y == 0 is a point of order 2, and there is no point of order 2 on
* curve P-256.
*
* Therefore, assuming that P1 != 0 and P2 != 0 on input, then the caller
* can apply the following:
*
* - If the result is not the point at infinity, then it is correct.
* - Otherwise, if the returned value is 1, then this is a case of
* P1+P2 == 0, so the result is indeed the point at infinity.
* - Otherwise, P1 == P2, so a "double" operation should have been
* performed.
*/
static uint32_t
p256_add(p256_jacobian *P1, const p256_jacobian *P2)
{
/*
* Addtions formulas are:
*
* u1 = x1 * z2^2
* u2 = x2 * z1^2
* s1 = y1 * z2^3
* s2 = y2 * z1^3
* h = u2 - u1
* r = s2 - s1
* x3 = r^2 - h^3 - 2 * u1 * h^2
* y3 = r * (u1 * h^2 - x3) - s1 * h^3
* z3 = h * z1 * z2
*/
uint32_t t1[20], t2[20], t3[20], t4[20], t5[20], t6[20], t7[20];
uint32_t ret;
int i;
/*
* Compute u1 = x1*z2^2 (in t1) and s1 = y1*z2^3 (in t3).
*/
square_f256(t3, P2->z);
mul_f256(t1, P1->x, t3);
mul_f256(t4, P2->z, t3);
mul_f256(t3, P1->y, t4);
/*
* Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
*/
square_f256(t4, P1->z);
mul_f256(t2, P2->x, t4);
mul_f256(t5, P1->z, t4);
mul_f256(t4, P2->y, t5);
/*
* Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
* We need to test whether r is zero, so we will do some extra
* reduce.
*/
for (i = 0; i < 20; i ++) {
t2[i] += (F256[i] << 1) - t1[i];
t4[i] += (F256[i] << 1) - t3[i];
}
norm13(t2, t2, 20);
norm13(t4, t4, 20);
reduce_f256(t4);
reduce_final_f256(t4);
ret = 0;
for (i = 0; i < 20; i ++) {
ret |= t4[i];
}
ret = (ret | -ret) >> 31;
/*
* Compute u1*h^2 (in t6) and h^3 (in t5);
*/
square_f256(t7, t2);
mul_f256(t6, t1, t7);
mul_f256(t5, t7, t2);
/*
* Compute x3 = r^2 - h^3 - 2*u1*h^2.
*/
square_f256(P1->x, t4);
for (i = 0; i < 20; i ++) {
P1->x[i] += (F256[i] << 3) - t5[i] - (t6[i] << 1);
}
norm13(P1->x, P1->x, 20);
reduce_f256(P1->x);
/*
* Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
*/
for (i = 0; i < 20; i ++) {
t6[i] += (F256[i] << 1) - P1->x[i];
}
norm13(t6, t6, 20);
mul_f256(P1->y, t4, t6);
mul_f256(t1, t5, t3);
for (i = 0; i < 20; i ++) {
P1->y[i] += (F256[i] << 1) - t1[i];
}
norm13(P1->y, P1->y, 20);
reduce_f256(P1->y);
/*
* Compute z3 = h*z1*z2.
*/
mul_f256(t1, P1->z, P2->z);
mul_f256(P1->z, t1, t2);
return ret;
}
/*
* Add point P2 to point P1. This is a specialised function for the
* case when P2 is a non-zero point in affine coordinate.
*
* This function computes the wrong result in the following cases:
*
* - If P1 == 0
* - If P1 == P2
*
* In both cases, P1 is set to the point at infinity.
*
* Returned value is 0 if one of the following occurs:
*
* - P1 and P2 have the same Y coordinate
* - The Y coordinate of P2 is 0 and P1 is the point at infinity.
*
* The second case cannot actually happen with valid points, since a point
* with Y == 0 is a point of order 2, and there is no point of order 2 on
* curve P-256.
*
* Therefore, assuming that P1 != 0 on input, then the caller
* can apply the following:
*
* - If the result is not the point at infinity, then it is correct.
* - Otherwise, if the returned value is 1, then this is a case of
* P1+P2 == 0, so the result is indeed the point at infinity.
* - Otherwise, P1 == P2, so a "double" operation should have been
* performed.
*/
static uint32_t
p256_add_mixed(p256_jacobian *P1, const p256_jacobian *P2)
{
/*
* Addtions formulas are:
*
* u1 = x1
* u2 = x2 * z1^2
* s1 = y1
* s2 = y2 * z1^3
* h = u2 - u1
* r = s2 - s1
* x3 = r^2 - h^3 - 2 * u1 * h^2
* y3 = r * (u1 * h^2 - x3) - s1 * h^3
* z3 = h * z1
*/
uint32_t t1[20], t2[20], t3[20], t4[20], t5[20], t6[20], t7[20];
uint32_t ret;
int i;
/*
* Compute u1 = x1 (in t1) and s1 = y1 (in t3).
*/
memcpy(t1, P1->x, sizeof t1);
memcpy(t3, P1->y, sizeof t3);
/*
* Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
*/
square_f256(t4, P1->z);
mul_f256(t2, P2->x, t4);
mul_f256(t5, P1->z, t4);
mul_f256(t4, P2->y, t5);
/*
* Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
* We need to test whether r is zero, so we will do some extra
* reduce.
*/
for (i = 0; i < 20; i ++) {
t2[i] += (F256[i] << 1) - t1[i];
t4[i] += (F256[i] << 1) - t3[i];
}
norm13(t2, t2, 20);
norm13(t4, t4, 20);
reduce_f256(t4);
reduce_final_f256(t4);
ret = 0;
for (i = 0; i < 20; i ++) {
ret |= t4[i];
}
ret = (ret | -ret) >> 31;
/*
* Compute u1*h^2 (in t6) and h^3 (in t5);
*/
square_f256(t7, t2);
mul_f256(t6, t1, t7);
mul_f256(t5, t7, t2);
/*
* Compute x3 = r^2 - h^3 - 2*u1*h^2.
*/
square_f256(P1->x, t4);
for (i = 0; i < 20; i ++) {
P1->x[i] += (F256[i] << 3) - t5[i] - (t6[i] << 1);
}
norm13(P1->x, P1->x, 20);
reduce_f256(P1->x);
/*
* Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
*/
for (i = 0; i < 20; i ++) {
t6[i] += (F256[i] << 1) - P1->x[i];
}
norm13(t6, t6, 20);
mul_f256(P1->y, t4, t6);
mul_f256(t1, t5, t3);
for (i = 0; i < 20; i ++) {
P1->y[i] += (F256[i] << 1) - t1[i];
}
norm13(P1->y, P1->y, 20);
reduce_f256(P1->y);
/*
* Compute z3 = h*z1*z2.
*/
mul_f256(P1->z, P1->z, t2);
return ret;
}
/*
* Decode a P-256 point. This function does not support the point at
* infinity. Returned value is 0 if the point is invalid, 1 otherwise.
*/
static uint32_t
p256_decode(p256_jacobian *P, const void *src, size_t len)
{
const unsigned char *buf;
uint32_t tx[20], ty[20], t1[20], t2[20];
uint32_t bad;
int i;
if (len != 65) {
return 0;
}
buf = src;
/*
* First byte must be 0x04 (uncompressed format). We could support
* "hybrid format" (first byte is 0x06 or 0x07, and encodes the
* least significant bit of the Y coordinate), but it is explicitly
* forbidden by RFC 5480 (section 2.2).
*/
bad = NEQ(buf[0], 0x04);
/*
* Decode the coordinates, and check that they are both lower
* than the modulus.
*/
tx[19] = be8_to_le13(tx, buf + 1, 32);
ty[19] = be8_to_le13(ty, buf + 33, 32);
bad |= reduce_final_f256(tx);
bad |= reduce_final_f256(ty);
/*
* Check curve equation.
*/
square_f256(t1, tx);
mul_f256(t1, tx, t1);
square_f256(t2, ty);
for (i = 0; i < 20; i ++) {
t1[i] += (F256[i] << 3) - MUL15(3, tx[i]) + P256_B[i] - t2[i];
}
norm13(t1, t1, 20);
reduce_f256(t1);
reduce_final_f256(t1);
for (i = 0; i < 20; i ++) {
bad |= t1[i];
}
/*
* Copy coordinates to the point structure.
*/
memcpy(P->x, tx, sizeof tx);
memcpy(P->y, ty, sizeof ty);
memset(P->z, 0, sizeof P->z);
P->z[0] = 1;
return EQ(bad, 0);
}
/*
* Encode a point into a buffer. This function assumes that the point is
* valid, in affine coordinates, and not the point at infinity.
*/
static void
p256_encode(void *dst, const p256_jacobian *P)
{
unsigned char *buf;
buf = dst;
buf[0] = 0x04;
le13_to_be8(buf + 1, 32, P->x);
le13_to_be8(buf + 33, 32, P->y);
}
/*
* Multiply a curve point by an integer. The integer is assumed to be
* lower than the curve order, and the base point must not be the point
* at infinity.
*/
static void
p256_mul(p256_jacobian *P, const unsigned char *x, size_t xlen)
{
/*
* qz is a flag that is initially 1, and remains equal to 1
* as long as the point is the point at infinity.
*
* We use a 2-bit window to handle multiplier bits by pairs.
* The precomputed window really is the points P2 and P3.
*/
uint32_t qz;
p256_jacobian P2, P3, Q, T, U;
/*
* Compute window values.
*/
P2 = *P;
p256_double(&P2);
P3 = *P;
p256_add(&P3, &P2);
/*
* We start with Q = 0. We process multiplier bits 2 by 2.
*/
memset(&Q, 0, sizeof Q);
qz = 1;
while (xlen -- > 0) {
int k;
for (k = 6; k >= 0; k -= 2) {
uint32_t bits;
uint32_t bnz;
p256_double(&Q);
p256_double(&Q);
T = *P;
U = Q;
bits = (*x >> k) & (uint32_t)3;
bnz = NEQ(bits, 0);
CCOPY(EQ(bits, 2), &T, &P2, sizeof T);
CCOPY(EQ(bits, 3), &T, &P3, sizeof T);
p256_add(&U, &T);
CCOPY(bnz & qz, &Q, &T, sizeof Q);
CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
qz &= ~bnz;
}
x ++;
}
*P = Q;
}
/*
* Precomputed window: k*G points, where G is the curve generator, and k
* is an integer from 1 to 15 (inclusive). The X and Y coordinates of
* the point are encoded as 20 words of 13 bits each (little-endian
* order); 13-bit words are then grouped 2-by-2 into 32-bit words
* (little-endian order within each word).
*/
static const uint32_t Gwin[15][20] = {
{ 0x04C60296, 0x02721176, 0x19D00F4A, 0x102517AC,
0x13B8037D, 0x0748103C, 0x1E730E56, 0x08481FE2,
0x0F97012C, 0x00D605F4, 0x1DFA11F5, 0x0C801A0D,
0x0F670CBB, 0x0AED0CC5, 0x115E0E33, 0x181F0785,
0x13F514A7, 0x0FF30E3B, 0x17171E1A, 0x009F18D0 },
{ 0x1B341978, 0x16911F11, 0x0D9A1A60, 0x1C4E1FC8,
0x1E040969, 0x096A06B0, 0x091C0030, 0x09EF1A29,
0x18C40D03, 0x00F91C9E, 0x13C313D1, 0x096F0748,
0x011419E0, 0x1CC713A6, 0x1DD31DAD, 0x1EE80C36,
0x1ECD0C69, 0x1A0800A4, 0x08861B8E, 0x000E1DD5 },
{ 0x173F1D6C, 0x02CC06F1, 0x14C21FB4, 0x043D1EB6,
0x0F3606B7, 0x1A971C59, 0x1BF71951, 0x01481323,
0x068D0633, 0x00BD12F9, 0x13EA1032, 0x136209E8,
0x1C1E19A7, 0x06C7013E, 0x06C10AB0, 0x14C908BB,
0x05830CE1, 0x1FEF18DD, 0x00620998, 0x010E0D19 },
{ 0x18180852, 0x0604111A, 0x0B771509, 0x1B6F0156,
0x00181FE2, 0x1DCC0AF4, 0x16EF0659, 0x11F70E80,
0x11A912D0, 0x01C414D2, 0x027618C6, 0x05840FC6,
0x100215C4, 0x187E0C3B, 0x12771C96, 0x150C0B5D,
0x0FF705FD, 0x07981C67, 0x1AD20C63, 0x01C11C55 },
{ 0x1E8113ED, 0x0A940370, 0x12920215, 0x1FA31D6F,
0x1F7C0C82, 0x10CD03F7, 0x02640560, 0x081A0B5E,
0x1BD21151, 0x00A21642, 0x0D0B0DA4, 0x0176113F,
0x04440D1D, 0x001A1360, 0x1068012F, 0x1F141E49,
0x10DF136B, 0x0E4F162B, 0x0D44104A, 0x01C1105F },
{ 0x011411A9, 0x01551A4F, 0x0ADA0C6B, 0x01BD0EC8,
0x18120C74, 0x112F1778, 0x099202CB, 0x0C05124B,
0x195316A4, 0x01600685, 0x1E3B1FE2, 0x189014E3,
0x0B5E1FD7, 0x0E0311F8, 0x08E000F7, 0x174E00DE,
0x160702DF, 0x1B5A15BF, 0x03A11237, 0x01D01704 },
{ 0x0C3D12A3, 0x0C501C0C, 0x17AD1300, 0x1715003F,
0x03F719F8, 0x18031ED8, 0x1D980667, 0x0F681896,
0x1B7D00BF, 0x011C14CE, 0x0FA000B4, 0x1C3501B0,
0x0D901C55, 0x06790C10, 0x029E0736, 0x0DEB0400,
0x034F183A, 0x030619B4, 0x0DEF0033, 0x00E71AC7 },
{ 0x1B7D1393, 0x1B3B1076, 0x0BED1B4D, 0x13011F3A,
0x0E0E1238, 0x156A132B, 0x013A02D3, 0x160A0D01,
0x1CED1EE9, 0x00C5165D, 0x184C157E, 0x08141A83,
0x153C0DA5, 0x1ED70F9D, 0x05170D51, 0x02CF13B8,
0x18AE1771, 0x1B04113F, 0x05EC11E9, 0x015A16B3 },
{ 0x04A41EE0, 0x1D1412E4, 0x1C591D79, 0x118511B7,
0x14F00ACB, 0x1AE31E1C, 0x049C0D51, 0x016E061E,
0x1DB71EDF, 0x01D41A35, 0x0E8208FA, 0x14441293,
0x011F1E85, 0x1D54137A, 0x026B114F, 0x151D0832,
0x00A50964, 0x1F9C1E1C, 0x064B12C9, 0x005409D1 },
{ 0x062B123F, 0x0C0D0501, 0x183704C3, 0x08E31120,
0x0A2E0A6C, 0x14440FED, 0x090A0D1E, 0x13271964,
0x0B590A3A, 0x019D1D9B, 0x05780773, 0x09770A91,
0x0F770CA3, 0x053F19D4, 0x02C80DED, 0x1A761304,
0x091E0DD9, 0x15D201B8, 0x151109AA, 0x010F0198 },
{ 0x05E101D1, 0x072314DD, 0x045F1433, 0x1A041541,
0x10B3142E, 0x01840736, 0x1C1B19DB, 0x098B0418,
0x1DBC083B, 0x007D1444, 0x01511740, 0x11DD1F3A,
0x04ED0E2F, 0x1B4B1A62, 0x10480D04, 0x09E911A2,
0x04211AFA, 0x19140893, 0x04D60CC4, 0x01210648 },
{ 0x112703C4, 0x018B1BA1, 0x164C1D50, 0x05160BE0,
0x0BCC1830, 0x01CB1554, 0x13291732, 0x1B2B1918,
0x0DED0817, 0x00E80775, 0x0A2401D3, 0x0BFE08B3,
0x0E531199, 0x058616E9, 0x04770B91, 0x110F0C55,
0x19C11554, 0x0BFB1159, 0x03541C38, 0x000E1C2D },
{ 0x10390C01, 0x02BB0751, 0x0AC5098E, 0x096C17AB,
0x03C90E28, 0x10BD18BF, 0x002E1F2D, 0x092B0986,
0x1BD700AC, 0x002E1F20, 0x1E3D1FD8, 0x077718BB,
0x06F919C4, 0x187407ED, 0x11370E14, 0x081E139C,
0x00481ADB, 0x14AB0289, 0x066A0EBE, 0x00C70ED6 },
{ 0x0694120B, 0x124E1CC9, 0x0E2F0570, 0x17CF081A,
0x078906AC, 0x066D17CF, 0x1B3207F4, 0x0C5705E9,
0x10001C38, 0x00A919DE, 0x06851375, 0x0F900BD8,
0x080401BA, 0x0EEE0D42, 0x1B8B11EA, 0x0B4519F0,
0x090F18C0, 0x062E1508, 0x0DD909F4, 0x01EB067C },
{ 0x0CDC1D5F, 0x0D1818F9, 0x07781636, 0x125B18E8,
0x0D7003AF, 0x13110099, 0x1D9B1899, 0x175C1EB7,
0x0E34171A, 0x01E01153, 0x081A0F36, 0x0B391783,
0x1D1F147E, 0x19CE16D7, 0x11511B21, 0x1F2C10F9,
0x12CA0E51, 0x05A31D39, 0x171A192E, 0x016B0E4F }
};
/*
* Lookup one of the Gwin[] values, by index. This is constant-time.
*/
static void
lookup_Gwin(p256_jacobian *T, uint32_t idx)
{
uint32_t xy[20];
uint32_t k;
size_t u;
memset(xy, 0, sizeof xy);
for (k = 0; k < 15; k ++) {
uint32_t m;
m = -EQ(idx, k + 1);
for (u = 0; u < 20; u ++) {
xy[u] |= m & Gwin[k][u];
}
}
for (u = 0; u < 10; u ++) {
T->x[(u << 1) + 0] = xy[u] & 0xFFFF;
T->x[(u << 1) + 1] = xy[u] >> 16;
T->y[(u << 1) + 0] = xy[u + 10] & 0xFFFF;
T->y[(u << 1) + 1] = xy[u + 10] >> 16;
}
memset(T->z, 0, sizeof T->z);
T->z[0] = 1;
}
/*
* Multiply the generator by an integer. The integer is assumed non-zero
* and lower than the curve order.
*/
static void
p256_mulgen(p256_jacobian *P, const unsigned char *x, size_t xlen)
{
/*
* qz is a flag that is initially 1, and remains equal to 1
* as long as the point is the point at infinity.
*
* We use a 4-bit window to handle multiplier bits by groups
* of 4. The precomputed window is constant static data, with
* points in affine coordinates; we use a constant-time lookup.
*/
p256_jacobian Q;
uint32_t qz;
memset(&Q, 0, sizeof Q);
qz = 1;
while (xlen -- > 0) {
int k;
unsigned bx;
bx = *x ++;
for (k = 0; k < 2; k ++) {
uint32_t bits;
uint32_t bnz;
p256_jacobian T, U;
p256_double(&Q);
p256_double(&Q);
p256_double(&Q);
p256_double(&Q);
bits = (bx >> 4) & 0x0F;
bnz = NEQ(bits, 0);
lookup_Gwin(&T, bits);
U = Q;
p256_add_mixed(&U, &T);
CCOPY(bnz & qz, &Q, &T, sizeof Q);
CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
qz &= ~bnz;
bx <<= 4;
}
}
*P = Q;
}
static const unsigned char P256_G[] = {
0x04, 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8,
0xBC, 0xE6, 0xE5, 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D,
0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, 0x39, 0x45, 0xD8,
0x98, 0xC2, 0x96, 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F,
0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C, 0x0F, 0x9E, 0x16, 0x2B,
0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6, 0x40,
0x68, 0x37, 0xBF, 0x51, 0xF5
};
static const unsigned char P256_N[] = {
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD,
0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63,
0x25, 0x51
};
static const unsigned char *
api_generator(int curve, size_t *len)
{
(void)curve;
*len = sizeof P256_G;
return P256_G;
}
static const unsigned char *
api_order(int curve, size_t *len)
{
(void)curve;
*len = sizeof P256_N;
return P256_N;
}
static size_t
api_xoff(int curve, size_t *len)
{
(void)curve;
*len = 32;
return 1;
}
static uint32_t
api_mul(unsigned char *G, size_t Glen,
const unsigned char *x, size_t xlen, int curve)
{
uint32_t r;
p256_jacobian P;
(void)curve;
+ if (Glen != 65) {
+ return 0;
+ }
r = p256_decode(&P, G, Glen);
p256_mul(&P, x, xlen);
- if (Glen >= 65) {
- p256_to_affine(&P);
- p256_encode(G, &P);
- }
+ p256_to_affine(&P);
+ p256_encode(G, &P);
return r;
}
static size_t
api_mulgen(unsigned char *R,
const unsigned char *x, size_t xlen, int curve)
{
p256_jacobian P;
(void)curve;
p256_mulgen(&P, x, xlen);
p256_to_affine(&P);
p256_encode(R, &P);
return 65;
-
- /*
- const unsigned char *G;
- size_t Glen;
-
- G = api_generator(curve, &Glen);
- memcpy(R, G, Glen);
- api_mul(R, Glen, x, xlen, curve);
- return Glen;
- */
}
static uint32_t
api_muladd(unsigned char *A, const unsigned char *B, size_t len,
const unsigned char *x, size_t xlen,
const unsigned char *y, size_t ylen, int curve)
{
p256_jacobian P, Q;
uint32_t r, t, z;
int i;
(void)curve;
+ if (len != 65) {
+ return 0;
+ }
r = p256_decode(&P, A, len);
p256_mul(&P, x, xlen);
if (B == NULL) {
p256_mulgen(&Q, y, ylen);
} else {
r &= p256_decode(&Q, B, len);
p256_mul(&Q, y, ylen);
}
/*
* The final addition may fail in case both points are equal.
*/
t = p256_add(&P, &Q);
reduce_final_f256(P.z);
z = 0;
for (i = 0; i < 20; i ++) {
z |= P.z[i];
}
z = EQ(z, 0);
p256_double(&Q);
/*
* If z is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we
* have the following:
*
* z = 0, t = 0 return P (normal addition)
* z = 0, t = 1 return P (normal addition)
* z = 1, t = 0 return Q (a 'double' case)
* z = 1, t = 1 report an error (P+Q = 0)
*/
CCOPY(z & ~t, &P, &Q, sizeof Q);
p256_to_affine(&P);
p256_encode(A, &P);
r &= ~(z & t);
return r;
}
/* see bearssl_ec.h */
const br_ec_impl br_ec_p256_m15 = {
(uint32_t)0x00800000,
&api_generator,
&api_order,
&api_xoff,
&api_mul,
&api_mulgen,
&api_muladd
};
diff --git a/contrib/bearssl/src/ec/ec_p256_m31.c b/contrib/bearssl/src/ec/ec_p256_m31.c
index d57ef7b097ff..b185937e1606 100644
--- a/contrib/bearssl/src/ec/ec_p256_m31.c
+++ b/contrib/bearssl/src/ec/ec_p256_m31.c
@@ -1,1475 +1,1469 @@
/*
* Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
/*
* If BR_NO_ARITH_SHIFT is undefined, or defined to 0, then we _assume_
* that right-shifting a signed negative integer copies the sign bit
* (arithmetic right-shift). This is "implementation-defined behaviour",
* i.e. it is not undefined, but it may differ between compilers. Each
* compiler is supposed to document its behaviour in that respect. GCC
* explicitly defines that an arithmetic right shift is used. We expect
* all other compilers to do the same, because underlying CPU offer an
* arithmetic right shift opcode that could not be used otherwise.
*/
#if BR_NO_ARITH_SHIFT
#define ARSH(x, n) (((uint32_t)(x) >> (n)) \
| ((-((uint32_t)(x) >> 31)) << (32 - (n))))
#define ARSHW(x, n) (((uint64_t)(x) >> (n)) \
| ((-((uint64_t)(x) >> 63)) << (64 - (n))))
#else
#define ARSH(x, n) ((*(int32_t *)&(x)) >> (n))
#define ARSHW(x, n) ((*(int64_t *)&(x)) >> (n))
#endif
/*
* Convert an integer from unsigned big-endian encoding to a sequence of
* 30-bit words in little-endian order. The final "partial" word is
* returned.
*/
static uint32_t
be8_to_le30(uint32_t *dst, const unsigned char *src, size_t len)
{
uint32_t acc;
int acc_len;
acc = 0;
acc_len = 0;
while (len -- > 0) {
uint32_t b;
b = src[len];
if (acc_len < 22) {
acc |= b << acc_len;
acc_len += 8;
} else {
*dst ++ = (acc | (b << acc_len)) & 0x3FFFFFFF;
acc = b >> (30 - acc_len);
acc_len -= 22;
}
}
return acc;
}
/*
* Convert an integer (30-bit words, little-endian) to unsigned
* big-endian encoding. The total encoding length is provided; all
* the destination bytes will be filled.
*/
static void
le30_to_be8(unsigned char *dst, size_t len, const uint32_t *src)
{
uint32_t acc;
int acc_len;
acc = 0;
acc_len = 0;
while (len -- > 0) {
if (acc_len < 8) {
uint32_t w;
w = *src ++;
dst[len] = (unsigned char)(acc | (w << acc_len));
acc = w >> (8 - acc_len);
acc_len += 22;
} else {
dst[len] = (unsigned char)acc;
acc >>= 8;
acc_len -= 8;
}
}
}
/*
* Multiply two integers. Source integers are represented as arrays of
* nine 30-bit words, for values up to 2^270-1. Result is encoded over
* 18 words of 30 bits each.
*/
static void
mul9(uint32_t *d, const uint32_t *a, const uint32_t *b)
{
/*
* Maximum intermediate result is no more than
* 10376293531797946367, which fits in 64 bits. Reason:
*
* 10376293531797946367 = 9 * (2^30-1)^2 + 9663676406
* 10376293531797946367 < 9663676407 * 2^30
*
* Thus, adding together 9 products of 30-bit integers, with
* a carry of at most 9663676406, yields an integer that fits
* on 64 bits and generates a carry of at most 9663676406.
*/
uint64_t t[17];
uint64_t cc;
int i;
t[ 0] = MUL31(a[0], b[0]);
t[ 1] = MUL31(a[0], b[1])
+ MUL31(a[1], b[0]);
t[ 2] = MUL31(a[0], b[2])
+ MUL31(a[1], b[1])
+ MUL31(a[2], b[0]);
t[ 3] = MUL31(a[0], b[3])
+ MUL31(a[1], b[2])
+ MUL31(a[2], b[1])
+ MUL31(a[3], b[0]);
t[ 4] = MUL31(a[0], b[4])
+ MUL31(a[1], b[3])
+ MUL31(a[2], b[2])
+ MUL31(a[3], b[1])
+ MUL31(a[4], b[0]);
t[ 5] = MUL31(a[0], b[5])
+ MUL31(a[1], b[4])
+ MUL31(a[2], b[3])
+ MUL31(a[3], b[2])
+ MUL31(a[4], b[1])
+ MUL31(a[5], b[0]);
t[ 6] = MUL31(a[0], b[6])
+ MUL31(a[1], b[5])
+ MUL31(a[2], b[4])
+ MUL31(a[3], b[3])
+ MUL31(a[4], b[2])
+ MUL31(a[5], b[1])
+ MUL31(a[6], b[0]);
t[ 7] = MUL31(a[0], b[7])
+ MUL31(a[1], b[6])
+ MUL31(a[2], b[5])
+ MUL31(a[3], b[4])
+ MUL31(a[4], b[3])
+ MUL31(a[5], b[2])
+ MUL31(a[6], b[1])
+ MUL31(a[7], b[0]);
t[ 8] = MUL31(a[0], b[8])
+ MUL31(a[1], b[7])
+ MUL31(a[2], b[6])
+ MUL31(a[3], b[5])
+ MUL31(a[4], b[4])
+ MUL31(a[5], b[3])
+ MUL31(a[6], b[2])
+ MUL31(a[7], b[1])
+ MUL31(a[8], b[0]);
t[ 9] = MUL31(a[1], b[8])
+ MUL31(a[2], b[7])
+ MUL31(a[3], b[6])
+ MUL31(a[4], b[5])
+ MUL31(a[5], b[4])
+ MUL31(a[6], b[3])
+ MUL31(a[7], b[2])
+ MUL31(a[8], b[1]);
t[10] = MUL31(a[2], b[8])
+ MUL31(a[3], b[7])
+ MUL31(a[4], b[6])
+ MUL31(a[5], b[5])
+ MUL31(a[6], b[4])
+ MUL31(a[7], b[3])
+ MUL31(a[8], b[2]);
t[11] = MUL31(a[3], b[8])
+ MUL31(a[4], b[7])
+ MUL31(a[5], b[6])
+ MUL31(a[6], b[5])
+ MUL31(a[7], b[4])
+ MUL31(a[8], b[3]);
t[12] = MUL31(a[4], b[8])
+ MUL31(a[5], b[7])
+ MUL31(a[6], b[6])
+ MUL31(a[7], b[5])
+ MUL31(a[8], b[4]);
t[13] = MUL31(a[5], b[8])
+ MUL31(a[6], b[7])
+ MUL31(a[7], b[6])
+ MUL31(a[8], b[5]);
t[14] = MUL31(a[6], b[8])
+ MUL31(a[7], b[7])
+ MUL31(a[8], b[6]);
t[15] = MUL31(a[7], b[8])
+ MUL31(a[8], b[7]);
t[16] = MUL31(a[8], b[8]);
/*
* Propagate carries.
*/
cc = 0;
for (i = 0; i < 17; i ++) {
uint64_t w;
w = t[i] + cc;
d[i] = (uint32_t)w & 0x3FFFFFFF;
cc = w >> 30;
}
d[17] = (uint32_t)cc;
}
/*
* Square a 270-bit integer, represented as an array of nine 30-bit words.
* Result uses 18 words of 30 bits each.
*/
static void
square9(uint32_t *d, const uint32_t *a)
{
uint64_t t[17];
uint64_t cc;
int i;
t[ 0] = MUL31(a[0], a[0]);
t[ 1] = ((MUL31(a[0], a[1])) << 1);
t[ 2] = MUL31(a[1], a[1])
+ ((MUL31(a[0], a[2])) << 1);
t[ 3] = ((MUL31(a[0], a[3])
+ MUL31(a[1], a[2])) << 1);
t[ 4] = MUL31(a[2], a[2])
+ ((MUL31(a[0], a[4])
+ MUL31(a[1], a[3])) << 1);
t[ 5] = ((MUL31(a[0], a[5])
+ MUL31(a[1], a[4])
+ MUL31(a[2], a[3])) << 1);
t[ 6] = MUL31(a[3], a[3])
+ ((MUL31(a[0], a[6])
+ MUL31(a[1], a[5])
+ MUL31(a[2], a[4])) << 1);
t[ 7] = ((MUL31(a[0], a[7])
+ MUL31(a[1], a[6])
+ MUL31(a[2], a[5])
+ MUL31(a[3], a[4])) << 1);
t[ 8] = MUL31(a[4], a[4])
+ ((MUL31(a[0], a[8])
+ MUL31(a[1], a[7])
+ MUL31(a[2], a[6])
+ MUL31(a[3], a[5])) << 1);
t[ 9] = ((MUL31(a[1], a[8])
+ MUL31(a[2], a[7])
+ MUL31(a[3], a[6])
+ MUL31(a[4], a[5])) << 1);
t[10] = MUL31(a[5], a[5])
+ ((MUL31(a[2], a[8])
+ MUL31(a[3], a[7])
+ MUL31(a[4], a[6])) << 1);
t[11] = ((MUL31(a[3], a[8])
+ MUL31(a[4], a[7])
+ MUL31(a[5], a[6])) << 1);
t[12] = MUL31(a[6], a[6])
+ ((MUL31(a[4], a[8])
+ MUL31(a[5], a[7])) << 1);
t[13] = ((MUL31(a[5], a[8])
+ MUL31(a[6], a[7])) << 1);
t[14] = MUL31(a[7], a[7])
+ ((MUL31(a[6], a[8])) << 1);
t[15] = ((MUL31(a[7], a[8])) << 1);
t[16] = MUL31(a[8], a[8]);
/*
* Propagate carries.
*/
cc = 0;
for (i = 0; i < 17; i ++) {
uint64_t w;
w = t[i] + cc;
d[i] = (uint32_t)w & 0x3FFFFFFF;
cc = w >> 30;
}
d[17] = (uint32_t)cc;
}
/*
* Base field modulus for P-256.
*/
static const uint32_t F256[] = {
0x3FFFFFFF, 0x3FFFFFFF, 0x3FFFFFFF, 0x0000003F, 0x00000000,
0x00000000, 0x00001000, 0x3FFFC000, 0x0000FFFF
};
/*
* The 'b' curve equation coefficient for P-256.
*/
static const uint32_t P256_B[] = {
0x27D2604B, 0x2F38F0F8, 0x053B0F63, 0x0741AC33, 0x1886BC65,
0x2EF555DA, 0x293E7B3E, 0x0D762A8E, 0x00005AC6
};
/*
* Addition in the field. Source operands shall fit on 257 bits; output
* will be lower than twice the modulus.
*/
static void
add_f256(uint32_t *d, const uint32_t *a, const uint32_t *b)
{
uint32_t w, cc;
int i;
cc = 0;
for (i = 0; i < 9; i ++) {
w = a[i] + b[i] + cc;
d[i] = w & 0x3FFFFFFF;
cc = w >> 30;
}
w >>= 16;
d[8] &= 0xFFFF;
d[3] -= w << 6;
d[6] -= w << 12;
d[7] += w << 14;
cc = w;
for (i = 0; i < 9; i ++) {
w = d[i] + cc;
d[i] = w & 0x3FFFFFFF;
cc = ARSH(w, 30);
}
}
/*
* Subtraction in the field. Source operands shall be smaller than twice
* the modulus; the result will fulfil the same property.
*/
static void
sub_f256(uint32_t *d, const uint32_t *a, const uint32_t *b)
{
uint32_t w, cc;
int i;
/*
* We really compute a - b + 2*p to make sure that the result is
* positive.
*/
w = a[0] - b[0] - 0x00002;
d[0] = w & 0x3FFFFFFF;
w = a[1] - b[1] + ARSH(w, 30);
d[1] = w & 0x3FFFFFFF;
w = a[2] - b[2] + ARSH(w, 30);
d[2] = w & 0x3FFFFFFF;
w = a[3] - b[3] + ARSH(w, 30) + 0x00080;
d[3] = w & 0x3FFFFFFF;
w = a[4] - b[4] + ARSH(w, 30);
d[4] = w & 0x3FFFFFFF;
w = a[5] - b[5] + ARSH(w, 30);
d[5] = w & 0x3FFFFFFF;
w = a[6] - b[6] + ARSH(w, 30) + 0x02000;
d[6] = w & 0x3FFFFFFF;
w = a[7] - b[7] + ARSH(w, 30) - 0x08000;
d[7] = w & 0x3FFFFFFF;
w = a[8] - b[8] + ARSH(w, 30) + 0x20000;
d[8] = w & 0xFFFF;
w >>= 16;
d[8] &= 0xFFFF;
d[3] -= w << 6;
d[6] -= w << 12;
d[7] += w << 14;
cc = w;
for (i = 0; i < 9; i ++) {
w = d[i] + cc;
d[i] = w & 0x3FFFFFFF;
cc = ARSH(w, 30);
}
}
/*
* Compute a multiplication in F256. Source operands shall be less than
* twice the modulus.
*/
static void
mul_f256(uint32_t *d, const uint32_t *a, const uint32_t *b)
{
uint32_t t[18];
uint64_t s[18];
uint64_t cc, x;
uint32_t z, c;
int i;
mul9(t, a, b);
/*
* Modular reduction: each high word in added/subtracted where
* necessary.
*
* The modulus is:
* p = 2^256 - 2^224 + 2^192 + 2^96 - 1
* Therefore:
* 2^256 = 2^224 - 2^192 - 2^96 + 1 mod p
*
* For a word x at bit offset n (n >= 256), we have:
* x*2^n = x*2^(n-32) - x*2^(n-64)
* - x*2^(n - 160) + x*2^(n-256) mod p
*
* Thus, we can nullify the high word if we reinject it at some
* proper emplacements.
*
* We use 64-bit intermediate words to allow for carries to
* accumulate easily, before performing the final propagation.
*/
for (i = 0; i < 18; i ++) {
s[i] = t[i];
}
for (i = 17; i >= 9; i --) {
uint64_t y;
y = s[i];
s[i - 1] += ARSHW(y, 2);
s[i - 2] += (y << 28) & 0x3FFFFFFF;
s[i - 2] -= ARSHW(y, 4);
s[i - 3] -= (y << 26) & 0x3FFFFFFF;
s[i - 5] -= ARSHW(y, 10);
s[i - 6] -= (y << 20) & 0x3FFFFFFF;
s[i - 8] += ARSHW(y, 16);
s[i - 9] += (y << 14) & 0x3FFFFFFF;
}
/*
* Carry propagation must be signed. Moreover, we may have overdone
* it a bit, and obtain a negative result.
*
* The loop above ran 9 times; each time, each word was augmented
* by at most one extra word (in absolute value). Thus, the top
* word must in fine fit in 39 bits, so the carry below will fit
* on 9 bits.
*/
cc = 0;
for (i = 0; i < 9; i ++) {
x = s[i] + cc;
d[i] = (uint32_t)x & 0x3FFFFFFF;
cc = ARSHW(x, 30);
}
/*
* All nine words fit on 30 bits, but there may be an extra
* carry for a few bits (at most 9), and that carry may be
* negative. Moreover, we want the result to fit on 257 bits.
* The two lines below ensure that the word in d[] has length
* 256 bits, and the (signed) carry (beyond 2^256) is in cc. The
* significant length of cc is less than 24 bits, so we will be
* able to switch to 32-bit operations.
*/
cc = ARSHW(x, 16);
d[8] &= 0xFFFF;
/*
* One extra round of reduction, for cc*2^256, which means
* adding cc*(2^224-2^192-2^96+1) to a 256-bit (nonnegative)
* value. If cc is negative, then it may happen (rarely, but
* not neglectibly so) that the result would be negative. In
* order to avoid that, if cc is negative, then we add the
* modulus once. Note that if cc is negative, then propagating
* that carry must yield a value lower than the modulus, so
* adding the modulus once will keep the final result under
* twice the modulus.
*/
z = (uint32_t)cc;
d[3] -= z << 6;
d[6] -= (z << 12) & 0x3FFFFFFF;
d[7] -= ARSH(z, 18);
d[7] += (z << 14) & 0x3FFFFFFF;
d[8] += ARSH(z, 16);
c = z >> 31;
d[0] -= c;
d[3] += c << 6;
d[6] += c << 12;
d[7] -= c << 14;
d[8] += c << 16;
for (i = 0; i < 9; i ++) {
uint32_t w;
w = d[i] + z;
d[i] = w & 0x3FFFFFFF;
z = ARSH(w, 30);
}
}
/*
* Compute a square in F256. Source operand shall be less than
* twice the modulus.
*/
static void
square_f256(uint32_t *d, const uint32_t *a)
{
uint32_t t[18];
uint64_t s[18];
uint64_t cc, x;
uint32_t z, c;
int i;
square9(t, a);
/*
* Modular reduction: each high word in added/subtracted where
* necessary.
*
* The modulus is:
* p = 2^256 - 2^224 + 2^192 + 2^96 - 1
* Therefore:
* 2^256 = 2^224 - 2^192 - 2^96 + 1 mod p
*
* For a word x at bit offset n (n >= 256), we have:
* x*2^n = x*2^(n-32) - x*2^(n-64)
* - x*2^(n - 160) + x*2^(n-256) mod p
*
* Thus, we can nullify the high word if we reinject it at some
* proper emplacements.
*
* We use 64-bit intermediate words to allow for carries to
* accumulate easily, before performing the final propagation.
*/
for (i = 0; i < 18; i ++) {
s[i] = t[i];
}
for (i = 17; i >= 9; i --) {
uint64_t y;
y = s[i];
s[i - 1] += ARSHW(y, 2);
s[i - 2] += (y << 28) & 0x3FFFFFFF;
s[i - 2] -= ARSHW(y, 4);
s[i - 3] -= (y << 26) & 0x3FFFFFFF;
s[i - 5] -= ARSHW(y, 10);
s[i - 6] -= (y << 20) & 0x3FFFFFFF;
s[i - 8] += ARSHW(y, 16);
s[i - 9] += (y << 14) & 0x3FFFFFFF;
}
/*
* Carry propagation must be signed. Moreover, we may have overdone
* it a bit, and obtain a negative result.
*
* The loop above ran 9 times; each time, each word was augmented
* by at most one extra word (in absolute value). Thus, the top
* word must in fine fit in 39 bits, so the carry below will fit
* on 9 bits.
*/
cc = 0;
for (i = 0; i < 9; i ++) {
x = s[i] + cc;
d[i] = (uint32_t)x & 0x3FFFFFFF;
cc = ARSHW(x, 30);
}
/*
* All nine words fit on 30 bits, but there may be an extra
* carry for a few bits (at most 9), and that carry may be
* negative. Moreover, we want the result to fit on 257 bits.
* The two lines below ensure that the word in d[] has length
* 256 bits, and the (signed) carry (beyond 2^256) is in cc. The
* significant length of cc is less than 24 bits, so we will be
* able to switch to 32-bit operations.
*/
cc = ARSHW(x, 16);
d[8] &= 0xFFFF;
/*
* One extra round of reduction, for cc*2^256, which means
* adding cc*(2^224-2^192-2^96+1) to a 256-bit (nonnegative)
* value. If cc is negative, then it may happen (rarely, but
* not neglectibly so) that the result would be negative. In
* order to avoid that, if cc is negative, then we add the
* modulus once. Note that if cc is negative, then propagating
* that carry must yield a value lower than the modulus, so
* adding the modulus once will keep the final result under
* twice the modulus.
*/
z = (uint32_t)cc;
d[3] -= z << 6;
d[6] -= (z << 12) & 0x3FFFFFFF;
d[7] -= ARSH(z, 18);
d[7] += (z << 14) & 0x3FFFFFFF;
d[8] += ARSH(z, 16);
c = z >> 31;
d[0] -= c;
d[3] += c << 6;
d[6] += c << 12;
d[7] -= c << 14;
d[8] += c << 16;
for (i = 0; i < 9; i ++) {
uint32_t w;
w = d[i] + z;
d[i] = w & 0x3FFFFFFF;
z = ARSH(w, 30);
}
}
/*
* Perform a "final reduction" in field F256 (field for curve P-256).
* The source value must be less than twice the modulus. If the value
* is not lower than the modulus, then the modulus is subtracted and
* this function returns 1; otherwise, it leaves it untouched and it
* returns 0.
*/
static uint32_t
reduce_final_f256(uint32_t *d)
{
uint32_t t[9];
uint32_t cc;
int i;
cc = 0;
for (i = 0; i < 9; i ++) {
uint32_t w;
w = d[i] - F256[i] - cc;
cc = w >> 31;
t[i] = w & 0x3FFFFFFF;
}
cc ^= 1;
CCOPY(cc, d, t, sizeof t);
return cc;
}
/*
* Jacobian coordinates for a point in P-256: affine coordinates (X,Y)
* are such that:
* X = x / z^2
* Y = y / z^3
* For the point at infinity, z = 0.
* Each point thus admits many possible representations.
*
* Coordinates are represented in arrays of 32-bit integers, each holding
* 30 bits of data. Values may also be slightly greater than the modulus,
* but they will always be lower than twice the modulus.
*/
typedef struct {
uint32_t x[9];
uint32_t y[9];
uint32_t z[9];
} p256_jacobian;
/*
* Convert a point to affine coordinates:
* - If the point is the point at infinity, then all three coordinates
* are set to 0.
* - Otherwise, the 'z' coordinate is set to 1, and the 'x' and 'y'
* coordinates are the 'X' and 'Y' affine coordinates.
* The coordinates are guaranteed to be lower than the modulus.
*/
static void
p256_to_affine(p256_jacobian *P)
{
uint32_t t1[9], t2[9];
int i;
/*
* Invert z with a modular exponentiation: the modulus is
* p = 2^256 - 2^224 + 2^192 + 2^96 - 1, and the exponent is
* p-2. Exponent bit pattern (from high to low) is:
* - 32 bits of value 1
* - 31 bits of value 0
* - 1 bit of value 1
* - 96 bits of value 0
* - 94 bits of value 1
* - 1 bit of value 0
* - 1 bit of value 1
* Thus, we precompute z^(2^31-1) to speed things up.
*
* If z = 0 (point at infinity) then the modular exponentiation
* will yield 0, which leads to the expected result (all three
* coordinates set to 0).
*/
/*
* A simple square-and-multiply for z^(2^31-1). We could save about
* two dozen multiplications here with an addition chain, but
* this would require a bit more code, and extra stack buffers.
*/
memcpy(t1, P->z, sizeof P->z);
for (i = 0; i < 30; i ++) {
square_f256(t1, t1);
mul_f256(t1, t1, P->z);
}
/*
* Square-and-multiply. Apart from the squarings, we have a few
* multiplications to set bits to 1; we multiply by the original z
* for setting 1 bit, and by t1 for setting 31 bits.
*/
memcpy(t2, P->z, sizeof P->z);
for (i = 1; i < 256; i ++) {
square_f256(t2, t2);
switch (i) {
case 31:
case 190:
case 221:
case 252:
mul_f256(t2, t2, t1);
break;
case 63:
case 253:
case 255:
mul_f256(t2, t2, P->z);
break;
}
}
/*
* Now that we have 1/z, multiply x by 1/z^2 and y by 1/z^3.
*/
mul_f256(t1, t2, t2);
mul_f256(P->x, t1, P->x);
mul_f256(t1, t1, t2);
mul_f256(P->y, t1, P->y);
reduce_final_f256(P->x);
reduce_final_f256(P->y);
/*
* Multiply z by 1/z. If z = 0, then this will yield 0, otherwise
* this will set z to 1.
*/
mul_f256(P->z, P->z, t2);
reduce_final_f256(P->z);
}
/*
* Double a point in P-256. This function works for all valid points,
* including the point at infinity.
*/
static void
p256_double(p256_jacobian *Q)
{
/*
* Doubling formulas are:
*
* s = 4*x*y^2
* m = 3*(x + z^2)*(x - z^2)
* x' = m^2 - 2*s
* y' = m*(s - x') - 8*y^4
* z' = 2*y*z
*
* These formulas work for all points, including points of order 2
* and points at infinity:
* - If y = 0 then z' = 0. But there is no such point in P-256
* anyway.
* - If z = 0 then z' = 0.
*/
uint32_t t1[9], t2[9], t3[9], t4[9];
/*
* Compute z^2 in t1.
*/
square_f256(t1, Q->z);
/*
* Compute x-z^2 in t2 and x+z^2 in t1.
*/
add_f256(t2, Q->x, t1);
sub_f256(t1, Q->x, t1);
/*
* Compute 3*(x+z^2)*(x-z^2) in t1.
*/
mul_f256(t3, t1, t2);
add_f256(t1, t3, t3);
add_f256(t1, t3, t1);
/*
* Compute 4*x*y^2 (in t2) and 2*y^2 (in t3).
*/
square_f256(t3, Q->y);
add_f256(t3, t3, t3);
mul_f256(t2, Q->x, t3);
add_f256(t2, t2, t2);
/*
* Compute x' = m^2 - 2*s.
*/
square_f256(Q->x, t1);
sub_f256(Q->x, Q->x, t2);
sub_f256(Q->x, Q->x, t2);
/*
* Compute z' = 2*y*z.
*/
mul_f256(t4, Q->y, Q->z);
add_f256(Q->z, t4, t4);
/*
* Compute y' = m*(s - x') - 8*y^4. Note that we already have
* 2*y^2 in t3.
*/
sub_f256(t2, t2, Q->x);
mul_f256(Q->y, t1, t2);
square_f256(t4, t3);
add_f256(t4, t4, t4);
sub_f256(Q->y, Q->y, t4);
}
/*
* Add point P2 to point P1.
*
* This function computes the wrong result in the following cases:
*
* - If P1 == 0 but P2 != 0
* - If P1 != 0 but P2 == 0
* - If P1 == P2
*
* In all three cases, P1 is set to the point at infinity.
*
* Returned value is 0 if one of the following occurs:
*
* - P1 and P2 have the same Y coordinate
* - P1 == 0 and P2 == 0
* - The Y coordinate of one of the points is 0 and the other point is
* the point at infinity.
*
* The third case cannot actually happen with valid points, since a point
* with Y == 0 is a point of order 2, and there is no point of order 2 on
* curve P-256.
*
* Therefore, assuming that P1 != 0 and P2 != 0 on input, then the caller
* can apply the following:
*
* - If the result is not the point at infinity, then it is correct.
* - Otherwise, if the returned value is 1, then this is a case of
* P1+P2 == 0, so the result is indeed the point at infinity.
* - Otherwise, P1 == P2, so a "double" operation should have been
* performed.
*/
static uint32_t
p256_add(p256_jacobian *P1, const p256_jacobian *P2)
{
/*
* Addtions formulas are:
*
* u1 = x1 * z2^2
* u2 = x2 * z1^2
* s1 = y1 * z2^3
* s2 = y2 * z1^3
* h = u2 - u1
* r = s2 - s1
* x3 = r^2 - h^3 - 2 * u1 * h^2
* y3 = r * (u1 * h^2 - x3) - s1 * h^3
* z3 = h * z1 * z2
*/
uint32_t t1[9], t2[9], t3[9], t4[9], t5[9], t6[9], t7[9];
uint32_t ret;
int i;
/*
* Compute u1 = x1*z2^2 (in t1) and s1 = y1*z2^3 (in t3).
*/
square_f256(t3, P2->z);
mul_f256(t1, P1->x, t3);
mul_f256(t4, P2->z, t3);
mul_f256(t3, P1->y, t4);
/*
* Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
*/
square_f256(t4, P1->z);
mul_f256(t2, P2->x, t4);
mul_f256(t5, P1->z, t4);
mul_f256(t4, P2->y, t5);
/*
* Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
* We need to test whether r is zero, so we will do some extra
* reduce.
*/
sub_f256(t2, t2, t1);
sub_f256(t4, t4, t3);
reduce_final_f256(t4);
ret = 0;
for (i = 0; i < 9; i ++) {
ret |= t4[i];
}
ret = (ret | -ret) >> 31;
/*
* Compute u1*h^2 (in t6) and h^3 (in t5);
*/
square_f256(t7, t2);
mul_f256(t6, t1, t7);
mul_f256(t5, t7, t2);
/*
* Compute x3 = r^2 - h^3 - 2*u1*h^2.
*/
square_f256(P1->x, t4);
sub_f256(P1->x, P1->x, t5);
sub_f256(P1->x, P1->x, t6);
sub_f256(P1->x, P1->x, t6);
/*
* Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
*/
sub_f256(t6, t6, P1->x);
mul_f256(P1->y, t4, t6);
mul_f256(t1, t5, t3);
sub_f256(P1->y, P1->y, t1);
/*
* Compute z3 = h*z1*z2.
*/
mul_f256(t1, P1->z, P2->z);
mul_f256(P1->z, t1, t2);
return ret;
}
/*
* Add point P2 to point P1. This is a specialised function for the
* case when P2 is a non-zero point in affine coordinate.
*
* This function computes the wrong result in the following cases:
*
* - If P1 == 0
* - If P1 == P2
*
* In both cases, P1 is set to the point at infinity.
*
* Returned value is 0 if one of the following occurs:
*
* - P1 and P2 have the same Y coordinate
* - The Y coordinate of P2 is 0 and P1 is the point at infinity.
*
* The second case cannot actually happen with valid points, since a point
* with Y == 0 is a point of order 2, and there is no point of order 2 on
* curve P-256.
*
* Therefore, assuming that P1 != 0 on input, then the caller
* can apply the following:
*
* - If the result is not the point at infinity, then it is correct.
* - Otherwise, if the returned value is 1, then this is a case of
* P1+P2 == 0, so the result is indeed the point at infinity.
* - Otherwise, P1 == P2, so a "double" operation should have been
* performed.
*/
static uint32_t
p256_add_mixed(p256_jacobian *P1, const p256_jacobian *P2)
{
/*
* Addtions formulas are:
*
* u1 = x1
* u2 = x2 * z1^2
* s1 = y1
* s2 = y2 * z1^3
* h = u2 - u1
* r = s2 - s1
* x3 = r^2 - h^3 - 2 * u1 * h^2
* y3 = r * (u1 * h^2 - x3) - s1 * h^3
* z3 = h * z1
*/
uint32_t t1[9], t2[9], t3[9], t4[9], t5[9], t6[9], t7[9];
uint32_t ret;
int i;
/*
* Compute u1 = x1 (in t1) and s1 = y1 (in t3).
*/
memcpy(t1, P1->x, sizeof t1);
memcpy(t3, P1->y, sizeof t3);
/*
* Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
*/
square_f256(t4, P1->z);
mul_f256(t2, P2->x, t4);
mul_f256(t5, P1->z, t4);
mul_f256(t4, P2->y, t5);
/*
* Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
* We need to test whether r is zero, so we will do some extra
* reduce.
*/
sub_f256(t2, t2, t1);
sub_f256(t4, t4, t3);
reduce_final_f256(t4);
ret = 0;
for (i = 0; i < 9; i ++) {
ret |= t4[i];
}
ret = (ret | -ret) >> 31;
/*
* Compute u1*h^2 (in t6) and h^3 (in t5);
*/
square_f256(t7, t2);
mul_f256(t6, t1, t7);
mul_f256(t5, t7, t2);
/*
* Compute x3 = r^2 - h^3 - 2*u1*h^2.
*/
square_f256(P1->x, t4);
sub_f256(P1->x, P1->x, t5);
sub_f256(P1->x, P1->x, t6);
sub_f256(P1->x, P1->x, t6);
/*
* Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
*/
sub_f256(t6, t6, P1->x);
mul_f256(P1->y, t4, t6);
mul_f256(t1, t5, t3);
sub_f256(P1->y, P1->y, t1);
/*
* Compute z3 = h*z1*z2.
*/
mul_f256(P1->z, P1->z, t2);
return ret;
}
/*
* Decode a P-256 point. This function does not support the point at
* infinity. Returned value is 0 if the point is invalid, 1 otherwise.
*/
static uint32_t
p256_decode(p256_jacobian *P, const void *src, size_t len)
{
const unsigned char *buf;
uint32_t tx[9], ty[9], t1[9], t2[9];
uint32_t bad;
int i;
if (len != 65) {
return 0;
}
buf = src;
/*
* First byte must be 0x04 (uncompressed format). We could support
* "hybrid format" (first byte is 0x06 or 0x07, and encodes the
* least significant bit of the Y coordinate), but it is explicitly
* forbidden by RFC 5480 (section 2.2).
*/
bad = NEQ(buf[0], 0x04);
/*
* Decode the coordinates, and check that they are both lower
* than the modulus.
*/
tx[8] = be8_to_le30(tx, buf + 1, 32);
ty[8] = be8_to_le30(ty, buf + 33, 32);
bad |= reduce_final_f256(tx);
bad |= reduce_final_f256(ty);
/*
* Check curve equation.
*/
square_f256(t1, tx);
mul_f256(t1, tx, t1);
square_f256(t2, ty);
sub_f256(t1, t1, tx);
sub_f256(t1, t1, tx);
sub_f256(t1, t1, tx);
add_f256(t1, t1, P256_B);
sub_f256(t1, t1, t2);
reduce_final_f256(t1);
for (i = 0; i < 9; i ++) {
bad |= t1[i];
}
/*
* Copy coordinates to the point structure.
*/
memcpy(P->x, tx, sizeof tx);
memcpy(P->y, ty, sizeof ty);
memset(P->z, 0, sizeof P->z);
P->z[0] = 1;
return EQ(bad, 0);
}
/*
* Encode a point into a buffer. This function assumes that the point is
* valid, in affine coordinates, and not the point at infinity.
*/
static void
p256_encode(void *dst, const p256_jacobian *P)
{
unsigned char *buf;
buf = dst;
buf[0] = 0x04;
le30_to_be8(buf + 1, 32, P->x);
le30_to_be8(buf + 33, 32, P->y);
}
/*
* Multiply a curve point by an integer. The integer is assumed to be
* lower than the curve order, and the base point must not be the point
* at infinity.
*/
static void
p256_mul(p256_jacobian *P, const unsigned char *x, size_t xlen)
{
/*
* qz is a flag that is initially 1, and remains equal to 1
* as long as the point is the point at infinity.
*
* We use a 2-bit window to handle multiplier bits by pairs.
* The precomputed window really is the points P2 and P3.
*/
uint32_t qz;
p256_jacobian P2, P3, Q, T, U;
/*
* Compute window values.
*/
P2 = *P;
p256_double(&P2);
P3 = *P;
p256_add(&P3, &P2);
/*
* We start with Q = 0. We process multiplier bits 2 by 2.
*/
memset(&Q, 0, sizeof Q);
qz = 1;
while (xlen -- > 0) {
int k;
for (k = 6; k >= 0; k -= 2) {
uint32_t bits;
uint32_t bnz;
p256_double(&Q);
p256_double(&Q);
T = *P;
U = Q;
bits = (*x >> k) & (uint32_t)3;
bnz = NEQ(bits, 0);
CCOPY(EQ(bits, 2), &T, &P2, sizeof T);
CCOPY(EQ(bits, 3), &T, &P3, sizeof T);
p256_add(&U, &T);
CCOPY(bnz & qz, &Q, &T, sizeof Q);
CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
qz &= ~bnz;
}
x ++;
}
*P = Q;
}
/*
* Precomputed window: k*G points, where G is the curve generator, and k
* is an integer from 1 to 15 (inclusive). The X and Y coordinates of
* the point are encoded as 9 words of 30 bits each (little-endian
* order).
*/
static const uint32_t Gwin[15][18] = {
{ 0x1898C296, 0x1284E517, 0x1EB33A0F, 0x00DF604B,
0x2440F277, 0x339B958E, 0x04247F8B, 0x347CB84B,
0x00006B17, 0x37BF51F5, 0x2ED901A0, 0x3315ECEC,
0x338CD5DA, 0x0F9E162B, 0x1FAD29F0, 0x27F9B8EE,
0x10B8BF86, 0x00004FE3 },
{ 0x07669978, 0x182D23F1, 0x3F21B35A, 0x225A789D,
0x351AC3C0, 0x08E00C12, 0x34F7E8A5, 0x1EC62340,
0x00007CF2, 0x227873D1, 0x3812DE74, 0x0E982299,
0x1F6B798F, 0x3430DBBA, 0x366B1A7D, 0x2D040293,
0x154436E3, 0x00000777 },
{ 0x06E7FD6C, 0x2D05986F, 0x3ADA985F, 0x31ADC87B,
0x0BF165E6, 0x1FBE5475, 0x30A44C8F, 0x3934698C,
0x00005ECB, 0x227D5032, 0x29E6C49E, 0x04FB83D9,
0x0AAC0D8E, 0x24A2ECD8, 0x2C1B3869, 0x0FF7E374,
0x19031266, 0x00008734 },
{ 0x2B030852, 0x024C0911, 0x05596EF5, 0x07F8B6DE,
0x262BD003, 0x3779967B, 0x08FBBA02, 0x128D4CB4,
0x0000E253, 0x184ED8C6, 0x310B08FC, 0x30EE0055,
0x3F25B0FC, 0x062D764E, 0x3FB97F6A, 0x33CC719D,
0x15D69318, 0x0000E0F1 },
{ 0x03D033ED, 0x05552837, 0x35BE5242, 0x2320BF47,
0x268FDFEF, 0x13215821, 0x140D2D78, 0x02DE9454,
0x00005159, 0x3DA16DA4, 0x0742ED13, 0x0D80888D,
0x004BC035, 0x0A79260D, 0x06FCDAFE, 0x2727D8AE,
0x1F6A2412, 0x0000E0C1 },
{ 0x3C2291A9, 0x1AC2ABA4, 0x3B215B4C, 0x131D037A,
0x17DDE302, 0x0C90B2E2, 0x0602C92D, 0x05CA9DA9,
0x0000B01A, 0x0FC77FE2, 0x35F1214E, 0x07E16BDF,
0x003DDC07, 0x2703791C, 0x3038B7EE, 0x3DAD56FE,
0x041D0C8D, 0x0000E85C },
{ 0x3187B2A3, 0x0018A1C0, 0x00FEF5B3, 0x3E7E2E2A,
0x01FB607E, 0x2CC199F0, 0x37B4625B, 0x0EDBE82F,
0x00008E53, 0x01F400B4, 0x15786A1B, 0x3041B21C,
0x31CD8CF2, 0x35900053, 0x1A7E0E9B, 0x318366D0,
0x076F780C, 0x000073EB },
{ 0x1B6FB393, 0x13767707, 0x3CE97DBB, 0x348E2603,
0x354CADC1, 0x09D0B4EA, 0x1B053404, 0x1DE76FBA,
0x000062D9, 0x0F09957E, 0x295029A8, 0x3E76A78D,
0x3B547DAE, 0x27CEE0A2, 0x0575DC45, 0x1D8244FF,
0x332F647A, 0x0000AD5A },
{ 0x10949EE0, 0x1E7A292E, 0x06DF8B3D, 0x02B2E30B,
0x31F8729E, 0x24E35475, 0x30B71878, 0x35EDBFB7,
0x0000EA68, 0x0DD048FA, 0x21688929, 0x0DE823FE,
0x1C53FAA9, 0x0EA0C84D, 0x052A592A, 0x1FCE7870,
0x11325CB2, 0x00002A27 },
{ 0x04C5723F, 0x30D81A50, 0x048306E4, 0x329B11C7,
0x223FB545, 0x085347A8, 0x2993E591, 0x1B5ACA8E,
0x0000CEF6, 0x04AF0773, 0x28D2EEA9, 0x2751EEEC,
0x037B4A7F, 0x3B4C1059, 0x08F37674, 0x2AE906E1,
0x18A88A6A, 0x00008786 },
{ 0x34BC21D1, 0x0CCE474D, 0x15048BF4, 0x1D0BB409,
0x021CDA16, 0x20DE76C3, 0x34C59063, 0x04EDE20E,
0x00003ED1, 0x282A3740, 0x0BE3BBF3, 0x29889DAE,
0x03413697, 0x34C68A09, 0x210EBE93, 0x0C8A224C,
0x0826B331, 0x00009099 },
{ 0x0624E3C4, 0x140317BA, 0x2F82C99D, 0x260C0A2C,
0x25D55179, 0x194DCC83, 0x3D95E462, 0x356F6A05,
0x0000741D, 0x0D4481D3, 0x2657FC8B, 0x1BA5CA71,
0x3AE44B0D, 0x07B1548E, 0x0E0D5522, 0x05FDC567,
0x2D1AA70E, 0x00000770 },
{ 0x06072C01, 0x23857675, 0x1EAD58A9, 0x0B8A12D9,
0x1EE2FC79, 0x0177CB61, 0x0495A618, 0x20DEB82B,
0x0000177C, 0x2FC7BFD8, 0x310EEF8B, 0x1FB4DF39,
0x3B8530E8, 0x0F4E7226, 0x0246B6D0, 0x2A558A24,
0x163353AF, 0x000063BB },
{ 0x24D2920B, 0x1C249DCC, 0x2069C5E5, 0x09AB2F9E,
0x36DF3CF1, 0x1991FD0C, 0x062B97A7, 0x1E80070E,
0x000054E7, 0x20D0B375, 0x2E9F20BD, 0x35090081,
0x1C7A9DDC, 0x22E7C371, 0x087E3016, 0x03175421,
0x3C6ECA7D, 0x0000F599 },
{ 0x259B9D5F, 0x0D9A318F, 0x23A0EF16, 0x00EBE4B7,
0x088265AE, 0x2CDE2666, 0x2BAE7ADF, 0x1371A5C6,
0x0000F045, 0x0D034F36, 0x1F967378, 0x1B5FA3F4,
0x0EC8739D, 0x1643E62A, 0x1653947E, 0x22D1F4E6,
0x0FB8D64B, 0x0000B5B9 }
};
/*
* Lookup one of the Gwin[] values, by index. This is constant-time.
*/
static void
lookup_Gwin(p256_jacobian *T, uint32_t idx)
{
uint32_t xy[18];
uint32_t k;
size_t u;
memset(xy, 0, sizeof xy);
for (k = 0; k < 15; k ++) {
uint32_t m;
m = -EQ(idx, k + 1);
for (u = 0; u < 18; u ++) {
xy[u] |= m & Gwin[k][u];
}
}
memcpy(T->x, &xy[0], sizeof T->x);
memcpy(T->y, &xy[9], sizeof T->y);
memset(T->z, 0, sizeof T->z);
T->z[0] = 1;
}
/*
* Multiply the generator by an integer. The integer is assumed non-zero
* and lower than the curve order.
*/
static void
p256_mulgen(p256_jacobian *P, const unsigned char *x, size_t xlen)
{
/*
* qz is a flag that is initially 1, and remains equal to 1
* as long as the point is the point at infinity.
*
* We use a 4-bit window to handle multiplier bits by groups
* of 4. The precomputed window is constant static data, with
* points in affine coordinates; we use a constant-time lookup.
*/
p256_jacobian Q;
uint32_t qz;
memset(&Q, 0, sizeof Q);
qz = 1;
while (xlen -- > 0) {
int k;
unsigned bx;
bx = *x ++;
for (k = 0; k < 2; k ++) {
uint32_t bits;
uint32_t bnz;
p256_jacobian T, U;
p256_double(&Q);
p256_double(&Q);
p256_double(&Q);
p256_double(&Q);
bits = (bx >> 4) & 0x0F;
bnz = NEQ(bits, 0);
lookup_Gwin(&T, bits);
U = Q;
p256_add_mixed(&U, &T);
CCOPY(bnz & qz, &Q, &T, sizeof Q);
CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
qz &= ~bnz;
bx <<= 4;
}
}
*P = Q;
}
static const unsigned char P256_G[] = {
0x04, 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8,
0xBC, 0xE6, 0xE5, 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D,
0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, 0x39, 0x45, 0xD8,
0x98, 0xC2, 0x96, 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F,
0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C, 0x0F, 0x9E, 0x16, 0x2B,
0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6, 0x40,
0x68, 0x37, 0xBF, 0x51, 0xF5
};
static const unsigned char P256_N[] = {
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD,
0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63,
0x25, 0x51
};
static const unsigned char *
api_generator(int curve, size_t *len)
{
(void)curve;
*len = sizeof P256_G;
return P256_G;
}
static const unsigned char *
api_order(int curve, size_t *len)
{
(void)curve;
*len = sizeof P256_N;
return P256_N;
}
static size_t
api_xoff(int curve, size_t *len)
{
(void)curve;
*len = 32;
return 1;
}
static uint32_t
api_mul(unsigned char *G, size_t Glen,
const unsigned char *x, size_t xlen, int curve)
{
uint32_t r;
p256_jacobian P;
(void)curve;
+ if (Glen != 65) {
+ return 0;
+ }
r = p256_decode(&P, G, Glen);
p256_mul(&P, x, xlen);
- if (Glen >= 65) {
- p256_to_affine(&P);
- p256_encode(G, &P);
- }
+ p256_to_affine(&P);
+ p256_encode(G, &P);
return r;
}
static size_t
api_mulgen(unsigned char *R,
const unsigned char *x, size_t xlen, int curve)
{
p256_jacobian P;
(void)curve;
p256_mulgen(&P, x, xlen);
p256_to_affine(&P);
p256_encode(R, &P);
return 65;
-
- /*
- const unsigned char *G;
- size_t Glen;
-
- G = api_generator(curve, &Glen);
- memcpy(R, G, Glen);
- api_mul(R, Glen, x, xlen, curve);
- return Glen;
- */
}
static uint32_t
api_muladd(unsigned char *A, const unsigned char *B, size_t len,
const unsigned char *x, size_t xlen,
const unsigned char *y, size_t ylen, int curve)
{
p256_jacobian P, Q;
uint32_t r, t, z;
int i;
(void)curve;
+ if (len != 65) {
+ return 0;
+ }
r = p256_decode(&P, A, len);
p256_mul(&P, x, xlen);
if (B == NULL) {
p256_mulgen(&Q, y, ylen);
} else {
r &= p256_decode(&Q, B, len);
p256_mul(&Q, y, ylen);
}
/*
* The final addition may fail in case both points are equal.
*/
t = p256_add(&P, &Q);
reduce_final_f256(P.z);
z = 0;
for (i = 0; i < 9; i ++) {
z |= P.z[i];
}
z = EQ(z, 0);
p256_double(&Q);
/*
* If z is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we
* have the following:
*
* z = 0, t = 0 return P (normal addition)
* z = 0, t = 1 return P (normal addition)
* z = 1, t = 0 return Q (a 'double' case)
* z = 1, t = 1 report an error (P+Q = 0)
*/
CCOPY(z & ~t, &P, &Q, sizeof Q);
p256_to_affine(&P);
p256_encode(A, &P);
r &= ~(z & t);
return r;
}
/* see bearssl_ec.h */
const br_ec_impl br_ec_p256_m31 = {
(uint32_t)0x00800000,
&api_generator,
&api_order,
&api_xoff,
&api_mul,
&api_mulgen,
&api_muladd
};
diff --git a/contrib/bearssl/src/ec/ec_p256_m62.c b/contrib/bearssl/src/ec/ec_p256_m62.c
index 3bcb95b5b19b..a4317905204d 100644
--- a/contrib/bearssl/src/ec/ec_p256_m62.c
+++ b/contrib/bearssl/src/ec/ec_p256_m62.c
@@ -1,1765 +1,1765 @@
/*
* Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
#if BR_INT128 || BR_UMUL128
#if BR_UMUL128
#include <intrin.h>
#endif
static const unsigned char P256_G[] = {
0x04, 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8,
0xBC, 0xE6, 0xE5, 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D,
0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, 0x39, 0x45, 0xD8,
0x98, 0xC2, 0x96, 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F,
0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C, 0x0F, 0x9E, 0x16, 0x2B,
0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6, 0x40,
0x68, 0x37, 0xBF, 0x51, 0xF5
};
static const unsigned char P256_N[] = {
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD,
0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63,
0x25, 0x51
};
static const unsigned char *
api_generator(int curve, size_t *len)
{
(void)curve;
*len = sizeof P256_G;
return P256_G;
}
static const unsigned char *
api_order(int curve, size_t *len)
{
(void)curve;
*len = sizeof P256_N;
return P256_N;
}
static size_t
api_xoff(int curve, size_t *len)
{
(void)curve;
*len = 32;
return 1;
}
/*
* A field element is encoded as five 64-bit integers, in basis 2^52.
* Limbs may occasionally exceed 2^52.
*
* A _partially reduced_ value is such that the following hold:
* - top limb is less than 2^48 + 2^30
* - the other limbs fit on 53 bits each
* In particular, such a value is less than twice the modulus p.
*/
#define BIT(n) ((uint64_t)1 << (n))
#define MASK48 (BIT(48) - BIT(0))
#define MASK52 (BIT(52) - BIT(0))
/* R = 2^260 mod p */
static const uint64_t F256_R[] = {
0x0000000000010, 0xF000000000000, 0xFFFFFFFFFFFFF,
0xFFEFFFFFFFFFF, 0x00000000FFFFF
};
/* Curve equation is y^2 = x^3 - 3*x + B. This constant is B*R mod p
(Montgomery representation of B). */
static const uint64_t P256_B_MONTY[] = {
0xDF6229C4BDDFD, 0xCA8843090D89C, 0x212ED6ACF005C,
0x83415A220ABF7, 0x0C30061DD4874
};
/*
* Addition in the field. Carry propagation is not performed.
* On input, limbs may be up to 63 bits each; on output, they will
* be up to one bit more than on input.
*/
static inline void
f256_add(uint64_t *d, const uint64_t *a, const uint64_t *b)
{
d[0] = a[0] + b[0];
d[1] = a[1] + b[1];
d[2] = a[2] + b[2];
d[3] = a[3] + b[3];
d[4] = a[4] + b[4];
}
/*
* Partially reduce the provided value.
* Input: limbs can go up to 61 bits each.
* Output: partially reduced.
*/
static inline void
f256_partial_reduce(uint64_t *a)
{
uint64_t w, cc, s;
/*
* Propagate carries.
*/
w = a[0];
a[0] = w & MASK52;
cc = w >> 52;
w = a[1] + cc;
a[1] = w & MASK52;
cc = w >> 52;
w = a[2] + cc;
a[2] = w & MASK52;
cc = w >> 52;
w = a[3] + cc;
a[3] = w & MASK52;
cc = w >> 52;
a[4] += cc;
s = a[4] >> 48; /* s < 2^14 */
a[0] += s; /* a[0] < 2^52 + 2^14 */
w = a[1] - (s << 44);
a[1] = w & MASK52; /* a[1] < 2^52 */
cc = -(w >> 52) & 0xFFF; /* cc < 16 */
w = a[2] - cc;
a[2] = w & MASK52; /* a[2] < 2^52 */
cc = w >> 63; /* cc = 0 or 1 */
w = a[3] - cc - (s << 36);
a[3] = w & MASK52; /* a[3] < 2^52 */
cc = w >> 63; /* cc = 0 or 1 */
w = a[4] & MASK48;
a[4] = w + (s << 16) - cc; /* a[4] < 2^48 + 2^30 */
}
/*
* Subtraction in the field.
* Input: limbs must fit on 60 bits each; in particular, the complete
* integer will be less than 2^268 + 2^217.
* Output: partially reduced.
*/
static inline void
f256_sub(uint64_t *d, const uint64_t *a, const uint64_t *b)
{
uint64_t t[5], w, s, cc;
/*
* We compute d = 2^13*p + a - b; this ensures a positive
* intermediate value.
*
* Each individual addition/subtraction may yield a positive or
* negative result; thus, we need to handle a signed carry, thus
* with sign extension. We prefer not to use signed types (int64_t)
* because conversion from unsigned to signed is cumbersome (a
* direct cast with the top bit set is undefined behavior; instead,
* we have to use pointer aliasing, using the guaranteed properties
* of exact-width types, but this requires the compiler to optimize
* away the writes and reads from RAM), and right-shifting a
* signed negative value is implementation-defined. Therefore,
* we use a custom sign extension.
*/
w = a[0] - b[0] - BIT(13);
t[0] = w & MASK52;
cc = w >> 52;
cc |= -(cc & BIT(11));
w = a[1] - b[1] + cc;
t[1] = w & MASK52;
cc = w >> 52;
cc |= -(cc & BIT(11));
w = a[2] - b[2] + cc;
t[2] = (w & MASK52) + BIT(5);
cc = w >> 52;
cc |= -(cc & BIT(11));
w = a[3] - b[3] + cc;
t[3] = (w & MASK52) + BIT(49);
cc = w >> 52;
cc |= -(cc & BIT(11));
t[4] = (BIT(61) - BIT(29)) + a[4] - b[4] + cc;
/*
* Perform partial reduction. Rule is:
* 2^256 = 2^224 - 2^192 - 2^96 + 1 mod p
*
* At that point:
* 0 <= t[0] <= 2^52 - 1
* 0 <= t[1] <= 2^52 - 1
* 2^5 <= t[2] <= 2^52 + 2^5 - 1
* 2^49 <= t[3] <= 2^52 + 2^49 - 1
* 2^59 < t[4] <= 2^61 + 2^60 - 2^29
*
* Thus, the value 's' (t[4] / 2^48) will be necessarily
* greater than 2048, and less than 12288.
*/
s = t[4] >> 48;
d[0] = t[0] + s; /* d[0] <= 2^52 + 12287 */
w = t[1] - (s << 44);
d[1] = w & MASK52; /* d[1] <= 2^52 - 1 */
cc = -(w >> 52) & 0xFFF; /* cc <= 48 */
w = t[2] - cc;
cc = w >> 63; /* cc = 0 or 1 */
d[2] = w + (cc << 52); /* d[2] <= 2^52 + 31 */
w = t[3] - cc - (s << 36);
cc = w >> 63; /* cc = 0 or 1 */
d[3] = w + (cc << 52); /* t[3] <= 2^52 + 2^49 - 1 */
d[4] = (t[4] & MASK48) + (s << 16) - cc; /* d[4] < 2^48 + 2^30 */
/*
* If s = 0, then none of the limbs is modified, and there cannot
* be an overflow; if s != 0, then (s << 16) > cc, and there is
* no overflow either.
*/
}
/*
* Montgomery multiplication in the field.
* Input: limbs must fit on 56 bits each.
* Output: partially reduced.
*/
static void
f256_montymul(uint64_t *d, const uint64_t *a, const uint64_t *b)
{
#if BR_INT128
int i;
uint64_t t[5];
t[0] = 0;
t[1] = 0;
t[2] = 0;
t[3] = 0;
t[4] = 0;
for (i = 0; i < 5; i ++) {
uint64_t x, f, cc, w, s;
unsigned __int128 z;
/*
* Since limbs of a[] and b[] fit on 56 bits each,
* each individual product fits on 112 bits. Also,
* the factor f fits on 52 bits, so f<<48 fits on
* 112 bits too. This guarantees that carries (cc)
* will fit on 62 bits, thus no overflow.
*
* The operations below compute:
* t <- (t + x*b + f*p) / 2^64
*/
x = a[i];
z = (unsigned __int128)b[0] * (unsigned __int128)x
+ (unsigned __int128)t[0];
f = (uint64_t)z & MASK52;
cc = (uint64_t)(z >> 52);
z = (unsigned __int128)b[1] * (unsigned __int128)x
+ (unsigned __int128)t[1] + cc
+ ((unsigned __int128)f << 44);
t[0] = (uint64_t)z & MASK52;
cc = (uint64_t)(z >> 52);
z = (unsigned __int128)b[2] * (unsigned __int128)x
+ (unsigned __int128)t[2] + cc;
t[1] = (uint64_t)z & MASK52;
cc = (uint64_t)(z >> 52);
z = (unsigned __int128)b[3] * (unsigned __int128)x
+ (unsigned __int128)t[3] + cc
+ ((unsigned __int128)f << 36);
t[2] = (uint64_t)z & MASK52;
cc = (uint64_t)(z >> 52);
z = (unsigned __int128)b[4] * (unsigned __int128)x
+ (unsigned __int128)t[4] + cc
+ ((unsigned __int128)f << 48)
- ((unsigned __int128)f << 16);
t[3] = (uint64_t)z & MASK52;
t[4] = (uint64_t)(z >> 52);
/*
* t[4] may be up to 62 bits here; we need to do a
* partial reduction. Note that limbs t[0] to t[3]
* fit on 52 bits each.
*/
s = t[4] >> 48; /* s < 2^14 */
t[0] += s; /* t[0] < 2^52 + 2^14 */
w = t[1] - (s << 44);
t[1] = w & MASK52; /* t[1] < 2^52 */
cc = -(w >> 52) & 0xFFF; /* cc < 16 */
w = t[2] - cc;
t[2] = w & MASK52; /* t[2] < 2^52 */
cc = w >> 63; /* cc = 0 or 1 */
w = t[3] - cc - (s << 36);
t[3] = w & MASK52; /* t[3] < 2^52 */
cc = w >> 63; /* cc = 0 or 1 */
w = t[4] & MASK48;
t[4] = w + (s << 16) - cc; /* t[4] < 2^48 + 2^30 */
/*
* The final t[4] cannot overflow because cc is 0 or 1,
* and cc can be 1 only if s != 0.
*/
}
d[0] = t[0];
d[1] = t[1];
d[2] = t[2];
d[3] = t[3];
d[4] = t[4];
#elif BR_UMUL128
int i;
uint64_t t[5];
t[0] = 0;
t[1] = 0;
t[2] = 0;
t[3] = 0;
t[4] = 0;
for (i = 0; i < 5; i ++) {
uint64_t x, f, cc, w, s, zh, zl;
unsigned char k;
/*
* Since limbs of a[] and b[] fit on 56 bits each,
* each individual product fits on 112 bits. Also,
* the factor f fits on 52 bits, so f<<48 fits on
* 112 bits too. This guarantees that carries (cc)
* will fit on 62 bits, thus no overflow.
*
* The operations below compute:
* t <- (t + x*b + f*p) / 2^64
*/
x = a[i];
zl = _umul128(b[0], x, &zh);
k = _addcarry_u64(0, t[0], zl, &zl);
(void)_addcarry_u64(k, 0, zh, &zh);
f = zl & MASK52;
cc = (zl >> 52) | (zh << 12);
zl = _umul128(b[1], x, &zh);
k = _addcarry_u64(0, t[1], zl, &zl);
(void)_addcarry_u64(k, 0, zh, &zh);
k = _addcarry_u64(0, cc, zl, &zl);
(void)_addcarry_u64(k, 0, zh, &zh);
k = _addcarry_u64(0, f << 44, zl, &zl);
(void)_addcarry_u64(k, f >> 20, zh, &zh);
t[0] = zl & MASK52;
cc = (zl >> 52) | (zh << 12);
zl = _umul128(b[2], x, &zh);
k = _addcarry_u64(0, t[2], zl, &zl);
(void)_addcarry_u64(k, 0, zh, &zh);
k = _addcarry_u64(0, cc, zl, &zl);
(void)_addcarry_u64(k, 0, zh, &zh);
t[1] = zl & MASK52;
cc = (zl >> 52) | (zh << 12);
zl = _umul128(b[3], x, &zh);
k = _addcarry_u64(0, t[3], zl, &zl);
(void)_addcarry_u64(k, 0, zh, &zh);
k = _addcarry_u64(0, cc, zl, &zl);
(void)_addcarry_u64(k, 0, zh, &zh);
k = _addcarry_u64(0, f << 36, zl, &zl);
(void)_addcarry_u64(k, f >> 28, zh, &zh);
t[2] = zl & MASK52;
cc = (zl >> 52) | (zh << 12);
zl = _umul128(b[4], x, &zh);
k = _addcarry_u64(0, t[4], zl, &zl);
(void)_addcarry_u64(k, 0, zh, &zh);
k = _addcarry_u64(0, cc, zl, &zl);
(void)_addcarry_u64(k, 0, zh, &zh);
k = _addcarry_u64(0, f << 48, zl, &zl);
(void)_addcarry_u64(k, f >> 16, zh, &zh);
k = _subborrow_u64(0, zl, f << 16, &zl);
(void)_subborrow_u64(k, zh, f >> 48, &zh);
t[3] = zl & MASK52;
t[4] = (zl >> 52) | (zh << 12);
/*
* t[4] may be up to 62 bits here; we need to do a
* partial reduction. Note that limbs t[0] to t[3]
* fit on 52 bits each.
*/
s = t[4] >> 48; /* s < 2^14 */
t[0] += s; /* t[0] < 2^52 + 2^14 */
w = t[1] - (s << 44);
t[1] = w & MASK52; /* t[1] < 2^52 */
cc = -(w >> 52) & 0xFFF; /* cc < 16 */
w = t[2] - cc;
t[2] = w & MASK52; /* t[2] < 2^52 */
cc = w >> 63; /* cc = 0 or 1 */
w = t[3] - cc - (s << 36);
t[3] = w & MASK52; /* t[3] < 2^52 */
cc = w >> 63; /* cc = 0 or 1 */
w = t[4] & MASK48;
t[4] = w + (s << 16) - cc; /* t[4] < 2^48 + 2^30 */
/*
* The final t[4] cannot overflow because cc is 0 or 1,
* and cc can be 1 only if s != 0.
*/
}
d[0] = t[0];
d[1] = t[1];
d[2] = t[2];
d[3] = t[3];
d[4] = t[4];
#endif
}
/*
* Montgomery squaring in the field; currently a basic wrapper around
* multiplication (inline, should be optimized away).
* TODO: see if some extra speed can be gained here.
*/
static inline void
f256_montysquare(uint64_t *d, const uint64_t *a)
{
f256_montymul(d, a, a);
}
/*
* Convert to Montgomery representation.
*/
static void
f256_tomonty(uint64_t *d, const uint64_t *a)
{
/*
* R2 = 2^520 mod p.
* If R = 2^260 mod p, then R2 = R^2 mod p; and the Montgomery
* multiplication of a by R2 is: a*R2/R = a*R mod p, i.e. the
* conversion to Montgomery representation.
*/
static const uint64_t R2[] = {
0x0000000000300, 0xFFFFFFFF00000, 0xFFFFEFFFFFFFB,
0xFDFFFFFFFFFFF, 0x0000004FFFFFF
};
f256_montymul(d, a, R2);
}
/*
* Convert from Montgomery representation.
*/
static void
f256_frommonty(uint64_t *d, const uint64_t *a)
{
/*
* Montgomery multiplication by 1 is division by 2^260 modulo p.
*/
static const uint64_t one[] = { 1, 0, 0, 0, 0 };
f256_montymul(d, a, one);
}
/*
* Inversion in the field. If the source value is 0 modulo p, then this
* returns 0 or p. This function uses Montgomery representation.
*/
static void
f256_invert(uint64_t *d, const uint64_t *a)
{
/*
* We compute a^(p-2) mod p. The exponent pattern (from high to
* low) is:
* - 32 bits of value 1
* - 31 bits of value 0
* - 1 bit of value 1
* - 96 bits of value 0
* - 94 bits of value 1
* - 1 bit of value 0
* - 1 bit of value 1
* To speed up the square-and-multiply algorithm, we precompute
* a^(2^31-1).
*/
uint64_t r[5], t[5];
int i;
memcpy(t, a, sizeof t);
for (i = 0; i < 30; i ++) {
f256_montysquare(t, t);
f256_montymul(t, t, a);
}
memcpy(r, t, sizeof t);
for (i = 224; i >= 0; i --) {
f256_montysquare(r, r);
switch (i) {
case 0:
case 2:
case 192:
case 224:
f256_montymul(r, r, a);
break;
case 3:
case 34:
case 65:
f256_montymul(r, r, t);
break;
}
}
memcpy(d, r, sizeof r);
}
/*
* Finalize reduction.
* Input value should be partially reduced.
* On output, limbs a[0] to a[3] fit on 52 bits each, limb a[4] fits
* on 48 bits, and the integer is less than p.
*/
static inline void
f256_final_reduce(uint64_t *a)
{
uint64_t r[5], t[5], w, cc;
int i;
/*
* Propagate carries to ensure that limbs 0 to 3 fit on 52 bits.
*/
cc = 0;
for (i = 0; i < 5; i ++) {
w = a[i] + cc;
r[i] = w & MASK52;
cc = w >> 52;
}
/*
* We compute t = r + (2^256 - p) = r + 2^224 - 2^192 - 2^96 + 1.
* If t < 2^256, then r < p, and we return r. Otherwise, we
* want to return r - p = t - 2^256.
*/
/*
* Add 2^224 + 1, and propagate carries to ensure that limbs
* t[0] to t[3] fit in 52 bits each.
*/
w = r[0] + 1;
t[0] = w & MASK52;
cc = w >> 52;
w = r[1] + cc;
t[1] = w & MASK52;
cc = w >> 52;
w = r[2] + cc;
t[2] = w & MASK52;
cc = w >> 52;
w = r[3] + cc;
t[3] = w & MASK52;
cc = w >> 52;
t[4] = r[4] + cc + BIT(16);
/*
* Subtract 2^192 + 2^96. Since we just added 2^224 + 1, the
* result cannot be negative.
*/
w = t[1] - BIT(44);
t[1] = w & MASK52;
cc = w >> 63;
w = t[2] - cc;
t[2] = w & MASK52;
cc = w >> 63;
- w = t[3] - BIT(36);
+ w = t[3] - BIT(36) - cc;
t[3] = w & MASK52;
cc = w >> 63;
t[4] -= cc;
/*
* If the top limb t[4] fits on 48 bits, then r[] is already
* in the proper range. Otherwise, t[] is the value to return
* (truncated to 256 bits).
*/
cc = -(t[4] >> 48);
t[4] &= MASK48;
for (i = 0; i < 5; i ++) {
a[i] = r[i] ^ (cc & (r[i] ^ t[i]));
}
}
/*
* Points in affine and Jacobian coordinates.
*
* - In affine coordinates, the point-at-infinity cannot be encoded.
* - Jacobian coordinates (X,Y,Z) correspond to affine (X/Z^2,Y/Z^3);
* if Z = 0 then this is the point-at-infinity.
*/
typedef struct {
uint64_t x[5];
uint64_t y[5];
} p256_affine;
typedef struct {
uint64_t x[5];
uint64_t y[5];
uint64_t z[5];
} p256_jacobian;
/*
* Decode a field element (unsigned big endian notation).
*/
static void
f256_decode(uint64_t *a, const unsigned char *buf)
{
uint64_t w0, w1, w2, w3;
w3 = br_dec64be(buf + 0);
w2 = br_dec64be(buf + 8);
w1 = br_dec64be(buf + 16);
w0 = br_dec64be(buf + 24);
a[0] = w0 & MASK52;
a[1] = ((w0 >> 52) | (w1 << 12)) & MASK52;
a[2] = ((w1 >> 40) | (w2 << 24)) & MASK52;
a[3] = ((w2 >> 28) | (w3 << 36)) & MASK52;
a[4] = w3 >> 16;
}
/*
* Encode a field element (unsigned big endian notation). The field
* element MUST be fully reduced.
*/
static void
f256_encode(unsigned char *buf, const uint64_t *a)
{
uint64_t w0, w1, w2, w3;
w0 = a[0] | (a[1] << 52);
w1 = (a[1] >> 12) | (a[2] << 40);
w2 = (a[2] >> 24) | (a[3] << 28);
w3 = (a[3] >> 36) | (a[4] << 16);
br_enc64be(buf + 0, w3);
br_enc64be(buf + 8, w2);
br_enc64be(buf + 16, w1);
br_enc64be(buf + 24, w0);
}
/*
* Decode a point. The returned point is in Jacobian coordinates, but
* with z = 1. If the encoding is invalid, or encodes a point which is
* not on the curve, or encodes the point at infinity, then this function
* returns 0. Otherwise, 1 is returned.
*
* The buffer is assumed to have length exactly 65 bytes.
*/
static uint32_t
point_decode(p256_jacobian *P, const unsigned char *buf)
{
uint64_t x[5], y[5], t[5], x3[5], tt;
uint32_t r;
/*
* Header byte shall be 0x04.
*/
r = EQ(buf[0], 0x04);
/*
* Decode X and Y coordinates, and convert them into
* Montgomery representation.
*/
f256_decode(x, buf + 1);
f256_decode(y, buf + 33);
f256_tomonty(x, x);
f256_tomonty(y, y);
/*
* Verify y^2 = x^3 + A*x + B. In curve P-256, A = -3.
* Note that the Montgomery representation of 0 is 0. We must
* take care to apply the final reduction to make sure we have
* 0 and not p.
*/
f256_montysquare(t, y);
f256_montysquare(x3, x);
f256_montymul(x3, x3, x);
f256_sub(t, t, x3);
f256_add(t, t, x);
f256_add(t, t, x);
f256_add(t, t, x);
f256_sub(t, t, P256_B_MONTY);
f256_final_reduce(t);
tt = t[0] | t[1] | t[2] | t[3] | t[4];
r &= EQ((uint32_t)(tt | (tt >> 32)), 0);
/*
* Return the point in Jacobian coordinates (and Montgomery
* representation).
*/
memcpy(P->x, x, sizeof x);
memcpy(P->y, y, sizeof y);
memcpy(P->z, F256_R, sizeof F256_R);
return r;
}
/*
* Final conversion for a point:
* - The point is converted back to affine coordinates.
* - Final reduction is performed.
* - The point is encoded into the provided buffer.
*
* If the point is the point-at-infinity, all operations are performed,
* but the buffer contents are indeterminate, and 0 is returned. Otherwise,
* the encoded point is written in the buffer, and 1 is returned.
*/
static uint32_t
point_encode(unsigned char *buf, const p256_jacobian *P)
{
uint64_t t1[5], t2[5], z;
/* Set t1 = 1/z^2 and t2 = 1/z^3. */
f256_invert(t2, P->z);
f256_montysquare(t1, t2);
f256_montymul(t2, t2, t1);
/* Compute affine coordinates x (in t1) and y (in t2). */
f256_montymul(t1, P->x, t1);
f256_montymul(t2, P->y, t2);
/* Convert back from Montgomery representation, and finalize
reductions. */
f256_frommonty(t1, t1);
f256_frommonty(t2, t2);
f256_final_reduce(t1);
f256_final_reduce(t2);
/* Encode. */
buf[0] = 0x04;
f256_encode(buf + 1, t1);
f256_encode(buf + 33, t2);
/* Return success if and only if P->z != 0. */
z = P->z[0] | P->z[1] | P->z[2] | P->z[3] | P->z[4];
return NEQ((uint32_t)(z | z >> 32), 0);
}
/*
* Point doubling in Jacobian coordinates: point P is doubled.
* Note: if the source point is the point-at-infinity, then the result is
* still the point-at-infinity, which is correct. Moreover, if the three
* coordinates were zero, then they still are zero in the returned value.
*/
static void
p256_double(p256_jacobian *P)
{
/*
* Doubling formulas are:
*
* s = 4*x*y^2
* m = 3*(x + z^2)*(x - z^2)
* x' = m^2 - 2*s
* y' = m*(s - x') - 8*y^4
* z' = 2*y*z
*
* These formulas work for all points, including points of order 2
* and points at infinity:
* - If y = 0 then z' = 0. But there is no such point in P-256
* anyway.
* - If z = 0 then z' = 0.
*/
uint64_t t1[5], t2[5], t3[5], t4[5];
/*
* Compute z^2 in t1.
*/
f256_montysquare(t1, P->z);
/*
* Compute x-z^2 in t2 and x+z^2 in t1.
*/
f256_add(t2, P->x, t1);
f256_sub(t1, P->x, t1);
/*
* Compute 3*(x+z^2)*(x-z^2) in t1.
*/
f256_montymul(t3, t1, t2);
f256_add(t1, t3, t3);
f256_add(t1, t3, t1);
/*
* Compute 4*x*y^2 (in t2) and 2*y^2 (in t3).
*/
f256_montysquare(t3, P->y);
f256_add(t3, t3, t3);
f256_montymul(t2, P->x, t3);
f256_add(t2, t2, t2);
/*
* Compute x' = m^2 - 2*s.
*/
f256_montysquare(P->x, t1);
f256_sub(P->x, P->x, t2);
f256_sub(P->x, P->x, t2);
/*
* Compute z' = 2*y*z.
*/
f256_montymul(t4, P->y, P->z);
f256_add(P->z, t4, t4);
f256_partial_reduce(P->z);
/*
* Compute y' = m*(s - x') - 8*y^4. Note that we already have
* 2*y^2 in t3.
*/
f256_sub(t2, t2, P->x);
f256_montymul(P->y, t1, t2);
f256_montysquare(t4, t3);
f256_add(t4, t4, t4);
f256_sub(P->y, P->y, t4);
}
/*
* Point addition (Jacobian coordinates): P1 is replaced with P1+P2.
* This function computes the wrong result in the following cases:
*
* - If P1 == 0 but P2 != 0
* - If P1 != 0 but P2 == 0
* - If P1 == P2
*
* In all three cases, P1 is set to the point at infinity.
*
* Returned value is 0 if one of the following occurs:
*
* - P1 and P2 have the same Y coordinate.
* - P1 == 0 and P2 == 0.
* - The Y coordinate of one of the points is 0 and the other point is
* the point at infinity.
*
* The third case cannot actually happen with valid points, since a point
* with Y == 0 is a point of order 2, and there is no point of order 2 on
* curve P-256.
*
* Therefore, assuming that P1 != 0 and P2 != 0 on input, then the caller
* can apply the following:
*
* - If the result is not the point at infinity, then it is correct.
* - Otherwise, if the returned value is 1, then this is a case of
* P1+P2 == 0, so the result is indeed the point at infinity.
* - Otherwise, P1 == P2, so a "double" operation should have been
* performed.
*
* Note that you can get a returned value of 0 with a correct result,
* e.g. if P1 and P2 have the same Y coordinate, but distinct X coordinates.
*/
static uint32_t
p256_add(p256_jacobian *P1, const p256_jacobian *P2)
{
/*
* Addtions formulas are:
*
* u1 = x1 * z2^2
* u2 = x2 * z1^2
* s1 = y1 * z2^3
* s2 = y2 * z1^3
* h = u2 - u1
* r = s2 - s1
* x3 = r^2 - h^3 - 2 * u1 * h^2
* y3 = r * (u1 * h^2 - x3) - s1 * h^3
* z3 = h * z1 * z2
*/
uint64_t t1[5], t2[5], t3[5], t4[5], t5[5], t6[5], t7[5], tt;
uint32_t ret;
/*
* Compute u1 = x1*z2^2 (in t1) and s1 = y1*z2^3 (in t3).
*/
f256_montysquare(t3, P2->z);
f256_montymul(t1, P1->x, t3);
f256_montymul(t4, P2->z, t3);
f256_montymul(t3, P1->y, t4);
/*
* Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
*/
f256_montysquare(t4, P1->z);
f256_montymul(t2, P2->x, t4);
f256_montymul(t5, P1->z, t4);
f256_montymul(t4, P2->y, t5);
/*
* Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
* We need to test whether r is zero, so we will do some extra
* reduce.
*/
f256_sub(t2, t2, t1);
f256_sub(t4, t4, t3);
f256_final_reduce(t4);
tt = t4[0] | t4[1] | t4[2] | t4[3] | t4[4];
ret = (uint32_t)(tt | (tt >> 32));
ret = (ret | -ret) >> 31;
/*
* Compute u1*h^2 (in t6) and h^3 (in t5);
*/
f256_montysquare(t7, t2);
f256_montymul(t6, t1, t7);
f256_montymul(t5, t7, t2);
/*
* Compute x3 = r^2 - h^3 - 2*u1*h^2.
*/
f256_montysquare(P1->x, t4);
f256_sub(P1->x, P1->x, t5);
f256_sub(P1->x, P1->x, t6);
f256_sub(P1->x, P1->x, t6);
/*
* Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
*/
f256_sub(t6, t6, P1->x);
f256_montymul(P1->y, t4, t6);
f256_montymul(t1, t5, t3);
f256_sub(P1->y, P1->y, t1);
/*
* Compute z3 = h*z1*z2.
*/
f256_montymul(t1, P1->z, P2->z);
f256_montymul(P1->z, t1, t2);
return ret;
}
/*
* Point addition (mixed coordinates): P1 is replaced with P1+P2.
* This is a specialised function for the case when P2 is a non-zero point
* in affine coordinates.
*
* This function computes the wrong result in the following cases:
*
* - If P1 == 0
* - If P1 == P2
*
* In both cases, P1 is set to the point at infinity.
*
* Returned value is 0 if one of the following occurs:
*
* - P1 and P2 have the same Y (affine) coordinate.
* - The Y coordinate of P2 is 0 and P1 is the point at infinity.
*
* The second case cannot actually happen with valid points, since a point
* with Y == 0 is a point of order 2, and there is no point of order 2 on
* curve P-256.
*
* Therefore, assuming that P1 != 0 on input, then the caller
* can apply the following:
*
* - If the result is not the point at infinity, then it is correct.
* - Otherwise, if the returned value is 1, then this is a case of
* P1+P2 == 0, so the result is indeed the point at infinity.
* - Otherwise, P1 == P2, so a "double" operation should have been
* performed.
*
* Again, a value of 0 may be returned in some cases where the addition
* result is correct.
*/
static uint32_t
p256_add_mixed(p256_jacobian *P1, const p256_affine *P2)
{
/*
* Addtions formulas are:
*
* u1 = x1
* u2 = x2 * z1^2
* s1 = y1
* s2 = y2 * z1^3
* h = u2 - u1
* r = s2 - s1
* x3 = r^2 - h^3 - 2 * u1 * h^2
* y3 = r * (u1 * h^2 - x3) - s1 * h^3
* z3 = h * z1
*/
uint64_t t1[5], t2[5], t3[5], t4[5], t5[5], t6[5], t7[5], tt;
uint32_t ret;
/*
* Compute u1 = x1 (in t1) and s1 = y1 (in t3).
*/
memcpy(t1, P1->x, sizeof t1);
memcpy(t3, P1->y, sizeof t3);
/*
* Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
*/
f256_montysquare(t4, P1->z);
f256_montymul(t2, P2->x, t4);
f256_montymul(t5, P1->z, t4);
f256_montymul(t4, P2->y, t5);
/*
* Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
* We need to test whether r is zero, so we will do some extra
* reduce.
*/
f256_sub(t2, t2, t1);
f256_sub(t4, t4, t3);
f256_final_reduce(t4);
tt = t4[0] | t4[1] | t4[2] | t4[3] | t4[4];
ret = (uint32_t)(tt | (tt >> 32));
ret = (ret | -ret) >> 31;
/*
* Compute u1*h^2 (in t6) and h^3 (in t5);
*/
f256_montysquare(t7, t2);
f256_montymul(t6, t1, t7);
f256_montymul(t5, t7, t2);
/*
* Compute x3 = r^2 - h^3 - 2*u1*h^2.
*/
f256_montysquare(P1->x, t4);
f256_sub(P1->x, P1->x, t5);
f256_sub(P1->x, P1->x, t6);
f256_sub(P1->x, P1->x, t6);
/*
* Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
*/
f256_sub(t6, t6, P1->x);
f256_montymul(P1->y, t4, t6);
f256_montymul(t1, t5, t3);
f256_sub(P1->y, P1->y, t1);
/*
* Compute z3 = h*z1*z2.
*/
f256_montymul(P1->z, P1->z, t2);
return ret;
}
#if 0
/* unused */
/*
* Point addition (mixed coordinates, complete): P1 is replaced with P1+P2.
* This is a specialised function for the case when P2 is a non-zero point
* in affine coordinates.
*
* This function returns the correct result in all cases.
*/
static uint32_t
p256_add_complete_mixed(p256_jacobian *P1, const p256_affine *P2)
{
/*
* Addtions formulas, in the general case, are:
*
* u1 = x1
* u2 = x2 * z1^2
* s1 = y1
* s2 = y2 * z1^3
* h = u2 - u1
* r = s2 - s1
* x3 = r^2 - h^3 - 2 * u1 * h^2
* y3 = r * (u1 * h^2 - x3) - s1 * h^3
* z3 = h * z1
*
* These formulas mishandle the two following cases:
*
* - If P1 is the point-at-infinity (z1 = 0), then z3 is
* incorrectly set to 0.
*
* - If P1 = P2, then u1 = u2 and s1 = s2, and x3, y3 and z3
* are all set to 0.
*
* However, if P1 + P2 = 0, then u1 = u2 but s1 != s2, and then
* we correctly get z3 = 0 (the point-at-infinity).
*
* To fix the case P1 = 0, we perform at the end a copy of P2
* over P1, conditional to z1 = 0.
*
* For P1 = P2: in that case, both h and r are set to 0, and
* we get x3, y3 and z3 equal to 0. We can test for that
* occurrence to make a mask which will be all-one if P1 = P2,
* or all-zero otherwise; then we can compute the double of P2
* and add it, combined with the mask, to (x3,y3,z3).
*
* Using the doubling formulas in p256_double() on (x2,y2),
* simplifying since P2 is affine (i.e. z2 = 1, implicitly),
* we get:
* s = 4*x2*y2^2
* m = 3*(x2 + 1)*(x2 - 1)
* x' = m^2 - 2*s
* y' = m*(s - x') - 8*y2^4
* z' = 2*y2
* which requires only 6 multiplications. Added to the 11
* multiplications of the normal mixed addition in Jacobian
* coordinates, we get a cost of 17 multiplications in total.
*/
uint64_t t1[5], t2[5], t3[5], t4[5], t5[5], t6[5], t7[5], tt, zz;
int i;
/*
* Set zz to -1 if P1 is the point at infinity, 0 otherwise.
*/
zz = P1->z[0] | P1->z[1] | P1->z[2] | P1->z[3] | P1->z[4];
zz = ((zz | -zz) >> 63) - (uint64_t)1;
/*
* Compute u1 = x1 (in t1) and s1 = y1 (in t3).
*/
memcpy(t1, P1->x, sizeof t1);
memcpy(t3, P1->y, sizeof t3);
/*
* Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
*/
f256_montysquare(t4, P1->z);
f256_montymul(t2, P2->x, t4);
f256_montymul(t5, P1->z, t4);
f256_montymul(t4, P2->y, t5);
/*
* Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
* reduce.
*/
f256_sub(t2, t2, t1);
f256_sub(t4, t4, t3);
/*
* If both h = 0 and r = 0, then P1 = P2, and we want to set
* the mask tt to -1; otherwise, the mask will be 0.
*/
f256_final_reduce(t2);
f256_final_reduce(t4);
tt = t2[0] | t2[1] | t2[2] | t2[3] | t2[4]
| t4[0] | t4[1] | t4[2] | t4[3] | t4[4];
tt = ((tt | -tt) >> 63) - (uint64_t)1;
/*
* Compute u1*h^2 (in t6) and h^3 (in t5);
*/
f256_montysquare(t7, t2);
f256_montymul(t6, t1, t7);
f256_montymul(t5, t7, t2);
/*
* Compute x3 = r^2 - h^3 - 2*u1*h^2.
*/
f256_montysquare(P1->x, t4);
f256_sub(P1->x, P1->x, t5);
f256_sub(P1->x, P1->x, t6);
f256_sub(P1->x, P1->x, t6);
/*
* Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
*/
f256_sub(t6, t6, P1->x);
f256_montymul(P1->y, t4, t6);
f256_montymul(t1, t5, t3);
f256_sub(P1->y, P1->y, t1);
/*
* Compute z3 = h*z1.
*/
f256_montymul(P1->z, P1->z, t2);
/*
* The "double" result, in case P1 = P2.
*/
/*
* Compute z' = 2*y2 (in t1).
*/
f256_add(t1, P2->y, P2->y);
f256_partial_reduce(t1);
/*
* Compute 2*(y2^2) (in t2) and s = 4*x2*(y2^2) (in t3).
*/
f256_montysquare(t2, P2->y);
f256_add(t2, t2, t2);
f256_add(t3, t2, t2);
f256_montymul(t3, P2->x, t3);
/*
* Compute m = 3*(x2^2 - 1) (in t4).
*/
f256_montysquare(t4, P2->x);
f256_sub(t4, t4, F256_R);
f256_add(t5, t4, t4);
f256_add(t4, t4, t5);
/*
* Compute x' = m^2 - 2*s (in t5).
*/
f256_montysquare(t5, t4);
f256_sub(t5, t3);
f256_sub(t5, t3);
/*
* Compute y' = m*(s - x') - 8*y2^4 (in t6).
*/
f256_sub(t6, t3, t5);
f256_montymul(t6, t6, t4);
f256_montysquare(t7, t2);
f256_sub(t6, t6, t7);
f256_sub(t6, t6, t7);
/*
* We now have the alternate (doubling) coordinates in (t5,t6,t1).
* We combine them with (x3,y3,z3).
*/
for (i = 0; i < 5; i ++) {
P1->x[i] |= tt & t5[i];
P1->y[i] |= tt & t6[i];
P1->z[i] |= tt & t1[i];
}
/*
* If P1 = 0, then we get z3 = 0 (which is invalid); if z1 is 0,
* then we want to replace the result with a copy of P2. The
* test on z1 was done at the start, in the zz mask.
*/
for (i = 0; i < 5; i ++) {
P1->x[i] ^= zz & (P1->x[i] ^ P2->x[i]);
P1->y[i] ^= zz & (P1->y[i] ^ P2->y[i]);
P1->z[i] ^= zz & (P1->z[i] ^ F256_R[i]);
}
}
#endif
/*
* Inner function for computing a point multiplication. A window is
* provided, with points 1*P to 15*P in affine coordinates.
*
* Assumptions:
* - All provided points are valid points on the curve.
* - Multiplier is non-zero, and smaller than the curve order.
* - Everything is in Montgomery representation.
*/
static void
point_mul_inner(p256_jacobian *R, const p256_affine *W,
const unsigned char *k, size_t klen)
{
p256_jacobian Q;
uint32_t qz;
memset(&Q, 0, sizeof Q);
qz = 1;
while (klen -- > 0) {
int i;
unsigned bk;
bk = *k ++;
for (i = 0; i < 2; i ++) {
uint32_t bits;
uint32_t bnz;
p256_affine T;
p256_jacobian U;
uint32_t n;
int j;
uint64_t m;
p256_double(&Q);
p256_double(&Q);
p256_double(&Q);
p256_double(&Q);
bits = (bk >> 4) & 0x0F;
bnz = NEQ(bits, 0);
/*
* Lookup point in window. If the bits are 0,
* we get something invalid, which is not a
* problem because we will use it only if the
* bits are non-zero.
*/
memset(&T, 0, sizeof T);
for (n = 0; n < 15; n ++) {
m = -(uint64_t)EQ(bits, n + 1);
T.x[0] |= m & W[n].x[0];
T.x[1] |= m & W[n].x[1];
T.x[2] |= m & W[n].x[2];
T.x[3] |= m & W[n].x[3];
T.x[4] |= m & W[n].x[4];
T.y[0] |= m & W[n].y[0];
T.y[1] |= m & W[n].y[1];
T.y[2] |= m & W[n].y[2];
T.y[3] |= m & W[n].y[3];
T.y[4] |= m & W[n].y[4];
}
U = Q;
p256_add_mixed(&U, &T);
/*
* If qz is still 1, then Q was all-zeros, and this
* is conserved through p256_double().
*/
m = -(uint64_t)(bnz & qz);
for (j = 0; j < 5; j ++) {
Q.x[j] ^= m & (Q.x[j] ^ T.x[j]);
Q.y[j] ^= m & (Q.y[j] ^ T.y[j]);
Q.z[j] ^= m & (Q.z[j] ^ F256_R[j]);
}
CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
qz &= ~bnz;
bk <<= 4;
}
}
*R = Q;
}
/*
* Convert a window from Jacobian to affine coordinates. A single
* field inversion is used. This function works for windows up to
* 32 elements.
*
* The destination array (aff[]) and the source array (jac[]) may
* overlap, provided that the start of aff[] is not after the start of
* jac[]. Even if the arrays do _not_ overlap, the source array is
* modified.
*/
static void
window_to_affine(p256_affine *aff, p256_jacobian *jac, int num)
{
/*
* Convert the window points to affine coordinates. We use the
* following trick to mutualize the inversion computation: if
* we have z1, z2, z3, and z4, and want to invert all of them,
* we compute u = 1/(z1*z2*z3*z4), and then we have:
* 1/z1 = u*z2*z3*z4
* 1/z2 = u*z1*z3*z4
* 1/z3 = u*z1*z2*z4
* 1/z4 = u*z1*z2*z3
*
* The partial products are computed recursively:
*
* - on input (z_1,z_2), return (z_2,z_1) and z_1*z_2
* - on input (z_1,z_2,... z_n):
* recurse on (z_1,z_2,... z_(n/2)) -> r1 and m1
* recurse on (z_(n/2+1),z_(n/2+2)... z_n) -> r2 and m2
* multiply elements of r1 by m2 -> s1
* multiply elements of r2 by m1 -> s2
* return r1||r2 and m1*m2
*
* In the example below, we suppose that we have 14 elements.
* Let z1, z2,... zE be the 14 values to invert (index noted in
* hexadecimal, starting at 1).
*
* - Depth 1:
* swap(z1, z2); z12 = z1*z2
* swap(z3, z4); z34 = z3*z4
* swap(z5, z6); z56 = z5*z6
* swap(z7, z8); z78 = z7*z8
* swap(z9, zA); z9A = z9*zA
* swap(zB, zC); zBC = zB*zC
* swap(zD, zE); zDE = zD*zE
*
* - Depth 2:
* z1 <- z1*z34, z2 <- z2*z34, z3 <- z3*z12, z4 <- z4*z12
* z1234 = z12*z34
* z5 <- z5*z78, z6 <- z6*z78, z7 <- z7*z56, z8 <- z8*z56
* z5678 = z56*z78
* z9 <- z9*zBC, zA <- zA*zBC, zB <- zB*z9A, zC <- zC*z9A
* z9ABC = z9A*zBC
*
* - Depth 3:
* z1 <- z1*z5678, z2 <- z2*z5678, z3 <- z3*z5678, z4 <- z4*z5678
* z5 <- z5*z1234, z6 <- z6*z1234, z7 <- z7*z1234, z8 <- z8*z1234
* z12345678 = z1234*z5678
* z9 <- z9*zDE, zA <- zA*zDE, zB <- zB*zDE, zC <- zC*zDE
* zD <- zD*z9ABC, zE*z9ABC
* z9ABCDE = z9ABC*zDE
*
* - Depth 4:
* multiply z1..z8 by z9ABCDE
* multiply z9..zE by z12345678
* final z = z12345678*z9ABCDE
*/
uint64_t z[16][5];
int i, k, s;
#define zt (z[15])
#define zu (z[14])
#define zv (z[13])
/*
* First recursion step (pairwise swapping and multiplication).
* If there is an odd number of elements, then we "invent" an
* extra one with coordinate Z = 1 (in Montgomery representation).
*/
for (i = 0; (i + 1) < num; i += 2) {
memcpy(zt, jac[i].z, sizeof zt);
memcpy(jac[i].z, jac[i + 1].z, sizeof zt);
memcpy(jac[i + 1].z, zt, sizeof zt);
f256_montymul(z[i >> 1], jac[i].z, jac[i + 1].z);
}
if ((num & 1) != 0) {
memcpy(z[num >> 1], jac[num - 1].z, sizeof zt);
memcpy(jac[num - 1].z, F256_R, sizeof F256_R);
}
/*
* Perform further recursion steps. At the entry of each step,
* the process has been done for groups of 's' points. The
* integer k is the log2 of s.
*/
for (k = 1, s = 2; s < num; k ++, s <<= 1) {
int n;
for (i = 0; i < num; i ++) {
f256_montymul(jac[i].z, jac[i].z, z[(i >> k) ^ 1]);
}
n = (num + s - 1) >> k;
for (i = 0; i < (n >> 1); i ++) {
f256_montymul(z[i], z[i << 1], z[(i << 1) + 1]);
}
if ((n & 1) != 0) {
memmove(z[n >> 1], z[n], sizeof zt);
}
}
/*
* Invert the final result, and convert all points.
*/
f256_invert(zt, z[0]);
for (i = 0; i < num; i ++) {
f256_montymul(zv, jac[i].z, zt);
f256_montysquare(zu, zv);
f256_montymul(zv, zv, zu);
f256_montymul(aff[i].x, jac[i].x, zu);
f256_montymul(aff[i].y, jac[i].y, zv);
}
}
/*
* Multiply the provided point by an integer.
* Assumptions:
* - Source point is a valid curve point.
* - Source point is not the point-at-infinity.
* - Integer is not 0, and is lower than the curve order.
* If these conditions are not met, then the result is indeterminate
* (but the process is still constant-time).
*/
static void
p256_mul(p256_jacobian *P, const unsigned char *k, size_t klen)
{
union {
p256_affine aff[15];
p256_jacobian jac[15];
} window;
int i;
/*
* Compute window, in Jacobian coordinates.
*/
window.jac[0] = *P;
for (i = 2; i < 16; i ++) {
window.jac[i - 1] = window.jac[(i >> 1) - 1];
if ((i & 1) == 0) {
p256_double(&window.jac[i - 1]);
} else {
p256_add(&window.jac[i - 1], &window.jac[i >> 1]);
}
}
/*
* Convert the window points to affine coordinates. Point
* window[0] is the source point, already in affine coordinates.
*/
window_to_affine(window.aff, window.jac, 15);
/*
* Perform point multiplication.
*/
point_mul_inner(P, window.aff, k, klen);
}
/*
* Precomputed window for the conventional generator: P256_Gwin[n]
* contains (n+1)*G (affine coordinates, in Montgomery representation).
*/
static const p256_affine P256_Gwin[] = {
{
{ 0x30D418A9143C1, 0xC4FEDB60179E7, 0x62251075BA95F,
0x5C669FB732B77, 0x08905F76B5375 },
{ 0x5357CE95560A8, 0x43A19E45CDDF2, 0x21F3258B4AB8E,
0xD8552E88688DD, 0x0571FF18A5885 }
},
{
{ 0x46D410DDD64DF, 0x0B433827D8500, 0x1490D9AA6AE3C,
0xA3A832205038D, 0x06BB32E52DCF3 },
{ 0x48D361BEE1A57, 0xB7B236FF82F36, 0x042DBE152CD7C,
0xA3AA9A8FB0E92, 0x08C577517A5B8 }
},
{
{ 0x3F904EEBC1272, 0x9E87D81FBFFAC, 0xCBBC98B027F84,
0x47E46AD77DD87, 0x06936A3FD6FF7 },
{ 0x5C1FC983A7EBD, 0xC3861FE1AB04C, 0x2EE98E583E47A,
0xC06A88208311A, 0x05F06A2AB587C }
},
{
{ 0xB50D46918DCC5, 0xD7623C17374B0, 0x100AF24650A6E,
0x76ABCDAACACE8, 0x077362F591B01 },
{ 0xF24CE4CBABA68, 0x17AD6F4472D96, 0xDDD22E1762847,
0x862EB6C36DEE5, 0x04B14C39CC5AB }
},
{
{ 0x8AAEC45C61F5C, 0x9D4B9537DBE1B, 0x76C20C90EC649,
0x3C7D41CB5AAD0, 0x0907960649052 },
{ 0x9B4AE7BA4F107, 0xF75EB882BEB30, 0x7A1F6873C568E,
0x915C540A9877E, 0x03A076BB9DD1E }
},
{
{ 0x47373E77664A1, 0xF246CEE3E4039, 0x17A3AD55AE744,
0x673C50A961A5B, 0x03074B5964213 },
{ 0x6220D377E44BA, 0x30DFF14B593D3, 0x639F11299C2B5,
0x75F5424D44CEF, 0x04C9916DEA07F }
},
{
{ 0x354EA0173B4F1, 0x3C23C00F70746, 0x23BB082BD2021,
0xE03E43EAAB50C, 0x03BA5119D3123 },
{ 0xD0303F5B9D4DE, 0x17DA67BDD2847, 0xC941956742F2F,
0x8670F933BDC77, 0x0AEDD9164E240 }
},
{
{ 0x4CD19499A78FB, 0x4BF9B345527F1, 0x2CFC6B462AB5C,
0x30CDF90F02AF0, 0x0763891F62652 },
{ 0xA3A9532D49775, 0xD7F9EBA15F59D, 0x60BBF021E3327,
0xF75C23C7B84BE, 0x06EC12F2C706D }
},
{
{ 0x6E8F264E20E8E, 0xC79A7A84175C9, 0xC8EB00ABE6BFE,
0x16A4CC09C0444, 0x005B3081D0C4E },
{ 0x777AA45F33140, 0xDCE5D45E31EB7, 0xB12F1A56AF7BE,
0xF9B2B6E019A88, 0x086659CDFD835 }
},
{
{ 0xDBD19DC21EC8C, 0x94FCF81392C18, 0x250B4998F9868,
0x28EB37D2CD648, 0x0C61C947E4B34 },
{ 0x407880DD9E767, 0x0C83FBE080C2B, 0x9BE5D2C43A899,
0xAB4EF7D2D6577, 0x08719A555B3B4 }
},
{
{ 0x260A6245E4043, 0x53E7FDFE0EA7D, 0xAC1AB59DE4079,
0x072EFF3A4158D, 0x0E7090F1949C9 },
{ 0x85612B944E886, 0xE857F61C81A76, 0xAD643D250F939,
0x88DAC0DAA891E, 0x089300244125B }
},
{
{ 0x1AA7D26977684, 0x58A345A3304B7, 0x37385EABDEDEF,
0x155E409D29DEE, 0x0EE1DF780B83E },
{ 0x12D91CBB5B437, 0x65A8956370CAC, 0xDE6D66170ED2F,
0xAC9B8228CFA8A, 0x0FF57C95C3238 }
},
{
{ 0x25634B2ED7097, 0x9156FD30DCCC4, 0x9E98110E35676,
0x7594CBCD43F55, 0x038477ACC395B },
{ 0x2B90C00EE17FF, 0xF842ED2E33575, 0x1F5BC16874838,
0x7968CD06422BD, 0x0BC0876AB9E7B }
},
{
{ 0xA35BB0CF664AF, 0x68F9707E3A242, 0x832660126E48F,
0x72D2717BF54C6, 0x0AAE7333ED12C },
{ 0x2DB7995D586B1, 0xE732237C227B5, 0x65E7DBBE29569,
0xBBBD8E4193E2A, 0x052706DC3EAA1 }
},
{
{ 0xD8B7BC60055BE, 0xD76E27E4B72BC, 0x81937003CC23E,
0xA090E337424E4, 0x02AA0E43EAD3D },
{ 0x524F6383C45D2, 0x422A41B2540B8, 0x8A4797D766355,
0xDF444EFA6DE77, 0x0042170A9079A }
},
};
/*
* Multiply the conventional generator of the curve by the provided
* integer. Return is written in *P.
*
* Assumptions:
* - Integer is not 0, and is lower than the curve order.
* If this conditions is not met, then the result is indeterminate
* (but the process is still constant-time).
*/
static void
p256_mulgen(p256_jacobian *P, const unsigned char *k, size_t klen)
{
point_mul_inner(P, P256_Gwin, k, klen);
}
/*
* Return 1 if all of the following hold:
* - klen <= 32
* - k != 0
* - k is lower than the curve order
* Otherwise, return 0.
*
* Constant-time behaviour: only klen may be observable.
*/
static uint32_t
check_scalar(const unsigned char *k, size_t klen)
{
uint32_t z;
int32_t c;
size_t u;
if (klen > 32) {
return 0;
}
z = 0;
for (u = 0; u < klen; u ++) {
z |= k[u];
}
if (klen == 32) {
c = 0;
for (u = 0; u < klen; u ++) {
c |= -(int32_t)EQ0(c) & CMP(k[u], P256_N[u]);
}
} else {
c = -1;
}
return NEQ(z, 0) & LT0(c);
}
static uint32_t
api_mul(unsigned char *G, size_t Glen,
const unsigned char *k, size_t klen, int curve)
{
uint32_t r;
p256_jacobian P;
(void)curve;
if (Glen != 65) {
return 0;
}
r = check_scalar(k, klen);
r &= point_decode(&P, G);
p256_mul(&P, k, klen);
r &= point_encode(G, &P);
return r;
}
static size_t
api_mulgen(unsigned char *R,
const unsigned char *k, size_t klen, int curve)
{
p256_jacobian P;
(void)curve;
p256_mulgen(&P, k, klen);
point_encode(R, &P);
return 65;
}
static uint32_t
api_muladd(unsigned char *A, const unsigned char *B, size_t len,
const unsigned char *x, size_t xlen,
const unsigned char *y, size_t ylen, int curve)
{
/*
* We might want to use Shamir's trick here: make a composite
* window of u*P+v*Q points, to merge the two doubling-ladders
* into one. This, however, has some complications:
*
* - During the computation, we may hit the point-at-infinity.
* Thus, we would need p256_add_complete_mixed() (complete
* formulas for point addition), with a higher cost (17 muls
* instead of 11).
*
* - A 4-bit window would be too large, since it would involve
* 16*16-1 = 255 points. For the same window size as in the
* p256_mul() case, we would need to reduce the window size
* to 2 bits, and thus perform twice as many non-doubling
* point additions.
*
* - The window may itself contain the point-at-infinity, and
* thus cannot be in all generality be made of affine points.
* Instead, we would need to make it a window of points in
* Jacobian coordinates. Even p256_add_complete_mixed() would
* be inappropriate.
*
* For these reasons, the code below performs two separate
* point multiplications, then computes the final point addition
* (which is both a "normal" addition, and a doubling, to handle
* all cases).
*/
p256_jacobian P, Q;
uint32_t r, t, s;
uint64_t z;
(void)curve;
if (len != 65) {
return 0;
}
r = point_decode(&P, A);
p256_mul(&P, x, xlen);
if (B == NULL) {
p256_mulgen(&Q, y, ylen);
} else {
r &= point_decode(&Q, B);
p256_mul(&Q, y, ylen);
}
/*
* The final addition may fail in case both points are equal.
*/
t = p256_add(&P, &Q);
f256_final_reduce(P.z);
z = P.z[0] | P.z[1] | P.z[2] | P.z[3] | P.z[4];
s = EQ((uint32_t)(z | (z >> 32)), 0);
p256_double(&Q);
/*
* If s is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we
* have the following:
*
* s = 0, t = 0 return P (normal addition)
* s = 0, t = 1 return P (normal addition)
* s = 1, t = 0 return Q (a 'double' case)
* s = 1, t = 1 report an error (P+Q = 0)
*/
CCOPY(s & ~t, &P, &Q, sizeof Q);
point_encode(A, &P);
r &= ~(s & t);
return r;
}
/* see bearssl_ec.h */
const br_ec_impl br_ec_p256_m62 = {
(uint32_t)0x00800000,
&api_generator,
&api_order,
&api_xoff,
&api_mul,
&api_mulgen,
&api_muladd
};
/* see bearssl_ec.h */
const br_ec_impl *
br_ec_p256_m62_get(void)
{
return &br_ec_p256_m62;
}
#else
/* see bearssl_ec.h */
const br_ec_impl *
br_ec_p256_m62_get(void)
{
return 0;
}
#endif
diff --git a/contrib/bearssl/src/ec/ec_p256_m64.c b/contrib/bearssl/src/ec/ec_p256_m64.c
index 5a7ea177408b..71a527c36955 100644
--- a/contrib/bearssl/src/ec/ec_p256_m64.c
+++ b/contrib/bearssl/src/ec/ec_p256_m64.c
@@ -1,1730 +1,1781 @@
/*
* Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
#if BR_INT128 || BR_UMUL128
#if BR_UMUL128
#include <intrin.h>
#endif
static const unsigned char P256_G[] = {
0x04, 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8,
0xBC, 0xE6, 0xE5, 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D,
0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, 0x39, 0x45, 0xD8,
0x98, 0xC2, 0x96, 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F,
0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C, 0x0F, 0x9E, 0x16, 0x2B,
0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6, 0x40,
0x68, 0x37, 0xBF, 0x51, 0xF5
};
static const unsigned char P256_N[] = {
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD,
0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63,
0x25, 0x51
};
static const unsigned char *
api_generator(int curve, size_t *len)
{
(void)curve;
*len = sizeof P256_G;
return P256_G;
}
static const unsigned char *
api_order(int curve, size_t *len)
{
(void)curve;
*len = sizeof P256_N;
return P256_N;
}
static size_t
api_xoff(int curve, size_t *len)
{
(void)curve;
*len = 32;
return 1;
}
/*
* A field element is encoded as four 64-bit integers, in basis 2^64.
* Values may reach up to 2^256-1. Montgomery multiplication is used.
*/
/* R = 2^256 mod p */
static const uint64_t F256_R[] = {
0x0000000000000001, 0xFFFFFFFF00000000,
0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFE
};
/* Curve equation is y^2 = x^3 - 3*x + B. This constant is B*R mod p
(Montgomery representation of B). */
static const uint64_t P256_B_MONTY[] = {
0xD89CDF6229C4BDDF, 0xACF005CD78843090,
0xE5A220ABF7212ED6, 0xDC30061D04874834
};
/*
* Addition in the field.
*/
static inline void
f256_add(uint64_t *d, const uint64_t *a, const uint64_t *b)
{
#if BR_INT128
unsigned __int128 w;
uint64_t t;
+ /*
+ * Do the addition, with an extra carry in t.
+ */
w = (unsigned __int128)a[0] + b[0];
d[0] = (uint64_t)w;
w = (unsigned __int128)a[1] + b[1] + (w >> 64);
d[1] = (uint64_t)w;
w = (unsigned __int128)a[2] + b[2] + (w >> 64);
d[2] = (uint64_t)w;
w = (unsigned __int128)a[3] + b[3] + (w >> 64);
d[3] = (uint64_t)w;
t = (uint64_t)(w >> 64);
/*
- * 2^256 = 2^224 - 2^192 - 2^96 + 1 in the field.
+ * Fold carry t, using: 2^256 = 2^224 - 2^192 - 2^96 + 1 mod p.
*/
w = (unsigned __int128)d[0] + t;
d[0] = (uint64_t)w;
w = (unsigned __int128)d[1] + (w >> 64) - (t << 32);
d[1] = (uint64_t)w;
/* Here, carry "w >> 64" can only be 0 or -1 */
w = (unsigned __int128)d[2] - ((w >> 64) & 1);
d[2] = (uint64_t)w;
- /* Again, carry is 0 or -1 */
- d[3] += (uint64_t)(w >> 64) + (t << 32) - t;
+ /* Again, carry is 0 or -1. But there can be carry only if t = 1,
+ in which case the addition of (t << 32) - t is positive. */
+ w = (unsigned __int128)d[3] - ((w >> 64) & 1) + (t << 32) - t;
+ d[3] = (uint64_t)w;
+ t = (uint64_t)(w >> 64);
+
+ /*
+ * There can be an extra carry here, which we must fold again.
+ */
+ w = (unsigned __int128)d[0] + t;
+ d[0] = (uint64_t)w;
+ w = (unsigned __int128)d[1] + (w >> 64) - (t << 32);
+ d[1] = (uint64_t)w;
+ w = (unsigned __int128)d[2] - ((w >> 64) & 1);
+ d[2] = (uint64_t)w;
+ d[3] += (t << 32) - t - (uint64_t)((w >> 64) & 1);
#elif BR_UMUL128
unsigned char cc;
uint64_t t;
cc = _addcarry_u64(0, a[0], b[0], &d[0]);
cc = _addcarry_u64(cc, a[1], b[1], &d[1]);
cc = _addcarry_u64(cc, a[2], b[2], &d[2]);
cc = _addcarry_u64(cc, a[3], b[3], &d[3]);
/*
* If there is a carry, then we want to subtract p, which we
* do by adding 2^256 - p.
*/
t = cc;
cc = _addcarry_u64(cc, d[0], 0, &d[0]);
cc = _addcarry_u64(cc, d[1], -(t << 32), &d[1]);
cc = _addcarry_u64(cc, d[2], -t, &d[2]);
+ cc = _addcarry_u64(cc, d[3], (t << 32) - (t << 1), &d[3]);
+
+ /*
+ * We have to do it again if there still is a carry.
+ */
+ t = cc;
+ cc = _addcarry_u64(cc, d[0], 0, &d[0]);
+ cc = _addcarry_u64(cc, d[1], -(t << 32), &d[1]);
+ cc = _addcarry_u64(cc, d[2], -t, &d[2]);
(void)_addcarry_u64(cc, d[3], (t << 32) - (t << 1), &d[3]);
#endif
}
/*
* Subtraction in the field.
*/
static inline void
f256_sub(uint64_t *d, const uint64_t *a, const uint64_t *b)
{
#if BR_INT128
unsigned __int128 w;
uint64_t t;
w = (unsigned __int128)a[0] - b[0];
d[0] = (uint64_t)w;
w = (unsigned __int128)a[1] - b[1] - ((w >> 64) & 1);
d[1] = (uint64_t)w;
w = (unsigned __int128)a[2] - b[2] - ((w >> 64) & 1);
d[2] = (uint64_t)w;
w = (unsigned __int128)a[3] - b[3] - ((w >> 64) & 1);
d[3] = (uint64_t)w;
t = (uint64_t)(w >> 64) & 1;
/*
+ * If there is a borrow (t = 1), then we must add the modulus
* p = 2^256 - 2^224 + 2^192 + 2^96 - 1.
*/
w = (unsigned __int128)d[0] - t;
d[0] = (uint64_t)w;
w = (unsigned __int128)d[1] + (t << 32) - ((w >> 64) & 1);
d[1] = (uint64_t)w;
/* Here, carry "w >> 64" can only be 0 or +1 */
w = (unsigned __int128)d[2] + (w >> 64);
d[2] = (uint64_t)w;
/* Again, carry is 0 or +1 */
+ w = (unsigned __int128)d[3] + (w >> 64) - (t << 32) + t;
+ d[3] = (uint64_t)w;
+ t = (uint64_t)(w >> 64) & 1;
+
+ /*
+ * There may be again a borrow, in which case we must add the
+ * modulus again.
+ */
+ w = (unsigned __int128)d[0] - t;
+ d[0] = (uint64_t)w;
+ w = (unsigned __int128)d[1] + (t << 32) - ((w >> 64) & 1);
+ d[1] = (uint64_t)w;
+ w = (unsigned __int128)d[2] + (w >> 64);
+ d[2] = (uint64_t)w;
d[3] += (uint64_t)(w >> 64) - (t << 32) + t;
#elif BR_UMUL128
unsigned char cc;
uint64_t t;
cc = _subborrow_u64(0, a[0], b[0], &d[0]);
cc = _subborrow_u64(cc, a[1], b[1], &d[1]);
cc = _subborrow_u64(cc, a[2], b[2], &d[2]);
cc = _subborrow_u64(cc, a[3], b[3], &d[3]);
/*
- * If there is a carry, then we need to add p.
+ * If there is a borrow, then we need to add p. We (virtually)
+ * add 2^256, then subtract 2^256 - p.
+ */
+ t = cc;
+ cc = _subborrow_u64(0, d[0], t, &d[0]);
+ cc = _subborrow_u64(cc, d[1], -(t << 32), &d[1]);
+ cc = _subborrow_u64(cc, d[2], -t, &d[2]);
+ cc = _subborrow_u64(cc, d[3], (t << 32) - (t << 1), &d[3]);
+
+ /*
+ * If there still is a borrow, then we need to add p again.
*/
t = cc;
- cc = _addcarry_u64(0, d[0], -t, &d[0]);
- cc = _addcarry_u64(cc, d[1], (-t) >> 32, &d[1]);
- cc = _addcarry_u64(cc, d[2], 0, &d[2]);
- (void)_addcarry_u64(cc, d[3], t - (t << 32), &d[3]);
+ cc = _subborrow_u64(0, d[0], t, &d[0]);
+ cc = _subborrow_u64(cc, d[1], -(t << 32), &d[1]);
+ cc = _subborrow_u64(cc, d[2], -t, &d[2]);
+ (void)_subborrow_u64(cc, d[3], (t << 32) - (t << 1), &d[3]);
#endif
}
/*
* Montgomery multiplication in the field.
*/
static void
f256_montymul(uint64_t *d, const uint64_t *a, const uint64_t *b)
{
#if BR_INT128
uint64_t x, f, t0, t1, t2, t3, t4;
unsigned __int128 z, ff;
int i;
/*
* When computing d <- d + a[u]*b, we also add f*p such
* that d + a[u]*b + f*p is a multiple of 2^64. Since
* p = -1 mod 2^64, we can compute f = d[0] + a[u]*b[0] mod 2^64.
*/
/*
* Step 1: t <- (a[0]*b + f*p) / 2^64
* We have f = a[0]*b[0] mod 2^64. Since p = -1 mod 2^64, this
* ensures that (a[0]*b + f*p) is a multiple of 2^64.
*
* We also have: f*p = f*2^256 - f*2^224 + f*2^192 + f*2^96 - f.
*/
x = a[0];
z = (unsigned __int128)b[0] * x;
f = (uint64_t)z;
z = (unsigned __int128)b[1] * x + (z >> 64) + (uint64_t)(f << 32);
t0 = (uint64_t)z;
z = (unsigned __int128)b[2] * x + (z >> 64) + (uint64_t)(f >> 32);
t1 = (uint64_t)z;
z = (unsigned __int128)b[3] * x + (z >> 64) + f;
t2 = (uint64_t)z;
t3 = (uint64_t)(z >> 64);
ff = ((unsigned __int128)f << 64) - ((unsigned __int128)f << 32);
z = (unsigned __int128)t2 + (uint64_t)ff;
t2 = (uint64_t)z;
z = (unsigned __int128)t3 + (z >> 64) + (ff >> 64);
t3 = (uint64_t)z;
t4 = (uint64_t)(z >> 64);
/*
* Steps 2 to 4: t <- (t + a[i]*b + f*p) / 2^64
*/
for (i = 1; i < 4; i ++) {
x = a[i];
/* t <- (t + x*b - f) / 2^64 */
z = (unsigned __int128)b[0] * x + t0;
f = (uint64_t)z;
z = (unsigned __int128)b[1] * x + t1 + (z >> 64);
t0 = (uint64_t)z;
z = (unsigned __int128)b[2] * x + t2 + (z >> 64);
t1 = (uint64_t)z;
z = (unsigned __int128)b[3] * x + t3 + (z >> 64);
t2 = (uint64_t)z;
z = t4 + (z >> 64);
t3 = (uint64_t)z;
t4 = (uint64_t)(z >> 64);
/* t <- t + f*2^32, carry in the upper half of z */
z = (unsigned __int128)t0 + (uint64_t)(f << 32);
t0 = (uint64_t)z;
z = (z >> 64) + (unsigned __int128)t1 + (uint64_t)(f >> 32);
t1 = (uint64_t)z;
/* t <- t + f*2^192 - f*2^160 + f*2^128 */
ff = ((unsigned __int128)f << 64)
- ((unsigned __int128)f << 32) + f;
z = (z >> 64) + (unsigned __int128)t2 + (uint64_t)ff;
t2 = (uint64_t)z;
z = (unsigned __int128)t3 + (z >> 64) + (ff >> 64);
t3 = (uint64_t)z;
t4 += (uint64_t)(z >> 64);
}
/*
* At that point, we have computed t = (a*b + F*p) / 2^256, where
* F is a 256-bit integer whose limbs are the "f" coefficients
* in the steps above. We have:
* a <= 2^256-1
* b <= 2^256-1
* F <= 2^256-1
* Hence:
* a*b + F*p <= (2^256-1)*(2^256-1) + p*(2^256-1)
* a*b + F*p <= 2^256*(2^256 - 2 + p) + 1 - p
* Therefore:
* t < 2^256 + p - 2
* Since p < 2^256, it follows that:
* t4 can be only 0 or 1
* t - p < 2^256
* We can therefore subtract p from t, conditionally on t4, to
* get a nonnegative result that fits on 256 bits.
*/
z = (unsigned __int128)t0 + t4;
t0 = (uint64_t)z;
z = (unsigned __int128)t1 - (t4 << 32) + (z >> 64);
t1 = (uint64_t)z;
z = (unsigned __int128)t2 - (z >> 127);
t2 = (uint64_t)z;
t3 = t3 - (uint64_t)(z >> 127) - t4 + (t4 << 32);
d[0] = t0;
d[1] = t1;
d[2] = t2;
d[3] = t3;
#elif BR_UMUL128
uint64_t x, f, t0, t1, t2, t3, t4;
uint64_t zl, zh, ffl, ffh;
unsigned char k, m;
int i;
/*
* When computing d <- d + a[u]*b, we also add f*p such
* that d + a[u]*b + f*p is a multiple of 2^64. Since
* p = -1 mod 2^64, we can compute f = d[0] + a[u]*b[0] mod 2^64.
*/
/*
* Step 1: t <- (a[0]*b + f*p) / 2^64
* We have f = a[0]*b[0] mod 2^64. Since p = -1 mod 2^64, this
* ensures that (a[0]*b + f*p) is a multiple of 2^64.
*
* We also have: f*p = f*2^256 - f*2^224 + f*2^192 + f*2^96 - f.
*/
x = a[0];
zl = _umul128(b[0], x, &zh);
f = zl;
t0 = zh;
zl = _umul128(b[1], x, &zh);
k = _addcarry_u64(0, zl, t0, &zl);
(void)_addcarry_u64(k, zh, 0, &zh);
k = _addcarry_u64(0, zl, f << 32, &zl);
(void)_addcarry_u64(k, zh, 0, &zh);
t0 = zl;
t1 = zh;
zl = _umul128(b[2], x, &zh);
k = _addcarry_u64(0, zl, t1, &zl);
(void)_addcarry_u64(k, zh, 0, &zh);
k = _addcarry_u64(0, zl, f >> 32, &zl);
(void)_addcarry_u64(k, zh, 0, &zh);
t1 = zl;
t2 = zh;
zl = _umul128(b[3], x, &zh);
k = _addcarry_u64(0, zl, t2, &zl);
(void)_addcarry_u64(k, zh, 0, &zh);
k = _addcarry_u64(0, zl, f, &zl);
(void)_addcarry_u64(k, zh, 0, &zh);
t2 = zl;
t3 = zh;
t4 = _addcarry_u64(0, t3, f, &t3);
k = _subborrow_u64(0, t2, f << 32, &t2);
k = _subborrow_u64(k, t3, f >> 32, &t3);
(void)_subborrow_u64(k, t4, 0, &t4);
/*
* Steps 2 to 4: t <- (t + a[i]*b + f*p) / 2^64
*/
for (i = 1; i < 4; i ++) {
x = a[i];
/* f = t0 + x * b[0]; -- computed below */
/* t <- (t + x*b - f) / 2^64 */
zl = _umul128(b[0], x, &zh);
k = _addcarry_u64(0, zl, t0, &f);
(void)_addcarry_u64(k, zh, 0, &t0);
zl = _umul128(b[1], x, &zh);
k = _addcarry_u64(0, zl, t0, &zl);
(void)_addcarry_u64(k, zh, 0, &zh);
k = _addcarry_u64(0, zl, t1, &t0);
(void)_addcarry_u64(k, zh, 0, &t1);
zl = _umul128(b[2], x, &zh);
k = _addcarry_u64(0, zl, t1, &zl);
(void)_addcarry_u64(k, zh, 0, &zh);
k = _addcarry_u64(0, zl, t2, &t1);
(void)_addcarry_u64(k, zh, 0, &t2);
zl = _umul128(b[3], x, &zh);
k = _addcarry_u64(0, zl, t2, &zl);
(void)_addcarry_u64(k, zh, 0, &zh);
k = _addcarry_u64(0, zl, t3, &t2);
(void)_addcarry_u64(k, zh, 0, &t3);
t4 = _addcarry_u64(0, t3, t4, &t3);
/* t <- t + f*2^32, carry in k */
k = _addcarry_u64(0, t0, f << 32, &t0);
k = _addcarry_u64(k, t1, f >> 32, &t1);
/* t <- t + f*2^192 - f*2^160 + f*2^128 */
m = _subborrow_u64(0, f, f << 32, &ffl);
(void)_subborrow_u64(m, f, f >> 32, &ffh);
k = _addcarry_u64(k, t2, ffl, &t2);
k = _addcarry_u64(k, t3, ffh, &t3);
(void)_addcarry_u64(k, t4, 0, &t4);
}
/*
* At that point, we have computed t = (a*b + F*p) / 2^256, where
* F is a 256-bit integer whose limbs are the "f" coefficients
* in the steps above. We have:
* a <= 2^256-1
* b <= 2^256-1
* F <= 2^256-1
* Hence:
* a*b + F*p <= (2^256-1)*(2^256-1) + p*(2^256-1)
* a*b + F*p <= 2^256*(2^256 - 2 + p) + 1 - p
* Therefore:
* t < 2^256 + p - 2
* Since p < 2^256, it follows that:
* t4 can be only 0 or 1
* t - p < 2^256
* We can therefore subtract p from t, conditionally on t4, to
* get a nonnegative result that fits on 256 bits.
*/
k = _addcarry_u64(0, t0, t4, &t0);
k = _addcarry_u64(k, t1, -(t4 << 32), &t1);
k = _addcarry_u64(k, t2, -t4, &t2);
(void)_addcarry_u64(k, t3, (t4 << 32) - (t4 << 1), &t3);
d[0] = t0;
d[1] = t1;
d[2] = t2;
d[3] = t3;
#endif
}
/*
* Montgomery squaring in the field; currently a basic wrapper around
* multiplication (inline, should be optimized away).
* TODO: see if some extra speed can be gained here.
*/
static inline void
f256_montysquare(uint64_t *d, const uint64_t *a)
{
f256_montymul(d, a, a);
}
/*
* Convert to Montgomery representation.
*/
static void
f256_tomonty(uint64_t *d, const uint64_t *a)
{
/*
* R2 = 2^512 mod p.
* If R = 2^256 mod p, then R2 = R^2 mod p; and the Montgomery
* multiplication of a by R2 is: a*R2/R = a*R mod p, i.e. the
* conversion to Montgomery representation.
*/
static const uint64_t R2[] = {
0x0000000000000003,
0xFFFFFFFBFFFFFFFF,
0xFFFFFFFFFFFFFFFE,
0x00000004FFFFFFFD
};
f256_montymul(d, a, R2);
}
/*
* Convert from Montgomery representation.
*/
static void
f256_frommonty(uint64_t *d, const uint64_t *a)
{
/*
* Montgomery multiplication by 1 is division by 2^256 modulo p.
*/
static const uint64_t one[] = { 1, 0, 0, 0 };
f256_montymul(d, a, one);
}
/*
* Inversion in the field. If the source value is 0 modulo p, then this
* returns 0 or p. This function uses Montgomery representation.
*/
static void
f256_invert(uint64_t *d, const uint64_t *a)
{
/*
* We compute a^(p-2) mod p. The exponent pattern (from high to
* low) is:
* - 32 bits of value 1
* - 31 bits of value 0
* - 1 bit of value 1
* - 96 bits of value 0
* - 94 bits of value 1
* - 1 bit of value 0
* - 1 bit of value 1
* To speed up the square-and-multiply algorithm, we precompute
* a^(2^31-1).
*/
uint64_t r[4], t[4];
int i;
memcpy(t, a, sizeof t);
for (i = 0; i < 30; i ++) {
f256_montysquare(t, t);
f256_montymul(t, t, a);
}
memcpy(r, t, sizeof t);
for (i = 224; i >= 0; i --) {
f256_montysquare(r, r);
switch (i) {
case 0:
case 2:
case 192:
case 224:
f256_montymul(r, r, a);
break;
case 3:
case 34:
case 65:
f256_montymul(r, r, t);
break;
}
}
memcpy(d, r, sizeof r);
}
/*
* Finalize reduction.
* Input value fits on 256 bits. This function subtracts p if and only
* if the input is greater than or equal to p.
*/
static inline void
f256_final_reduce(uint64_t *a)
{
#if BR_INT128
uint64_t t0, t1, t2, t3, cc;
unsigned __int128 z;
/*
* We add 2^224 - 2^192 - 2^96 + 1 to a. If there is no carry,
* then a < p; otherwise, the addition result we computed is
* the value we must return.
*/
z = (unsigned __int128)a[0] + 1;
t0 = (uint64_t)z;
z = (unsigned __int128)a[1] + (z >> 64) - ((uint64_t)1 << 32);
t1 = (uint64_t)z;
z = (unsigned __int128)a[2] - (z >> 127);
t2 = (uint64_t)z;
z = (unsigned __int128)a[3] - (z >> 127) + 0xFFFFFFFF;
t3 = (uint64_t)z;
cc = -(uint64_t)(z >> 64);
a[0] ^= cc & (a[0] ^ t0);
a[1] ^= cc & (a[1] ^ t1);
a[2] ^= cc & (a[2] ^ t2);
a[3] ^= cc & (a[3] ^ t3);
#elif BR_UMUL128
uint64_t t0, t1, t2, t3, m;
unsigned char k;
k = _addcarry_u64(0, a[0], (uint64_t)1, &t0);
k = _addcarry_u64(k, a[1], -((uint64_t)1 << 32), &t1);
k = _addcarry_u64(k, a[2], -(uint64_t)1, &t2);
k = _addcarry_u64(k, a[3], ((uint64_t)1 << 32) - 2, &t3);
m = -(uint64_t)k;
a[0] ^= m & (a[0] ^ t0);
a[1] ^= m & (a[1] ^ t1);
a[2] ^= m & (a[2] ^ t2);
a[3] ^= m & (a[3] ^ t3);
#endif
}
/*
* Points in affine and Jacobian coordinates.
*
* - In affine coordinates, the point-at-infinity cannot be encoded.
* - Jacobian coordinates (X,Y,Z) correspond to affine (X/Z^2,Y/Z^3);
* if Z = 0 then this is the point-at-infinity.
*/
typedef struct {
uint64_t x[4];
uint64_t y[4];
} p256_affine;
typedef struct {
uint64_t x[4];
uint64_t y[4];
uint64_t z[4];
} p256_jacobian;
/*
* Decode a point. The returned point is in Jacobian coordinates, but
* with z = 1. If the encoding is invalid, or encodes a point which is
* not on the curve, or encodes the point at infinity, then this function
* returns 0. Otherwise, 1 is returned.
*
* The buffer is assumed to have length exactly 65 bytes.
*/
static uint32_t
point_decode(p256_jacobian *P, const unsigned char *buf)
{
uint64_t x[4], y[4], t[4], x3[4], tt;
uint32_t r;
/*
* Header byte shall be 0x04.
*/
r = EQ(buf[0], 0x04);
/*
* Decode X and Y coordinates, and convert them into
* Montgomery representation.
*/
x[3] = br_dec64be(buf + 1);
x[2] = br_dec64be(buf + 9);
x[1] = br_dec64be(buf + 17);
x[0] = br_dec64be(buf + 25);
y[3] = br_dec64be(buf + 33);
y[2] = br_dec64be(buf + 41);
y[1] = br_dec64be(buf + 49);
y[0] = br_dec64be(buf + 57);
f256_tomonty(x, x);
f256_tomonty(y, y);
/*
* Verify y^2 = x^3 + A*x + B. In curve P-256, A = -3.
* Note that the Montgomery representation of 0 is 0. We must
* take care to apply the final reduction to make sure we have
* 0 and not p.
*/
f256_montysquare(t, y);
f256_montysquare(x3, x);
f256_montymul(x3, x3, x);
f256_sub(t, t, x3);
f256_add(t, t, x);
f256_add(t, t, x);
f256_add(t, t, x);
f256_sub(t, t, P256_B_MONTY);
f256_final_reduce(t);
tt = t[0] | t[1] | t[2] | t[3];
r &= EQ((uint32_t)(tt | (tt >> 32)), 0);
/*
* Return the point in Jacobian coordinates (and Montgomery
* representation).
*/
memcpy(P->x, x, sizeof x);
memcpy(P->y, y, sizeof y);
memcpy(P->z, F256_R, sizeof F256_R);
return r;
}
/*
* Final conversion for a point:
* - The point is converted back to affine coordinates.
* - Final reduction is performed.
* - The point is encoded into the provided buffer.
*
* If the point is the point-at-infinity, all operations are performed,
* but the buffer contents are indeterminate, and 0 is returned. Otherwise,
* the encoded point is written in the buffer, and 1 is returned.
*/
static uint32_t
point_encode(unsigned char *buf, const p256_jacobian *P)
{
uint64_t t1[4], t2[4], z;
/* Set t1 = 1/z^2 and t2 = 1/z^3. */
f256_invert(t2, P->z);
f256_montysquare(t1, t2);
f256_montymul(t2, t2, t1);
/* Compute affine coordinates x (in t1) and y (in t2). */
f256_montymul(t1, P->x, t1);
f256_montymul(t2, P->y, t2);
/* Convert back from Montgomery representation, and finalize
reductions. */
f256_frommonty(t1, t1);
f256_frommonty(t2, t2);
f256_final_reduce(t1);
f256_final_reduce(t2);
/* Encode. */
buf[0] = 0x04;
br_enc64be(buf + 1, t1[3]);
br_enc64be(buf + 9, t1[2]);
br_enc64be(buf + 17, t1[1]);
br_enc64be(buf + 25, t1[0]);
br_enc64be(buf + 33, t2[3]);
br_enc64be(buf + 41, t2[2]);
br_enc64be(buf + 49, t2[1]);
br_enc64be(buf + 57, t2[0]);
/* Return success if and only if P->z != 0. */
z = P->z[0] | P->z[1] | P->z[2] | P->z[3];
return NEQ((uint32_t)(z | z >> 32), 0);
}
/*
* Point doubling in Jacobian coordinates: point P is doubled.
* Note: if the source point is the point-at-infinity, then the result is
* still the point-at-infinity, which is correct. Moreover, if the three
* coordinates were zero, then they still are zero in the returned value.
*
* (Note: this is true even without the final reduction: if the three
* coordinates are encoded as four words of value zero each, then the
* result will also have all-zero coordinate encodings, not the alternate
* encoding as the integer p.)
*/
static void
p256_double(p256_jacobian *P)
{
/*
* Doubling formulas are:
*
* s = 4*x*y^2
* m = 3*(x + z^2)*(x - z^2)
* x' = m^2 - 2*s
* y' = m*(s - x') - 8*y^4
* z' = 2*y*z
*
* These formulas work for all points, including points of order 2
* and points at infinity:
* - If y = 0 then z' = 0. But there is no such point in P-256
* anyway.
* - If z = 0 then z' = 0.
*/
uint64_t t1[4], t2[4], t3[4], t4[4];
/*
* Compute z^2 in t1.
*/
f256_montysquare(t1, P->z);
/*
* Compute x-z^2 in t2 and x+z^2 in t1.
*/
f256_add(t2, P->x, t1);
f256_sub(t1, P->x, t1);
/*
* Compute 3*(x+z^2)*(x-z^2) in t1.
*/
f256_montymul(t3, t1, t2);
f256_add(t1, t3, t3);
f256_add(t1, t3, t1);
/*
* Compute 4*x*y^2 (in t2) and 2*y^2 (in t3).
*/
f256_montysquare(t3, P->y);
f256_add(t3, t3, t3);
f256_montymul(t2, P->x, t3);
f256_add(t2, t2, t2);
/*
* Compute x' = m^2 - 2*s.
*/
f256_montysquare(P->x, t1);
f256_sub(P->x, P->x, t2);
f256_sub(P->x, P->x, t2);
/*
* Compute z' = 2*y*z.
*/
f256_montymul(t4, P->y, P->z);
f256_add(P->z, t4, t4);
/*
* Compute y' = m*(s - x') - 8*y^4. Note that we already have
* 2*y^2 in t3.
*/
f256_sub(t2, t2, P->x);
f256_montymul(P->y, t1, t2);
f256_montysquare(t4, t3);
f256_add(t4, t4, t4);
f256_sub(P->y, P->y, t4);
}
/*
* Point addition (Jacobian coordinates): P1 is replaced with P1+P2.
* This function computes the wrong result in the following cases:
*
* - If P1 == 0 but P2 != 0
* - If P1 != 0 but P2 == 0
* - If P1 == P2
*
* In all three cases, P1 is set to the point at infinity.
*
* Returned value is 0 if one of the following occurs:
*
* - P1 and P2 have the same Y coordinate.
* - P1 == 0 and P2 == 0.
* - The Y coordinate of one of the points is 0 and the other point is
* the point at infinity.
*
* The third case cannot actually happen with valid points, since a point
* with Y == 0 is a point of order 2, and there is no point of order 2 on
* curve P-256.
*
* Therefore, assuming that P1 != 0 and P2 != 0 on input, then the caller
* can apply the following:
*
* - If the result is not the point at infinity, then it is correct.
* - Otherwise, if the returned value is 1, then this is a case of
* P1+P2 == 0, so the result is indeed the point at infinity.
* - Otherwise, P1 == P2, so a "double" operation should have been
* performed.
*
* Note that you can get a returned value of 0 with a correct result,
* e.g. if P1 and P2 have the same Y coordinate, but distinct X coordinates.
*/
static uint32_t
p256_add(p256_jacobian *P1, const p256_jacobian *P2)
{
/*
* Addtions formulas are:
*
* u1 = x1 * z2^2
* u2 = x2 * z1^2
* s1 = y1 * z2^3
* s2 = y2 * z1^3
* h = u2 - u1
* r = s2 - s1
* x3 = r^2 - h^3 - 2 * u1 * h^2
* y3 = r * (u1 * h^2 - x3) - s1 * h^3
* z3 = h * z1 * z2
*/
uint64_t t1[4], t2[4], t3[4], t4[4], t5[4], t6[4], t7[4], tt;
uint32_t ret;
/*
* Compute u1 = x1*z2^2 (in t1) and s1 = y1*z2^3 (in t3).
*/
f256_montysquare(t3, P2->z);
f256_montymul(t1, P1->x, t3);
f256_montymul(t4, P2->z, t3);
f256_montymul(t3, P1->y, t4);
/*
* Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
*/
f256_montysquare(t4, P1->z);
f256_montymul(t2, P2->x, t4);
f256_montymul(t5, P1->z, t4);
f256_montymul(t4, P2->y, t5);
/*
* Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
* We need to test whether r is zero, so we will do some extra
* reduce.
*/
f256_sub(t2, t2, t1);
f256_sub(t4, t4, t3);
f256_final_reduce(t4);
tt = t4[0] | t4[1] | t4[2] | t4[3];
ret = (uint32_t)(tt | (tt >> 32));
ret = (ret | -ret) >> 31;
/*
* Compute u1*h^2 (in t6) and h^3 (in t5);
*/
f256_montysquare(t7, t2);
f256_montymul(t6, t1, t7);
f256_montymul(t5, t7, t2);
/*
* Compute x3 = r^2 - h^3 - 2*u1*h^2.
*/
f256_montysquare(P1->x, t4);
f256_sub(P1->x, P1->x, t5);
f256_sub(P1->x, P1->x, t6);
f256_sub(P1->x, P1->x, t6);
/*
* Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
*/
f256_sub(t6, t6, P1->x);
f256_montymul(P1->y, t4, t6);
f256_montymul(t1, t5, t3);
f256_sub(P1->y, P1->y, t1);
/*
* Compute z3 = h*z1*z2.
*/
f256_montymul(t1, P1->z, P2->z);
f256_montymul(P1->z, t1, t2);
return ret;
}
/*
* Point addition (mixed coordinates): P1 is replaced with P1+P2.
* This is a specialised function for the case when P2 is a non-zero point
* in affine coordinates.
*
* This function computes the wrong result in the following cases:
*
* - If P1 == 0
* - If P1 == P2
*
* In both cases, P1 is set to the point at infinity.
*
* Returned value is 0 if one of the following occurs:
*
* - P1 and P2 have the same Y (affine) coordinate.
* - The Y coordinate of P2 is 0 and P1 is the point at infinity.
*
* The second case cannot actually happen with valid points, since a point
* with Y == 0 is a point of order 2, and there is no point of order 2 on
* curve P-256.
*
* Therefore, assuming that P1 != 0 on input, then the caller
* can apply the following:
*
* - If the result is not the point at infinity, then it is correct.
* - Otherwise, if the returned value is 1, then this is a case of
* P1+P2 == 0, so the result is indeed the point at infinity.
* - Otherwise, P1 == P2, so a "double" operation should have been
* performed.
*
* Again, a value of 0 may be returned in some cases where the addition
* result is correct.
*/
static uint32_t
p256_add_mixed(p256_jacobian *P1, const p256_affine *P2)
{
/*
* Addtions formulas are:
*
* u1 = x1
* u2 = x2 * z1^2
* s1 = y1
* s2 = y2 * z1^3
* h = u2 - u1
* r = s2 - s1
* x3 = r^2 - h^3 - 2 * u1 * h^2
* y3 = r * (u1 * h^2 - x3) - s1 * h^3
* z3 = h * z1
*/
uint64_t t1[4], t2[4], t3[4], t4[4], t5[4], t6[4], t7[4], tt;
uint32_t ret;
/*
* Compute u1 = x1 (in t1) and s1 = y1 (in t3).
*/
memcpy(t1, P1->x, sizeof t1);
memcpy(t3, P1->y, sizeof t3);
/*
* Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
*/
f256_montysquare(t4, P1->z);
f256_montymul(t2, P2->x, t4);
f256_montymul(t5, P1->z, t4);
f256_montymul(t4, P2->y, t5);
/*
* Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
* We need to test whether r is zero, so we will do some extra
* reduce.
*/
f256_sub(t2, t2, t1);
f256_sub(t4, t4, t3);
f256_final_reduce(t4);
tt = t4[0] | t4[1] | t4[2] | t4[3];
ret = (uint32_t)(tt | (tt >> 32));
ret = (ret | -ret) >> 31;
/*
* Compute u1*h^2 (in t6) and h^3 (in t5);
*/
f256_montysquare(t7, t2);
f256_montymul(t6, t1, t7);
f256_montymul(t5, t7, t2);
/*
* Compute x3 = r^2 - h^3 - 2*u1*h^2.
*/
f256_montysquare(P1->x, t4);
f256_sub(P1->x, P1->x, t5);
f256_sub(P1->x, P1->x, t6);
f256_sub(P1->x, P1->x, t6);
/*
* Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
*/
f256_sub(t6, t6, P1->x);
f256_montymul(P1->y, t4, t6);
f256_montymul(t1, t5, t3);
f256_sub(P1->y, P1->y, t1);
/*
* Compute z3 = h*z1*z2.
*/
f256_montymul(P1->z, P1->z, t2);
return ret;
}
#if 0
/* unused */
/*
* Point addition (mixed coordinates, complete): P1 is replaced with P1+P2.
* This is a specialised function for the case when P2 is a non-zero point
* in affine coordinates.
*
* This function returns the correct result in all cases.
*/
static uint32_t
p256_add_complete_mixed(p256_jacobian *P1, const p256_affine *P2)
{
/*
* Addtions formulas, in the general case, are:
*
* u1 = x1
* u2 = x2 * z1^2
* s1 = y1
* s2 = y2 * z1^3
* h = u2 - u1
* r = s2 - s1
* x3 = r^2 - h^3 - 2 * u1 * h^2
* y3 = r * (u1 * h^2 - x3) - s1 * h^3
* z3 = h * z1
*
* These formulas mishandle the two following cases:
*
* - If P1 is the point-at-infinity (z1 = 0), then z3 is
* incorrectly set to 0.
*
* - If P1 = P2, then u1 = u2 and s1 = s2, and x3, y3 and z3
* are all set to 0.
*
* However, if P1 + P2 = 0, then u1 = u2 but s1 != s2, and then
* we correctly get z3 = 0 (the point-at-infinity).
*
* To fix the case P1 = 0, we perform at the end a copy of P2
* over P1, conditional to z1 = 0.
*
* For P1 = P2: in that case, both h and r are set to 0, and
* we get x3, y3 and z3 equal to 0. We can test for that
* occurrence to make a mask which will be all-one if P1 = P2,
* or all-zero otherwise; then we can compute the double of P2
* and add it, combined with the mask, to (x3,y3,z3).
*
* Using the doubling formulas in p256_double() on (x2,y2),
* simplifying since P2 is affine (i.e. z2 = 1, implicitly),
* we get:
* s = 4*x2*y2^2
* m = 3*(x2 + 1)*(x2 - 1)
* x' = m^2 - 2*s
* y' = m*(s - x') - 8*y2^4
* z' = 2*y2
* which requires only 6 multiplications. Added to the 11
* multiplications of the normal mixed addition in Jacobian
* coordinates, we get a cost of 17 multiplications in total.
*/
uint64_t t1[4], t2[4], t3[4], t4[4], t5[4], t6[4], t7[4], tt, zz;
int i;
/*
* Set zz to -1 if P1 is the point at infinity, 0 otherwise.
*/
zz = P1->z[0] | P1->z[1] | P1->z[2] | P1->z[3];
zz = ((zz | -zz) >> 63) - (uint64_t)1;
/*
* Compute u1 = x1 (in t1) and s1 = y1 (in t3).
*/
memcpy(t1, P1->x, sizeof t1);
memcpy(t3, P1->y, sizeof t3);
/*
* Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
*/
f256_montysquare(t4, P1->z);
f256_montymul(t2, P2->x, t4);
f256_montymul(t5, P1->z, t4);
f256_montymul(t4, P2->y, t5);
/*
* Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
* reduce.
*/
f256_sub(t2, t2, t1);
f256_sub(t4, t4, t3);
/*
* If both h = 0 and r = 0, then P1 = P2, and we want to set
* the mask tt to -1; otherwise, the mask will be 0.
*/
f256_final_reduce(t2);
f256_final_reduce(t4);
tt = t2[0] | t2[1] | t2[2] | t2[3] | t4[0] | t4[1] | t4[2] | t4[3];
tt = ((tt | -tt) >> 63) - (uint64_t)1;
/*
* Compute u1*h^2 (in t6) and h^3 (in t5);
*/
f256_montysquare(t7, t2);
f256_montymul(t6, t1, t7);
f256_montymul(t5, t7, t2);
/*
* Compute x3 = r^2 - h^3 - 2*u1*h^2.
*/
f256_montysquare(P1->x, t4);
f256_sub(P1->x, P1->x, t5);
f256_sub(P1->x, P1->x, t6);
f256_sub(P1->x, P1->x, t6);
/*
* Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
*/
f256_sub(t6, t6, P1->x);
f256_montymul(P1->y, t4, t6);
f256_montymul(t1, t5, t3);
f256_sub(P1->y, P1->y, t1);
/*
* Compute z3 = h*z1.
*/
f256_montymul(P1->z, P1->z, t2);
/*
* The "double" result, in case P1 = P2.
*/
/*
* Compute z' = 2*y2 (in t1).
*/
f256_add(t1, P2->y, P2->y);
/*
* Compute 2*(y2^2) (in t2) and s = 4*x2*(y2^2) (in t3).
*/
f256_montysquare(t2, P2->y);
f256_add(t2, t2, t2);
f256_add(t3, t2, t2);
f256_montymul(t3, P2->x, t3);
/*
* Compute m = 3*(x2^2 - 1) (in t4).
*/
f256_montysquare(t4, P2->x);
f256_sub(t4, t4, F256_R);
f256_add(t5, t4, t4);
f256_add(t4, t4, t5);
/*
* Compute x' = m^2 - 2*s (in t5).
*/
f256_montysquare(t5, t4);
f256_sub(t5, t3);
f256_sub(t5, t3);
/*
* Compute y' = m*(s - x') - 8*y2^4 (in t6).
*/
f256_sub(t6, t3, t5);
f256_montymul(t6, t6, t4);
f256_montysquare(t7, t2);
f256_sub(t6, t6, t7);
f256_sub(t6, t6, t7);
/*
* We now have the alternate (doubling) coordinates in (t5,t6,t1).
* We combine them with (x3,y3,z3).
*/
for (i = 0; i < 4; i ++) {
P1->x[i] |= tt & t5[i];
P1->y[i] |= tt & t6[i];
P1->z[i] |= tt & t1[i];
}
/*
* If P1 = 0, then we get z3 = 0 (which is invalid); if z1 is 0,
* then we want to replace the result with a copy of P2. The
* test on z1 was done at the start, in the zz mask.
*/
for (i = 0; i < 4; i ++) {
P1->x[i] ^= zz & (P1->x[i] ^ P2->x[i]);
P1->y[i] ^= zz & (P1->y[i] ^ P2->y[i]);
P1->z[i] ^= zz & (P1->z[i] ^ F256_R[i]);
}
}
#endif
/*
* Inner function for computing a point multiplication. A window is
* provided, with points 1*P to 15*P in affine coordinates.
*
* Assumptions:
* - All provided points are valid points on the curve.
* - Multiplier is non-zero, and smaller than the curve order.
* - Everything is in Montgomery representation.
*/
static void
point_mul_inner(p256_jacobian *R, const p256_affine *W,
const unsigned char *k, size_t klen)
{
p256_jacobian Q;
uint32_t qz;
memset(&Q, 0, sizeof Q);
qz = 1;
while (klen -- > 0) {
int i;
unsigned bk;
bk = *k ++;
for (i = 0; i < 2; i ++) {
uint32_t bits;
uint32_t bnz;
p256_affine T;
p256_jacobian U;
uint32_t n;
int j;
uint64_t m;
p256_double(&Q);
p256_double(&Q);
p256_double(&Q);
p256_double(&Q);
bits = (bk >> 4) & 0x0F;
bnz = NEQ(bits, 0);
/*
* Lookup point in window. If the bits are 0,
* we get something invalid, which is not a
* problem because we will use it only if the
* bits are non-zero.
*/
memset(&T, 0, sizeof T);
for (n = 0; n < 15; n ++) {
m = -(uint64_t)EQ(bits, n + 1);
T.x[0] |= m & W[n].x[0];
T.x[1] |= m & W[n].x[1];
T.x[2] |= m & W[n].x[2];
T.x[3] |= m & W[n].x[3];
T.y[0] |= m & W[n].y[0];
T.y[1] |= m & W[n].y[1];
T.y[2] |= m & W[n].y[2];
T.y[3] |= m & W[n].y[3];
}
U = Q;
p256_add_mixed(&U, &T);
/*
* If qz is still 1, then Q was all-zeros, and this
* is conserved through p256_double().
*/
m = -(uint64_t)(bnz & qz);
for (j = 0; j < 4; j ++) {
Q.x[j] |= m & T.x[j];
Q.y[j] |= m & T.y[j];
Q.z[j] |= m & F256_R[j];
}
CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
qz &= ~bnz;
bk <<= 4;
}
}
*R = Q;
}
/*
* Convert a window from Jacobian to affine coordinates. A single
* field inversion is used. This function works for windows up to
* 32 elements.
*
* The destination array (aff[]) and the source array (jac[]) may
* overlap, provided that the start of aff[] is not after the start of
* jac[]. Even if the arrays do _not_ overlap, the source array is
* modified.
*/
static void
window_to_affine(p256_affine *aff, p256_jacobian *jac, int num)
{
/*
* Convert the window points to affine coordinates. We use the
* following trick to mutualize the inversion computation: if
* we have z1, z2, z3, and z4, and want to inverse all of them,
* we compute u = 1/(z1*z2*z3*z4), and then we have:
* 1/z1 = u*z2*z3*z4
* 1/z2 = u*z1*z3*z4
* 1/z3 = u*z1*z2*z4
* 1/z4 = u*z1*z2*z3
*
* The partial products are computed recursively:
*
* - on input (z_1,z_2), return (z_2,z_1) and z_1*z_2
* - on input (z_1,z_2,... z_n):
* recurse on (z_1,z_2,... z_(n/2)) -> r1 and m1
* recurse on (z_(n/2+1),z_(n/2+2)... z_n) -> r2 and m2
* multiply elements of r1 by m2 -> s1
* multiply elements of r2 by m1 -> s2
* return r1||r2 and m1*m2
*
* In the example below, we suppose that we have 14 elements.
* Let z1, z2,... zE be the 14 values to invert (index noted in
* hexadecimal, starting at 1).
*
* - Depth 1:
* swap(z1, z2); z12 = z1*z2
* swap(z3, z4); z34 = z3*z4
* swap(z5, z6); z56 = z5*z6
* swap(z7, z8); z78 = z7*z8
* swap(z9, zA); z9A = z9*zA
* swap(zB, zC); zBC = zB*zC
* swap(zD, zE); zDE = zD*zE
*
* - Depth 2:
* z1 <- z1*z34, z2 <- z2*z34, z3 <- z3*z12, z4 <- z4*z12
* z1234 = z12*z34
* z5 <- z5*z78, z6 <- z6*z78, z7 <- z7*z56, z8 <- z8*z56
* z5678 = z56*z78
* z9 <- z9*zBC, zA <- zA*zBC, zB <- zB*z9A, zC <- zC*z9A
* z9ABC = z9A*zBC
*
* - Depth 3:
* z1 <- z1*z5678, z2 <- z2*z5678, z3 <- z3*z5678, z4 <- z4*z5678
* z5 <- z5*z1234, z6 <- z6*z1234, z7 <- z7*z1234, z8 <- z8*z1234
* z12345678 = z1234*z5678
* z9 <- z9*zDE, zA <- zA*zDE, zB <- zB*zDE, zC <- zC*zDE
* zD <- zD*z9ABC, zE*z9ABC
* z9ABCDE = z9ABC*zDE
*
* - Depth 4:
* multiply z1..z8 by z9ABCDE
* multiply z9..zE by z12345678
* final z = z12345678*z9ABCDE
*/
uint64_t z[16][4];
int i, k, s;
#define zt (z[15])
#define zu (z[14])
#define zv (z[13])
/*
* First recursion step (pairwise swapping and multiplication).
* If there is an odd number of elements, then we "invent" an
* extra one with coordinate Z = 1 (in Montgomery representation).
*/
for (i = 0; (i + 1) < num; i += 2) {
memcpy(zt, jac[i].z, sizeof zt);
memcpy(jac[i].z, jac[i + 1].z, sizeof zt);
memcpy(jac[i + 1].z, zt, sizeof zt);
f256_montymul(z[i >> 1], jac[i].z, jac[i + 1].z);
}
if ((num & 1) != 0) {
memcpy(z[num >> 1], jac[num - 1].z, sizeof zt);
memcpy(jac[num - 1].z, F256_R, sizeof F256_R);
}
/*
* Perform further recursion steps. At the entry of each step,
* the process has been done for groups of 's' points. The
* integer k is the log2 of s.
*/
for (k = 1, s = 2; s < num; k ++, s <<= 1) {
int n;
for (i = 0; i < num; i ++) {
f256_montymul(jac[i].z, jac[i].z, z[(i >> k) ^ 1]);
}
n = (num + s - 1) >> k;
for (i = 0; i < (n >> 1); i ++) {
f256_montymul(z[i], z[i << 1], z[(i << 1) + 1]);
}
if ((n & 1) != 0) {
memmove(z[n >> 1], z[n], sizeof zt);
}
}
/*
* Invert the final result, and convert all points.
*/
f256_invert(zt, z[0]);
for (i = 0; i < num; i ++) {
f256_montymul(zv, jac[i].z, zt);
f256_montysquare(zu, zv);
f256_montymul(zv, zv, zu);
f256_montymul(aff[i].x, jac[i].x, zu);
f256_montymul(aff[i].y, jac[i].y, zv);
}
}
/*
* Multiply the provided point by an integer.
* Assumptions:
* - Source point is a valid curve point.
* - Source point is not the point-at-infinity.
* - Integer is not 0, and is lower than the curve order.
* If these conditions are not met, then the result is indeterminate
* (but the process is still constant-time).
*/
static void
p256_mul(p256_jacobian *P, const unsigned char *k, size_t klen)
{
union {
p256_affine aff[15];
p256_jacobian jac[15];
} window;
int i;
/*
* Compute window, in Jacobian coordinates.
*/
window.jac[0] = *P;
for (i = 2; i < 16; i ++) {
window.jac[i - 1] = window.jac[(i >> 1) - 1];
if ((i & 1) == 0) {
p256_double(&window.jac[i - 1]);
} else {
p256_add(&window.jac[i - 1], &window.jac[i >> 1]);
}
}
/*
* Convert the window points to affine coordinates. Point
* window[0] is the source point, already in affine coordinates.
*/
window_to_affine(window.aff, window.jac, 15);
/*
* Perform point multiplication.
*/
point_mul_inner(P, window.aff, k, klen);
}
/*
* Precomputed window for the conventional generator: P256_Gwin[n]
* contains (n+1)*G (affine coordinates, in Montgomery representation).
*/
static const p256_affine P256_Gwin[] = {
{
{ 0x79E730D418A9143C, 0x75BA95FC5FEDB601,
0x79FB732B77622510, 0x18905F76A53755C6 },
{ 0xDDF25357CE95560A, 0x8B4AB8E4BA19E45C,
0xD2E88688DD21F325, 0x8571FF1825885D85 }
},
{
{ 0x850046D410DDD64D, 0xAA6AE3C1A433827D,
0x732205038D1490D9, 0xF6BB32E43DCF3A3B },
{ 0x2F3648D361BEE1A5, 0x152CD7CBEB236FF8,
0x19A8FB0E92042DBE, 0x78C577510A5B8A3B }
},
{
{ 0xFFAC3F904EEBC127, 0xB027F84A087D81FB,
0x66AD77DD87CBBC98, 0x26936A3FB6FF747E },
{ 0xB04C5C1FC983A7EB, 0x583E47AD0861FE1A,
0x788208311A2EE98E, 0xD5F06A29E587CC07 }
},
{
{ 0x74B0B50D46918DCC, 0x4650A6EDC623C173,
0x0CDAACACE8100AF2, 0x577362F541B0176B },
{ 0x2D96F24CE4CBABA6, 0x17628471FAD6F447,
0x6B6C36DEE5DDD22E, 0x84B14C394C5AB863 }
},
{
{ 0xBE1B8AAEC45C61F5, 0x90EC649A94B9537D,
0x941CB5AAD076C20C, 0xC9079605890523C8 },
{ 0xEB309B4AE7BA4F10, 0x73C568EFE5EB882B,
0x3540A9877E7A1F68, 0x73A076BB2DD1E916 }
},
{
{ 0x403947373E77664A, 0x55AE744F346CEE3E,
0xD50A961A5B17A3AD, 0x13074B5954213673 },
{ 0x93D36220D377E44B, 0x299C2B53ADFF14B5,
0xF424D44CEF639F11, 0xA4C9916D4A07F75F }
},
{
{ 0x0746354EA0173B4F, 0x2BD20213D23C00F7,
0xF43EAAB50C23BB08, 0x13BA5119C3123E03 },
{ 0x2847D0303F5B9D4D, 0x6742F2F25DA67BDD,
0xEF933BDC77C94195, 0xEAEDD9156E240867 }
},
{
{ 0x27F14CD19499A78F, 0x462AB5C56F9B3455,
0x8F90F02AF02CFC6B, 0xB763891EB265230D },
{ 0xF59DA3A9532D4977, 0x21E3327DCF9EBA15,
0x123C7B84BE60BBF0, 0x56EC12F27706DF76 }
},
{
{ 0x75C96E8F264E20E8, 0xABE6BFED59A7A841,
0x2CC09C0444C8EB00, 0xE05B3080F0C4E16B },
{ 0x1EB7777AA45F3314, 0x56AF7BEDCE5D45E3,
0x2B6E019A88B12F1A, 0x086659CDFD835F9B }
},
{
{ 0x2C18DBD19DC21EC8, 0x98F9868A0FCF8139,
0x737D2CD648250B49, 0xCC61C94724B3428F },
{ 0x0C2B407880DD9E76, 0xC43A8991383FBE08,
0x5F7D2D65779BE5D2, 0x78719A54EB3B4AB5 }
},
{
{ 0xEA7D260A6245E404, 0x9DE407956E7FDFE0,
0x1FF3A4158DAC1AB5, 0x3E7090F1649C9073 },
{ 0x1A7685612B944E88, 0x250F939EE57F61C8,
0x0C0DAA891EAD643D, 0x68930023E125B88E }
},
{
{ 0x04B71AA7D2697768, 0xABDEDEF5CA345A33,
0x2409D29DEE37385E, 0x4EE1DF77CB83E156 },
{ 0x0CAC12D91CBB5B43, 0x170ED2F6CA895637,
0x28228CFA8ADE6D66, 0x7FF57C9553238ACA }
},
{
{ 0xCCC425634B2ED709, 0x0E356769856FD30D,
0xBCBCD43F559E9811, 0x738477AC5395B759 },
{ 0x35752B90C00EE17F, 0x68748390742ED2E3,
0x7CD06422BD1F5BC1, 0xFBC08769C9E7B797 }
},
{
{ 0xA242A35BB0CF664A, 0x126E48F77F9707E3,
0x1717BF54C6832660, 0xFAAE7332FD12C72E },
{ 0x27B52DB7995D586B, 0xBE29569E832237C2,
0xE8E4193E2A65E7DB, 0x152706DC2EAA1BBB }
},
{
{ 0x72BCD8B7BC60055B, 0x03CC23EE56E27E4B,
0xEE337424E4819370, 0xE2AA0E430AD3DA09 },
{ 0x40B8524F6383C45D, 0xD766355442A41B25,
0x64EFA6DE778A4797, 0x2042170A7079ADF4 }
}
};
/*
* Multiply the conventional generator of the curve by the provided
* integer. Return is written in *P.
*
* Assumptions:
* - Integer is not 0, and is lower than the curve order.
* If this conditions is not met, then the result is indeterminate
* (but the process is still constant-time).
*/
static void
p256_mulgen(p256_jacobian *P, const unsigned char *k, size_t klen)
{
point_mul_inner(P, P256_Gwin, k, klen);
}
/*
* Return 1 if all of the following hold:
* - klen <= 32
* - k != 0
* - k is lower than the curve order
* Otherwise, return 0.
*
* Constant-time behaviour: only klen may be observable.
*/
static uint32_t
check_scalar(const unsigned char *k, size_t klen)
{
uint32_t z;
int32_t c;
size_t u;
if (klen > 32) {
return 0;
}
z = 0;
for (u = 0; u < klen; u ++) {
z |= k[u];
}
if (klen == 32) {
c = 0;
for (u = 0; u < klen; u ++) {
c |= -(int32_t)EQ0(c) & CMP(k[u], P256_N[u]);
}
} else {
c = -1;
}
return NEQ(z, 0) & LT0(c);
}
static uint32_t
api_mul(unsigned char *G, size_t Glen,
const unsigned char *k, size_t klen, int curve)
{
uint32_t r;
p256_jacobian P;
(void)curve;
if (Glen != 65) {
return 0;
}
r = check_scalar(k, klen);
r &= point_decode(&P, G);
p256_mul(&P, k, klen);
r &= point_encode(G, &P);
return r;
}
static size_t
api_mulgen(unsigned char *R,
const unsigned char *k, size_t klen, int curve)
{
p256_jacobian P;
(void)curve;
p256_mulgen(&P, k, klen);
point_encode(R, &P);
return 65;
}
static uint32_t
api_muladd(unsigned char *A, const unsigned char *B, size_t len,
const unsigned char *x, size_t xlen,
const unsigned char *y, size_t ylen, int curve)
{
/*
* We might want to use Shamir's trick here: make a composite
* window of u*P+v*Q points, to merge the two doubling-ladders
* into one. This, however, has some complications:
*
* - During the computation, we may hit the point-at-infinity.
* Thus, we would need p256_add_complete_mixed() (complete
* formulas for point addition), with a higher cost (17 muls
* instead of 11).
*
* - A 4-bit window would be too large, since it would involve
* 16*16-1 = 255 points. For the same window size as in the
* p256_mul() case, we would need to reduce the window size
* to 2 bits, and thus perform twice as many non-doubling
* point additions.
*
* - The window may itself contain the point-at-infinity, and
* thus cannot be in all generality be made of affine points.
* Instead, we would need to make it a window of points in
* Jacobian coordinates. Even p256_add_complete_mixed() would
* be inappropriate.
*
* For these reasons, the code below performs two separate
* point multiplications, then computes the final point addition
* (which is both a "normal" addition, and a doubling, to handle
* all cases).
*/
p256_jacobian P, Q;
uint32_t r, t, s;
uint64_t z;
(void)curve;
if (len != 65) {
return 0;
}
r = point_decode(&P, A);
p256_mul(&P, x, xlen);
if (B == NULL) {
p256_mulgen(&Q, y, ylen);
} else {
r &= point_decode(&Q, B);
p256_mul(&Q, y, ylen);
}
/*
* The final addition may fail in case both points are equal.
*/
t = p256_add(&P, &Q);
f256_final_reduce(P.z);
z = P.z[0] | P.z[1] | P.z[2] | P.z[3];
s = EQ((uint32_t)(z | (z >> 32)), 0);
p256_double(&Q);
/*
* If s is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we
* have the following:
*
* s = 0, t = 0 return P (normal addition)
* s = 0, t = 1 return P (normal addition)
* s = 1, t = 0 return Q (a 'double' case)
* s = 1, t = 1 report an error (P+Q = 0)
*/
CCOPY(s & ~t, &P, &Q, sizeof Q);
point_encode(A, &P);
r &= ~(s & t);
return r;
}
/* see bearssl_ec.h */
const br_ec_impl br_ec_p256_m64 = {
(uint32_t)0x00800000,
&api_generator,
&api_order,
&api_xoff,
&api_mul,
&api_mulgen,
&api_muladd
};
/* see bearssl_ec.h */
const br_ec_impl *
br_ec_p256_m64_get(void)
{
return &br_ec_p256_m64;
}
#else
/* see bearssl_ec.h */
const br_ec_impl *
br_ec_p256_m64_get(void)
{
return 0;
}
#endif
diff --git a/contrib/bearssl/src/ec/ec_prime_i15.c b/contrib/bearssl/src/ec/ec_prime_i15.c
index 0f210f240475..f86dbe6ff0db 100644
--- a/contrib/bearssl/src/ec/ec_prime_i15.c
+++ b/contrib/bearssl/src/ec/ec_prime_i15.c
@@ -1,820 +1,824 @@
/*
* Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
/*
* Parameters for supported curves:
* - field modulus p
* - R^2 mod p (R = 2^(15k) for the smallest k such that R >= p)
* - b*R mod p (b is the second curve equation parameter)
*/
static const uint16_t P256_P[] = {
0x0111,
0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x003F, 0x0000,
0x0000, 0x0000, 0x0000, 0x0000, 0x1000, 0x0000, 0x4000, 0x7FFF,
0x7FFF, 0x0001
};
static const uint16_t P256_R2[] = {
0x0111,
0x0000, 0x6000, 0x0000, 0x0000, 0x0000, 0x0000, 0x7FFC, 0x7FFF,
0x7FBF, 0x7FFF, 0x7FBF, 0x7FFF, 0x7FFF, 0x7FFF, 0x77FF, 0x7FFF,
0x4FFF, 0x0000
};
static const uint16_t P256_B[] = {
0x0111,
0x770C, 0x5EEF, 0x29C4, 0x3EC4, 0x6273, 0x0486, 0x4543, 0x3993,
0x3C01, 0x6B56, 0x212E, 0x57EE, 0x4882, 0x204B, 0x7483, 0x3C16,
0x0187, 0x0000
};
static const uint16_t P384_P[] = {
0x0199,
0x7FFF, 0x7FFF, 0x0003, 0x0000, 0x0000, 0x0000, 0x7FC0, 0x7FFF,
0x7EFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF,
0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF,
0x7FFF, 0x01FF
};
static const uint16_t P384_R2[] = {
0x0199,
0x1000, 0x0000, 0x0000, 0x7FFF, 0x7FFF, 0x0001, 0x0000, 0x0010,
0x0000, 0x0000, 0x0000, 0x7F00, 0x7FFF, 0x01FF, 0x0000, 0x1000,
0x0000, 0x2000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x0000
};
static const uint16_t P384_B[] = {
0x0199,
0x7333, 0x2096, 0x70D1, 0x2310, 0x3020, 0x6197, 0x1464, 0x35BB,
0x70CA, 0x0117, 0x1920, 0x4136, 0x5FC8, 0x5713, 0x4938, 0x7DD2,
0x4DD2, 0x4A71, 0x0220, 0x683E, 0x2C87, 0x4DB1, 0x7BFF, 0x6C09,
0x0452, 0x0084
};
static const uint16_t P521_P[] = {
0x022B,
0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF,
0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF,
0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF,
0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF,
0x7FFF, 0x7FFF, 0x07FF
};
static const uint16_t P521_R2[] = {
0x022B,
0x0100, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x0000, 0x0000
};
static const uint16_t P521_B[] = {
0x022B,
0x7002, 0x6A07, 0x751A, 0x228F, 0x71EF, 0x5869, 0x20F4, 0x1EFC,
0x7357, 0x37E0, 0x4EEC, 0x605E, 0x1652, 0x26F6, 0x31FA, 0x4A8F,
0x6193, 0x3C2A, 0x3C42, 0x48C7, 0x3489, 0x6771, 0x4C57, 0x5CCD,
0x2725, 0x545B, 0x503B, 0x5B42, 0x21A0, 0x2534, 0x687E, 0x70E4,
0x1618, 0x27D7, 0x0465
};
typedef struct {
const uint16_t *p;
const uint16_t *b;
const uint16_t *R2;
uint16_t p0i;
size_t point_len;
} curve_params;
static inline const curve_params *
id_to_curve(int curve)
{
static const curve_params pp[] = {
{ P256_P, P256_B, P256_R2, 0x0001, 65 },
{ P384_P, P384_B, P384_R2, 0x0001, 97 },
{ P521_P, P521_B, P521_R2, 0x0001, 133 }
};
return &pp[curve - BR_EC_secp256r1];
}
#define I15_LEN ((BR_MAX_EC_SIZE + 29) / 15)
/*
* Type for a point in Jacobian coordinates:
* -- three values, x, y and z, in Montgomery representation
* -- affine coordinates are X = x / z^2 and Y = y / z^3
* -- for the point at infinity, z = 0
*/
typedef struct {
uint16_t c[3][I15_LEN];
} jacobian;
/*
* We use a custom interpreter that uses a dozen registers, and
* only six operations:
* MSET(d, a) copy a into d
* MADD(d, a) d = d+a (modular)
* MSUB(d, a) d = d-a (modular)
* MMUL(d, a, b) d = a*b (Montgomery multiplication)
* MINV(d, a, b) invert d modulo p; a and b are used as scratch registers
* MTZ(d) clear return value if d = 0
* Destination of MMUL (d) must be distinct from operands (a and b).
* There is no such constraint for MSUB and MADD.
*
* Registers include the operand coordinates, and temporaries.
*/
#define MSET(d, a) (0x0000 + ((d) << 8) + ((a) << 4))
#define MADD(d, a) (0x1000 + ((d) << 8) + ((a) << 4))
#define MSUB(d, a) (0x2000 + ((d) << 8) + ((a) << 4))
#define MMUL(d, a, b) (0x3000 + ((d) << 8) + ((a) << 4) + (b))
#define MINV(d, a, b) (0x4000 + ((d) << 8) + ((a) << 4) + (b))
#define MTZ(d) (0x5000 + ((d) << 8))
#define ENDCODE 0
/*
* Registers for the input operands.
*/
#define P1x 0
#define P1y 1
#define P1z 2
#define P2x 3
#define P2y 4
#define P2z 5
/*
* Alternate names for the first input operand.
*/
#define Px 0
#define Py 1
#define Pz 2
/*
* Temporaries.
*/
#define t1 6
#define t2 7
#define t3 8
#define t4 9
#define t5 10
#define t6 11
#define t7 12
/*
* Extra scratch registers available when there is no second operand (e.g.
* for "double" and "affine").
*/
#define t8 3
#define t9 4
#define t10 5
/*
* Doubling formulas are:
*
* s = 4*x*y^2
* m = 3*(x + z^2)*(x - z^2)
* x' = m^2 - 2*s
* y' = m*(s - x') - 8*y^4
* z' = 2*y*z
*
* If y = 0 (P has order 2) then this yields infinity (z' = 0), as it
* should. This case should not happen anyway, because our curves have
* prime order, and thus do not contain any point of order 2.
*
* If P is infinity (z = 0), then again the formulas yield infinity,
* which is correct. Thus, this code works for all points.
*
* Cost: 8 multiplications
*/
static const uint16_t code_double[] = {
/*
* Compute z^2 (in t1).
*/
MMUL(t1, Pz, Pz),
/*
* Compute x-z^2 (in t2) and then x+z^2 (in t1).
*/
MSET(t2, Px),
MSUB(t2, t1),
MADD(t1, Px),
/*
* Compute m = 3*(x+z^2)*(x-z^2) (in t1).
*/
MMUL(t3, t1, t2),
MSET(t1, t3),
MADD(t1, t3),
MADD(t1, t3),
/*
* Compute s = 4*x*y^2 (in t2) and 2*y^2 (in t3).
*/
MMUL(t3, Py, Py),
MADD(t3, t3),
MMUL(t2, Px, t3),
MADD(t2, t2),
/*
* Compute x' = m^2 - 2*s.
*/
MMUL(Px, t1, t1),
MSUB(Px, t2),
MSUB(Px, t2),
/*
* Compute z' = 2*y*z.
*/
MMUL(t4, Py, Pz),
MSET(Pz, t4),
MADD(Pz, t4),
/*
* Compute y' = m*(s - x') - 8*y^4. Note that we already have
* 2*y^2 in t3.
*/
MSUB(t2, Px),
MMUL(Py, t1, t2),
MMUL(t4, t3, t3),
MSUB(Py, t4),
MSUB(Py, t4),
ENDCODE
};
/*
* Addtions formulas are:
*
* u1 = x1 * z2^2
* u2 = x2 * z1^2
* s1 = y1 * z2^3
* s2 = y2 * z1^3
* h = u2 - u1
* r = s2 - s1
* x3 = r^2 - h^3 - 2 * u1 * h^2
* y3 = r * (u1 * h^2 - x3) - s1 * h^3
* z3 = h * z1 * z2
*
* If both P1 and P2 are infinity, then z1 == 0 and z2 == 0, implying that
* z3 == 0, so the result is correct.
* If either of P1 or P2 is infinity, but not both, then z3 == 0, which is
* not correct.
* h == 0 only if u1 == u2; this happens in two cases:
* -- if s1 == s2 then P1 and/or P2 is infinity, or P1 == P2
* -- if s1 != s2 then P1 + P2 == infinity (but neither P1 or P2 is infinity)
*
* Thus, the following situations are not handled correctly:
* -- P1 = 0 and P2 != 0
* -- P1 != 0 and P2 = 0
* -- P1 = P2
* All other cases are properly computed. However, even in "incorrect"
* situations, the three coordinates still are properly formed field
* elements.
*
* The returned flag is cleared if r == 0. This happens in the following
* cases:
* -- Both points are on the same horizontal line (same Y coordinate).
* -- Both points are infinity.
* -- One point is infinity and the other is on line Y = 0.
* The third case cannot happen with our curves (there is no valid point
* on line Y = 0 since that would be a point of order 2). If the two
* source points are non-infinity, then remains only the case where the
* two points are on the same horizontal line.
*
* This allows us to detect the "P1 == P2" case, assuming that P1 != 0 and
* P2 != 0:
* -- If the returned value is not the point at infinity, then it was properly
* computed.
* -- Otherwise, if the returned flag is 1, then P1+P2 = 0, and the result
* is indeed the point at infinity.
* -- Otherwise (result is infinity, flag is 0), then P1 = P2 and we should
* use the 'double' code.
*
* Cost: 16 multiplications
*/
static const uint16_t code_add[] = {
/*
* Compute u1 = x1*z2^2 (in t1) and s1 = y1*z2^3 (in t3).
*/
MMUL(t3, P2z, P2z),
MMUL(t1, P1x, t3),
MMUL(t4, P2z, t3),
MMUL(t3, P1y, t4),
/*
* Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
*/
MMUL(t4, P1z, P1z),
MMUL(t2, P2x, t4),
MMUL(t5, P1z, t4),
MMUL(t4, P2y, t5),
/*
* Compute h = u2 - u1 (in t2) and r = s2 - s1 (in t4).
*/
MSUB(t2, t1),
MSUB(t4, t3),
/*
* Report cases where r = 0 through the returned flag.
*/
MTZ(t4),
/*
* Compute u1*h^2 (in t6) and h^3 (in t5).
*/
MMUL(t7, t2, t2),
MMUL(t6, t1, t7),
MMUL(t5, t7, t2),
/*
* Compute x3 = r^2 - h^3 - 2*u1*h^2.
* t1 and t7 can be used as scratch registers.
*/
MMUL(P1x, t4, t4),
MSUB(P1x, t5),
MSUB(P1x, t6),
MSUB(P1x, t6),
/*
* Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
*/
MSUB(t6, P1x),
MMUL(P1y, t4, t6),
MMUL(t1, t5, t3),
MSUB(P1y, t1),
/*
* Compute z3 = h*z1*z2.
*/
MMUL(t1, P1z, P2z),
MMUL(P1z, t1, t2),
ENDCODE
};
/*
* Check that the point is on the curve. This code snippet assumes the
* following conventions:
* -- Coordinates x and y have been freshly decoded in P1 (but not
* converted to Montgomery coordinates yet).
* -- P2x, P2y and P2z are set to, respectively, R^2, b*R and 1.
*/
static const uint16_t code_check[] = {
/* Convert x and y to Montgomery representation. */
MMUL(t1, P1x, P2x),
MMUL(t2, P1y, P2x),
MSET(P1x, t1),
MSET(P1y, t2),
/* Compute x^3 in t1. */
MMUL(t2, P1x, P1x),
MMUL(t1, P1x, t2),
/* Subtract 3*x from t1. */
MSUB(t1, P1x),
MSUB(t1, P1x),
MSUB(t1, P1x),
/* Add b. */
MADD(t1, P2y),
/* Compute y^2 in t2. */
MMUL(t2, P1y, P1y),
/* Compare y^2 with x^3 - 3*x + b; they must match. */
MSUB(t1, t2),
MTZ(t1),
/* Set z to 1 (in Montgomery representation). */
MMUL(P1z, P2x, P2z),
ENDCODE
};
/*
* Conversion back to affine coordinates. This code snippet assumes that
* the z coordinate of P2 is set to 1 (not in Montgomery representation).
*/
static const uint16_t code_affine[] = {
/* Save z*R in t1. */
MSET(t1, P1z),
/* Compute z^3 in t2. */
MMUL(t2, P1z, P1z),
MMUL(t3, P1z, t2),
MMUL(t2, t3, P2z),
/* Invert to (1/z^3) in t2. */
MINV(t2, t3, t4),
/* Compute y. */
MSET(t3, P1y),
MMUL(P1y, t2, t3),
/* Compute (1/z^2) in t3. */
MMUL(t3, t2, t1),
/* Compute x. */
MSET(t2, P1x),
MMUL(P1x, t2, t3),
ENDCODE
};
static uint32_t
run_code(jacobian *P1, const jacobian *P2,
const curve_params *cc, const uint16_t *code)
{
uint32_t r;
uint16_t t[13][I15_LEN];
size_t u;
r = 1;
/*
* Copy the two operands in the dedicated registers.
*/
memcpy(t[P1x], P1->c, 3 * I15_LEN * sizeof(uint16_t));
memcpy(t[P2x], P2->c, 3 * I15_LEN * sizeof(uint16_t));
/*
* Run formulas.
*/
for (u = 0;; u ++) {
unsigned op, d, a, b;
op = code[u];
if (op == 0) {
break;
}
d = (op >> 8) & 0x0F;
a = (op >> 4) & 0x0F;
b = op & 0x0F;
op >>= 12;
switch (op) {
uint32_t ctl;
size_t plen;
unsigned char tp[(BR_MAX_EC_SIZE + 7) >> 3];
case 0:
memcpy(t[d], t[a], I15_LEN * sizeof(uint16_t));
break;
case 1:
ctl = br_i15_add(t[d], t[a], 1);
ctl |= NOT(br_i15_sub(t[d], cc->p, 0));
br_i15_sub(t[d], cc->p, ctl);
break;
case 2:
br_i15_add(t[d], cc->p, br_i15_sub(t[d], t[a], 1));
break;
case 3:
br_i15_montymul(t[d], t[a], t[b], cc->p, cc->p0i);
break;
case 4:
plen = (cc->p[0] - (cc->p[0] >> 4) + 7) >> 3;
br_i15_encode(tp, plen, cc->p);
tp[plen - 1] -= 2;
br_i15_modpow(t[d], tp, plen,
cc->p, cc->p0i, t[a], t[b]);
break;
default:
r &= ~br_i15_iszero(t[d]);
break;
}
}
/*
* Copy back result.
*/
memcpy(P1->c, t[P1x], 3 * I15_LEN * sizeof(uint16_t));
return r;
}
static void
set_one(uint16_t *x, const uint16_t *p)
{
size_t plen;
plen = (p[0] + 31) >> 4;
memset(x, 0, plen * sizeof *x);
x[0] = p[0];
x[1] = 0x0001;
}
static void
point_zero(jacobian *P, const curve_params *cc)
{
memset(P, 0, sizeof *P);
P->c[0][0] = P->c[1][0] = P->c[2][0] = cc->p[0];
}
static inline void
point_double(jacobian *P, const curve_params *cc)
{
run_code(P, P, cc, code_double);
}
static inline uint32_t
point_add(jacobian *P1, const jacobian *P2, const curve_params *cc)
{
return run_code(P1, P2, cc, code_add);
}
static void
point_mul(jacobian *P, const unsigned char *x, size_t xlen,
const curve_params *cc)
{
/*
* We do a simple double-and-add ladder with a 2-bit window
* to make only one add every two doublings. We thus first
* precompute 2P and 3P in some local buffers.
*
* We always perform two doublings and one addition; the
* addition is with P, 2P and 3P and is done in a temporary
* array.
*
* The addition code cannot handle cases where one of the
* operands is infinity, which is the case at the start of the
* ladder. We therefore need to maintain a flag that controls
* this situation.
*/
uint32_t qz;
jacobian P2, P3, Q, T, U;
memcpy(&P2, P, sizeof P2);
point_double(&P2, cc);
memcpy(&P3, P, sizeof P3);
point_add(&P3, &P2, cc);
point_zero(&Q, cc);
qz = 1;
while (xlen -- > 0) {
int k;
for (k = 6; k >= 0; k -= 2) {
uint32_t bits;
uint32_t bnz;
point_double(&Q, cc);
point_double(&Q, cc);
memcpy(&T, P, sizeof T);
memcpy(&U, &Q, sizeof U);
bits = (*x >> k) & (uint32_t)3;
bnz = NEQ(bits, 0);
CCOPY(EQ(bits, 2), &T, &P2, sizeof T);
CCOPY(EQ(bits, 3), &T, &P3, sizeof T);
point_add(&U, &T, cc);
CCOPY(bnz & qz, &Q, &T, sizeof Q);
CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
qz &= ~bnz;
}
x ++;
}
memcpy(P, &Q, sizeof Q);
}
/*
* Decode point into Jacobian coordinates. This function does not support
* the point at infinity. If the point is invalid then this returns 0, but
* the coordinates are still set to properly formed field elements.
*/
static uint32_t
point_decode(jacobian *P, const void *src, size_t len, const curve_params *cc)
{
/*
* Points must use uncompressed format:
* -- first byte is 0x04;
* -- coordinates X and Y use unsigned big-endian, with the same
* length as the field modulus.
*
* We don't support hybrid format (uncompressed, but first byte
* has value 0x06 or 0x07, depending on the least significant bit
* of Y) because it is rather useless, and explicitly forbidden
* by PKIX (RFC 5480, section 2.2).
*
* We don't support compressed format either, because it is not
* much used in practice (there are or were patent-related
* concerns about point compression, which explains the lack of
* generalised support). Also, point compression support would
* need a bit more code.
*/
const unsigned char *buf;
size_t plen, zlen;
uint32_t r;
jacobian Q;
buf = src;
point_zero(P, cc);
plen = (cc->p[0] - (cc->p[0] >> 4) + 7) >> 3;
if (len != 1 + (plen << 1)) {
return 0;
}
r = br_i15_decode_mod(P->c[0], buf + 1, plen, cc->p);
r &= br_i15_decode_mod(P->c[1], buf + 1 + plen, plen, cc->p);
/*
* Check first byte.
*/
r &= EQ(buf[0], 0x04);
/* obsolete
r &= EQ(buf[0], 0x04) | (EQ(buf[0] & 0xFE, 0x06)
& ~(uint32_t)(buf[0] ^ buf[plen << 1]));
*/
/*
* Convert coordinates and check that the point is valid.
*/
zlen = ((cc->p[0] + 31) >> 4) * sizeof(uint16_t);
memcpy(Q.c[0], cc->R2, zlen);
memcpy(Q.c[1], cc->b, zlen);
set_one(Q.c[2], cc->p);
r &= ~run_code(P, &Q, cc, code_check);
return r;
}
/*
* Encode a point. This method assumes that the point is correct and is
* not the point at infinity. Encoded size is always 1+2*plen, where
* plen is the field modulus length, in bytes.
*/
static void
point_encode(void *dst, const jacobian *P, const curve_params *cc)
{
unsigned char *buf;
size_t plen;
jacobian Q, T;
buf = dst;
plen = (cc->p[0] - (cc->p[0] >> 4) + 7) >> 3;
buf[0] = 0x04;
memcpy(&Q, P, sizeof *P);
set_one(T.c[2], cc->p);
run_code(&Q, &T, cc, code_affine);
br_i15_encode(buf + 1, plen, Q.c[0]);
br_i15_encode(buf + 1 + plen, plen, Q.c[1]);
}
static const br_ec_curve_def *
id_to_curve_def(int curve)
{
switch (curve) {
case BR_EC_secp256r1:
return &br_secp256r1;
case BR_EC_secp384r1:
return &br_secp384r1;
case BR_EC_secp521r1:
return &br_secp521r1;
}
return NULL;
}
static const unsigned char *
api_generator(int curve, size_t *len)
{
const br_ec_curve_def *cd;
cd = id_to_curve_def(curve);
*len = cd->generator_len;
return cd->generator;
}
static const unsigned char *
api_order(int curve, size_t *len)
{
const br_ec_curve_def *cd;
cd = id_to_curve_def(curve);
*len = cd->order_len;
return cd->order;
}
static size_t
api_xoff(int curve, size_t *len)
{
api_generator(curve, len);
*len >>= 1;
return 1;
}
static uint32_t
api_mul(unsigned char *G, size_t Glen,
const unsigned char *x, size_t xlen, int curve)
{
uint32_t r;
const curve_params *cc;
jacobian P;
cc = id_to_curve(curve);
+ if (Glen != cc->point_len) {
+ return 0;
+ }
r = point_decode(&P, G, Glen, cc);
point_mul(&P, x, xlen, cc);
- if (Glen == cc->point_len) {
- point_encode(G, &P, cc);
- }
+ point_encode(G, &P, cc);
return r;
}
static size_t
api_mulgen(unsigned char *R,
const unsigned char *x, size_t xlen, int curve)
{
const unsigned char *G;
size_t Glen;
G = api_generator(curve, &Glen);
memcpy(R, G, Glen);
api_mul(R, Glen, x, xlen, curve);
return Glen;
}
static uint32_t
api_muladd(unsigned char *A, const unsigned char *B, size_t len,
const unsigned char *x, size_t xlen,
const unsigned char *y, size_t ylen, int curve)
{
uint32_t r, t, z;
const curve_params *cc;
jacobian P, Q;
/*
* TODO: see about merging the two ladders. Right now, we do
* two independent point multiplications, which is a bit
* wasteful of CPU resources (but yields short code).
*/
cc = id_to_curve(curve);
+ if (len != cc->point_len) {
+ return 0;
+ }
r = point_decode(&P, A, len, cc);
if (B == NULL) {
size_t Glen;
B = api_generator(curve, &Glen);
}
r &= point_decode(&Q, B, len, cc);
point_mul(&P, x, xlen, cc);
point_mul(&Q, y, ylen, cc);
/*
* We want to compute P+Q. Since the base points A and B are distinct
* from infinity, and the multipliers are non-zero and lower than the
* curve order, then we know that P and Q are non-infinity. This
* leaves two special situations to test for:
* -- If P = Q then we must use point_double().
* -- If P+Q = 0 then we must report an error.
*/
t = point_add(&P, &Q, cc);
point_double(&Q, cc);
z = br_i15_iszero(P.c[2]);
/*
* If z is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we
* have the following:
*
* z = 0, t = 0 return P (normal addition)
* z = 0, t = 1 return P (normal addition)
* z = 1, t = 0 return Q (a 'double' case)
* z = 1, t = 1 report an error (P+Q = 0)
*/
CCOPY(z & ~t, &P, &Q, sizeof Q);
point_encode(A, &P, cc);
r &= ~(z & t);
return r;
}
/* see bearssl_ec.h */
const br_ec_impl br_ec_prime_i15 = {
(uint32_t)0x03800000,
&api_generator,
&api_order,
&api_xoff,
&api_mul,
&api_mulgen,
&api_muladd
};
diff --git a/contrib/bearssl/src/ec/ec_prime_i31.c b/contrib/bearssl/src/ec/ec_prime_i31.c
index 0586a3b5ab6d..b205f367aeba 100644
--- a/contrib/bearssl/src/ec/ec_prime_i31.c
+++ b/contrib/bearssl/src/ec/ec_prime_i31.c
@@ -1,819 +1,826 @@
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
/*
* Parameters for supported curves (field modulus, and 'b' equation
* parameter; both values use the 'i31' format, and 'b' is in Montgomery
* representation).
*/
static const uint32_t P256_P[] = {
0x00000108,
0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF, 0x00000007,
0x00000000, 0x00000000, 0x00000040, 0x7FFFFF80,
0x000000FF
};
static const uint32_t P256_R2[] = {
0x00000108,
0x00014000, 0x00018000, 0x00000000, 0x7FF40000,
0x7FEFFFFF, 0x7FF7FFFF, 0x7FAFFFFF, 0x005FFFFF,
0x00000000
};
static const uint32_t P256_B[] = {
0x00000108,
0x6FEE1803, 0x6229C4BD, 0x21B139BE, 0x327150AA,
0x3567802E, 0x3F7212ED, 0x012E4355, 0x782DD38D,
0x0000000E
};
static const uint32_t P384_P[] = {
0x0000018C,
0x7FFFFFFF, 0x00000001, 0x00000000, 0x7FFFFFF8,
0x7FFFFFEF, 0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF,
0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF,
0x00000FFF
};
static const uint32_t P384_R2[] = {
0x0000018C,
0x00000000, 0x00000080, 0x7FFFFE00, 0x000001FF,
0x00000800, 0x00000000, 0x7FFFE000, 0x00001FFF,
0x00008000, 0x00008000, 0x00000000, 0x00000000,
0x00000000
};
static const uint32_t P384_B[] = {
0x0000018C,
0x6E666840, 0x070D0392, 0x5D810231, 0x7651D50C,
0x17E218D6, 0x1B192002, 0x44EFE441, 0x3A524E2B,
0x2719BA5F, 0x41F02209, 0x36C5643E, 0x5813EFFE,
0x000008A5
};
static const uint32_t P521_P[] = {
0x00000219,
0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF,
0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF,
0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF,
0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF,
0x01FFFFFF
};
static const uint32_t P521_R2[] = {
0x00000219,
0x00001000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000
};
static const uint32_t P521_B[] = {
0x00000219,
0x540FC00A, 0x228FEA35, 0x2C34F1EF, 0x67BF107A,
0x46FC1CD5, 0x1605E9DD, 0x6937B165, 0x272A3D8F,
0x42785586, 0x44C8C778, 0x15F3B8B4, 0x64B73366,
0x03BA8B69, 0x0D05B42A, 0x21F929A2, 0x2C31C393,
0x00654FAE
};
typedef struct {
const uint32_t *p;
const uint32_t *b;
const uint32_t *R2;
uint32_t p0i;
+ size_t point_len;
} curve_params;
static inline const curve_params *
id_to_curve(int curve)
{
static const curve_params pp[] = {
- { P256_P, P256_B, P256_R2, 0x00000001 },
- { P384_P, P384_B, P384_R2, 0x00000001 },
- { P521_P, P521_B, P521_R2, 0x00000001 }
+ { P256_P, P256_B, P256_R2, 0x00000001, 65 },
+ { P384_P, P384_B, P384_R2, 0x00000001, 97 },
+ { P521_P, P521_B, P521_R2, 0x00000001, 133 }
};
return &pp[curve - BR_EC_secp256r1];
}
#define I31_LEN ((BR_MAX_EC_SIZE + 61) / 31)
/*
* Type for a point in Jacobian coordinates:
* -- three values, x, y and z, in Montgomery representation
* -- affine coordinates are X = x / z^2 and Y = y / z^3
* -- for the point at infinity, z = 0
*/
typedef struct {
uint32_t c[3][I31_LEN];
} jacobian;
/*
* We use a custom interpreter that uses a dozen registers, and
* only six operations:
* MSET(d, a) copy a into d
* MADD(d, a) d = d+a (modular)
* MSUB(d, a) d = d-a (modular)
* MMUL(d, a, b) d = a*b (Montgomery multiplication)
* MINV(d, a, b) invert d modulo p; a and b are used as scratch registers
* MTZ(d) clear return value if d = 0
* Destination of MMUL (d) must be distinct from operands (a and b).
* There is no such constraint for MSUB and MADD.
*
* Registers include the operand coordinates, and temporaries.
*/
#define MSET(d, a) (0x0000 + ((d) << 8) + ((a) << 4))
#define MADD(d, a) (0x1000 + ((d) << 8) + ((a) << 4))
#define MSUB(d, a) (0x2000 + ((d) << 8) + ((a) << 4))
#define MMUL(d, a, b) (0x3000 + ((d) << 8) + ((a) << 4) + (b))
#define MINV(d, a, b) (0x4000 + ((d) << 8) + ((a) << 4) + (b))
#define MTZ(d) (0x5000 + ((d) << 8))
#define ENDCODE 0
/*
* Registers for the input operands.
*/
#define P1x 0
#define P1y 1
#define P1z 2
#define P2x 3
#define P2y 4
#define P2z 5
/*
* Alternate names for the first input operand.
*/
#define Px 0
#define Py 1
#define Pz 2
/*
* Temporaries.
*/
#define t1 6
#define t2 7
#define t3 8
#define t4 9
#define t5 10
#define t6 11
#define t7 12
/*
* Extra scratch registers available when there is no second operand (e.g.
* for "double" and "affine").
*/
#define t8 3
#define t9 4
#define t10 5
/*
* Doubling formulas are:
*
* s = 4*x*y^2
* m = 3*(x + z^2)*(x - z^2)
* x' = m^2 - 2*s
* y' = m*(s - x') - 8*y^4
* z' = 2*y*z
*
* If y = 0 (P has order 2) then this yields infinity (z' = 0), as it
* should. This case should not happen anyway, because our curves have
* prime order, and thus do not contain any point of order 2.
*
* If P is infinity (z = 0), then again the formulas yield infinity,
* which is correct. Thus, this code works for all points.
*
* Cost: 8 multiplications
*/
static const uint16_t code_double[] = {
/*
* Compute z^2 (in t1).
*/
MMUL(t1, Pz, Pz),
/*
* Compute x-z^2 (in t2) and then x+z^2 (in t1).
*/
MSET(t2, Px),
MSUB(t2, t1),
MADD(t1, Px),
/*
* Compute m = 3*(x+z^2)*(x-z^2) (in t1).
*/
MMUL(t3, t1, t2),
MSET(t1, t3),
MADD(t1, t3),
MADD(t1, t3),
/*
* Compute s = 4*x*y^2 (in t2) and 2*y^2 (in t3).
*/
MMUL(t3, Py, Py),
MADD(t3, t3),
MMUL(t2, Px, t3),
MADD(t2, t2),
/*
* Compute x' = m^2 - 2*s.
*/
MMUL(Px, t1, t1),
MSUB(Px, t2),
MSUB(Px, t2),
/*
* Compute z' = 2*y*z.
*/
MMUL(t4, Py, Pz),
MSET(Pz, t4),
MADD(Pz, t4),
/*
* Compute y' = m*(s - x') - 8*y^4. Note that we already have
* 2*y^2 in t3.
*/
MSUB(t2, Px),
MMUL(Py, t1, t2),
MMUL(t4, t3, t3),
MSUB(Py, t4),
MSUB(Py, t4),
ENDCODE
};
/*
* Addtions formulas are:
*
* u1 = x1 * z2^2
* u2 = x2 * z1^2
* s1 = y1 * z2^3
* s2 = y2 * z1^3
* h = u2 - u1
* r = s2 - s1
* x3 = r^2 - h^3 - 2 * u1 * h^2
* y3 = r * (u1 * h^2 - x3) - s1 * h^3
* z3 = h * z1 * z2
*
* If both P1 and P2 are infinity, then z1 == 0 and z2 == 0, implying that
* z3 == 0, so the result is correct.
* If either of P1 or P2 is infinity, but not both, then z3 == 0, which is
* not correct.
* h == 0 only if u1 == u2; this happens in two cases:
* -- if s1 == s2 then P1 and/or P2 is infinity, or P1 == P2
* -- if s1 != s2 then P1 + P2 == infinity (but neither P1 or P2 is infinity)
*
* Thus, the following situations are not handled correctly:
* -- P1 = 0 and P2 != 0
* -- P1 != 0 and P2 = 0
* -- P1 = P2
* All other cases are properly computed. However, even in "incorrect"
* situations, the three coordinates still are properly formed field
* elements.
*
* The returned flag is cleared if r == 0. This happens in the following
* cases:
* -- Both points are on the same horizontal line (same Y coordinate).
* -- Both points are infinity.
* -- One point is infinity and the other is on line Y = 0.
* The third case cannot happen with our curves (there is no valid point
* on line Y = 0 since that would be a point of order 2). If the two
* source points are non-infinity, then remains only the case where the
* two points are on the same horizontal line.
*
* This allows us to detect the "P1 == P2" case, assuming that P1 != 0 and
* P2 != 0:
* -- If the returned value is not the point at infinity, then it was properly
* computed.
* -- Otherwise, if the returned flag is 1, then P1+P2 = 0, and the result
* is indeed the point at infinity.
* -- Otherwise (result is infinity, flag is 0), then P1 = P2 and we should
* use the 'double' code.
*
* Cost: 16 multiplications
*/
static const uint16_t code_add[] = {
/*
* Compute u1 = x1*z2^2 (in t1) and s1 = y1*z2^3 (in t3).
*/
MMUL(t3, P2z, P2z),
MMUL(t1, P1x, t3),
MMUL(t4, P2z, t3),
MMUL(t3, P1y, t4),
/*
* Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
*/
MMUL(t4, P1z, P1z),
MMUL(t2, P2x, t4),
MMUL(t5, P1z, t4),
MMUL(t4, P2y, t5),
/*
* Compute h = u2 - u1 (in t2) and r = s2 - s1 (in t4).
*/
MSUB(t2, t1),
MSUB(t4, t3),
/*
* Report cases where r = 0 through the returned flag.
*/
MTZ(t4),
/*
* Compute u1*h^2 (in t6) and h^3 (in t5).
*/
MMUL(t7, t2, t2),
MMUL(t6, t1, t7),
MMUL(t5, t7, t2),
/*
* Compute x3 = r^2 - h^3 - 2*u1*h^2.
* t1 and t7 can be used as scratch registers.
*/
MMUL(P1x, t4, t4),
MSUB(P1x, t5),
MSUB(P1x, t6),
MSUB(P1x, t6),
/*
* Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
*/
MSUB(t6, P1x),
MMUL(P1y, t4, t6),
MMUL(t1, t5, t3),
MSUB(P1y, t1),
/*
* Compute z3 = h*z1*z2.
*/
MMUL(t1, P1z, P2z),
MMUL(P1z, t1, t2),
ENDCODE
};
/*
* Check that the point is on the curve. This code snippet assumes the
* following conventions:
* -- Coordinates x and y have been freshly decoded in P1 (but not
* converted to Montgomery coordinates yet).
* -- P2x, P2y and P2z are set to, respectively, R^2, b*R and 1.
*/
static const uint16_t code_check[] = {
/* Convert x and y to Montgomery representation. */
MMUL(t1, P1x, P2x),
MMUL(t2, P1y, P2x),
MSET(P1x, t1),
MSET(P1y, t2),
/* Compute x^3 in t1. */
MMUL(t2, P1x, P1x),
MMUL(t1, P1x, t2),
/* Subtract 3*x from t1. */
MSUB(t1, P1x),
MSUB(t1, P1x),
MSUB(t1, P1x),
/* Add b. */
MADD(t1, P2y),
/* Compute y^2 in t2. */
MMUL(t2, P1y, P1y),
/* Compare y^2 with x^3 - 3*x + b; they must match. */
MSUB(t1, t2),
MTZ(t1),
/* Set z to 1 (in Montgomery representation). */
MMUL(P1z, P2x, P2z),
ENDCODE
};
/*
* Conversion back to affine coordinates. This code snippet assumes that
* the z coordinate of P2 is set to 1 (not in Montgomery representation).
*/
static const uint16_t code_affine[] = {
/* Save z*R in t1. */
MSET(t1, P1z),
/* Compute z^3 in t2. */
MMUL(t2, P1z, P1z),
MMUL(t3, P1z, t2),
MMUL(t2, t3, P2z),
/* Invert to (1/z^3) in t2. */
MINV(t2, t3, t4),
/* Compute y. */
MSET(t3, P1y),
MMUL(P1y, t2, t3),
/* Compute (1/z^2) in t3. */
MMUL(t3, t2, t1),
/* Compute x. */
MSET(t2, P1x),
MMUL(P1x, t2, t3),
ENDCODE
};
static uint32_t
run_code(jacobian *P1, const jacobian *P2,
const curve_params *cc, const uint16_t *code)
{
uint32_t r;
uint32_t t[13][I31_LEN];
size_t u;
r = 1;
/*
* Copy the two operands in the dedicated registers.
*/
memcpy(t[P1x], P1->c, 3 * I31_LEN * sizeof(uint32_t));
memcpy(t[P2x], P2->c, 3 * I31_LEN * sizeof(uint32_t));
/*
* Run formulas.
*/
for (u = 0;; u ++) {
unsigned op, d, a, b;
op = code[u];
if (op == 0) {
break;
}
d = (op >> 8) & 0x0F;
a = (op >> 4) & 0x0F;
b = op & 0x0F;
op >>= 12;
switch (op) {
uint32_t ctl;
size_t plen;
unsigned char tp[(BR_MAX_EC_SIZE + 7) >> 3];
case 0:
memcpy(t[d], t[a], I31_LEN * sizeof(uint32_t));
break;
case 1:
ctl = br_i31_add(t[d], t[a], 1);
ctl |= NOT(br_i31_sub(t[d], cc->p, 0));
br_i31_sub(t[d], cc->p, ctl);
break;
case 2:
br_i31_add(t[d], cc->p, br_i31_sub(t[d], t[a], 1));
break;
case 3:
br_i31_montymul(t[d], t[a], t[b], cc->p, cc->p0i);
break;
case 4:
plen = (cc->p[0] - (cc->p[0] >> 5) + 7) >> 3;
br_i31_encode(tp, plen, cc->p);
tp[plen - 1] -= 2;
br_i31_modpow(t[d], tp, plen,
cc->p, cc->p0i, t[a], t[b]);
break;
default:
r &= ~br_i31_iszero(t[d]);
break;
}
}
/*
* Copy back result.
*/
memcpy(P1->c, t[P1x], 3 * I31_LEN * sizeof(uint32_t));
return r;
}
static void
set_one(uint32_t *x, const uint32_t *p)
{
size_t plen;
plen = (p[0] + 63) >> 5;
memset(x, 0, plen * sizeof *x);
x[0] = p[0];
x[1] = 0x00000001;
}
static void
point_zero(jacobian *P, const curve_params *cc)
{
memset(P, 0, sizeof *P);
P->c[0][0] = P->c[1][0] = P->c[2][0] = cc->p[0];
}
static inline void
point_double(jacobian *P, const curve_params *cc)
{
run_code(P, P, cc, code_double);
}
static inline uint32_t
point_add(jacobian *P1, const jacobian *P2, const curve_params *cc)
{
return run_code(P1, P2, cc, code_add);
}
static void
point_mul(jacobian *P, const unsigned char *x, size_t xlen,
const curve_params *cc)
{
/*
* We do a simple double-and-add ladder with a 2-bit window
* to make only one add every two doublings. We thus first
* precompute 2P and 3P in some local buffers.
*
* We always perform two doublings and one addition; the
* addition is with P, 2P and 3P and is done in a temporary
* array.
*
* The addition code cannot handle cases where one of the
* operands is infinity, which is the case at the start of the
* ladder. We therefore need to maintain a flag that controls
* this situation.
*/
uint32_t qz;
jacobian P2, P3, Q, T, U;
memcpy(&P2, P, sizeof P2);
point_double(&P2, cc);
memcpy(&P3, P, sizeof P3);
point_add(&P3, &P2, cc);
point_zero(&Q, cc);
qz = 1;
while (xlen -- > 0) {
int k;
for (k = 6; k >= 0; k -= 2) {
uint32_t bits;
uint32_t bnz;
point_double(&Q, cc);
point_double(&Q, cc);
memcpy(&T, P, sizeof T);
memcpy(&U, &Q, sizeof U);
bits = (*x >> k) & (uint32_t)3;
bnz = NEQ(bits, 0);
CCOPY(EQ(bits, 2), &T, &P2, sizeof T);
CCOPY(EQ(bits, 3), &T, &P3, sizeof T);
point_add(&U, &T, cc);
CCOPY(bnz & qz, &Q, &T, sizeof Q);
CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
qz &= ~bnz;
}
x ++;
}
memcpy(P, &Q, sizeof Q);
}
/*
* Decode point into Jacobian coordinates. This function does not support
* the point at infinity. If the point is invalid then this returns 0, but
* the coordinates are still set to properly formed field elements.
*/
static uint32_t
point_decode(jacobian *P, const void *src, size_t len, const curve_params *cc)
{
/*
* Points must use uncompressed format:
* -- first byte is 0x04;
* -- coordinates X and Y use unsigned big-endian, with the same
* length as the field modulus.
*
* We don't support hybrid format (uncompressed, but first byte
* has value 0x06 or 0x07, depending on the least significant bit
* of Y) because it is rather useless, and explicitly forbidden
* by PKIX (RFC 5480, section 2.2).
*
* We don't support compressed format either, because it is not
* much used in practice (there are or were patent-related
* concerns about point compression, which explains the lack of
* generalised support). Also, point compression support would
* need a bit more code.
*/
const unsigned char *buf;
size_t plen, zlen;
uint32_t r;
jacobian Q;
buf = src;
point_zero(P, cc);
plen = (cc->p[0] - (cc->p[0] >> 5) + 7) >> 3;
if (len != 1 + (plen << 1)) {
return 0;
}
r = br_i31_decode_mod(P->c[0], buf + 1, plen, cc->p);
r &= br_i31_decode_mod(P->c[1], buf + 1 + plen, plen, cc->p);
/*
* Check first byte.
*/
r &= EQ(buf[0], 0x04);
/* obsolete
r &= EQ(buf[0], 0x04) | (EQ(buf[0] & 0xFE, 0x06)
& ~(uint32_t)(buf[0] ^ buf[plen << 1]));
*/
/*
* Convert coordinates and check that the point is valid.
*/
zlen = ((cc->p[0] + 63) >> 5) * sizeof(uint32_t);
memcpy(Q.c[0], cc->R2, zlen);
memcpy(Q.c[1], cc->b, zlen);
set_one(Q.c[2], cc->p);
r &= ~run_code(P, &Q, cc, code_check);
return r;
}
/*
* Encode a point. This method assumes that the point is correct and is
* not the point at infinity. Encoded size is always 1+2*plen, where
* plen is the field modulus length, in bytes.
*/
static void
point_encode(void *dst, const jacobian *P, const curve_params *cc)
{
unsigned char *buf;
uint32_t xbl;
size_t plen;
jacobian Q, T;
buf = dst;
xbl = cc->p[0];
xbl -= (xbl >> 5);
plen = (xbl + 7) >> 3;
buf[0] = 0x04;
memcpy(&Q, P, sizeof *P);
set_one(T.c[2], cc->p);
run_code(&Q, &T, cc, code_affine);
br_i31_encode(buf + 1, plen, Q.c[0]);
br_i31_encode(buf + 1 + plen, plen, Q.c[1]);
}
static const br_ec_curve_def *
id_to_curve_def(int curve)
{
switch (curve) {
case BR_EC_secp256r1:
return &br_secp256r1;
case BR_EC_secp384r1:
return &br_secp384r1;
case BR_EC_secp521r1:
return &br_secp521r1;
}
return NULL;
}
static const unsigned char *
api_generator(int curve, size_t *len)
{
const br_ec_curve_def *cd;
cd = id_to_curve_def(curve);
*len = cd->generator_len;
return cd->generator;
}
static const unsigned char *
api_order(int curve, size_t *len)
{
const br_ec_curve_def *cd;
cd = id_to_curve_def(curve);
*len = cd->order_len;
return cd->order;
}
static size_t
api_xoff(int curve, size_t *len)
{
api_generator(curve, len);
*len >>= 1;
return 1;
}
static uint32_t
api_mul(unsigned char *G, size_t Glen,
const unsigned char *x, size_t xlen, int curve)
{
uint32_t r;
const curve_params *cc;
jacobian P;
cc = id_to_curve(curve);
+ if (Glen != cc->point_len) {
+ return 0;
+ }
r = point_decode(&P, G, Glen, cc);
point_mul(&P, x, xlen, cc);
point_encode(G, &P, cc);
return r;
}
static size_t
api_mulgen(unsigned char *R,
const unsigned char *x, size_t xlen, int curve)
{
const unsigned char *G;
size_t Glen;
G = api_generator(curve, &Glen);
memcpy(R, G, Glen);
api_mul(R, Glen, x, xlen, curve);
return Glen;
}
static uint32_t
api_muladd(unsigned char *A, const unsigned char *B, size_t len,
const unsigned char *x, size_t xlen,
const unsigned char *y, size_t ylen, int curve)
{
uint32_t r, t, z;
const curve_params *cc;
jacobian P, Q;
/*
* TODO: see about merging the two ladders. Right now, we do
* two independent point multiplications, which is a bit
* wasteful of CPU resources (but yields short code).
*/
cc = id_to_curve(curve);
+ if (len != cc->point_len) {
+ return 0;
+ }
r = point_decode(&P, A, len, cc);
if (B == NULL) {
size_t Glen;
B = api_generator(curve, &Glen);
}
r &= point_decode(&Q, B, len, cc);
point_mul(&P, x, xlen, cc);
point_mul(&Q, y, ylen, cc);
/*
* We want to compute P+Q. Since the base points A and B are distinct
* from infinity, and the multipliers are non-zero and lower than the
* curve order, then we know that P and Q are non-infinity. This
* leaves two special situations to test for:
* -- If P = Q then we must use point_double().
* -- If P+Q = 0 then we must report an error.
*/
t = point_add(&P, &Q, cc);
point_double(&Q, cc);
z = br_i31_iszero(P.c[2]);
/*
* If z is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we
* have the following:
*
* z = 0, t = 0 return P (normal addition)
* z = 0, t = 1 return P (normal addition)
* z = 1, t = 0 return Q (a 'double' case)
* z = 1, t = 1 report an error (P+Q = 0)
*/
CCOPY(z & ~t, &P, &Q, sizeof Q);
point_encode(A, &P, cc);
r &= ~(z & t);
return r;
}
/* see bearssl_ec.h */
const br_ec_impl br_ec_prime_i31 = {
(uint32_t)0x03800000,
&api_generator,
&api_order,
&api_xoff,
&api_mul,
&api_mulgen,
&api_muladd
};
diff --git a/contrib/bearssl/src/inner.h b/contrib/bearssl/src/inner.h
index 986220f0f542..07e1d0a478e8 100644
--- a/contrib/bearssl/src/inner.h
+++ b/contrib/bearssl/src/inner.h
@@ -1,2557 +1,2577 @@
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef INNER_H__
#define INNER_H__
#include <string.h>
#include <limits.h>
#include "config.h"
#include "bearssl.h"
/*
* On MSVC, disable the warning about applying unary minus on an
* unsigned type: it is standard, we do it all the time, and for
* good reasons.
*/
#if _MSC_VER
#pragma warning( disable : 4146 )
#endif
/*
* Maximum size for a RSA modulus (in bits). Allocated stack buffers
* depend on that size, so this value should be kept small. Currently,
* 2048-bit RSA keys offer adequate security, and should still do so for
* the next few decades; however, a number of widespread PKI have
* already set their root keys to RSA-4096, so we should be able to
* process such keys.
*
* This value MUST be a multiple of 64. This value MUST NOT exceed 47666
* (some computations in RSA key generation rely on the factor size being
* no more than 23833 bits). RSA key sizes beyond 3072 bits don't make a
* lot of sense anyway.
*/
#define BR_MAX_RSA_SIZE 4096
/*
* Minimum size for a RSA modulus (in bits); this value is used only to
* filter out invalid parameters for key pair generation. Normally,
* applications should not use RSA keys smaller than 2048 bits; but some
* specific cases might need shorter keys, for legacy or research
* purposes.
*/
#define BR_MIN_RSA_SIZE 512
/*
* Maximum size for a RSA factor (in bits). This is for RSA private-key
* operations. Default is to support factors up to a bit more than half
* the maximum modulus size.
*
* This value MUST be a multiple of 32.
*/
#define BR_MAX_RSA_FACTOR ((BR_MAX_RSA_SIZE + 64) >> 1)
/*
* Maximum size for an EC curve (modulus or order), in bits. Size of
* stack buffers depends on that parameter. This size MUST be a multiple
* of 8 (so that decoding an integer with that many bytes does not
* overflow).
*/
#define BR_MAX_EC_SIZE 528
/*
* Some macros to recognize the current architecture. Right now, we are
* interested into automatically recognizing architecture with efficient
* 64-bit types so that we may automatically use implementations that
* use 64-bit registers in that case. Future versions may detect, e.g.,
* availability of SSE2 intrinsics.
*
* If 'unsigned long' is a 64-bit type, then we assume that 64-bit types
* are efficient. Otherwise, we rely on macros that depend on compiler,
* OS and architecture. In any case, failure to detect the architecture
* as 64-bit means that the 32-bit code will be used, and that code
* works also on 64-bit architectures (the 64-bit code may simply be
* more efficient).
*
* The test on 'unsigned long' should already catch most cases, the one
* notable exception being Windows code where 'unsigned long' is kept to
* 32-bit for compatibility with all the legacy code that liberally uses
* the 'DWORD' type for 32-bit values.
*
* Macro names are taken from: http://nadeausoftware.com/articles/2012/02/c_c_tip_how_detect_processor_type_using_compiler_predefined_macros
*/
#ifndef BR_64
#if ((ULONG_MAX >> 31) >> 31) == 3
#define BR_64 1
#elif defined(__ia64) || defined(__itanium__) || defined(_M_IA64)
#define BR_64 1
#elif defined(__powerpc64__) || defined(__ppc64__) || defined(__PPC64__) \
|| defined(__64BIT__) || defined(_LP64) || defined(__LP64__)
#define BR_64 1
#elif defined(__sparc64__)
#define BR_64 1
#elif defined(__x86_64__) || defined(_M_X64)
#define BR_64 1
#elif defined(__aarch64__) || defined(_M_ARM64)
#define BR_64 1
#elif defined(__mips64)
#define BR_64 1
#endif
#endif
/*
* Set BR_LOMUL on platforms where it makes sense.
*/
#ifndef BR_LOMUL
#if BR_ARMEL_CORTEXM_GCC
#define BR_LOMUL 1
#endif
#endif
/*
* Architecture detection.
*/
#ifndef BR_i386
#if __i386__ || _M_IX86
#define BR_i386 1
#endif
#endif
#ifndef BR_amd64
#if __x86_64__ || _M_X64
#define BR_amd64 1
#endif
#endif
/*
* Compiler brand and version.
*
* Implementations that use intrinsics need to detect the compiler type
* and version because some specific actions may be needed to activate
* the corresponding opcodes, both for header inclusion, and when using
* them in a function.
*
* BR_GCC, BR_CLANG and BR_MSC will be set to 1 for, respectively, GCC,
* Clang and MS Visual C. For each of them, sub-macros will be defined
* for versions; each sub-macro is set whenever the compiler version is
* at least as recent as the one corresponding to the macro.
*/
/*
* GCC thresholds are on versions 4.4 to 4.9 and 5.0.
*/
#ifndef BR_GCC
#if __GNUC__ && !__clang__
#define BR_GCC 1
#if __GNUC__ > 4
#define BR_GCC_5_0 1
#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 9
#define BR_GCC_4_9 1
#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 8
#define BR_GCC_4_8 1
#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 7
#define BR_GCC_4_7 1
#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 6
#define BR_GCC_4_6 1
#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 5
#define BR_GCC_4_5 1
#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 4
#define BR_GCC_4_4 1
#endif
#if BR_GCC_5_0
#define BR_GCC_4_9 1
#endif
#if BR_GCC_4_9
#define BR_GCC_4_8 1
#endif
#if BR_GCC_4_8
#define BR_GCC_4_7 1
#endif
#if BR_GCC_4_7
#define BR_GCC_4_6 1
#endif
#if BR_GCC_4_6
#define BR_GCC_4_5 1
#endif
#if BR_GCC_4_5
#define BR_GCC_4_4 1
#endif
#endif
#endif
/*
* Clang thresholds are on versions 3.7.0 and 3.8.0.
*/
#ifndef BR_CLANG
#if __clang__
#define BR_CLANG 1
#if __clang_major__ > 3 || (__clang_major__ == 3 && __clang_minor__ >= 8)
#define BR_CLANG_3_8 1
#elif __clang_major__ == 3 && __clang_minor__ >= 7
#define BR_CLANG_3_7 1
#endif
#if BR_CLANG_3_8
#define BR_CLANG_3_7 1
#endif
#endif
#endif
/*
* MS Visual C thresholds are on Visual Studio 2005 to 2015.
*/
#ifndef BR_MSC
#if _MSC_VER
#define BR_MSC 1
#if _MSC_VER >= 1900
#define BR_MSC_2015 1
#elif _MSC_VER >= 1800
#define BR_MSC_2013 1
#elif _MSC_VER >= 1700
#define BR_MSC_2012 1
#elif _MSC_VER >= 1600
#define BR_MSC_2010 1
#elif _MSC_VER >= 1500
#define BR_MSC_2008 1
#elif _MSC_VER >= 1400
#define BR_MSC_2005 1
#endif
#if BR_MSC_2015
#define BR_MSC_2013 1
#endif
#if BR_MSC_2013
#define BR_MSC_2012 1
#endif
#if BR_MSC_2012
#define BR_MSC_2010 1
#endif
#if BR_MSC_2010
#define BR_MSC_2008 1
#endif
#if BR_MSC_2008
#define BR_MSC_2005 1
#endif
#endif
#endif
/*
* GCC 4.4+ and Clang 3.7+ allow tagging specific functions with a
* 'target' attribute that activates support for specific opcodes.
*/
#if BR_GCC_4_4 || BR_CLANG_3_7
#define BR_TARGET(x) __attribute__((target(x)))
#else
#define BR_TARGET(x)
#endif
/*
* AES-NI intrinsics are available on x86 (32-bit and 64-bit) with
* GCC 4.8+, Clang 3.7+ and MSC 2012+.
*/
#ifndef BR_AES_X86NI
#if (BR_i386 || BR_amd64) && (BR_GCC_4_8 || BR_CLANG_3_7 || BR_MSC_2012)
#define BR_AES_X86NI 1
#endif
#endif
/*
* SSE2 intrinsics are available on x86 (32-bit and 64-bit) with
* GCC 4.4+, Clang 3.7+ and MSC 2005+.
*/
#ifndef BR_SSE2
#if (BR_i386 || BR_amd64) && (BR_GCC_4_4 || BR_CLANG_3_7 || BR_MSC_2005)
#define BR_SSE2 1
#endif
#endif
/*
* RDRAND intrinsics are available on x86 (32-bit and 64-bit) with
* GCC 4.6+, Clang 3.7+ and MSC 2012+.
*/
#ifndef BR_RDRAND
#if (BR_i386 || BR_amd64) && (BR_GCC_4_6 || BR_CLANG_3_7 || BR_MSC_2012)
#define BR_RDRAND 1
#endif
#endif
/*
* Determine type of OS for random number generation. Macro names and
* values are documented on:
* https://sourceforge.net/p/predef/wiki/OperatingSystems/
*
- * TODO: enrich the list of detected system. Also add detection for
- * alternate system calls like getentropy(), which are usually
- * preferable when available.
+ * Win32's CryptGenRandom() should be available on Windows systems.
+ *
+ * /dev/urandom should work on all Unix-like systems (including macOS X).
+ *
+ * getentropy() is present on Linux (Glibc 2.25+), FreeBSD (12.0+) and
+ * OpenBSD (5.6+). For OpenBSD, there does not seem to be easy to use
+ * macros to test the minimum version, so we just assume that it is
+ * recent enough (last version without getentropy() has gone out of
+ * support in May 2015).
+ *
+ * Ideally we should use getentropy() on macOS (10.12+) too, but I don't
+ * know how to test the exact OS version with preprocessor macros.
+ *
+ * TODO: enrich the list of detected system.
*/
#ifndef BR_USE_URANDOM
#if defined _AIX \
|| defined __ANDROID__ \
|| defined __FreeBSD__ \
|| defined __NetBSD__ \
|| defined __OpenBSD__ \
|| defined __DragonFly__ \
|| defined __linux__ \
|| (defined __sun && (defined __SVR4 || defined __svr4__)) \
|| (defined __APPLE__ && defined __MACH__)
#define BR_USE_URANDOM 1
#endif
#endif
+#ifndef BR_USE_GETENTROPY
+#if (defined __linux__ \
+ && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 25))) \
+ || (defined __FreeBSD__ && __FreeBSD__ >= 12) \
+ || defined __OpenBSD__
+#define BR_USE_GETENTROPY 1
+#endif
+#endif
+
#ifndef BR_USE_WIN32_RAND
#if defined _WIN32 || defined _WIN64
#define BR_USE_WIN32_RAND 1
#endif
#endif
/*
* POWER8 crypto support. We rely on compiler macros for the
* architecture, since we do not have a reliable, simple way to detect
* the required support at runtime (we could try running an opcode, and
* trapping the exception or signal on illegal instruction, but this
* induces some non-trivial OS dependencies that we would prefer to
* avoid if possible).
*/
#ifndef BR_POWER8
#if __GNUC__ && ((_ARCH_PWR8 || _ARCH_PPC) && __CRYPTO__)
#define BR_POWER8 1
#endif
#endif
/*
* Detect endinanness on POWER8.
*/
#if BR_POWER8
#if defined BR_POWER8_LE
#undef BR_POWER8_BE
#if BR_POWER8_LE
#define BR_POWER8_BE 0
#else
#define BR_POWER8_BE 1
#endif
#elif defined BR_POWER8_BE
#undef BR_POWER8_LE
#if BR_POWER8_BE
#define BR_POWER8_LE 0
#else
#define BR_POWER8_LE 1
#endif
#else
#if __LITTLE_ENDIAN__
#define BR_POWER8_LE 1
#define BR_POWER8_BE 0
#else
#define BR_POWER8_LE 0
#define BR_POWER8_BE 1
#endif
#endif
#endif
/*
* Detect support for 128-bit integers.
*/
#if !defined BR_INT128 && !defined BR_UMUL128
#ifdef __SIZEOF_INT128__
#define BR_INT128 1
#elif _M_X64
#define BR_UMUL128 1
#endif
#endif
/*
* Detect support for unaligned accesses with known endianness.
*
* x86 (both 32-bit and 64-bit) is little-endian and allows unaligned
* accesses.
*
* POWER/PowerPC allows unaligned accesses when big-endian. POWER8 and
* later also allow unaligned accesses when little-endian.
*/
#if !defined BR_LE_UNALIGNED && !defined BR_BE_UNALIGNED
#if __i386 || __i386__ || __x86_64__ || _M_IX86 || _M_X64
#define BR_LE_UNALIGNED 1
#elif BR_POWER8_BE
#define BR_BE_UNALIGNED 1
#elif BR_POWER8_LE
#define BR_LE_UNALIGNED 1
#elif (__powerpc__ || __powerpc64__ || _M_PPC || _ARCH_PPC || _ARCH_PPC64) \
&& __BIG_ENDIAN__
#define BR_BE_UNALIGNED 1
#endif
#endif
/*
* Detect support for an OS-provided time source.
*/
#ifndef BR_USE_UNIX_TIME
#if defined __unix__ || defined __linux__ \
|| defined _POSIX_SOURCE || defined _POSIX_C_SOURCE \
|| (defined __APPLE__ && defined __MACH__)
#define BR_USE_UNIX_TIME 1
#endif
#endif
#ifndef BR_USE_WIN32_TIME
#if defined _WIN32 || defined _WIN64
#define BR_USE_WIN32_TIME 1
#endif
#endif
/* ==================================================================== */
/*
* Encoding/decoding functions.
*
* 32-bit and 64-bit decoding, both little-endian and big-endian, is
* implemented with the inline functions below.
*
* When allowed by some compile-time options (autodetected or provided),
* optimised code is used, to perform direct memory access when the
* underlying architecture supports it, both for endianness and
* alignment. This, however, may trigger strict aliasing issues; the
* code below uses unions to perform (supposedly) safe type punning.
* Since the C aliasing rules are relatively complex and were amended,
* or at least re-explained with different phrasing, in all successive
* versions of the C standard, it is always a bit risky to bet that any
* specific version of a C compiler got it right, for some notion of
* "right".
*/
typedef union {
uint16_t u;
unsigned char b[sizeof(uint16_t)];
} br_union_u16;
typedef union {
uint32_t u;
unsigned char b[sizeof(uint32_t)];
} br_union_u32;
typedef union {
uint64_t u;
unsigned char b[sizeof(uint64_t)];
} br_union_u64;
static inline void
br_enc16le(void *dst, unsigned x)
{
#if BR_LE_UNALIGNED
((br_union_u16 *)dst)->u = x;
#else
unsigned char *buf;
buf = dst;
buf[0] = (unsigned char)x;
buf[1] = (unsigned char)(x >> 8);
#endif
}
static inline void
br_enc16be(void *dst, unsigned x)
{
#if BR_BE_UNALIGNED
((br_union_u16 *)dst)->u = x;
#else
unsigned char *buf;
buf = dst;
buf[0] = (unsigned char)(x >> 8);
buf[1] = (unsigned char)x;
#endif
}
static inline unsigned
br_dec16le(const void *src)
{
#if BR_LE_UNALIGNED
return ((const br_union_u16 *)src)->u;
#else
const unsigned char *buf;
buf = src;
return (unsigned)buf[0] | ((unsigned)buf[1] << 8);
#endif
}
static inline unsigned
br_dec16be(const void *src)
{
#if BR_BE_UNALIGNED
return ((const br_union_u16 *)src)->u;
#else
const unsigned char *buf;
buf = src;
return ((unsigned)buf[0] << 8) | (unsigned)buf[1];
#endif
}
static inline void
br_enc32le(void *dst, uint32_t x)
{
#if BR_LE_UNALIGNED
((br_union_u32 *)dst)->u = x;
#else
unsigned char *buf;
buf = dst;
buf[0] = (unsigned char)x;
buf[1] = (unsigned char)(x >> 8);
buf[2] = (unsigned char)(x >> 16);
buf[3] = (unsigned char)(x >> 24);
#endif
}
static inline void
br_enc32be(void *dst, uint32_t x)
{
#if BR_BE_UNALIGNED
((br_union_u32 *)dst)->u = x;
#else
unsigned char *buf;
buf = dst;
buf[0] = (unsigned char)(x >> 24);
buf[1] = (unsigned char)(x >> 16);
buf[2] = (unsigned char)(x >> 8);
buf[3] = (unsigned char)x;
#endif
}
static inline uint32_t
br_dec32le(const void *src)
{
#if BR_LE_UNALIGNED
return ((const br_union_u32 *)src)->u;
#else
const unsigned char *buf;
buf = src;
return (uint32_t)buf[0]
| ((uint32_t)buf[1] << 8)
| ((uint32_t)buf[2] << 16)
| ((uint32_t)buf[3] << 24);
#endif
}
static inline uint32_t
br_dec32be(const void *src)
{
#if BR_BE_UNALIGNED
return ((const br_union_u32 *)src)->u;
#else
const unsigned char *buf;
buf = src;
return ((uint32_t)buf[0] << 24)
| ((uint32_t)buf[1] << 16)
| ((uint32_t)buf[2] << 8)
| (uint32_t)buf[3];
#endif
}
static inline void
br_enc64le(void *dst, uint64_t x)
{
#if BR_LE_UNALIGNED
((br_union_u64 *)dst)->u = x;
#else
unsigned char *buf;
buf = dst;
br_enc32le(buf, (uint32_t)x);
br_enc32le(buf + 4, (uint32_t)(x >> 32));
#endif
}
static inline void
br_enc64be(void *dst, uint64_t x)
{
#if BR_BE_UNALIGNED
((br_union_u64 *)dst)->u = x;
#else
unsigned char *buf;
buf = dst;
br_enc32be(buf, (uint32_t)(x >> 32));
br_enc32be(buf + 4, (uint32_t)x);
#endif
}
static inline uint64_t
br_dec64le(const void *src)
{
#if BR_LE_UNALIGNED
return ((const br_union_u64 *)src)->u;
#else
const unsigned char *buf;
buf = src;
return (uint64_t)br_dec32le(buf)
| ((uint64_t)br_dec32le(buf + 4) << 32);
#endif
}
static inline uint64_t
br_dec64be(const void *src)
{
#if BR_BE_UNALIGNED
return ((const br_union_u64 *)src)->u;
#else
const unsigned char *buf;
buf = src;
return ((uint64_t)br_dec32be(buf) << 32)
| (uint64_t)br_dec32be(buf + 4);
#endif
}
/*
* Range decoding and encoding (for several successive values).
*/
void br_range_dec16le(uint16_t *v, size_t num, const void *src);
void br_range_dec16be(uint16_t *v, size_t num, const void *src);
void br_range_enc16le(void *dst, const uint16_t *v, size_t num);
void br_range_enc16be(void *dst, const uint16_t *v, size_t num);
void br_range_dec32le(uint32_t *v, size_t num, const void *src);
void br_range_dec32be(uint32_t *v, size_t num, const void *src);
void br_range_enc32le(void *dst, const uint32_t *v, size_t num);
void br_range_enc32be(void *dst, const uint32_t *v, size_t num);
void br_range_dec64le(uint64_t *v, size_t num, const void *src);
void br_range_dec64be(uint64_t *v, size_t num, const void *src);
void br_range_enc64le(void *dst, const uint64_t *v, size_t num);
void br_range_enc64be(void *dst, const uint64_t *v, size_t num);
/*
* Byte-swap a 32-bit integer.
*/
static inline uint32_t
br_swap32(uint32_t x)
{
x = ((x & (uint32_t)0x00FF00FF) << 8)
| ((x >> 8) & (uint32_t)0x00FF00FF);
return (x << 16) | (x >> 16);
}
/* ==================================================================== */
/*
* Support code for hash functions.
*/
/*
* IV for MD5, SHA-1, SHA-224 and SHA-256.
*/
extern const uint32_t br_md5_IV[];
extern const uint32_t br_sha1_IV[];
extern const uint32_t br_sha224_IV[];
extern const uint32_t br_sha256_IV[];
/*
* Round functions for MD5, SHA-1, SHA-224 and SHA-256 (SHA-224 and
* SHA-256 use the same round function).
*/
void br_md5_round(const unsigned char *buf, uint32_t *val);
void br_sha1_round(const unsigned char *buf, uint32_t *val);
void br_sha2small_round(const unsigned char *buf, uint32_t *val);
/*
* The core function for the TLS PRF. It computes
* P_hash(secret, label + seed), and XORs the result into the dst buffer.
*/
void br_tls_phash(void *dst, size_t len,
const br_hash_class *dig,
const void *secret, size_t secret_len, const char *label,
size_t seed_num, const br_tls_prf_seed_chunk *seed);
/*
* Copy all configured hash implementations from a multihash context
* to another.
*/
static inline void
br_multihash_copyimpl(br_multihash_context *dst,
const br_multihash_context *src)
{
memcpy((void *)dst->impl, src->impl, sizeof src->impl);
}
/* ==================================================================== */
/*
* Constant-time primitives. These functions manipulate 32-bit values in
* order to provide constant-time comparisons and multiplexers.
*
* Boolean values (the "ctl" bits) MUST have value 0 or 1.
*
* Implementation notes:
* =====================
*
* The uintN_t types are unsigned and with width exactly N bits; the C
* standard guarantees that computations are performed modulo 2^N, and
* there can be no overflow. Negation (unary '-') works on unsigned types
* as well.
*
* The intN_t types are guaranteed to have width exactly N bits, with no
* padding bit, and using two's complement representation. Casting
* intN_t to uintN_t really is conversion modulo 2^N. Beware that intN_t
* types, being signed, trigger implementation-defined behaviour on
* overflow (including raising some signal): with GCC, while modular
* arithmetics are usually applied, the optimizer may assume that
* overflows don't occur (unless the -fwrapv command-line option is
* added); Clang has the additional -ftrapv option to explicitly trap on
* integer overflow or underflow.
*/
/*
* Negate a boolean.
*/
static inline uint32_t
NOT(uint32_t ctl)
{
return ctl ^ 1;
}
/*
* Multiplexer: returns x if ctl == 1, y if ctl == 0.
*/
static inline uint32_t
MUX(uint32_t ctl, uint32_t x, uint32_t y)
{
return y ^ (-ctl & (x ^ y));
}
/*
* Equality check: returns 1 if x == y, 0 otherwise.
*/
static inline uint32_t
EQ(uint32_t x, uint32_t y)
{
uint32_t q;
q = x ^ y;
return NOT((q | -q) >> 31);
}
/*
* Inequality check: returns 1 if x != y, 0 otherwise.
*/
static inline uint32_t
NEQ(uint32_t x, uint32_t y)
{
uint32_t q;
q = x ^ y;
return (q | -q) >> 31;
}
/*
* Comparison: returns 1 if x > y, 0 otherwise.
*/
static inline uint32_t
GT(uint32_t x, uint32_t y)
{
/*
* If both x < 2^31 and x < 2^31, then y-x will have its high
* bit set if x > y, cleared otherwise.
*
* If either x >= 2^31 or y >= 2^31 (but not both), then the
* result is the high bit of x.
*
* If both x >= 2^31 and y >= 2^31, then we can virtually
* subtract 2^31 from both, and we are back to the first case.
* Since (y-2^31)-(x-2^31) = y-x, the subtraction is already
* fine.
*/
uint32_t z;
z = y - x;
return (z ^ ((x ^ y) & (x ^ z))) >> 31;
}
/*
* Other comparisons (greater-or-equal, lower-than, lower-or-equal).
*/
#define GE(x, y) NOT(GT(y, x))
#define LT(x, y) GT(y, x)
#define LE(x, y) NOT(GT(x, y))
/*
* General comparison: returned value is -1, 0 or 1, depending on
* whether x is lower than, equal to, or greater than y.
*/
static inline int32_t
CMP(uint32_t x, uint32_t y)
{
return (int32_t)GT(x, y) | -(int32_t)GT(y, x);
}
/*
* Returns 1 if x == 0, 0 otherwise. Take care that the operand is signed.
*/
static inline uint32_t
EQ0(int32_t x)
{
uint32_t q;
q = (uint32_t)x;
return ~(q | -q) >> 31;
}
/*
* Returns 1 if x > 0, 0 otherwise. Take care that the operand is signed.
*/
static inline uint32_t
GT0(int32_t x)
{
/*
* High bit of -x is 0 if x == 0, but 1 if x > 0.
*/
uint32_t q;
q = (uint32_t)x;
return (~q & -q) >> 31;
}
/*
* Returns 1 if x >= 0, 0 otherwise. Take care that the operand is signed.
*/
static inline uint32_t
GE0(int32_t x)
{
return ~(uint32_t)x >> 31;
}
/*
* Returns 1 if x < 0, 0 otherwise. Take care that the operand is signed.
*/
static inline uint32_t
LT0(int32_t x)
{
return (uint32_t)x >> 31;
}
/*
* Returns 1 if x <= 0, 0 otherwise. Take care that the operand is signed.
*/
static inline uint32_t
LE0(int32_t x)
{
uint32_t q;
/*
* ~-x has its high bit set if and only if -x is nonnegative (as
* a signed int), i.e. x is in the -(2^31-1) to 0 range. We must
* do an OR with x itself to account for x = -2^31.
*/
q = (uint32_t)x;
return (q | ~-q) >> 31;
}
/*
* Conditional copy: src[] is copied into dst[] if and only if ctl is 1.
* dst[] and src[] may overlap completely (but not partially).
*/
void br_ccopy(uint32_t ctl, void *dst, const void *src, size_t len);
#define CCOPY br_ccopy
/*
* Compute the bit length of a 32-bit integer. Returned value is between 0
* and 32 (inclusive).
*/
static inline uint32_t
BIT_LENGTH(uint32_t x)
{
uint32_t k, c;
k = NEQ(x, 0);
c = GT(x, 0xFFFF); x = MUX(c, x >> 16, x); k += c << 4;
c = GT(x, 0x00FF); x = MUX(c, x >> 8, x); k += c << 3;
c = GT(x, 0x000F); x = MUX(c, x >> 4, x); k += c << 2;
c = GT(x, 0x0003); x = MUX(c, x >> 2, x); k += c << 1;
k += GT(x, 0x0001);
return k;
}
/*
* Compute the minimum of x and y.
*/
static inline uint32_t
MIN(uint32_t x, uint32_t y)
{
return MUX(GT(x, y), y, x);
}
/*
* Compute the maximum of x and y.
*/
static inline uint32_t
MAX(uint32_t x, uint32_t y)
{
return MUX(GT(x, y), x, y);
}
/*
* Multiply two 32-bit integers, with a 64-bit result. This default
* implementation assumes that the basic multiplication operator
* yields constant-time code.
*/
#define MUL(x, y) ((uint64_t)(x) * (uint64_t)(y))
#if BR_CT_MUL31
/*
* Alternate implementation of MUL31, that will be constant-time on some
* (old) platforms where the default MUL31 is not. Unfortunately, it is
* also substantially slower, and yields larger code, on more modern
* platforms, which is why it is deactivated by default.
*
* MUL31_lo() must do some extra work because on some platforms, the
* _signed_ multiplication may return early if the top bits are 1.
* Simply truncating (casting) the output of MUL31() would not be
* sufficient, because the compiler may notice that we keep only the low
* word, and then replace automatically the unsigned multiplication with
* a signed multiplication opcode.
*/
#define MUL31(x, y) ((uint64_t)((x) | (uint32_t)0x80000000) \
* (uint64_t)((y) | (uint32_t)0x80000000) \
- ((uint64_t)(x) << 31) - ((uint64_t)(y) << 31) \
- ((uint64_t)1 << 62))
static inline uint32_t
MUL31_lo(uint32_t x, uint32_t y)
{
uint32_t xl, xh;
uint32_t yl, yh;
xl = (x & 0xFFFF) | (uint32_t)0x80000000;
xh = (x >> 16) | (uint32_t)0x80000000;
yl = (y & 0xFFFF) | (uint32_t)0x80000000;
yh = (y >> 16) | (uint32_t)0x80000000;
return (xl * yl + ((xl * yh + xh * yl) << 16)) & (uint32_t)0x7FFFFFFF;
}
#else
/*
* Multiply two 31-bit integers, with a 62-bit result. This default
* implementation assumes that the basic multiplication operator
* yields constant-time code.
* The MUL31_lo() macro returns only the low 31 bits of the product.
*/
#define MUL31(x, y) ((uint64_t)(x) * (uint64_t)(y))
#define MUL31_lo(x, y) (((uint32_t)(x) * (uint32_t)(y)) & (uint32_t)0x7FFFFFFF)
#endif
/*
* Multiply two words together; the sum of the lengths of the two
* operands must not exceed 31 (for instance, one operand may use 16
* bits if the other fits on 15). If BR_CT_MUL15 is non-zero, then the
* macro will contain some extra operations that help in making the
* operation constant-time on some platforms, where the basic 32-bit
* multiplication is not constant-time.
*/
#if BR_CT_MUL15
#define MUL15(x, y) (((uint32_t)(x) | (uint32_t)0x80000000) \
* ((uint32_t)(y) | (uint32_t)0x80000000) \
& (uint32_t)0x7FFFFFFF)
#else
#define MUL15(x, y) ((uint32_t)(x) * (uint32_t)(y))
#endif
/*
* Arithmetic right shift (sign bit is copied). What happens when
* right-shifting a negative value is _implementation-defined_, so it
* does not trigger undefined behaviour, but it is still up to each
* compiler to define (and document) what it does. Most/all compilers
* will do an arithmetic shift, the sign bit being used to fill the
* holes; this is a native operation on the underlying CPU, and it would
* make little sense for the compiler to do otherwise. GCC explicitly
* documents that it follows that convention.
*
* Still, if BR_NO_ARITH_SHIFT is defined (and non-zero), then an
* alternate version will be used, that does not rely on such
* implementation-defined behaviour. Unfortunately, it is also slower
* and yields bigger code, which is why it is deactivated by default.
*/
#if BR_NO_ARITH_SHIFT
#define ARSH(x, n) (((uint32_t)(x) >> (n)) \
| ((-((uint32_t)(x) >> 31)) << (32 - (n))))
#else
#define ARSH(x, n) ((*(int32_t *)&(x)) >> (n))
#endif
/*
* Constant-time division. The dividend hi:lo is divided by the
* divisor d; the quotient is returned and the remainder is written
* in *r. If hi == d, then the quotient does not fit on 32 bits;
* returned value is thus truncated. If hi > d, returned values are
* indeterminate.
*/
uint32_t br_divrem(uint32_t hi, uint32_t lo, uint32_t d, uint32_t *r);
/*
* Wrapper for br_divrem(); the remainder is returned, and the quotient
* is discarded.
*/
static inline uint32_t
br_rem(uint32_t hi, uint32_t lo, uint32_t d)
{
uint32_t r;
br_divrem(hi, lo, d, &r);
return r;
}
/*
* Wrapper for br_divrem(); the quotient is returned, and the remainder
* is discarded.
*/
static inline uint32_t
br_div(uint32_t hi, uint32_t lo, uint32_t d)
{
uint32_t r;
return br_divrem(hi, lo, d, &r);
}
/* ==================================================================== */
/*
* Integers 'i32'
* --------------
*
* The 'i32' functions implement computations on big integers using
* an internal representation as an array of 32-bit integers. For
* an array x[]:
* -- x[0] contains the "announced bit length" of the integer
* -- x[1], x[2]... contain the value in little-endian order (x[1]
* contains the least significant 32 bits)
*
* Multiplications rely on the elementary 32x32->64 multiplication.
*
* The announced bit length specifies the number of bits that are
* significant in the subsequent 32-bit words. Unused bits in the
* last (most significant) word are set to 0; subsequent words are
* uninitialized and need not exist at all.
*
* The execution time and memory access patterns of all computations
* depend on the announced bit length, but not on the actual word
* values. For modular integers, the announced bit length of any integer
* modulo n is equal to the actual bit length of n; thus, computations
* on modular integers are "constant-time" (only the modulus length may
* leak).
*/
/*
* Compute the actual bit length of an integer. The argument x should
* point to the first (least significant) value word of the integer.
* The len 'xlen' contains the number of 32-bit words to access.
*
* CT: value or length of x does not leak.
*/
uint32_t br_i32_bit_length(uint32_t *x, size_t xlen);
/*
* Decode an integer from its big-endian unsigned representation. The
* "true" bit length of the integer is computed, but all words of x[]
* corresponding to the full 'len' bytes of the source are set.
*
* CT: value or length of x does not leak.
*/
void br_i32_decode(uint32_t *x, const void *src, size_t len);
/*
* Decode an integer from its big-endian unsigned representation. The
* integer MUST be lower than m[]; the announced bit length written in
* x[] will be equal to that of m[]. All 'len' bytes from the source are
* read.
*
* Returned value is 1 if the decode value fits within the modulus, 0
* otherwise. In the latter case, the x[] buffer will be set to 0 (but
* still with the announced bit length of m[]).
*
* CT: value or length of x does not leak. Memory access pattern depends
* only of 'len' and the announced bit length of m. Whether x fits or
* not does not leak either.
*/
uint32_t br_i32_decode_mod(uint32_t *x,
const void *src, size_t len, const uint32_t *m);
/*
* Reduce an integer (a[]) modulo another (m[]). The result is written
* in x[] and its announced bit length is set to be equal to that of m[].
*
* x[] MUST be distinct from a[] and m[].
*
* CT: only announced bit lengths leak, not values of x, a or m.
*/
void br_i32_reduce(uint32_t *x, const uint32_t *a, const uint32_t *m);
/*
* Decode an integer from its big-endian unsigned representation, and
* reduce it modulo the provided modulus m[]. The announced bit length
* of the result is set to be equal to that of the modulus.
*
* x[] MUST be distinct from m[].
*/
void br_i32_decode_reduce(uint32_t *x,
const void *src, size_t len, const uint32_t *m);
/*
* Encode an integer into its big-endian unsigned representation. The
* output length in bytes is provided (parameter 'len'); if the length
* is too short then the integer is appropriately truncated; if it is
* too long then the extra bytes are set to 0.
*/
void br_i32_encode(void *dst, size_t len, const uint32_t *x);
/*
* Multiply x[] by 2^32 and then add integer z, modulo m[]. This
* function assumes that x[] and m[] have the same announced bit
* length, and the announced bit length of m[] matches its true
* bit length.
*
* x[] and m[] MUST be distinct arrays.
*
* CT: only the common announced bit length of x and m leaks, not
* the values of x, z or m.
*/
void br_i32_muladd_small(uint32_t *x, uint32_t z, const uint32_t *m);
/*
* Extract one word from an integer. The offset is counted in bits.
* The word MUST entirely fit within the word elements corresponding
* to the announced bit length of a[].
*/
static inline uint32_t
br_i32_word(const uint32_t *a, uint32_t off)
{
size_t u;
unsigned j;
u = (size_t)(off >> 5) + 1;
j = (unsigned)off & 31;
if (j == 0) {
return a[u];
} else {
return (a[u] >> j) | (a[u + 1] << (32 - j));
}
}
/*
* Test whether an integer is zero.
*/
uint32_t br_i32_iszero(const uint32_t *x);
/*
* Add b[] to a[] and return the carry (0 or 1). If ctl is 0, then a[]
* is unmodified, but the carry is still computed and returned. The
* arrays a[] and b[] MUST have the same announced bit length.
*
* a[] and b[] MAY be the same array, but partial overlap is not allowed.
*/
uint32_t br_i32_add(uint32_t *a, const uint32_t *b, uint32_t ctl);
/*
* Subtract b[] from a[] and return the carry (0 or 1). If ctl is 0,
* then a[] is unmodified, but the carry is still computed and returned.
* The arrays a[] and b[] MUST have the same announced bit length.
*
* a[] and b[] MAY be the same array, but partial overlap is not allowed.
*/
uint32_t br_i32_sub(uint32_t *a, const uint32_t *b, uint32_t ctl);
/*
* Compute d+a*b, result in d. The initial announced bit length of d[]
* MUST match that of a[]. The d[] array MUST be large enough to
* accommodate the full result, plus (possibly) an extra word. The
* resulting announced bit length of d[] will be the sum of the announced
* bit lengths of a[] and b[] (therefore, it may be larger than the actual
* bit length of the numerical result).
*
* a[] and b[] may be the same array. d[] must be disjoint from both a[]
* and b[].
*/
void br_i32_mulacc(uint32_t *d, const uint32_t *a, const uint32_t *b);
/*
* Zeroize an integer. The announced bit length is set to the provided
* value, and the corresponding words are set to 0.
*/
static inline void
br_i32_zero(uint32_t *x, uint32_t bit_len)
{
*x ++ = bit_len;
memset(x, 0, ((bit_len + 31) >> 5) * sizeof *x);
}
/*
* Compute -(1/x) mod 2^32. If x is even, then this function returns 0.
*/
uint32_t br_i32_ninv32(uint32_t x);
/*
* Convert a modular integer to Montgomery representation. The integer x[]
* MUST be lower than m[], but with the same announced bit length.
*/
void br_i32_to_monty(uint32_t *x, const uint32_t *m);
/*
* Convert a modular integer back from Montgomery representation. The
* integer x[] MUST be lower than m[], but with the same announced bit
* length. The "m0i" parameter is equal to -(1/m0) mod 2^32, where m0 is
* the least significant value word of m[] (this works only if m[] is
* an odd integer).
*/
void br_i32_from_monty(uint32_t *x, const uint32_t *m, uint32_t m0i);
/*
* Compute a modular Montgomery multiplication. d[] is filled with the
* value of x*y/R modulo m[] (where R is the Montgomery factor). The
* array d[] MUST be distinct from x[], y[] and m[]. x[] and y[] MUST be
* numerically lower than m[]. x[] and y[] MAY be the same array. The
* "m0i" parameter is equal to -(1/m0) mod 2^32, where m0 is the least
* significant value word of m[] (this works only if m[] is an odd
* integer).
*/
void br_i32_montymul(uint32_t *d, const uint32_t *x, const uint32_t *y,
const uint32_t *m, uint32_t m0i);
/*
* Compute a modular exponentiation. x[] MUST be an integer modulo m[]
* (same announced bit length, lower value). m[] MUST be odd. The
* exponent is in big-endian unsigned notation, over 'elen' bytes. The
* "m0i" parameter is equal to -(1/m0) mod 2^32, where m0 is the least
* significant value word of m[] (this works only if m[] is an odd
* integer). The t1[] and t2[] parameters must be temporary arrays,
* each large enough to accommodate an integer with the same size as m[].
*/
void br_i32_modpow(uint32_t *x, const unsigned char *e, size_t elen,
const uint32_t *m, uint32_t m0i, uint32_t *t1, uint32_t *t2);
/* ==================================================================== */
/*
* Integers 'i31'
* --------------
*
* The 'i31' functions implement computations on big integers using
* an internal representation as an array of 32-bit integers. For
* an array x[]:
* -- x[0] encodes the array length and the "announced bit length"
* of the integer: namely, if the announced bit length is k,
* then x[0] = ((k / 31) << 5) + (k % 31).
* -- x[1], x[2]... contain the value in little-endian order, 31
* bits per word (x[1] contains the least significant 31 bits).
* The upper bit of each word is 0.
*
* Multiplications rely on the elementary 32x32->64 multiplication.
*
* The announced bit length specifies the number of bits that are
* significant in the subsequent 32-bit words. Unused bits in the
* last (most significant) word are set to 0; subsequent words are
* uninitialized and need not exist at all.
*
* The execution time and memory access patterns of all computations
* depend on the announced bit length, but not on the actual word
* values. For modular integers, the announced bit length of any integer
* modulo n is equal to the actual bit length of n; thus, computations
* on modular integers are "constant-time" (only the modulus length may
* leak).
*/
/*
* Test whether an integer is zero.
*/
uint32_t br_i31_iszero(const uint32_t *x);
/*
* Add b[] to a[] and return the carry (0 or 1). If ctl is 0, then a[]
* is unmodified, but the carry is still computed and returned. The
* arrays a[] and b[] MUST have the same announced bit length.
*
* a[] and b[] MAY be the same array, but partial overlap is not allowed.
*/
uint32_t br_i31_add(uint32_t *a, const uint32_t *b, uint32_t ctl);
/*
* Subtract b[] from a[] and return the carry (0 or 1). If ctl is 0,
* then a[] is unmodified, but the carry is still computed and returned.
* The arrays a[] and b[] MUST have the same announced bit length.
*
* a[] and b[] MAY be the same array, but partial overlap is not allowed.
*/
uint32_t br_i31_sub(uint32_t *a, const uint32_t *b, uint32_t ctl);
/*
* Compute the ENCODED actual bit length of an integer. The argument x
* should point to the first (least significant) value word of the
* integer. The len 'xlen' contains the number of 32-bit words to
* access. The upper bit of each value word MUST be 0.
* Returned value is ((k / 31) << 5) + (k % 31) if the bit length is k.
*
* CT: value or length of x does not leak.
*/
uint32_t br_i31_bit_length(uint32_t *x, size_t xlen);
/*
* Decode an integer from its big-endian unsigned representation. The
* "true" bit length of the integer is computed and set in the encoded
* announced bit length (x[0]), but all words of x[] corresponding to
* the full 'len' bytes of the source are set.
*
* CT: value or length of x does not leak.
*/
void br_i31_decode(uint32_t *x, const void *src, size_t len);
/*
* Decode an integer from its big-endian unsigned representation. The
* integer MUST be lower than m[]; the (encoded) announced bit length
* written in x[] will be equal to that of m[]. All 'len' bytes from the
* source are read.
*
* Returned value is 1 if the decode value fits within the modulus, 0
* otherwise. In the latter case, the x[] buffer will be set to 0 (but
* still with the announced bit length of m[]).
*
* CT: value or length of x does not leak. Memory access pattern depends
* only of 'len' and the announced bit length of m. Whether x fits or
* not does not leak either.
*/
uint32_t br_i31_decode_mod(uint32_t *x,
const void *src, size_t len, const uint32_t *m);
/*
* Zeroize an integer. The announced bit length is set to the provided
* value, and the corresponding words are set to 0. The ENCODED bit length
* is expected here.
*/
static inline void
br_i31_zero(uint32_t *x, uint32_t bit_len)
{
*x ++ = bit_len;
memset(x, 0, ((bit_len + 31) >> 5) * sizeof *x);
}
/*
* Right-shift an integer. The shift amount must be lower than 31
* bits.
*/
void br_i31_rshift(uint32_t *x, int count);
/*
* Reduce an integer (a[]) modulo another (m[]). The result is written
* in x[] and its announced bit length is set to be equal to that of m[].
*
* x[] MUST be distinct from a[] and m[].
*
* CT: only announced bit lengths leak, not values of x, a or m.
*/
void br_i31_reduce(uint32_t *x, const uint32_t *a, const uint32_t *m);
/*
* Decode an integer from its big-endian unsigned representation, and
* reduce it modulo the provided modulus m[]. The announced bit length
* of the result is set to be equal to that of the modulus.
*
* x[] MUST be distinct from m[].
*/
void br_i31_decode_reduce(uint32_t *x,
const void *src, size_t len, const uint32_t *m);
/*
* Multiply x[] by 2^31 and then add integer z, modulo m[]. This
* function assumes that x[] and m[] have the same announced bit
* length, the announced bit length of m[] matches its true
* bit length.
*
* x[] and m[] MUST be distinct arrays. z MUST fit in 31 bits (upper
* bit set to 0).
*
* CT: only the common announced bit length of x and m leaks, not
* the values of x, z or m.
*/
void br_i31_muladd_small(uint32_t *x, uint32_t z, const uint32_t *m);
/*
* Encode an integer into its big-endian unsigned representation. The
* output length in bytes is provided (parameter 'len'); if the length
* is too short then the integer is appropriately truncated; if it is
* too long then the extra bytes are set to 0.
*/
void br_i31_encode(void *dst, size_t len, const uint32_t *x);
/*
* Compute -(1/x) mod 2^31. If x is even, then this function returns 0.
*/
uint32_t br_i31_ninv31(uint32_t x);
/*
* Compute a modular Montgomery multiplication. d[] is filled with the
* value of x*y/R modulo m[] (where R is the Montgomery factor). The
* array d[] MUST be distinct from x[], y[] and m[]. x[] and y[] MUST be
* numerically lower than m[]. x[] and y[] MAY be the same array. The
* "m0i" parameter is equal to -(1/m0) mod 2^31, where m0 is the least
* significant value word of m[] (this works only if m[] is an odd
* integer).
*/
void br_i31_montymul(uint32_t *d, const uint32_t *x, const uint32_t *y,
const uint32_t *m, uint32_t m0i);
/*
* Convert a modular integer to Montgomery representation. The integer x[]
* MUST be lower than m[], but with the same announced bit length.
*/
void br_i31_to_monty(uint32_t *x, const uint32_t *m);
/*
* Convert a modular integer back from Montgomery representation. The
* integer x[] MUST be lower than m[], but with the same announced bit
* length. The "m0i" parameter is equal to -(1/m0) mod 2^32, where m0 is
* the least significant value word of m[] (this works only if m[] is
* an odd integer).
*/
void br_i31_from_monty(uint32_t *x, const uint32_t *m, uint32_t m0i);
/*
* Compute a modular exponentiation. x[] MUST be an integer modulo m[]
* (same announced bit length, lower value). m[] MUST be odd. The
* exponent is in big-endian unsigned notation, over 'elen' bytes. The
* "m0i" parameter is equal to -(1/m0) mod 2^31, where m0 is the least
* significant value word of m[] (this works only if m[] is an odd
* integer). The t1[] and t2[] parameters must be temporary arrays,
* each large enough to accommodate an integer with the same size as m[].
*/
void br_i31_modpow(uint32_t *x, const unsigned char *e, size_t elen,
const uint32_t *m, uint32_t m0i, uint32_t *t1, uint32_t *t2);
/*
* Compute a modular exponentiation. x[] MUST be an integer modulo m[]
* (same announced bit length, lower value). m[] MUST be odd. The
* exponent is in big-endian unsigned notation, over 'elen' bytes. The
* "m0i" parameter is equal to -(1/m0) mod 2^31, where m0 is the least
* significant value word of m[] (this works only if m[] is an odd
* integer). The tmp[] array is used for temporaries, and has size
* 'twlen' words; it must be large enough to accommodate at least two
* temporary values with the same size as m[] (including the leading
* "bit length" word). If there is room for more temporaries, then this
* function may use the extra room for window-based optimisation,
* resulting in faster computations.
*
* Returned value is 1 on success, 0 on error. An error is reported if
* the provided tmp[] array is too short.
*/
uint32_t br_i31_modpow_opt(uint32_t *x, const unsigned char *e, size_t elen,
const uint32_t *m, uint32_t m0i, uint32_t *tmp, size_t twlen);
/*
* Compute d+a*b, result in d. The initial announced bit length of d[]
* MUST match that of a[]. The d[] array MUST be large enough to
* accommodate the full result, plus (possibly) an extra word. The
* resulting announced bit length of d[] will be the sum of the announced
* bit lengths of a[] and b[] (therefore, it may be larger than the actual
* bit length of the numerical result).
*
* a[] and b[] may be the same array. d[] must be disjoint from both a[]
* and b[].
*/
void br_i31_mulacc(uint32_t *d, const uint32_t *a, const uint32_t *b);
/*
* Compute x/y mod m, result in x. Values x and y must be between 0 and
* m-1, and have the same announced bit length as m. Modulus m must be
* odd. The "m0i" parameter is equal to -1/m mod 2^31. The array 't'
* must point to a temporary area that can hold at least three integers
* of the size of m.
*
* m may not overlap x and y. x and y may overlap each other (this can
* be useful to test whether a value is invertible modulo m). t must be
* disjoint from all other arrays.
*
* Returned value is 1 on success, 0 otherwise. Success is attained if
* y is invertible modulo m.
*/
uint32_t br_i31_moddiv(uint32_t *x, const uint32_t *y,
const uint32_t *m, uint32_t m0i, uint32_t *t);
/* ==================================================================== */
/*
* FIXME: document "i15" functions.
*/
static inline void
br_i15_zero(uint16_t *x, uint16_t bit_len)
{
*x ++ = bit_len;
memset(x, 0, ((bit_len + 15) >> 4) * sizeof *x);
}
uint32_t br_i15_iszero(const uint16_t *x);
uint16_t br_i15_ninv15(uint16_t x);
uint32_t br_i15_add(uint16_t *a, const uint16_t *b, uint32_t ctl);
uint32_t br_i15_sub(uint16_t *a, const uint16_t *b, uint32_t ctl);
void br_i15_muladd_small(uint16_t *x, uint16_t z, const uint16_t *m);
void br_i15_montymul(uint16_t *d, const uint16_t *x, const uint16_t *y,
const uint16_t *m, uint16_t m0i);
void br_i15_to_monty(uint16_t *x, const uint16_t *m);
void br_i15_modpow(uint16_t *x, const unsigned char *e, size_t elen,
const uint16_t *m, uint16_t m0i, uint16_t *t1, uint16_t *t2);
uint32_t br_i15_modpow_opt(uint16_t *x, const unsigned char *e, size_t elen,
const uint16_t *m, uint16_t m0i, uint16_t *tmp, size_t twlen);
void br_i15_encode(void *dst, size_t len, const uint16_t *x);
uint32_t br_i15_decode_mod(uint16_t *x,
const void *src, size_t len, const uint16_t *m);
void br_i15_rshift(uint16_t *x, int count);
uint32_t br_i15_bit_length(uint16_t *x, size_t xlen);
void br_i15_decode(uint16_t *x, const void *src, size_t len);
void br_i15_from_monty(uint16_t *x, const uint16_t *m, uint16_t m0i);
void br_i15_decode_reduce(uint16_t *x,
const void *src, size_t len, const uint16_t *m);
void br_i15_reduce(uint16_t *x, const uint16_t *a, const uint16_t *m);
void br_i15_mulacc(uint16_t *d, const uint16_t *a, const uint16_t *b);
uint32_t br_i15_moddiv(uint16_t *x, const uint16_t *y,
const uint16_t *m, uint16_t m0i, uint16_t *t);
/*
* Variant of br_i31_modpow_opt() that internally uses 64x64->128
* multiplications. It expects the same parameters as br_i31_modpow_opt(),
* except that the temporaries should be 64-bit integers, not 32-bit
* integers.
*/
uint32_t br_i62_modpow_opt(uint32_t *x31, const unsigned char *e, size_t elen,
const uint32_t *m31, uint32_t m0i31, uint64_t *tmp, size_t twlen);
/*
* Type for a function with the same API as br_i31_modpow_opt() (some
* implementations of this type may have stricter alignment requirements
* on the temporaries).
*/
typedef uint32_t (*br_i31_modpow_opt_type)(uint32_t *x,
const unsigned char *e, size_t elen,
const uint32_t *m, uint32_t m0i, uint32_t *tmp, size_t twlen);
/*
* Wrapper for br_i62_modpow_opt() that uses the same type as
* br_i31_modpow_opt(); however, it requires its 'tmp' argument to the
* 64-bit aligned.
*/
uint32_t br_i62_modpow_opt_as_i31(uint32_t *x,
const unsigned char *e, size_t elen,
const uint32_t *m, uint32_t m0i, uint32_t *tmp, size_t twlen);
/* ==================================================================== */
static inline size_t
br_digest_size(const br_hash_class *digest_class)
{
return (size_t)(digest_class->desc >> BR_HASHDESC_OUT_OFF)
& BR_HASHDESC_OUT_MASK;
}
/*
* Get the output size (in bytes) of a hash function.
*/
size_t br_digest_size_by_ID(int digest_id);
/*
* Get the OID (encoded OBJECT IDENTIFIER value, without tag and length)
* for a hash function. If digest_id is not a supported digest identifier
* (in particular if it is equal to 0, i.e. br_md5sha1_ID), then NULL is
* returned and *len is set to 0.
*/
const unsigned char *br_digest_OID(int digest_id, size_t *len);
/* ==================================================================== */
/*
* DES support functions.
*/
/*
* Apply DES Initial Permutation.
*/
void br_des_do_IP(uint32_t *xl, uint32_t *xr);
/*
* Apply DES Final Permutation (inverse of IP).
*/
void br_des_do_invIP(uint32_t *xl, uint32_t *xr);
/*
* Key schedule unit: for a DES key (8 bytes), compute 16 subkeys. Each
* subkey is two 28-bit words represented as two 32-bit words; the PC-2
* bit extration is NOT applied.
*/
void br_des_keysched_unit(uint32_t *skey, const void *key);
/*
* Reversal of 16 DES sub-keys (for decryption).
*/
void br_des_rev_skey(uint32_t *skey);
/*
* DES/3DES key schedule for 'des_tab' (encryption direction). Returned
* value is the number of rounds.
*/
unsigned br_des_tab_keysched(uint32_t *skey, const void *key, size_t key_len);
/*
* DES/3DES key schedule for 'des_ct' (encryption direction). Returned
* value is the number of rounds.
*/
unsigned br_des_ct_keysched(uint32_t *skey, const void *key, size_t key_len);
/*
* DES/3DES subkey decompression (from the compressed bitsliced subkeys).
*/
void br_des_ct_skey_expand(uint32_t *sk_exp,
unsigned num_rounds, const uint32_t *skey);
/*
* DES/3DES block encryption/decryption ('des_tab').
*/
void br_des_tab_process_block(unsigned num_rounds,
const uint32_t *skey, void *block);
/*
* DES/3DES block encryption/decryption ('des_ct').
*/
void br_des_ct_process_block(unsigned num_rounds,
const uint32_t *skey, void *block);
/* ==================================================================== */
/*
* AES support functions.
*/
/*
* The AES S-box (256-byte table).
*/
extern const unsigned char br_aes_S[];
/*
* AES key schedule. skey[] is filled with n+1 128-bit subkeys, where n
* is the number of rounds (10 to 14, depending on key size). The number
* of rounds is returned. If the key size is invalid (not 16, 24 or 32),
* then 0 is returned.
*
* This implementation uses a 256-byte table and is NOT constant-time.
*/
unsigned br_aes_keysched(uint32_t *skey, const void *key, size_t key_len);
/*
* AES key schedule for decryption ('aes_big' implementation).
*/
unsigned br_aes_big_keysched_inv(uint32_t *skey,
const void *key, size_t key_len);
/*
* AES block encryption with the 'aes_big' implementation (fast, but
* not constant-time). This function encrypts a single block "in place".
*/
void br_aes_big_encrypt(unsigned num_rounds, const uint32_t *skey, void *data);
/*
* AES block decryption with the 'aes_big' implementation (fast, but
* not constant-time). This function decrypts a single block "in place".
*/
void br_aes_big_decrypt(unsigned num_rounds, const uint32_t *skey, void *data);
/*
* AES block encryption with the 'aes_small' implementation (small, but
* slow and not constant-time). This function encrypts a single block
* "in place".
*/
void br_aes_small_encrypt(unsigned num_rounds,
const uint32_t *skey, void *data);
/*
* AES block decryption with the 'aes_small' implementation (small, but
* slow and not constant-time). This function decrypts a single block
* "in place".
*/
void br_aes_small_decrypt(unsigned num_rounds,
const uint32_t *skey, void *data);
/*
* The constant-time implementation is "bitsliced": the 128-bit state is
* split over eight 32-bit words q* in the following way:
*
* -- Input block consists in 16 bytes:
* a00 a10 a20 a30 a01 a11 a21 a31 a02 a12 a22 a32 a03 a13 a23 a33
* In the terminology of FIPS 197, this is a 4x4 matrix which is read
* column by column.
*
* -- Each byte is split into eight bits which are distributed over the
* eight words, at the same rank. Thus, for a byte x at rank k, bit 0
* (least significant) of x will be at rank k in q0 (if that bit is b,
* then it contributes "b << k" to the value of q0), bit 1 of x will be
* at rank k in q1, and so on.
*
* -- Ranks given to bits are in "row order" and are either all even, or
* all odd. Two independent AES states are thus interleaved, one using
* the even ranks, the other the odd ranks. Row order means:
* a00 a01 a02 a03 a10 a11 a12 a13 a20 a21 a22 a23 a30 a31 a32 a33
*
* Converting input bytes from two AES blocks to bitslice representation
* is done in the following way:
* -- Decode first block into the four words q0 q2 q4 q6, in that order,
* using little-endian convention.
* -- Decode second block into the four words q1 q3 q5 q7, in that order,
* using little-endian convention.
* -- Call br_aes_ct_ortho().
*
* Converting back to bytes is done by using the reverse operations. Note
* that br_aes_ct_ortho() is its own inverse.
*/
/*
* Perform bytewise orthogonalization of eight 32-bit words. Bytes
* of q0..q7 are spread over all words: for a byte x that occurs
* at rank i in q[j] (byte x uses bits 8*i to 8*i+7 in q[j]), the bit
* of rank k in x (0 <= k <= 7) goes to q[k] at rank 8*i+j.
*
* This operation is an involution.
*/
void br_aes_ct_ortho(uint32_t *q);
/*
* The AES S-box, as a bitsliced constant-time version. The input array
* consists in eight 32-bit words; 32 S-box instances are computed in
* parallel. Bits 0 to 7 of each S-box input (bit 0 is least significant)
* are spread over the words 0 to 7, at the same rank.
*/
void br_aes_ct_bitslice_Sbox(uint32_t *q);
/*
* Like br_aes_bitslice_Sbox(), but for the inverse S-box.
*/
void br_aes_ct_bitslice_invSbox(uint32_t *q);
/*
* Compute AES encryption on bitsliced data. Since input is stored on
* eight 32-bit words, two block encryptions are actually performed
* in parallel.
*/
void br_aes_ct_bitslice_encrypt(unsigned num_rounds,
const uint32_t *skey, uint32_t *q);
/*
* Compute AES decryption on bitsliced data. Since input is stored on
* eight 32-bit words, two block decryptions are actually performed
* in parallel.
*/
void br_aes_ct_bitslice_decrypt(unsigned num_rounds,
const uint32_t *skey, uint32_t *q);
/*
* AES key schedule, constant-time version. skey[] is filled with n+1
* 128-bit subkeys, where n is the number of rounds (10 to 14, depending
* on key size). The number of rounds is returned. If the key size is
* invalid (not 16, 24 or 32), then 0 is returned.
*/
unsigned br_aes_ct_keysched(uint32_t *comp_skey,
const void *key, size_t key_len);
/*
* Expand AES subkeys as produced by br_aes_ct_keysched(), into
* a larger array suitable for br_aes_ct_bitslice_encrypt() and
* br_aes_ct_bitslice_decrypt().
*/
void br_aes_ct_skey_expand(uint32_t *skey,
unsigned num_rounds, const uint32_t *comp_skey);
/*
* For the ct64 implementation, the same bitslicing technique is used,
* but four instances are interleaved. First instance uses bits 0, 4,
* 8, 12,... of each word; second instance uses bits 1, 5, 9, 13,...
* and so on.
*/
/*
* Perform bytewise orthogonalization of eight 64-bit words. Bytes
* of q0..q7 are spread over all words: for a byte x that occurs
* at rank i in q[j] (byte x uses bits 8*i to 8*i+7 in q[j]), the bit
* of rank k in x (0 <= k <= 7) goes to q[k] at rank 8*i+j.
*
* This operation is an involution.
*/
void br_aes_ct64_ortho(uint64_t *q);
/*
* Interleave bytes for an AES input block. If input bytes are
* denoted 0123456789ABCDEF, and have been decoded with little-endian
* convention (w[0] contains 0123, with '3' being most significant;
* w[1] contains 4567, and so on), then output word q0 will be
* set to 08192A3B (again little-endian convention) and q1 will
* be set to 4C5D6E7F.
*/
void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w);
/*
* Perform the opposite of br_aes_ct64_interleave_in().
*/
void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1);
/*
* The AES S-box, as a bitsliced constant-time version. The input array
* consists in eight 64-bit words; 64 S-box instances are computed in
* parallel. Bits 0 to 7 of each S-box input (bit 0 is least significant)
* are spread over the words 0 to 7, at the same rank.
*/
void br_aes_ct64_bitslice_Sbox(uint64_t *q);
/*
* Like br_aes_bitslice_Sbox(), but for the inverse S-box.
*/
void br_aes_ct64_bitslice_invSbox(uint64_t *q);
/*
* Compute AES encryption on bitsliced data. Since input is stored on
* eight 64-bit words, four block encryptions are actually performed
* in parallel.
*/
void br_aes_ct64_bitslice_encrypt(unsigned num_rounds,
const uint64_t *skey, uint64_t *q);
/*
* Compute AES decryption on bitsliced data. Since input is stored on
* eight 64-bit words, four block decryptions are actually performed
* in parallel.
*/
void br_aes_ct64_bitslice_decrypt(unsigned num_rounds,
const uint64_t *skey, uint64_t *q);
/*
* AES key schedule, constant-time version. skey[] is filled with n+1
* 128-bit subkeys, where n is the number of rounds (10 to 14, depending
* on key size). The number of rounds is returned. If the key size is
* invalid (not 16, 24 or 32), then 0 is returned.
*/
unsigned br_aes_ct64_keysched(uint64_t *comp_skey,
const void *key, size_t key_len);
/*
* Expand AES subkeys as produced by br_aes_ct64_keysched(), into
* a larger array suitable for br_aes_ct64_bitslice_encrypt() and
* br_aes_ct64_bitslice_decrypt().
*/
void br_aes_ct64_skey_expand(uint64_t *skey,
unsigned num_rounds, const uint64_t *comp_skey);
/*
* Test support for AES-NI opcodes.
*/
int br_aes_x86ni_supported(void);
/*
* AES key schedule, using x86 AES-NI instructions. This yields the
* subkeys in the encryption direction. Number of rounds is returned.
* Key size MUST be 16, 24 or 32 bytes; otherwise, 0 is returned.
*/
unsigned br_aes_x86ni_keysched_enc(unsigned char *skni,
const void *key, size_t len);
/*
* AES key schedule, using x86 AES-NI instructions. This yields the
* subkeys in the decryption direction. Number of rounds is returned.
* Key size MUST be 16, 24 or 32 bytes; otherwise, 0 is returned.
*/
unsigned br_aes_x86ni_keysched_dec(unsigned char *skni,
const void *key, size_t len);
/*
* Test support for AES POWER8 opcodes.
*/
int br_aes_pwr8_supported(void);
/*
* AES key schedule, using POWER8 instructions. This yields the
* subkeys in the encryption direction. Number of rounds is returned.
* Key size MUST be 16, 24 or 32 bytes; otherwise, 0 is returned.
*/
unsigned br_aes_pwr8_keysched(unsigned char *skni,
const void *key, size_t len);
/* ==================================================================== */
/*
* RSA.
*/
/*
* Apply proper PKCS#1 v1.5 padding (for signatures). 'hash_oid' is
* the encoded hash function OID, or NULL.
*/
uint32_t br_rsa_pkcs1_sig_pad(const unsigned char *hash_oid,
const unsigned char *hash, size_t hash_len,
uint32_t n_bitlen, unsigned char *x);
/*
* Check PKCS#1 v1.5 padding (for signatures). 'hash_oid' is the encoded
* hash function OID, or NULL. The provided 'sig' value is _after_ the
* modular exponentiation, i.e. it should be the padded hash. On
* success, the hashed message is extracted.
*/
uint32_t br_rsa_pkcs1_sig_unpad(const unsigned char *sig, size_t sig_len,
const unsigned char *hash_oid, size_t hash_len,
unsigned char *hash_out);
/*
* Apply proper PSS padding. The 'x' buffer is output only: it
* receives the value that is to be exponentiated.
*/
uint32_t br_rsa_pss_sig_pad(const br_prng_class **rng,
const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
const unsigned char *hash, size_t salt_len,
uint32_t n_bitlen, unsigned char *x);
/*
* Check PSS padding. The provided value is the one _after_
* the modular exponentiation; it is modified by this function.
* This function infers the signature length from the public key
* size, i.e. it assumes that this has already been verified (as
* part of the exponentiation).
*/
uint32_t br_rsa_pss_sig_unpad(
const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
const unsigned char *hash, size_t salt_len,
const br_rsa_public_key *pk, unsigned char *x);
/*
* Apply OAEP padding. Returned value is the actual padded string length,
* or zero on error.
*/
size_t br_rsa_oaep_pad(const br_prng_class **rnd, const br_hash_class *dig,
const void *label, size_t label_len, const br_rsa_public_key *pk,
void *dst, size_t dst_nax_len, const void *src, size_t src_len);
/*
* Unravel and check OAEP padding. If the padding is correct, then 1 is
* returned, '*len' is adjusted to the length of the message, and the
* data is moved to the start of the 'data' buffer. If the padding is
* incorrect, then 0 is returned and '*len' is untouched. Either way,
* the complete buffer contents are altered.
*/
uint32_t br_rsa_oaep_unpad(const br_hash_class *dig,
const void *label, size_t label_len, void *data, size_t *len);
/*
* Compute MGF1 for a given seed, and XOR the output into the provided
* buffer.
*/
void br_mgf1_xor(void *data, size_t len,
const br_hash_class *dig, const void *seed, size_t seed_len);
/*
* Inner function for RSA key generation; used by the "i31" and "i62"
* implementations.
*/
uint32_t br_rsa_i31_keygen_inner(const br_prng_class **rng,
br_rsa_private_key *sk, void *kbuf_priv,
br_rsa_public_key *pk, void *kbuf_pub,
unsigned size, uint32_t pubexp, br_i31_modpow_opt_type mp31);
/* ==================================================================== */
/*
* Elliptic curves.
*/
/*
* Type for generic EC parameters: curve order (unsigned big-endian
* encoding) and encoded conventional generator.
*/
typedef struct {
int curve;
const unsigned char *order;
size_t order_len;
const unsigned char *generator;
size_t generator_len;
} br_ec_curve_def;
extern const br_ec_curve_def br_secp256r1;
extern const br_ec_curve_def br_secp384r1;
extern const br_ec_curve_def br_secp521r1;
/*
* For Curve25519, the advertised "order" really is 2^255-1, since the
* point multipliction function really works over arbitrary 255-bit
* scalars. This value is only meant as a hint for ECDH key generation;
* only ECDSA uses the exact curve order, and ECDSA is not used with
* that specific curve.
*/
extern const br_ec_curve_def br_curve25519;
/*
* Decode some bytes as an i31 integer, with truncation (corresponding
* to the 'bits2int' operation in RFC 6979). The target ENCODED bit
* length is provided as last parameter. The resulting value will have
* this declared bit length, and consists the big-endian unsigned decoding
* of exactly that many bits in the source (capped at the source length).
*/
void br_ecdsa_i31_bits2int(uint32_t *x,
const void *src, size_t len, uint32_t ebitlen);
/*
* Decode some bytes as an i15 integer, with truncation (corresponding
* to the 'bits2int' operation in RFC 6979). The target ENCODED bit
* length is provided as last parameter. The resulting value will have
* this declared bit length, and consists the big-endian unsigned decoding
* of exactly that many bits in the source (capped at the source length).
*/
void br_ecdsa_i15_bits2int(uint16_t *x,
const void *src, size_t len, uint32_t ebitlen);
/* ==================================================================== */
/*
* ASN.1 support functions.
*/
/*
* A br_asn1_uint structure contains encoding information about an
* INTEGER nonnegative value: pointer to the integer contents (unsigned
* big-endian representation), length of the integer contents,
* and length of the encoded value. The data shall have minimal length:
* - If the integer value is zero, then 'len' must be zero.
* - If the integer value is not zero, then data[0] must be non-zero.
*
* Under these conditions, 'asn1len' is necessarily equal to either len
* or len+1.
*/
typedef struct {
const unsigned char *data;
size_t len;
size_t asn1len;
} br_asn1_uint;
/*
* Given an encoded integer (unsigned big-endian, with possible leading
* bytes of value 0), returned the "prepared INTEGER" structure.
*/
br_asn1_uint br_asn1_uint_prepare(const void *xdata, size_t xlen);
/*
* Encode an ASN.1 length. The length of the encoded length is returned.
* If 'dest' is NULL, then no encoding is performed, but the length of
* the encoded length is still computed and returned.
*/
size_t br_asn1_encode_length(void *dest, size_t len);
/*
* Convenient macro for computing lengths of lengths.
*/
#define len_of_len(len) br_asn1_encode_length(NULL, len)
/*
* Encode a (prepared) ASN.1 INTEGER. The encoded length is returned.
* If 'dest' is NULL, then no encoding is performed, but the length of
* the encoded integer is still computed and returned.
*/
size_t br_asn1_encode_uint(void *dest, br_asn1_uint pp);
/*
* Get the OID that identifies an elliptic curve. Returned value is
* the DER-encoded OID, with the length (always one byte) but without
* the tag. Thus, the first byte of the returned buffer contains the
* number of subsequent bytes in the value. If the curve is not
* recognised, NULL is returned.
*/
const unsigned char *br_get_curve_OID(int curve);
/*
* Inner function for EC private key encoding. This is equivalent to
* the API function br_encode_ec_raw_der(), except for an extra
* parameter: if 'include_curve_oid' is zero, then the curve OID is
* _not_ included in the output blob (this is for PKCS#8 support).
*/
size_t br_encode_ec_raw_der_inner(void *dest,
const br_ec_private_key *sk, const br_ec_public_key *pk,
int include_curve_oid);
/* ==================================================================== */
/*
* SSL/TLS support functions.
*/
/*
* Record types.
*/
#define BR_SSL_CHANGE_CIPHER_SPEC 20
#define BR_SSL_ALERT 21
#define BR_SSL_HANDSHAKE 22
#define BR_SSL_APPLICATION_DATA 23
/*
* Handshake message types.
*/
#define BR_SSL_HELLO_REQUEST 0
#define BR_SSL_CLIENT_HELLO 1
#define BR_SSL_SERVER_HELLO 2
#define BR_SSL_CERTIFICATE 11
#define BR_SSL_SERVER_KEY_EXCHANGE 12
#define BR_SSL_CERTIFICATE_REQUEST 13
#define BR_SSL_SERVER_HELLO_DONE 14
#define BR_SSL_CERTIFICATE_VERIFY 15
#define BR_SSL_CLIENT_KEY_EXCHANGE 16
#define BR_SSL_FINISHED 20
/*
* Alert levels.
*/
#define BR_LEVEL_WARNING 1
#define BR_LEVEL_FATAL 2
/*
* Low-level I/O state.
*/
#define BR_IO_FAILED 0
#define BR_IO_IN 1
#define BR_IO_OUT 2
#define BR_IO_INOUT 3
/*
* Mark a SSL engine as failed. The provided error code is recorded if
* the engine was not already marked as failed. If 'err' is 0, then the
* engine is marked as closed (without error).
*/
void br_ssl_engine_fail(br_ssl_engine_context *cc, int err);
/*
* Test whether the engine is closed (normally or as a failure).
*/
static inline int
br_ssl_engine_closed(const br_ssl_engine_context *cc)
{
return cc->iomode == BR_IO_FAILED;
}
/*
* Configure a new maximum fragment length. If possible, the maximum
* length for outgoing records is immediately adjusted (if there are
* not already too many buffered bytes for that).
*/
void br_ssl_engine_new_max_frag_len(
br_ssl_engine_context *rc, unsigned max_frag_len);
/*
* Test whether the current incoming record has been fully received
* or not. This functions returns 0 only if a complete record header
* has been received, but some of the (possibly encrypted) payload
* has not yet been obtained.
*/
int br_ssl_engine_recvrec_finished(const br_ssl_engine_context *rc);
/*
* Flush the current record (if not empty). This is meant to be called
* from the handshake processor only.
*/
void br_ssl_engine_flush_record(br_ssl_engine_context *cc);
/*
* Test whether there is some accumulated payload to send.
*/
static inline int
br_ssl_engine_has_pld_to_send(const br_ssl_engine_context *rc)
{
return rc->oxa != rc->oxb && rc->oxa != rc->oxc;
}
/*
* Initialize RNG in engine. Returned value is 1 on success, 0 on error.
* This function will try to use the OS-provided RNG, if available. If
* there is no OS-provided RNG, or if it failed, and no entropy was
* injected by the caller, then a failure will be reported. On error,
* the context error code is set.
*/
int br_ssl_engine_init_rand(br_ssl_engine_context *cc);
/*
* Reset the handshake-related parts of the engine.
*/
void br_ssl_engine_hs_reset(br_ssl_engine_context *cc,
void (*hsinit)(void *), void (*hsrun)(void *));
/*
* Get the PRF to use for this context, for the provided PRF hash
* function ID.
*/
br_tls_prf_impl br_ssl_engine_get_PRF(br_ssl_engine_context *cc, int prf_id);
/*
* Consume the provided pre-master secret and compute the corresponding
* master secret. The 'prf_id' is the ID of the hash function to use
* with the TLS 1.2 PRF (ignored if the version is TLS 1.0 or 1.1).
*/
void br_ssl_engine_compute_master(br_ssl_engine_context *cc,
int prf_id, const void *pms, size_t len);
/*
* Switch to CBC decryption for incoming records.
* cc the engine context
* is_client non-zero for a client, zero for a server
* prf_id id of hash function for PRF (ignored if not TLS 1.2+)
* mac_id id of hash function for HMAC
* bc_impl block cipher implementation (CBC decryption)
* cipher_key_len block cipher key length (in bytes)
*/
void br_ssl_engine_switch_cbc_in(br_ssl_engine_context *cc,
int is_client, int prf_id, int mac_id,
const br_block_cbcdec_class *bc_impl, size_t cipher_key_len);
/*
* Switch to CBC encryption for outgoing records.
* cc the engine context
* is_client non-zero for a client, zero for a server
* prf_id id of hash function for PRF (ignored if not TLS 1.2+)
* mac_id id of hash function for HMAC
* bc_impl block cipher implementation (CBC encryption)
* cipher_key_len block cipher key length (in bytes)
*/
void br_ssl_engine_switch_cbc_out(br_ssl_engine_context *cc,
int is_client, int prf_id, int mac_id,
const br_block_cbcenc_class *bc_impl, size_t cipher_key_len);
/*
* Switch to GCM decryption for incoming records.
* cc the engine context
* is_client non-zero for a client, zero for a server
* prf_id id of hash function for PRF
* bc_impl block cipher implementation (CTR)
* cipher_key_len block cipher key length (in bytes)
*/
void br_ssl_engine_switch_gcm_in(br_ssl_engine_context *cc,
int is_client, int prf_id,
const br_block_ctr_class *bc_impl, size_t cipher_key_len);
/*
* Switch to GCM encryption for outgoing records.
* cc the engine context
* is_client non-zero for a client, zero for a server
* prf_id id of hash function for PRF
* bc_impl block cipher implementation (CTR)
* cipher_key_len block cipher key length (in bytes)
*/
void br_ssl_engine_switch_gcm_out(br_ssl_engine_context *cc,
int is_client, int prf_id,
const br_block_ctr_class *bc_impl, size_t cipher_key_len);
/*
* Switch to ChaCha20+Poly1305 decryption for incoming records.
* cc the engine context
* is_client non-zero for a client, zero for a server
* prf_id id of hash function for PRF
*/
void br_ssl_engine_switch_chapol_in(br_ssl_engine_context *cc,
int is_client, int prf_id);
/*
* Switch to ChaCha20+Poly1305 encryption for outgoing records.
* cc the engine context
* is_client non-zero for a client, zero for a server
* prf_id id of hash function for PRF
*/
void br_ssl_engine_switch_chapol_out(br_ssl_engine_context *cc,
int is_client, int prf_id);
/*
* Switch to CCM decryption for incoming records.
* cc the engine context
* is_client non-zero for a client, zero for a server
* prf_id id of hash function for PRF
* bc_impl block cipher implementation (CTR+CBC)
* cipher_key_len block cipher key length (in bytes)
* tag_len tag length (in bytes)
*/
void br_ssl_engine_switch_ccm_in(br_ssl_engine_context *cc,
int is_client, int prf_id,
const br_block_ctrcbc_class *bc_impl,
size_t cipher_key_len, size_t tag_len);
/*
* Switch to GCM encryption for outgoing records.
* cc the engine context
* is_client non-zero for a client, zero for a server
* prf_id id of hash function for PRF
* bc_impl block cipher implementation (CTR+CBC)
* cipher_key_len block cipher key length (in bytes)
* tag_len tag length (in bytes)
*/
void br_ssl_engine_switch_ccm_out(br_ssl_engine_context *cc,
int is_client, int prf_id,
const br_block_ctrcbc_class *bc_impl,
size_t cipher_key_len, size_t tag_len);
/*
* Calls to T0-generated code.
*/
void br_ssl_hs_client_init_main(void *ctx);
void br_ssl_hs_client_run(void *ctx);
void br_ssl_hs_server_init_main(void *ctx);
void br_ssl_hs_server_run(void *ctx);
/*
* Get the hash function to use for signatures, given a bit mask of
* supported hash functions. This implements a strict choice order
* (namely SHA-256, SHA-384, SHA-512, SHA-224, SHA-1). If the mask
* does not document support of any of these hash functions, then this
* functions returns 0.
*/
int br_ssl_choose_hash(unsigned bf);
/* ==================================================================== */
/*
* PowerPC / POWER assembly stuff. The special BR_POWER_ASM_MACROS macro
* must be defined before including this file; this is done by source
* files that use some inline assembly for PowerPC / POWER machines.
*/
#if BR_POWER_ASM_MACROS
#define lxvw4x(xt, ra, rb) lxvw4x_(xt, ra, rb)
#define stxvw4x(xt, ra, rb) stxvw4x_(xt, ra, rb)
#define bdnz(foo) bdnz_(foo)
#define bdz(foo) bdz_(foo)
#define beq(foo) beq_(foo)
#define li(rx, value) li_(rx, value)
#define addi(rx, ra, imm) addi_(rx, ra, imm)
#define cmpldi(rx, imm) cmpldi_(rx, imm)
#define mtctr(rx) mtctr_(rx)
#define vspltb(vrt, vrb, uim) vspltb_(vrt, vrb, uim)
#define vspltw(vrt, vrb, uim) vspltw_(vrt, vrb, uim)
#define vspltisb(vrt, imm) vspltisb_(vrt, imm)
#define vspltisw(vrt, imm) vspltisw_(vrt, imm)
#define vrlw(vrt, vra, vrb) vrlw_(vrt, vra, vrb)
#define vsbox(vrt, vra) vsbox_(vrt, vra)
#define vxor(vrt, vra, vrb) vxor_(vrt, vra, vrb)
#define vand(vrt, vra, vrb) vand_(vrt, vra, vrb)
#define vsro(vrt, vra, vrb) vsro_(vrt, vra, vrb)
#define vsl(vrt, vra, vrb) vsl_(vrt, vra, vrb)
#define vsldoi(vt, va, vb, sh) vsldoi_(vt, va, vb, sh)
#define vsr(vrt, vra, vrb) vsr_(vrt, vra, vrb)
#define vaddcuw(vrt, vra, vrb) vaddcuw_(vrt, vra, vrb)
#define vadduwm(vrt, vra, vrb) vadduwm_(vrt, vra, vrb)
#define vsububm(vrt, vra, vrb) vsububm_(vrt, vra, vrb)
#define vsubuwm(vrt, vra, vrb) vsubuwm_(vrt, vra, vrb)
#define vsrw(vrt, vra, vrb) vsrw_(vrt, vra, vrb)
#define vcipher(vt, va, vb) vcipher_(vt, va, vb)
#define vcipherlast(vt, va, vb) vcipherlast_(vt, va, vb)
#define vncipher(vt, va, vb) vncipher_(vt, va, vb)
#define vncipherlast(vt, va, vb) vncipherlast_(vt, va, vb)
#define vperm(vt, va, vb, vc) vperm_(vt, va, vb, vc)
#define vpmsumd(vt, va, vb) vpmsumd_(vt, va, vb)
#define xxpermdi(vt, va, vb, d) xxpermdi_(vt, va, vb, d)
#define lxvw4x_(xt, ra, rb) "\tlxvw4x\t" #xt "," #ra "," #rb "\n"
#define stxvw4x_(xt, ra, rb) "\tstxvw4x\t" #xt "," #ra "," #rb "\n"
#define label(foo) #foo "%=:\n"
#define bdnz_(foo) "\tbdnz\t" #foo "%=\n"
#define bdz_(foo) "\tbdz\t" #foo "%=\n"
#define beq_(foo) "\tbeq\t" #foo "%=\n"
#define li_(rx, value) "\tli\t" #rx "," #value "\n"
#define addi_(rx, ra, imm) "\taddi\t" #rx "," #ra "," #imm "\n"
#define cmpldi_(rx, imm) "\tcmpldi\t" #rx "," #imm "\n"
#define mtctr_(rx) "\tmtctr\t" #rx "\n"
#define vspltb_(vrt, vrb, uim) "\tvspltb\t" #vrt "," #vrb "," #uim "\n"
#define vspltw_(vrt, vrb, uim) "\tvspltw\t" #vrt "," #vrb "," #uim "\n"
#define vspltisb_(vrt, imm) "\tvspltisb\t" #vrt "," #imm "\n"
#define vspltisw_(vrt, imm) "\tvspltisw\t" #vrt "," #imm "\n"
#define vrlw_(vrt, vra, vrb) "\tvrlw\t" #vrt "," #vra "," #vrb "\n"
#define vsbox_(vrt, vra) "\tvsbox\t" #vrt "," #vra "\n"
#define vxor_(vrt, vra, vrb) "\tvxor\t" #vrt "," #vra "," #vrb "\n"
#define vand_(vrt, vra, vrb) "\tvand\t" #vrt "," #vra "," #vrb "\n"
#define vsro_(vrt, vra, vrb) "\tvsro\t" #vrt "," #vra "," #vrb "\n"
#define vsl_(vrt, vra, vrb) "\tvsl\t" #vrt "," #vra "," #vrb "\n"
#define vsldoi_(vt, va, vb, sh) "\tvsldoi\t" #vt "," #va "," #vb "," #sh "\n"
#define vsr_(vrt, vra, vrb) "\tvsr\t" #vrt "," #vra "," #vrb "\n"
#define vaddcuw_(vrt, vra, vrb) "\tvaddcuw\t" #vrt "," #vra "," #vrb "\n"
#define vadduwm_(vrt, vra, vrb) "\tvadduwm\t" #vrt "," #vra "," #vrb "\n"
#define vsububm_(vrt, vra, vrb) "\tvsububm\t" #vrt "," #vra "," #vrb "\n"
#define vsubuwm_(vrt, vra, vrb) "\tvsubuwm\t" #vrt "," #vra "," #vrb "\n"
#define vsrw_(vrt, vra, vrb) "\tvsrw\t" #vrt "," #vra "," #vrb "\n"
#define vcipher_(vt, va, vb) "\tvcipher\t" #vt "," #va "," #vb "\n"
#define vcipherlast_(vt, va, vb) "\tvcipherlast\t" #vt "," #va "," #vb "\n"
#define vncipher_(vt, va, vb) "\tvncipher\t" #vt "," #va "," #vb "\n"
#define vncipherlast_(vt, va, vb) "\tvncipherlast\t" #vt "," #va "," #vb "\n"
#define vperm_(vt, va, vb, vc) "\tvperm\t" #vt "," #va "," #vb "," #vc "\n"
#define vpmsumd_(vt, va, vb) "\tvpmsumd\t" #vt "," #va "," #vb "\n"
#define xxpermdi_(vt, va, vb, d) "\txxpermdi\t" #vt "," #va "," #vb "," #d "\n"
#endif
/* ==================================================================== */
/*
* Special "activate intrinsics" code, needed for some compiler versions.
* This is defined at the end of this file, so that it won't impact any
* of the inline functions defined previously; and it is controlled by
* a specific macro defined in the caller code.
*
* Calling code conventions:
*
* - Caller must define BR_ENABLE_INTRINSICS before including "inner.h".
* - Functions that use intrinsics must be enclosed in an "enabled"
* region (between BR_TARGETS_X86_UP and BR_TARGETS_X86_DOWN).
* - Functions that use intrinsics must be tagged with the appropriate
* BR_TARGET().
*/
#if BR_ENABLE_INTRINSICS && (BR_GCC_4_4 || BR_CLANG_3_7 || BR_MSC_2005)
/*
* x86 intrinsics (both 32-bit and 64-bit).
*/
#if BR_i386 || BR_amd64
/*
* On GCC before version 5.0, we need to use the pragma to enable the
* target options globally, because the 'target' function attribute
* appears to be unreliable. Before 4.6 we must also avoid the
* push_options / pop_options mechanism, because it tends to trigger
* some internal compiler errors.
*/
#if BR_GCC && !BR_GCC_5_0
#if BR_GCC_4_6
#define BR_TARGETS_X86_UP \
_Pragma("GCC push_options") \
_Pragma("GCC target(\"sse2,ssse3,sse4.1,aes,pclmul,rdrnd\")")
#define BR_TARGETS_X86_DOWN \
_Pragma("GCC pop_options")
#else
#define BR_TARGETS_X86_UP \
_Pragma("GCC target(\"sse2,ssse3,sse4.1,aes,pclmul\")")
#define BR_TARGETS_X86_DOWN
#endif
#pragma GCC diagnostic ignored "-Wpsabi"
#endif
#if BR_CLANG && !BR_CLANG_3_8
#undef __SSE2__
#undef __SSE3__
#undef __SSSE3__
#undef __SSE4_1__
#undef __AES__
#undef __PCLMUL__
#undef __RDRND__
#define __SSE2__ 1
#define __SSE3__ 1
#define __SSSE3__ 1
#define __SSE4_1__ 1
#define __AES__ 1
#define __PCLMUL__ 1
#define __RDRND__ 1
#endif
#ifndef BR_TARGETS_X86_UP
#define BR_TARGETS_X86_UP
#endif
#ifndef BR_TARGETS_X86_DOWN
#define BR_TARGETS_X86_DOWN
#endif
#if BR_GCC || BR_CLANG
BR_TARGETS_X86_UP
#include <x86intrin.h>
#include <cpuid.h>
#define br_bswap32 __builtin_bswap32
BR_TARGETS_X86_DOWN
#endif
#if BR_MSC
#include <stdlib.h>
#include <intrin.h>
#include <immintrin.h>
#define br_bswap32 _byteswap_ulong
#endif
static inline int
br_cpuid(uint32_t mask_eax, uint32_t mask_ebx,
uint32_t mask_ecx, uint32_t mask_edx)
{
#if BR_GCC || BR_CLANG
unsigned eax, ebx, ecx, edx;
if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
if ((eax & mask_eax) == mask_eax
&& (ebx & mask_ebx) == mask_ebx
&& (ecx & mask_ecx) == mask_ecx
&& (edx & mask_edx) == mask_edx)
{
return 1;
}
}
#elif BR_MSC
int info[4];
__cpuid(info, 1);
if (((uint32_t)info[0] & mask_eax) == mask_eax
&& ((uint32_t)info[1] & mask_ebx) == mask_ebx
&& ((uint32_t)info[2] & mask_ecx) == mask_ecx
&& ((uint32_t)info[3] & mask_edx) == mask_edx)
{
return 1;
}
#endif
return 0;
}
#endif
#endif
/* ==================================================================== */
#endif
diff --git a/contrib/bearssl/src/rand/sysrng.c b/contrib/bearssl/src/rand/sysrng.c
index 5ddbcbea4fb9..5a921145db73 100644
--- a/contrib/bearssl/src/rand/sysrng.c
+++ b/contrib/bearssl/src/rand/sysrng.c
@@ -1,170 +1,252 @@
/*
* Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#define BR_ENABLE_INTRINSICS 1
#include "inner.h"
+#if BR_USE_GETENTROPY
+#include <unistd.h>
+#endif
+
#if BR_USE_URANDOM
#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#endif
#if BR_USE_WIN32_RAND
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "advapi32")
#endif
+/*
+ * Seeder that uses the RDRAND opcodes (on x86 CPU).
+ */
#if BR_RDRAND
BR_TARGETS_X86_UP
BR_TARGET("rdrnd")
static int
seeder_rdrand(const br_prng_class **ctx)
{
unsigned char tmp[32];
size_t u;
for (u = 0; u < sizeof tmp; u += sizeof(uint32_t)) {
int j;
uint32_t x;
/*
* We use the 32-bit intrinsic so that code is compatible
* with both 32-bit and 64-bit architectures.
*
* Intel recommends trying at least 10 times in case of
* failure.
+ *
+ * AMD bug: there are reports that some AMD processors
+ * have a bug that makes them fail silently after a
+ * suspend/resume cycle, in which case RDRAND will report
+ * a success but always return 0xFFFFFFFF.
+ * see: https://bugzilla.kernel.org/show_bug.cgi?id=85911
+ *
+ * As a mitigation, if the 32-bit value is 0 or -1, then
+ * it is considered a failure and tried again. This should
+ * reliably detect the buggy case, at least. This also
+ * implies that the selected seed values can never be
+ * 0x00000000 or 0xFFFFFFFF, which is not a problem since
+ * we are generating a seed for a PRNG, and we overdo it
+ * a bit (we generate 32 bytes of randomness, and 256 bits
+ * of entropy are really overkill).
*/
for (j = 0; j < 10; j ++) {
- if (_rdrand32_step(&x)) {
+ if (_rdrand32_step(&x) && x != 0 && x != (uint32_t)-1) {
goto next_word;
}
}
return 0;
next_word:
br_enc32le(tmp + u, x);
}
(*ctx)->update(ctx, tmp, sizeof tmp);
return 1;
}
BR_TARGETS_X86_DOWN
static int
rdrand_supported(void)
{
/*
* The RDRND support is bit 30 of ECX, as returned by CPUID.
*/
return br_cpuid(0, 0, 0x40000000, 0);
}
-
#endif
+/*
+ * Seeder that uses /dev/urandom (on Unix-like systems).
+ */
#if BR_USE_URANDOM
static int
seeder_urandom(const br_prng_class **ctx)
{
int f;
f = open("/dev/urandom", O_RDONLY);
if (f >= 0) {
unsigned char tmp[32];
size_t u;
for (u = 0; u < sizeof tmp;) {
ssize_t len;
len = read(f, tmp + u, (sizeof tmp) - u);
if (len < 0) {
if (errno == EINTR) {
continue;
}
break;
}
u += (size_t)len;
}
close(f);
if (u == sizeof tmp) {
(*ctx)->update(ctx, tmp, sizeof tmp);
return 1;
}
}
return 0;
}
#endif
+/*
+ * Seeder that uses getentropy() (backed by getrandom() on some systems,
+ * e.g. Linux). On failure, it will use the /dev/urandom seeder (if
+ * enabled).
+ */
+#if BR_USE_GETENTROPY
+static int
+seeder_getentropy(const br_prng_class **ctx)
+{
+ unsigned char tmp[32];
+
+ if (getentropy(tmp, sizeof tmp) == 0) {
+ (*ctx)->update(ctx, tmp, sizeof tmp);
+ return 1;
+ }
+#if BR_USE_URANDOM
+ return seeder_urandom(ctx);
+#else
+ return 0;
+#endif
+}
+#endif
+
+/*
+ * Seeder that uses CryptGenRandom() (on Windows).
+ */
#if BR_USE_WIN32_RAND
static int
seeder_win32(const br_prng_class **ctx)
{
HCRYPTPROV hp;
if (CryptAcquireContext(&hp, 0, 0, PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
{
BYTE buf[32];
BOOL r;
r = CryptGenRandom(hp, sizeof buf, buf);
CryptReleaseContext(hp, 0);
if (r) {
(*ctx)->update(ctx, buf, sizeof buf);
return 1;
}
}
return 0;
}
#endif
+/*
+ * An aggregate seeder that uses RDRAND, and falls back to an OS-provided
+ * source if RDRAND fails.
+ */
+#if BR_RDRAND && (BR_USE_GETENTROPY || BR_USE_URANDOM || BR_USE_WIN32_RAND)
+static int
+seeder_rdrand_with_fallback(const br_prng_class **ctx)
+{
+ if (!seeder_rdrand(ctx)) {
+#if BR_USE_GETENTROPY
+ return seeder_getentropy(ctx);
+#elif BR_USE_URANDOM
+ return seeder_urandom(ctx);
+#elif BR_USE_WIN32_RAND
+ return seeder_win32(ctx);
+#else
+#error "macro selection has gone wrong"
+#endif
+ }
+ return 1;
+}
+#endif
+
/* see bearssl_rand.h */
br_prng_seeder
br_prng_seeder_system(const char **name)
{
#if BR_RDRAND
if (rdrand_supported()) {
if (name != NULL) {
*name = "rdrand";
}
+#if BR_USE_GETENTROPY || BR_USE_URANDOM || BR_USE_WIN32_RAND
+ return &seeder_rdrand_with_fallback;
+#else
return &seeder_rdrand;
+#endif
}
#endif
-#if BR_USE_URANDOM
+#if BR_USE_GETENTROPY
+ if (name != NULL) {
+ *name = "getentropy";
+ }
+ return &seeder_getentropy;
+#elif BR_USE_URANDOM
if (name != NULL) {
*name = "urandom";
}
return &seeder_urandom;
#elif BR_USE_WIN32_RAND
if (name != NULL) {
*name = "win32";
}
return &seeder_win32;
#else
if (name != NULL) {
*name = "none";
}
return 0;
#endif
}
diff --git a/contrib/bearssl/src/rsa/rsa_i15_keygen.c b/contrib/bearssl/src/rsa/rsa_i15_keygen.c
index 1c011fe0dcdf..e8da41984a08 100644
--- a/contrib/bearssl/src/rsa/rsa_i15_keygen.c
+++ b/contrib/bearssl/src/rsa/rsa_i15_keygen.c
@@ -1,583 +1,583 @@
/*
* Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
/*
* Make a random integer of the provided size. The size is encoded.
* The header word is untouched.
*/
static void
mkrand(const br_prng_class **rng, uint16_t *x, uint32_t esize)
{
size_t u, len;
unsigned m;
len = (esize + 15) >> 4;
(*rng)->generate(rng, x + 1, len * sizeof(uint16_t));
for (u = 1; u < len; u ++) {
x[u] &= 0x7FFF;
}
m = esize & 15;
if (m == 0) {
x[len] &= 0x7FFF;
} else {
x[len] &= 0x7FFF >> (15 - m);
}
}
/*
* This is the big-endian unsigned representation of the product of
* all small primes from 13 to 1481.
*/
static const unsigned char SMALL_PRIMES[] = {
0x2E, 0xAB, 0x92, 0xD1, 0x8B, 0x12, 0x47, 0x31, 0x54, 0x0A,
0x99, 0x5D, 0x25, 0x5E, 0xE2, 0x14, 0x96, 0x29, 0x1E, 0xB7,
0x78, 0x70, 0xCC, 0x1F, 0xA5, 0xAB, 0x8D, 0x72, 0x11, 0x37,
0xFB, 0xD8, 0x1E, 0x3F, 0x5B, 0x34, 0x30, 0x17, 0x8B, 0xE5,
0x26, 0x28, 0x23, 0xA1, 0x8A, 0xA4, 0x29, 0xEA, 0xFD, 0x9E,
0x39, 0x60, 0x8A, 0xF3, 0xB5, 0xA6, 0xEB, 0x3F, 0x02, 0xB6,
0x16, 0xC3, 0x96, 0x9D, 0x38, 0xB0, 0x7D, 0x82, 0x87, 0x0C,
0xF7, 0xBE, 0x24, 0xE5, 0x5F, 0x41, 0x04, 0x79, 0x76, 0x40,
0xE7, 0x00, 0x22, 0x7E, 0xB5, 0x85, 0x7F, 0x8D, 0x01, 0x50,
0xE9, 0xD3, 0x29, 0x42, 0x08, 0xB3, 0x51, 0x40, 0x7B, 0xD7,
0x8D, 0xCC, 0x10, 0x01, 0x64, 0x59, 0x28, 0xB6, 0x53, 0xF3,
0x50, 0x4E, 0xB1, 0xF2, 0x58, 0xCD, 0x6E, 0xF5, 0x56, 0x3E,
0x66, 0x2F, 0xD7, 0x07, 0x7F, 0x52, 0x4C, 0x13, 0x24, 0xDC,
0x8E, 0x8D, 0xCC, 0xED, 0x77, 0xC4, 0x21, 0xD2, 0xFD, 0x08,
0xEA, 0xD7, 0xC0, 0x5C, 0x13, 0x82, 0x81, 0x31, 0x2F, 0x2B,
0x08, 0xE4, 0x80, 0x04, 0x7A, 0x0C, 0x8A, 0x3C, 0xDC, 0x22,
0xE4, 0x5A, 0x7A, 0xB0, 0x12, 0x5E, 0x4A, 0x76, 0x94, 0x77,
0xC2, 0x0E, 0x92, 0xBA, 0x8A, 0xA0, 0x1F, 0x14, 0x51, 0x1E,
0x66, 0x6C, 0x38, 0x03, 0x6C, 0xC7, 0x4A, 0x4B, 0x70, 0x80,
0xAF, 0xCA, 0x84, 0x51, 0xD8, 0xD2, 0x26, 0x49, 0xF5, 0xA8,
0x5E, 0x35, 0x4B, 0xAC, 0xCE, 0x29, 0x92, 0x33, 0xB7, 0xA2,
0x69, 0x7D, 0x0C, 0xE0, 0x9C, 0xDB, 0x04, 0xD6, 0xB4, 0xBC,
0x39, 0xD7, 0x7F, 0x9E, 0x9D, 0x78, 0x38, 0x7F, 0x51, 0x54,
0x50, 0x8B, 0x9E, 0x9C, 0x03, 0x6C, 0xF5, 0x9D, 0x2C, 0x74,
0x57, 0xF0, 0x27, 0x2A, 0xC3, 0x47, 0xCA, 0xB9, 0xD7, 0x5C,
0xFF, 0xC2, 0xAC, 0x65, 0x4E, 0xBD
};
/*
* We need temporary values for at least 7 integers of the same size
* as a factor (including header word); more space helps with performance
* (in modular exponentiations), but we much prefer to remain under
* 2 kilobytes in total, to save stack space. The macro TEMPS below
* exceeds 1024 (which is a count in 16-bit words) when BR_MAX_RSA_SIZE
* is greater than 4350 (default value is 4096, so the 2-kB limit is
* maintained unless BR_MAX_RSA_SIZE was modified).
*/
#define MAX(x, y) ((x) > (y) ? (x) : (y))
#define TEMPS MAX(1024, 7 * ((((BR_MAX_RSA_SIZE + 1) >> 1) + 29) / 15))
/*
* Perform trial division on a candidate prime. This computes
* y = SMALL_PRIMES mod x, then tries to compute y/y mod x. The
* br_i15_moddiv() function will report an error if y is not invertible
* modulo x. Returned value is 1 on success (none of the small primes
* divides x), 0 on error (a non-trivial GCD is obtained).
*
* This function assumes that x is odd.
*/
static uint32_t
trial_divisions(const uint16_t *x, uint16_t *t)
{
uint16_t *y;
uint16_t x0i;
y = t;
t += 1 + ((x[0] + 15) >> 4);
x0i = br_i15_ninv15(x[1]);
br_i15_decode_reduce(y, SMALL_PRIMES, sizeof SMALL_PRIMES, x);
return br_i15_moddiv(y, y, x, x0i, t);
}
/*
* Perform n rounds of Miller-Rabin on the candidate prime x. This
* function assumes that x = 3 mod 4.
*
* Returned value is 1 on success (all rounds completed successfully),
* 0 otherwise.
*/
static uint32_t
miller_rabin(const br_prng_class **rng, const uint16_t *x, int n,
uint16_t *t, size_t tlen)
{
/*
* Since x = 3 mod 4, the Miller-Rabin test is simple:
* - get a random base a (such that 1 < a < x-1)
* - compute z = a^((x-1)/2) mod x
* - if z != 1 and z != x-1, the number x is composite
*
* We generate bases 'a' randomly with a size which is
* one bit less than x, which ensures that a < x-1. It
* is not useful to verify that a > 1 because the probability
* that we get a value a equal to 0 or 1 is much smaller
* than the probability of our Miller-Rabin tests not to
* detect a composite, which is already quite smaller than the
* probability of the hardware misbehaving and return a
* composite integer because of some glitch (e.g. bad RAM
* or ill-timed cosmic ray).
*/
unsigned char *xm1d2;
size_t xlen, xm1d2_len, xm1d2_len_u16, u;
uint32_t asize;
unsigned cc;
uint16_t x0i;
/*
* Compute (x-1)/2 (encoded).
*/
xm1d2 = (unsigned char *)t;
xm1d2_len = ((x[0] - (x[0] >> 4)) + 7) >> 3;
br_i15_encode(xm1d2, xm1d2_len, x);
cc = 0;
for (u = 0; u < xm1d2_len; u ++) {
unsigned w;
w = xm1d2[u];
xm1d2[u] = (unsigned char)((w >> 1) | cc);
cc = w << 7;
}
/*
* We used some words of the provided buffer for (x-1)/2.
*/
xm1d2_len_u16 = (xm1d2_len + 1) >> 1;
t += xm1d2_len_u16;
tlen -= xm1d2_len_u16;
xlen = (x[0] + 15) >> 4;
asize = x[0] - 1 - EQ0(x[0] & 15);
x0i = br_i15_ninv15(x[1]);
while (n -- > 0) {
uint16_t *a;
uint32_t eq1, eqm1;
/*
* Generate a random base. We don't need the base to be
* really uniform modulo x, so we just get a random
* number which is one bit shorter than x.
*/
a = t;
a[0] = x[0];
a[xlen] = 0;
mkrand(rng, a, asize);
/*
* Compute a^((x-1)/2) mod x. We assume here that the
* function will not fail (the temporary array is large
* enough).
*/
br_i15_modpow_opt(a, xm1d2, xm1d2_len,
x, x0i, t + 1 + xlen, tlen - 1 - xlen);
/*
* We must obtain either 1 or x-1. Note that x is odd,
* hence x-1 differs from x only in its low word (no
* carry).
*/
eq1 = a[1] ^ 1;
eqm1 = a[1] ^ (x[1] - 1);
for (u = 2; u <= xlen; u ++) {
eq1 |= a[u];
eqm1 |= a[u] ^ x[u];
}
if ((EQ0(eq1) | EQ0(eqm1)) == 0) {
return 0;
}
}
return 1;
}
/*
* Create a random prime of the provided size. 'size' is the _encoded_
* bit length. The two top bits and the two bottom bits are set to 1.
*/
static void
mkprime(const br_prng_class **rng, uint16_t *x, uint32_t esize,
uint32_t pubexp, uint16_t *t, size_t tlen)
{
size_t len;
x[0] = esize;
len = (esize + 15) >> 4;
for (;;) {
size_t u;
uint32_t m3, m5, m7, m11;
int rounds;
/*
* Generate random bits. We force the two top bits and the
* two bottom bits to 1.
*/
mkrand(rng, x, esize);
if ((esize & 15) == 0) {
x[len] |= 0x6000;
} else if ((esize & 15) == 1) {
x[len] |= 0x0001;
x[len - 1] |= 0x4000;
} else {
x[len] |= 0x0003 << ((esize & 15) - 2);
}
x[1] |= 0x0003;
/*
* Trial division with low primes (3, 5, 7 and 11). We
* use the following properties:
*
* 2^2 = 1 mod 3
* 2^4 = 1 mod 5
* 2^3 = 1 mod 7
* 2^10 = 1 mod 11
*/
m3 = 0;
m5 = 0;
m7 = 0;
m11 = 0;
for (u = 0; u < len; u ++) {
uint32_t w;
w = x[1 + u];
m3 += w << (u & 1);
m3 = (m3 & 0xFF) + (m3 >> 8);
m5 += w << ((4 - u) & 3);
m5 = (m5 & 0xFF) + (m5 >> 8);
m7 += w;
m7 = (m7 & 0x1FF) + (m7 >> 9);
m11 += w << (5 & -(u & 1));
m11 = (m11 & 0x3FF) + (m11 >> 10);
}
/*
* Maximum values of m* at this point:
* m3: 511
* m5: 2310
* m7: 510
* m11: 2047
* We use the same properties to make further reductions.
*/
m3 = (m3 & 0x0F) + (m3 >> 4); /* max: 46 */
m3 = (m3 & 0x0F) + (m3 >> 4); /* max: 16 */
m3 = ((m3 * 43) >> 5) & 3;
m5 = (m5 & 0xFF) + (m5 >> 8); /* max: 263 */
m5 = (m5 & 0x0F) + (m5 >> 4); /* max: 30 */
m5 = (m5 & 0x0F) + (m5 >> 4); /* max: 15 */
m5 -= 10 & -GT(m5, 9);
m5 -= 5 & -GT(m5, 4);
m7 = (m7 & 0x3F) + (m7 >> 6); /* max: 69 */
m7 = (m7 & 7) + (m7 >> 3); /* max: 14 */
m7 = ((m7 * 147) >> 7) & 7;
/*
* 2^5 = 32 = -1 mod 11.
*/
m11 = (m11 & 0x1F) + 66 - (m11 >> 5); /* max: 97 */
m11 -= 88 & -GT(m11, 87);
m11 -= 44 & -GT(m11, 43);
m11 -= 22 & -GT(m11, 21);
m11 -= 11 & -GT(m11, 10);
/*
* If any of these modulo is 0, then the candidate is
* not prime. Also, if pubexp is 3, 5, 7 or 11, and the
* corresponding modulus is 1, then the candidate must
* be rejected, because we need e to be invertible
* modulo p-1. We can use simple comparisons here
* because they won't leak information on a candidate
* that we keep, only on one that we reject (and is thus
* not secret).
*/
if (m3 == 0 || m5 == 0 || m7 == 0 || m11 == 0) {
continue;
}
if ((pubexp == 3 && m3 == 1)
- || (pubexp == 5 && m5 == 5)
- || (pubexp == 7 && m5 == 7)
- || (pubexp == 11 && m5 == 11))
+ || (pubexp == 5 && m5 == 1)
+ || (pubexp == 7 && m7 == 1)
+ || (pubexp == 11 && m11 == 1))
{
continue;
}
/*
* More trial divisions.
*/
if (!trial_divisions(x, t)) {
continue;
}
/*
* Miller-Rabin algorithm. Since we selected a random
* integer, not a maliciously crafted integer, we can use
* relatively few rounds to lower the risk of a false
* positive (i.e. declaring prime a non-prime) under
* 2^(-80). It is not useful to lower the probability much
* below that, since that would be substantially below
* the probability of the hardware misbehaving. Sufficient
* numbers of rounds are extracted from the Handbook of
* Applied Cryptography, note 4.49 (page 149).
*
* Since we work on the encoded size (esize), we need to
* compare with encoded thresholds.
*/
if (esize < 320) {
rounds = 12;
} else if (esize < 480) {
rounds = 9;
} else if (esize < 693) {
rounds = 6;
} else if (esize < 906) {
rounds = 4;
} else if (esize < 1386) {
rounds = 3;
} else {
rounds = 2;
}
if (miller_rabin(rng, x, rounds, t, tlen)) {
return;
}
}
}
/*
* Let p be a prime (p > 2^33, p = 3 mod 4). Let m = (p-1)/2, provided
* as parameter (with announced bit length equal to that of p). This
* function computes d = 1/e mod p-1 (for an odd integer e). Returned
* value is 1 on success, 0 on error (an error is reported if e is not
* invertible modulo p-1).
*
* The temporary buffer (t) must have room for at least 4 integers of
* the size of p.
*/
static uint32_t
invert_pubexp(uint16_t *d, const uint16_t *m, uint32_t e, uint16_t *t)
{
uint16_t *f;
uint32_t r;
f = t;
t += 1 + ((m[0] + 15) >> 4);
/*
* Compute d = 1/e mod m. Since p = 3 mod 4, m is odd.
*/
br_i15_zero(d, m[0]);
d[1] = 1;
br_i15_zero(f, m[0]);
f[1] = e & 0x7FFF;
f[2] = (e >> 15) & 0x7FFF;
f[3] = e >> 30;
r = br_i15_moddiv(d, f, m, br_i15_ninv15(m[1]), t);
/*
* We really want d = 1/e mod p-1, with p = 2m. By the CRT,
* the result is either the d we got, or d + m.
*
* Let's write e*d = 1 + k*m, for some integer k. Integers e
* and m are odd. If d is odd, then e*d is odd, which implies
* that k must be even; in that case, e*d = 1 + (k/2)*2m, and
* thus d is already fine. Conversely, if d is even, then k
* is odd, and we must add m to d in order to get the correct
* result.
*/
br_i15_add(d, m, (uint32_t)(1 - (d[1] & 1)));
return r;
}
/*
* Swap two buffers in RAM. They must be disjoint.
*/
static void
bufswap(void *b1, void *b2, size_t len)
{
size_t u;
unsigned char *buf1, *buf2;
buf1 = b1;
buf2 = b2;
for (u = 0; u < len; u ++) {
unsigned w;
w = buf1[u];
buf1[u] = buf2[u];
buf2[u] = w;
}
}
/* see bearssl_rsa.h */
uint32_t
br_rsa_i15_keygen(const br_prng_class **rng,
br_rsa_private_key *sk, void *kbuf_priv,
br_rsa_public_key *pk, void *kbuf_pub,
unsigned size, uint32_t pubexp)
{
uint32_t esize_p, esize_q;
size_t plen, qlen, tlen;
uint16_t *p, *q, *t;
uint16_t tmp[TEMPS];
uint32_t r;
if (size < BR_MIN_RSA_SIZE || size > BR_MAX_RSA_SIZE) {
return 0;
}
if (pubexp == 0) {
pubexp = 3;
} else if (pubexp == 1 || (pubexp & 1) == 0) {
return 0;
}
esize_p = (size + 1) >> 1;
esize_q = size - esize_p;
sk->n_bitlen = size;
sk->p = kbuf_priv;
sk->plen = (esize_p + 7) >> 3;
sk->q = sk->p + sk->plen;
sk->qlen = (esize_q + 7) >> 3;
sk->dp = sk->q + sk->qlen;
sk->dplen = sk->plen;
sk->dq = sk->dp + sk->dplen;
sk->dqlen = sk->qlen;
sk->iq = sk->dq + sk->dqlen;
sk->iqlen = sk->plen;
if (pk != NULL) {
pk->n = kbuf_pub;
pk->nlen = (size + 7) >> 3;
pk->e = pk->n + pk->nlen;
pk->elen = 4;
br_enc32be(pk->e, pubexp);
while (*pk->e == 0) {
pk->e ++;
pk->elen --;
}
}
/*
* We now switch to encoded sizes.
*
* floor((x * 17477) / (2^18)) is equal to floor(x/15) for all
* integers x from 0 to 23833.
*/
esize_p += MUL15(esize_p, 17477) >> 18;
esize_q += MUL15(esize_q, 17477) >> 18;
plen = (esize_p + 15) >> 4;
qlen = (esize_q + 15) >> 4;
p = tmp;
q = p + 1 + plen;
t = q + 1 + qlen;
tlen = ((sizeof tmp) / sizeof(uint16_t)) - (2 + plen + qlen);
/*
* When looking for primes p and q, we temporarily divide
* candidates by 2, in order to compute the inverse of the
* public exponent.
*/
for (;;) {
mkprime(rng, p, esize_p, pubexp, t, tlen);
br_i15_rshift(p, 1);
if (invert_pubexp(t, p, pubexp, t + 1 + plen)) {
br_i15_add(p, p, 1);
p[1] |= 1;
br_i15_encode(sk->p, sk->plen, p);
br_i15_encode(sk->dp, sk->dplen, t);
break;
}
}
for (;;) {
mkprime(rng, q, esize_q, pubexp, t, tlen);
br_i15_rshift(q, 1);
if (invert_pubexp(t, q, pubexp, t + 1 + qlen)) {
br_i15_add(q, q, 1);
q[1] |= 1;
br_i15_encode(sk->q, sk->qlen, q);
br_i15_encode(sk->dq, sk->dqlen, t);
break;
}
}
/*
* If p and q have the same size, then it is possible that q > p
* (when the target modulus size is odd, we generate p with a
* greater bit length than q). If q > p, we want to swap p and q
* (and also dp and dq) for two reasons:
* - The final step below (inversion of q modulo p) is easier if
* p > q.
* - While BearSSL's RSA code is perfectly happy with RSA keys such
* that p < q, some other implementations have restrictions and
* require p > q.
*
* Note that we can do a simple non-constant-time swap here,
* because the only information we leak here is that we insist on
* returning p and q such that p > q, which is not a secret.
*/
if (esize_p == esize_q && br_i15_sub(p, q, 0) == 1) {
bufswap(p, q, (1 + plen) * sizeof *p);
bufswap(sk->p, sk->q, sk->plen);
bufswap(sk->dp, sk->dq, sk->dplen);
}
/*
* We have produced p, q, dp and dq. We can now compute iq = 1/d mod p.
*
* We ensured that p >= q, so this is just a matter of updating the
* header word for q (and possibly adding an extra word).
*
* Theoretically, the call below may fail, in case we were
* extraordinarily unlucky, and p = q. Another failure case is if
* Miller-Rabin failed us _twice_, and p and q are non-prime and
* have a factor is common. We report the error mostly because it
* is cheap and we can, but in practice this never happens (or, at
* least, it happens way less often than hardware glitches).
*/
q[0] = p[0];
if (plen > qlen) {
q[plen] = 0;
t ++;
tlen --;
}
br_i15_zero(t, p[0]);
t[1] = 1;
r = br_i15_moddiv(t, q, p, br_i15_ninv15(p[1]), t + 1 + plen);
br_i15_encode(sk->iq, sk->iqlen, t);
/*
* Compute the public modulus too, if required.
*/
if (pk != NULL) {
br_i15_zero(t, p[0]);
br_i15_mulacc(t, p, q);
br_i15_encode(pk->n, pk->nlen, t);
}
return r;
}
diff --git a/contrib/bearssl/src/rsa/rsa_i15_modulus.c b/contrib/bearssl/src/rsa/rsa_i15_modulus.c
index d61c7949c6fc..16458c3e5123 100644
--- a/contrib/bearssl/src/rsa/rsa_i15_modulus.c
+++ b/contrib/bearssl/src/rsa/rsa_i15_modulus.c
@@ -1,99 +1,99 @@
/*
* Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
/* see bearssl_rsa.h */
size_t
br_rsa_i15_compute_modulus(void *n, const br_rsa_private_key *sk)
{
- uint16_t tmp[2 * ((BR_MAX_RSA_SIZE + 14) / 15) + 5];
+ uint16_t tmp[4 * (((BR_MAX_RSA_SIZE / 2) + 14) / 15) + 5];
uint16_t *t, *p, *q;
const unsigned char *pbuf, *qbuf;
size_t nlen, plen, qlen, tlen;
/*
* Compute actual byte and lengths for p and q.
*/
pbuf = sk->p;
plen = sk->plen;
while (plen > 0 && *pbuf == 0) {
pbuf ++;
plen --;
}
qbuf = sk->q;
qlen = sk->qlen;
while (qlen > 0 && *qbuf == 0) {
qbuf ++;
qlen --;
}
t = tmp;
tlen = (sizeof tmp) / (sizeof tmp[0]);
/*
* Decode p.
*/
if ((15 * tlen) < (plen << 3) + 15) {
return 0;
}
br_i15_decode(t, pbuf, plen);
p = t;
plen = (p[0] + 31) >> 4;
t += plen;
tlen -= plen;
/*
* Decode q.
*/
if ((15 * tlen) < (qlen << 3) + 15) {
return 0;
}
br_i15_decode(t, qbuf, qlen);
q = t;
qlen = (q[0] + 31) >> 4;
t += qlen;
tlen -= qlen;
/*
* Computation can proceed only if we have enough room for the
* modulus.
*/
if (tlen < (plen + qlen + 1)) {
return 0;
}
/*
* Private key already contains the modulus bit length, from which
* we can infer the output length. Even if n is NULL, we still had
* to decode p and q to make sure that the product can be computed.
*/
nlen = (sk->n_bitlen + 7) >> 3;
if (n != NULL) {
br_i15_zero(t, p[0]);
br_i15_mulacc(t, p, q);
br_i15_encode(n, nlen, t);
}
return nlen;
}
diff --git a/contrib/bearssl/src/rsa/rsa_i31_keygen_inner.c b/contrib/bearssl/src/rsa/rsa_i31_keygen_inner.c
index 9ec881b5f945..98df445871f5 100644
--- a/contrib/bearssl/src/rsa/rsa_i31_keygen_inner.c
+++ b/contrib/bearssl/src/rsa/rsa_i31_keygen_inner.c
@@ -1,608 +1,608 @@
/*
* Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
/*
* Make a random integer of the provided size. The size is encoded.
* The header word is untouched.
*/
static void
mkrand(const br_prng_class **rng, uint32_t *x, uint32_t esize)
{
size_t u, len;
unsigned m;
len = (esize + 31) >> 5;
(*rng)->generate(rng, x + 1, len * sizeof(uint32_t));
for (u = 1; u < len; u ++) {
x[u] &= 0x7FFFFFFF;
}
m = esize & 31;
if (m == 0) {
x[len] &= 0x7FFFFFFF;
} else {
x[len] &= 0x7FFFFFFF >> (31 - m);
}
}
/*
* This is the big-endian unsigned representation of the product of
* all small primes from 13 to 1481.
*/
static const unsigned char SMALL_PRIMES[] = {
0x2E, 0xAB, 0x92, 0xD1, 0x8B, 0x12, 0x47, 0x31, 0x54, 0x0A,
0x99, 0x5D, 0x25, 0x5E, 0xE2, 0x14, 0x96, 0x29, 0x1E, 0xB7,
0x78, 0x70, 0xCC, 0x1F, 0xA5, 0xAB, 0x8D, 0x72, 0x11, 0x37,
0xFB, 0xD8, 0x1E, 0x3F, 0x5B, 0x34, 0x30, 0x17, 0x8B, 0xE5,
0x26, 0x28, 0x23, 0xA1, 0x8A, 0xA4, 0x29, 0xEA, 0xFD, 0x9E,
0x39, 0x60, 0x8A, 0xF3, 0xB5, 0xA6, 0xEB, 0x3F, 0x02, 0xB6,
0x16, 0xC3, 0x96, 0x9D, 0x38, 0xB0, 0x7D, 0x82, 0x87, 0x0C,
0xF7, 0xBE, 0x24, 0xE5, 0x5F, 0x41, 0x04, 0x79, 0x76, 0x40,
0xE7, 0x00, 0x22, 0x7E, 0xB5, 0x85, 0x7F, 0x8D, 0x01, 0x50,
0xE9, 0xD3, 0x29, 0x42, 0x08, 0xB3, 0x51, 0x40, 0x7B, 0xD7,
0x8D, 0xCC, 0x10, 0x01, 0x64, 0x59, 0x28, 0xB6, 0x53, 0xF3,
0x50, 0x4E, 0xB1, 0xF2, 0x58, 0xCD, 0x6E, 0xF5, 0x56, 0x3E,
0x66, 0x2F, 0xD7, 0x07, 0x7F, 0x52, 0x4C, 0x13, 0x24, 0xDC,
0x8E, 0x8D, 0xCC, 0xED, 0x77, 0xC4, 0x21, 0xD2, 0xFD, 0x08,
0xEA, 0xD7, 0xC0, 0x5C, 0x13, 0x82, 0x81, 0x31, 0x2F, 0x2B,
0x08, 0xE4, 0x80, 0x04, 0x7A, 0x0C, 0x8A, 0x3C, 0xDC, 0x22,
0xE4, 0x5A, 0x7A, 0xB0, 0x12, 0x5E, 0x4A, 0x76, 0x94, 0x77,
0xC2, 0x0E, 0x92, 0xBA, 0x8A, 0xA0, 0x1F, 0x14, 0x51, 0x1E,
0x66, 0x6C, 0x38, 0x03, 0x6C, 0xC7, 0x4A, 0x4B, 0x70, 0x80,
0xAF, 0xCA, 0x84, 0x51, 0xD8, 0xD2, 0x26, 0x49, 0xF5, 0xA8,
0x5E, 0x35, 0x4B, 0xAC, 0xCE, 0x29, 0x92, 0x33, 0xB7, 0xA2,
0x69, 0x7D, 0x0C, 0xE0, 0x9C, 0xDB, 0x04, 0xD6, 0xB4, 0xBC,
0x39, 0xD7, 0x7F, 0x9E, 0x9D, 0x78, 0x38, 0x7F, 0x51, 0x54,
0x50, 0x8B, 0x9E, 0x9C, 0x03, 0x6C, 0xF5, 0x9D, 0x2C, 0x74,
0x57, 0xF0, 0x27, 0x2A, 0xC3, 0x47, 0xCA, 0xB9, 0xD7, 0x5C,
0xFF, 0xC2, 0xAC, 0x65, 0x4E, 0xBD
};
/*
* We need temporary values for at least 7 integers of the same size
* as a factor (including header word); more space helps with performance
* (in modular exponentiations), but we much prefer to remain under
* 2 kilobytes in total, to save stack space. The macro TEMPS below
* exceeds 512 (which is a count in 32-bit words) when BR_MAX_RSA_SIZE
* is greater than 4464 (default value is 4096, so the 2-kB limit is
* maintained unless BR_MAX_RSA_SIZE was modified).
*/
#define MAX(x, y) ((x) > (y) ? (x) : (y))
#define ROUND2(x) ((((x) + 1) >> 1) << 1)
#define TEMPS MAX(512, ROUND2(7 * ((((BR_MAX_RSA_SIZE + 1) >> 1) + 61) / 31)))
/*
* Perform trial division on a candidate prime. This computes
* y = SMALL_PRIMES mod x, then tries to compute y/y mod x. The
* br_i31_moddiv() function will report an error if y is not invertible
* modulo x. Returned value is 1 on success (none of the small primes
* divides x), 0 on error (a non-trivial GCD is obtained).
*
* This function assumes that x is odd.
*/
static uint32_t
trial_divisions(const uint32_t *x, uint32_t *t)
{
uint32_t *y;
uint32_t x0i;
y = t;
t += 1 + ((x[0] + 31) >> 5);
x0i = br_i31_ninv31(x[1]);
br_i31_decode_reduce(y, SMALL_PRIMES, sizeof SMALL_PRIMES, x);
return br_i31_moddiv(y, y, x, x0i, t);
}
/*
* Perform n rounds of Miller-Rabin on the candidate prime x. This
* function assumes that x = 3 mod 4.
*
* Returned value is 1 on success (all rounds completed successfully),
* 0 otherwise.
*/
static uint32_t
miller_rabin(const br_prng_class **rng, const uint32_t *x, int n,
uint32_t *t, size_t tlen, br_i31_modpow_opt_type mp31)
{
/*
* Since x = 3 mod 4, the Miller-Rabin test is simple:
* - get a random base a (such that 1 < a < x-1)
* - compute z = a^((x-1)/2) mod x
* - if z != 1 and z != x-1, the number x is composite
*
* We generate bases 'a' randomly with a size which is
* one bit less than x, which ensures that a < x-1. It
* is not useful to verify that a > 1 because the probability
* that we get a value a equal to 0 or 1 is much smaller
* than the probability of our Miller-Rabin tests not to
* detect a composite, which is already quite smaller than the
* probability of the hardware misbehaving and return a
* composite integer because of some glitch (e.g. bad RAM
* or ill-timed cosmic ray).
*/
unsigned char *xm1d2;
size_t xlen, xm1d2_len, xm1d2_len_u32, u;
uint32_t asize;
unsigned cc;
uint32_t x0i;
/*
* Compute (x-1)/2 (encoded).
*/
xm1d2 = (unsigned char *)t;
xm1d2_len = ((x[0] - (x[0] >> 5)) + 7) >> 3;
br_i31_encode(xm1d2, xm1d2_len, x);
cc = 0;
for (u = 0; u < xm1d2_len; u ++) {
unsigned w;
w = xm1d2[u];
xm1d2[u] = (unsigned char)((w >> 1) | cc);
cc = w << 7;
}
/*
* We used some words of the provided buffer for (x-1)/2.
*/
xm1d2_len_u32 = (xm1d2_len + 3) >> 2;
t += xm1d2_len_u32;
tlen -= xm1d2_len_u32;
xlen = (x[0] + 31) >> 5;
asize = x[0] - 1 - EQ0(x[0] & 31);
x0i = br_i31_ninv31(x[1]);
while (n -- > 0) {
uint32_t *a, *t2;
uint32_t eq1, eqm1;
size_t t2len;
/*
* Generate a random base. We don't need the base to be
* really uniform modulo x, so we just get a random
* number which is one bit shorter than x.
*/
a = t;
a[0] = x[0];
a[xlen] = 0;
mkrand(rng, a, asize);
/*
* Compute a^((x-1)/2) mod x. We assume here that the
* function will not fail (the temporary array is large
* enough).
*/
t2 = t + 1 + xlen;
t2len = tlen - 1 - xlen;
if ((t2len & 1) != 0) {
/*
* Since the source array is 64-bit aligned and
* has an even number of elements (TEMPS), we
* can use the parity of the remaining length to
* detect and adjust alignment.
*/
t2 ++;
t2len --;
}
mp31(a, xm1d2, xm1d2_len, x, x0i, t2, t2len);
/*
* We must obtain either 1 or x-1. Note that x is odd,
* hence x-1 differs from x only in its low word (no
* carry).
*/
eq1 = a[1] ^ 1;
eqm1 = a[1] ^ (x[1] - 1);
for (u = 2; u <= xlen; u ++) {
eq1 |= a[u];
eqm1 |= a[u] ^ x[u];
}
if ((EQ0(eq1) | EQ0(eqm1)) == 0) {
return 0;
}
}
return 1;
}
/*
* Create a random prime of the provided size. 'size' is the _encoded_
* bit length. The two top bits and the two bottom bits are set to 1.
*/
static void
mkprime(const br_prng_class **rng, uint32_t *x, uint32_t esize,
uint32_t pubexp, uint32_t *t, size_t tlen, br_i31_modpow_opt_type mp31)
{
size_t len;
x[0] = esize;
len = (esize + 31) >> 5;
for (;;) {
size_t u;
uint32_t m3, m5, m7, m11;
int rounds, s7, s11;
/*
* Generate random bits. We force the two top bits and the
* two bottom bits to 1.
*/
mkrand(rng, x, esize);
if ((esize & 31) == 0) {
x[len] |= 0x60000000;
} else if ((esize & 31) == 1) {
x[len] |= 0x00000001;
x[len - 1] |= 0x40000000;
} else {
x[len] |= 0x00000003 << ((esize & 31) - 2);
}
x[1] |= 0x00000003;
/*
* Trial division with low primes (3, 5, 7 and 11). We
* use the following properties:
*
* 2^2 = 1 mod 3
* 2^4 = 1 mod 5
* 2^3 = 1 mod 7
* 2^10 = 1 mod 11
*/
m3 = 0;
m5 = 0;
m7 = 0;
m11 = 0;
s7 = 0;
s11 = 0;
for (u = 0; u < len; u ++) {
uint32_t w, w3, w5, w7, w11;
w = x[1 + u];
w3 = (w & 0xFFFF) + (w >> 16); /* max: 98302 */
w5 = (w & 0xFFFF) + (w >> 16); /* max: 98302 */
w7 = (w & 0x7FFF) + (w >> 15); /* max: 98302 */
w11 = (w & 0xFFFFF) + (w >> 20); /* max: 1050622 */
m3 += w3 << (u & 1);
m3 = (m3 & 0xFF) + (m3 >> 8); /* max: 1025 */
m5 += w5 << ((4 - u) & 3);
m5 = (m5 & 0xFFF) + (m5 >> 12); /* max: 4479 */
m7 += w7 << s7;
m7 = (m7 & 0x1FF) + (m7 >> 9); /* max: 1280 */
if (++ s7 == 3) {
s7 = 0;
}
m11 += w11 << s11;
if (++ s11 == 10) {
s11 = 0;
}
m11 = (m11 & 0x3FF) + (m11 >> 10); /* max: 526847 */
}
m3 = (m3 & 0x3F) + (m3 >> 6); /* max: 78 */
m3 = (m3 & 0x0F) + (m3 >> 4); /* max: 18 */
m3 = ((m3 * 43) >> 5) & 3;
m5 = (m5 & 0xFF) + (m5 >> 8); /* max: 271 */
m5 = (m5 & 0x0F) + (m5 >> 4); /* max: 31 */
m5 -= 20 & -GT(m5, 19);
m5 -= 10 & -GT(m5, 9);
m5 -= 5 & -GT(m5, 4);
m7 = (m7 & 0x3F) + (m7 >> 6); /* max: 82 */
m7 = (m7 & 0x07) + (m7 >> 3); /* max: 16 */
m7 = ((m7 * 147) >> 7) & 7;
/*
* 2^5 = 32 = -1 mod 11.
*/
m11 = (m11 & 0x3FF) + (m11 >> 10); /* max: 1536 */
m11 = (m11 & 0x3FF) + (m11 >> 10); /* max: 1023 */
m11 = (m11 & 0x1F) + 33 - (m11 >> 5); /* max: 64 */
m11 -= 44 & -GT(m11, 43);
m11 -= 22 & -GT(m11, 21);
m11 -= 11 & -GT(m11, 10);
/*
* If any of these modulo is 0, then the candidate is
* not prime. Also, if pubexp is 3, 5, 7 or 11, and the
* corresponding modulus is 1, then the candidate must
* be rejected, because we need e to be invertible
* modulo p-1. We can use simple comparisons here
* because they won't leak information on a candidate
* that we keep, only on one that we reject (and is thus
* not secret).
*/
if (m3 == 0 || m5 == 0 || m7 == 0 || m11 == 0) {
continue;
}
if ((pubexp == 3 && m3 == 1)
- || (pubexp == 5 && m5 == 5)
- || (pubexp == 7 && m5 == 7)
- || (pubexp == 11 && m5 == 11))
+ || (pubexp == 5 && m5 == 1)
+ || (pubexp == 7 && m7 == 1)
+ || (pubexp == 11 && m11 == 1))
{
continue;
}
/*
* More trial divisions.
*/
if (!trial_divisions(x, t)) {
continue;
}
/*
* Miller-Rabin algorithm. Since we selected a random
* integer, not a maliciously crafted integer, we can use
* relatively few rounds to lower the risk of a false
* positive (i.e. declaring prime a non-prime) under
* 2^(-80). It is not useful to lower the probability much
* below that, since that would be substantially below
* the probability of the hardware misbehaving. Sufficient
* numbers of rounds are extracted from the Handbook of
* Applied Cryptography, note 4.49 (page 149).
*
* Since we work on the encoded size (esize), we need to
* compare with encoded thresholds.
*/
if (esize < 309) {
rounds = 12;
} else if (esize < 464) {
rounds = 9;
} else if (esize < 670) {
rounds = 6;
} else if (esize < 877) {
rounds = 4;
} else if (esize < 1341) {
rounds = 3;
} else {
rounds = 2;
}
if (miller_rabin(rng, x, rounds, t, tlen, mp31)) {
return;
}
}
}
/*
* Let p be a prime (p > 2^33, p = 3 mod 4). Let m = (p-1)/2, provided
* as parameter (with announced bit length equal to that of p). This
* function computes d = 1/e mod p-1 (for an odd integer e). Returned
* value is 1 on success, 0 on error (an error is reported if e is not
* invertible modulo p-1).
*
* The temporary buffer (t) must have room for at least 4 integers of
* the size of p.
*/
static uint32_t
invert_pubexp(uint32_t *d, const uint32_t *m, uint32_t e, uint32_t *t)
{
uint32_t *f;
uint32_t r;
f = t;
t += 1 + ((m[0] + 31) >> 5);
/*
* Compute d = 1/e mod m. Since p = 3 mod 4, m is odd.
*/
br_i31_zero(d, m[0]);
d[1] = 1;
br_i31_zero(f, m[0]);
f[1] = e & 0x7FFFFFFF;
f[2] = e >> 31;
r = br_i31_moddiv(d, f, m, br_i31_ninv31(m[1]), t);
/*
* We really want d = 1/e mod p-1, with p = 2m. By the CRT,
* the result is either the d we got, or d + m.
*
* Let's write e*d = 1 + k*m, for some integer k. Integers e
* and m are odd. If d is odd, then e*d is odd, which implies
* that k must be even; in that case, e*d = 1 + (k/2)*2m, and
* thus d is already fine. Conversely, if d is even, then k
* is odd, and we must add m to d in order to get the correct
* result.
*/
br_i31_add(d, m, (uint32_t)(1 - (d[1] & 1)));
return r;
}
/*
* Swap two buffers in RAM. They must be disjoint.
*/
static void
bufswap(void *b1, void *b2, size_t len)
{
size_t u;
unsigned char *buf1, *buf2;
buf1 = b1;
buf2 = b2;
for (u = 0; u < len; u ++) {
unsigned w;
w = buf1[u];
buf1[u] = buf2[u];
buf2[u] = w;
}
}
/* see inner.h */
uint32_t
br_rsa_i31_keygen_inner(const br_prng_class **rng,
br_rsa_private_key *sk, void *kbuf_priv,
br_rsa_public_key *pk, void *kbuf_pub,
unsigned size, uint32_t pubexp, br_i31_modpow_opt_type mp31)
{
uint32_t esize_p, esize_q;
size_t plen, qlen, tlen;
uint32_t *p, *q, *t;
union {
uint32_t t32[TEMPS];
uint64_t t64[TEMPS >> 1]; /* for 64-bit alignment */
} tmp;
uint32_t r;
if (size < BR_MIN_RSA_SIZE || size > BR_MAX_RSA_SIZE) {
return 0;
}
if (pubexp == 0) {
pubexp = 3;
} else if (pubexp == 1 || (pubexp & 1) == 0) {
return 0;
}
esize_p = (size + 1) >> 1;
esize_q = size - esize_p;
sk->n_bitlen = size;
sk->p = kbuf_priv;
sk->plen = (esize_p + 7) >> 3;
sk->q = sk->p + sk->plen;
sk->qlen = (esize_q + 7) >> 3;
sk->dp = sk->q + sk->qlen;
sk->dplen = sk->plen;
sk->dq = sk->dp + sk->dplen;
sk->dqlen = sk->qlen;
sk->iq = sk->dq + sk->dqlen;
sk->iqlen = sk->plen;
if (pk != NULL) {
pk->n = kbuf_pub;
pk->nlen = (size + 7) >> 3;
pk->e = pk->n + pk->nlen;
pk->elen = 4;
br_enc32be(pk->e, pubexp);
while (*pk->e == 0) {
pk->e ++;
pk->elen --;
}
}
/*
* We now switch to encoded sizes.
*
* floor((x * 16913) / (2^19)) is equal to floor(x/31) for all
* integers x from 0 to 34966; the intermediate product fits on
* 30 bits, thus we can use MUL31().
*/
esize_p += MUL31(esize_p, 16913) >> 19;
esize_q += MUL31(esize_q, 16913) >> 19;
plen = (esize_p + 31) >> 5;
qlen = (esize_q + 31) >> 5;
p = tmp.t32;
q = p + 1 + plen;
t = q + 1 + qlen;
tlen = ((sizeof tmp.t32) / sizeof(uint32_t)) - (2 + plen + qlen);
/*
* When looking for primes p and q, we temporarily divide
* candidates by 2, in order to compute the inverse of the
* public exponent.
*/
for (;;) {
mkprime(rng, p, esize_p, pubexp, t, tlen, mp31);
br_i31_rshift(p, 1);
if (invert_pubexp(t, p, pubexp, t + 1 + plen)) {
br_i31_add(p, p, 1);
p[1] |= 1;
br_i31_encode(sk->p, sk->plen, p);
br_i31_encode(sk->dp, sk->dplen, t);
break;
}
}
for (;;) {
mkprime(rng, q, esize_q, pubexp, t, tlen, mp31);
br_i31_rshift(q, 1);
if (invert_pubexp(t, q, pubexp, t + 1 + qlen)) {
br_i31_add(q, q, 1);
q[1] |= 1;
br_i31_encode(sk->q, sk->qlen, q);
br_i31_encode(sk->dq, sk->dqlen, t);
break;
}
}
/*
* If p and q have the same size, then it is possible that q > p
* (when the target modulus size is odd, we generate p with a
* greater bit length than q). If q > p, we want to swap p and q
* (and also dp and dq) for two reasons:
* - The final step below (inversion of q modulo p) is easier if
* p > q.
* - While BearSSL's RSA code is perfectly happy with RSA keys such
* that p < q, some other implementations have restrictions and
* require p > q.
*
* Note that we can do a simple non-constant-time swap here,
* because the only information we leak here is that we insist on
* returning p and q such that p > q, which is not a secret.
*/
if (esize_p == esize_q && br_i31_sub(p, q, 0) == 1) {
bufswap(p, q, (1 + plen) * sizeof *p);
bufswap(sk->p, sk->q, sk->plen);
bufswap(sk->dp, sk->dq, sk->dplen);
}
/*
* We have produced p, q, dp and dq. We can now compute iq = 1/d mod p.
*
* We ensured that p >= q, so this is just a matter of updating the
* header word for q (and possibly adding an extra word).
*
* Theoretically, the call below may fail, in case we were
* extraordinarily unlucky, and p = q. Another failure case is if
* Miller-Rabin failed us _twice_, and p and q are non-prime and
* have a factor is common. We report the error mostly because it
* is cheap and we can, but in practice this never happens (or, at
* least, it happens way less often than hardware glitches).
*/
q[0] = p[0];
if (plen > qlen) {
q[plen] = 0;
t ++;
tlen --;
}
br_i31_zero(t, p[0]);
t[1] = 1;
r = br_i31_moddiv(t, q, p, br_i31_ninv31(p[1]), t + 1 + plen);
br_i31_encode(sk->iq, sk->iqlen, t);
/*
* Compute the public modulus too, if required.
*/
if (pk != NULL) {
br_i31_zero(t, p[0]);
br_i31_mulacc(t, p, q);
br_i31_encode(pk->n, pk->nlen, t);
}
return r;
}
diff --git a/contrib/bearssl/src/rsa/rsa_i31_modulus.c b/contrib/bearssl/src/rsa/rsa_i31_modulus.c
index c469cf3c9cf7..f5f997f592cf 100644
--- a/contrib/bearssl/src/rsa/rsa_i31_modulus.c
+++ b/contrib/bearssl/src/rsa/rsa_i31_modulus.c
@@ -1,99 +1,99 @@
/*
* Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
/* see bearssl_rsa.h */
size_t
br_rsa_i31_compute_modulus(void *n, const br_rsa_private_key *sk)
{
- uint32_t tmp[2 * ((BR_MAX_RSA_SIZE + 30) / 31) + 5];
+ uint32_t tmp[4 * (((BR_MAX_RSA_SIZE / 2) + 30) / 31) + 5];
uint32_t *t, *p, *q;
const unsigned char *pbuf, *qbuf;
size_t nlen, plen, qlen, tlen;
/*
* Compute actual byte and lengths for p and q.
*/
pbuf = sk->p;
plen = sk->plen;
while (plen > 0 && *pbuf == 0) {
pbuf ++;
plen --;
}
qbuf = sk->q;
qlen = sk->qlen;
while (qlen > 0 && *qbuf == 0) {
qbuf ++;
qlen --;
}
t = tmp;
tlen = (sizeof tmp) / (sizeof tmp[0]);
/*
* Decode p.
*/
if ((31 * tlen) < (plen << 3) + 31) {
return 0;
}
br_i31_decode(t, pbuf, plen);
p = t;
plen = (p[0] + 63) >> 5;
t += plen;
tlen -= plen;
/*
* Decode q.
*/
if ((31 * tlen) < (qlen << 3) + 31) {
return 0;
}
br_i31_decode(t, qbuf, qlen);
q = t;
qlen = (q[0] + 63) >> 5;
t += qlen;
tlen -= qlen;
/*
* Computation can proceed only if we have enough room for the
* modulus.
*/
if (tlen < (plen + qlen + 1)) {
return 0;
}
/*
* Private key already contains the modulus bit length, from which
* we can infer the output length. Even if n is NULL, we still had
* to decode p and q to make sure that the product can be computed.
*/
nlen = (sk->n_bitlen + 7) >> 3;
if (n != NULL) {
br_i31_zero(t, p[0]);
br_i31_mulacc(t, p, q);
br_i31_encode(n, nlen, t);
}
return nlen;
}
diff --git a/contrib/bearssl/src/ssl/ssl_engine.c b/contrib/bearssl/src/ssl/ssl_engine.c
index f4ffe1854724..f59fe1a0f1e5 100644
--- a/contrib/bearssl/src/ssl/ssl_engine.c
+++ b/contrib/bearssl/src/ssl/ssl_engine.c
@@ -1,1569 +1,1584 @@
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
#if 0
/* obsolete */
/*
* If BR_USE_URANDOM is not defined, then try to autodetect its presence
* through compiler macros.
*/
#ifndef BR_USE_URANDOM
/*
* Macro values documented on:
* https://sourceforge.net/p/predef/wiki/OperatingSystems/
*
* Only the most common systems have been included here for now. This
* should be enriched later on.
*/
#if defined _AIX \
|| defined __ANDROID__ \
|| defined __FreeBSD__ \
|| defined __NetBSD__ \
|| defined __OpenBSD__ \
|| defined __DragonFly__ \
|| defined __linux__ \
|| (defined __sun && (defined __SVR4 || defined __svr4__)) \
|| (defined __APPLE__ && defined __MACH__)
#define BR_USE_URANDOM 1
#endif
#endif
/*
* If BR_USE_WIN32_RAND is not defined, perform autodetection here.
*/
#ifndef BR_USE_WIN32_RAND
#if defined _WIN32 || defined _WIN64
#define BR_USE_WIN32_RAND 1
#endif
#endif
#if BR_USE_URANDOM
#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#endif
#if BR_USE_WIN32_RAND
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "advapi32")
#endif
#endif
/* ==================================================================== */
/*
* This part of the file does the low-level record management.
*/
/*
* IMPLEMENTATION NOTES
* ====================
*
* In this file, we designate by "input" (and the "i" letter) the "recv"
* operations: incoming records from the peer, from which payload data
* is obtained, and must be extracted by the application (or the SSL
* handshake engine). Similarly, "output" (and the "o" letter) is for
* "send": payload data injected by the application (and SSL handshake
* engine), to be wrapped into records, that are then conveyed to the
* peer over the transport medium.
*
* The input and output buffers may be distinct or shared. When
* shared, input and output cannot occur concurrently; the caller
* must make sure that it never needs to output data while input
* data has been received. In practice, a shared buffer prevents
* pipelining of HTTP requests, or similar protocols; however, a
* shared buffer saves RAM.
*
* The input buffer is pointed to by 'ibuf' and has size 'ibuf_len';
* the output buffer is pointed to by 'obuf' and has size 'obuf_len'.
* From the size of these buffers is derived the maximum fragment
* length, which will be honoured upon sending records; regardless of
* that length, incoming records will be processed as long as they
* fit in the input buffer, and their length still complies with the
* protocol specification (maximum plaintext payload length is 16384
* bytes).
*
* Three registers are used to manage buffering in ibuf, called ixa,
* ixb and ixc. Similarly, three registers are used to manage buffering
* in obuf, called oxa, oxb and oxc.
*
*
* At any time, the engine is in one of the following modes:
* -- Failed mode: an error occurs, no I/O can happen.
* -- Input mode: the engine can either receive record bytes from the
* transport layer, or it has some buffered payload bytes to yield.
* -- Output mode: the engine can either receive payload bytes, or it
* has some record bytes to send to the transport layer.
* -- Input/Output mode: both input and output modes are active. When
* the buffer is shared, this can happen only when the buffer is empty
* (no buffered payload bytes or record bytes in either direction).
*
*
* Failed mode:
* ------------
*
* I/O failed for some reason (invalid received data, not enough room
* for the next record...). No I/O may ever occur again for this context,
* until an explicit reset is performed. This mode, and the error code,
* are also used for protocol errors, especially handshake errors.
*
*
* Input mode:
* -----------
*
* ixa index within ibuf[] for the currently read data
* ixb maximum index within ibuf[] for the currently read data
* ixc number of bytes not yet received for the current record
*
* -- When ixa == ixb, there is no available data for readers. When
* ixa != ixb, there is available data and it starts at offset ixa.
*
* -- When waiting for the next record header, ixa and ixb are equal
* and contain a value ranging from 0 to 4; ixc is equal to 5-ixa.
*
* -- When the header has been received, record data is obtained. The
* ixc field records how many bytes are still needed to reach the
* end of the current record.
*
* ** If encryption is active, then ixa and ixb are kept equal, and
* point to the end of the currently received record bytes. When
* ixc reaches 0, decryption/MAC is applied, and ixa and ixb are
* adjusted.
*
* ** If encryption is not active, then ixa and ixb are distinct
* and data can be read right away. Additional record data is
* obtained only when ixa == ixb.
*
* Note: in input mode and no encryption, records larger than the buffer
* size are allowed. When encryption is active, the complete record must
* fit within the buffer, since it cannot be decrypted/MACed until it
* has been completely received.
*
* -- When receiving the next record header, 'version_in' contains the
* expected input version (0 if not expecting a specific version); on
* mismatch, the mode switches to 'failed'.
*
* -- When the header has been received, 'version_in' contains the received
* version. It is up to the caller to check and adjust the 'version_in' field
* to implement the required semantics.
*
* -- The 'record_type_in' field is updated with the incoming record type
* when the next record header has been received.
*
*
* Output mode:
* ------------
*
* oxa index within obuf[] for the currently accumulated data
* oxb maximum index within obuf[] for record data
* oxc pointer for start of record data, and for record sending
*
* -- When oxa != oxb, more data can be accumulated into the current
* record; when oxa == oxb, a closed record is being sent.
*
* -- When accumulating data, oxc points to the start of the data.
*
* -- During record sending, oxa (and oxb) point to the next record byte
* to send, and oxc indicates the end of the current record.
*
* Note: sent records must fit within the buffer, since the header is
* adjusted only when the complete record has been assembled.
*
* -- The 'version_out' and 'record_type_out' fields are used to build the
* record header when the mode is switched to 'sending'.
*
*
* Modes:
* ------
*
* The state register iomode contains one of the following values:
*
* BR_IO_FAILED I/O failed
* BR_IO_IN input mode
* BR_IO_OUT output mode
* BR_IO_INOUT input/output mode
*
* Whether encryption is active on incoming records is indicated by the
* incrypt flag. For outgoing records, there is no such flag; "encryption"
* is always considered active, but initially uses functions that do not
* encrypt anything. The 'incrypt' flag is needed because when there is
* no active encryption, records larger than the I/O buffer are accepted.
*
* Note: we do not support no-encryption modes (MAC only).
*
* TODO: implement GCM support
*
*
* Misc:
* -----
*
* 'max_frag_len' is the maximum plaintext size for an outgoing record.
* By default, it is set to the maximum value that fits in the provided
* buffers, in the following list: 512, 1024, 2048, 4096, 16384. The
* caller may change it if needed, but the new value MUST still fit in
* the buffers, and it MUST be one of the list above for compatibility
* with the Maximum Fragment Length extension.
*
* For incoming records, only the total buffer length and current
* encryption mode impact the maximum length for incoming records. The
* 'max_frag_len' value is still adjusted so that records up to that
* length can be both received and sent.
*
*
* Offsets and lengths:
* --------------------
*
* When sending fragments with TLS-1.1+, the maximum overhead is:
* 5 bytes for the record header
* 16 bytes for the explicit IV
* 48 bytes for the MAC (HMAC/SHA-384)
* 16 bytes for the padding (AES)
* so a total of 85 extra bytes. Note that we support block cipher sizes
* up to 16 bytes (AES) and HMAC output sizes up to 48 bytes (SHA-384).
*
* With TLS-1.0 and CBC mode, we apply a 1/n-1 split, for a maximum
* overhead of:
* 5 bytes for the first record header
* 32 bytes for the first record payload (AES-CBC + HMAC/SHA-1)
* 5 bytes for the second record header
* 20 bytes for the MAC (HMAC/SHA-1)
* 16 bytes for the padding (AES)
* -1 byte to account for the payload byte in the first record
* so a total of 77 extra bytes at most, less than the 85 bytes above.
* Note that with TLS-1.0, the MAC is HMAC with either MD5 or SHA-1, but
* no other hash function.
*
* The implementation does not try to send larger records when the current
* encryption mode has less overhead.
*
* Maximum input record overhead is:
* 5 bytes for the record header
* 16 bytes for the explicit IV (TLS-1.1+)
* 48 bytes for the MAC (HMAC/SHA-384)
* 256 bytes for the padding
* so a total of 325 extra bytes.
*
* When receiving the next record header, it is written into the buffer
* bytes 0 to 4 (inclusive). Record data is always written into buf[]
* starting at offset 5. When encryption is active, the plaintext data
* may start at a larger offset (e.g. because of an explicit IV).
*/
#define MAX_OUT_OVERHEAD 85
#define MAX_IN_OVERHEAD 325
/* see inner.h */
void
br_ssl_engine_fail(br_ssl_engine_context *rc, int err)
{
if (rc->iomode != BR_IO_FAILED) {
rc->iomode = BR_IO_FAILED;
rc->err = err;
}
}
/*
* Adjust registers for a new incoming record.
*/
static void
make_ready_in(br_ssl_engine_context *rc)
{
rc->ixa = rc->ixb = 0;
rc->ixc = 5;
if (rc->iomode == BR_IO_IN) {
rc->iomode = BR_IO_INOUT;
}
}
/*
* Adjust registers for a new outgoing record.
*/
static void
make_ready_out(br_ssl_engine_context *rc)
{
size_t a, b;
a = 5;
b = rc->obuf_len - a;
rc->out.vtable->max_plaintext(&rc->out.vtable, &a, &b);
if ((b - a) > rc->max_frag_len) {
b = a + rc->max_frag_len;
}
rc->oxa = a;
rc->oxb = b;
rc->oxc = a;
if (rc->iomode == BR_IO_OUT) {
rc->iomode = BR_IO_INOUT;
}
}
/* see inner.h */
void
br_ssl_engine_new_max_frag_len(br_ssl_engine_context *rc, unsigned max_frag_len)
{
size_t nxb;
rc->max_frag_len = max_frag_len;
nxb = rc->oxc + max_frag_len;
if (rc->oxa < rc->oxb && rc->oxb > nxb && rc->oxa < nxb) {
rc->oxb = nxb;
}
}
/* see bearssl_ssl.h */
void
br_ssl_engine_set_buffer(br_ssl_engine_context *rc,
void *buf, size_t buf_len, int bidi)
{
if (buf == NULL) {
br_ssl_engine_set_buffers_bidi(rc, NULL, 0, NULL, 0);
} else {
/*
* In bidirectional mode, we want to maximise input
* buffer size, since we support arbitrary fragmentation
* when sending, but the peer will not necessarily
* comply to any low fragment length (in particular if
* we are the server, because the maximum fragment
* length extension is under client control).
*
* We keep a minimum size of 512 bytes for the plaintext
* of our outgoing records.
*
* br_ssl_engine_set_buffers_bidi() will compute the maximum
* fragment length for outgoing records by using the minimum
* of allocated spaces for both input and output records,
* rounded down to a standard length.
*/
if (bidi) {
size_t w;
if (buf_len < (512 + MAX_IN_OVERHEAD
+ 512 + MAX_OUT_OVERHEAD))
{
rc->iomode = BR_IO_FAILED;
rc->err = BR_ERR_BAD_PARAM;
return;
} else if (buf_len < (16384 + MAX_IN_OVERHEAD
+ 512 + MAX_OUT_OVERHEAD))
{
w = 512 + MAX_OUT_OVERHEAD;
} else {
w = buf_len - (16384 + MAX_IN_OVERHEAD);
}
br_ssl_engine_set_buffers_bidi(rc,
buf, buf_len - w,
(unsigned char *)buf + w, w);
} else {
br_ssl_engine_set_buffers_bidi(rc,
buf, buf_len, NULL, 0);
}
}
}
/* see bearssl_ssl.h */
void
br_ssl_engine_set_buffers_bidi(br_ssl_engine_context *rc,
void *ibuf, size_t ibuf_len, void *obuf, size_t obuf_len)
{
rc->iomode = BR_IO_INOUT;
rc->incrypt = 0;
rc->err = BR_ERR_OK;
rc->version_in = 0;
rc->record_type_in = 0;
rc->version_out = 0;
rc->record_type_out = 0;
if (ibuf == NULL) {
if (rc->ibuf == NULL) {
br_ssl_engine_fail(rc, BR_ERR_BAD_PARAM);
}
} else {
unsigned u;
rc->ibuf = ibuf;
rc->ibuf_len = ibuf_len;
if (obuf == NULL) {
obuf = ibuf;
obuf_len = ibuf_len;
}
rc->obuf = obuf;
rc->obuf_len = obuf_len;
/*
* Compute the maximum fragment length, that fits for
* both incoming and outgoing records. This length will
* be used in fragment length negotiation, so we must
* honour it both ways. Regardless, larger incoming
* records will be accepted, as long as they fit in the
* actual buffer size.
*/
for (u = 14; u >= 9; u --) {
size_t flen;
flen = (size_t)1 << u;
if (obuf_len >= flen + MAX_OUT_OVERHEAD
&& ibuf_len >= flen + MAX_IN_OVERHEAD)
{
break;
}
}
if (u == 8) {
br_ssl_engine_fail(rc, BR_ERR_BAD_PARAM);
return;
} else if (u == 13) {
u = 12;
}
rc->max_frag_len = (size_t)1 << u;
rc->log_max_frag_len = u;
rc->peer_log_max_frag_len = 0;
}
rc->out.vtable = &br_sslrec_out_clear_vtable;
make_ready_in(rc);
make_ready_out(rc);
}
/*
* Clear buffers in both directions.
*/
static void
engine_clearbuf(br_ssl_engine_context *rc)
{
make_ready_in(rc);
make_ready_out(rc);
}
/*
* Make sure the internal PRNG is initialised (but not necessarily
* seeded properly yet).
*/
static int
rng_init(br_ssl_engine_context *cc)
{
const br_hash_class *h;
if (cc->rng_init_done != 0) {
return 1;
}
/*
* If using TLS-1.2, then SHA-256 or SHA-384 must be present (or
* both); we prefer SHA-256 which is faster for 32-bit systems.
*
* If using TLS-1.0 or 1.1 then SHA-1 must be present.
*
* Though HMAC_DRBG/SHA-1 is, as far as we know, as safe as
* these things can be, we still prefer the SHA-2 functions over
* SHA-1, if only for public relations (known theoretical
* weaknesses of SHA-1 with regards to collisions are mostly
* irrelevant here, but they still make people nervous).
*/
h = br_multihash_getimpl(&cc->mhash, br_sha256_ID);
if (!h) {
h = br_multihash_getimpl(&cc->mhash, br_sha384_ID);
if (!h) {
h = br_multihash_getimpl(&cc->mhash,
br_sha1_ID);
if (!h) {
br_ssl_engine_fail(cc, BR_ERR_BAD_STATE);
return 0;
}
}
}
br_hmac_drbg_init(&cc->rng, h, NULL, 0);
cc->rng_init_done = 1;
return 1;
}
/* see inner.h */
int
br_ssl_engine_init_rand(br_ssl_engine_context *cc)
{
if (!rng_init(cc)) {
return 0;
}
/*
* We always try OS/hardware seeding once. If it works, then
* we assume proper seeding. If not, then external entropy must
* have been injected; otherwise, we report an error.
*/
if (!cc->rng_os_rand_done) {
br_prng_seeder sd;
sd = br_prng_seeder_system(NULL);
if (sd != 0 && sd(&cc->rng.vtable)) {
cc->rng_init_done = 2;
}
cc->rng_os_rand_done = 1;
}
if (cc->rng_init_done < 2) {
br_ssl_engine_fail(cc, BR_ERR_NO_RANDOM);
return 0;
}
return 1;
}
/* see bearssl_ssl.h */
void
br_ssl_engine_inject_entropy(br_ssl_engine_context *cc,
const void *data, size_t len)
{
/*
* Externally provided entropy is assumed to be "good enough"
* (we cannot really test its quality) so if the RNG structure
* could be initialised at all, then we marked the RNG as
* "properly seeded".
*/
if (!rng_init(cc)) {
return;
}
br_hmac_drbg_update(&cc->rng, data, len);
cc->rng_init_done = 2;
}
/*
* We define a few internal functions that implement the low-level engine
* API for I/O; the external API (br_ssl_engine_sendapp_buf() and similar
* functions) is built upon these function, with special processing for
* records which are not of type "application data".
*
* recvrec_buf, recvrec_ack receives bytes from transport medium
* sendrec_buf, sendrec_ack send bytes to transport medium
* recvpld_buf, recvpld_ack receives payload data from engine
* sendpld_buf, sendpld_ack send payload data to engine
*/
static unsigned char *
recvrec_buf(const br_ssl_engine_context *rc, size_t *len)
{
if (rc->shutdown_recv) {
*len = 0;
return NULL;
}
/*
* Bytes from the transport can be injected only if the mode is
* compatible (in or in/out), and ixa == ixb; ixc then contains
* the number of bytes that are still expected (but it may
* exceed our buffer size).
*
* We cannot get "stuck" here (buffer is full, but still more
* data is expected) because oversized records are detected when
* their header is processed.
*/
switch (rc->iomode) {
case BR_IO_IN:
case BR_IO_INOUT:
if (rc->ixa == rc->ixb) {
size_t z;
z = rc->ixc;
if (z > rc->ibuf_len - rc->ixa) {
z = rc->ibuf_len - rc->ixa;
}
*len = z;
return rc->ibuf + rc->ixa;
}
break;
}
*len = 0;
return NULL;
}
static void
recvrec_ack(br_ssl_engine_context *rc, size_t len)
{
unsigned char *pbuf;
size_t pbuf_len;
/*
* Adjust state if necessary (for a shared input/output buffer):
* we got some incoming bytes, so we cannot (temporarily) handle
* outgoing data.
*/
if (rc->iomode == BR_IO_INOUT && rc->ibuf == rc->obuf) {
rc->iomode = BR_IO_IN;
}
/*
* Adjust data pointers.
*/
rc->ixb = (rc->ixa += len);
rc->ixc -= len;
/*
* If we are receiving a header and did not fully obtained it
* yet, then just wait for the next bytes.
*/
if (rc->ixa < 5) {
return;
}
/*
* If we just obtained a full header, process it.
*/
if (rc->ixa == 5) {
unsigned version;
unsigned rlen;
/*
* Get record type and version. We support only versions
* 3.x (if the version major number does not match, then
* we suppose that the record format is too alien for us
* to process it).
*
* Note: right now, we reject clients that try to send
* a ClientHello in a format compatible with SSL-2.0. It
* is unclear whether this will ever be supported; and
* if we want to support it, then this might be done in
* in the server-specific code, not here.
*/
rc->record_type_in = rc->ibuf[0];
version = br_dec16be(rc->ibuf + 1);
if ((version >> 8) != 3) {
br_ssl_engine_fail(rc, BR_ERR_UNSUPPORTED_VERSION);
return;
}
/*
* We ensure that successive records have the same
* version. The handshake code must check and adjust the
* variables when necessary to accommodate the protocol
* negotiation details.
*/
if (rc->version_in != 0 && rc->version_in != version) {
br_ssl_engine_fail(rc, BR_ERR_BAD_VERSION);
return;
}
rc->version_in = version;
/*
* Decode record length. We must check that the length
* is valid (relatively to the current encryption mode)
* and also (if encryption is active) that the record
* will fit in our buffer.
*
* When no encryption is active, we can process records
* by chunks, and thus accept any record up to the
* maximum allowed plaintext length (16384 bytes).
*/
rlen = br_dec16be(rc->ibuf + 3);
if (rc->incrypt) {
if (!rc->in.vtable->check_length(
&rc->in.vtable, rlen))
{
br_ssl_engine_fail(rc, BR_ERR_BAD_LENGTH);
return;
}
if (rlen > (rc->ibuf_len - 5)) {
br_ssl_engine_fail(rc, BR_ERR_TOO_LARGE);
return;
}
} else {
if (rlen > 16384) {
br_ssl_engine_fail(rc, BR_ERR_BAD_LENGTH);
return;
}
}
/*
* If the record is completely empty then we must switch
* to a new record. Note that, in that case, we
* completely ignore the record type, which is fitting
* since we received no actual data of that type.
*
* A completely empty record is technically allowed as
* long as encryption/MAC is not active, i.e. before
* completion of the first handshake. It it still weird;
* it might conceptually be useful as a heartbeat or
* keep-alive mechanism while some lengthy operation is
* going on, e.g. interaction with a human user.
*/
if (rlen == 0) {
make_ready_in(rc);
} else {
rc->ixa = rc->ixb = 5;
rc->ixc = rlen;
}
return;
}
/*
* If there is no active encryption, then the data can be read
* right away. Note that we do not receive bytes from the
* transport medium when we still have payload bytes to be
* acknowledged.
*/
if (!rc->incrypt) {
rc->ixa = 5;
return;
}
/*
* Since encryption is active, we must wait for a full record
* before processing it.
*/
if (rc->ixc != 0) {
return;
}
/*
* We got the full record. Decrypt it.
*/
pbuf_len = rc->ixa - 5;
pbuf = rc->in.vtable->decrypt(&rc->in.vtable,
rc->record_type_in, rc->version_in, rc->ibuf + 5, &pbuf_len);
if (pbuf == 0) {
br_ssl_engine_fail(rc, BR_ERR_BAD_MAC);
return;
}
rc->ixa = (size_t)(pbuf - rc->ibuf);
rc->ixb = rc->ixa + pbuf_len;
/*
* Decryption may have yielded an empty record, in which case
* we get back to "ready" state immediately.
*/
if (rc->ixa == rc->ixb) {
make_ready_in(rc);
}
}
/* see inner.h */
int
br_ssl_engine_recvrec_finished(const br_ssl_engine_context *rc)
{
switch (rc->iomode) {
case BR_IO_IN:
case BR_IO_INOUT:
return rc->ixc == 0 || rc->ixa < 5;
default:
return 1;
}
}
static unsigned char *
recvpld_buf(const br_ssl_engine_context *rc, size_t *len)
{
/*
* There is payload data to be read only if the mode is
* compatible, and ixa != ixb.
*/
switch (rc->iomode) {
case BR_IO_IN:
case BR_IO_INOUT:
*len = rc->ixb - rc->ixa;
return (*len == 0) ? NULL : (rc->ibuf + rc->ixa);
default:
*len = 0;
return NULL;
}
}
static void
recvpld_ack(br_ssl_engine_context *rc, size_t len)
{
rc->ixa += len;
/*
* If we read all the available data, then we either expect
* the remainder of the current record (if the current record
* was not finished; this may happen when encryption is not
* active), or go to "ready" state.
*/
if (rc->ixa == rc->ixb) {
if (rc->ixc == 0) {
make_ready_in(rc);
} else {
rc->ixa = rc->ixb = 5;
}
}
}
static unsigned char *
sendpld_buf(const br_ssl_engine_context *rc, size_t *len)
{
/*
* Payload data can be injected only if the current mode is
* compatible, and oxa != oxb.
*/
switch (rc->iomode) {
case BR_IO_OUT:
case BR_IO_INOUT:
*len = rc->oxb - rc->oxa;
return (*len == 0) ? NULL : (rc->obuf + rc->oxa);
default:
*len = 0;
return NULL;
}
}
/*
* If some payload bytes have been accumulated, then wrap them into
* an outgoing record. Otherwise, this function does nothing, unless
* 'force' is non-zero, in which case an empty record is assembled.
*
* The caller must take care not to invoke this function if the engine
* is not currently ready to receive payload bytes to send.
*/
static void
sendpld_flush(br_ssl_engine_context *rc, int force)
{
size_t xlen;
unsigned char *buf;
if (rc->oxa == rc->oxb) {
return;
}
xlen = rc->oxa - rc->oxc;
if (xlen == 0 && !force) {
return;
}
buf = rc->out.vtable->encrypt(&rc->out.vtable,
rc->record_type_out, rc->version_out,
rc->obuf + rc->oxc, &xlen);
rc->oxb = rc->oxa = (size_t)(buf - rc->obuf);
rc->oxc = rc->oxa + xlen;
}
static void
sendpld_ack(br_ssl_engine_context *rc, size_t len)
{
/*
* If using a shared buffer, then we may have to modify the
* current mode.
*/
if (rc->iomode == BR_IO_INOUT && rc->ibuf == rc->obuf) {
rc->iomode = BR_IO_OUT;
}
rc->oxa += len;
if (rc->oxa >= rc->oxb) {
/*
* Set oxb to one more than oxa so that sendpld_flush()
* does not mistakingly believe that a record is
* already prepared and being sent.
*/
rc->oxb = rc->oxa + 1;
sendpld_flush(rc, 0);
}
}
static unsigned char *
sendrec_buf(const br_ssl_engine_context *rc, size_t *len)
{
/*
* When still gathering payload bytes, oxc points to the start
* of the record data, so oxc <= oxa. However, when a full
* record has been completed, oxc points to the end of the record,
* so oxc > oxa.
*/
switch (rc->iomode) {
case BR_IO_OUT:
case BR_IO_INOUT:
if (rc->oxc > rc->oxa) {
*len = rc->oxc - rc->oxa;
return rc->obuf + rc->oxa;
}
break;
}
*len = 0;
return NULL;
}
static void
sendrec_ack(br_ssl_engine_context *rc, size_t len)
{
rc->oxb = (rc->oxa += len);
if (rc->oxa == rc->oxc) {
make_ready_out(rc);
}
}
/*
* Test whether there is some buffered outgoing record that still must
* sent.
*/
static inline int
has_rec_tosend(const br_ssl_engine_context *rc)
{
return rc->oxa == rc->oxb && rc->oxa != rc->oxc;
}
/*
* The "no encryption" mode has no overhead. It limits the payload size
* to the maximum size allowed by the standard (16384 bytes); the caller
* is responsible for possibly enforcing a smaller fragment length.
*/
static void
clear_max_plaintext(const br_sslrec_out_clear_context *cc,
size_t *start, size_t *end)
{
size_t len;
(void)cc;
len = *end - *start;
if (len > 16384) {
*end = *start + 16384;
}
}
/*
* In "no encryption" mode, encryption is trivial (a no-operation) so
* we just have to encode the header.
*/
static unsigned char *
clear_encrypt(br_sslrec_out_clear_context *cc,
int record_type, unsigned version, void *data, size_t *data_len)
{
unsigned char *buf;
(void)cc;
buf = (unsigned char *)data - 5;
buf[0] = record_type;
br_enc16be(buf + 1, version);
br_enc16be(buf + 3, *data_len);
*data_len += 5;
return buf;
}
/* see bearssl_ssl.h */
const br_sslrec_out_class br_sslrec_out_clear_vtable = {
sizeof(br_sslrec_out_clear_context),
(void (*)(const br_sslrec_out_class *const *, size_t *, size_t *))
&clear_max_plaintext,
(unsigned char *(*)(const br_sslrec_out_class **,
int, unsigned, void *, size_t *))
&clear_encrypt
};
/* ==================================================================== */
/*
* In this part of the file, we handle the various record types, and
* communications with the handshake processor.
*/
/*
* IMPLEMENTATION NOTES
* ====================
*
* The handshake processor is written in T0 and runs as a coroutine.
* It receives the contents of all records except application data, and
* is responsible for producing the contents of all records except
* application data.
*
* A state flag is maintained, which specifies whether application data
* is acceptable or not. When it is set:
*
* -- Application data can be injected as payload data (provided that
* the output buffer is ready for that).
*
* -- Incoming application data records are accepted, and yield data
* that the caller may retrieve.
*
* When the flag is cleared, application data is not accepted from the
* application, and incoming application data records trigger an error.
*
*
* Records of type handshake, alert or change-cipher-spec are handled
* by the handshake processor. The handshake processor is written in T0
* and runs as a coroutine; it gets invoked whenever one of the following
* situations is reached:
*
* -- An incoming record has type handshake, alert or change-cipher-spec,
* and yields data that can be read (zero-length records are thus
* ignored).
*
* -- An outgoing record has just finished being sent, and the "application
* data" flag is cleared.
*
* -- The caller wishes to perform a close (call to br_ssl_engine_close()).
*
* -- The caller wishes to perform a renegotiation (call to
* br_ssl_engine_renegotiate()).
*
* Whenever the handshake processor is entered, access to the payload
* buffers is provided, along with some information about explicit
* closures or renegotiations.
*/
/* see bearssl_ssl.h */
void
br_ssl_engine_set_suites(br_ssl_engine_context *cc,
const uint16_t *suites, size_t suites_num)
{
if ((suites_num * sizeof *suites) > sizeof cc->suites_buf) {
br_ssl_engine_fail(cc, BR_ERR_BAD_PARAM);
return;
}
memcpy(cc->suites_buf, suites, suites_num * sizeof *suites);
cc->suites_num = suites_num;
}
/*
* Give control to handshake processor. 'action' is 1 for a close,
* 2 for a renegotiation, or 0 for a jump due to I/O completion.
*/
static void
jump_handshake(br_ssl_engine_context *cc, int action)
{
/*
* We use a loop because the handshake processor actions may
* allow for more actions; namely, if the processor reads all
* input data, then it may allow for output data to be produced,
* in case of a shared in/out buffer.
*/
for (;;) {
size_t hlen_in, hlen_out;
/*
* Get input buffer. We do not want to provide
* application data to the handshake processor (we could
* get called with an explicit close or renegotiation
* while there is application data ready to be read).
*/
cc->hbuf_in = recvpld_buf(cc, &hlen_in);
if (cc->hbuf_in != NULL
&& cc->record_type_in == BR_SSL_APPLICATION_DATA)
{
hlen_in = 0;
}
/*
* Get output buffer. The handshake processor never
* leaves an unfinished outgoing record, so if there is
* buffered output, then it MUST be some application
* data, so the processor cannot write to it.
*/
cc->saved_hbuf_out = cc->hbuf_out = sendpld_buf(cc, &hlen_out);
if (cc->hbuf_out != NULL && br_ssl_engine_has_pld_to_send(cc)) {
hlen_out = 0;
}
/*
* Note: hlen_in and hlen_out can be both non-zero only if
* the input and output buffers are disjoint. Thus, we can
* offer both buffers to the handshake code.
*/
cc->hlen_in = hlen_in;
cc->hlen_out = hlen_out;
cc->action = action;
cc->hsrun(&cc->cpu);
if (br_ssl_engine_closed(cc)) {
return;
}
if (cc->hbuf_out != cc->saved_hbuf_out) {
sendpld_ack(cc, cc->hbuf_out - cc->saved_hbuf_out);
}
if (hlen_in != cc->hlen_in) {
recvpld_ack(cc, hlen_in - cc->hlen_in);
if (cc->hlen_in == 0) {
/*
* We read all data bytes, which may have
* released the output buffer in case it
* is shared with the input buffer, and
* the handshake code might be waiting for
* that.
*/
action = 0;
continue;
}
}
break;
}
}
/* see inner.h */
void
br_ssl_engine_flush_record(br_ssl_engine_context *cc)
{
if (cc->hbuf_out != cc->saved_hbuf_out) {
sendpld_ack(cc, cc->hbuf_out - cc->saved_hbuf_out);
}
if (br_ssl_engine_has_pld_to_send(cc)) {
sendpld_flush(cc, 0);
}
cc->saved_hbuf_out = cc->hbuf_out = sendpld_buf(cc, &cc->hlen_out);
}
/* see bearssl_ssl.h */
unsigned char *
br_ssl_engine_sendapp_buf(const br_ssl_engine_context *cc, size_t *len)
{
if (!(cc->application_data & 1)) {
*len = 0;
return NULL;
}
return sendpld_buf(cc, len);
}
/* see bearssl_ssl.h */
void
br_ssl_engine_sendapp_ack(br_ssl_engine_context *cc, size_t len)
{
sendpld_ack(cc, len);
}
/* see bearssl_ssl.h */
unsigned char *
br_ssl_engine_recvapp_buf(const br_ssl_engine_context *cc, size_t *len)
{
if (!(cc->application_data & 1)
|| cc->record_type_in != BR_SSL_APPLICATION_DATA)
{
*len = 0;
return NULL;
}
return recvpld_buf(cc, len);
}
/* see bearssl_ssl.h */
void
br_ssl_engine_recvapp_ack(br_ssl_engine_context *cc, size_t len)
{
recvpld_ack(cc, len);
}
/* see bearssl_ssl.h */
unsigned char *
br_ssl_engine_sendrec_buf(const br_ssl_engine_context *cc, size_t *len)
{
return sendrec_buf(cc, len);
}
/* see bearssl_ssl.h */
void
br_ssl_engine_sendrec_ack(br_ssl_engine_context *cc, size_t len)
{
sendrec_ack(cc, len);
if (len != 0 && !has_rec_tosend(cc)
&& (cc->record_type_out != BR_SSL_APPLICATION_DATA
|| (cc->application_data & 1) == 0))
{
jump_handshake(cc, 0);
}
}
/* see bearssl_ssl.h */
unsigned char *
br_ssl_engine_recvrec_buf(const br_ssl_engine_context *cc, size_t *len)
{
return recvrec_buf(cc, len);
}
/* see bearssl_ssl.h */
void
br_ssl_engine_recvrec_ack(br_ssl_engine_context *cc, size_t len)
{
unsigned char *buf;
recvrec_ack(cc, len);
if (br_ssl_engine_closed(cc)) {
return;
}
/*
* We just received some bytes from the peer. This may have
* yielded some payload bytes, in which case we must process
* them according to the record type.
*/
buf = recvpld_buf(cc, &len);
if (buf != NULL) {
switch (cc->record_type_in) {
case BR_SSL_CHANGE_CIPHER_SPEC:
case BR_SSL_ALERT:
case BR_SSL_HANDSHAKE:
jump_handshake(cc, 0);
break;
case BR_SSL_APPLICATION_DATA:
if (cc->application_data == 1) {
break;
}
/*
* If we are currently closing, and waiting for
* a close_notify from the peer, then incoming
* application data should be discarded.
*/
if (cc->application_data == 2) {
recvpld_ack(cc, len);
break;
}
/* Fall through */
default:
br_ssl_engine_fail(cc, BR_ERR_UNEXPECTED);
break;
}
}
}
/* see bearssl_ssl.h */
void
br_ssl_engine_close(br_ssl_engine_context *cc)
{
if (!br_ssl_engine_closed(cc)) {
+ /*
+ * If we are not already closed, then we need to
+ * initiate the closure. Once closing, any incoming
+ * application data is discarded; we should also discard
+ * application data which is already there but has not
+ * been acknowledged by the application yet (this mimics
+ * usual semantics on BSD sockets: you cannot read()
+ * once you called close(), even if there was some
+ * unread data already buffered).
+ */
+ size_t len;
+
+ if (br_ssl_engine_recvapp_buf(cc, &len) != NULL && len != 0) {
+ br_ssl_engine_recvapp_ack(cc, len);
+ }
jump_handshake(cc, 1);
}
}
/* see bearssl_ssl.h */
int
br_ssl_engine_renegotiate(br_ssl_engine_context *cc)
{
size_t len;
if (br_ssl_engine_closed(cc) || cc->reneg == 1
|| (cc->flags & BR_OPT_NO_RENEGOTIATION) != 0
|| br_ssl_engine_recvapp_buf(cc, &len) != NULL)
{
return 0;
}
jump_handshake(cc, 2);
return 1;
}
/* see bearssl.h */
unsigned
br_ssl_engine_current_state(const br_ssl_engine_context *cc)
{
unsigned s;
size_t len;
if (br_ssl_engine_closed(cc)) {
return BR_SSL_CLOSED;
}
s = 0;
if (br_ssl_engine_sendrec_buf(cc, &len) != NULL) {
s |= BR_SSL_SENDREC;
}
if (br_ssl_engine_recvrec_buf(cc, &len) != NULL) {
s |= BR_SSL_RECVREC;
}
if (br_ssl_engine_sendapp_buf(cc, &len) != NULL) {
s |= BR_SSL_SENDAPP;
}
if (br_ssl_engine_recvapp_buf(cc, &len) != NULL) {
s |= BR_SSL_RECVAPP;
}
return s;
}
/* see bearssl_ssl.h */
void
br_ssl_engine_flush(br_ssl_engine_context *cc, int force)
{
if (!br_ssl_engine_closed(cc) && (cc->application_data & 1) != 0) {
sendpld_flush(cc, force);
}
}
/* see inner.h */
void
br_ssl_engine_hs_reset(br_ssl_engine_context *cc,
void (*hsinit)(void *), void (*hsrun)(void *))
{
engine_clearbuf(cc);
cc->cpu.dp = cc->dp_stack;
cc->cpu.rp = cc->rp_stack;
hsinit(&cc->cpu);
cc->hsrun = hsrun;
cc->shutdown_recv = 0;
cc->application_data = 0;
cc->alert = 0;
jump_handshake(cc, 0);
}
/* see inner.h */
br_tls_prf_impl
br_ssl_engine_get_PRF(br_ssl_engine_context *cc, int prf_id)
{
if (cc->session.version >= BR_TLS12) {
if (prf_id == br_sha384_ID) {
return cc->prf_sha384;
} else {
return cc->prf_sha256;
}
} else {
return cc->prf10;
}
}
/* see inner.h */
void
br_ssl_engine_compute_master(br_ssl_engine_context *cc,
int prf_id, const void *pms, size_t pms_len)
{
br_tls_prf_impl iprf;
br_tls_prf_seed_chunk seed[2] = {
{ cc->client_random, sizeof cc->client_random },
{ cc->server_random, sizeof cc->server_random }
};
iprf = br_ssl_engine_get_PRF(cc, prf_id);
iprf(cc->session.master_secret, sizeof cc->session.master_secret,
pms, pms_len, "master secret", 2, seed);
}
/*
* Compute key block.
*/
static void
compute_key_block(br_ssl_engine_context *cc, int prf_id,
size_t half_len, unsigned char *kb)
{
br_tls_prf_impl iprf;
br_tls_prf_seed_chunk seed[2] = {
{ cc->server_random, sizeof cc->server_random },
{ cc->client_random, sizeof cc->client_random }
};
iprf = br_ssl_engine_get_PRF(cc, prf_id);
iprf(kb, half_len << 1,
cc->session.master_secret, sizeof cc->session.master_secret,
"key expansion", 2, seed);
}
/* see inner.h */
void
br_ssl_engine_switch_cbc_in(br_ssl_engine_context *cc,
int is_client, int prf_id, int mac_id,
const br_block_cbcdec_class *bc_impl, size_t cipher_key_len)
{
unsigned char kb[192];
unsigned char *cipher_key, *mac_key, *iv;
const br_hash_class *imh;
size_t mac_key_len, mac_out_len, iv_len;
imh = br_ssl_engine_get_hash(cc, mac_id);
mac_out_len = (imh->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK;
mac_key_len = mac_out_len;
/*
* TLS 1.1+ uses per-record explicit IV, so no IV to generate here.
*/
if (cc->session.version >= BR_TLS11) {
iv_len = 0;
} else {
iv_len = bc_impl->block_size;
}
compute_key_block(cc, prf_id,
mac_key_len + cipher_key_len + iv_len, kb);
if (is_client) {
mac_key = &kb[mac_key_len];
cipher_key = &kb[(mac_key_len << 1) + cipher_key_len];
iv = &kb[((mac_key_len + cipher_key_len) << 1) + iv_len];
} else {
mac_key = &kb[0];
cipher_key = &kb[mac_key_len << 1];
iv = &kb[(mac_key_len + cipher_key_len) << 1];
}
if (iv_len == 0) {
iv = NULL;
}
cc->icbc_in->init(&cc->in.cbc.vtable,
bc_impl, cipher_key, cipher_key_len,
imh, mac_key, mac_key_len, mac_out_len, iv);
cc->incrypt = 1;
}
/* see inner.h */
void
br_ssl_engine_switch_cbc_out(br_ssl_engine_context *cc,
int is_client, int prf_id, int mac_id,
const br_block_cbcenc_class *bc_impl, size_t cipher_key_len)
{
unsigned char kb[192];
unsigned char *cipher_key, *mac_key, *iv;
const br_hash_class *imh;
size_t mac_key_len, mac_out_len, iv_len;
imh = br_ssl_engine_get_hash(cc, mac_id);
mac_out_len = (imh->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK;
mac_key_len = mac_out_len;
/*
* TLS 1.1+ uses per-record explicit IV, so no IV to generate here.
*/
if (cc->session.version >= BR_TLS11) {
iv_len = 0;
} else {
iv_len = bc_impl->block_size;
}
compute_key_block(cc, prf_id,
mac_key_len + cipher_key_len + iv_len, kb);
if (is_client) {
mac_key = &kb[0];
cipher_key = &kb[mac_key_len << 1];
iv = &kb[(mac_key_len + cipher_key_len) << 1];
} else {
mac_key = &kb[mac_key_len];
cipher_key = &kb[(mac_key_len << 1) + cipher_key_len];
iv = &kb[((mac_key_len + cipher_key_len) << 1) + iv_len];
}
if (iv_len == 0) {
iv = NULL;
}
cc->icbc_out->init(&cc->out.cbc.vtable,
bc_impl, cipher_key, cipher_key_len,
imh, mac_key, mac_key_len, mac_out_len, iv);
}
/* see inner.h */
void
br_ssl_engine_switch_gcm_in(br_ssl_engine_context *cc,
int is_client, int prf_id,
const br_block_ctr_class *bc_impl, size_t cipher_key_len)
{
unsigned char kb[72];
unsigned char *cipher_key, *iv;
compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
if (is_client) {
cipher_key = &kb[cipher_key_len];
iv = &kb[(cipher_key_len << 1) + 4];
} else {
cipher_key = &kb[0];
iv = &kb[cipher_key_len << 1];
}
cc->igcm_in->init(&cc->in.gcm.vtable.in,
bc_impl, cipher_key, cipher_key_len, cc->ighash, iv);
cc->incrypt = 1;
}
/* see inner.h */
void
br_ssl_engine_switch_gcm_out(br_ssl_engine_context *cc,
int is_client, int prf_id,
const br_block_ctr_class *bc_impl, size_t cipher_key_len)
{
unsigned char kb[72];
unsigned char *cipher_key, *iv;
compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
if (is_client) {
cipher_key = &kb[0];
iv = &kb[cipher_key_len << 1];
} else {
cipher_key = &kb[cipher_key_len];
iv = &kb[(cipher_key_len << 1) + 4];
}
cc->igcm_out->init(&cc->out.gcm.vtable.out,
bc_impl, cipher_key, cipher_key_len, cc->ighash, iv);
}
/* see inner.h */
void
br_ssl_engine_switch_chapol_in(br_ssl_engine_context *cc,
int is_client, int prf_id)
{
unsigned char kb[88];
unsigned char *cipher_key, *iv;
compute_key_block(cc, prf_id, 44, kb);
if (is_client) {
cipher_key = &kb[32];
iv = &kb[76];
} else {
cipher_key = &kb[0];
iv = &kb[64];
}
cc->ichapol_in->init(&cc->in.chapol.vtable.in,
cc->ichacha, cc->ipoly, cipher_key, iv);
cc->incrypt = 1;
}
/* see inner.h */
void
br_ssl_engine_switch_chapol_out(br_ssl_engine_context *cc,
int is_client, int prf_id)
{
unsigned char kb[88];
unsigned char *cipher_key, *iv;
compute_key_block(cc, prf_id, 44, kb);
if (is_client) {
cipher_key = &kb[0];
iv = &kb[64];
} else {
cipher_key = &kb[32];
iv = &kb[76];
}
cc->ichapol_out->init(&cc->out.chapol.vtable.out,
cc->ichacha, cc->ipoly, cipher_key, iv);
}
/* see inner.h */
void
br_ssl_engine_switch_ccm_in(br_ssl_engine_context *cc,
int is_client, int prf_id,
const br_block_ctrcbc_class *bc_impl,
size_t cipher_key_len, size_t tag_len)
{
unsigned char kb[72];
unsigned char *cipher_key, *iv;
compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
if (is_client) {
cipher_key = &kb[cipher_key_len];
iv = &kb[(cipher_key_len << 1) + 4];
} else {
cipher_key = &kb[0];
iv = &kb[cipher_key_len << 1];
}
cc->iccm_in->init(&cc->in.ccm.vtable.in,
bc_impl, cipher_key, cipher_key_len, iv, tag_len);
cc->incrypt = 1;
}
/* see inner.h */
void
br_ssl_engine_switch_ccm_out(br_ssl_engine_context *cc,
int is_client, int prf_id,
const br_block_ctrcbc_class *bc_impl,
size_t cipher_key_len, size_t tag_len)
{
unsigned char kb[72];
unsigned char *cipher_key, *iv;
compute_key_block(cc, prf_id, cipher_key_len + 4, kb);
if (is_client) {
cipher_key = &kb[0];
iv = &kb[cipher_key_len << 1];
} else {
cipher_key = &kb[cipher_key_len];
iv = &kb[(cipher_key_len << 1) + 4];
}
cc->iccm_out->init(&cc->out.ccm.vtable.out,
bc_impl, cipher_key, cipher_key_len, iv, tag_len);
}
diff --git a/contrib/bearssl/src/ssl/ssl_rec_cbc.c b/contrib/bearssl/src/ssl/ssl_rec_cbc.c
index c0806049e3cd..c38cbfdfb1cc 100644
--- a/contrib/bearssl/src/ssl/ssl_rec_cbc.c
+++ b/contrib/bearssl/src/ssl/ssl_rec_cbc.c
@@ -1,440 +1,440 @@
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
static void
in_cbc_init(br_sslrec_in_cbc_context *cc,
const br_block_cbcdec_class *bc_impl,
const void *bc_key, size_t bc_key_len,
const br_hash_class *dig_impl,
const void *mac_key, size_t mac_key_len, size_t mac_out_len,
const void *iv)
{
cc->vtable = &br_sslrec_in_cbc_vtable;
cc->seq = 0;
bc_impl->init(&cc->bc.vtable, bc_key, bc_key_len);
br_hmac_key_init(&cc->mac, dig_impl, mac_key, mac_key_len);
cc->mac_len = mac_out_len;
if (iv == NULL) {
memset(cc->iv, 0, sizeof cc->iv);
cc->explicit_IV = 1;
} else {
memcpy(cc->iv, iv, bc_impl->block_size);
cc->explicit_IV = 0;
}
}
static int
cbc_check_length(const br_sslrec_in_cbc_context *cc, size_t rlen)
{
/*
* Plaintext size: at most 16384 bytes
* Padding: at most 256 bytes
* MAC: mac_len extra bytes
* TLS 1.1+: each record has an explicit IV
*
* Minimum length includes at least one byte of padding, and the
* MAC.
*
* Total length must be a multiple of the block size.
*/
size_t blen;
size_t min_len, max_len;
blen = cc->bc.vtable->block_size;
min_len = (blen + cc->mac_len) & ~(blen - 1);
max_len = (16384 + 256 + cc->mac_len) & ~(blen - 1);
if (cc->explicit_IV) {
min_len += blen;
max_len += blen;
}
return min_len <= rlen && rlen <= max_len;
}
/*
* Rotate array buf[] of length 'len' to the left (towards low indices)
* by 'num' bytes if ctl is 1; otherwise, leave it unchanged. This is
* constant-time. 'num' MUST be lower than 'len'. 'len' MUST be lower
* than or equal to 64.
*/
static void
cond_rotate(uint32_t ctl, unsigned char *buf, size_t len, size_t num)
{
unsigned char tmp[64];
size_t u, v;
for (u = 0, v = num; u < len; u ++) {
tmp[u] = MUX(ctl, buf[v], buf[u]);
if (++ v == len) {
v = 0;
}
}
memcpy(buf, tmp, len);
}
static unsigned char *
cbc_decrypt(br_sslrec_in_cbc_context *cc,
int record_type, unsigned version, void *data, size_t *data_len)
{
/*
* We represent all lengths on 32-bit integers, because:
* -- SSL record lengths always fit in 32 bits;
* -- our constant-time primitives operate on 32-bit integers.
*/
unsigned char *buf;
uint32_t u, v, len, blen, min_len, max_len;
uint32_t good, pad_len, rot_count, len_withmac, len_nomac;
unsigned char tmp1[64], tmp2[64];
int i;
br_hmac_context hc;
buf = data;
len = *data_len;
blen = cc->bc.vtable->block_size;
/*
* Decrypt data, and skip the explicit IV (if applicable). Note
* that the total length is supposed to have been verified by
* the caller. If there is an explicit IV, then we actually
* "decrypt" it using the implicit IV (from previous record),
* which is useless but harmless.
*/
cc->bc.vtable->run(&cc->bc.vtable, cc->iv, data, len);
if (cc->explicit_IV) {
buf += blen;
len -= blen;
}
/*
* Compute minimum and maximum length of plaintext + MAC. These
* lengths can be inferred from the outside: they are not secret.
*/
min_len = (cc->mac_len + 256 < len) ? len - 256 : cc->mac_len;
max_len = len - 1;
/*
* Use the last decrypted byte to compute the actual payload
- * length. Take care not to underflow (we use unsigned types).
+ * length. Take care not to overflow (we use unsigned types).
*/
pad_len = buf[max_len];
good = LE(pad_len, (uint32_t)(max_len - min_len));
len = MUX(good, (uint32_t)(max_len - pad_len), min_len);
/*
* Check padding contents: all padding bytes must be equal to
* the value of pad_len.
*/
for (u = min_len; u < max_len; u ++) {
good &= LT(u, len) | EQ(buf[u], pad_len);
}
/*
* Extract the MAC value. This is done in one pass, but results
* in a "rotated" MAC value depending on where it actually
* occurs. The 'rot_count' value is set to the offset of the
* first MAC byte within tmp1[].
*
* min_len and max_len are also adjusted to the minimum and
* maximum lengths of the plaintext alone (without the MAC).
*/
len_withmac = (uint32_t)len;
len_nomac = len_withmac - cc->mac_len;
min_len -= cc->mac_len;
rot_count = 0;
memset(tmp1, 0, cc->mac_len);
v = 0;
for (u = min_len; u < max_len; u ++) {
tmp1[v] |= MUX(GE(u, len_nomac) & LT(u, len_withmac),
buf[u], 0x00);
rot_count = MUX(EQ(u, len_nomac), v, rot_count);
if (++ v == cc->mac_len) {
v = 0;
}
}
max_len -= cc->mac_len;
/*
* Rotate back the MAC value. The loop below does the constant-time
* rotation in time n*log n for a MAC output of length n. We assume
* that the MAC output length is no more than 64 bytes, so the
* rotation count fits on 6 bits.
*/
for (i = 5; i >= 0; i --) {
uint32_t rc;
rc = (uint32_t)1 << i;
cond_rotate(rot_count >> i, tmp1, cc->mac_len, rc);
rot_count &= ~rc;
}
/*
* Recompute the HMAC value. The input is the concatenation of
* the sequence number (8 bytes), the record header (5 bytes),
* and the payload.
*
* At that point, min_len is the minimum plaintext length, but
* max_len still includes the MAC length.
*/
br_enc64be(tmp2, cc->seq ++);
tmp2[8] = (unsigned char)record_type;
br_enc16be(tmp2 + 9, version);
br_enc16be(tmp2 + 11, len_nomac);
br_hmac_init(&hc, &cc->mac, cc->mac_len);
br_hmac_update(&hc, tmp2, 13);
br_hmac_outCT(&hc, buf, len_nomac, min_len, max_len, tmp2);
/*
* Compare the extracted and recomputed MAC values.
*/
for (u = 0; u < cc->mac_len; u ++) {
good &= EQ0(tmp1[u] ^ tmp2[u]);
}
/*
* Check that the plaintext length is valid. The previous
* check was on the encrypted length, but the padding may have
* turned shorter than expected.
*
* Once this final test is done, the critical "constant-time"
* section ends and we can make conditional jumps again.
*/
good &= LE(len_nomac, 16384);
if (!good) {
return 0;
}
*data_len = len_nomac;
return buf;
}
/* see bearssl_ssl.h */
const br_sslrec_in_cbc_class br_sslrec_in_cbc_vtable = {
{
sizeof(br_sslrec_in_cbc_context),
(int (*)(const br_sslrec_in_class *const *, size_t))
&cbc_check_length,
(unsigned char *(*)(const br_sslrec_in_class **,
int, unsigned, void *, size_t *))
&cbc_decrypt
},
(void (*)(const br_sslrec_in_cbc_class **,
const br_block_cbcdec_class *, const void *, size_t,
const br_hash_class *, const void *, size_t, size_t,
const void *))
&in_cbc_init
};
/*
* For CBC output:
*
* -- With TLS 1.1+, there is an explicit IV. Generation method uses
* HMAC, computed over the current sequence number, and the current MAC
* key. The resulting value is truncated to the size of a block, and
* added at the head of the plaintext; it will get encrypted along with
* the data. This custom generation mechanism is "safe" under the
* assumption that HMAC behaves like a random oracle; since the MAC for
* a record is computed over the concatenation of the sequence number,
* the record header and the plaintext, the HMAC-for-IV will not collide
* with the normal HMAC.
*
* -- With TLS 1.0, for application data, we want to enforce a 1/n-1
* split, as a countermeasure against chosen-plaintext attacks. We thus
* need to leave some room in the buffer for that extra record.
*/
static void
out_cbc_init(br_sslrec_out_cbc_context *cc,
const br_block_cbcenc_class *bc_impl,
const void *bc_key, size_t bc_key_len,
const br_hash_class *dig_impl,
const void *mac_key, size_t mac_key_len, size_t mac_out_len,
const void *iv)
{
cc->vtable = &br_sslrec_out_cbc_vtable;
cc->seq = 0;
bc_impl->init(&cc->bc.vtable, bc_key, bc_key_len);
br_hmac_key_init(&cc->mac, dig_impl, mac_key, mac_key_len);
cc->mac_len = mac_out_len;
if (iv == NULL) {
memset(cc->iv, 0, sizeof cc->iv);
cc->explicit_IV = 1;
} else {
memcpy(cc->iv, iv, bc_impl->block_size);
cc->explicit_IV = 0;
}
}
static void
cbc_max_plaintext(const br_sslrec_out_cbc_context *cc,
size_t *start, size_t *end)
{
size_t blen, len;
blen = cc->bc.vtable->block_size;
if (cc->explicit_IV) {
*start += blen;
} else {
*start += 4 + ((cc->mac_len + blen + 1) & ~(blen - 1));
}
len = (*end - *start) & ~(blen - 1);
len -= 1 + cc->mac_len;
if (len > 16384) {
len = 16384;
}
*end = *start + len;
}
static unsigned char *
cbc_encrypt(br_sslrec_out_cbc_context *cc,
int record_type, unsigned version, void *data, size_t *data_len)
{
unsigned char *buf, *rbuf;
size_t len, blen, plen;
unsigned char tmp[13];
br_hmac_context hc;
buf = data;
len = *data_len;
blen = cc->bc.vtable->block_size;
/*
* If using TLS 1.0, with more than one byte of plaintext, and
* the record is application data, then we need to compute
* a "split". We do not perform the split on other record types
* because it turned out that some existing, deployed
* implementations of SSL/TLS do not tolerate the splitting of
* some message types (in particular the Finished message).
*
* If using TLS 1.1+, then there is an explicit IV. We produce
* that IV by adding an extra initial plaintext block, whose
* value is computed with HMAC over the record sequence number.
*/
if (cc->explicit_IV) {
/*
* We use here the fact that all the HMAC variants we
* support can produce at least 16 bytes, while all the
* block ciphers we support have blocks of no more than
* 16 bytes. Thus, we can always truncate the HMAC output
* down to the block size.
*/
br_enc64be(tmp, cc->seq);
br_hmac_init(&hc, &cc->mac, blen);
br_hmac_update(&hc, tmp, 8);
br_hmac_out(&hc, buf - blen);
rbuf = buf - blen - 5;
} else {
if (len > 1 && record_type == BR_SSL_APPLICATION_DATA) {
/*
* To do the split, we use a recursive invocation;
* since we only give one byte to the inner call,
* the recursion stops there.
*
* We need to compute the exact size of the extra
* record, so that the two resulting records end up
* being sequential in RAM.
*
* We use here the fact that cbc_max_plaintext()
* adjusted the start offset to leave room for the
* initial fragment.
*/
size_t xlen;
rbuf = buf - 4
- ((cc->mac_len + blen + 1) & ~(blen - 1));
rbuf[0] = buf[0];
xlen = 1;
rbuf = cbc_encrypt(cc, record_type,
version, rbuf, &xlen);
buf ++;
len --;
} else {
rbuf = buf - 5;
}
}
/*
* Compute MAC.
*/
br_enc64be(tmp, cc->seq ++);
tmp[8] = record_type;
br_enc16be(tmp + 9, version);
br_enc16be(tmp + 11, len);
br_hmac_init(&hc, &cc->mac, cc->mac_len);
br_hmac_update(&hc, tmp, 13);
br_hmac_update(&hc, buf, len);
br_hmac_out(&hc, buf + len);
len += cc->mac_len;
/*
* Add padding.
*/
plen = blen - (len & (blen - 1));
memset(buf + len, (unsigned)plen - 1, plen);
len += plen;
/*
* If an explicit IV is used, the corresponding extra block was
* already put in place earlier; we just have to account for it
* here.
*/
if (cc->explicit_IV) {
buf -= blen;
len += blen;
}
/*
* Encrypt the whole thing. If there is an explicit IV, we also
* encrypt it, which is fine (encryption of a uniformly random
* block is still a uniformly random block).
*/
cc->bc.vtable->run(&cc->bc.vtable, cc->iv, buf, len);
/*
* Add the header and return.
*/
buf[-5] = record_type;
br_enc16be(buf - 4, version);
br_enc16be(buf - 2, len);
*data_len = (size_t)((buf + len) - rbuf);
return rbuf;
}
/* see bearssl_ssl.h */
const br_sslrec_out_cbc_class br_sslrec_out_cbc_vtable = {
{
sizeof(br_sslrec_out_cbc_context),
(void (*)(const br_sslrec_out_class *const *,
size_t *, size_t *))
&cbc_max_plaintext,
(unsigned char *(*)(const br_sslrec_out_class **,
int, unsigned, void *, size_t *))
&cbc_encrypt
},
(void (*)(const br_sslrec_out_cbc_class **,
const br_block_cbcenc_class *, const void *, size_t,
const br_hash_class *, const void *, size_t, size_t,
const void *))
&out_cbc_init
};
diff --git a/contrib/bearssl/src/x509/asn1.t0 b/contrib/bearssl/src/x509/asn1.t0
index ba59252632e9..c329514ad96f 100644
--- a/contrib/bearssl/src/x509/asn1.t0
+++ b/contrib/bearssl/src/x509/asn1.t0
@@ -1,757 +1,757 @@
\ Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
\
\ Permission is hereby granted, free of charge, to any person obtaining
\ a copy of this software and associated documentation files (the
\ "Software"), to deal in the Software without restriction, including
\ without limitation the rights to use, copy, modify, merge, publish,
\ distribute, sublicense, and/or sell copies of the Software, and to
\ permit persons to whom the Software is furnished to do so, subject to
\ the following conditions:
\
\ The above copyright notice and this permission notice shall be
\ included in all copies or substantial portions of the Software.
\
\ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
\ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
\ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
\ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
\ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
\ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
\ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
\ SOFTWARE.
\ =======================================================================
\ This file contains code which is common to all engines that do some
\ ASN.1 decoding. It should not be compiled on its own, but only along
\ with another file (e.g. x509_minimal.t0) which uses it.
\
\ Users must define several things:
\
\ -- In the preamble, a macro called "CTX" that evaluates to the current
\ context structure.
\
\ -- In the preamble, a macro called "CONTEXT_NAME" that evaluates to the
\ context structure type. This will be invoked during compilation.
\
\ -- A word called "read8-low" ( -- x ) that reads the next byte, or -1
\ if the input buffer is empty. That word is usually written in C.
\
\ -- A word called "read-blob-inner" ( addr len -- addr len ) that is
\ the multi-byte version of read8-low.
\
\ -- A word called "skip-remaining-inner" ( lim -- lim ) which reads but
\ drops some input bytes.
preamble {
#include "inner.h"
}
\ Read next source character, skipping blanks.
: skip-blanks begin char dup 32 > if ret then drop again ;
: fail-oid
"Invalid OID" puts cr exitvm ;
\ Read a decimal integer, followed by either a dot or whitespace.
\ Note: this does not check for overflows.
: parse-number ( -- val nextchar )
char decval
begin
char
dup dup `. = swap 32 <= or if ret then
decval swap 10 * +
again ;
\ Encode a number in unsigned 7E format.
: encode7E ( val -- )
0 encode7E-inner ;
: encode7E-inner ( val eb -- )
swap dup 0x7F > if
dup 7 u>> 0x80 encode7E-inner 0x7F and
then
or data-add8 ;
\ Decode an OID from source, and encode it. First byte is length,
\ followed by encoded ASN.1 DER value. The OID is encoded in the
\ current data block.
: OID
\ Get current data address, and push a 0 for length.
current-data 0 data-add8
\ Skip blanks and get first digit, which must be 0, 1 or 2.
skip-blanks decval dup 2 > if fail-oid then
40 *
\ Next character must be a dot.
char `. <> if fail-oid then
\ Second group must be one or two digits.
parse-number { nextchar }
dup 40 >= if fail-oid then
+ encode7E
\ While next character is a dot, keep encoding numbers.
begin nextchar `. = while
parse-number >nextchar
encode7E
repeat
\ Write back length in the first byte.
dup current-data swap - 1- swap data-set8
; immediate
\ Define a new data word for an encoded OID. The OID is read from the
\ source.
: OID:
new-data-block next-word define-data-word postpone OID ;
\ Define a word that evaluates to the address of a field within the
\ context.
: addr:
next-word { field }
"addr-" field + 0 1 define-word
0 8191 "offsetof(CONTEXT_NAME, " field + ")" + make-CX
postpone literal postpone ; ;
addr: pad
\ Define a word that evaluates to an error code through a macro name.
: err:
next-word { name }
name 0 1 define-word
0 63 "BR_" name + make-CX postpone literal postpone ; ;
err: ERR_X509_INVALID_VALUE
err: ERR_X509_TRUNCATED
err: ERR_X509_EMPTY_CHAIN
err: ERR_X509_INNER_TRUNC
err: ERR_X509_BAD_TAG_CLASS
err: ERR_X509_BAD_TAG_VALUE
err: ERR_X509_INDEFINITE_LENGTH
err: ERR_X509_EXTRA_ELEMENT
err: ERR_X509_UNEXPECTED
err: ERR_X509_NOT_CONSTRUCTED
err: ERR_X509_NOT_PRIMITIVE
err: ERR_X509_PARTIAL_BYTE
err: ERR_X509_BAD_BOOLEAN
err: ERR_X509_OVERFLOW
err: ERR_X509_BAD_DN
err: ERR_X509_BAD_TIME
err: ERR_X509_UNSUPPORTED
err: ERR_X509_LIMIT_EXCEEDED
err: ERR_X509_WRONG_KEY_TYPE
err: ERR_X509_BAD_SIGNATURE
err: ERR_X509_EXPIRED
err: ERR_X509_DN_MISMATCH
err: ERR_X509_BAD_SERVER_NAME
err: ERR_X509_CRITICAL_EXTENSION
err: ERR_X509_NOT_CA
err: ERR_X509_FORBIDDEN_KEY_USAGE
err: ERR_X509_WEAK_PUBLIC_KEY
: KEYTYPE_RSA CX 0 15 { BR_KEYTYPE_RSA } ;
: KEYTYPE_EC CX 0 15 { BR_KEYTYPE_EC } ;
cc: fail ( err -- ! ) {
CTX->err = T0_POPi();
T0_CO();
}
\ Read one byte from the stream.
: read8-nc ( -- x )
begin
read8-low dup 0 >= if ret then
drop co
again ;
\ Read one byte, enforcing current read limit.
: read8 ( lim -- lim x )
dup ifnot ERR_X509_INNER_TRUNC fail then
1- read8-nc ;
\ Read a 16-bit value, big-endian encoding.
: read16be ( lim -- lim x )
read8 8 << swap read8 rot + ;
\ Read a 16-bit value, little-endian encoding.
: read16le ( lim -- lim x )
read8 swap read8 8 << rot + ;
\ Read all bytes from the current element, then close it (i.e. drop the
\ limit). Destination address is an offset within the context.
: read-blob ( lim addr -- )
swap
begin dup while read-blob-inner dup if co then repeat
2drop ;
\ Skip remaining bytes in the current structure, but do not close it
\ (thus, this leaves the value 0 on the stack).
: skip-remaining ( lim -- lim )
begin dup while skip-remaining-inner dup if co then repeat ;
: skip-remaining-inner ( lim -- lim )
0 over read-blob-inner -rot 2drop ;
cc: set8 ( val addr -- ) {
uint32_t addr = T0_POP();
*((unsigned char *)CTX + addr) = (unsigned char)T0_POP();
}
cc: set16 ( val addr -- ) {
uint32_t addr = T0_POP();
*(uint16_t *)(void *)((unsigned char *)CTX + addr) = T0_POP();
}
cc: set32 ( val addr -- ) {
uint32_t addr = T0_POP();
*(uint32_t *)(void *)((unsigned char *)CTX + addr) = T0_POP();
}
cc: get8 ( addr -- val ) {
uint32_t addr = T0_POP();
T0_PUSH(*((unsigned char *)CTX + addr));
}
cc: get16 ( addr -- val ) {
uint32_t addr = T0_POP();
T0_PUSH(*(uint16_t *)(void *)((unsigned char *)CTX + addr));
}
cc: get32 ( addr -- val ) {
uint32_t addr = T0_POP();
T0_PUSH(*(uint32_t *)(void *)((unsigned char *)CTX + addr));
}
\ Read an ASN.1 tag. This function returns the "constructed" status
\ and the tag value. The constructed status is a boolean (-1 for
\ constructed, 0 for primitive). The tag value is either 0 to 31 for
\ a universal tag, or 32+x for a contextual tag of value x. Tag classes
\ "application" and "private" are rejected. Universal tags beyond 30
\ are rejected. Contextual tags beyond 30 are rejected. Thus, accepted
\ tags will necessarily fit on exactly one byte. This does not support
\ the whole of ASN.1/BER, but is sufficient for certificate parsing.
: read-tag ( lim -- lim constructed value )
read8 { fb }
\ Constructed flag is bit 5.
fb 5 >> 0x01 and neg
\ Class is in bits 6 and 7. Accepted classes are 00 (universal)
\ and 10 (context). We check that bit 6 is 0, and shift back
\ bit 7 so that we get 0 (universal) or 32 (context).
fb 6 >> dup 0x01 and if ERR_X509_BAD_TAG_CLASS fail then
4 <<
\ Tag value is in bits 0..4. If the value is 31, then this is
\ an extended tag, encoded over subsequent bytes, and we do
\ not support that.
fb 0x1F and dup 0x1F = if ERR_X509_BAD_TAG_VALUE fail then
+ ;
\ Read a tag, but only if not at the end of the current object. If there
\ is no room for another element (limit is zero), then this will push a
\ synthetic "no tag" value (primitive, with value -1).
: read-tag-or-end ( lim -- lim constructed value )
dup ifnot 0 -1 ret then
read-tag ;
\ Compare the read tag with the provided value. If equal, then the
\ element is skipped, and a new tag is read (or end of object).
: iftag-skip ( lim constructed value ref -- lim constructed value )
over = if
2drop
read-length-open-elt skip-close-elt
read-tag-or-end
then ;
\ Read an ASN.1 length. This supports only definite lengths (theoretically,
\ certificates may use an indefinite length for the outer structure, using
\ DER only in the TBS, but this never happens in practice, except in a
\ single example certificate from 15 years ago that also fails to decode
\ properly for other reasons).
: read-length ( lim -- lim length )
read8
\ Lengths in 0x00..0x7F get encoded as a single byte.
dup 0x80 < if ret then
\ If the byte is 0x80 then this is an indefinite length, and we
\ do not support that.
0x80 - dup ifnot ERR_X509_INDEFINITE_LENGTH fail then
\ Masking out bit 7, this yields the number of bytes over which
\ the value is encoded. Since the total certificate length must
\ fit over 3 bytes (this is a consequence of SSL/TLS message
\ format), we can reject big lengths and keep the length in a
\ single integer.
{ n } 0
begin n 0 > while n 1- >n
dup 0x7FFFFF > if ERR_X509_INNER_TRUNC fail then
8 << swap read8 rot +
repeat ;
\ Open a sub-structure. This subtracts the length from the limit, and
\ pushes the length back as new limit.
: open-elt ( lim length -- lim_outer lim_inner )
dup2 < if ERR_X509_INNER_TRUNC fail then
dup { len } - len ;
\ Read a length and open the value as a sub-structure.
: read-length-open-elt ( lim -- lim_outer lim_inner )
read-length open-elt ;
\ Close a sub-structure. This verifies that there is no remaining
\ element to read.
: close-elt ( lim -- )
if ERR_X509_EXTRA_ELEMENT fail then ;
\ Skip remaining bytes in the current structure, then close it.
: skip-close-elt ( lim -- )
skip-remaining drop ;
\ Read a length and then skip the value.
: read-length-skip ( lim -- lim )
read-length-open-elt skip-close-elt ;
\ Check that a given tag is constructed and has the expected value.
: check-tag-constructed ( constructed value refvalue -- )
= ifnot ERR_X509_UNEXPECTED fail then
check-constructed ;
\ Check that the top value is true; report a "not constructed"
\ error otherwise.
: check-constructed ( constructed -- )
ifnot ERR_X509_NOT_CONSTRUCTED fail then ;
\ Check that a given tag is primitive and has the expected value.
: check-tag-primitive ( constructed value refvalue -- )
= ifnot ERR_X509_UNEXPECTED fail then
check-primitive ;
\ Check that the top value is true; report a "not primitive"
\ error otherwise.
: check-primitive ( constructed -- )
if ERR_X509_NOT_PRIMITIVE fail then ;
\ Check that the tag is for a constructed SEQUENCE.
: check-sequence ( constructed value -- )
0x10 check-tag-constructed ;
\ Read a tag, check that it is for a constructed SEQUENCE, and open
\ it as a sub-element.
: read-sequence-open ( lim -- lim_outer lim_inner )
read-tag check-sequence read-length-open-elt ;
\ Read the next element as a BIT STRING with no ignore bits, and open
\ it as a sub-element.
: read-bits-open ( lim -- lim_outer lim_inner )
read-tag 0x03 check-tag-primitive
read-length-open-elt
read8 if ERR_X509_PARTIAL_BYTE fail then ;
OID: rsaEncryption 1.2.840.113549.1.1.1
OID: sha1WithRSAEncryption 1.2.840.113549.1.1.5
OID: sha224WithRSAEncryption 1.2.840.113549.1.1.14
OID: sha256WithRSAEncryption 1.2.840.113549.1.1.11
OID: sha384WithRSAEncryption 1.2.840.113549.1.1.12
OID: sha512WithRSAEncryption 1.2.840.113549.1.1.13
OID: id-sha1 1.3.14.3.2.26
OID: id-sha224 2.16.840.1.101.3.4.2.4
OID: id-sha256 2.16.840.1.101.3.4.2.1
OID: id-sha384 2.16.840.1.101.3.4.2.2
OID: id-sha512 2.16.840.1.101.3.4.2.3
OID: id-ecPublicKey 1.2.840.10045.2.1
OID: ansix9p256r1 1.2.840.10045.3.1.7
OID: ansix9p384r1 1.3.132.0.34
OID: ansix9p521r1 1.3.132.0.35
OID: ecdsa-with-SHA1 1.2.840.10045.4.1
OID: ecdsa-with-SHA224 1.2.840.10045.4.3.1
OID: ecdsa-with-SHA256 1.2.840.10045.4.3.2
OID: ecdsa-with-SHA384 1.2.840.10045.4.3.3
OID: ecdsa-with-SHA512 1.2.840.10045.4.3.4
OID: id-at-commonName 2.5.4.3
\ Read a "small value". This assumes that the tag has just been read
\ and processed, but not the length. The first pad byte is set to the
\ value length; the encoded value itself follows. If the value length
\ exceeds 255 bytes, then a single 0 is written in the pad, and this
\ method returns false (0). Otherwise, it returns true (-1).
\ Either way, the element is fully read.
: read-small-value ( lim -- lim bool )
read-length-open-elt
dup 255 > if skip-close-elt 0 addr-pad set8 0 ret then
dup addr-pad set8
addr-pad 1+ read-blob
-1 ;
\ Read an OID as a "small value" (tag, length and value). A boolean
\ value is returned, which is true (-1) if the OID value fits on the pad,
\ false (0) otherwise.
: read-OID ( lim -- lim bool )
read-tag 0x06 check-tag-primitive read-small-value ;
\ Read a UTF-8 code point. On error, return 0. Reading a code point of
\ value 0 is considered to be an error.
: read-UTF8 ( lim -- lim val )
read8
choice
dup 0x80 < uf ret enduf
dup 0xC0 < uf drop 0 ret enduf
dup 0xE0 < uf 0x1F and 1 read-UTF8-next 0x80 0x7FF enduf
dup 0xF0 < uf 0x0F and 2 read-UTF8-next 0x800 0xFFFF enduf
dup 0xF8 < uf 0x07 and 3 read-UTF8-next 0x10000 0x10FFFF enduf
drop 0 ret
endchoice
between? ifnot drop 0 then
;
\ Read n subsequent bytes to complete the provided first byte. The final
\ value is -1 on error, or the code point numerical value. The final
\ value is duplicated.
: read-UTF8-next ( lim val n -- lim val val )
begin dup while
-rot
read-UTF8-chunk
rot 1-
repeat
drop dup ;
\ Read one byte, that should be a trailing UTF-8 byte, and complement the
\ current value. On error, value is set to -1.
: read-UTF8-chunk ( lim val -- lim val )
swap
\ If we are at the end of the value, report an error but don't fail.
dup ifnot 2drop 0 -1 ret then
read8 rot
dup 0< if swap drop ret then 6 <<
swap dup 6 >> 2 <> if 2drop -1 ret then
0x3F and + ;
: high-surrogate? ( x -- x bool )
dup 0xD800 0xDBFF between? ;
: low-surrogate? ( x -- x bool )
dup 0xDC00 0xDFFF between? ;
: assemble-surrogate-pair ( hi lim lo -- lim val )
low-surrogate? ifnot rot 2drop 0 ret then
rot 10 << + 0x35FDC00 - ;
\ Read a UTF-16 code point (big-endian). Returned value is 0 on error.
: read-UTF16BE ( lim -- lim val )
read16be
choice
high-surrogate? uf
swap dup ifnot 2drop 0 0 ret then
read16be assemble-surrogate-pair
enduf
low-surrogate? uf
drop 0
enduf
endchoice ;
\ Read a UTF-16 code point (little-endian). Returned value is 0 on error.
: read-UTF16LE ( lim -- lim val )
read16le
choice
high-surrogate? uf
swap dup ifnot 2drop 0 0 ret then
read16le assemble-surrogate-pair
enduf
low-surrogate? uf
drop 0
enduf
endchoice ;
\ Add byte to current pad value. Offset is updated, or set to 0 on error.
: pad-append ( off val -- off )
over dup 0= swap 256 >= or if 2drop 0 ret then
over addr-pad + set8 1+ ;
\ Add UTF-8 chunk byte to the pad. The 'nn' parameter is the shift count.
: pad-append-UTF8-chunk ( off val nn -- off )
>> 0x3F and 0x80 or pad-append ;
\ Test whether a code point is invalid when encoding. This rejects the
\ 66 noncharacters, and also the surrogate range; this function does NOT
\ check that the value is in the 0..10FFFF range.
: valid-unicode? ( val -- bool )
- dup 0xFDD0 0xFEDF between? if drop 0 ret then
+ dup 0xFDD0 0xFDEF between? if drop 0 ret then
dup 0xD800 0xDFFF between? if drop 0 ret then
0xFFFF and 0xFFFE < ;
\ Encode a code point in UTF-8. Offset is in the pad; it is updated, or
\ set to 0 on error. Leading BOM are ignored.
: encode-UTF8 ( val off -- off )
\ Skip leading BOM (U+FEFF when off is 1).
dup2 1 = swap 0xFEFF = and if swap drop ret then
swap dup { val }
dup valid-unicode? ifnot 2drop 0 ret then
choice
dup 0x80 < uf pad-append enduf
dup 0x800 < uf
6 >> 0xC0 or pad-append
val 0 pad-append-UTF8-chunk
enduf
dup 0xFFFF < uf
12 >> 0xE0 or pad-append
val 6 pad-append-UTF8-chunk
val 0 pad-append-UTF8-chunk
enduf
18 >> 0xF0 or pad-append
val 12 pad-append-UTF8-chunk
val 6 pad-append-UTF8-chunk
val 0 pad-append-UTF8-chunk
endchoice ;
\ Read a string value into the pad; this function checks that the source
\ characters are UTF-8 and non-zero. The string length (in bytes) is
\ written in the first pad byte. Returned value is true (-1) on success,
\ false (0) on error.
: read-value-UTF8 ( lim -- lim bool )
read-length-open-elt
1 { off }
begin dup while
read-UTF8 dup ifnot drop skip-close-elt 0 ret then
off encode-UTF8 >off
repeat
drop off dup ifnot ret then 1- addr-pad set8 -1 ;
\ Decode a UTF-16 string into the pad. The string is converted to UTF-8,
\ and the length is written in the first pad byte. A leading BOM is
\ honoured (big-endian is assumed if there is no BOM). A code point of
\ value 0 is an error. Returned value is true (-1) on success, false (0)
\ on error.
: read-value-UTF16 ( lim -- lim bool )
read-length-open-elt
dup ifnot addr-pad set8 -1 ret then
1 { off }
read-UTF16BE dup 0xFFFE = if
\ Leading BOM, and indicates little-endian.
drop
begin dup while
read-UTF16LE dup ifnot drop skip-close-elt 0 ret then
off encode-UTF8 >off
repeat
else
dup ifnot drop skip-close-elt 0 ret then
\ Big-endian BOM, or no BOM.
begin
off encode-UTF8 >off
dup while
read-UTF16BE dup ifnot drop skip-close-elt 0 ret then
repeat
then
drop off dup ifnot ret then 1- addr-pad set8 -1 ;
\ Decode a latin-1 string into the pad. The string is converted to UTF-8,
\ and the length is written in the first pad byte. A source byte of
\ value 0 is an error. Returned value is true (-1) on success, false (0)
\ on error.
: read-value-latin1 ( lim -- lim bool )
read-length-open-elt
1 { off }
begin dup while
read8 dup ifnot drop skip-close-elt 0 ret then
off encode-UTF8 >off
repeat
drop off dup ifnot ret then 1- addr-pad set8 -1 ;
\ Read a value and interpret it as an INTEGER or ENUMERATED value. If
\ the integer value does not fit on an unsigned 32-bit value, an error
\ is reported. This function assumes that the tag has just been read
\ and processed, but not the length.
: read-small-int-value ( lim -- lim x )
read-length-open-elt
dup ifnot ERR_X509_OVERFLOW fail then
read8 dup 0x80 >= if ERR_X509_OVERFLOW fail then
{ x }
begin dup while
read8 x dup 0xFFFFFF >= if ERR_X509_OVERFLOW fail then
8 << + >x
repeat
drop x ;
\ Compare the OID in the pad with an OID in the constant data block.
\ Returned value is -1 on equality, 0 otherwise.
cc: eqOID ( addrConst -- bool ) {
const unsigned char *a2 = &t0_datablock[T0_POP()];
const unsigned char *a1 = &CTX->pad[0];
size_t len = a1[0];
int x;
if (len == a2[0]) {
x = -(memcmp(a1 + 1, a2 + 1, len) == 0);
} else {
x = 0;
}
T0_PUSH((uint32_t)x);
}
\ Compare two blobs in the context. Returned value is -1 on equality, 0
\ otherwise.
cc: eqblob ( addr1 addr2 len -- bool ) {
size_t len = T0_POP();
const unsigned char *a2 = (const unsigned char *)CTX + T0_POP();
const unsigned char *a1 = (const unsigned char *)CTX + T0_POP();
T0_PUSHi(-(memcmp(a1, a2, len) == 0));
}
\ Check that a value is in a given range (inclusive).
: between? ( x min max -- bool )
{ min max } dup min >= swap max <= and ;
\ Convert the provided byte value into a number in the 0..9 range,
\ assuming that it is an ASCII digit. A non-digit triggers an error
\ (a "bad time" error since this is used in date/time decoding).
: digit-dec ( char -- value )
`0 - dup 0 9 between? ifnot ERR_X509_BAD_TIME fail then ;
\ Read two ASCII digits and return the value in the 0..99 range. An
\ error is reported if the characters are not ASCII digits.
: read-dec2 ( lim -- lim x )
read8 digit-dec 10 * { x } read8 digit-dec x + ;
\ Read two ASCII digits and check that the value is in the provided
\ range (inclusive).
: read-dec2-range ( lim min max -- lim x )
{ min max }
read-dec2 dup min max between? ifnot ERR_X509_BAD_TIME fail then ;
\ Maximum days in a month and accumulated day count. Each
\ 16-bit value contains the month day count in its lower 5 bits. The first
\ 12 values are for a normal year, the other 12 for a leap year.
data: month-to-days
hexb| 001F 03FC 077F 0B5E 0F1F 12FE 16BF 1A9F 1E7E 223F 261E 29DF |
hexb| 001F 03FD 079F 0B7E 0F3F 131E 16DF 1ABF 1E9E 225F 263E 29FF |
\ Read a date (UTCTime or GeneralizedTime). The date value is converted
\ to a day count and a second count. The day count starts at 0 for
\ January 1st, 0 AD (that's they year before 1 AD, also known as 1 BC)
\ in a proleptic Gregorian calendar (i.e. Gregorian rules are assumed to
\ extend indefinitely in the past). The second count is between 0 and
\ 86400 (inclusive, in case of a leap second).
: read-date ( lim -- lim days seconds )
\ Read tag; must be UTCTime or GeneralizedTime. Year count is
\ 4 digits with GeneralizedTime, 2 digits with UTCTime.
read-tag
dup 0x17 0x18 between? ifnot ERR_X509_BAD_TIME fail then
0x18 = { y4d }
check-primitive
read-length-open-elt
\ We compute the days and seconds counts during decoding, in
\ order to minimize the number of needed temporary variables.
{ ; days seconds x }
\ Year is 4-digit with GeneralizedTime. With UTCTime, the year
\ is in the 1950..2049 range, and only the last two digits are
\ present in the encoding.
read-dec2
y4d if
100 * >x read-dec2 x +
else
dup 50 < if 100 + then 1900 +
then
>x
x 365 * x 3 + 4 / + x 99 + 100 / - x 399 + 400 / + >days
\ Month is 1..12. Number of days in a months depend on the
\ month and on the year (year count is in x at that point).
1 12 read-dec2-range
1- 1 <<
x 4 % 0= x 100 % 0<> x 400 % 0= or and if 24 + then
month-to-days + data-get16
dup 5 >> days + >days
0x1F and
\ Day. At this point, the TOS contains the maximum day count for
\ the current month.
1 swap read-dec2-range
days + 1- >days
\ Hour, minute and seconds. Count of seconds is allowed to go to
\ 60 in case of leap seconds (in practice, leap seconds really
\ occur only at the very end of the day, so this computation is
\ exact for a real leap second, and a spurious leap second only
\ implies a one-second shift that we can ignore).
0 23 read-dec2-range 3600 * >seconds
0 59 read-dec2-range 60 * seconds + >seconds
0 60 read-dec2-range seconds + >seconds
\ At this point, we may have fractional seconds. This should
\ happen only with GeneralizedTime, but we accept it for UTCTime
\ too (and, anyway, we ignore these fractional seconds).
read8 dup `. = if
drop
begin read8 dup `0 `9 between? while drop repeat
then
\ The time zone should be 'Z', not followed by anything. Other
\ time zone indications are not DER and thus not supposed to
\ appear in certificates.
`Z <> if ERR_X509_BAD_TIME fail then
close-elt
days seconds ;
\ Read an INTEGER (tag, length and value). The INTEGER is supposed to be
\ positive; its unsigned big-endian encoding is stored in the provided
\ in-context buffer. Returned value is the decoded length. If the integer
\ did not fit, or the value is negative, then an error is reported.
: read-integer ( lim addr len -- lim dlen )
rot read-tag 0x02 check-tag-primitive -rot
read-integer-next ;
\ Identical to read-integer, but the tag has already been read and checked.
: read-integer-next ( lim addr len -- lim dlen )
dup { addr len origlen }
read-length-open-elt
\ Read first byte; sign bit must be 0.
read8 dup 0x80 >= if ERR_X509_OVERFLOW fail then
\ Skip leading bytes of value 0. If there are only bytes of
\ value 0, then return.
begin dup 0 = while
drop dup ifnot drop 0 ret then
read8
repeat
\ At that point, we have the first non-zero byte on the stack.
begin
len dup ifnot ERR_X509_LIMIT_EXCEEDED fail then 1- >len
addr set8 addr 1+ >addr
dup while read8
repeat
drop origlen len - ;
\ Read a BOOLEAN value. This should be called immediately after reading
\ the tag.
: read-boolean ( lim constructed value -- lim bool )
0x01 check-tag-primitive
read-length 1 <> if ERR_X509_BAD_BOOLEAN fail then
read8 0<> ;
\ Identify an elliptic curve: read the OID, then check it against the
\ known curve OID.
: read-curve-ID ( lim -- lim curve )
read-OID ifnot ERR_X509_UNSUPPORTED fail then
choice
ansix9p256r1 eqOID uf 23 enduf
ansix9p384r1 eqOID uf 24 enduf
ansix9p521r1 eqOID uf 25 enduf
ERR_X509_UNSUPPORTED fail
endchoice ;
\ A convenient debug word: print the current data stack contents.
cc: DEBUG ( -- ) {
extern int printf(const char *fmt, ...);
uint32_t *p;
printf("<stack:");
for (p = &CTX->dp_stack[0]; p != dp; p ++) {
printf(" %lu", (unsigned long)*p);
}
printf(" >\n");
}
diff --git a/contrib/bearssl/src/x509/skey_decoder.c b/contrib/bearssl/src/x509/skey_decoder.c
index f4e43e7bfc40..9e285d74e42d 100644
--- a/contrib/bearssl/src/x509/skey_decoder.c
+++ b/contrib/bearssl/src/x509/skey_decoder.c
@@ -1,650 +1,650 @@
/* Automatically generated code; do not modify directly. */
#include <stddef.h>
#include <stdint.h>
typedef struct {
uint32_t *dp;
uint32_t *rp;
const unsigned char *ip;
} t0_context;
static uint32_t
t0_parse7E_unsigned(const unsigned char **p)
{
uint32_t x;
x = 0;
for (;;) {
unsigned y;
y = *(*p) ++;
x = (x << 7) | (uint32_t)(y & 0x7F);
if (y < 0x80) {
return x;
}
}
}
static int32_t
t0_parse7E_signed(const unsigned char **p)
{
int neg;
uint32_t x;
neg = ((**p) >> 6) & 1;
x = (uint32_t)-neg;
for (;;) {
unsigned y;
y = *(*p) ++;
x = (x << 7) | (uint32_t)(y & 0x7F);
if (y < 0x80) {
if (neg) {
return -(int32_t)~x - 1;
} else {
return (int32_t)x;
}
}
}
}
#define T0_VBYTE(x, n) (unsigned char)((((uint32_t)(x) >> (n)) & 0x7F) | 0x80)
#define T0_FBYTE(x, n) (unsigned char)(((uint32_t)(x) >> (n)) & 0x7F)
#define T0_SBYTE(x) (unsigned char)((((uint32_t)(x) >> 28) + 0xF8) ^ 0xF8)
#define T0_INT1(x) T0_FBYTE(x, 0)
#define T0_INT2(x) T0_VBYTE(x, 7), T0_FBYTE(x, 0)
#define T0_INT3(x) T0_VBYTE(x, 14), T0_VBYTE(x, 7), T0_FBYTE(x, 0)
#define T0_INT4(x) T0_VBYTE(x, 21), T0_VBYTE(x, 14), T0_VBYTE(x, 7), T0_FBYTE(x, 0)
#define T0_INT5(x) T0_SBYTE(x), T0_VBYTE(x, 21), T0_VBYTE(x, 14), T0_VBYTE(x, 7), T0_FBYTE(x, 0)
/* static const unsigned char t0_datablock[]; */
void br_skey_decoder_init_main(void *t0ctx);
void br_skey_decoder_run(void *t0ctx);
#include "inner.h"
#include "inner.h"
#define CTX ((br_skey_decoder_context *)(void *)((unsigned char *)t0ctx - offsetof(br_skey_decoder_context, cpu)))
#define CONTEXT_NAME br_skey_decoder_context
/* see bearssl_x509.h */
void
br_skey_decoder_init(br_skey_decoder_context *ctx)
{
memset(ctx, 0, sizeof *ctx);
ctx->cpu.dp = &ctx->dp_stack[0];
ctx->cpu.rp = &ctx->rp_stack[0];
br_skey_decoder_init_main(&ctx->cpu);
br_skey_decoder_run(&ctx->cpu);
}
/* see bearssl_x509.h */
void
br_skey_decoder_push(br_skey_decoder_context *ctx,
const void *data, size_t len)
{
ctx->hbuf = data;
ctx->hlen = len;
br_skey_decoder_run(&ctx->cpu);
}
static const unsigned char t0_datablock[] = {
0x00, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x07,
0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x08, 0x2A, 0x86, 0x48, 0xCE,
0x3D, 0x03, 0x01, 0x07, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22, 0x05, 0x2B,
0x81, 0x04, 0x00, 0x23
};
static const unsigned char t0_codeblock[] = {
0x00, 0x01, 0x01, 0x07, 0x00, 0x00, 0x01, 0x01, 0x08, 0x00, 0x00, 0x13,
0x13, 0x00, 0x00, 0x01, T0_INT1(BR_ERR_X509_BAD_TAG_CLASS), 0x00, 0x00,
0x01, T0_INT1(BR_ERR_X509_BAD_TAG_VALUE), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_EXTRA_ELEMENT), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_INDEFINITE_LENGTH), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_INNER_TRUNC), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_INVALID_VALUE), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_LIMIT_EXCEEDED), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_NOT_CONSTRUCTED), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_NOT_PRIMITIVE), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_OVERFLOW), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_UNEXPECTED), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_UNSUPPORTED), 0x00, 0x00, 0x01,
T0_INT1(BR_KEYTYPE_EC), 0x00, 0x00, 0x01, T0_INT1(BR_KEYTYPE_RSA),
0x00, 0x00, 0x01, T0_INT2(offsetof(CONTEXT_NAME, key_data)), 0x00,
0x00, 0x01, T0_INT2(offsetof(CONTEXT_NAME, key_type)), 0x00, 0x00,
0x33, 0x48, 0x00, 0x00, 0x01, T0_INT2(offsetof(CONTEXT_NAME, pad)),
0x00, 0x00, 0x01, 0x13, 0x00, 0x00, 0x01, 0x1C, 0x00, 0x00, 0x01, 0x22,
0x00, 0x00, 0x05, 0x02, 0x2C, 0x16, 0x00, 0x00, 0x06, 0x02, 0x2D, 0x16,
0x00, 0x00, 0x01, 0x10, 0x3D, 0x00, 0x00, 0x0D, 0x05, 0x02, 0x2F, 0x16,
0x3A, 0x00, 0x00, 0x0D, 0x05, 0x02, 0x2F, 0x16, 0x3B, 0x00, 0x00, 0x06,
0x02, 0x27, 0x16, 0x00, 0x01, 0x03, 0x00, 0x54, 0x57, 0x01, 0x02, 0x3E,
0x55, 0x23, 0x06, 0x02, 0x30, 0x16, 0x57, 0x01, 0x04, 0x3E, 0x02, 0x00,
0x41, 0x3F, 0x00, 0x02, 0x03, 0x00, 0x53, 0x14, 0x14, 0x03, 0x01, 0x48,
0x0E, 0x06, 0x02, 0x30, 0x16, 0x33, 0x4C, 0x58, 0x01, 0x7F, 0x19, 0x0D,
0x06, 0x04, 0x13, 0x13, 0x04, 0x29, 0x01, 0x20, 0x19, 0x0D, 0x06, 0x16,
0x13, 0x3A, 0x53, 0x4D, 0x02, 0x00, 0x06, 0x09, 0x02, 0x00, 0x0C, 0x06,
0x02, 0x2A, 0x16, 0x04, 0x02, 0x03, 0x00, 0x3F, 0x04, 0x0D, 0x01, 0x21,
0x19, 0x0D, 0x06, 0x04, 0x13, 0x3A, 0x04, 0x03, 0x30, 0x16, 0x13, 0x5D,
0x02, 0x00, 0x05, 0x02, 0x30, 0x16, 0x02, 0x00, 0x02, 0x01, 0x1D, 0x00,
0x02, 0x53, 0x4B, 0x05, 0x02, 0x30, 0x16, 0x5B, 0x15, 0x06, 0x07, 0x5D,
0x01, 0x7F, 0x03, 0x01, 0x04, 0x16, 0x46, 0x15, 0x06, 0x10, 0x01, 0x00,
0x03, 0x01, 0x14, 0x06, 0x03, 0x4D, 0x04, 0x02, 0x01, 0x00, 0x03, 0x00,
0x04, 0x02, 0x30, 0x16, 0x3F, 0x57, 0x01, 0x04, 0x3E, 0x53, 0x02, 0x01,
0x06, 0x03, 0x43, 0x04, 0x03, 0x02, 0x00, 0x40, 0x3F, 0x5D, 0x02, 0x01,
0x06, 0x03, 0x32, 0x04, 0x01, 0x31, 0x00, 0x00, 0x54, 0x57, 0x01, 0x02,
0x3E, 0x55, 0x06, 0x02, 0x30, 0x16, 0x57, 0x01, 0x02, 0x3E, 0x44, 0x3F,
0x00, 0x07, 0x35, 0x50, 0x14, 0x05, 0x02, 0x2F, 0x16, 0x23, 0x01, 0x03,
0x0B, 0x33, 0x17, 0x47, 0x07, 0x03, 0x00, 0x4F, 0x4F, 0x35, 0x4E, 0x14,
0x14, 0x03, 0x01, 0x03, 0x02, 0x51, 0x14, 0x03, 0x03, 0x02, 0x02, 0x07,
0x14, 0x03, 0x02, 0x51, 0x14, 0x03, 0x04, 0x02, 0x02, 0x07, 0x14, 0x03,
0x02, 0x51, 0x14, 0x03, 0x05, 0x02, 0x02, 0x07, 0x14, 0x03, 0x02, 0x51,
0x03, 0x06, 0x02, 0x00, 0x02, 0x01, 0x02, 0x03, 0x02, 0x04, 0x02, 0x05,
0x02, 0x06, 0x1E, 0x00, 0x00, 0x19, 0x19, 0x00, 0x00, 0x01, 0x0B, 0x00,
0x00, 0x01, 0x00, 0x20, 0x14, 0x06, 0x08, 0x01, 0x01, 0x21, 0x20, 0x22,
0x20, 0x04, 0x75, 0x13, 0x00, 0x00, 0x01,
- T0_INT2(3 * BR_X509_BUFSIZE_KEY), 0x00, 0x01, 0x01, 0x87, 0xFF, 0xFF,
+ T0_INT2(3 * BR_X509_BUFSIZE_SIG), 0x00, 0x01, 0x01, 0x87, 0xFF, 0xFF,
0x7F, 0x54, 0x57, 0x01, 0x02, 0x3E, 0x55, 0x01, 0x01, 0x0E, 0x06, 0x02,
0x30, 0x16, 0x57, 0x01, 0x02, 0x19, 0x0D, 0x06, 0x06, 0x13, 0x3B, 0x44,
0x32, 0x04, 0x1C, 0x01, 0x04, 0x19, 0x0D, 0x06, 0x08, 0x13, 0x3B, 0x01,
0x00, 0x41, 0x31, 0x04, 0x0E, 0x01, 0x10, 0x19, 0x0D, 0x06, 0x05, 0x13,
0x3A, 0x42, 0x04, 0x03, 0x30, 0x16, 0x13, 0x03, 0x00, 0x3F, 0x02, 0x00,
0x34, 0x1F, 0x5A, 0x27, 0x16, 0x00, 0x01, 0x45, 0x0A, 0x06, 0x02, 0x29,
0x16, 0x14, 0x03, 0x00, 0x08, 0x02, 0x00, 0x00, 0x00, 0x57, 0x01, 0x06,
0x3E, 0x56, 0x00, 0x00, 0x20, 0x14, 0x06, 0x07, 0x1A, 0x14, 0x06, 0x01,
0x12, 0x04, 0x76, 0x24, 0x00, 0x00, 0x4B, 0x05, 0x02, 0x30, 0x16, 0x37,
0x15, 0x06, 0x04, 0x01, 0x17, 0x04, 0x12, 0x38, 0x15, 0x06, 0x04, 0x01,
0x18, 0x04, 0x0A, 0x39, 0x15, 0x06, 0x04, 0x01, 0x19, 0x04, 0x02, 0x30,
0x16, 0x00, 0x00, 0x1C, 0x57, 0x01, 0x02, 0x3E, 0x09, 0x50, 0x00, 0x00,
0x35, 0x4E, 0x13, 0x00, 0x03, 0x14, 0x03, 0x00, 0x03, 0x01, 0x03, 0x02,
0x53, 0x59, 0x14, 0x01, 0x81, 0x00, 0x0F, 0x06, 0x02, 0x2E, 0x16, 0x14,
0x01, 0x00, 0x0D, 0x06, 0x0B, 0x13, 0x14, 0x05, 0x04, 0x13, 0x01, 0x00,
0x00, 0x59, 0x04, 0x6F, 0x02, 0x01, 0x14, 0x05, 0x02, 0x2B, 0x16, 0x23,
0x03, 0x01, 0x02, 0x02, 0x1F, 0x02, 0x02, 0x22, 0x03, 0x02, 0x14, 0x06,
0x03, 0x59, 0x04, 0x68, 0x13, 0x02, 0x00, 0x02, 0x01, 0x08, 0x00, 0x00,
0x14, 0x35, 0x1C, 0x08, 0x20, 0x1C, 0x07, 0x20, 0x4E, 0x00, 0x01, 0x59,
0x14, 0x01, 0x81, 0x00, 0x0A, 0x06, 0x01, 0x00, 0x01, 0x81, 0x00, 0x08,
0x14, 0x05, 0x02, 0x28, 0x16, 0x03, 0x00, 0x01, 0x00, 0x02, 0x00, 0x01,
0x00, 0x0E, 0x06, 0x19, 0x02, 0x00, 0x23, 0x03, 0x00, 0x14, 0x01, 0x83,
0xFF, 0xFF, 0x7F, 0x0E, 0x06, 0x02, 0x29, 0x16, 0x01, 0x08, 0x0B, 0x20,
0x59, 0x1C, 0x07, 0x04, 0x60, 0x00, 0x00, 0x52, 0x4A, 0x00, 0x00, 0x57,
0x3C, 0x53, 0x00, 0x01, 0x53, 0x14, 0x05, 0x02, 0x2E, 0x16, 0x59, 0x14,
0x01, 0x81, 0x00, 0x0F, 0x06, 0x02, 0x2E, 0x16, 0x03, 0x00, 0x14, 0x06,
0x16, 0x59, 0x02, 0x00, 0x14, 0x01, 0x87, 0xFF, 0xFF, 0x7F, 0x0F, 0x06,
0x02, 0x2E, 0x16, 0x01, 0x08, 0x0B, 0x07, 0x03, 0x00, 0x04, 0x67, 0x13,
0x02, 0x00, 0x00, 0x00, 0x53, 0x14, 0x01, 0x81, 0x7F, 0x0E, 0x06, 0x08,
0x5C, 0x01, 0x00, 0x36, 0x1F, 0x01, 0x00, 0x00, 0x14, 0x36, 0x1F, 0x36,
0x22, 0x4C, 0x01, 0x7F, 0x00, 0x01, 0x59, 0x03, 0x00, 0x02, 0x00, 0x01,
0x05, 0x10, 0x01, 0x01, 0x11, 0x18, 0x02, 0x00, 0x01, 0x06, 0x10, 0x14,
0x01, 0x01, 0x11, 0x06, 0x02, 0x25, 0x16, 0x01, 0x04, 0x0B, 0x02, 0x00,
0x01, 0x1F, 0x11, 0x14, 0x01, 0x1F, 0x0D, 0x06, 0x02, 0x26, 0x16, 0x07,
0x00, 0x00, 0x14, 0x05, 0x05, 0x01, 0x00, 0x01, 0x7F, 0x00, 0x57, 0x00,
0x00, 0x14, 0x05, 0x02, 0x29, 0x16, 0x23, 0x5A, 0x00, 0x00, 0x1B, 0x14,
0x01, 0x00, 0x0F, 0x06, 0x01, 0x00, 0x13, 0x12, 0x04, 0x74, 0x00, 0x01,
0x01, 0x00, 0x00, 0x5D, 0x13, 0x00, 0x00, 0x14, 0x06, 0x07, 0x5E, 0x14,
0x06, 0x01, 0x12, 0x04, 0x76, 0x00, 0x00, 0x01, 0x00, 0x19, 0x1A, 0x09,
0x24, 0x00
};
static const uint16_t t0_caddr[] = {
0,
5,
10,
14,
18,
22,
26,
30,
34,
38,
42,
46,
50,
54,
58,
62,
66,
70,
75,
80,
84,
89,
93,
97,
101,
107,
113,
118,
126,
134,
140,
163,
244,
311,
329,
404,
408,
412,
429,
434,
505,
519,
526,
540,
573,
582,
587,
654,
665,
721,
725,
730,
778,
804,
848,
859,
868,
881,
885,
889,
901
};
#define T0_INTERPRETED 34
#define T0_ENTER(ip, rp, slot) do { \
const unsigned char *t0_newip; \
uint32_t t0_lnum; \
t0_newip = &t0_codeblock[t0_caddr[(slot) - T0_INTERPRETED]]; \
t0_lnum = t0_parse7E_unsigned(&t0_newip); \
(rp) += t0_lnum; \
*((rp) ++) = (uint32_t)((ip) - &t0_codeblock[0]) + (t0_lnum << 16); \
(ip) = t0_newip; \
} while (0)
#define T0_DEFENTRY(name, slot) \
void \
name(void *ctx) \
{ \
t0_context *t0ctx = ctx; \
t0ctx->ip = &t0_codeblock[0]; \
T0_ENTER(t0ctx->ip, t0ctx->rp, slot); \
}
T0_DEFENTRY(br_skey_decoder_init_main, 73)
#define T0_NEXT(t0ipp) (*(*(t0ipp)) ++)
void
br_skey_decoder_run(void *t0ctx)
{
uint32_t *dp, *rp;
const unsigned char *ip;
#define T0_LOCAL(x) (*(rp - 2 - (x)))
#define T0_POP() (*-- dp)
#define T0_POPi() (*(int32_t *)(-- dp))
#define T0_PEEK(x) (*(dp - 1 - (x)))
#define T0_PEEKi(x) (*(int32_t *)(dp - 1 - (x)))
#define T0_PUSH(v) do { *dp = (v); dp ++; } while (0)
#define T0_PUSHi(v) do { *(int32_t *)dp = (v); dp ++; } while (0)
#define T0_RPOP() (*-- rp)
#define T0_RPOPi() (*(int32_t *)(-- rp))
#define T0_RPUSH(v) do { *rp = (v); rp ++; } while (0)
#define T0_RPUSHi(v) do { *(int32_t *)rp = (v); rp ++; } while (0)
#define T0_ROLL(x) do { \
size_t t0len = (size_t)(x); \
uint32_t t0tmp = *(dp - 1 - t0len); \
memmove(dp - t0len - 1, dp - t0len, t0len * sizeof *dp); \
*(dp - 1) = t0tmp; \
} while (0)
#define T0_SWAP() do { \
uint32_t t0tmp = *(dp - 2); \
*(dp - 2) = *(dp - 1); \
*(dp - 1) = t0tmp; \
} while (0)
#define T0_ROT() do { \
uint32_t t0tmp = *(dp - 3); \
*(dp - 3) = *(dp - 2); \
*(dp - 2) = *(dp - 1); \
*(dp - 1) = t0tmp; \
} while (0)
#define T0_NROT() do { \
uint32_t t0tmp = *(dp - 1); \
*(dp - 1) = *(dp - 2); \
*(dp - 2) = *(dp - 3); \
*(dp - 3) = t0tmp; \
} while (0)
#define T0_PICK(x) do { \
uint32_t t0depth = (x); \
T0_PUSH(T0_PEEK(t0depth)); \
} while (0)
#define T0_CO() do { \
goto t0_exit; \
} while (0)
#define T0_RET() goto t0_next
dp = ((t0_context *)t0ctx)->dp;
rp = ((t0_context *)t0ctx)->rp;
ip = ((t0_context *)t0ctx)->ip;
goto t0_next;
for (;;) {
uint32_t t0x;
t0_next:
t0x = T0_NEXT(&ip);
if (t0x < T0_INTERPRETED) {
switch (t0x) {
int32_t t0off;
case 0: /* ret */
t0x = T0_RPOP();
rp -= (t0x >> 16);
t0x &= 0xFFFF;
if (t0x == 0) {
ip = NULL;
goto t0_exit;
}
ip = &t0_codeblock[t0x];
break;
case 1: /* literal constant */
T0_PUSHi(t0_parse7E_signed(&ip));
break;
case 2: /* read local */
T0_PUSH(T0_LOCAL(t0_parse7E_unsigned(&ip)));
break;
case 3: /* write local */
T0_LOCAL(t0_parse7E_unsigned(&ip)) = T0_POP();
break;
case 4: /* jump */
t0off = t0_parse7E_signed(&ip);
ip += t0off;
break;
case 5: /* jump if */
t0off = t0_parse7E_signed(&ip);
if (T0_POP()) {
ip += t0off;
}
break;
case 6: /* jump if not */
t0off = t0_parse7E_signed(&ip);
if (!T0_POP()) {
ip += t0off;
}
break;
case 7: {
/* + */
uint32_t b = T0_POP();
uint32_t a = T0_POP();
T0_PUSH(a + b);
}
break;
case 8: {
/* - */
uint32_t b = T0_POP();
uint32_t a = T0_POP();
T0_PUSH(a - b);
}
break;
case 9: {
/* -rot */
T0_NROT();
}
break;
case 10: {
/* < */
int32_t b = T0_POPi();
int32_t a = T0_POPi();
T0_PUSH(-(uint32_t)(a < b));
}
break;
case 11: {
/* << */
int c = (int)T0_POPi();
uint32_t x = T0_POP();
T0_PUSH(x << c);
}
break;
case 12: {
/* <> */
uint32_t b = T0_POP();
uint32_t a = T0_POP();
T0_PUSH(-(uint32_t)(a != b));
}
break;
case 13: {
/* = */
uint32_t b = T0_POP();
uint32_t a = T0_POP();
T0_PUSH(-(uint32_t)(a == b));
}
break;
case 14: {
/* > */
int32_t b = T0_POPi();
int32_t a = T0_POPi();
T0_PUSH(-(uint32_t)(a > b));
}
break;
case 15: {
/* >= */
int32_t b = T0_POPi();
int32_t a = T0_POPi();
T0_PUSH(-(uint32_t)(a >= b));
}
break;
case 16: {
/* >> */
int c = (int)T0_POPi();
int32_t x = T0_POPi();
T0_PUSHi(x >> c);
}
break;
case 17: {
/* and */
uint32_t b = T0_POP();
uint32_t a = T0_POP();
T0_PUSH(a & b);
}
break;
case 18: {
/* co */
T0_CO();
}
break;
case 19: {
/* drop */
(void)T0_POP();
}
break;
case 20: {
/* dup */
T0_PUSH(T0_PEEK(0));
}
break;
case 21: {
/* eqOID */
const unsigned char *a2 = &t0_datablock[T0_POP()];
const unsigned char *a1 = &CTX->pad[0];
size_t len = a1[0];
int x;
if (len == a2[0]) {
x = -(memcmp(a1 + 1, a2 + 1, len) == 0);
} else {
x = 0;
}
T0_PUSH((uint32_t)x);
}
break;
case 22: {
/* fail */
CTX->err = T0_POPi();
T0_CO();
}
break;
case 23: {
/* get8 */
uint32_t addr = T0_POP();
T0_PUSH(*((unsigned char *)CTX + addr));
}
break;
case 24: {
/* neg */
uint32_t a = T0_POP();
T0_PUSH(-a);
}
break;
case 25: {
/* over */
T0_PUSH(T0_PEEK(1));
}
break;
case 26: {
/* read-blob-inner */
uint32_t len = T0_POP();
uint32_t addr = T0_POP();
size_t clen = CTX->hlen;
if (clen > len) {
clen = (size_t)len;
}
if (addr != 0) {
memcpy((unsigned char *)CTX + addr, CTX->hbuf, clen);
}
CTX->hbuf += clen;
CTX->hlen -= clen;
T0_PUSH(addr + clen);
T0_PUSH(len - clen);
}
break;
case 27: {
/* read8-low */
if (CTX->hlen == 0) {
T0_PUSHi(-1);
} else {
CTX->hlen --;
T0_PUSH(*CTX->hbuf ++);
}
}
break;
case 28: {
/* rot */
T0_ROT();
}
break;
case 29: {
/* set-ec-key */
size_t xlen = T0_POP();
uint32_t curve = T0_POP();
CTX->key.ec.curve = curve;
CTX->key.ec.x = CTX->key_data;
CTX->key.ec.xlen = xlen;
}
break;
case 30: {
/* set-rsa-key */
size_t iqlen = T0_POP();
size_t dqlen = T0_POP();
size_t dplen = T0_POP();
size_t qlen = T0_POP();
size_t plen = T0_POP();
uint32_t n_bitlen = T0_POP();
size_t off;
CTX->key.rsa.n_bitlen = n_bitlen;
CTX->key.rsa.p = CTX->key_data;
CTX->key.rsa.plen = plen;
off = plen;
CTX->key.rsa.q = CTX->key_data + off;
CTX->key.rsa.qlen = qlen;
off += qlen;
CTX->key.rsa.dp = CTX->key_data + off;
CTX->key.rsa.dplen = dplen;
off += dplen;
CTX->key.rsa.dq = CTX->key_data + off;
CTX->key.rsa.dqlen = dqlen;
off += dqlen;
CTX->key.rsa.iq = CTX->key_data + off;
CTX->key.rsa.iqlen = iqlen;
}
break;
case 31: {
/* set8 */
uint32_t addr = T0_POP();
*((unsigned char *)CTX + addr) = (unsigned char)T0_POP();
}
break;
case 32: {
/* swap */
T0_SWAP();
}
break;
case 33: {
/* u>> */
int c = (int)T0_POPi();
uint32_t x = T0_POP();
T0_PUSH(x >> c);
}
break;
}
} else {
T0_ENTER(ip, rp, t0x);
}
}
t0_exit:
((t0_context *)t0ctx)->dp = dp;
((t0_context *)t0ctx)->rp = rp;
((t0_context *)t0ctx)->ip = ip;
}
diff --git a/contrib/bearssl/src/x509/skey_decoder.t0 b/contrib/bearssl/src/x509/skey_decoder.t0
index 5b5942111816..f00e614e2b35 100644
--- a/contrib/bearssl/src/x509/skey_decoder.t0
+++ b/contrib/bearssl/src/x509/skey_decoder.t0
@@ -1,373 +1,373 @@
\ Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
\
\ Permission is hereby granted, free of charge, to any person obtaining
\ a copy of this software and associated documentation files (the
\ "Software"), to deal in the Software without restriction, including
\ without limitation the rights to use, copy, modify, merge, publish,
\ distribute, sublicense, and/or sell copies of the Software, and to
\ permit persons to whom the Software is furnished to do so, subject to
\ the following conditions:
\
\ The above copyright notice and this permission notice shall be
\ included in all copies or substantial portions of the Software.
\
\ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
\ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
\ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
\ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
\ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
\ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
\ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
\ SOFTWARE.
preamble {
#include "inner.h"
#define CTX ((br_skey_decoder_context *)(void *)((unsigned char *)t0ctx - offsetof(br_skey_decoder_context, cpu)))
#define CONTEXT_NAME br_skey_decoder_context
/* see bearssl_x509.h */
void
br_skey_decoder_init(br_skey_decoder_context *ctx)
{
memset(ctx, 0, sizeof *ctx);
ctx->cpu.dp = &ctx->dp_stack[0];
ctx->cpu.rp = &ctx->rp_stack[0];
br_skey_decoder_init_main(&ctx->cpu);
br_skey_decoder_run(&ctx->cpu);
}
/* see bearssl_x509.h */
void
br_skey_decoder_push(br_skey_decoder_context *ctx,
const void *data, size_t len)
{
ctx->hbuf = data;
ctx->hlen = len;
br_skey_decoder_run(&ctx->cpu);
}
}
addr: key_type
addr: key_data
cc: read8-low ( -- x ) {
if (CTX->hlen == 0) {
T0_PUSHi(-1);
} else {
CTX->hlen --;
T0_PUSH(*CTX->hbuf ++);
}
}
cc: read-blob-inner ( addr len -- addr len ) {
uint32_t len = T0_POP();
uint32_t addr = T0_POP();
size_t clen = CTX->hlen;
if (clen > len) {
clen = (size_t)len;
}
if (addr != 0) {
memcpy((unsigned char *)CTX + addr, CTX->hbuf, clen);
}
CTX->hbuf += clen;
CTX->hlen -= clen;
T0_PUSH(addr + clen);
T0_PUSH(len - clen);
}
\ Get the length of the key_data buffer.
: len-key_data
- CX 0 8191 { 3 * BR_X509_BUFSIZE_KEY } ;
+ CX 0 8191 { 3 * BR_X509_BUFSIZE_SIG } ;
\ Get the address and length for the key_data buffer.
: addr-len-key_data ( -- addr len )
addr-key_data len-key_data ;
\ Set the private key (RSA).
cc: set-rsa-key ( n_bitlen plen qlen dplen dqlen iqlen -- ) {
size_t iqlen = T0_POP();
size_t dqlen = T0_POP();
size_t dplen = T0_POP();
size_t qlen = T0_POP();
size_t plen = T0_POP();
uint32_t n_bitlen = T0_POP();
size_t off;
CTX->key.rsa.n_bitlen = n_bitlen;
CTX->key.rsa.p = CTX->key_data;
CTX->key.rsa.plen = plen;
off = plen;
CTX->key.rsa.q = CTX->key_data + off;
CTX->key.rsa.qlen = qlen;
off += qlen;
CTX->key.rsa.dp = CTX->key_data + off;
CTX->key.rsa.dplen = dplen;
off += dplen;
CTX->key.rsa.dq = CTX->key_data + off;
CTX->key.rsa.dqlen = dqlen;
off += dqlen;
CTX->key.rsa.iq = CTX->key_data + off;
CTX->key.rsa.iqlen = iqlen;
}
\ Set the private key (EC).
cc: set-ec-key ( curve xlen -- ) {
size_t xlen = T0_POP();
uint32_t curve = T0_POP();
CTX->key.ec.curve = curve;
CTX->key.ec.x = CTX->key_data;
CTX->key.ec.xlen = xlen;
}
\ Get the bit length for an integer (unsigned).
: int-bit-length ( x -- bitlen )
0 swap
begin dup while 1 u>> swap 1+ swap repeat
drop ;
\ Read an INTEGER into the key_data buffer, but then ignore it.
: read-integer-ignore ( lim -- lim )
addr-len-key_data read-integer drop ;
\ Read an INTEGER into the key_data buffer, at the provided offset.
\ Returned value is the integer length (in bytes).
: read-integer-off ( lim off -- lim dlen )
dup addr-len-key_data rot - swap rot + swap read-integer ;
\ Decode RSA key, starting with the SEQUENCE tag.
: decode-RSA ( lim -- lim )
read-sequence-open
\ Version should be 0.
read-tag 0x02 check-tag-primitive read-small-int-value if
ERR_X509_UNSUPPORTED fail
then
\ Read tag for the modulus; should be INTEGER. Then use the
\ decode-RSA-next function for the remainder of the key.
read-tag 0x02 check-tag-primitive
decode-RSA-next
\ Close the SEQUENCE.
close-elt ;
\ Decode RSA key; the version, and the tag for the modulus, have been
\ read.
: decode-RSA-next ( lim -- lim )
\ Modulus: we read it but we do not keep it; we merely gather
\ the modulus bit length.
addr-len-key_data read-integer-next
dup ifnot ERR_X509_UNEXPECTED fail then
1- 3 << addr-key_data get8 int-bit-length + { n_bitlen }
\ Public exponent: read but skip.
read-integer-ignore
\ Private exponent: read but skip.
read-integer-ignore
\ First prime factor.
addr-len-key_data read-integer dup dup { off plen }
\ Second prime factor.
read-integer-off dup { qlen } off + dup >off
\ First reduced private exponent.
read-integer-off dup { dplen } off + dup >off
\ Second reduced private exponent.
read-integer-off dup { dqlen } off + dup >off
\ CRT coefficient.
read-integer-off { iqlen }
\ Set RSA key.
n_bitlen plen qlen dplen dqlen iqlen set-rsa-key
\ The caller will close the sequence, thereby validating that there
\ is no extra field.
;
\ Decode an EC key, starting with the SEQUENCE tag.
: decode-EC ( lim curve -- lim )
{ curve }
read-sequence-open
\ Version should be 1.
read-tag 0x02 check-tag-primitive read-small-int-value 1- if
ERR_X509_UNSUPPORTED fail
then
\ Read tag for the private key; should be OCTET STRING. Then use the
\ decode-EC-next function for the remainder of the key.
read-tag 0x04 check-tag-primitive
curve decode-EC-next
\ Close the SEQUENCE.
close-elt ;
\ Decode an EC key; the version, and the tag for the OCTET STRING, have
\ already been read. The curve ID is provided (0 if unknown).
: decode-EC-next ( lim curve -- lim )
{ curve }
\ Read the private key proper.
read-length-open-elt
dup dup { xlen } len-key_data > if ERR_X509_UNSUPPORTED fail then
addr-key_data read-blob
\ Next element might be the curve identifier.
read-tag-or-end
case
\ End of structure.
-1 of drop endof
\ Curve parameters; we support only named curves.
0x20 of
check-constructed read-length-open-elt
read-curve-ID
curve if
curve <> if ERR_X509_INVALID_VALUE fail then
else
>curve
then
close-elt
endof
\ Public key. We ignore it.
0x21 of check-constructed endof
ERR_X509_UNSUPPORTED fail
endcase
skip-remaining
\ The curve must have been defined one way or another.
curve ifnot ERR_X509_UNSUPPORTED fail then
\ Set the EC key.
curve xlen set-ec-key
\ The caller will close the sequence.
;
\ Decode a PKCS#8 object. The version and the tag for the AlgorithmIdentifier
\ structure have already been read. This function returns the key type.
: decode-PKCS8-next ( lim -- lim keytype )
\ Decode the AlgorithmIdentifier.
read-length-open-elt
read-OID ifnot ERR_X509_UNSUPPORTED fail then
{ ; is-rsa curve }
choice
rsaEncryption eqOID uf
\ RSA private key. We ignore the parameters.
skip-remaining -1 >is-rsa
enduf
id-ecPublicKey eqOID uf
\ EC private key. Parameters, if present, shall
\ identify the curve.
0 >is-rsa
dup if read-curve-ID else 0 then >curve
enduf
ERR_X509_UNSUPPORTED fail
endchoice
close-elt
\ Open private key value and decode it.
read-tag 0x04 check-tag-primitive
read-length-open-elt
is-rsa if
decode-RSA
else
curve decode-EC
then
close-elt
\ We ignore any extra field, i.e. attributes or public key.
skip-remaining
\ Return the key type.
is-rsa if KEYTYPE_RSA else KEYTYPE_EC then
;
\ Decode a private key.
: main ( -- ! )
\ RSA private key format is defined in PKCS#1 (RFC 3447):
\ RSAPrivateKey ::= SEQUENCE {
\ version INTEGER, -- 0 or 1
\ n INTEGER,
\ e INTEGER,
\ d INTEGER,
\ p INTEGER,
\ q INTEGER,
\ dp INTEGER,
\ dq INTEGER,
\ iq INTEGER,
\ other OtherPrimeInfos OPTIONAL
\ }
\ We do not support keys with more than two primes (these have
\ version 1); thus, we expect the version field to be 0, and
\ the 'other' field to be absent.
\
\ EC private key format is defined in RFC 5915:
\ ECPrivateKey ::= SEQUENCE {
\ version INTEGER, -- always 1
\ privateKey OCTET STRING,
\ parameters [0] EXPLICIT OBJECT IDENTIFIER OPTIONAL,
\ publicKey [1] EXPLICIT BIT STRING OPTIONAL
\ }
\ The "parameters" might conceptually be a complex curve description
\ structure but we support only named curves. The private key
\ contents are the unsigned big-endian encoding of the key value,
\ which is exactly what we want.
\
\ PKCS#8 (unencrypted) is:
\ OneAsymmetricKey ::= SEQUENCE {
\ version INTEGER, -- 0 or 1
\ algorithm AlgorithmIdentifier,
\ privateKey OCTET STRING,
\ attributes [0] IMPLICIT Attributes OPTIONAL,
\ publicKey [1] IMPLICIT BIT STRING OPTIONAL
\ }
\ The 'publicKey' field is an add-on from RFC 5958 and may be
\ present only if the 'version' is v2 (i.e. has value 1). We
\ ignore it anyway.
\ An arbitrary upper limit on the private key size.
0xFFFFFF
\ Open the outer SEQUENCE.
read-sequence-open
\ All our schemas begin with a small INTEGER which is either 0 or
\ 1. We don't care which it is.
read-tag 0x02 check-tag-primitive read-small-int-value 1 > if
ERR_X509_UNSUPPORTED fail
then
\ Get next tag: it should be either an INTEGER (RSA private key),
\ an OCTET STRING (EC private key), or a SEQUENCE (for an
\ AlgorithmIdentifier, in a PKCS#8 object).
read-tag
case
0x02 of check-primitive decode-RSA-next KEYTYPE_RSA endof
0x04 of check-primitive 0 decode-EC-next KEYTYPE_EC endof
0x10 of check-constructed decode-PKCS8-next endof
ERR_X509_UNSUPPORTED fail
endcase
{ key-type }
\ Close the SEQUENCE.
close-elt
\ Set the key type, which marks the decoding as a success.
key-type addr-key_type set8
\ Read one byte, then fail: if the read succeeds, then there is
\ some trailing byte.
read8-nc ERR_X509_EXTRA_ELEMENT fail
;
diff --git a/contrib/bearssl/src/x509/x509_minimal.c b/contrib/bearssl/src/x509/x509_minimal.c
index 3b876ef81980..04f149b98b3d 100644
--- a/contrib/bearssl/src/x509/x509_minimal.c
+++ b/contrib/bearssl/src/x509/x509_minimal.c
@@ -1,1713 +1,1722 @@
/* Automatically generated code; do not modify directly. */
#include <stddef.h>
#include <stdint.h>
typedef struct {
uint32_t *dp;
uint32_t *rp;
const unsigned char *ip;
} t0_context;
static uint32_t
t0_parse7E_unsigned(const unsigned char **p)
{
uint32_t x;
x = 0;
for (;;) {
unsigned y;
y = *(*p) ++;
x = (x << 7) | (uint32_t)(y & 0x7F);
if (y < 0x80) {
return x;
}
}
}
static int32_t
t0_parse7E_signed(const unsigned char **p)
{
int neg;
uint32_t x;
neg = ((**p) >> 6) & 1;
x = (uint32_t)-neg;
for (;;) {
unsigned y;
y = *(*p) ++;
x = (x << 7) | (uint32_t)(y & 0x7F);
if (y < 0x80) {
if (neg) {
return -(int32_t)~x - 1;
} else {
return (int32_t)x;
}
}
}
}
#define T0_VBYTE(x, n) (unsigned char)((((uint32_t)(x) >> (n)) & 0x7F) | 0x80)
#define T0_FBYTE(x, n) (unsigned char)(((uint32_t)(x) >> (n)) & 0x7F)
#define T0_SBYTE(x) (unsigned char)((((uint32_t)(x) >> 28) + 0xF8) ^ 0xF8)
#define T0_INT1(x) T0_FBYTE(x, 0)
#define T0_INT2(x) T0_VBYTE(x, 7), T0_FBYTE(x, 0)
#define T0_INT3(x) T0_VBYTE(x, 14), T0_VBYTE(x, 7), T0_FBYTE(x, 0)
#define T0_INT4(x) T0_VBYTE(x, 21), T0_VBYTE(x, 14), T0_VBYTE(x, 7), T0_FBYTE(x, 0)
#define T0_INT5(x) T0_SBYTE(x), T0_VBYTE(x, 21), T0_VBYTE(x, 14), T0_VBYTE(x, 7), T0_FBYTE(x, 0)
/* static const unsigned char t0_datablock[]; */
void br_x509_minimal_init_main(void *t0ctx);
void br_x509_minimal_run(void *t0ctx);
#include "inner.h"
#include "inner.h"
/*
* Implementation Notes
* --------------------
*
* The C code pushes the data by chunks; all decoding is done in the
* T0 code. The cert_length value is set to the certificate length when
* a new certificate is started; the T0 code picks it up as outer limit,
* and decoding functions use it to ensure that no attempt is made at
* reading past it. The T0 code also checks that once the certificate is
* decoded, there are no trailing bytes.
*
* The T0 code sets cert_length to 0 when the certificate is fully
* decoded.
*
* The C code must still perform two checks:
*
* -- If the certificate length is 0, then the T0 code will not be
* invoked at all. This invalid condition must thus be reported by the
* C code.
*
* -- When reaching the end of certificate, the C code must verify that
* the certificate length has been set to 0, thereby signaling that
* the T0 code properly decoded a certificate.
*
* Processing of a chain works in the following way:
*
* -- The error flag is set to a non-zero value when validation is
* finished. The value is either BR_ERR_X509_OK (validation is
* successful) or another non-zero error code. When a non-zero error
* code is obtained, the remaining bytes in the current certificate and
* the subsequent certificates (if any) are completely ignored.
*
* -- Each certificate is decoded in due course, with the following
* "interesting points":
*
* -- Start of the TBS: the multihash engine is reset and activated.
*
* -- Start of the issuer DN: the secondary hash engine is started,
* to process the encoded issuer DN.
*
* -- End of the issuer DN: the secondary hash engine is stopped. The
* resulting hash value is computed and then copied into the
* next_dn_hash[] buffer.
*
* -- Start of the subject DN: the secondary hash engine is started,
* to process the encoded subject DN.
*
* -- For the EE certificate only: the Common Name, if any, is matched
* against the expected server name.
*
* -- End of the subject DN: the secondary hash engine is stopped. The
* resulting hash value is computed into the pad. It is then processed:
*
* -- If this is the EE certificate, then the hash is ignored
* (except for direct trust processing, see later; the hash is
* simply left in current_dn_hash[]).
*
* -- Otherwise, the hashed subject DN is compared with the saved
* hash value (in saved_dn_hash[]). They must match.
*
* Either way, the next_dn_hash[] value is then copied into the
* saved_dn_hash[] value. Thus, at that point, saved_dn_hash[]
* contains the hash of the issuer DN for the current certificate,
* and current_dn_hash[] contains the hash of the subject DN for the
* current certificate.
*
* -- Public key: it is decoded into the cert_pkey[] buffer. Unknown
* key types are reported at that point.
*
* -- If this is the EE certificate, then the key type is compared
* with the expected key type (initialization parameter). The public
* key data is copied to ee_pkey_data[]. The key and hashed subject
* DN are also compared with the "direct trust" keys; if the key
* and DN are matched, then validation ends with a success.
*
* -- Otherwise, the saved signature (cert_sig[]) is verified
* against the saved TBS hash (tbs_hash[]) and that freshly
* decoded public key. Failure here ends validation with an error.
*
* -- Extensions: extension values are processed in due order.
*
* -- Basic Constraints: for all certificates except EE, must be
- * present, indicate a CA, and have a path legnth compatible with
+ * present, indicate a CA, and have a path length compatible with
* the chain length so far.
*
* -- Key Usage: for the EE, if present, must allow signatures
* or encryption/key exchange, as required for the cipher suite.
* For non-EE, if present, must have the "certificate sign" bit.
*
* -- Subject Alt Name: for the EE, dNSName names are matched
* against the server name. Ignored for non-EE.
*
* -- Authority Key Identifier, Subject Key Identifier, Issuer
* Alt Name, Subject Directory Attributes, CRL Distribution Points
* Freshest CRL, Authority Info Access and Subject Info Access
* extensions are always ignored: they either contain only
* informative data, or they relate to revocation processing, which
* we explicitly do not support.
*
* -- All other extensions are ignored if non-critical. If a
* critical extension other than the ones above is encountered,
* then a failure is reported.
*
* -- End of the TBS: the multihash engine is stopped.
*
* -- Signature algorithm: the signature algorithm on the
* certificate is decoded. A failure is reported if that algorithm
* is unknown. The hashed TBS corresponding to the signature hash
* function is computed and stored in tbs_hash[] (if not supported,
* then a failure is reported). The hash OID and length are stored
* in cert_sig_hash_oid and cert_sig_hash_len.
*
* -- Signature value: the signature value is copied into the
* cert_sig[] array.
*
* -- Certificate end: the hashed issuer DN (saved_dn_hash[]) is
* looked up in the trust store (CA trust anchors only); for all
* that match, the signature (cert_sig[]) is verified against the
* anchor public key (hashed TBS is in tbs_hash[]). If one of these
* signatures is valid, then validation ends with a success.
*
* -- If the chain end is reached without obtaining a validation success,
* then validation is reported as failed.
*/
#if BR_USE_UNIX_TIME
#include <time.h>
#endif
#if BR_USE_WIN32_TIME
#include <windows.h>
#endif
/*
* The T0 compiler will produce these prototypes declarations in the
* header.
*
void br_x509_minimal_init_main(void *ctx);
void br_x509_minimal_run(void *ctx);
*/
/* see bearssl_x509.h */
void
br_x509_minimal_init(br_x509_minimal_context *ctx,
const br_hash_class *dn_hash_impl,
const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num)
{
memset(ctx, 0, sizeof *ctx);
ctx->vtable = &br_x509_minimal_vtable;
ctx->dn_hash_impl = dn_hash_impl;
ctx->trust_anchors = trust_anchors;
ctx->trust_anchors_num = trust_anchors_num;
}
static void
xm_start_chain(const br_x509_class **ctx, const char *server_name)
{
br_x509_minimal_context *cc;
size_t u;
cc = (br_x509_minimal_context *)(void *)ctx;
for (u = 0; u < cc->num_name_elts; u ++) {
cc->name_elts[u].status = 0;
cc->name_elts[u].buf[0] = 0;
}
memset(&cc->pkey, 0, sizeof cc->pkey);
cc->num_certs = 0;
cc->err = 0;
cc->cpu.dp = cc->dp_stack;
cc->cpu.rp = cc->rp_stack;
br_x509_minimal_init_main(&cc->cpu);
if (server_name == NULL || *server_name == 0) {
cc->server_name = NULL;
} else {
cc->server_name = server_name;
}
}
static void
xm_start_cert(const br_x509_class **ctx, uint32_t length)
{
br_x509_minimal_context *cc;
cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err != 0) {
return;
}
if (length == 0) {
cc->err = BR_ERR_X509_TRUNCATED;
return;
}
cc->cert_length = length;
}
static void
xm_append(const br_x509_class **ctx, const unsigned char *buf, size_t len)
{
br_x509_minimal_context *cc;
cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err != 0) {
return;
}
cc->hbuf = buf;
cc->hlen = len;
br_x509_minimal_run(&cc->cpu);
}
static void
xm_end_cert(const br_x509_class **ctx)
{
br_x509_minimal_context *cc;
cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err == 0 && cc->cert_length != 0) {
cc->err = BR_ERR_X509_TRUNCATED;
}
cc->num_certs ++;
}
static unsigned
xm_end_chain(const br_x509_class **ctx)
{
br_x509_minimal_context *cc;
cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err == 0) {
if (cc->num_certs == 0) {
cc->err = BR_ERR_X509_EMPTY_CHAIN;
} else {
cc->err = BR_ERR_X509_NOT_TRUSTED;
}
} else if (cc->err == BR_ERR_X509_OK) {
return 0;
}
return (unsigned)cc->err;
}
static const br_x509_pkey *
xm_get_pkey(const br_x509_class *const *ctx, unsigned *usages)
{
br_x509_minimal_context *cc;
cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err == BR_ERR_X509_OK
|| cc->err == BR_ERR_X509_NOT_TRUSTED)
{
if (usages != NULL) {
*usages = cc->key_usages;
}
return &((br_x509_minimal_context *)(void *)ctx)->pkey;
} else {
return NULL;
}
}
/* see bearssl_x509.h */
const br_x509_class br_x509_minimal_vtable = {
sizeof(br_x509_minimal_context),
xm_start_chain,
xm_start_cert,
xm_append,
xm_end_cert,
xm_end_chain,
xm_get_pkey
};
#define CTX ((br_x509_minimal_context *)(void *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu)))
#define CONTEXT_NAME br_x509_minimal_context
#define DNHASH_LEN ((CTX->dn_hash_impl->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK)
/*
* Hash a DN (from a trust anchor) into the provided buffer. This uses the
* DN hash implementation and context structure from the X.509 engine
* context.
*/
static void
hash_dn(br_x509_minimal_context *ctx, const void *dn, size_t len,
unsigned char *out)
{
ctx->dn_hash_impl->init(&ctx->dn_hash.vtable);
ctx->dn_hash_impl->update(&ctx->dn_hash.vtable, dn, len);
ctx->dn_hash_impl->out(&ctx->dn_hash.vtable, out);
}
/*
* Compare two big integers for equality. The integers use unsigned big-endian
* encoding; extra leading bytes (of value 0) are allowed.
*/
static int
eqbigint(const unsigned char *b1, size_t len1,
const unsigned char *b2, size_t len2)
{
while (len1 > 0 && *b1 == 0) {
b1 ++;
len1 --;
}
while (len2 > 0 && *b2 == 0) {
b2 ++;
len2 --;
}
if (len1 != len2) {
return 0;
}
return memcmp(b1, b2, len1) == 0;
}
/*
* Compare two strings for equality, in a case-insensitive way. This
* function handles casing only for ASCII letters.
*/
static int
eqnocase(const void *s1, const void *s2, size_t len)
{
const unsigned char *buf1, *buf2;
buf1 = s1;
buf2 = s2;
while (len -- > 0) {
int x1, x2;
x1 = *buf1 ++;
x2 = *buf2 ++;
if (x1 >= 'A' && x1 <= 'Z') {
x1 += 'a' - 'A';
}
if (x2 >= 'A' && x2 <= 'Z') {
x2 += 'a' - 'A';
}
if (x1 != x2) {
return 0;
}
}
return 1;
}
static int verify_signature(br_x509_minimal_context *ctx,
const br_x509_pkey *pk);
static const unsigned char t0_datablock[] = {
0x00, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x09,
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x09, 0x2A, 0x86,
0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0E, 0x09, 0x2A, 0x86, 0x48, 0x86,
0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
0x01, 0x01, 0x0C, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01,
0x0D, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x09, 0x60, 0x86, 0x48, 0x01,
0x65, 0x03, 0x04, 0x02, 0x04, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
0x04, 0x02, 0x01, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
0x02, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x07,
0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x08, 0x2A, 0x86, 0x48, 0xCE,
0x3D, 0x03, 0x01, 0x07, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22, 0x05, 0x2B,
0x81, 0x04, 0x00, 0x23, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x01,
0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x01, 0x08, 0x2A, 0x86,
0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D,
0x04, 0x03, 0x03, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x04,
0x03, 0x55, 0x04, 0x03, 0x00, 0x1F, 0x03, 0xFC, 0x07, 0x7F, 0x0B, 0x5E,
0x0F, 0x1F, 0x12, 0xFE, 0x16, 0xBF, 0x1A, 0x9F, 0x1E, 0x7E, 0x22, 0x3F,
0x26, 0x1E, 0x29, 0xDF, 0x00, 0x1F, 0x03, 0xFD, 0x07, 0x9F, 0x0B, 0x7E,
0x0F, 0x3F, 0x13, 0x1E, 0x16, 0xDF, 0x1A, 0xBF, 0x1E, 0x9E, 0x22, 0x5F,
0x26, 0x3E, 0x29, 0xFF, 0x03, 0x55, 0x1D, 0x13, 0x03, 0x55, 0x1D, 0x0F,
0x03, 0x55, 0x1D, 0x11, 0x03, 0x55, 0x1D, 0x20, 0x08, 0x2B, 0x06, 0x01,
0x05, 0x05, 0x07, 0x02, 0x01, 0x03, 0x55, 0x1D, 0x23, 0x03, 0x55, 0x1D,
0x0E, 0x03, 0x55, 0x1D, 0x12, 0x03, 0x55, 0x1D, 0x09, 0x03, 0x55, 0x1D,
0x1F, 0x03, 0x55, 0x1D, 0x2E, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07,
0x01, 0x01, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x0B
};
static const unsigned char t0_codeblock[] = {
0x00, 0x01, 0x00, 0x0D, 0x00, 0x00, 0x01, 0x00, 0x10, 0x00, 0x00, 0x01,
0x00, 0x11, 0x00, 0x00, 0x01, 0x01, 0x09, 0x00, 0x00, 0x01, 0x01, 0x0A,
- 0x00, 0x00, 0x24, 0x24, 0x00, 0x00, 0x01,
+ 0x00, 0x00, 0x25, 0x25, 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_BAD_BOOLEAN), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_BAD_DN), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_BAD_SERVER_NAME), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_BAD_TAG_CLASS), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_BAD_TAG_VALUE), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_BAD_TIME), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_CRITICAL_EXTENSION), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_DN_MISMATCH), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_EXPIRED), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_EXTRA_ELEMENT), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_FORBIDDEN_KEY_USAGE), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_INDEFINITE_LENGTH), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_INNER_TRUNC), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_LIMIT_EXCEEDED), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_NOT_CA), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_NOT_CONSTRUCTED), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_NOT_PRIMITIVE), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_OVERFLOW), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_PARTIAL_BYTE), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_UNEXPECTED), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_UNSUPPORTED), 0x00, 0x00, 0x01,
T0_INT1(BR_ERR_X509_WEAK_PUBLIC_KEY), 0x00, 0x00, 0x01,
T0_INT1(BR_KEYTYPE_EC), 0x00, 0x00, 0x01, T0_INT1(BR_KEYTYPE_RSA),
0x00, 0x00, 0x01, T0_INT2(offsetof(CONTEXT_NAME, cert_length)), 0x00,
0x00, 0x01, T0_INT2(offsetof(CONTEXT_NAME, cert_sig)), 0x00, 0x00,
0x01, T0_INT2(offsetof(CONTEXT_NAME, cert_sig_hash_len)), 0x00, 0x00,
0x01, T0_INT2(offsetof(CONTEXT_NAME, cert_sig_hash_oid)), 0x00, 0x00,
0x01, T0_INT2(offsetof(CONTEXT_NAME, cert_sig_len)), 0x00, 0x00, 0x01,
T0_INT2(offsetof(CONTEXT_NAME, cert_signer_key_type)), 0x00, 0x00,
0x01, T0_INT2(offsetof(CONTEXT_NAME, current_dn_hash)), 0x00, 0x00,
0x01, T0_INT2(offsetof(CONTEXT_NAME, key_usages)), 0x00, 0x00, 0x01,
T0_INT2(offsetof(br_x509_minimal_context, pkey_data)), 0x01,
T0_INT2(BR_X509_BUFSIZE_KEY), 0x00, 0x00, 0x01,
T0_INT2(offsetof(CONTEXT_NAME, min_rsa_size)), 0x00, 0x00, 0x01,
T0_INT2(offsetof(CONTEXT_NAME, next_dn_hash)), 0x00, 0x00, 0x01,
T0_INT2(offsetof(CONTEXT_NAME, num_certs)), 0x00, 0x00, 0x01,
T0_INT2(offsetof(CONTEXT_NAME, pad)), 0x00, 0x00, 0x01,
- T0_INT2(offsetof(CONTEXT_NAME, saved_dn_hash)), 0x00, 0x00, 0xC9, 0x71,
- 0x00, 0x00, 0x01, 0x80, 0x73, 0x00, 0x00, 0x01, 0x80, 0x7C, 0x00, 0x00,
- 0x01, 0x81, 0x02, 0x00, 0x00, 0x92, 0x05, 0x05, 0x34, 0x42, 0x01, 0x00,
- 0x00, 0x34, 0x01, 0x0A, 0x0E, 0x09, 0x01, 0x9A, 0xFF, 0xB8, 0x00, 0x0A,
- 0x00, 0x00, 0x01, 0x82, 0x19, 0x00, 0x00, 0x01, 0x82, 0x01, 0x00, 0x00,
- 0x01, 0x81, 0x68, 0x00, 0x04, 0x03, 0x00, 0x03, 0x01, 0x03, 0x02, 0x03,
- 0x03, 0x02, 0x03, 0x02, 0x01, 0x11, 0x06, 0x07, 0x02, 0x02, 0x02, 0x00,
- 0x0D, 0x04, 0x05, 0x02, 0x03, 0x02, 0x01, 0x0D, 0x00, 0x02, 0x03, 0x00,
- 0x03, 0x01, 0x25, 0x02, 0x01, 0x13, 0x3B, 0x02, 0x00, 0x0F, 0x15, 0x00,
- 0x00, 0x01, 0x81, 0x74, 0x00, 0x00, 0x05, 0x02, 0x52, 0x28, 0x00, 0x00,
- 0x06, 0x02, 0x53, 0x28, 0x00, 0x00, 0x01, 0x10, 0x77, 0x00, 0x00, 0x11,
- 0x05, 0x02, 0x56, 0x28, 0x74, 0x00, 0x00, 0x11, 0x05, 0x02, 0x56, 0x28,
- 0x75, 0x00, 0x00, 0x06, 0x02, 0x4C, 0x28, 0x00, 0x00, 0x01, 0x82, 0x11,
- 0x00, 0x00, 0x25, 0x20, 0x01, 0x08, 0x0E, 0x3B, 0x40, 0x20, 0x09, 0x00,
- 0x09, 0x03, 0x00, 0x5B, 0x2B, 0xAF, 0x39, 0xAF, 0xB3, 0x25, 0x01, 0x20,
- 0x11, 0x06, 0x11, 0x24, 0x74, 0xAD, 0xB3, 0x01, 0x02, 0x78, 0xB0, 0x01,
- 0x02, 0x12, 0x06, 0x02, 0x57, 0x28, 0x79, 0xB3, 0x01, 0x02, 0x78, 0xAE,
- 0xAF, 0xC2, 0x9C, 0x65, 0x61, 0x21, 0x16, 0xAF, 0xA7, 0x29, 0x69, 0x06,
- 0x02, 0x4B, 0x28, 0xA7, 0x29, 0x71, 0x06, 0x02, 0x4B, 0x28, 0x79, 0x02,
- 0x00, 0x06, 0x05, 0x9D, 0x03, 0x01, 0x04, 0x09, 0x9C, 0x61, 0x68, 0x21,
- 0x27, 0x05, 0x02, 0x4A, 0x28, 0x68, 0x65, 0x21, 0x16, 0xAF, 0xAF, 0x9E,
- 0x05, 0x02, 0x57, 0x28, 0xBC, 0x26, 0x06, 0x27, 0xC2, 0xA4, 0xAF, 0x63,
- 0xAA, 0x03, 0x03, 0x63, 0x3B, 0x02, 0x03, 0x09, 0x3B, 0x02, 0x03, 0x0A,
- 0xAA, 0x03, 0x04, 0x79, 0x64, 0x2A, 0x01, 0x81, 0x00, 0x09, 0x02, 0x03,
- 0x12, 0x06, 0x02, 0x58, 0x28, 0x79, 0x5A, 0x03, 0x02, 0x04, 0x3A, 0x88,
- 0x26, 0x06, 0x34, 0x9E, 0x05, 0x02, 0x57, 0x28, 0x6A, 0x26, 0x06, 0x04,
- 0x01, 0x17, 0x04, 0x12, 0x6B, 0x26, 0x06, 0x04, 0x01, 0x18, 0x04, 0x0A,
- 0x6C, 0x26, 0x06, 0x04, 0x01, 0x19, 0x04, 0x02, 0x57, 0x28, 0x03, 0x05,
- 0x79, 0xA4, 0x25, 0x03, 0x06, 0x25, 0x63, 0x34, 0x0D, 0x06, 0x02, 0x50,
- 0x28, 0xA5, 0x59, 0x03, 0x02, 0x04, 0x02, 0x57, 0x28, 0x79, 0x02, 0x00,
- 0x06, 0x21, 0x02, 0x02, 0x5A, 0x30, 0x11, 0x06, 0x08, 0x24, 0x02, 0x03,
- 0x02, 0x04, 0x1D, 0x04, 0x10, 0x59, 0x30, 0x11, 0x06, 0x08, 0x24, 0x02,
- 0x05, 0x02, 0x06, 0x1C, 0x04, 0x03, 0x57, 0x28, 0x24, 0x04, 0x24, 0x02,
- 0x02, 0x5A, 0x30, 0x11, 0x06, 0x08, 0x24, 0x02, 0x03, 0x02, 0x04, 0x23,
- 0x04, 0x10, 0x59, 0x30, 0x11, 0x06, 0x08, 0x24, 0x02, 0x05, 0x02, 0x06,
- 0x22, 0x04, 0x03, 0x57, 0x28, 0x24, 0x25, 0x06, 0x01, 0x28, 0x24, 0x01,
- 0x00, 0x03, 0x07, 0xB4, 0x01, 0x21, 0x8F, 0x01, 0x22, 0x8F, 0x25, 0x01,
- 0x23, 0x11, 0x06, 0x81, 0x26, 0x24, 0x74, 0xAD, 0xAF, 0x25, 0x06, 0x81,
- 0x1A, 0x01, 0x00, 0x03, 0x08, 0xAF, 0x9E, 0x24, 0xB3, 0x25, 0x01, 0x01,
- 0x11, 0x06, 0x04, 0xA6, 0x03, 0x08, 0xB3, 0x01, 0x04, 0x78, 0xAD, 0x70,
- 0x26, 0x06, 0x0F, 0x02, 0x00, 0x06, 0x03, 0xC3, 0x04, 0x05, 0x99, 0x01,
- 0x7F, 0x03, 0x07, 0x04, 0x80, 0x6C, 0x91, 0x26, 0x06, 0x06, 0x02, 0x00,
- 0x9B, 0x04, 0x80, 0x62, 0xC5, 0x26, 0x06, 0x11, 0x02, 0x00, 0x06, 0x09,
- 0x01, 0x00, 0x03, 0x01, 0x98, 0x03, 0x01, 0x04, 0x01, 0xC3, 0x04, 0x80,
- 0x4D, 0x73, 0x26, 0x06, 0x0A, 0x02, 0x08, 0x06, 0x03, 0x9A, 0x04, 0x01,
- 0xC3, 0x04, 0x3F, 0x6F, 0x26, 0x06, 0x03, 0xC3, 0x04, 0x38, 0xC8, 0x26,
- 0x06, 0x03, 0xC3, 0x04, 0x31, 0x90, 0x26, 0x06, 0x03, 0xC3, 0x04, 0x2A,
- 0xC6, 0x26, 0x06, 0x03, 0xC3, 0x04, 0x23, 0x7A, 0x26, 0x06, 0x03, 0xC3,
- 0x04, 0x1C, 0x85, 0x26, 0x06, 0x03, 0xC3, 0x04, 0x15, 0x6E, 0x26, 0x06,
- 0x03, 0xC3, 0x04, 0x0E, 0xC7, 0x26, 0x06, 0x03, 0xC3, 0x04, 0x07, 0x02,
- 0x08, 0x06, 0x02, 0x49, 0x28, 0xC3, 0x79, 0x79, 0x04, 0xFE, 0x62, 0x79,
- 0x79, 0x04, 0x08, 0x01, 0x7F, 0x11, 0x05, 0x02, 0x56, 0x28, 0x24, 0x79,
- 0x3A, 0x02, 0x00, 0x06, 0x08, 0x02, 0x01, 0x3C, 0x2F, 0x05, 0x02, 0x45,
- 0x28, 0x02, 0x00, 0x06, 0x01, 0x17, 0x02, 0x00, 0x02, 0x07, 0x2F, 0x05,
- 0x02, 0x51, 0x28, 0xB3, 0x76, 0xAD, 0x9E, 0x06, 0x80, 0x77, 0xBD, 0x26,
- 0x06, 0x07, 0x01, 0x02, 0x5A, 0x8A, 0x04, 0x80, 0x5E, 0xBE, 0x26, 0x06,
- 0x07, 0x01, 0x03, 0x5A, 0x8B, 0x04, 0x80, 0x53, 0xBF, 0x26, 0x06, 0x07,
- 0x01, 0x04, 0x5A, 0x8C, 0x04, 0x80, 0x48, 0xC0, 0x26, 0x06, 0x06, 0x01,
- 0x05, 0x5A, 0x8D, 0x04, 0x3E, 0xC1, 0x26, 0x06, 0x06, 0x01, 0x06, 0x5A,
- 0x8E, 0x04, 0x34, 0x7F, 0x26, 0x06, 0x06, 0x01, 0x02, 0x59, 0x8A, 0x04,
- 0x2A, 0x80, 0x26, 0x06, 0x06, 0x01, 0x03, 0x59, 0x8B, 0x04, 0x20, 0x81,
- 0x26, 0x06, 0x06, 0x01, 0x04, 0x59, 0x8C, 0x04, 0x16, 0x82, 0x26, 0x06,
- 0x06, 0x01, 0x05, 0x59, 0x8D, 0x04, 0x0C, 0x83, 0x26, 0x06, 0x06, 0x01,
- 0x06, 0x59, 0x8E, 0x04, 0x02, 0x57, 0x28, 0x5E, 0x35, 0x60, 0x37, 0x1B,
- 0x25, 0x05, 0x02, 0x57, 0x28, 0x5D, 0x37, 0x04, 0x02, 0x57, 0x28, 0xC2,
- 0xA4, 0x25, 0x01, T0_INT2(BR_X509_BUFSIZE_SIG), 0x12, 0x06, 0x02, 0x50,
- 0x28, 0x25, 0x5F, 0x35, 0x5C, 0xA5, 0x79, 0x79, 0x01, 0x00, 0x5B, 0x36,
- 0x18, 0x00, 0x00, 0x01, 0x30, 0x0A, 0x25, 0x01, 0x00, 0x01, 0x09, 0x72,
- 0x05, 0x02, 0x48, 0x28, 0x00, 0x00, 0x30, 0x30, 0x00, 0x00, 0x01, 0x81,
- 0x08, 0x00, 0x00, 0x01, 0x81, 0x10, 0x00, 0x00, 0x01, 0x81, 0x19, 0x00,
- 0x00, 0x01, 0x81, 0x22, 0x00, 0x00, 0x01, 0x81, 0x2B, 0x00, 0x01, 0x7E,
- 0x01, 0x01, 0x11, 0x3B, 0x01, 0x83, 0xFD, 0x7F, 0x11, 0x15, 0x06, 0x03,
- 0x3B, 0x24, 0x00, 0x3B, 0x25, 0x03, 0x00, 0x25, 0xCA, 0x05, 0x04, 0x42,
- 0x01, 0x00, 0x00, 0x25, 0x01, 0x81, 0x00, 0x0D, 0x06, 0x04, 0x96, 0x04,
- 0x80, 0x49, 0x25, 0x01, 0x90, 0x00, 0x0D, 0x06, 0x0F, 0x01, 0x06, 0x14,
- 0x01, 0x81, 0x40, 0x2F, 0x96, 0x02, 0x00, 0x01, 0x00, 0x97, 0x04, 0x33,
- 0x25, 0x01, 0x83, 0xFF, 0x7F, 0x0D, 0x06, 0x14, 0x01, 0x0C, 0x14, 0x01,
- 0x81, 0x60, 0x2F, 0x96, 0x02, 0x00, 0x01, 0x06, 0x97, 0x02, 0x00, 0x01,
- 0x00, 0x97, 0x04, 0x17, 0x01, 0x12, 0x14, 0x01, 0x81, 0x70, 0x2F, 0x96,
- 0x02, 0x00, 0x01, 0x0C, 0x97, 0x02, 0x00, 0x01, 0x06, 0x97, 0x02, 0x00,
- 0x01, 0x00, 0x97, 0x00, 0x00, 0x01, 0x82, 0x15, 0x00, 0x00, 0x25, 0x01,
- 0x83, 0xB0, 0x00, 0x01, 0x83, 0xB7, 0x7F, 0x72, 0x00, 0x00, 0x01, 0x81,
- 0x34, 0x00, 0x00, 0x01, 0x80, 0x6B, 0x00, 0x00, 0x01, 0x81, 0x78, 0x00,
- 0x00, 0x01, 0x3D, 0x00, 0x00, 0x01, 0x80, 0x43, 0x00, 0x00, 0x01, 0x80,
- 0x4D, 0x00, 0x00, 0x01, 0x80, 0x57, 0x00, 0x00, 0x01, 0x80, 0x61, 0x00,
- 0x00, 0x30, 0x11, 0x06, 0x04, 0x42, 0xAD, 0xC2, 0xB4, 0x00, 0x00, 0x01,
- 0x82, 0x09, 0x00, 0x00, 0x01, 0x81, 0x6C, 0x00, 0x00, 0x25, 0x01, 0x83,
- 0xB8, 0x00, 0x01, 0x83, 0xBF, 0x7F, 0x72, 0x00, 0x00, 0x01, 0x30, 0x62,
- 0x37, 0x01, 0x7F, 0x7C, 0x19, 0x01, 0x00, 0x7C, 0x19, 0x04, 0x7A, 0x00,
- 0x01, 0x81, 0x38, 0x00, 0x01, 0x7E, 0x0D, 0x06, 0x02, 0x4F, 0x28, 0x25,
- 0x03, 0x00, 0x0A, 0x02, 0x00, 0x00, 0x00, 0x30, 0x25, 0x3F, 0x3B, 0x01,
- 0x82, 0x00, 0x13, 0x2F, 0x06, 0x04, 0x42, 0x01, 0x00, 0x00, 0x30, 0x67,
- 0x09, 0x37, 0x40, 0x00, 0x00, 0x14, 0x01, 0x3F, 0x15, 0x01, 0x81, 0x00,
- 0x2F, 0x96, 0x00, 0x02, 0x01, 0x00, 0x03, 0x00, 0xAF, 0x25, 0x06, 0x80,
- 0x59, 0xB3, 0x01, 0x20, 0x30, 0x11, 0x06, 0x17, 0x24, 0x74, 0xAD, 0x9E,
- 0x24, 0x01, 0x7F, 0x2E, 0x03, 0x01, 0xB3, 0x01, 0x20, 0x77, 0xAD, 0xB2,
- 0x02, 0x01, 0x1F, 0x79, 0x79, 0x04, 0x38, 0x01, 0x21, 0x30, 0x11, 0x06,
- 0x08, 0x24, 0x75, 0xB6, 0x01, 0x01, 0x1E, 0x04, 0x2A, 0x01, 0x22, 0x30,
- 0x11, 0x06, 0x11, 0x24, 0x75, 0xB6, 0x25, 0x06, 0x06, 0x2C, 0x02, 0x00,
- 0x2F, 0x03, 0x00, 0x01, 0x02, 0x1E, 0x04, 0x13, 0x01, 0x26, 0x30, 0x11,
- 0x06, 0x08, 0x24, 0x75, 0xB6, 0x01, 0x06, 0x1E, 0x04, 0x05, 0x42, 0xAE,
- 0x01, 0x00, 0x24, 0x04, 0xFF, 0x23, 0x79, 0x02, 0x00, 0x00, 0x00, 0xAF,
- 0xB4, 0x25, 0x01, 0x01, 0x11, 0x06, 0x08, 0xA6, 0x05, 0x02, 0x51, 0x28,
- 0xB4, 0x04, 0x02, 0x51, 0x28, 0x25, 0x01, 0x02, 0x11, 0x06, 0x0C, 0x24,
- 0x75, 0xB0, 0x66, 0x2B, 0x41, 0x0D, 0x06, 0x02, 0x51, 0x28, 0xB4, 0x01,
- 0x7F, 0x10, 0x06, 0x02, 0x56, 0x28, 0x24, 0x79, 0x00, 0x00, 0xAF, 0x25,
- 0x06, 0x1A, 0xAF, 0x9E, 0x24, 0x25, 0x06, 0x11, 0xAF, 0x25, 0x06, 0x0C,
- 0xAF, 0x9E, 0x24, 0x89, 0x26, 0x05, 0x02, 0x49, 0x28, 0xC2, 0x04, 0x71,
- 0x79, 0x79, 0x04, 0x63, 0x79, 0x00, 0x02, 0x03, 0x00, 0xB3, 0x01, 0x03,
- 0x78, 0xAD, 0xBA, 0x03, 0x01, 0x02, 0x01, 0x01, 0x07, 0x12, 0x06, 0x02,
- 0x56, 0x28, 0x25, 0x01, 0x00, 0x30, 0x11, 0x06, 0x05, 0x24, 0x4D, 0x28,
- 0x04, 0x15, 0x01, 0x01, 0x30, 0x11, 0x06, 0x0A, 0x24, 0xBA, 0x02, 0x01,
- 0x14, 0x02, 0x01, 0x0E, 0x04, 0x05, 0x24, 0xBA, 0x01, 0x00, 0x24, 0x02,
- 0x00, 0x06, 0x19, 0x01, 0x00, 0x30, 0x01, 0x38, 0x15, 0x06, 0x03, 0x01,
- 0x10, 0x2F, 0x3B, 0x01, 0x81, 0x40, 0x15, 0x06, 0x03, 0x01, 0x20, 0x2F,
- 0x62, 0x37, 0x04, 0x07, 0x01, 0x04, 0x15, 0x05, 0x02, 0x4D, 0x28, 0xC2,
- 0x00, 0x00, 0x38, 0xAF, 0xC2, 0x1A, 0x00, 0x03, 0x01, 0x00, 0x03, 0x00,
- 0x38, 0xAF, 0x25, 0x06, 0x30, 0xB3, 0x01, 0x11, 0x77, 0xAD, 0x25, 0x05,
- 0x02, 0x44, 0x28, 0x25, 0x06, 0x20, 0xAF, 0x9E, 0x24, 0x87, 0x26, 0x03,
- 0x01, 0x01, 0x00, 0x2E, 0x03, 0x02, 0xB2, 0x25, 0x02, 0x01, 0x15, 0x06,
- 0x07, 0x2C, 0x06, 0x04, 0x01, 0x7F, 0x03, 0x00, 0x02, 0x02, 0x1F, 0x79,
- 0x04, 0x5D, 0x79, 0x04, 0x4D, 0x79, 0x1A, 0x02, 0x00, 0x00, 0x00, 0xB3,
- 0x01, 0x06, 0x78, 0xB1, 0x00, 0x00, 0xB8, 0x86, 0x06, 0x0E, 0x3B, 0x25,
- 0x05, 0x06, 0x42, 0x01, 0x00, 0x01, 0x00, 0x00, 0xB8, 0x6D, 0x04, 0x08,
- 0x92, 0x06, 0x05, 0x24, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0xB9, 0x86,
- 0x06, 0x0E, 0x3B, 0x25, 0x05, 0x06, 0x42, 0x01, 0x00, 0x01, 0x00, 0x00,
- 0xB9, 0x6D, 0x04, 0x08, 0x92, 0x06, 0x05, 0x24, 0x01, 0x00, 0x04, 0x00,
- 0x00, 0x00, 0xBA, 0x25, 0x01, 0x81, 0x00, 0x0D, 0x06, 0x04, 0x00, 0x04,
- 0x80, 0x55, 0x25, 0x01, 0x81, 0x40, 0x0D, 0x06, 0x07, 0x24, 0x01, 0x00,
- 0x00, 0x04, 0x80, 0x47, 0x25, 0x01, 0x81, 0x60, 0x0D, 0x06, 0x0E, 0x01,
- 0x1F, 0x15, 0x01, 0x01, 0xA3, 0x01, 0x81, 0x00, 0x01, 0x8F, 0x7F, 0x04,
- 0x32, 0x25, 0x01, 0x81, 0x70, 0x0D, 0x06, 0x0F, 0x01, 0x0F, 0x15, 0x01,
- 0x02, 0xA3, 0x01, 0x90, 0x00, 0x01, 0x83, 0xFF, 0x7F, 0x04, 0x1C, 0x25,
- 0x01, 0x81, 0x78, 0x0D, 0x06, 0x11, 0x01, 0x07, 0x15, 0x01, 0x03, 0xA3,
- 0x01, 0x84, 0x80, 0x00, 0x01, 0x80, 0xC3, 0xFF, 0x7F, 0x04, 0x04, 0x24,
- 0x01, 0x00, 0x00, 0x72, 0x05, 0x03, 0x24, 0x01, 0x00, 0x00, 0x00, 0x3B,
- 0x25, 0x05, 0x06, 0x42, 0x01, 0x00, 0x01, 0x7F, 0x00, 0xBA, 0x34, 0x25,
- 0x3D, 0x06, 0x03, 0x3B, 0x24, 0x00, 0x01, 0x06, 0x0E, 0x3B, 0x25, 0x01,
- 0x06, 0x14, 0x01, 0x02, 0x10, 0x06, 0x04, 0x42, 0x01, 0x7F, 0x00, 0x01,
- 0x3F, 0x15, 0x09, 0x00, 0x00, 0x25, 0x06, 0x06, 0x0B, 0xA2, 0x34, 0x41,
- 0x04, 0x77, 0x24, 0x25, 0x00, 0x00, 0xB3, 0x01, 0x03, 0x78, 0xAD, 0xBA,
- 0x06, 0x02, 0x55, 0x28, 0x00, 0x00, 0x3B, 0x25, 0x06, 0x07, 0x31, 0x25,
- 0x06, 0x01, 0x19, 0x04, 0x76, 0x42, 0x00, 0x00, 0x01, 0x01, 0x78, 0xAC,
- 0x01, 0x01, 0x10, 0x06, 0x02, 0x43, 0x28, 0xBA, 0x3E, 0x00, 0x04, 0xB3,
- 0x25, 0x01, 0x17, 0x01, 0x18, 0x72, 0x05, 0x02, 0x48, 0x28, 0x01, 0x18,
- 0x11, 0x03, 0x00, 0x75, 0xAD, 0xA8, 0x02, 0x00, 0x06, 0x0C, 0x01, 0x80,
- 0x64, 0x08, 0x03, 0x01, 0xA8, 0x02, 0x01, 0x09, 0x04, 0x0E, 0x25, 0x01,
- 0x32, 0x0D, 0x06, 0x04, 0x01, 0x80, 0x64, 0x09, 0x01, 0x8E, 0x6C, 0x09,
- 0x03, 0x01, 0x02, 0x01, 0x01, 0x82, 0x6D, 0x08, 0x02, 0x01, 0x01, 0x03,
- 0x09, 0x01, 0x04, 0x0C, 0x09, 0x02, 0x01, 0x01, 0x80, 0x63, 0x09, 0x01,
- 0x80, 0x64, 0x0C, 0x0A, 0x02, 0x01, 0x01, 0x83, 0x0F, 0x09, 0x01, 0x83,
- 0x10, 0x0C, 0x09, 0x03, 0x03, 0x01, 0x01, 0x01, 0x0C, 0xA9, 0x41, 0x01,
- 0x01, 0x0E, 0x02, 0x01, 0x01, 0x04, 0x07, 0x3F, 0x02, 0x01, 0x01, 0x80,
- 0x64, 0x07, 0x3E, 0x02, 0x01, 0x01, 0x83, 0x10, 0x07, 0x3F, 0x2F, 0x15,
- 0x06, 0x03, 0x01, 0x18, 0x09, 0x94, 0x09, 0x7B, 0x25, 0x01, 0x05, 0x14,
- 0x02, 0x03, 0x09, 0x03, 0x03, 0x01, 0x1F, 0x15, 0x01, 0x01, 0x3B, 0xA9,
- 0x02, 0x03, 0x09, 0x41, 0x03, 0x03, 0x01, 0x00, 0x01, 0x17, 0xA9, 0x01,
- 0x9C, 0x10, 0x08, 0x03, 0x02, 0x01, 0x00, 0x01, 0x3B, 0xA9, 0x01, 0x3C,
- 0x08, 0x02, 0x02, 0x09, 0x03, 0x02, 0x01, 0x00, 0x01, 0x3C, 0xA9, 0x02,
- 0x02, 0x09, 0x03, 0x02, 0xBA, 0x25, 0x01, 0x2E, 0x11, 0x06, 0x0D, 0x24,
- 0xBA, 0x25, 0x01, 0x30, 0x01, 0x39, 0x72, 0x06, 0x03, 0x24, 0x04, 0x74,
- 0x01, 0x80, 0x5A, 0x10, 0x06, 0x02, 0x48, 0x28, 0x79, 0x02, 0x03, 0x02,
- 0x02, 0x00, 0x01, 0xBA, 0x7D, 0x01, 0x0A, 0x08, 0x03, 0x00, 0xBA, 0x7D,
- 0x02, 0x00, 0x09, 0x00, 0x02, 0x03, 0x00, 0x03, 0x01, 0xA8, 0x25, 0x02,
- 0x01, 0x02, 0x00, 0x72, 0x05, 0x02, 0x48, 0x28, 0x00, 0x00, 0x34, 0xB3,
- 0x01, 0x02, 0x78, 0x0B, 0xAB, 0x00, 0x03, 0x25, 0x03, 0x00, 0x03, 0x01,
- 0x03, 0x02, 0xAD, 0xBA, 0x25, 0x01, 0x81, 0x00, 0x13, 0x06, 0x02, 0x54,
- 0x28, 0x25, 0x01, 0x00, 0x11, 0x06, 0x0B, 0x24, 0x25, 0x05, 0x04, 0x24,
- 0x01, 0x00, 0x00, 0xBA, 0x04, 0x6F, 0x02, 0x01, 0x25, 0x05, 0x02, 0x50,
- 0x28, 0x41, 0x03, 0x01, 0x02, 0x02, 0x37, 0x02, 0x02, 0x40, 0x03, 0x02,
- 0x25, 0x06, 0x03, 0xBA, 0x04, 0x68, 0x24, 0x02, 0x00, 0x02, 0x01, 0x0A,
- 0x00, 0x01, 0xBA, 0x25, 0x01, 0x81, 0x00, 0x0D, 0x06, 0x01, 0x00, 0x01,
- 0x81, 0x00, 0x0A, 0x25, 0x05, 0x02, 0x4E, 0x28, 0x03, 0x00, 0x01, 0x00,
- 0x02, 0x00, 0x01, 0x00, 0x12, 0x06, 0x19, 0x02, 0x00, 0x41, 0x03, 0x00,
- 0x25, 0x01, 0x83, 0xFF, 0xFF, 0x7F, 0x12, 0x06, 0x02, 0x4F, 0x28, 0x01,
- 0x08, 0x0E, 0x3B, 0xBA, 0x34, 0x09, 0x04, 0x60, 0x00, 0x00, 0xAC, 0x95,
- 0x00, 0x00, 0xAD, 0xC2, 0x00, 0x00, 0xB3, 0x76, 0xAD, 0x00, 0x01, 0xAD,
- 0x25, 0x05, 0x02, 0x54, 0x28, 0xBA, 0x25, 0x01, 0x81, 0x00, 0x13, 0x06,
- 0x02, 0x54, 0x28, 0x03, 0x00, 0x25, 0x06, 0x16, 0xBA, 0x02, 0x00, 0x25,
- 0x01, 0x87, 0xFF, 0xFF, 0x7F, 0x13, 0x06, 0x02, 0x54, 0x28, 0x01, 0x08,
- 0x0E, 0x09, 0x03, 0x00, 0x04, 0x67, 0x24, 0x02, 0x00, 0x00, 0x00, 0xAD,
- 0x25, 0x01, 0x81, 0x7F, 0x12, 0x06, 0x08, 0xC2, 0x01, 0x00, 0x67, 0x37,
- 0x01, 0x00, 0x00, 0x25, 0x67, 0x37, 0x67, 0x40, 0xA5, 0x01, 0x7F, 0x00,
- 0x00, 0xB3, 0x01, 0x0C, 0x30, 0x11, 0x06, 0x05, 0x24, 0x75, 0xB6, 0x04,
- 0x3E, 0x01, 0x12, 0x30, 0x11, 0x06, 0x05, 0x24, 0x75, 0xB7, 0x04, 0x33,
- 0x01, 0x13, 0x30, 0x11, 0x06, 0x05, 0x24, 0x75, 0xB7, 0x04, 0x28, 0x01,
- 0x14, 0x30, 0x11, 0x06, 0x05, 0x24, 0x75, 0xB7, 0x04, 0x1D, 0x01, 0x16,
- 0x30, 0x11, 0x06, 0x05, 0x24, 0x75, 0xB7, 0x04, 0x12, 0x01, 0x1E, 0x30,
- 0x11, 0x06, 0x05, 0x24, 0x75, 0xB5, 0x04, 0x07, 0x42, 0xAE, 0x01, 0x00,
- 0x01, 0x00, 0x24, 0x00, 0x01, 0xBA, 0x03, 0x00, 0x02, 0x00, 0x01, 0x05,
- 0x14, 0x01, 0x01, 0x15, 0x2D, 0x02, 0x00, 0x01, 0x06, 0x14, 0x25, 0x01,
- 0x01, 0x15, 0x06, 0x02, 0x46, 0x28, 0x01, 0x04, 0x0E, 0x02, 0x00, 0x01,
- 0x1F, 0x15, 0x25, 0x01, 0x1F, 0x11, 0x06, 0x02, 0x47, 0x28, 0x09, 0x00,
- 0x00, 0x25, 0x05, 0x05, 0x01, 0x00, 0x01, 0x7F, 0x00, 0xB3, 0x00, 0x01,
- 0xAD, 0x25, 0x05, 0x05, 0x67, 0x37, 0x01, 0x7F, 0x00, 0x01, 0x01, 0x03,
- 0x00, 0x9F, 0x25, 0x01, 0x83, 0xFF, 0x7E, 0x11, 0x06, 0x16, 0x24, 0x25,
- 0x06, 0x10, 0xA0, 0x25, 0x05, 0x05, 0x24, 0xC2, 0x01, 0x00, 0x00, 0x02,
- 0x00, 0x84, 0x03, 0x00, 0x04, 0x6D, 0x04, 0x1B, 0x25, 0x05, 0x05, 0x24,
- 0xC2, 0x01, 0x00, 0x00, 0x02, 0x00, 0x84, 0x03, 0x00, 0x25, 0x06, 0x0B,
- 0x9F, 0x25, 0x05, 0x05, 0x24, 0xC2, 0x01, 0x00, 0x00, 0x04, 0x6D, 0x24,
- 0x02, 0x00, 0x25, 0x05, 0x01, 0x00, 0x41, 0x67, 0x37, 0x01, 0x7F, 0x00,
- 0x01, 0xAD, 0x01, 0x01, 0x03, 0x00, 0x25, 0x06, 0x10, 0xA1, 0x25, 0x05,
- 0x05, 0x24, 0xC2, 0x01, 0x00, 0x00, 0x02, 0x00, 0x84, 0x03, 0x00, 0x04,
- 0x6D, 0x24, 0x02, 0x00, 0x25, 0x05, 0x01, 0x00, 0x41, 0x67, 0x37, 0x01,
- 0x7F, 0x00, 0x01, 0xAD, 0x01, 0x01, 0x03, 0x00, 0x25, 0x06, 0x10, 0xBA,
- 0x25, 0x05, 0x05, 0x24, 0xC2, 0x01, 0x00, 0x00, 0x02, 0x00, 0x84, 0x03,
- 0x00, 0x04, 0x6D, 0x24, 0x02, 0x00, 0x25, 0x05, 0x01, 0x00, 0x41, 0x67,
- 0x37, 0x01, 0x7F, 0x00, 0x00, 0xBA, 0x01, 0x08, 0x0E, 0x3B, 0xBA, 0x34,
- 0x09, 0x00, 0x00, 0xBA, 0x3B, 0xBA, 0x01, 0x08, 0x0E, 0x34, 0x09, 0x00,
- 0x00, 0x25, 0x05, 0x02, 0x4F, 0x28, 0x41, 0xBB, 0x00, 0x00, 0x32, 0x25,
- 0x01, 0x00, 0x13, 0x06, 0x01, 0x00, 0x24, 0x19, 0x04, 0x74, 0x00, 0x01,
- 0x01, 0x00, 0x00, 0x01, 0x0B, 0x00, 0x00, 0x01, 0x15, 0x00, 0x00, 0x01,
- 0x1F, 0x00, 0x00, 0x01, 0x29, 0x00, 0x00, 0x01, 0x33, 0x00, 0x00, 0xC3,
- 0x24, 0x00, 0x00, 0x25, 0x06, 0x07, 0xC4, 0x25, 0x06, 0x01, 0x19, 0x04,
- 0x76, 0x00, 0x00, 0x01, 0x00, 0x30, 0x31, 0x0B, 0x42, 0x00, 0x00, 0x01,
- 0x81, 0x70, 0x00, 0x00, 0x01, 0x82, 0x0D, 0x00, 0x00, 0x01, 0x82, 0x22,
- 0x00, 0x00, 0x01, 0x82, 0x05, 0x00, 0x00, 0x01, 0x03, 0x33, 0x01, 0x03,
- 0x33, 0x00, 0x00, 0x25, 0x01, 0x83, 0xFB, 0x50, 0x01, 0x83, 0xFD, 0x5F,
- 0x72, 0x06, 0x04, 0x24, 0x01, 0x00, 0x00, 0x25, 0x01, 0x83, 0xB0, 0x00,
- 0x01, 0x83, 0xBF, 0x7F, 0x72, 0x06, 0x04, 0x24, 0x01, 0x00, 0x00, 0x01,
- 0x83, 0xFF, 0x7F, 0x15, 0x01, 0x83, 0xFF, 0x7E, 0x0D, 0x00
+ T0_INT2(offsetof(CONTEXT_NAME, saved_dn_hash)), 0x00, 0x00, 0x01, 0x80,
+ 0x73, 0x00, 0x00, 0x01, 0x80, 0x7C, 0x00, 0x00, 0x01, 0x81, 0x02, 0x00,
+ 0x00, 0x8F, 0x05, 0x05, 0x33, 0x41, 0x01, 0x00, 0x00, 0x33, 0x01, 0x0A,
+ 0x0E, 0x09, 0x01, 0x9A, 0xFF, 0xB8, 0x00, 0x0A, 0x00, 0x00, 0x01, 0x82,
+ 0x19, 0x00, 0x00, 0x01, 0x82, 0x01, 0x00, 0x00, 0x01, 0x81, 0x68, 0x00,
+ 0x02, 0x03, 0x00, 0x03, 0x01, 0x26, 0x02, 0x01, 0x13, 0x3A, 0x02, 0x00,
+ 0x0F, 0x15, 0x00, 0x00, 0x01, 0x81, 0x74, 0x00, 0x00, 0x05, 0x02, 0x51,
+ 0x29, 0x00, 0x00, 0x06, 0x02, 0x52, 0x29, 0x00, 0x00, 0x01, 0x10, 0x74,
+ 0x00, 0x00, 0x11, 0x05, 0x02, 0x55, 0x29, 0x71, 0x00, 0x00, 0x11, 0x05,
+ 0x02, 0x55, 0x29, 0x72, 0x00, 0x00, 0x06, 0x02, 0x4B, 0x29, 0x00, 0x00,
+ 0x01, 0x82, 0x11, 0x00, 0x00, 0x26, 0x21, 0x01, 0x08, 0x0E, 0x3A, 0x3F,
+ 0x21, 0x09, 0x00, 0x0B, 0x03, 0x00, 0x5A, 0x2B, 0xAC, 0x38, 0xAC, 0xB0,
+ 0x26, 0x01, 0x20, 0x11, 0x06, 0x11, 0x25, 0x71, 0xAA, 0xB0, 0x01, 0x02,
+ 0x75, 0xAD, 0x01, 0x02, 0x12, 0x06, 0x02, 0x56, 0x29, 0x76, 0xB0, 0x01,
+ 0x02, 0x75, 0xAB, 0xAC, 0xBF, 0x99, 0x64, 0x60, 0x22, 0x16, 0xAC, 0xA4,
+ 0x03, 0x01, 0x03, 0x02, 0xA4, 0x02, 0x02, 0x02, 0x01, 0x19, 0x06, 0x02,
+ 0x4A, 0x29, 0x76, 0x02, 0x00, 0x06, 0x05, 0x9A, 0x03, 0x03, 0x04, 0x09,
+ 0x99, 0x60, 0x67, 0x22, 0x28, 0x05, 0x02, 0x49, 0x29, 0x67, 0x64, 0x22,
+ 0x16, 0xAC, 0xAC, 0x9B, 0x05, 0x02, 0x56, 0x29, 0xB9, 0x27, 0x06, 0x27,
+ 0xBF, 0xA1, 0xAC, 0x62, 0xA7, 0x03, 0x05, 0x62, 0x3A, 0x02, 0x05, 0x09,
+ 0x3A, 0x02, 0x05, 0x0A, 0xA7, 0x03, 0x06, 0x76, 0x63, 0x2A, 0x01, 0x81,
+ 0x00, 0x09, 0x02, 0x05, 0x12, 0x06, 0x02, 0x57, 0x29, 0x76, 0x59, 0x03,
+ 0x04, 0x04, 0x3A, 0x85, 0x27, 0x06, 0x34, 0x9B, 0x05, 0x02, 0x56, 0x29,
+ 0x68, 0x27, 0x06, 0x04, 0x01, 0x17, 0x04, 0x12, 0x69, 0x27, 0x06, 0x04,
+ 0x01, 0x18, 0x04, 0x0A, 0x6A, 0x27, 0x06, 0x04, 0x01, 0x19, 0x04, 0x02,
+ 0x56, 0x29, 0x03, 0x07, 0x76, 0xA1, 0x26, 0x03, 0x08, 0x26, 0x62, 0x33,
+ 0x0D, 0x06, 0x02, 0x4F, 0x29, 0xA2, 0x58, 0x03, 0x04, 0x04, 0x02, 0x56,
+ 0x29, 0x76, 0x02, 0x00, 0x06, 0x21, 0x02, 0x04, 0x59, 0x30, 0x11, 0x06,
+ 0x08, 0x25, 0x02, 0x05, 0x02, 0x06, 0x1E, 0x04, 0x10, 0x58, 0x30, 0x11,
+ 0x06, 0x08, 0x25, 0x02, 0x07, 0x02, 0x08, 0x1D, 0x04, 0x03, 0x56, 0x29,
+ 0x25, 0x04, 0x24, 0x02, 0x04, 0x59, 0x30, 0x11, 0x06, 0x08, 0x25, 0x02,
+ 0x05, 0x02, 0x06, 0x24, 0x04, 0x10, 0x58, 0x30, 0x11, 0x06, 0x08, 0x25,
+ 0x02, 0x07, 0x02, 0x08, 0x23, 0x04, 0x03, 0x56, 0x29, 0x25, 0x26, 0x06,
+ 0x01, 0x29, 0x25, 0x01, 0x00, 0x03, 0x09, 0xB1, 0x01, 0x21, 0x8C, 0x01,
+ 0x22, 0x8C, 0x26, 0x01, 0x23, 0x11, 0x06, 0x81, 0x26, 0x25, 0x71, 0xAA,
+ 0xAC, 0x26, 0x06, 0x81, 0x1A, 0x01, 0x00, 0x03, 0x0A, 0xAC, 0x9B, 0x25,
+ 0xB0, 0x26, 0x01, 0x01, 0x11, 0x06, 0x04, 0xA3, 0x03, 0x0A, 0xB0, 0x01,
+ 0x04, 0x75, 0xAA, 0x6E, 0x27, 0x06, 0x0F, 0x02, 0x00, 0x06, 0x03, 0xC0,
+ 0x04, 0x05, 0x96, 0x01, 0x7F, 0x03, 0x09, 0x04, 0x80, 0x6C, 0x8E, 0x27,
+ 0x06, 0x06, 0x02, 0x00, 0x98, 0x04, 0x80, 0x62, 0xC2, 0x27, 0x06, 0x11,
+ 0x02, 0x00, 0x06, 0x09, 0x01, 0x00, 0x03, 0x03, 0x95, 0x03, 0x03, 0x04,
+ 0x01, 0xC0, 0x04, 0x80, 0x4D, 0x70, 0x27, 0x06, 0x0A, 0x02, 0x0A, 0x06,
+ 0x03, 0x97, 0x04, 0x01, 0xC0, 0x04, 0x3F, 0x6D, 0x27, 0x06, 0x03, 0xC0,
+ 0x04, 0x38, 0xC5, 0x27, 0x06, 0x03, 0xC0, 0x04, 0x31, 0x8D, 0x27, 0x06,
+ 0x03, 0xC0, 0x04, 0x2A, 0xC3, 0x27, 0x06, 0x03, 0xC0, 0x04, 0x23, 0x77,
+ 0x27, 0x06, 0x03, 0xC0, 0x04, 0x1C, 0x82, 0x27, 0x06, 0x03, 0xC0, 0x04,
+ 0x15, 0x6C, 0x27, 0x06, 0x03, 0xC0, 0x04, 0x0E, 0xC4, 0x27, 0x06, 0x03,
+ 0xC0, 0x04, 0x07, 0x02, 0x0A, 0x06, 0x02, 0x48, 0x29, 0xC0, 0x76, 0x76,
+ 0x04, 0xFE, 0x62, 0x76, 0x76, 0x04, 0x08, 0x01, 0x7F, 0x11, 0x05, 0x02,
+ 0x55, 0x29, 0x25, 0x76, 0x39, 0x02, 0x00, 0x06, 0x08, 0x02, 0x03, 0x3B,
+ 0x2F, 0x05, 0x02, 0x44, 0x29, 0x02, 0x00, 0x06, 0x01, 0x17, 0x02, 0x00,
+ 0x02, 0x09, 0x2F, 0x05, 0x02, 0x50, 0x29, 0xB0, 0x73, 0xAA, 0x9B, 0x06,
+ 0x80, 0x77, 0xBA, 0x27, 0x06, 0x07, 0x01, 0x02, 0x59, 0x87, 0x04, 0x80,
+ 0x5E, 0xBB, 0x27, 0x06, 0x07, 0x01, 0x03, 0x59, 0x88, 0x04, 0x80, 0x53,
+ 0xBC, 0x27, 0x06, 0x07, 0x01, 0x04, 0x59, 0x89, 0x04, 0x80, 0x48, 0xBD,
+ 0x27, 0x06, 0x06, 0x01, 0x05, 0x59, 0x8A, 0x04, 0x3E, 0xBE, 0x27, 0x06,
+ 0x06, 0x01, 0x06, 0x59, 0x8B, 0x04, 0x34, 0x7C, 0x27, 0x06, 0x06, 0x01,
+ 0x02, 0x58, 0x87, 0x04, 0x2A, 0x7D, 0x27, 0x06, 0x06, 0x01, 0x03, 0x58,
+ 0x88, 0x04, 0x20, 0x7E, 0x27, 0x06, 0x06, 0x01, 0x04, 0x58, 0x89, 0x04,
+ 0x16, 0x7F, 0x27, 0x06, 0x06, 0x01, 0x05, 0x58, 0x8A, 0x04, 0x0C, 0x80,
+ 0x27, 0x06, 0x06, 0x01, 0x06, 0x58, 0x8B, 0x04, 0x02, 0x56, 0x29, 0x5D,
+ 0x34, 0x5F, 0x36, 0x1C, 0x26, 0x05, 0x02, 0x56, 0x29, 0x5C, 0x36, 0x04,
+ 0x02, 0x56, 0x29, 0xBF, 0xA1, 0x26, 0x01, T0_INT2(BR_X509_BUFSIZE_SIG),
+ 0x12, 0x06, 0x02, 0x4F, 0x29, 0x26, 0x5E, 0x34, 0x5B, 0xA2, 0x76, 0x76,
+ 0x01, 0x00, 0x5A, 0x35, 0x18, 0x00, 0x00, 0x01, 0x30, 0x0A, 0x26, 0x01,
+ 0x00, 0x01, 0x09, 0x6F, 0x05, 0x02, 0x47, 0x29, 0x00, 0x00, 0x30, 0x30,
+ 0x00, 0x00, 0x01, 0x81, 0x08, 0x00, 0x00, 0x01, 0x81, 0x10, 0x00, 0x00,
+ 0x01, 0x81, 0x19, 0x00, 0x00, 0x01, 0x81, 0x22, 0x00, 0x00, 0x01, 0x81,
+ 0x2B, 0x00, 0x01, 0x7B, 0x01, 0x01, 0x11, 0x3A, 0x01, 0x83, 0xFD, 0x7F,
+ 0x11, 0x15, 0x06, 0x03, 0x3A, 0x25, 0x00, 0x3A, 0x26, 0x03, 0x00, 0x26,
+ 0xC6, 0x05, 0x04, 0x41, 0x01, 0x00, 0x00, 0x26, 0x01, 0x81, 0x00, 0x0D,
+ 0x06, 0x04, 0x93, 0x04, 0x80, 0x49, 0x26, 0x01, 0x90, 0x00, 0x0D, 0x06,
+ 0x0F, 0x01, 0x06, 0x14, 0x01, 0x81, 0x40, 0x2F, 0x93, 0x02, 0x00, 0x01,
+ 0x00, 0x94, 0x04, 0x33, 0x26, 0x01, 0x83, 0xFF, 0x7F, 0x0D, 0x06, 0x14,
+ 0x01, 0x0C, 0x14, 0x01, 0x81, 0x60, 0x2F, 0x93, 0x02, 0x00, 0x01, 0x06,
+ 0x94, 0x02, 0x00, 0x01, 0x00, 0x94, 0x04, 0x17, 0x01, 0x12, 0x14, 0x01,
+ 0x81, 0x70, 0x2F, 0x93, 0x02, 0x00, 0x01, 0x0C, 0x94, 0x02, 0x00, 0x01,
+ 0x06, 0x94, 0x02, 0x00, 0x01, 0x00, 0x94, 0x00, 0x00, 0x01, 0x82, 0x15,
+ 0x00, 0x00, 0x26, 0x01, 0x83, 0xB0, 0x00, 0x01, 0x83, 0xB7, 0x7F, 0x6F,
+ 0x00, 0x00, 0x01, 0x81, 0x34, 0x00, 0x00, 0x01, 0x80, 0x6B, 0x00, 0x00,
+ 0x01, 0x81, 0x78, 0x00, 0x00, 0x01, 0x3D, 0x00, 0x00, 0x01, 0x80, 0x43,
+ 0x00, 0x00, 0x01, 0x80, 0x4D, 0x00, 0x00, 0x01, 0x80, 0x57, 0x00, 0x00,
+ 0x01, 0x80, 0x61, 0x00, 0x00, 0x30, 0x11, 0x06, 0x04, 0x41, 0xAA, 0xBF,
+ 0xB1, 0x00, 0x00, 0x01, 0x82, 0x09, 0x00, 0x00, 0x01, 0x81, 0x6C, 0x00,
+ 0x00, 0x26, 0x01, 0x83, 0xB8, 0x00, 0x01, 0x83, 0xBF, 0x7F, 0x6F, 0x00,
+ 0x00, 0x01, 0x30, 0x61, 0x36, 0x01, 0x7F, 0x79, 0x1A, 0x01, 0x00, 0x79,
+ 0x1A, 0x04, 0x7A, 0x00, 0x01, 0x81, 0x38, 0x00, 0x01, 0x7B, 0x0D, 0x06,
+ 0x02, 0x4E, 0x29, 0x26, 0x03, 0x00, 0x0A, 0x02, 0x00, 0x00, 0x00, 0x30,
+ 0x26, 0x3E, 0x3A, 0x01, 0x82, 0x00, 0x13, 0x2F, 0x06, 0x04, 0x41, 0x01,
+ 0x00, 0x00, 0x30, 0x66, 0x09, 0x36, 0x3F, 0x00, 0x00, 0x14, 0x01, 0x3F,
+ 0x15, 0x01, 0x81, 0x00, 0x2F, 0x93, 0x00, 0x02, 0x01, 0x00, 0x03, 0x00,
+ 0xAC, 0x26, 0x06, 0x80, 0x59, 0xB0, 0x01, 0x20, 0x30, 0x11, 0x06, 0x17,
+ 0x25, 0x71, 0xAA, 0x9B, 0x25, 0x01, 0x7F, 0x2E, 0x03, 0x01, 0xB0, 0x01,
+ 0x20, 0x74, 0xAA, 0xAF, 0x02, 0x01, 0x20, 0x76, 0x76, 0x04, 0x38, 0x01,
+ 0x21, 0x30, 0x11, 0x06, 0x08, 0x25, 0x72, 0xB3, 0x01, 0x01, 0x1F, 0x04,
+ 0x2A, 0x01, 0x22, 0x30, 0x11, 0x06, 0x11, 0x25, 0x72, 0xB3, 0x26, 0x06,
+ 0x06, 0x2C, 0x02, 0x00, 0x2F, 0x03, 0x00, 0x01, 0x02, 0x1F, 0x04, 0x13,
+ 0x01, 0x26, 0x30, 0x11, 0x06, 0x08, 0x25, 0x72, 0xB3, 0x01, 0x06, 0x1F,
+ 0x04, 0x05, 0x41, 0xAB, 0x01, 0x00, 0x25, 0x04, 0xFF, 0x23, 0x76, 0x02,
+ 0x00, 0x00, 0x00, 0xAC, 0xB1, 0x26, 0x01, 0x01, 0x11, 0x06, 0x08, 0xA3,
+ 0x05, 0x02, 0x50, 0x29, 0xB1, 0x04, 0x02, 0x50, 0x29, 0x26, 0x01, 0x02,
+ 0x11, 0x06, 0x0C, 0x25, 0x72, 0xAD, 0x65, 0x2B, 0x40, 0x0D, 0x06, 0x02,
+ 0x50, 0x29, 0xB1, 0x01, 0x7F, 0x10, 0x06, 0x02, 0x55, 0x29, 0x25, 0x76,
+ 0x00, 0x00, 0xAC, 0x26, 0x06, 0x1A, 0xAC, 0x9B, 0x25, 0x26, 0x06, 0x11,
+ 0xAC, 0x26, 0x06, 0x0C, 0xAC, 0x9B, 0x25, 0x86, 0x27, 0x05, 0x02, 0x48,
+ 0x29, 0xBF, 0x04, 0x71, 0x76, 0x76, 0x04, 0x63, 0x76, 0x00, 0x02, 0x03,
+ 0x00, 0xB0, 0x01, 0x03, 0x75, 0xAA, 0xB7, 0x03, 0x01, 0x02, 0x01, 0x01,
+ 0x07, 0x12, 0x06, 0x02, 0x55, 0x29, 0x26, 0x01, 0x00, 0x30, 0x11, 0x06,
+ 0x05, 0x25, 0x4C, 0x29, 0x04, 0x15, 0x01, 0x01, 0x30, 0x11, 0x06, 0x0A,
+ 0x25, 0xB7, 0x02, 0x01, 0x14, 0x02, 0x01, 0x0E, 0x04, 0x05, 0x25, 0xB7,
+ 0x01, 0x00, 0x25, 0x02, 0x00, 0x06, 0x19, 0x01, 0x00, 0x30, 0x01, 0x38,
+ 0x15, 0x06, 0x03, 0x01, 0x10, 0x2F, 0x3A, 0x01, 0x81, 0x40, 0x15, 0x06,
+ 0x03, 0x01, 0x20, 0x2F, 0x61, 0x36, 0x04, 0x07, 0x01, 0x04, 0x15, 0x05,
+ 0x02, 0x4C, 0x29, 0xBF, 0x00, 0x00, 0x37, 0xAC, 0xBF, 0x1B, 0x00, 0x03,
+ 0x01, 0x00, 0x03, 0x00, 0x37, 0xAC, 0x26, 0x06, 0x30, 0xB0, 0x01, 0x11,
+ 0x74, 0xAA, 0x26, 0x05, 0x02, 0x43, 0x29, 0x26, 0x06, 0x20, 0xAC, 0x9B,
+ 0x25, 0x84, 0x27, 0x03, 0x01, 0x01, 0x00, 0x2E, 0x03, 0x02, 0xAF, 0x26,
+ 0x02, 0x01, 0x15, 0x06, 0x07, 0x2C, 0x06, 0x04, 0x01, 0x7F, 0x03, 0x00,
+ 0x02, 0x02, 0x20, 0x76, 0x04, 0x5D, 0x76, 0x04, 0x4D, 0x76, 0x1B, 0x02,
+ 0x00, 0x00, 0x00, 0xB0, 0x01, 0x06, 0x75, 0xAE, 0x00, 0x00, 0xB5, 0x83,
+ 0x06, 0x0E, 0x3A, 0x26, 0x05, 0x06, 0x41, 0x01, 0x00, 0x01, 0x00, 0x00,
+ 0xB5, 0x6B, 0x04, 0x08, 0x8F, 0x06, 0x05, 0x25, 0x01, 0x00, 0x04, 0x00,
+ 0x00, 0x00, 0xB6, 0x83, 0x06, 0x0E, 0x3A, 0x26, 0x05, 0x06, 0x41, 0x01,
+ 0x00, 0x01, 0x00, 0x00, 0xB6, 0x6B, 0x04, 0x08, 0x8F, 0x06, 0x05, 0x25,
+ 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0xB7, 0x26, 0x01, 0x81, 0x00, 0x0D,
+ 0x06, 0x04, 0x00, 0x04, 0x80, 0x55, 0x26, 0x01, 0x81, 0x40, 0x0D, 0x06,
+ 0x07, 0x25, 0x01, 0x00, 0x00, 0x04, 0x80, 0x47, 0x26, 0x01, 0x81, 0x60,
+ 0x0D, 0x06, 0x0E, 0x01, 0x1F, 0x15, 0x01, 0x01, 0xA0, 0x01, 0x81, 0x00,
+ 0x01, 0x8F, 0x7F, 0x04, 0x32, 0x26, 0x01, 0x81, 0x70, 0x0D, 0x06, 0x0F,
+ 0x01, 0x0F, 0x15, 0x01, 0x02, 0xA0, 0x01, 0x90, 0x00, 0x01, 0x83, 0xFF,
+ 0x7F, 0x04, 0x1C, 0x26, 0x01, 0x81, 0x78, 0x0D, 0x06, 0x11, 0x01, 0x07,
+ 0x15, 0x01, 0x03, 0xA0, 0x01, 0x84, 0x80, 0x00, 0x01, 0x80, 0xC3, 0xFF,
+ 0x7F, 0x04, 0x04, 0x25, 0x01, 0x00, 0x00, 0x6F, 0x05, 0x03, 0x25, 0x01,
+ 0x00, 0x00, 0x00, 0x3A, 0x26, 0x05, 0x06, 0x41, 0x01, 0x00, 0x01, 0x7F,
+ 0x00, 0xB7, 0x33, 0x26, 0x3C, 0x06, 0x03, 0x3A, 0x25, 0x00, 0x01, 0x06,
+ 0x0E, 0x3A, 0x26, 0x01, 0x06, 0x14, 0x01, 0x02, 0x10, 0x06, 0x04, 0x41,
+ 0x01, 0x7F, 0x00, 0x01, 0x3F, 0x15, 0x09, 0x00, 0x00, 0x26, 0x06, 0x06,
+ 0x0B, 0x9F, 0x33, 0x40, 0x04, 0x77, 0x25, 0x26, 0x00, 0x00, 0xB0, 0x01,
+ 0x03, 0x75, 0xAA, 0xB7, 0x06, 0x02, 0x54, 0x29, 0x00, 0x00, 0x3A, 0x26,
+ 0x06, 0x07, 0x31, 0x26, 0x06, 0x01, 0x1A, 0x04, 0x76, 0x41, 0x00, 0x00,
+ 0x01, 0x01, 0x75, 0xA9, 0x01, 0x01, 0x10, 0x06, 0x02, 0x42, 0x29, 0xB7,
+ 0x3D, 0x00, 0x04, 0xB0, 0x26, 0x01, 0x17, 0x01, 0x18, 0x6F, 0x05, 0x02,
+ 0x47, 0x29, 0x01, 0x18, 0x11, 0x03, 0x00, 0x72, 0xAA, 0xA5, 0x02, 0x00,
+ 0x06, 0x0C, 0x01, 0x80, 0x64, 0x08, 0x03, 0x01, 0xA5, 0x02, 0x01, 0x09,
+ 0x04, 0x0E, 0x26, 0x01, 0x32, 0x0D, 0x06, 0x04, 0x01, 0x80, 0x64, 0x09,
+ 0x01, 0x8E, 0x6C, 0x09, 0x03, 0x01, 0x02, 0x01, 0x01, 0x82, 0x6D, 0x08,
+ 0x02, 0x01, 0x01, 0x03, 0x09, 0x01, 0x04, 0x0C, 0x09, 0x02, 0x01, 0x01,
+ 0x80, 0x63, 0x09, 0x01, 0x80, 0x64, 0x0C, 0x0A, 0x02, 0x01, 0x01, 0x83,
+ 0x0F, 0x09, 0x01, 0x83, 0x10, 0x0C, 0x09, 0x03, 0x03, 0x01, 0x01, 0x01,
+ 0x0C, 0xA6, 0x40, 0x01, 0x01, 0x0E, 0x02, 0x01, 0x01, 0x04, 0x07, 0x3E,
+ 0x02, 0x01, 0x01, 0x80, 0x64, 0x07, 0x3D, 0x02, 0x01, 0x01, 0x83, 0x10,
+ 0x07, 0x3E, 0x2F, 0x15, 0x06, 0x03, 0x01, 0x18, 0x09, 0x91, 0x09, 0x78,
+ 0x26, 0x01, 0x05, 0x14, 0x02, 0x03, 0x09, 0x03, 0x03, 0x01, 0x1F, 0x15,
+ 0x01, 0x01, 0x3A, 0xA6, 0x02, 0x03, 0x09, 0x40, 0x03, 0x03, 0x01, 0x00,
+ 0x01, 0x17, 0xA6, 0x01, 0x9C, 0x10, 0x08, 0x03, 0x02, 0x01, 0x00, 0x01,
+ 0x3B, 0xA6, 0x01, 0x3C, 0x08, 0x02, 0x02, 0x09, 0x03, 0x02, 0x01, 0x00,
+ 0x01, 0x3C, 0xA6, 0x02, 0x02, 0x09, 0x03, 0x02, 0xB7, 0x26, 0x01, 0x2E,
+ 0x11, 0x06, 0x0D, 0x25, 0xB7, 0x26, 0x01, 0x30, 0x01, 0x39, 0x6F, 0x06,
+ 0x03, 0x25, 0x04, 0x74, 0x01, 0x80, 0x5A, 0x10, 0x06, 0x02, 0x47, 0x29,
+ 0x76, 0x02, 0x03, 0x02, 0x02, 0x00, 0x01, 0xB7, 0x7A, 0x01, 0x0A, 0x08,
+ 0x03, 0x00, 0xB7, 0x7A, 0x02, 0x00, 0x09, 0x00, 0x02, 0x03, 0x00, 0x03,
+ 0x01, 0xA5, 0x26, 0x02, 0x01, 0x02, 0x00, 0x6F, 0x05, 0x02, 0x47, 0x29,
+ 0x00, 0x00, 0x33, 0xB0, 0x01, 0x02, 0x75, 0x0B, 0xA8, 0x00, 0x03, 0x26,
+ 0x03, 0x00, 0x03, 0x01, 0x03, 0x02, 0xAA, 0xB7, 0x26, 0x01, 0x81, 0x00,
+ 0x13, 0x06, 0x02, 0x53, 0x29, 0x26, 0x01, 0x00, 0x11, 0x06, 0x0B, 0x25,
+ 0x26, 0x05, 0x04, 0x25, 0x01, 0x00, 0x00, 0xB7, 0x04, 0x6F, 0x02, 0x01,
+ 0x26, 0x05, 0x02, 0x4F, 0x29, 0x40, 0x03, 0x01, 0x02, 0x02, 0x36, 0x02,
+ 0x02, 0x3F, 0x03, 0x02, 0x26, 0x06, 0x03, 0xB7, 0x04, 0x68, 0x25, 0x02,
+ 0x00, 0x02, 0x01, 0x0A, 0x00, 0x01, 0xB7, 0x26, 0x01, 0x81, 0x00, 0x0D,
+ 0x06, 0x01, 0x00, 0x01, 0x81, 0x00, 0x0A, 0x26, 0x05, 0x02, 0x4D, 0x29,
+ 0x03, 0x00, 0x01, 0x00, 0x02, 0x00, 0x01, 0x00, 0x12, 0x06, 0x19, 0x02,
+ 0x00, 0x40, 0x03, 0x00, 0x26, 0x01, 0x83, 0xFF, 0xFF, 0x7F, 0x12, 0x06,
+ 0x02, 0x4E, 0x29, 0x01, 0x08, 0x0E, 0x3A, 0xB7, 0x33, 0x09, 0x04, 0x60,
+ 0x00, 0x00, 0xA9, 0x92, 0x00, 0x00, 0xAA, 0xBF, 0x00, 0x00, 0xB0, 0x73,
+ 0xAA, 0x00, 0x01, 0xAA, 0x26, 0x05, 0x02, 0x53, 0x29, 0xB7, 0x26, 0x01,
+ 0x81, 0x00, 0x13, 0x06, 0x02, 0x53, 0x29, 0x03, 0x00, 0x26, 0x06, 0x16,
+ 0xB7, 0x02, 0x00, 0x26, 0x01, 0x87, 0xFF, 0xFF, 0x7F, 0x13, 0x06, 0x02,
+ 0x53, 0x29, 0x01, 0x08, 0x0E, 0x09, 0x03, 0x00, 0x04, 0x67, 0x25, 0x02,
+ 0x00, 0x00, 0x00, 0xAA, 0x26, 0x01, 0x81, 0x7F, 0x12, 0x06, 0x08, 0xBF,
+ 0x01, 0x00, 0x66, 0x36, 0x01, 0x00, 0x00, 0x26, 0x66, 0x36, 0x66, 0x3F,
+ 0xA2, 0x01, 0x7F, 0x00, 0x00, 0xB0, 0x01, 0x0C, 0x30, 0x11, 0x06, 0x05,
+ 0x25, 0x72, 0xB3, 0x04, 0x3E, 0x01, 0x12, 0x30, 0x11, 0x06, 0x05, 0x25,
+ 0x72, 0xB4, 0x04, 0x33, 0x01, 0x13, 0x30, 0x11, 0x06, 0x05, 0x25, 0x72,
+ 0xB4, 0x04, 0x28, 0x01, 0x14, 0x30, 0x11, 0x06, 0x05, 0x25, 0x72, 0xB4,
+ 0x04, 0x1D, 0x01, 0x16, 0x30, 0x11, 0x06, 0x05, 0x25, 0x72, 0xB4, 0x04,
+ 0x12, 0x01, 0x1E, 0x30, 0x11, 0x06, 0x05, 0x25, 0x72, 0xB2, 0x04, 0x07,
+ 0x41, 0xAB, 0x01, 0x00, 0x01, 0x00, 0x25, 0x00, 0x01, 0xB7, 0x03, 0x00,
+ 0x02, 0x00, 0x01, 0x05, 0x14, 0x01, 0x01, 0x15, 0x2D, 0x02, 0x00, 0x01,
+ 0x06, 0x14, 0x26, 0x01, 0x01, 0x15, 0x06, 0x02, 0x45, 0x29, 0x01, 0x04,
+ 0x0E, 0x02, 0x00, 0x01, 0x1F, 0x15, 0x26, 0x01, 0x1F, 0x11, 0x06, 0x02,
+ 0x46, 0x29, 0x09, 0x00, 0x00, 0x26, 0x05, 0x05, 0x01, 0x00, 0x01, 0x7F,
+ 0x00, 0xB0, 0x00, 0x01, 0xAA, 0x26, 0x05, 0x05, 0x66, 0x36, 0x01, 0x7F,
+ 0x00, 0x01, 0x01, 0x03, 0x00, 0x9C, 0x26, 0x01, 0x83, 0xFF, 0x7E, 0x11,
+ 0x06, 0x16, 0x25, 0x26, 0x06, 0x10, 0x9D, 0x26, 0x05, 0x05, 0x25, 0xBF,
+ 0x01, 0x00, 0x00, 0x02, 0x00, 0x81, 0x03, 0x00, 0x04, 0x6D, 0x04, 0x1B,
+ 0x26, 0x05, 0x05, 0x25, 0xBF, 0x01, 0x00, 0x00, 0x02, 0x00, 0x81, 0x03,
+ 0x00, 0x26, 0x06, 0x0B, 0x9C, 0x26, 0x05, 0x05, 0x25, 0xBF, 0x01, 0x00,
+ 0x00, 0x04, 0x6D, 0x25, 0x02, 0x00, 0x26, 0x05, 0x01, 0x00, 0x40, 0x66,
+ 0x36, 0x01, 0x7F, 0x00, 0x01, 0xAA, 0x01, 0x01, 0x03, 0x00, 0x26, 0x06,
+ 0x10, 0x9E, 0x26, 0x05, 0x05, 0x25, 0xBF, 0x01, 0x00, 0x00, 0x02, 0x00,
+ 0x81, 0x03, 0x00, 0x04, 0x6D, 0x25, 0x02, 0x00, 0x26, 0x05, 0x01, 0x00,
+ 0x40, 0x66, 0x36, 0x01, 0x7F, 0x00, 0x01, 0xAA, 0x01, 0x01, 0x03, 0x00,
+ 0x26, 0x06, 0x10, 0xB7, 0x26, 0x05, 0x05, 0x25, 0xBF, 0x01, 0x00, 0x00,
+ 0x02, 0x00, 0x81, 0x03, 0x00, 0x04, 0x6D, 0x25, 0x02, 0x00, 0x26, 0x05,
+ 0x01, 0x00, 0x40, 0x66, 0x36, 0x01, 0x7F, 0x00, 0x00, 0xB7, 0x01, 0x08,
+ 0x0E, 0x3A, 0xB7, 0x33, 0x09, 0x00, 0x00, 0xB7, 0x3A, 0xB7, 0x01, 0x08,
+ 0x0E, 0x33, 0x09, 0x00, 0x00, 0x26, 0x05, 0x02, 0x4E, 0x29, 0x40, 0xB8,
+ 0x00, 0x00, 0x32, 0x26, 0x01, 0x00, 0x13, 0x06, 0x01, 0x00, 0x25, 0x1A,
+ 0x04, 0x74, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x0B, 0x00, 0x00, 0x01,
+ 0x15, 0x00, 0x00, 0x01, 0x1F, 0x00, 0x00, 0x01, 0x29, 0x00, 0x00, 0x01,
+ 0x33, 0x00, 0x00, 0xC0, 0x25, 0x00, 0x00, 0x26, 0x06, 0x07, 0xC1, 0x26,
+ 0x06, 0x01, 0x1A, 0x04, 0x76, 0x00, 0x00, 0x01, 0x00, 0x30, 0x31, 0x0B,
+ 0x41, 0x00, 0x00, 0x01, 0x81, 0x70, 0x00, 0x00, 0x01, 0x82, 0x0D, 0x00,
+ 0x00, 0x01, 0x82, 0x22, 0x00, 0x00, 0x01, 0x82, 0x05, 0x00, 0x00, 0x26,
+ 0x01, 0x83, 0xFB, 0x50, 0x01, 0x83, 0xFB, 0x6F, 0x6F, 0x06, 0x04, 0x25,
+ 0x01, 0x00, 0x00, 0x26, 0x01, 0x83, 0xB0, 0x00, 0x01, 0x83, 0xBF, 0x7F,
+ 0x6F, 0x06, 0x04, 0x25, 0x01, 0x00, 0x00, 0x01, 0x83, 0xFF, 0x7F, 0x15,
+ 0x01, 0x83, 0xFF, 0x7E, 0x0D, 0x00
};
static const uint16_t t0_caddr[] = {
0,
5,
10,
15,
20,
25,
29,
33,
37,
41,
45,
49,
53,
57,
61,
65,
69,
73,
77,
81,
85,
89,
93,
97,
101,
105,
109,
113,
117,
121,
125,
130,
135,
140,
145,
150,
155,
160,
165,
173,
178,
183,
188,
193,
198,
- 202,
- 207,
- 212,
- 217,
- 238,
- 243,
- 248,
- 253,
- 282,
- 297,
+ 203,
+ 208,
+ 213,
+ 234,
+ 239,
+ 244,
+ 249,
+ 264,
+ 269,
+ 275,
+ 281,
+ 286,
+ 294,
302,
308,
- 314,
- 319,
- 327,
- 335,
- 341,
- 346,
- 357,
- 992,
- 1007,
- 1011,
- 1016,
- 1021,
- 1026,
- 1031,
- 1036,
+ 313,
+ 324,
+ 960,
+ 975,
+ 979,
+ 984,
+ 989,
+ 994,
+ 999,
+ 1004,
+ 1118,
+ 1123,
+ 1135,
+ 1140,
+ 1145,
1150,
- 1155,
- 1167,
- 1172,
- 1177,
- 1182,
- 1186,
- 1191,
- 1196,
- 1201,
+ 1154,
+ 1159,
+ 1164,
+ 1169,
+ 1174,
+ 1184,
+ 1189,
+ 1194,
1206,
- 1216,
1221,
1226,
- 1238,
- 1253,
- 1258,
- 1272,
- 1294,
- 1305,
- 1408,
- 1455,
- 1488,
- 1579,
- 1585,
- 1648,
- 1655,
- 1683,
- 1711,
- 1816,
- 1858,
- 1871,
- 1883,
- 1897,
- 1912,
- 2132,
- 2146,
- 2163,
- 2172,
- 2239,
- 2295,
- 2299,
- 2303,
- 2308,
- 2356,
- 2382,
- 2458,
- 2502,
- 2513,
- 2598,
- 2636,
- 2674,
+ 1240,
+ 1262,
+ 1273,
+ 1376,
+ 1423,
+ 1456,
+ 1547,
+ 1553,
+ 1616,
+ 1623,
+ 1651,
+ 1679,
+ 1784,
+ 1826,
+ 1839,
+ 1851,
+ 1865,
+ 1880,
+ 2100,
+ 2114,
+ 2131,
+ 2140,
+ 2207,
+ 2263,
+ 2267,
+ 2271,
+ 2276,
+ 2324,
+ 2350,
+ 2426,
+ 2470,
+ 2481,
+ 2566,
+ 2604,
+ 2642,
+ 2652,
+ 2662,
+ 2671,
2684,
- 2694,
- 2703,
- 2716,
- 2720,
+ 2688,
+ 2692,
+ 2696,
+ 2700,
+ 2704,
+ 2708,
+ 2712,
2724,
- 2728,
2732,
- 2736,
- 2740,
- 2744,
- 2756,
- 2764,
- 2769,
- 2774,
- 2779,
- 2784,
- 2792
+ 2737,
+ 2742,
+ 2747,
+ 2752
};
-#define T0_INTERPRETED 61
+#define T0_INTERPRETED 60
#define T0_ENTER(ip, rp, slot) do { \
const unsigned char *t0_newip; \
uint32_t t0_lnum; \
t0_newip = &t0_codeblock[t0_caddr[(slot) - T0_INTERPRETED]]; \
t0_lnum = t0_parse7E_unsigned(&t0_newip); \
(rp) += t0_lnum; \
*((rp) ++) = (uint32_t)((ip) - &t0_codeblock[0]) + (t0_lnum << 16); \
(ip) = t0_newip; \
} while (0)
#define T0_DEFENTRY(name, slot) \
void \
name(void *ctx) \
{ \
t0_context *t0ctx = ctx; \
t0ctx->ip = &t0_codeblock[0]; \
T0_ENTER(t0ctx->ip, t0ctx->rp, slot); \
}
-T0_DEFENTRY(br_x509_minimal_init_main, 147)
+T0_DEFENTRY(br_x509_minimal_init_main, 144)
#define T0_NEXT(t0ipp) (*(*(t0ipp)) ++)
void
br_x509_minimal_run(void *t0ctx)
{
uint32_t *dp, *rp;
const unsigned char *ip;
#define T0_LOCAL(x) (*(rp - 2 - (x)))
#define T0_POP() (*-- dp)
#define T0_POPi() (*(int32_t *)(-- dp))
#define T0_PEEK(x) (*(dp - 1 - (x)))
#define T0_PEEKi(x) (*(int32_t *)(dp - 1 - (x)))
#define T0_PUSH(v) do { *dp = (v); dp ++; } while (0)
#define T0_PUSHi(v) do { *(int32_t *)dp = (v); dp ++; } while (0)
#define T0_RPOP() (*-- rp)
#define T0_RPOPi() (*(int32_t *)(-- rp))
#define T0_RPUSH(v) do { *rp = (v); rp ++; } while (0)
#define T0_RPUSHi(v) do { *(int32_t *)rp = (v); rp ++; } while (0)
#define T0_ROLL(x) do { \
size_t t0len = (size_t)(x); \
uint32_t t0tmp = *(dp - 1 - t0len); \
memmove(dp - t0len - 1, dp - t0len, t0len * sizeof *dp); \
*(dp - 1) = t0tmp; \
} while (0)
#define T0_SWAP() do { \
uint32_t t0tmp = *(dp - 2); \
*(dp - 2) = *(dp - 1); \
*(dp - 1) = t0tmp; \
} while (0)
#define T0_ROT() do { \
uint32_t t0tmp = *(dp - 3); \
*(dp - 3) = *(dp - 2); \
*(dp - 2) = *(dp - 1); \
*(dp - 1) = t0tmp; \
} while (0)
#define T0_NROT() do { \
uint32_t t0tmp = *(dp - 1); \
*(dp - 1) = *(dp - 2); \
*(dp - 2) = *(dp - 3); \
*(dp - 3) = t0tmp; \
} while (0)
#define T0_PICK(x) do { \
uint32_t t0depth = (x); \
T0_PUSH(T0_PEEK(t0depth)); \
} while (0)
#define T0_CO() do { \
goto t0_exit; \
} while (0)
#define T0_RET() goto t0_next
dp = ((t0_context *)t0ctx)->dp;
rp = ((t0_context *)t0ctx)->rp;
ip = ((t0_context *)t0ctx)->ip;
goto t0_next;
for (;;) {
uint32_t t0x;
t0_next:
t0x = T0_NEXT(&ip);
if (t0x < T0_INTERPRETED) {
switch (t0x) {
int32_t t0off;
case 0: /* ret */
t0x = T0_RPOP();
rp -= (t0x >> 16);
t0x &= 0xFFFF;
if (t0x == 0) {
ip = NULL;
goto t0_exit;
}
ip = &t0_codeblock[t0x];
break;
case 1: /* literal constant */
T0_PUSHi(t0_parse7E_signed(&ip));
break;
case 2: /* read local */
T0_PUSH(T0_LOCAL(t0_parse7E_unsigned(&ip)));
break;
case 3: /* write local */
T0_LOCAL(t0_parse7E_unsigned(&ip)) = T0_POP();
break;
case 4: /* jump */
t0off = t0_parse7E_signed(&ip);
ip += t0off;
break;
case 5: /* jump if */
t0off = t0_parse7E_signed(&ip);
if (T0_POP()) {
ip += t0off;
}
break;
case 6: /* jump if not */
t0off = t0_parse7E_signed(&ip);
if (!T0_POP()) {
ip += t0off;
}
break;
case 7: {
/* %25 */
int32_t b = T0_POPi();
int32_t a = T0_POPi();
T0_PUSHi(a % b);
}
break;
case 8: {
/* * */
uint32_t b = T0_POP();
uint32_t a = T0_POP();
T0_PUSH(a * b);
}
break;
case 9: {
/* + */
uint32_t b = T0_POP();
uint32_t a = T0_POP();
T0_PUSH(a + b);
}
break;
case 10: {
/* - */
uint32_t b = T0_POP();
uint32_t a = T0_POP();
T0_PUSH(a - b);
}
break;
case 11: {
/* -rot */
T0_NROT();
}
break;
case 12: {
/* / */
int32_t b = T0_POPi();
int32_t a = T0_POPi();
T0_PUSHi(a / b);
}
break;
case 13: {
/* < */
int32_t b = T0_POPi();
int32_t a = T0_POPi();
T0_PUSH(-(uint32_t)(a < b));
}
break;
case 14: {
/* << */
int c = (int)T0_POPi();
uint32_t x = T0_POP();
T0_PUSH(x << c);
}
break;
case 15: {
/* <= */
int32_t b = T0_POPi();
int32_t a = T0_POPi();
T0_PUSH(-(uint32_t)(a <= b));
}
break;
case 16: {
/* <> */
uint32_t b = T0_POP();
uint32_t a = T0_POP();
T0_PUSH(-(uint32_t)(a != b));
}
break;
case 17: {
/* = */
uint32_t b = T0_POP();
uint32_t a = T0_POP();
T0_PUSH(-(uint32_t)(a == b));
}
break;
case 18: {
/* > */
int32_t b = T0_POPi();
int32_t a = T0_POPi();
T0_PUSH(-(uint32_t)(a > b));
}
break;
case 19: {
/* >= */
int32_t b = T0_POPi();
int32_t a = T0_POPi();
T0_PUSH(-(uint32_t)(a >= b));
}
break;
case 20: {
/* >> */
int c = (int)T0_POPi();
int32_t x = T0_POPi();
T0_PUSHi(x >> c);
}
break;
case 21: {
/* and */
uint32_t b = T0_POP();
uint32_t a = T0_POP();
T0_PUSH(a & b);
}
break;
case 22: {
/* blobcopy */
size_t len = T0_POP();
unsigned char *src = (unsigned char *)CTX + T0_POP();
unsigned char *dst = (unsigned char *)CTX + T0_POP();
memcpy(dst, src, len);
}
break;
case 23: {
/* check-direct-trust */
size_t u;
for (u = 0; u < CTX->trust_anchors_num; u ++) {
const br_x509_trust_anchor *ta;
unsigned char hashed_DN[64];
int kt;
ta = &CTX->trust_anchors[u];
if (ta->flags & BR_X509_TA_CA) {
continue;
}
hash_dn(CTX, ta->dn.data, ta->dn.len, hashed_DN);
if (memcmp(hashed_DN, CTX->current_dn_hash, DNHASH_LEN)) {
continue;
}
kt = CTX->pkey.key_type;
if ((ta->pkey.key_type & 0x0F) != kt) {
continue;
}
switch (kt) {
case BR_KEYTYPE_RSA:
if (!eqbigint(CTX->pkey.key.rsa.n,
CTX->pkey.key.rsa.nlen,
ta->pkey.key.rsa.n,
ta->pkey.key.rsa.nlen)
|| !eqbigint(CTX->pkey.key.rsa.e,
CTX->pkey.key.rsa.elen,
ta->pkey.key.rsa.e,
ta->pkey.key.rsa.elen))
{
continue;
}
break;
case BR_KEYTYPE_EC:
if (CTX->pkey.key.ec.curve != ta->pkey.key.ec.curve
|| CTX->pkey.key.ec.qlen != ta->pkey.key.ec.qlen
|| memcmp(CTX->pkey.key.ec.q,
ta->pkey.key.ec.q,
ta->pkey.key.ec.qlen) != 0)
{
continue;
}
break;
default:
continue;
}
/*
* Direct trust match!
*/
CTX->err = BR_ERR_X509_OK;
T0_CO();
}
}
break;
case 24: {
/* check-trust-anchor-CA */
size_t u;
for (u = 0; u < CTX->trust_anchors_num; u ++) {
const br_x509_trust_anchor *ta;
unsigned char hashed_DN[64];
ta = &CTX->trust_anchors[u];
if (!(ta->flags & BR_X509_TA_CA)) {
continue;
}
hash_dn(CTX, ta->dn.data, ta->dn.len, hashed_DN);
if (memcmp(hashed_DN, CTX->saved_dn_hash, DNHASH_LEN)) {
continue;
}
if (verify_signature(CTX, &ta->pkey) == 0) {
CTX->err = BR_ERR_X509_OK;
T0_CO();
}
}
}
break;
case 25: {
+ /* check-validity-range */
+
+ uint32_t nbs = T0_POP();
+ uint32_t nbd = T0_POP();
+ uint32_t nas = T0_POP();
+ uint32_t nad = T0_POP();
+ int r;
+ if (CTX->itime != 0) {
+ r = CTX->itime(CTX->itime_ctx, nbd, nbs, nad, nas);
+ if (r < -1 || r > 1) {
+ CTX->err = BR_ERR_X509_TIME_UNKNOWN;
+ T0_CO();
+ }
+ } else {
+ uint32_t vd = CTX->days;
+ uint32_t vs = CTX->seconds;
+ if (vd == 0 && vs == 0) {
+#if BR_USE_UNIX_TIME
+ time_t x = time(NULL);
+
+ vd = (uint32_t)(x / 86400) + 719528;
+ vs = (uint32_t)(x % 86400);
+#elif BR_USE_WIN32_TIME
+ FILETIME ft;
+ uint64_t x;
+
+ GetSystemTimeAsFileTime(&ft);
+ x = ((uint64_t)ft.dwHighDateTime << 32)
+ + (uint64_t)ft.dwLowDateTime;
+ x = (x / 10000000);
+ vd = (uint32_t)(x / 86400) + 584754;
+ vs = (uint32_t)(x % 86400);
+#else
+ CTX->err = BR_ERR_X509_TIME_UNKNOWN;
+ T0_CO();
+#endif
+ }
+ if (vd < nbd || (vd == nbd && vs < nbs)) {
+ r = -1;
+ } else if (vd > nad || (vd == nad && vs > nas)) {
+ r = 1;
+ } else {
+ r = 0;
+ }
+ }
+ T0_PUSHi(r);
+
+ }
+ break;
+ case 26: {
/* co */
T0_CO();
}
break;
- case 26: {
+ case 27: {
/* compute-dn-hash */
CTX->dn_hash_impl->out(&CTX->dn_hash.vtable, CTX->current_dn_hash);
CTX->do_dn_hash = 0;
}
break;
- case 27: {
+ case 28: {
/* compute-tbs-hash */
int id = T0_POPi();
size_t len;
len = br_multihash_out(&CTX->mhash, id, CTX->tbs_hash);
T0_PUSH(len);
}
break;
- case 28: {
+ case 29: {
/* copy-ee-ec-pkey */
size_t qlen = T0_POP();
uint32_t curve = T0_POP();
memcpy(CTX->ee_pkey_data, CTX->pkey_data, qlen);
CTX->pkey.key_type = BR_KEYTYPE_EC;
CTX->pkey.key.ec.curve = curve;
CTX->pkey.key.ec.q = CTX->ee_pkey_data;
CTX->pkey.key.ec.qlen = qlen;
}
break;
- case 29: {
+ case 30: {
/* copy-ee-rsa-pkey */
size_t elen = T0_POP();
size_t nlen = T0_POP();
memcpy(CTX->ee_pkey_data, CTX->pkey_data, nlen + elen);
CTX->pkey.key_type = BR_KEYTYPE_RSA;
CTX->pkey.key.rsa.n = CTX->ee_pkey_data;
CTX->pkey.key.rsa.nlen = nlen;
CTX->pkey.key.rsa.e = CTX->ee_pkey_data + nlen;
CTX->pkey.key.rsa.elen = elen;
}
break;
- case 30: {
+ case 31: {
/* copy-name-SAN */
unsigned tag = T0_POP();
unsigned ok = T0_POP();
size_t u, len;
len = CTX->pad[0];
for (u = 0; u < CTX->num_name_elts; u ++) {
br_name_element *ne;
ne = &CTX->name_elts[u];
if (ne->status == 0 && ne->oid[0] == 0 && ne->oid[1] == tag) {
if (ok && ne->len > len) {
memcpy(ne->buf, CTX->pad + 1, len);
ne->buf[len] = 0;
ne->status = 1;
} else {
ne->status = -1;
}
break;
}
}
}
break;
- case 31: {
+ case 32: {
/* copy-name-element */
size_t len;
int32_t off = T0_POPi();
int ok = T0_POPi();
if (off >= 0) {
br_name_element *ne = &CTX->name_elts[off];
if (ok) {
len = CTX->pad[0];
if (len < ne->len) {
memcpy(ne->buf, CTX->pad + 1, len);
ne->buf[len] = 0;
ne->status = 1;
} else {
ne->status = -1;
}
} else {
ne->status = -1;
}
}
}
break;
- case 32: {
+ case 33: {
/* data-get8 */
size_t addr = T0_POP();
T0_PUSH(t0_datablock[addr]);
}
break;
- case 33: {
+ case 34: {
/* dn-hash-length */
T0_PUSH(DNHASH_LEN);
}
break;
- case 34: {
+ case 35: {
/* do-ecdsa-vrfy */
size_t qlen = T0_POP();
int curve = T0_POP();
br_x509_pkey pk;
pk.key_type = BR_KEYTYPE_EC;
pk.key.ec.curve = curve;
pk.key.ec.q = CTX->pkey_data;
pk.key.ec.qlen = qlen;
T0_PUSH(verify_signature(CTX, &pk));
}
break;
- case 35: {
+ case 36: {
/* do-rsa-vrfy */
size_t elen = T0_POP();
size_t nlen = T0_POP();
br_x509_pkey pk;
pk.key_type = BR_KEYTYPE_RSA;
pk.key.rsa.n = CTX->pkey_data;
pk.key.rsa.nlen = nlen;
pk.key.rsa.e = CTX->pkey_data + nlen;
pk.key.rsa.elen = elen;
T0_PUSH(verify_signature(CTX, &pk));
}
break;
- case 36: {
+ case 37: {
/* drop */
(void)T0_POP();
}
break;
- case 37: {
+ case 38: {
/* dup */
T0_PUSH(T0_PEEK(0));
}
break;
- case 38: {
+ case 39: {
/* eqOID */
const unsigned char *a2 = &t0_datablock[T0_POP()];
const unsigned char *a1 = &CTX->pad[0];
size_t len = a1[0];
int x;
if (len == a2[0]) {
x = -(memcmp(a1 + 1, a2 + 1, len) == 0);
} else {
x = 0;
}
T0_PUSH((uint32_t)x);
}
break;
- case 39: {
+ case 40: {
/* eqblob */
size_t len = T0_POP();
const unsigned char *a2 = (const unsigned char *)CTX + T0_POP();
const unsigned char *a1 = (const unsigned char *)CTX + T0_POP();
T0_PUSHi(-(memcmp(a1, a2, len) == 0));
}
break;
- case 40: {
+ case 41: {
/* fail */
CTX->err = T0_POPi();
T0_CO();
- }
- break;
- case 41: {
- /* get-system-date */
-
- if (CTX->days == 0 && CTX->seconds == 0) {
-#if BR_USE_UNIX_TIME
- time_t x = time(NULL);
-
- T0_PUSH((uint32_t)(x / 86400) + 719528);
- T0_PUSH((uint32_t)(x % 86400));
-#elif BR_USE_WIN32_TIME
- FILETIME ft;
- uint64_t x;
-
- GetSystemTimeAsFileTime(&ft);
- x = ((uint64_t)ft.dwHighDateTime << 32)
- + (uint64_t)ft.dwLowDateTime;
- x = (x / 10000000);
- T0_PUSH((uint32_t)(x / 86400) + 584754);
- T0_PUSH((uint32_t)(x % 86400));
-#else
- CTX->err = BR_ERR_X509_TIME_UNKNOWN;
- T0_CO();
-#endif
- } else {
- T0_PUSH(CTX->days);
- T0_PUSH(CTX->seconds);
- }
-
}
break;
case 42: {
/* get16 */
uint32_t addr = T0_POP();
T0_PUSH(*(uint16_t *)(void *)((unsigned char *)CTX + addr));
}
break;
case 43: {
/* get32 */
uint32_t addr = T0_POP();
T0_PUSH(*(uint32_t *)(void *)((unsigned char *)CTX + addr));
}
break;
case 44: {
/* match-server-name */
size_t n1, n2;
if (CTX->server_name == NULL) {
T0_PUSH(0);
T0_RET();
}
n1 = strlen(CTX->server_name);
n2 = CTX->pad[0];
if (n1 == n2 && eqnocase(&CTX->pad[1], CTX->server_name, n1)) {
T0_PUSHi(-1);
T0_RET();
}
if (n2 >= 2 && CTX->pad[1] == '*' && CTX->pad[2] == '.') {
size_t u;
u = 0;
while (u < n1 && CTX->server_name[u] != '.') {
u ++;
}
u ++;
n1 -= u;
if ((n2 - 2) == n1
&& eqnocase(&CTX->pad[3], CTX->server_name + u, n1))
{
T0_PUSHi(-1);
T0_RET();
}
}
T0_PUSH(0);
}
break;
case 45: {
/* neg */
uint32_t a = T0_POP();
T0_PUSH(-a);
}
break;
case 46: {
/* offset-name-element */
unsigned san = T0_POP();
size_t u;
for (u = 0; u < CTX->num_name_elts; u ++) {
if (CTX->name_elts[u].status == 0) {
const unsigned char *oid;
size_t len, off;
oid = CTX->name_elts[u].oid;
if (san) {
if (oid[0] != 0 || oid[1] != 0) {
continue;
}
off = 2;
} else {
off = 0;
}
len = oid[off];
if (len != 0 && len == CTX->pad[0]
&& memcmp(oid + off + 1,
CTX->pad + 1, len) == 0)
{
T0_PUSH(u);
T0_RET();
}
}
}
T0_PUSHi(-1);
}
break;
case 47: {
/* or */
uint32_t b = T0_POP();
uint32_t a = T0_POP();
T0_PUSH(a | b);
}
break;
case 48: {
/* over */
T0_PUSH(T0_PEEK(1));
}
break;
case 49: {
/* read-blob-inner */
uint32_t len = T0_POP();
uint32_t addr = T0_POP();
size_t clen = CTX->hlen;
if (clen > len) {
clen = (size_t)len;
}
if (addr != 0) {
memcpy((unsigned char *)CTX + addr, CTX->hbuf, clen);
}
if (CTX->do_mhash) {
br_multihash_update(&CTX->mhash, CTX->hbuf, clen);
}
if (CTX->do_dn_hash) {
CTX->dn_hash_impl->update(
&CTX->dn_hash.vtable, CTX->hbuf, clen);
}
CTX->hbuf += clen;
CTX->hlen -= clen;
T0_PUSH(addr + clen);
T0_PUSH(len - clen);
}
break;
case 50: {
/* read8-low */
if (CTX->hlen == 0) {
T0_PUSHi(-1);
} else {
unsigned char x = *CTX->hbuf ++;
if (CTX->do_mhash) {
br_multihash_update(&CTX->mhash, &x, 1);
}
if (CTX->do_dn_hash) {
CTX->dn_hash_impl->update(&CTX->dn_hash.vtable, &x, 1);
}
CTX->hlen --;
T0_PUSH(x);
}
}
break;
case 51: {
- /* roll */
- T0_ROLL(T0_POP());
- }
- break;
- case 52: {
/* rot */
T0_ROT();
}
break;
- case 53: {
+ case 52: {
/* set16 */
uint32_t addr = T0_POP();
*(uint16_t *)(void *)((unsigned char *)CTX + addr) = T0_POP();
}
break;
- case 54: {
+ case 53: {
/* set32 */
uint32_t addr = T0_POP();
*(uint32_t *)(void *)((unsigned char *)CTX + addr) = T0_POP();
}
break;
- case 55: {
+ case 54: {
/* set8 */
uint32_t addr = T0_POP();
*((unsigned char *)CTX + addr) = (unsigned char)T0_POP();
}
break;
- case 56: {
+ case 55: {
/* start-dn-hash */
CTX->dn_hash_impl->init(&CTX->dn_hash.vtable);
CTX->do_dn_hash = 1;
}
break;
- case 57: {
+ case 56: {
/* start-tbs-hash */
br_multihash_init(&CTX->mhash);
CTX->do_mhash = 1;
}
break;
- case 58: {
+ case 57: {
/* stop-tbs-hash */
CTX->do_mhash = 0;
}
break;
- case 59: {
+ case 58: {
/* swap */
T0_SWAP();
}
break;
- case 60: {
+ case 59: {
/* zero-server-name */
T0_PUSHi(-(CTX->server_name == NULL));
}
break;
}
} else {
T0_ENTER(ip, rp, t0x);
}
}
t0_exit:
((t0_context *)t0ctx)->dp = dp;
((t0_context *)t0ctx)->rp = rp;
((t0_context *)t0ctx)->ip = ip;
}
/*
* Verify the signature on the certificate with the provided public key.
* This function checks the public key type with regards to the expected
* type. Returned value is either 0 on success, or a non-zero error code.
*/
static int
verify_signature(br_x509_minimal_context *ctx, const br_x509_pkey *pk)
{
int kt;
kt = ctx->cert_signer_key_type;
if ((pk->key_type & 0x0F) != kt) {
return BR_ERR_X509_WRONG_KEY_TYPE;
}
switch (kt) {
unsigned char tmp[64];
case BR_KEYTYPE_RSA:
if (ctx->irsa == 0) {
return BR_ERR_X509_UNSUPPORTED;
}
if (!ctx->irsa(ctx->cert_sig, ctx->cert_sig_len,
&t0_datablock[ctx->cert_sig_hash_oid],
ctx->cert_sig_hash_len, &pk->key.rsa, tmp))
{
return BR_ERR_X509_BAD_SIGNATURE;
}
if (memcmp(ctx->tbs_hash, tmp, ctx->cert_sig_hash_len) != 0) {
return BR_ERR_X509_BAD_SIGNATURE;
}
return 0;
case BR_KEYTYPE_EC:
if (ctx->iecdsa == 0) {
return BR_ERR_X509_UNSUPPORTED;
}
if (!ctx->iecdsa(ctx->iec, ctx->tbs_hash,
ctx->cert_sig_hash_len, &pk->key.ec,
ctx->cert_sig, ctx->cert_sig_len))
{
return BR_ERR_X509_BAD_SIGNATURE;
}
return 0;
default:
return BR_ERR_X509_UNSUPPORTED;
}
}
diff --git a/contrib/bearssl/src/x509/x509_minimal.t0 b/contrib/bearssl/src/x509/x509_minimal.t0
index 1e60016dcd71..80a370108e68 100644
--- a/contrib/bearssl/src/x509/x509_minimal.t0
+++ b/contrib/bearssl/src/x509/x509_minimal.t0
@@ -1,1508 +1,1526 @@
\ Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
\
\ Permission is hereby granted, free of charge, to any person obtaining
\ a copy of this software and associated documentation files (the
\ "Software"), to deal in the Software without restriction, including
\ without limitation the rights to use, copy, modify, merge, publish,
\ distribute, sublicense, and/or sell copies of the Software, and to
\ permit persons to whom the Software is furnished to do so, subject to
\ the following conditions:
\
\ The above copyright notice and this permission notice shall be
\ included in all copies or substantial portions of the Software.
\
\ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
\ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
\ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
\ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
\ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
\ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
\ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
\ SOFTWARE.
preamble {
#include "inner.h"
/*
* Implementation Notes
* --------------------
*
* The C code pushes the data by chunks; all decoding is done in the
* T0 code. The cert_length value is set to the certificate length when
* a new certificate is started; the T0 code picks it up as outer limit,
* and decoding functions use it to ensure that no attempt is made at
* reading past it. The T0 code also checks that once the certificate is
* decoded, there are no trailing bytes.
*
* The T0 code sets cert_length to 0 when the certificate is fully
* decoded.
*
* The C code must still perform two checks:
*
* -- If the certificate length is 0, then the T0 code will not be
* invoked at all. This invalid condition must thus be reported by the
* C code.
*
* -- When reaching the end of certificate, the C code must verify that
* the certificate length has been set to 0, thereby signaling that
* the T0 code properly decoded a certificate.
*
* Processing of a chain works in the following way:
*
* -- The error flag is set to a non-zero value when validation is
* finished. The value is either BR_ERR_X509_OK (validation is
* successful) or another non-zero error code. When a non-zero error
* code is obtained, the remaining bytes in the current certificate and
* the subsequent certificates (if any) are completely ignored.
*
* -- Each certificate is decoded in due course, with the following
* "interesting points":
*
* -- Start of the TBS: the multihash engine is reset and activated.
*
* -- Start of the issuer DN: the secondary hash engine is started,
* to process the encoded issuer DN.
*
* -- End of the issuer DN: the secondary hash engine is stopped. The
* resulting hash value is computed and then copied into the
* next_dn_hash[] buffer.
*
* -- Start of the subject DN: the secondary hash engine is started,
* to process the encoded subject DN.
*
* -- For the EE certificate only: the Common Name, if any, is matched
* against the expected server name.
*
* -- End of the subject DN: the secondary hash engine is stopped. The
* resulting hash value is computed into the pad. It is then processed:
*
* -- If this is the EE certificate, then the hash is ignored
* (except for direct trust processing, see later; the hash is
* simply left in current_dn_hash[]).
*
* -- Otherwise, the hashed subject DN is compared with the saved
* hash value (in saved_dn_hash[]). They must match.
*
* Either way, the next_dn_hash[] value is then copied into the
* saved_dn_hash[] value. Thus, at that point, saved_dn_hash[]
* contains the hash of the issuer DN for the current certificate,
* and current_dn_hash[] contains the hash of the subject DN for the
* current certificate.
*
* -- Public key: it is decoded into the cert_pkey[] buffer. Unknown
* key types are reported at that point.
*
* -- If this is the EE certificate, then the key type is compared
* with the expected key type (initialization parameter). The public
* key data is copied to ee_pkey_data[]. The key and hashed subject
* DN are also compared with the "direct trust" keys; if the key
* and DN are matched, then validation ends with a success.
*
* -- Otherwise, the saved signature (cert_sig[]) is verified
* against the saved TBS hash (tbs_hash[]) and that freshly
* decoded public key. Failure here ends validation with an error.
*
* -- Extensions: extension values are processed in due order.
*
* -- Basic Constraints: for all certificates except EE, must be
- * present, indicate a CA, and have a path legnth compatible with
+ * present, indicate a CA, and have a path length compatible with
* the chain length so far.
*
* -- Key Usage: for the EE, if present, must allow signatures
* or encryption/key exchange, as required for the cipher suite.
* For non-EE, if present, must have the "certificate sign" bit.
*
* -- Subject Alt Name: for the EE, dNSName names are matched
* against the server name. Ignored for non-EE.
*
* -- Authority Key Identifier, Subject Key Identifier, Issuer
* Alt Name, Subject Directory Attributes, CRL Distribution Points
* Freshest CRL, Authority Info Access and Subject Info Access
* extensions are always ignored: they either contain only
* informative data, or they relate to revocation processing, which
* we explicitly do not support.
*
* -- All other extensions are ignored if non-critical. If a
* critical extension other than the ones above is encountered,
* then a failure is reported.
*
* -- End of the TBS: the multihash engine is stopped.
*
* -- Signature algorithm: the signature algorithm on the
* certificate is decoded. A failure is reported if that algorithm
* is unknown. The hashed TBS corresponding to the signature hash
* function is computed and stored in tbs_hash[] (if not supported,
* then a failure is reported). The hash OID and length are stored
* in cert_sig_hash_oid and cert_sig_hash_len.
*
* -- Signature value: the signature value is copied into the
* cert_sig[] array.
*
* -- Certificate end: the hashed issuer DN (saved_dn_hash[]) is
* looked up in the trust store (CA trust anchors only); for all
* that match, the signature (cert_sig[]) is verified against the
* anchor public key (hashed TBS is in tbs_hash[]). If one of these
* signatures is valid, then validation ends with a success.
*
* -- If the chain end is reached without obtaining a validation success,
* then validation is reported as failed.
*/
#if BR_USE_UNIX_TIME
#include <time.h>
#endif
#if BR_USE_WIN32_TIME
#include <windows.h>
#endif
/*
* The T0 compiler will produce these prototypes declarations in the
* header.
*
void br_x509_minimal_init_main(void *ctx);
void br_x509_minimal_run(void *ctx);
*/
/* see bearssl_x509.h */
void
br_x509_minimal_init(br_x509_minimal_context *ctx,
const br_hash_class *dn_hash_impl,
const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num)
{
memset(ctx, 0, sizeof *ctx);
ctx->vtable = &br_x509_minimal_vtable;
ctx->dn_hash_impl = dn_hash_impl;
ctx->trust_anchors = trust_anchors;
ctx->trust_anchors_num = trust_anchors_num;
}
static void
xm_start_chain(const br_x509_class **ctx, const char *server_name)
{
br_x509_minimal_context *cc;
size_t u;
cc = (br_x509_minimal_context *)(void *)ctx;
for (u = 0; u < cc->num_name_elts; u ++) {
cc->name_elts[u].status = 0;
cc->name_elts[u].buf[0] = 0;
}
memset(&cc->pkey, 0, sizeof cc->pkey);
cc->num_certs = 0;
cc->err = 0;
cc->cpu.dp = cc->dp_stack;
cc->cpu.rp = cc->rp_stack;
br_x509_minimal_init_main(&cc->cpu);
if (server_name == NULL || *server_name == 0) {
cc->server_name = NULL;
} else {
cc->server_name = server_name;
}
}
static void
xm_start_cert(const br_x509_class **ctx, uint32_t length)
{
br_x509_minimal_context *cc;
cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err != 0) {
return;
}
if (length == 0) {
cc->err = BR_ERR_X509_TRUNCATED;
return;
}
cc->cert_length = length;
}
static void
xm_append(const br_x509_class **ctx, const unsigned char *buf, size_t len)
{
br_x509_minimal_context *cc;
cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err != 0) {
return;
}
cc->hbuf = buf;
cc->hlen = len;
br_x509_minimal_run(&cc->cpu);
}
static void
xm_end_cert(const br_x509_class **ctx)
{
br_x509_minimal_context *cc;
cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err == 0 && cc->cert_length != 0) {
cc->err = BR_ERR_X509_TRUNCATED;
}
cc->num_certs ++;
}
static unsigned
xm_end_chain(const br_x509_class **ctx)
{
br_x509_minimal_context *cc;
cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err == 0) {
if (cc->num_certs == 0) {
cc->err = BR_ERR_X509_EMPTY_CHAIN;
} else {
cc->err = BR_ERR_X509_NOT_TRUSTED;
}
} else if (cc->err == BR_ERR_X509_OK) {
return 0;
}
return (unsigned)cc->err;
}
static const br_x509_pkey *
xm_get_pkey(const br_x509_class *const *ctx, unsigned *usages)
{
br_x509_minimal_context *cc;
cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err == BR_ERR_X509_OK
|| cc->err == BR_ERR_X509_NOT_TRUSTED)
{
if (usages != NULL) {
*usages = cc->key_usages;
}
return &((br_x509_minimal_context *)(void *)ctx)->pkey;
} else {
return NULL;
}
}
/* see bearssl_x509.h */
const br_x509_class br_x509_minimal_vtable = {
sizeof(br_x509_minimal_context),
xm_start_chain,
xm_start_cert,
xm_append,
xm_end_cert,
xm_end_chain,
xm_get_pkey
};
#define CTX ((br_x509_minimal_context *)(void *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu)))
#define CONTEXT_NAME br_x509_minimal_context
#define DNHASH_LEN ((CTX->dn_hash_impl->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK)
/*
* Hash a DN (from a trust anchor) into the provided buffer. This uses the
* DN hash implementation and context structure from the X.509 engine
* context.
*/
static void
hash_dn(br_x509_minimal_context *ctx, const void *dn, size_t len,
unsigned char *out)
{
ctx->dn_hash_impl->init(&ctx->dn_hash.vtable);
ctx->dn_hash_impl->update(&ctx->dn_hash.vtable, dn, len);
ctx->dn_hash_impl->out(&ctx->dn_hash.vtable, out);
}
/*
* Compare two big integers for equality. The integers use unsigned big-endian
* encoding; extra leading bytes (of value 0) are allowed.
*/
static int
eqbigint(const unsigned char *b1, size_t len1,
const unsigned char *b2, size_t len2)
{
while (len1 > 0 && *b1 == 0) {
b1 ++;
len1 --;
}
while (len2 > 0 && *b2 == 0) {
b2 ++;
len2 --;
}
if (len1 != len2) {
return 0;
}
return memcmp(b1, b2, len1) == 0;
}
/*
* Compare two strings for equality, in a case-insensitive way. This
* function handles casing only for ASCII letters.
*/
static int
eqnocase(const void *s1, const void *s2, size_t len)
{
const unsigned char *buf1, *buf2;
buf1 = s1;
buf2 = s2;
while (len -- > 0) {
int x1, x2;
x1 = *buf1 ++;
x2 = *buf2 ++;
if (x1 >= 'A' && x1 <= 'Z') {
x1 += 'a' - 'A';
}
if (x2 >= 'A' && x2 <= 'Z') {
x2 += 'a' - 'A';
}
if (x1 != x2) {
return 0;
}
}
return 1;
}
static int verify_signature(br_x509_minimal_context *ctx,
const br_x509_pkey *pk);
}
postamble {
/*
* Verify the signature on the certificate with the provided public key.
* This function checks the public key type with regards to the expected
* type. Returned value is either 0 on success, or a non-zero error code.
*/
static int
verify_signature(br_x509_minimal_context *ctx, const br_x509_pkey *pk)
{
int kt;
kt = ctx->cert_signer_key_type;
if ((pk->key_type & 0x0F) != kt) {
return BR_ERR_X509_WRONG_KEY_TYPE;
}
switch (kt) {
unsigned char tmp[64];
case BR_KEYTYPE_RSA:
if (ctx->irsa == 0) {
return BR_ERR_X509_UNSUPPORTED;
}
if (!ctx->irsa(ctx->cert_sig, ctx->cert_sig_len,
&t0_datablock[ctx->cert_sig_hash_oid],
ctx->cert_sig_hash_len, &pk->key.rsa, tmp))
{
return BR_ERR_X509_BAD_SIGNATURE;
}
if (memcmp(ctx->tbs_hash, tmp, ctx->cert_sig_hash_len) != 0) {
return BR_ERR_X509_BAD_SIGNATURE;
}
return 0;
case BR_KEYTYPE_EC:
if (ctx->iecdsa == 0) {
return BR_ERR_X509_UNSUPPORTED;
}
if (!ctx->iecdsa(ctx->iec, ctx->tbs_hash,
ctx->cert_sig_hash_len, &pk->key.ec,
ctx->cert_sig, ctx->cert_sig_len))
{
return BR_ERR_X509_BAD_SIGNATURE;
}
return 0;
default:
return BR_ERR_X509_UNSUPPORTED;
}
}
}
cc: read8-low ( -- x ) {
if (CTX->hlen == 0) {
T0_PUSHi(-1);
} else {
unsigned char x = *CTX->hbuf ++;
if (CTX->do_mhash) {
br_multihash_update(&CTX->mhash, &x, 1);
}
if (CTX->do_dn_hash) {
CTX->dn_hash_impl->update(&CTX->dn_hash.vtable, &x, 1);
}
CTX->hlen --;
T0_PUSH(x);
}
}
addr: cert_length
addr: num_certs
cc: read-blob-inner ( addr len -- addr len ) {
uint32_t len = T0_POP();
uint32_t addr = T0_POP();
size_t clen = CTX->hlen;
if (clen > len) {
clen = (size_t)len;
}
if (addr != 0) {
memcpy((unsigned char *)CTX + addr, CTX->hbuf, clen);
}
if (CTX->do_mhash) {
br_multihash_update(&CTX->mhash, CTX->hbuf, clen);
}
if (CTX->do_dn_hash) {
CTX->dn_hash_impl->update(
&CTX->dn_hash.vtable, CTX->hbuf, clen);
}
CTX->hbuf += clen;
CTX->hlen -= clen;
T0_PUSH(addr + clen);
T0_PUSH(len - clen);
}
\ Compute the TBS hash, using the provided hash ID. The hash value is
\ written in the tbs_hash[] array, and the hash length is returned. If
\ the requested hash function is not supported, then 0 is returned.
cc: compute-tbs-hash ( id -- hashlen ) {
int id = T0_POPi();
size_t len;
len = br_multihash_out(&CTX->mhash, id, CTX->tbs_hash);
T0_PUSH(len);
}
\ Push true (-1) if no server name is expected in the EE certificate.
cc: zero-server-name ( -- bool ) {
T0_PUSHi(-(CTX->server_name == NULL));
}
addr: key_usages
addr: cert_sig
addr: cert_sig_len
addr: cert_signer_key_type
addr: cert_sig_hash_oid
addr: cert_sig_hash_len
addr: tbs_hash
addr: min_rsa_size
\ Start TBS hash computation. The hash functions are reinitialised.
cc: start-tbs-hash ( -- ) {
br_multihash_init(&CTX->mhash);
CTX->do_mhash = 1;
}
\ Stop TBS hash computation.
cc: stop-tbs-hash ( -- ) {
CTX->do_mhash = 0;
}
\ Start DN hash computation.
cc: start-dn-hash ( -- ) {
CTX->dn_hash_impl->init(&CTX->dn_hash.vtable);
CTX->do_dn_hash = 1;
}
\ Terminate DN hash computation and write the DN hash into the
\ current_dn_hash buffer.
cc: compute-dn-hash ( -- ) {
CTX->dn_hash_impl->out(&CTX->dn_hash.vtable, CTX->current_dn_hash);
CTX->do_dn_hash = 0;
}
\ Get the length of hash values obtained with the DN hasher.
cc: dn-hash-length ( -- len ) {
T0_PUSH(DNHASH_LEN);
}
\ Copy data between two areas in the context.
cc: blobcopy ( addr-dst addr-src len -- ) {
size_t len = T0_POP();
unsigned char *src = (unsigned char *)CTX + T0_POP();
unsigned char *dst = (unsigned char *)CTX + T0_POP();
memcpy(dst, src, len);
}
addr: current_dn_hash
addr: next_dn_hash
addr: saved_dn_hash
\ Read a DN, hashing it into current_dn_hash. The DN contents are not
\ inspected (only the outer tag, for SEQUENCE, is checked).
: read-DN ( lim -- lim )
start-dn-hash
read-sequence-open skip-close-elt
compute-dn-hash ;
cc: offset-name-element ( san -- n ) {
unsigned san = T0_POP();
size_t u;
for (u = 0; u < CTX->num_name_elts; u ++) {
if (CTX->name_elts[u].status == 0) {
const unsigned char *oid;
size_t len, off;
oid = CTX->name_elts[u].oid;
if (san) {
if (oid[0] != 0 || oid[1] != 0) {
continue;
}
off = 2;
} else {
off = 0;
}
len = oid[off];
if (len != 0 && len == CTX->pad[0]
&& memcmp(oid + off + 1,
CTX->pad + 1, len) == 0)
{
T0_PUSH(u);
T0_RET();
}
}
}
T0_PUSHi(-1);
}
cc: copy-name-element ( bool offbuf -- ) {
size_t len;
int32_t off = T0_POPi();
int ok = T0_POPi();
if (off >= 0) {
br_name_element *ne = &CTX->name_elts[off];
if (ok) {
len = CTX->pad[0];
if (len < ne->len) {
memcpy(ne->buf, CTX->pad + 1, len);
ne->buf[len] = 0;
ne->status = 1;
} else {
ne->status = -1;
}
} else {
ne->status = -1;
}
}
}
cc: copy-name-SAN ( bool tag -- ) {
unsigned tag = T0_POP();
unsigned ok = T0_POP();
size_t u, len;
len = CTX->pad[0];
for (u = 0; u < CTX->num_name_elts; u ++) {
br_name_element *ne;
ne = &CTX->name_elts[u];
if (ne->status == 0 && ne->oid[0] == 0 && ne->oid[1] == tag) {
if (ok && ne->len > len) {
memcpy(ne->buf, CTX->pad + 1, len);
ne->buf[len] = 0;
ne->status = 1;
} else {
ne->status = -1;
}
break;
}
}
}
\ Read a value, decoding string types. If the string type is recognised
\ and the value could be converted to UTF-8 into the pad, then true (-1)
\ is returned; in all other cases, false (0) is returned. Either way, the
\ object is consumed.
: read-string ( lim -- lim bool )
read-tag case
\ UTF8String
12 of check-primitive read-value-UTF8 endof
\ NumericString
18 of check-primitive read-value-latin1 endof
\ PrintableString
19 of check-primitive read-value-latin1 endof
\ TeletexString
20 of check-primitive read-value-latin1 endof
\ IA5String
22 of check-primitive read-value-latin1 endof
\ BMPString
30 of check-primitive read-value-UTF16 endof
2drop read-length-skip 0 0
endcase ;
\ Read a DN for the EE. The normalized DN hash is computed and stored in the
\ current_dn_hash.
\ Name elements are gathered. Also, the Common Name is matched against the
\ intended server name.
\ Returned value is true (-1) if the CN matches the intended server name,
\ false (0) otherwise.
: read-DN-EE ( lim -- lim bool )
\ Flag will be set to true if there is a CN and it matches the
\ intended server name.
0 { eename-matches }
\ Activate DN hashing.
start-dn-hash
\ Parse the DN structure: it is a SEQUENCE of SET of
\ AttributeTypeAndValue. Each AttributeTypeAndValue is a
\ SEQUENCE { OBJECT IDENTIFIER, ANY }.
read-sequence-open
begin
dup while
read-tag 0x11 check-tag-constructed read-length-open-elt
dup ifnot ERR_X509_BAD_DN fail then
begin
dup while
read-sequence-open
\ Read the OID. If the OID could not be read (too
\ long) then the first pad byte will be 0.
read-OID drop
\ If it is the Common Name then we'll need to
\ match it against the intended server name (if
\ applicable).
id-at-commonName eqOID { isCN }
\ Get offset for reception buffer for that element
\ (or -1).
0 offset-name-element { offbuf }
\ Try to read the value as a string.
read-string
\ If the value could be decoded as a string,
\ copy it and/or match it, as appropriate.
dup isCN and if
match-server-name if
-1 >eename-matches
then
then
offbuf copy-name-element
\ Close the SEQUENCE
close-elt
repeat
close-elt
repeat
close-elt
\ Compute DN hash and deactivate DN hashing.
compute-dn-hash
\ Return the CN match flag.
eename-matches ;
-\ Get the validation date and time from the context or system.
-cc: get-system-date ( -- days seconds ) {
- if (CTX->days == 0 && CTX->seconds == 0) {
+\ Check the provided validity range against the current (or configured)
+\ date and time ("na" = notAfter, "nb = notBefore). Returned value:
+\ -1 current date/time is before the notBefore date
+\ 0 current date/time is within the allowed range
+\ +1 current date/time is after the notAfter range
+\ If the current date/time is not available, then this function triggers a
+\ failure and does not return.
+cc: check-validity-range ( na-days na-seconds nb-days nb-seconds -- int ) {
+ uint32_t nbs = T0_POP();
+ uint32_t nbd = T0_POP();
+ uint32_t nas = T0_POP();
+ uint32_t nad = T0_POP();
+ int r;
+ if (CTX->itime != 0) {
+ r = CTX->itime(CTX->itime_ctx, nbd, nbs, nad, nas);
+ if (r < -1 || r > 1) {
+ CTX->err = BR_ERR_X509_TIME_UNKNOWN;
+ T0_CO();
+ }
+ } else {
+ uint32_t vd = CTX->days;
+ uint32_t vs = CTX->seconds;
+ if (vd == 0 && vs == 0) {
#if BR_USE_UNIX_TIME
- time_t x = time(NULL);
+ time_t x = time(NULL);
- T0_PUSH((uint32_t)(x / 86400) + 719528);
- T0_PUSH((uint32_t)(x % 86400));
+ vd = (uint32_t)(x / 86400) + 719528;
+ vs = (uint32_t)(x % 86400);
#elif BR_USE_WIN32_TIME
- FILETIME ft;
- uint64_t x;
-
- GetSystemTimeAsFileTime(&ft);
- x = ((uint64_t)ft.dwHighDateTime << 32)
- + (uint64_t)ft.dwLowDateTime;
- x = (x / 10000000);
- T0_PUSH((uint32_t)(x / 86400) + 584754);
- T0_PUSH((uint32_t)(x % 86400));
+ FILETIME ft;
+ uint64_t x;
+
+ GetSystemTimeAsFileTime(&ft);
+ x = ((uint64_t)ft.dwHighDateTime << 32)
+ + (uint64_t)ft.dwLowDateTime;
+ x = (x / 10000000);
+ vd = (uint32_t)(x / 86400) + 584754;
+ vs = (uint32_t)(x % 86400);
#else
- CTX->err = BR_ERR_X509_TIME_UNKNOWN;
- T0_CO();
+ CTX->err = BR_ERR_X509_TIME_UNKNOWN;
+ T0_CO();
#endif
- } else {
- T0_PUSH(CTX->days);
- T0_PUSH(CTX->seconds);
+ }
+ if (vd < nbd || (vd == nbd && vs < nbs)) {
+ r = -1;
+ } else if (vd > nad || (vd == nad && vs > nas)) {
+ r = 1;
+ } else {
+ r = 0;
+ }
}
+ T0_PUSHi(r);
}
-\ Compare two dates (days+seconds) together.
-: before ( days1 seconds1 days2 seconds2 -- bool )
- { d1 s1 d2 s2 }
- d1 d2 = if s1 s2 < else d1 d2 < then ;
-
-: after ( days1 seconds1 days2 seconds2 -- bool )
- swap2 before ;
-
\ Swap the top two elements with the two elements immediately below.
: swap2 ( a b c d -- c d a b )
3 roll 3 roll ;
\ Match the name in the pad with the expected server name. Returned value
\ is true (-1) on match, false (0) otherwise. If there is no expected
\ server name, then 0 is returned.
\ Match conditions: either an exact match (case insensitive), or a
\ wildcard match, if the found name starts with "*.". We only match a
\ starting wildcard, and only against a complete DN name component.
cc: match-server-name ( -- bool ) {
size_t n1, n2;
if (CTX->server_name == NULL) {
T0_PUSH(0);
T0_RET();
}
n1 = strlen(CTX->server_name);
n2 = CTX->pad[0];
if (n1 == n2 && eqnocase(&CTX->pad[1], CTX->server_name, n1)) {
T0_PUSHi(-1);
T0_RET();
}
if (n2 >= 2 && CTX->pad[1] == '*' && CTX->pad[2] == '.') {
size_t u;
u = 0;
while (u < n1 && CTX->server_name[u] != '.') {
u ++;
}
u ++;
n1 -= u;
if ((n2 - 2) == n1
&& eqnocase(&CTX->pad[3], CTX->server_name + u, n1))
{
T0_PUSHi(-1);
T0_RET();
}
}
T0_PUSH(0);
}
\ Get the address and length for the pkey_data buffer.
: addr-len-pkey_data ( -- addr len )
CX 0 8191 { offsetof(br_x509_minimal_context, pkey_data) }
CX 0 8191 { BR_X509_BUFSIZE_KEY } ;
\ Copy the EE public key to the permanent buffer (RSA).
cc: copy-ee-rsa-pkey ( nlen elen -- ) {
size_t elen = T0_POP();
size_t nlen = T0_POP();
memcpy(CTX->ee_pkey_data, CTX->pkey_data, nlen + elen);
CTX->pkey.key_type = BR_KEYTYPE_RSA;
CTX->pkey.key.rsa.n = CTX->ee_pkey_data;
CTX->pkey.key.rsa.nlen = nlen;
CTX->pkey.key.rsa.e = CTX->ee_pkey_data + nlen;
CTX->pkey.key.rsa.elen = elen;
}
\ Copy the EE public key to the permanent buffer (EC).
cc: copy-ee-ec-pkey ( curve qlen -- ) {
size_t qlen = T0_POP();
uint32_t curve = T0_POP();
memcpy(CTX->ee_pkey_data, CTX->pkey_data, qlen);
CTX->pkey.key_type = BR_KEYTYPE_EC;
CTX->pkey.key.ec.curve = curve;
CTX->pkey.key.ec.q = CTX->ee_pkey_data;
CTX->pkey.key.ec.qlen = qlen;
}
\ Check whether the current certificate (EE) is directly trusted.
cc: check-direct-trust ( -- ) {
size_t u;
for (u = 0; u < CTX->trust_anchors_num; u ++) {
const br_x509_trust_anchor *ta;
unsigned char hashed_DN[64];
int kt;
ta = &CTX->trust_anchors[u];
if (ta->flags & BR_X509_TA_CA) {
continue;
}
hash_dn(CTX, ta->dn.data, ta->dn.len, hashed_DN);
if (memcmp(hashed_DN, CTX->current_dn_hash, DNHASH_LEN)) {
continue;
}
kt = CTX->pkey.key_type;
if ((ta->pkey.key_type & 0x0F) != kt) {
continue;
}
switch (kt) {
case BR_KEYTYPE_RSA:
if (!eqbigint(CTX->pkey.key.rsa.n,
CTX->pkey.key.rsa.nlen,
ta->pkey.key.rsa.n,
ta->pkey.key.rsa.nlen)
|| !eqbigint(CTX->pkey.key.rsa.e,
CTX->pkey.key.rsa.elen,
ta->pkey.key.rsa.e,
ta->pkey.key.rsa.elen))
{
continue;
}
break;
case BR_KEYTYPE_EC:
if (CTX->pkey.key.ec.curve != ta->pkey.key.ec.curve
|| CTX->pkey.key.ec.qlen != ta->pkey.key.ec.qlen
|| memcmp(CTX->pkey.key.ec.q,
ta->pkey.key.ec.q,
ta->pkey.key.ec.qlen) != 0)
{
continue;
}
break;
default:
continue;
}
/*
* Direct trust match!
*/
CTX->err = BR_ERR_X509_OK;
T0_CO();
}
}
\ Check the signature on the certificate with regards to all trusted CA.
\ We use the issuer hash (in saved_dn_hash[]) as CA identifier.
cc: check-trust-anchor-CA ( -- ) {
size_t u;
for (u = 0; u < CTX->trust_anchors_num; u ++) {
const br_x509_trust_anchor *ta;
unsigned char hashed_DN[64];
ta = &CTX->trust_anchors[u];
if (!(ta->flags & BR_X509_TA_CA)) {
continue;
}
hash_dn(CTX, ta->dn.data, ta->dn.len, hashed_DN);
if (memcmp(hashed_DN, CTX->saved_dn_hash, DNHASH_LEN)) {
continue;
}
if (verify_signature(CTX, &ta->pkey) == 0) {
CTX->err = BR_ERR_X509_OK;
T0_CO();
}
}
}
\ Verify RSA signature. This uses the public key that was just decoded
\ into CTX->pkey_data; the modulus and exponent length are provided as
\ parameters. The resulting hash value is compared with the one in
\ tbs_hash. Returned value is 0 on success, or a non-zero error code.
cc: do-rsa-vrfy ( nlen elen -- err ) {
size_t elen = T0_POP();
size_t nlen = T0_POP();
br_x509_pkey pk;
pk.key_type = BR_KEYTYPE_RSA;
pk.key.rsa.n = CTX->pkey_data;
pk.key.rsa.nlen = nlen;
pk.key.rsa.e = CTX->pkey_data + nlen;
pk.key.rsa.elen = elen;
T0_PUSH(verify_signature(CTX, &pk));
}
\ Verify ECDSA signature. This uses the public key that was just decoded
\ into CTX->pkey_dayta; the curve ID and public point length are provided
\ as parameters. The hash value in tbs_hash is used. Returned value is 0
\ on success, or non-zero error code.
cc: do-ecdsa-vrfy ( curve qlen -- err ) {
size_t qlen = T0_POP();
int curve = T0_POP();
br_x509_pkey pk;
pk.key_type = BR_KEYTYPE_EC;
pk.key.ec.curve = curve;
pk.key.ec.q = CTX->pkey_data;
pk.key.ec.qlen = qlen;
T0_PUSH(verify_signature(CTX, &pk));
}
cc: print-bytes ( addr len -- ) {
extern int printf(const char *fmt, ...);
size_t len = T0_POP();
unsigned char *buf = (unsigned char *)CTX + T0_POP();
size_t u;
for (u = 0; u < len; u ++) {
printf("%02X", buf[u]);
}
}
cc: printOID ( -- ) {
extern int printf(const char *fmt, ...);
size_t u, len;
len = CTX->pad[0];
if (len == 0) {
printf("*");
T0_RET();
}
printf("%u.%u", CTX->pad[1] / 40, CTX->pad[1] % 40);
u = 2;
while (u <= len) {
unsigned long ul;
ul = 0;
for (;;) {
int x;
if (u > len) {
printf("BAD");
T0_RET();
}
x = CTX->pad[u ++];
ul = (ul << 7) + (x & 0x7F);
if (!(x & 0x80)) {
break;
}
}
printf(".%lu", ul);
}
}
\ Extensions with specific processing.
OID: basicConstraints 2.5.29.19
OID: keyUsage 2.5.29.15
OID: subjectAltName 2.5.29.17
OID: certificatePolicies 2.5.29.32
\ Policy qualifier "pointer to CPS"
OID: id-qt-cps 1.3.6.1.5.5.7.2.1
\ Extensions which are ignored when encountered, even if critical.
OID: authorityKeyIdentifier 2.5.29.35
OID: subjectKeyIdentifier 2.5.29.14
OID: issuerAltName 2.5.29.18
OID: subjectDirectoryAttributes 2.5.29.9
OID: crlDistributionPoints 2.5.29.31
OID: freshestCRL 2.5.29.46
OID: authorityInfoAccess 1.3.6.1.5.5.7.1.1
OID: subjectInfoAccess 1.3.6.1.5.5.7.1.11
\ Process a Basic Constraints extension. This should be called only if
\ the certificate is not the EE. We check that the extension contains
\ the "CA" flag, and that the path length, if specified, is compatible
\ with the current chain length.
: process-basicConstraints ( lim -- lim )
read-sequence-open
read-tag-or-end
dup 0x01 = if
read-boolean ifnot ERR_X509_NOT_CA fail then
read-tag-or-end
else
ERR_X509_NOT_CA fail
then
dup 0x02 = if
drop check-primitive read-small-int-value
addr-num_certs get32 1- < if ERR_X509_NOT_CA fail then
read-tag-or-end
then
-1 <> if ERR_X509_UNEXPECTED fail then
drop
close-elt
;
\ Process a Key Usage extension.
\ For the EE certificate:
\ -- if the key usage contains keyEncipherment (2), dataEncipherment (3)
\ or keyAgreement (4), then the "key exchange" usage is allowed;
\ -- if the key usage contains digitalSignature (0) or nonRepudiation (1),
\ then the "signature" usage is allowed.
\ For CA certificates, the extension must contain keyCertSign (5).
: process-keyUsage ( lim ee -- lim )
{ ee }
\ Read tag for the BIT STRING and open it.
read-tag 0x03 check-tag-primitive
read-length-open-elt
\ First byte indicates number of ignored bits in the last byte. It
\ must be between 0 and 7.
read8 { ign }
ign 7 > if ERR_X509_UNEXPECTED fail then
\ Depending on length, we have either 0, 1 or more bytes to read.
dup case
0 of ERR_X509_FORBIDDEN_KEY_USAGE fail endof
1 of read8 ign >> ign << endof
drop read8 0
endcase
\ Check bits.
ee if
\ EE: get usages.
0
over 0x38 and if 0x10 or then
swap 0xC0 and if 0x20 or then
addr-key_usages set8
else
\ Not EE: keyCertSign must be set.
0x04 and ifnot ERR_X509_FORBIDDEN_KEY_USAGE fail then
then
\ We don't care about subsequent bytes.
skip-close-elt ;
\ Process a Certificate Policies extension.
\
\ Since we don't actually support full policies processing, this function
\ only checks that the extension contents can be safely ignored. Indeed,
\ we don't validate against a specific set of policies (in RFC 5280
\ terminology, user-initial-policy-set only contains the special value
\ any-policy). Moreover, we don't support policy constraints (if a
\ critical Policy Constraints extension is encountered, the validation
\ will fail). Therefore, we can safely ignore the contents of this
\ extension, except if it is critical AND one of the policy OID has a
\ qualifier which is distinct from id-qt-cps (because id-qt-cps is
\ specially designated by RFC 5280 has having no mandated action).
\
\ This function is called only if the extension is critical.
: process-certPolicies ( lim -- lim )
\ Extension value is a SEQUENCE OF PolicyInformation.
read-sequence-open
begin dup while
\ PolicyInformation ::= SEQUENCE {
\ policyIdentifier OBJECT IDENTIFIER,
\ policyQualifiers SEQUENCE OF PolicyQualifierInfo OPTIONAL
\ }
read-sequence-open
read-OID drop
dup if
read-sequence-open
begin dup while
\ PolicyQualifierInfo ::= SEQUENCE {
\ policyQualifierId OBJECT IDENTIFIER,
\ qualifier ANY
\ }
read-sequence-open
read-OID drop id-qt-cps eqOID ifnot
ERR_X509_CRITICAL_EXTENSION fail
then
skip-close-elt
repeat
close-elt
then
close-elt
repeat
close-elt ;
\ Process a Subject Alt Name extension. Returned value is a boolean set
\ to true if the expected server name was matched against a dNSName in
\ the extension.
: process-SAN ( lim -- lim bool )
0 { m }
read-sequence-open
begin dup while
\ Read the tag. If the tag is context-0, then parse an
\ 'otherName'. If the tag is context-2, then parse a
\ dNSName. If the tag is context-1 or context-6,
\ parse
read-tag case
\ OtherName
0x20 of
\ OtherName ::= SEQUENCE {
\ type-id OBJECT IDENTIFIER,
\ value [0] EXPLICIT ANY
\ }
check-constructed read-length-open-elt
read-OID drop
-1 offset-name-element { offbuf }
read-tag 0x20 check-tag-constructed
read-length-open-elt
read-string offbuf copy-name-element
close-elt
close-elt
endof
\ rfc822Name (IA5String)
0x21 of
check-primitive
read-value-UTF8 1 copy-name-SAN
endof
\ dNSName (IA5String)
0x22 of
check-primitive
read-value-UTF8
dup if match-server-name m or >m then
2 copy-name-SAN
endof
\ uniformResourceIdentifier (IA5String)
0x26 of
check-primitive
read-value-UTF8 6 copy-name-SAN
endof
2drop read-length-skip 0
endcase
\ We check only names of type dNSName; they use IA5String,
\ which is basically ASCII.
\ read-tag 0x22 = if
\ check-primitive
\ read-small-value drop
\ match-server-name m or >m
\ else
\ drop read-length-skip
\ then
repeat
close-elt
m ;
\ Decode a certificate. The "ee" boolean must be true for the EE.
: decode-certificate ( ee -- )
{ ee }
\ Obtain the total certificate length.
addr-cert_length get32
\ Open the outer SEQUENCE.
read-sequence-open
\ TBS
\ Activate hashing.
start-tbs-hash
read-sequence-open
\ First element may be an explicit version. We accept only
\ versions 0 to 2 (certificates v1 to v3).
read-tag dup 0x20 = if
drop check-constructed read-length-open-elt
read-tag
0x02 check-tag-primitive
read-small-int-value
2 > if ERR_X509_UNSUPPORTED fail then
close-elt
read-tag
then
\ Serial number. We just check that the tag is correct.
0x02 check-tag-primitive
read-length-skip
\ Signature algorithm. This structure is redundant with the one
\ on the outside; we just skip it.
read-sequence-open skip-close-elt
\ Issuer name: hashed, then copied into next_dn_hash[].
read-DN
addr-next_dn_hash addr-current_dn_hash dn-hash-length blobcopy
\ Validity dates.
read-sequence-open
- read-date get-system-date after if ERR_X509_EXPIRED fail then
- read-date get-system-date before if ERR_X509_EXPIRED fail then
+ read-date { nbd nbs } read-date nbd nbs check-validity-range
+ if ERR_X509_EXPIRED fail then
close-elt
\ Subject name.
ee if
\ For the EE, we must check whether the Common Name, if
\ any, matches the expected server name.
read-DN-EE { eename }
else
\ For a non-EE certificate, the hashed subject DN must match
\ the saved hashed issuer DN from the previous certificate.
read-DN
addr-current_dn_hash addr-saved_dn_hash dn-hash-length eqblob
ifnot ERR_X509_DN_MISMATCH fail then
then
\ Move the hashed issuer DN for this certificate into the
\ saved_dn_hash[] array.
addr-saved_dn_hash addr-next_dn_hash dn-hash-length blobcopy
\ Public Key.
read-sequence-open
\ Algorithm Identifier. Right now we are only interested in the
\ OID, since we only support RSA keys.
read-sequence-open
read-OID ifnot ERR_X509_UNSUPPORTED fail then
{ ; pkey-type }
choice
\ RSA public key.
rsaEncryption eqOID uf
skip-close-elt
\ Public key itself: the BIT STRING contains bytes
\ (no partial byte) and these bytes encode the
\ actual value.
read-bits-open
\ RSA public key is a SEQUENCE of two
\ INTEGER. We get both INTEGER values into
\ the pkey_data[] buffer, if they fit.
read-sequence-open
addr-len-pkey_data
read-integer { nlen }
addr-len-pkey_data swap nlen + swap nlen -
read-integer { elen }
close-elt
\ Check that the public key fits our minimal
\ size requirements. Note that the integer
\ decoder already skipped the leading bytes
\ of value 0, so we are working on the true
\ modulus length here.
addr-min_rsa_size get16 128 + nlen > if
ERR_X509_WEAK_PUBLIC_KEY fail
then
close-elt
KEYTYPE_RSA >pkey-type
enduf
\ EC public key.
id-ecPublicKey eqOID uf
\ We support only named curves, for which the
\ "parameters" field in the AlgorithmIdentifier
\ field should be an OID.
read-OID ifnot ERR_X509_UNSUPPORTED fail then
choice
ansix9p256r1 eqOID uf 23 enduf
ansix9p384r1 eqOID uf 24 enduf
ansix9p521r1 eqOID uf 25 enduf
ERR_X509_UNSUPPORTED fail
endchoice
{ curve }
close-elt
read-bits-open
dup { qlen }
dup addr-len-pkey_data rot < if
ERR_X509_LIMIT_EXCEEDED fail
then
read-blob
KEYTYPE_EC >pkey-type
enduf
\ Not a recognised public key type.
ERR_X509_UNSUPPORTED fail
endchoice
close-elt
\ Process public key.
ee if
\ For the EE certificate, copy the key data to the
\ relevant buffer.
pkey-type case
KEYTYPE_RSA of nlen elen copy-ee-rsa-pkey endof
KEYTYPE_EC of curve qlen copy-ee-ec-pkey endof
ERR_X509_UNSUPPORTED fail
endcase
else
\ Verify signature on previous certificate. We invoke
\ the RSA implementation.
pkey-type case
KEYTYPE_RSA of nlen elen do-rsa-vrfy endof
KEYTYPE_EC of curve qlen do-ecdsa-vrfy endof
ERR_X509_UNSUPPORTED fail
endcase
dup if fail then
drop
then
\ This flag will be set to true if the Basic Constraints extension
\ is encountered.
0 { seenBC }
\ Skip issuerUniqueID and subjectUniqueID, and process extensions
\ if present. Extensions are an explicit context tag of value 3
\ around a SEQUENCE OF extensions. Each extension is a SEQUENCE
\ with an OID, an optional boolean, and a value; the value is
\ an OCTET STRING.
read-tag-or-end
0x21 iftag-skip
0x22 iftag-skip
dup 0x23 = if
drop
check-constructed read-length-open-elt
read-sequence-open
begin dup while
0 { critical }
read-sequence-open
read-OID drop
read-tag dup 0x01 = if
read-boolean >critical
read-tag
then
0x04 check-tag-primitive read-length-open-elt
choice
\ Extensions with specific processing.
basicConstraints eqOID uf
ee if
skip-remaining
else
process-basicConstraints
-1 >seenBC
then
enduf
keyUsage eqOID uf
ee process-keyUsage
enduf
subjectAltName eqOID uf
ee if
0 >eename
process-SAN >eename
else
skip-remaining
then
enduf
\ We don't implement full processing of
\ policies. The call below mostly checks
\ that the contents of the Certificate
\ Policies extension can be safely ignored.
certificatePolicies eqOID uf
critical if
process-certPolicies
else
skip-remaining
then
enduf
\ Extensions which are always ignored,
\ even if critical.
authorityKeyIdentifier eqOID uf
skip-remaining
enduf
subjectKeyIdentifier eqOID uf
skip-remaining
enduf
issuerAltName eqOID uf
skip-remaining
enduf
subjectDirectoryAttributes eqOID uf
skip-remaining
enduf
crlDistributionPoints eqOID uf
skip-remaining
enduf
freshestCRL eqOID uf
skip-remaining
enduf
authorityInfoAccess eqOID uf
skip-remaining
enduf
subjectInfoAccess eqOID uf
skip-remaining
enduf
\ Unrecognized extensions trigger a failure
\ if critical; otherwise, they are just
\ ignored.
critical if
ERR_X509_CRITICAL_EXTENSION fail
then
skip-remaining
endchoice
close-elt
close-elt
repeat
close-elt
close-elt
else
-1 = ifnot ERR_X509_UNEXPECTED fail then
drop
then
close-elt
\ Terminate hashing.
stop-tbs-hash
\ For the EE certificate, verify that the intended server name
\ was matched.
ee if
eename zero-server-name or ifnot
ERR_X509_BAD_SERVER_NAME fail
then
then
\ If this is the EE certificate, then direct trust may apply.
\ Note: we do this at this point, not immediately after decoding
\ the public key, because even in case of direct trust we still
\ want to check the server name with regards to the SAN extension.
\ However, we want to check direct trust before trying to decode
\ the signature algorithm, because it should work even if that
\ algorithm is not supported.
ee if check-direct-trust then
\ Non-EE certificates MUST have a Basic Constraints extension
\ (that marks them as being CA).
ee seenBC or ifnot ERR_X509_NOT_CA fail then
\ signature algorithm
read-tag check-sequence read-length-open-elt
\ Read and understand the OID. Right now, we support only
\ RSA with PKCS#1 v1.5 padding, and hash functions SHA-1,
\ SHA-224, SHA-256, SHA-384 and SHA-512. We purposely do NOT
\ support MD5 here.
\ TODO: add support for RSA/PSS
read-OID if
\ Based on the signature OID, we get:
\ -- the signing key type
\ -- the hash function numeric identifier
\ -- the hash function OID
choice
sha1WithRSAEncryption eqOID
uf 2 KEYTYPE_RSA id-sha1 enduf
sha224WithRSAEncryption eqOID
uf 3 KEYTYPE_RSA id-sha224 enduf
sha256WithRSAEncryption eqOID
uf 4 KEYTYPE_RSA id-sha256 enduf
sha384WithRSAEncryption eqOID
uf 5 KEYTYPE_RSA id-sha384 enduf
sha512WithRSAEncryption eqOID
uf 6 KEYTYPE_RSA id-sha512 enduf
ecdsa-with-SHA1 eqOID
uf 2 KEYTYPE_EC id-sha1 enduf
ecdsa-with-SHA224 eqOID
uf 3 KEYTYPE_EC id-sha224 enduf
ecdsa-with-SHA256 eqOID
uf 4 KEYTYPE_EC id-sha256 enduf
ecdsa-with-SHA384 eqOID
uf 5 KEYTYPE_EC id-sha384 enduf
ecdsa-with-SHA512 eqOID
uf 6 KEYTYPE_EC id-sha512 enduf
ERR_X509_UNSUPPORTED fail
endchoice
addr-cert_sig_hash_oid set16
addr-cert_signer_key_type set8
\ Compute the TBS hash into tbs_hash.
compute-tbs-hash
dup ifnot ERR_X509_UNSUPPORTED fail then
addr-cert_sig_hash_len set8
else
ERR_X509_UNSUPPORTED fail
then
\ We ignore the parameters, whether they are present or not,
\ because we got all the information from the OID.
skip-close-elt
\ signature value
read-bits-open
dup CX 0 8191 { BR_X509_BUFSIZE_SIG } > if
ERR_X509_LIMIT_EXCEEDED fail
then
dup addr-cert_sig_len set16
addr-cert_sig read-blob
\ Close the outer SEQUENCE.
close-elt
\ Close the advertised total certificate length. This checks that
\ there is no trailing garbage after the certificate.
close-elt
\ Flag the certificate as fully processed.
0 addr-cert_length set32
\ Check whether the issuer for the current certificate is known
\ as a trusted CA; in which case, verify the signature.
check-trust-anchor-CA ;
: main
\ Unless restricted by a Key Usage extension, all usages are
\ deemed allowed.
0x30 addr-key_usages set8
-1 decode-certificate
co
begin
0 decode-certificate co
again
;
diff --git a/contrib/bearssl/test/test_crypto.c b/contrib/bearssl/test/test_crypto.c
index ae1d170f7a0b..c6c534d64bab 100644
--- a/contrib/bearssl/test/test_crypto.c
+++ b/contrib/bearssl/test/test_crypto.c
@@ -1,9475 +1,9475 @@
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "bearssl.h"
#include "inner.h"
/*
* Decode an hexadecimal string. Returned value is the number of decoded
* bytes.
*/
static size_t
hextobin(unsigned char *dst, const char *src)
{
size_t num;
unsigned acc;
int z;
num = 0;
z = 0;
acc = 0;
while (*src != 0) {
int c = *src ++;
if (c >= '0' && c <= '9') {
c -= '0';
} else if (c >= 'A' && c <= 'F') {
c -= ('A' - 10);
} else if (c >= 'a' && c <= 'f') {
c -= ('a' - 10);
} else {
continue;
}
if (z) {
*dst ++ = (acc << 4) + c;
num ++;
} else {
acc = c;
}
z = !z;
}
return num;
}
static void
check_equals(const char *banner, const void *v1, const void *v2, size_t len)
{
size_t u;
const unsigned char *b;
if (memcmp(v1, v2, len) == 0) {
return;
}
fprintf(stderr, "\n%s failed\n", banner);
fprintf(stderr, "v1: ");
for (u = 0, b = v1; u < len; u ++) {
fprintf(stderr, "%02X", b[u]);
}
fprintf(stderr, "\nv2: ");
for (u = 0, b = v2; u < len; u ++) {
fprintf(stderr, "%02X", b[u]);
}
fprintf(stderr, "\n");
exit(EXIT_FAILURE);
}
#define HASH_SIZE(cname) br_ ## cname ## _SIZE
#define TEST_HASH(Name, cname) \
static void \
test_ ## cname ## _internal(char *data, char *refres) \
{ \
br_ ## cname ## _context mc; \
unsigned char res[HASH_SIZE(cname)], ref[HASH_SIZE(cname)]; \
size_t u, n; \
\
hextobin(ref, refres); \
n = strlen(data); \
br_ ## cname ## _init(&mc); \
br_ ## cname ## _update(&mc, data, n); \
br_ ## cname ## _out(&mc, res); \
check_equals("KAT " #Name " 1", res, ref, HASH_SIZE(cname)); \
br_ ## cname ## _init(&mc); \
for (u = 0; u < n; u ++) { \
br_ ## cname ## _update(&mc, data + u, 1); \
} \
br_ ## cname ## _out(&mc, res); \
check_equals("KAT " #Name " 2", res, ref, HASH_SIZE(cname)); \
for (u = 0; u < n; u ++) { \
br_ ## cname ## _context mc2; \
br_ ## cname ## _init(&mc); \
br_ ## cname ## _update(&mc, data, u); \
mc2 = mc; \
br_ ## cname ## _update(&mc, data + u, n - u); \
br_ ## cname ## _out(&mc, res); \
check_equals("KAT " #Name " 3", res, ref, HASH_SIZE(cname)); \
br_ ## cname ## _update(&mc2, data + u, n - u); \
br_ ## cname ## _out(&mc2, res); \
check_equals("KAT " #Name " 4", res, ref, HASH_SIZE(cname)); \
} \
memset(&mc, 0, sizeof mc); \
memset(res, 0, sizeof res); \
br_ ## cname ## _vtable.init(&mc.vtable); \
mc.vtable->update(&mc.vtable, data, n); \
mc.vtable->out(&mc.vtable, res); \
check_equals("KAT " #Name " 5", res, ref, HASH_SIZE(cname)); \
memset(res, 0, sizeof res); \
mc.vtable->init(&mc.vtable); \
mc.vtable->update(&mc.vtable, data, n); \
mc.vtable->out(&mc.vtable, res); \
check_equals("KAT " #Name " 6", res, ref, HASH_SIZE(cname)); \
}
#define KAT_MILLION_A(Name, cname, refres) do { \
br_ ## cname ## _context mc; \
unsigned char buf[1000]; \
unsigned char res[HASH_SIZE(cname)], ref[HASH_SIZE(cname)]; \
int i; \
\
hextobin(ref, refres); \
memset(buf, 'a', sizeof buf); \
br_ ## cname ## _init(&mc); \
for (i = 0; i < 1000; i ++) { \
br_ ## cname ## _update(&mc, buf, sizeof buf); \
} \
br_ ## cname ## _out(&mc, res); \
check_equals("KAT " #Name " 5", res, ref, HASH_SIZE(cname)); \
} while (0)
TEST_HASH(MD5, md5)
TEST_HASH(SHA-1, sha1)
TEST_HASH(SHA-224, sha224)
TEST_HASH(SHA-256, sha256)
TEST_HASH(SHA-384, sha384)
TEST_HASH(SHA-512, sha512)
static void
test_MD5(void)
{
printf("Test MD5: ");
fflush(stdout);
test_md5_internal("", "d41d8cd98f00b204e9800998ecf8427e");
test_md5_internal("a", "0cc175b9c0f1b6a831c399e269772661");
test_md5_internal("abc", "900150983cd24fb0d6963f7d28e17f72");
test_md5_internal("message digest", "f96b697d7cb7938d525a2f31aaf161d0");
test_md5_internal("abcdefghijklmnopqrstuvwxyz",
"c3fcd3d76192e4007dfb496cca67e13b");
test_md5_internal("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstu"
"vwxyz0123456789", "d174ab98d277d9f5a5611c2c9f419d9f");
test_md5_internal("1234567890123456789012345678901234567890123456789"
"0123456789012345678901234567890",
"57edf4a22be3c955ac49da2e2107b67a");
KAT_MILLION_A(MD5, md5,
"7707d6ae4e027c70eea2a935c2296f21");
printf("done.\n");
fflush(stdout);
}
static void
test_SHA1(void)
{
printf("Test SHA-1: ");
fflush(stdout);
test_sha1_internal("abc", "a9993e364706816aba3e25717850c26c9cd0d89d");
test_sha1_internal("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlm"
"nomnopnopq", "84983e441c3bd26ebaae4aa1f95129e5e54670f1");
KAT_MILLION_A(SHA-1, sha1,
"34aa973cd4c4daa4f61eeb2bdbad27316534016f");
printf("done.\n");
fflush(stdout);
}
static void
test_SHA224(void)
{
printf("Test SHA-224: ");
fflush(stdout);
test_sha224_internal("abc",
"23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7");
test_sha224_internal("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlm"
"nomnopnopq",
"75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525");
KAT_MILLION_A(SHA-224, sha224,
"20794655980c91d8bbb4c1ea97618a4bf03f42581948b2ee4ee7ad67");
printf("done.\n");
fflush(stdout);
}
static void
test_SHA256(void)
{
printf("Test SHA-256: ");
fflush(stdout);
test_sha256_internal("abc",
"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad");
test_sha256_internal("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlm"
"nomnopnopq",
"248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1");
KAT_MILLION_A(SHA-256, sha256,
"cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0");
printf("done.\n");
fflush(stdout);
}
static void
test_SHA384(void)
{
printf("Test SHA-384: ");
fflush(stdout);
test_sha384_internal("abc",
"cb00753f45a35e8bb5a03d699ac65007272c32ab0eded163"
"1a8b605a43ff5bed8086072ba1e7cc2358baeca134c825a7");
test_sha384_internal(
"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
"hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
"09330c33f71147e83d192fc782cd1b4753111b173b3b05d2"
"2fa08086e3b0f712fcc7c71a557e2db966c3e9fa91746039");
KAT_MILLION_A(SHA-384, sha384,
"9d0e1809716474cb086e834e310a4a1ced149e9c00f24852"
"7972cec5704c2a5b07b8b3dc38ecc4ebae97ddd87f3d8985");
printf("done.\n");
fflush(stdout);
}
static void
test_SHA512(void)
{
printf("Test SHA-512: ");
fflush(stdout);
test_sha512_internal("abc",
"ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
"2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f");
test_sha512_internal(
"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
"hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
"8e959b75dae313da8cf4f72814fc143f8f7779c6eb9f7fa17299aeadb6889018"
"501d289e4900f7e4331b99dec4b5433ac7d329eeb6dd26545e96e55b874be909");
KAT_MILLION_A(SHA-512, sha512,
"e718483d0ce769644e2e42c7bc15b4638e1f98b13b2044285632a803afa973eb"
"de0ff244877ea60a4cb0432ce577c31beb009c5c2c49aa2e4eadb217ad8cc09b");
printf("done.\n");
fflush(stdout);
}
static void
test_MD5_SHA1(void)
{
unsigned char buf[500], out[36], outM[16], outS[20];
unsigned char seed[1];
br_hmac_drbg_context rc;
br_md5_context mc;
br_sha1_context sc;
br_md5sha1_context cc;
size_t u;
printf("Test MD5+SHA-1: ");
fflush(stdout);
seed[0] = 0;
br_hmac_drbg_init(&rc, &br_sha256_vtable, seed, sizeof seed);
for (u = 0; u < sizeof buf; u ++) {
size_t v;
br_hmac_drbg_generate(&rc, buf, u);
br_md5_init(&mc);
br_md5_update(&mc, buf, u);
br_md5_out(&mc, outM);
br_sha1_init(&sc);
br_sha1_update(&sc, buf, u);
br_sha1_out(&sc, outS);
br_md5sha1_init(&cc);
br_md5sha1_update(&cc, buf, u);
br_md5sha1_out(&cc, out);
check_equals("MD5+SHA-1 [1]", out, outM, 16);
check_equals("MD5+SHA-1 [2]", out + 16, outS, 20);
br_md5sha1_init(&cc);
for (v = 0; v < u; v ++) {
br_md5sha1_update(&cc, buf + v, 1);
}
br_md5sha1_out(&cc, out);
check_equals("MD5+SHA-1 [3]", out, outM, 16);
check_equals("MD5+SHA-1 [4]", out + 16, outS, 20);
}
printf("done.\n");
fflush(stdout);
}
/*
* Compute a hash function, on some data, by ID. Returned value is
* hash output length.
*/
static size_t
do_hash(int id, const void *data, size_t len, void *out)
{
br_md5_context cmd5;
br_sha1_context csha1;
br_sha224_context csha224;
br_sha256_context csha256;
br_sha384_context csha384;
br_sha512_context csha512;
switch (id) {
case br_md5_ID:
br_md5_init(&cmd5);
br_md5_update(&cmd5, data, len);
br_md5_out(&cmd5, out);
return 16;
case br_sha1_ID:
br_sha1_init(&csha1);
br_sha1_update(&csha1, data, len);
br_sha1_out(&csha1, out);
return 20;
case br_sha224_ID:
br_sha224_init(&csha224);
br_sha224_update(&csha224, data, len);
br_sha224_out(&csha224, out);
return 28;
case br_sha256_ID:
br_sha256_init(&csha256);
br_sha256_update(&csha256, data, len);
br_sha256_out(&csha256, out);
return 32;
case br_sha384_ID:
br_sha384_init(&csha384);
br_sha384_update(&csha384, data, len);
br_sha384_out(&csha384, out);
return 48;
case br_sha512_ID:
br_sha512_init(&csha512);
br_sha512_update(&csha512, data, len);
br_sha512_out(&csha512, out);
return 64;
default:
fprintf(stderr, "Uknown hash function: %d\n", id);
exit(EXIT_FAILURE);
return 0;
}
}
/*
* Tests for a multihash. Returned value should be 258 multiplied by the
* number of hash functions implemented by the context.
*/
static int
test_multihash_inner(br_multihash_context *mc)
{
/*
* Try hashing messages for all lengths from 0 to 257 bytes
* (inclusive). Each attempt is done twice, with data input
* either in one go, or byte by byte. In the byte by byte
* test, intermediate result are obtained and checked.
*/
size_t len;
unsigned char buf[258];
int i;
int tcount;
tcount = 0;
for (len = 0; len < sizeof buf; len ++) {
br_sha1_context sc;
unsigned char tmp[20];
br_sha1_init(&sc);
br_sha1_update(&sc, buf, len);
br_sha1_out(&sc, tmp);
buf[len] = tmp[0];
}
for (len = 0; len <= 257; len ++) {
size_t u;
br_multihash_init(mc);
br_multihash_update(mc, buf, len);
for (i = 1; i <= 6; i ++) {
unsigned char tmp[64], tmp2[64];
size_t olen, olen2;
olen = br_multihash_out(mc, i, tmp);
if (olen == 0) {
continue;
}
olen2 = do_hash(i, buf, len, tmp2);
if (olen != olen2) {
fprintf(stderr,
"Bad hash output length: %u / %u\n",
(unsigned)olen, (unsigned)olen2);
exit(EXIT_FAILURE);
}
check_equals("Hash output", tmp, tmp2, olen);
tcount ++;
}
br_multihash_init(mc);
for (u = 0; u < len; u ++) {
br_multihash_update(mc, buf + u, 1);
for (i = 1; i <= 6; i ++) {
unsigned char tmp[64], tmp2[64];
size_t olen, olen2;
olen = br_multihash_out(mc, i, tmp);
if (olen == 0) {
continue;
}
olen2 = do_hash(i, buf, u + 1, tmp2);
if (olen != olen2) {
fprintf(stderr, "Bad hash output"
" length: %u / %u\n",
(unsigned)olen,
(unsigned)olen2);
exit(EXIT_FAILURE);
}
check_equals("Hash output", tmp, tmp2, olen);
}
}
}
return tcount;
}
static void
test_multihash(void)
{
br_multihash_context mc;
printf("Test MultiHash: ");
fflush(stdout);
br_multihash_zero(&mc);
br_multihash_setimpl(&mc, br_md5_ID, &br_md5_vtable);
if (test_multihash_inner(&mc) != 258) {
fprintf(stderr, "Failed test count\n");
}
printf(".");
fflush(stdout);
br_multihash_zero(&mc);
br_multihash_setimpl(&mc, br_sha1_ID, &br_sha1_vtable);
if (test_multihash_inner(&mc) != 258) {
fprintf(stderr, "Failed test count\n");
}
printf(".");
fflush(stdout);
br_multihash_zero(&mc);
br_multihash_setimpl(&mc, br_sha224_ID, &br_sha224_vtable);
if (test_multihash_inner(&mc) != 258) {
fprintf(stderr, "Failed test count\n");
}
printf(".");
fflush(stdout);
br_multihash_zero(&mc);
br_multihash_setimpl(&mc, br_sha256_ID, &br_sha256_vtable);
if (test_multihash_inner(&mc) != 258) {
fprintf(stderr, "Failed test count\n");
}
printf(".");
fflush(stdout);
br_multihash_zero(&mc);
br_multihash_setimpl(&mc, br_sha384_ID, &br_sha384_vtable);
if (test_multihash_inner(&mc) != 258) {
fprintf(stderr, "Failed test count\n");
}
printf(".");
fflush(stdout);
br_multihash_zero(&mc);
br_multihash_setimpl(&mc, br_sha512_ID, &br_sha512_vtable);
if (test_multihash_inner(&mc) != 258) {
fprintf(stderr, "Failed test count\n");
}
printf(".");
fflush(stdout);
br_multihash_zero(&mc);
br_multihash_setimpl(&mc, br_md5_ID, &br_md5_vtable);
br_multihash_setimpl(&mc, br_sha1_ID, &br_sha1_vtable);
br_multihash_setimpl(&mc, br_sha224_ID, &br_sha224_vtable);
br_multihash_setimpl(&mc, br_sha256_ID, &br_sha256_vtable);
br_multihash_setimpl(&mc, br_sha384_ID, &br_sha384_vtable);
br_multihash_setimpl(&mc, br_sha512_ID, &br_sha512_vtable);
if (test_multihash_inner(&mc) != 258 * 6) {
fprintf(stderr, "Failed test count\n");
}
printf(".");
fflush(stdout);
printf("done.\n");
fflush(stdout);
}
static void
do_KAT_HMAC_bin_bin(const br_hash_class *digest_class,
const void *key, size_t key_len,
const void *data, size_t data_len, const char *href)
{
br_hmac_key_context kc;
br_hmac_context ctx;
unsigned char tmp[64], ref[64];
size_t u, len;
len = hextobin(ref, href);
br_hmac_key_init(&kc, digest_class, key, key_len);
br_hmac_init(&ctx, &kc, 0);
br_hmac_update(&ctx, data, data_len);
br_hmac_out(&ctx, tmp);
check_equals("KAT HMAC 1", tmp, ref, len);
br_hmac_init(&ctx, &kc, 0);
for (u = 0; u < data_len; u ++) {
br_hmac_update(&ctx, (const unsigned char *)data + u, 1);
}
br_hmac_out(&ctx, tmp);
check_equals("KAT HMAC 2", tmp, ref, len);
for (u = 0; u < data_len; u ++) {
br_hmac_init(&ctx, &kc, 0);
br_hmac_update(&ctx, data, u);
br_hmac_out(&ctx, tmp);
br_hmac_update(&ctx,
(const unsigned char *)data + u, data_len - u);
br_hmac_out(&ctx, tmp);
check_equals("KAT HMAC 3", tmp, ref, len);
}
}
static void
do_KAT_HMAC_str_str(const br_hash_class *digest_class, const char *key,
const char *data, const char *href)
{
do_KAT_HMAC_bin_bin(digest_class, key, strlen(key),
data, strlen(data), href);
}
static void
do_KAT_HMAC_hex_hex(const br_hash_class *digest_class, const char *skey,
const char *sdata, const char *href)
{
unsigned char key[1024];
unsigned char data[1024];
do_KAT_HMAC_bin_bin(digest_class, key, hextobin(key, skey),
data, hextobin(data, sdata), href);
}
static void
do_KAT_HMAC_hex_str(const br_hash_class *digest_class,
const char *skey, const char *data, const char *href)
{
unsigned char key[1024];
do_KAT_HMAC_bin_bin(digest_class, key, hextobin(key, skey),
data, strlen(data), href);
}
static void
test_HMAC_CT(const br_hash_class *digest_class,
const void *key, size_t key_len, const void *data)
{
br_hmac_key_context kc;
br_hmac_context hc1, hc2;
unsigned char buf1[64], buf2[64];
size_t u, v;
br_hmac_key_init(&kc, digest_class, key, key_len);
for (u = 0; u < 2; u ++) {
for (v = 0; v < 130; v ++) {
size_t min_len, max_len;
size_t w;
min_len = v;
max_len = v + 256;
for (w = min_len; w <= max_len; w ++) {
char tmp[30];
size_t hlen1, hlen2;
br_hmac_init(&hc1, &kc, 0);
br_hmac_update(&hc1, data, u + w);
hlen1 = br_hmac_out(&hc1, buf1);
br_hmac_init(&hc2, &kc, 0);
br_hmac_update(&hc2, data, u);
hlen2 = br_hmac_outCT(&hc2,
(const unsigned char *)data + u, w,
min_len, max_len, buf2);
if (hlen1 != hlen2) {
fprintf(stderr, "HMAC length mismatch:"
" %u / %u\n", (unsigned)hlen1,
(unsigned)hlen2);
exit(EXIT_FAILURE);
}
sprintf(tmp, "HMAC CT %u,%u,%u",
(unsigned)u, (unsigned)v, (unsigned)w);
check_equals(tmp, buf1, buf2, hlen1);
}
}
printf(".");
fflush(stdout);
}
printf(" ");
fflush(stdout);
}
static void
test_HMAC(void)
{
unsigned char data[1000];
unsigned x;
size_t u;
const char key[] = "test HMAC key";
printf("Test HMAC: ");
fflush(stdout);
do_KAT_HMAC_hex_str(&br_md5_vtable,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
"Hi There",
"9294727a3638bb1c13f48ef8158bfc9d");
do_KAT_HMAC_str_str(&br_md5_vtable,
"Jefe",
"what do ya want for nothing?",
"750c783e6ab0b503eaa86e310a5db738");
do_KAT_HMAC_hex_hex(&br_md5_vtable,
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
"56be34521d144c88dbb8c733f0e8b3f6");
do_KAT_HMAC_hex_hex(&br_md5_vtable,
"0102030405060708090a0b0c0d0e0f10111213141516171819",
"CDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCD",
"697eaf0aca3a3aea3a75164746ffaa79");
do_KAT_HMAC_hex_str(&br_md5_vtable,
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c",
"Test With Truncation",
"56461ef2342edc00f9bab995690efd4c");
do_KAT_HMAC_hex_str(&br_md5_vtable,
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"Test Using Larger Than Block-Size Key - Hash Key First",
"6b1ab7fe4bd7bf8f0b62e6ce61b9d0cd");
do_KAT_HMAC_hex_str(&br_md5_vtable,
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data",
"6f630fad67cda0ee1fb1f562db3aa53e");
do_KAT_HMAC_hex_str(&br_sha1_vtable,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
"Hi There",
"b617318655057264e28bc0b6fb378c8ef146be00");
do_KAT_HMAC_str_str(&br_sha1_vtable,
"Jefe",
"what do ya want for nothing?",
"effcdf6ae5eb2fa2d27416d5f184df9c259a7c79");
do_KAT_HMAC_hex_hex(&br_sha1_vtable,
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
"125d7342b9ac11cd91a39af48aa17b4f63f175d3");
do_KAT_HMAC_hex_hex(&br_sha1_vtable,
"0102030405060708090a0b0c0d0e0f10111213141516171819",
"CDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCD",
"4c9007f4026250c6bc8414f9bf50c86c2d7235da");
do_KAT_HMAC_hex_str(&br_sha1_vtable,
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c",
"Test With Truncation",
"4c1a03424b55e07fe7f27be1d58bb9324a9a5a04");
do_KAT_HMAC_hex_str(&br_sha1_vtable,
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"Test Using Larger Than Block-Size Key - Hash Key First",
"aa4ae5e15272d00e95705637ce8a3b55ed402112");
do_KAT_HMAC_hex_str(&br_sha1_vtable,
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data",
"e8e99d0f45237d786d6bbaa7965c7808bbff1a91");
/* From RFC 4231 */
do_KAT_HMAC_hex_hex(&br_sha224_vtable,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
"4869205468657265",
"896fb1128abbdf196832107cd49df33f"
"47b4b1169912ba4f53684b22");
do_KAT_HMAC_hex_hex(&br_sha256_vtable,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
"4869205468657265",
"b0344c61d8db38535ca8afceaf0bf12b"
"881dc200c9833da726e9376c2e32cff7");
do_KAT_HMAC_hex_hex(&br_sha384_vtable,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
"4869205468657265",
"afd03944d84895626b0825f4ab46907f"
"15f9dadbe4101ec682aa034c7cebc59c"
"faea9ea9076ede7f4af152e8b2fa9cb6");
do_KAT_HMAC_hex_hex(&br_sha512_vtable,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
"4869205468657265",
"87aa7cdea5ef619d4ff0b4241a1d6cb0"
"2379f4e2ce4ec2787ad0b30545e17cde"
"daa833b7d6b8a702038b274eaea3f4e4"
"be9d914eeb61f1702e696c203a126854");
do_KAT_HMAC_hex_hex(&br_sha224_vtable,
"4a656665",
"7768617420646f2079612077616e7420"
"666f72206e6f7468696e673f",
"a30e01098bc6dbbf45690f3a7e9e6d0f"
"8bbea2a39e6148008fd05e44");
do_KAT_HMAC_hex_hex(&br_sha256_vtable,
"4a656665",
"7768617420646f2079612077616e7420"
"666f72206e6f7468696e673f",
"5bdcc146bf60754e6a042426089575c7"
"5a003f089d2739839dec58b964ec3843");
do_KAT_HMAC_hex_hex(&br_sha384_vtable,
"4a656665",
"7768617420646f2079612077616e7420"
"666f72206e6f7468696e673f",
"af45d2e376484031617f78d2b58a6b1b"
"9c7ef464f5a01b47e42ec3736322445e"
"8e2240ca5e69e2c78b3239ecfab21649");
do_KAT_HMAC_hex_hex(&br_sha512_vtable,
"4a656665",
"7768617420646f2079612077616e7420"
"666f72206e6f7468696e673f",
"164b7a7bfcf819e2e395fbe73b56e0a3"
"87bd64222e831fd610270cd7ea250554"
"9758bf75c05a994a6d034f65f8f0e6fd"
"caeab1a34d4a6b4b636e070a38bce737");
do_KAT_HMAC_hex_hex(&br_sha224_vtable,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaa",
"dddddddddddddddddddddddddddddddd"
"dddddddddddddddddddddddddddddddd"
"dddddddddddddddddddddddddddddddd"
"dddd",
"7fb3cb3588c6c1f6ffa9694d7d6ad264"
"9365b0c1f65d69d1ec8333ea");
do_KAT_HMAC_hex_hex(&br_sha256_vtable,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaa",
"dddddddddddddddddddddddddddddddd"
"dddddddddddddddddddddddddddddddd"
"dddddddddddddddddddddddddddddddd"
"dddd",
"773ea91e36800e46854db8ebd09181a7"
"2959098b3ef8c122d9635514ced565fe");
do_KAT_HMAC_hex_hex(&br_sha384_vtable,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaa",
"dddddddddddddddddddddddddddddddd"
"dddddddddddddddddddddddddddddddd"
"dddddddddddddddddddddddddddddddd"
"dddd",
"88062608d3e6ad8a0aa2ace014c8a86f"
"0aa635d947ac9febe83ef4e55966144b"
"2a5ab39dc13814b94e3ab6e101a34f27");
do_KAT_HMAC_hex_hex(&br_sha512_vtable,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaa",
"dddddddddddddddddddddddddddddddd"
"dddddddddddddddddddddddddddddddd"
"dddddddddddddddddddddddddddddddd"
"dddd",
"fa73b0089d56a284efb0f0756c890be9"
"b1b5dbdd8ee81a3655f83e33b2279d39"
"bf3e848279a722c806b485a47e67c807"
"b946a337bee8942674278859e13292fb");
do_KAT_HMAC_hex_hex(&br_sha224_vtable,
"0102030405060708090a0b0c0d0e0f10"
"111213141516171819",
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"
"cdcd",
"6c11506874013cac6a2abc1bb382627c"
"ec6a90d86efc012de7afec5a");
do_KAT_HMAC_hex_hex(&br_sha256_vtable,
"0102030405060708090a0b0c0d0e0f10"
"111213141516171819",
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"
"cdcd",
"82558a389a443c0ea4cc819899f2083a"
"85f0faa3e578f8077a2e3ff46729665b");
do_KAT_HMAC_hex_hex(&br_sha384_vtable,
"0102030405060708090a0b0c0d0e0f10"
"111213141516171819",
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"
"cdcd",
"3e8a69b7783c25851933ab6290af6ca7"
"7a9981480850009cc5577c6e1f573b4e"
"6801dd23c4a7d679ccf8a386c674cffb");
do_KAT_HMAC_hex_hex(&br_sha512_vtable,
"0102030405060708090a0b0c0d0e0f10"
"111213141516171819",
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"
"cdcd",
"b0ba465637458c6990e5a8c5f61d4af7"
"e576d97ff94b872de76f8050361ee3db"
"a91ca5c11aa25eb4d679275cc5788063"
"a5f19741120c4f2de2adebeb10a298dd");
do_KAT_HMAC_hex_hex(&br_sha224_vtable,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaa",
"54657374205573696e67204c61726765"
"72205468616e20426c6f636b2d53697a"
"65204b6579202d2048617368204b6579"
"204669727374",
"95e9a0db962095adaebe9b2d6f0dbce2"
"d499f112f2d2b7273fa6870e");
do_KAT_HMAC_hex_hex(&br_sha256_vtable,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaa",
"54657374205573696e67204c61726765"
"72205468616e20426c6f636b2d53697a"
"65204b6579202d2048617368204b6579"
"204669727374",
"60e431591ee0b67f0d8a26aacbf5b77f"
"8e0bc6213728c5140546040f0ee37f54");
do_KAT_HMAC_hex_hex(&br_sha384_vtable,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaa",
"54657374205573696e67204c61726765"
"72205468616e20426c6f636b2d53697a"
"65204b6579202d2048617368204b6579"
"204669727374",
"4ece084485813e9088d2c63a041bc5b4"
"4f9ef1012a2b588f3cd11f05033ac4c6"
"0c2ef6ab4030fe8296248df163f44952");
do_KAT_HMAC_hex_hex(&br_sha512_vtable,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaa",
"54657374205573696e67204c61726765"
"72205468616e20426c6f636b2d53697a"
"65204b6579202d2048617368204b6579"
"204669727374",
"80b24263c7c1a3ebb71493c1dd7be8b4"
"9b46d1f41b4aeec1121b013783f8f352"
"6b56d037e05f2598bd0fd2215d6a1e52"
"95e64f73f63f0aec8b915a985d786598");
do_KAT_HMAC_hex_hex(&br_sha224_vtable,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaa",
"54686973206973206120746573742075"
"73696e672061206c6172676572207468"
"616e20626c6f636b2d73697a65206b65"
"7920616e642061206c61726765722074"
"68616e20626c6f636b2d73697a652064"
"6174612e20546865206b6579206e6565"
"647320746f2062652068617368656420"
"6265666f7265206265696e6720757365"
"642062792074686520484d414320616c"
"676f726974686d2e",
"3a854166ac5d9f023f54d517d0b39dbd"
"946770db9c2b95c9f6f565d1");
do_KAT_HMAC_hex_hex(&br_sha256_vtable,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaa",
"54686973206973206120746573742075"
"73696e672061206c6172676572207468"
"616e20626c6f636b2d73697a65206b65"
"7920616e642061206c61726765722074"
"68616e20626c6f636b2d73697a652064"
"6174612e20546865206b6579206e6565"
"647320746f2062652068617368656420"
"6265666f7265206265696e6720757365"
"642062792074686520484d414320616c"
"676f726974686d2e",
"9b09ffa71b942fcb27635fbcd5b0e944"
"bfdc63644f0713938a7f51535c3a35e2");
do_KAT_HMAC_hex_hex(&br_sha384_vtable,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaa",
"54686973206973206120746573742075"
"73696e672061206c6172676572207468"
"616e20626c6f636b2d73697a65206b65"
"7920616e642061206c61726765722074"
"68616e20626c6f636b2d73697a652064"
"6174612e20546865206b6579206e6565"
"647320746f2062652068617368656420"
"6265666f7265206265696e6720757365"
"642062792074686520484d414320616c"
"676f726974686d2e",
"6617178e941f020d351e2f254e8fd32c"
"602420feb0b8fb9adccebb82461e99c5"
"a678cc31e799176d3860e6110c46523e");
do_KAT_HMAC_hex_hex(&br_sha512_vtable,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaa",
"54686973206973206120746573742075"
"73696e672061206c6172676572207468"
"616e20626c6f636b2d73697a65206b65"
"7920616e642061206c61726765722074"
"68616e20626c6f636b2d73697a652064"
"6174612e20546865206b6579206e6565"
"647320746f2062652068617368656420"
"6265666f7265206265696e6720757365"
"642062792074686520484d414320616c"
"676f726974686d2e",
"e37b6a775dc87dbaa4dfa9f96e5e3ffd"
"debd71f8867289865df5a32d20cdc944"
"b6022cac3c4982b10d5eeb55c3e4de15"
"134676fb6de0446065c97440fa8c6a58");
for (x = 1, u = 0; u < sizeof data; u ++) {
data[u] = x;
x = (x * 45) % 257;
}
printf("(MD5) ");
test_HMAC_CT(&br_md5_vtable, key, sizeof key, data);
printf("(SHA-1) ");
test_HMAC_CT(&br_sha1_vtable, key, sizeof key, data);
printf("(SHA-224) ");
test_HMAC_CT(&br_sha224_vtable, key, sizeof key, data);
printf("(SHA-256) ");
test_HMAC_CT(&br_sha256_vtable, key, sizeof key, data);
printf("(SHA-384) ");
test_HMAC_CT(&br_sha384_vtable, key, sizeof key, data);
printf("(SHA-512) ");
test_HMAC_CT(&br_sha512_vtable, key, sizeof key, data);
printf("done.\n");
fflush(stdout);
}
static void
test_HKDF_inner(const br_hash_class *dig, const char *ikmhex,
const char *salthex, const char *infohex, const char *okmhex)
{
unsigned char ikm[100], saltbuf[100], info[100], okm[100], tmp[107];
const unsigned char *salt;
size_t ikm_len, salt_len, info_len, okm_len;
br_hkdf_context hc;
size_t u;
ikm_len = hextobin(ikm, ikmhex);
if (salthex == NULL) {
salt = BR_HKDF_NO_SALT;
salt_len = 0;
} else {
salt = saltbuf;
salt_len = hextobin(saltbuf, salthex);
}
info_len = hextobin(info, infohex);
okm_len = hextobin(okm, okmhex);
br_hkdf_init(&hc, dig, salt, salt_len);
br_hkdf_inject(&hc, ikm, ikm_len);
br_hkdf_flip(&hc);
br_hkdf_produce(&hc, info, info_len, tmp, okm_len);
check_equals("KAT HKDF 1", tmp, okm, okm_len);
br_hkdf_init(&hc, dig, salt, salt_len);
for (u = 0; u < ikm_len; u ++) {
br_hkdf_inject(&hc, &ikm[u], 1);
}
br_hkdf_flip(&hc);
for (u = 0; u < okm_len; u ++) {
br_hkdf_produce(&hc, info, info_len, &tmp[u], 1);
}
check_equals("KAT HKDF 2", tmp, okm, okm_len);
br_hkdf_init(&hc, dig, salt, salt_len);
br_hkdf_inject(&hc, ikm, ikm_len);
br_hkdf_flip(&hc);
for (u = 0; u < okm_len; u += 7) {
br_hkdf_produce(&hc, info, info_len, &tmp[u], 7);
}
check_equals("KAT HKDF 3", tmp, okm, okm_len);
printf(".");
fflush(stdout);
}
static void
test_HKDF(void)
{
printf("Test HKDF: ");
fflush(stdout);
test_HKDF_inner(&br_sha256_vtable,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
"000102030405060708090a0b0c",
"f0f1f2f3f4f5f6f7f8f9",
"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865");
test_HKDF_inner(&br_sha256_vtable,
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f",
"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
"b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87");
test_HKDF_inner(&br_sha256_vtable,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
"",
"",
"8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8");
test_HKDF_inner(&br_sha1_vtable,
"0b0b0b0b0b0b0b0b0b0b0b",
"000102030405060708090a0b0c",
"f0f1f2f3f4f5f6f7f8f9",
"085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896");
test_HKDF_inner(&br_sha1_vtable,
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f",
"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
"0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4");
test_HKDF_inner(&br_sha1_vtable,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
"",
"",
"0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918");
test_HKDF_inner(&br_sha1_vtable,
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c",
NULL,
"",
"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48");
printf(" done.\n");
fflush(stdout);
}
/*
* Known-answer test vectors for SHAKE128, from the NIST validation test
* suite. Each vector is a pair (input,output).
*/
static const char *const KAT_SHAKE128[] = {
"e4e932fc9907620ebebffd32b10fda7890a5bc20e5f41d5589882a18c2960e7aafd8730ee697469e5b0abb1d84de92ddba169802e31570374ef9939fde2b960e6b34ac7a65d36bacba4cd33bfa028cbbba486f32367548cb3a36dacf422924d0e0a7e3285ee158a2a42e4b765da3507b56e54998263b2c7b14e7078e35b74127d5d7220018e995e6e1572db5f3e8678357922f1cfd90a5afa6b420c600fd737b136c70e9dd14",
"459ce4fa824ee1910a678abc77c1f769",
"18636f702f216b1b9302e59d82192f4e002f82d526c3f04cbd4f9b9f0bcd2535ed7a67d326da66bdf7fc821ef0fff1a905d56c81e4472856863908d104301133ad111e39552cd542ef78d9b35f20419b893f4a93aee848e9f86ae3fd53d27fea7fb1fc69631fa0f3a5ff51267785086ab4f682d42baf394b3b6992e9a0bb58a38ce0692df9bbaf183e18523ee1352c5fad817e0c04a3e1c476be7f5e92f482a6fb29cd4bbf09ea",
"b7b9db481898f888e5ee4ed629859844",
"5d9ff9fe63c328ddbe0c865ac6ba605c52a14ee8e4870ba320ce849283532f2551959e74cf1a54c8b30ed75dd92e076637e4ad5213b3574e73d6640bd6245bc121378174dccdaa769e6e4f2dc650e1166c775d0a982021c0b160fe9438098e86b6cdc786f2a6d1ef68751551f7e99773daa28598d9961002c0b47ab511c8707df69f9b32796b723bf7685251d2c0d08567ad4e8540ddcc1b8a1a01f6c92aaaadcaf42301d9e53463",
"f50af2684408915871948779a14c147c",
"38c0be76e7b60f262f1499e328e0519f864bbb9d134d00345d8942d0ab762c3936c0cd1896eca6b77b3c01089dd285e9f61708a62e5ea4bf57c50decda5c215fb18ac149d7ace09ffdfed91e7fbf068d96908e42cf1e7ee7bc001c7ee9e378a311e44311923de4681f24c92eb5f0fb13d07ef679ded3b733f402168dc050568dbf97fb79afe8db994874783e27ad8d040ba8e75343c6762c6793a42247eee5a6216b908817f5edbbdf",
"e4786ad8f2ea9c8e420a6f50b5feec9a",
"ec586d52ad2ced1f96bd9458a5a1f64bc1b4cce1fa52517513c9ebe63d0d0eeb26ae5da73208137e08baa22651599a01bc65cbaa467baeceb8cd013d71d0b2406534fe2e6619da3aa380928f6effb09f42ba1fb7048e90d7898f1dc259b52c51b2d2970cd0c70afb6cf8acba83fd01cc589b0f31bcf2bf3b8df7879d7d2546c514706f6cf97b6a6b6d0a37d018ba553108f0e240f70f03a0ccee86f76589c64594f6cf74679bc330ad9f",
"191a3710c72d11da7a2410bc73ba9d9f",
"c201dfe59e03574476e3c220c971c1685ea96ea137daed2ac10845c54d8e6e53c307acdf956f1bdef3868ab53e758c7cbeb4cd02972ba311f998e5f3983000345c8947aa59b78bb301b6ecbe9808ee0de99ed0b938fc19f677997398bd84bcd6f34d5b4ed123d04a093a8f42c1700fa2472f1ecc00957761a2d296bda3d2cbc0f21d8ed4e4fb122b71db1d49a0f516c3402f6046d93de6dae20df7683462557abfbf88437c8678dfa2613b",
"464121895e5c9d85190bcee0437453dd",
"bd34acd613e0e0da6bebc45ba73fefa0bd8aa8ebba34040a07944f29eb63adea527101b8cd960e58d9ecddc0643b5e2d8db55170ace4678892e0a57612c50a4dc0647189f839b9a1229e22e0353dfa707acb7ab893f4ebe8bb910cd14f21b8fb8e77c4f19db027e0cd685d60212e0d920b34e96b774bd54f0a0f4ce2ac5f001b4411c19ac2e3a03b63b454eb30f4ddbac959673260d370e708c32d5030682ad56a99322972ba6eda6be9d027",
"8e167ceae101ea0b3b98175f66e46b0e",
"166b4fec6967c2a25f80c0075379978124833b84894c3cb3a538f649dcee08b8e41707901f6273a128cce964ac1e9b977bb7fe28de8bc2542c6c07109889cea84d34ada6bde8c8f5358afc46b5ef5db3009fe3a2efd860ed0ad6b540595246c27849abf7eafea9e5af42607519f3c51ddbc353bc633afec56aff69a0c953584d8ede684b4faefeb8be7d7db97e32bc1c35abb73ce3ba8425726d89f98e93ed93b67b4c6993ffafb789c1bbda8d",
"eb2fa0e8e04e698ca511d6abf7de84fb",
"62c625d31a400c5ff092d6fd638f1ea911ad912f2aabffea2377b1d2af4efeb6eb2519c5d8482d530f41acdab0fbe43f9c27d357e4df3caa8189fa7745ff95f811ed13e6497a1040852a1149890216d078ee6eb34461cfa6693ba631dbefacf83ce5ba3f531ddeadba16ae50d6eedce20cca0b4b3278e16644535e0859676c3fd5d6b7d7df7bbe2316cc2bfa7f055fffc2835225976d9a737b9ac905a7affc544288b1b7d6dad92901162f4c6d90",
"bb0acc4423c1d8cfc788e748ade8d5fd",
"8af63bbe701b84ff9b0c9d2fd830e28b7d557af3fcf4874bb7b69f2116388090d70bff64a600427eeea22f7bee0324900fbce9b8752fe312d40f8a8485231da5d94694daadb3d6bf3e7f2cc83f67f52829cc9cf1d3fcc87d42b3d20ec2e27cb135aee068acbca68734ac7a5ff3e3bd1a738e7be63de39e56aaaa6104f6fd077c964ccc55cba41ca1783003883100e52f94096fdfdc6dcd63b3fd1db148fc24cda22640eb34f19ed4b113ad8a2144d3",
"4a824cae0f236eab147bd6ebf66eafc2",
"a8c0f0e4afcda47e02afaaa2357c589e6b94168a6f6f142b019938186efa5b1b645bb4da032694b7376d54f4462e8c1ba5d6869d1003f3b9d98edc9f81c9dbd685058adb7a583c0b5c9debc224bb72c5982bfcdd67b4bdc57579e0467436c0a1b4c75a2d3cea034119455654f6ab7163ed9b61949d09da187d612b556fca724599a80c1970645023156f7df2e584f0bf4c2e9b08d98bb27a984fa7149c0b598adbb089e73f4f8d77f92248e419d0599f",
"4800f8f5e598a26ee05a0ea141f849d0",
"a035c12af3fb705602540bd0f4a00395e1625edf2d44af4a145b463585aba46b34ee3203eb9132842000f54dcd234e347c28486ea18414af2d3445916049403adfa3ed3906fdb3b27f2aa4bb149df405c12fb0bf0e1dacb79c50bec3fde2295fc8dd5c97ed46dd28475a80e27017dc50d9feff9b1a1861ac86371791037e49221923e6e44874962d9f18f1898a98ee5dec1e9eca6d7c1ad4166fbac41b2587caf7fef3e7be90c80aafed5f7a0928127321",
"2d124d81a4a45ad9c0b91cca23cc2991",
"d41739834414a0792470d53dee0f3f6c5a197314d3a14d75278440048294eab69df6eb7a33c9f807b5082bd93eb29d76c92837f6a2d6c5c21a154c9c7f509ee04b662b099c501a76e404996fe2997163d1abdd73df019c35e06d45b144f4dbb0462fa13767f12f4e1b2bc605c20ce1b9d96c0c94726af953e154d14cb9c8c8aff719f40c7cf45f15c1445ba6c65215024b316d60435905a686929874c6148e64c4eccd90c3a1d1553d18ff57d6b536c58ec3",
"551fc7eceeee151523be716538258e2e",
"5bbb333460ffac345e4d2bc2dba303ef75b85c57233590fabd22d547bf9e1d7a4ad43a286b2a4618a0bb42559808fd813bea376ceacc07e608167ad1b9ec7d7ae919fd2991464cf63570c7dfb299b61836bd73a29007cf1faa45b1e5539a00514272c35d58bb877526530187afbcf55a6f1757209c50af4eab96c2ab160e6ea75dc8d6ef4bf2bf3e7a4b3a7619db84efede22a0f960e701b14f0f44c89b18f2640017c05ef51bcf93942b8d3775d2980b80435",
"2c98dce5b1ec5f1f23554a755fac7700",
"8040a7296d7553886e5b25c7cf1f64a6a0a143185a83abf5c5813bef18008ec762e9bcc12ab7235552cf67274210b73942ac525f26364af431fc88cc34961169f6bf8872d864f360b9fbc27b18160d0578381db509e72e678402731157555bf9026b1325c1a34c136b863eab9a58ec720cedaa0049bfddb4863d03a6ca65f3dd4f9465c32b9db4d52f19e39f10ffdfe8c475032a2fe5e145ff524073d5ed617fa5e387325f7ab50fcf5cba40c2326bcf6a753019",
"c0bb8427ef0ca4e457d2887878d91310",
"cbaceb762e6c2f5f96052d4a681b899b84de459d198b3624bd35b471bdc59655b1405e9a5448b09e93e60941e486ad01d943e164f5655b97be28f75413c0ab08c099bd3650e33316234e8c83c012ad146b331e88fb037667e6e814e69e5f100b20417113c946a1116cc71ed7a3c87119623564d0d26c70dd5cfc75ef03acaea6f8c0e3f96877e0d599d8270635aee25be6d21b0522a82f4149ec8037edaf6b21709c7aafd580daaad00a0fd91fcfe6211d90abef95",
"626bd9eb0982b6db884d38e8c234854e",
"1bbee570394bc18d0f8713c7149cabb84e0567dd184510e922d97f5fb96b045f494808c02014f06074bd45b8a8ad12b4cb448ec16285fb27670fce99914f100ad6f504c32fa40ab39beec306667f76f9ab98b3ec18c036b8f1b60d4457a9fe53cbab23a0ee64d72d8a03d6d8d67a9f2ff6eb1d85c25d8746c8b4858794e094e12f54ab80e5ba1f774be5c456810755ffb52415b5e8c6b776f5f37b8bcf5c9b5d0ad7e58a9d0fa938e67ad5aaee8c5f11ef2be3a41362",
"a489ab3eb43f65ffbd4d4c34169ee762",
"aeacffca0e87bfdb2e6e74bfb67c9c90a8b6fb918b9be164cafcab7d570d8cd693bd8ee47243d3cbdaf921ce4d6e9e09c8b6d762eb0507bd597d976f6243e1f5e0d839e75ea72e2780da0d5e9f72a7a9b397548f762c3837c6a7c5d74b2081705ba70ab91adb5758e6b94058f2b141d830ff7b007538fb3ad8233f9e5bcbf6adcdd20843ee08d6c7d53cc3a58f53f3fe0997539e2f51d92e56990daad76dc816fd013b6d225634db140e9d2bbe7f45830406e44fee9d59",
"4eaa27b085d08fc6a7473e672ea2ca1b",
"a22314d2173ca4d53897924c4b395f0ae52c7fff4880525cee9055f866879af35f22759903b779898676a216feefd4ed75d484f83c00b58383b9279e2732cbc2cb5479b72abee5b4ab0bd0c937537b7a47f461ad419225c6045cca10c191225f0e4389f3355cd3a0d2de822c9d6f3cf984147de3fd3d8a6c9a02a617ddac87114f770b16cc96289321782108d94a00b153bd40651809cabe6c32237a2389e321b67769e89676cdd6c060162592ecadebdd7512fa3bfece04",
"eea88229becc3608df892998b80cf57b",
"f99bba3e3b14c8de38c8edecd9c983aa641320a251130f45596a00d2cfeefe7933f1a2c105c78627d782fd07a60001c06a286d14ec706dcdd8a232a613e1ea684ee7ef54dc903ec1c09c2c060bb0549a659fd47ae9e8b9cb3680b7c1c2d11ebf720209c06879d8f51d9ee1afafe263807c01bb9def83db879a89f7eb85c681c6c6cc58cc52893d0b131186cc3b9e16bad7d48c46a74abb492d475beb04c9fdc573cc454242c8534bcc7c822356ea558f9fa3ae3bb844415916",
"5109746cb7a61482e6e28de02db1a4a5",
"564da8460dc0c3d20b1fda3628349a399ba52446b5d3626fd0039ab282bc437b166f186b3c5e6c58ffb6bd95f8fe8b73c1b56a07ad37572eb6e148cfb7750760dcc03fac567ad7d3536d80922dda8ac4e118fc29c47ee3677183ea4e06242b6090864591c3ddaf4bef8c4cb52f8e3f35e4140034616faf21e831a9b8d68f5a841a0a52a2eb4f9ac9bb5b488766e251cdb0f29faeeed463640333ad948e7f3ad362948c68379740539f219d8f3ba069952efa0021d273a738aad0",
"f43552da8b2623a130196e70a770230d",
"8a54e8bf30eeb2e098955f2eef10af3c0a32391656fdff82120e4785bb35a629c8635e7e98c9eadfa93ed6760ae1d40313000dd85339b528cadfe28258a09e9976643a462477e6d022eb7f6a6338a8fdbf261c28e8ed43869f9a032f28b4d881fb202720bc42cf3b6d650211e35d53b4766a0f0dfd60d121fa05519211bb7d69bf5fcb124870cda8f17406747097fcb0a1968e907adb888341ea75b6fcfbb4d92ae8ce27b04a07a016df3399f330cb77a67040b847a68f33de0f16",
"c51c6e34cef091a05dfcf30d45b21536",
"2a64753a74d768b82c5638a0b24ef0da181bc7d6e2c4ffdb0ae50d9c48ecfa0d90880974db5f9ac32a004e25c8186cd7d0e88439f0f652256c03e47f663eff0d5cb7c089f2167ff5f28df82f910badc5f4b3860af28cbb6a1c7af3fafa6dae5398d8e0a14165def78be77ee6948f7a4d8a64167271ed0352203082368de1cd874bd3b2e351b28170fdf42871590d9d179ce27c99f481f287820fd95ba60124517e907e78a9662e09519e3ef868ebdcca311700a603b04fae4afe4090",
"2d2ee67938422ae12f8cfa8b2e744577",
"a7d645b70f27f01617e76abc2ae514164f18d6fd4f3464e71a7fc05a67e101a79b3b52d4ecfa3ddac6ec2a116d5222e8e536d9d90fffec9c1442679b06db8aa7c53dcde92006211b3dd779f83b6289f015c4cd21ca16ce83bb3ea162540bb012ee82bddef4722341454f5f59da3cd098a96abbbdc9a19202d61c7697979afa50deb22a9bb067ccb4a6fce51c930a7f4767cfaa9454c9c1832f83ee2318b0f0c95d761c079c0ca2dc28871229aef11f64199ca290b2b5e26d8c1c12ec1f",
"ec989e0290fc737952de37dd1ebc01c6",
"3436fe321f2a41478164b8b408a7a8f54ff2a79cb2020bf36118a2e3b3fca414bd42e55624cc4f402f909016209b10f0c55626194a098bb6519d0fa844a68ab3eaa116df39797b1e6c51eb30557df0c4f3d1a2e0471f1d8264fb3288c6c15dcde4daf795083aad2b5f2d31c84c542fb702ea83b7524ca9a1c1b9754ade5604abd375f23f3916cdad31aecaa7b028b7121a2a316713991759925f3fb8366c6795defa6ea77416c4ed095c1f9527026f1d621815b8310d4ff3fc76f798760b",
"bb5e48212442ad7ae83697092024c22b",
"01bdb4f89f84b728a9d6b3a03f60709900571c1a2a0f912702cad73677ceeae202babde3d0197e3e23381cb9f6350792e05937703aa76f9a84b5c36705bb58f6b2ea6b1e51ff94a8de174cbc2ec5ae9ad2627a8b3ea45f162b727a7639f71a4cd9f6c6926a5d81d0a21c4c923037ed199f1aef517e2eea03bea9044c5baab84e3f85d625635bcb1c37ef232144b44c770f2b9dab416b96c906016acfb3fbba62ab40a4c08323fcf66437d953b164541cea3a8c81d186eed0cb23b3e98813a9",
"8bb7ffa4572616f3bc7c33bd70bbcd59",
"9ae51ed483306c9a5a6db027f03cd4472cf3a71df5f1e11852306123d01ab81c259eeb88128275858efb8cff207ba5278dca3a21b358cbfdb5d223e958f3dca5ad9d2537f128c3dfb1fa564d3157de120f7b7d5524e67fc7abf897d9a5bd6b2c7c0a5348e6c95e920c919778ec7a86effb2ff91f0f44045c7dca46597e216e98d80efe25ba0d4f84e7e9d5e81689a5a6990d34e83e1a62a67371b7d2adc7ecd30ad1ad35359e9d9f8a299b057a2f441e313eb819770fa18cd41572adf856edc4",
"e7f66f49f70d506a9b5508cc50f65cf2",
"899c81ea1162514ea7a2d3487d0efcc4648a3067f891131918d59cc19a266b4f3c955c00ddd95cddedf27b86220c432d6ca548e52cf2011da17fd667a2177a7f93e37b8892d51898f1485277e9e046a48cb8b999fcbcf550db53d40602421a3f76cd070a971e2d869beb80a53b54ac30ac0aab0cd1b696bbaf99bb25216ff199cd9a280f567c44b0d4252c98812e1ddab4e445c414aa8d650598b64d6768a7948093051e36b7051c823c7ed6213743a98d8eaf4b2b5e8157c699ea053cf4e53877",
"52173b139c76a744b7a4d2221d4178c4",
"e50422869373abac1c26e738fb3ccb577b65975a7998ba096b04ef3aa148ada2cbe6beeabcf52d056d1766c245ab999d97445fdb6d59a0d6843eb4959752c89fe07b8411ddcfebef509482b8896bb43de7c875b29da52606b278b8704c62154b2da9bb237e68aa10cb85814250e4e4de73da200991e51241fd9a45f446de5a4bb959ad4727283510e9d2ac8a207ef0284163aa05d27f2d316e8ca1480f30604a8d74a0a661775398af644bb584a1a2c55c4959d0e7dd3f7c0c3614962fbeefeeafe0",
"f4c517a82c850c3c4c96d23a8f3106b8",
"066febbe205ea342cde69fd4c72889442e14a5977d886252bdbc2ff5f8dd8fc5f1f870ce121ab929a6b6227b484648be9b3501443cfdecf8f58d4de834ed1800bb244c18985a8232583ac6fc789aa59d1c5e87ad03994085bbf6e1ba1157d4e4ccbb28a49b6529e54b3b34613d6cc9671855e2dcbba6838176c093737962eaf88c85ab780184d4cae78013b28103dca7f7e3b8d94a6ae0728db30a1c535783c4644a7e9eb4ffac6a95d30cf52ba805e220d0b2aa9a2e7de26a97efbd877ec6d1bad148",
"bac7162dc8328911fa639f26ba952ab0",
"ccf92b17b9cf0d8577c1f3db9c19d3c86f16bab4058611f6aa97204783ebd07671eab55e375c4b16e03780675bb5738369aa7cf3b9156cd250f516392f5e0efa30cbb09132b66457756621f947093029e10233938c846513086023252d1bac9dd3442598f004e0b200f7dd79aa3a9122a0c6e77bc7fc8521988050f3c64b32c620fc1b5bba6f458e4791bdcfca731fd66e9da093b1a45264c8ffa48b3f1628dfe19c9ac1d71f1d5214ddc7e4f0da60ae122f67c394a55645628228d5e3a3174fdccbaab4",
"19a9eadf9c7c000fe340603f27bd830b",
"a37dcfab50a317e6a7cc51524b5d611a53652b59fc7df0229af3dac4d527d54c1134a14b2ed325d9727d07d9c3d0797f1a34561034be6de98b551dc384132235eaedae7a9b97bb7581a2a0f2c4e8e32f3e294f9b30f646dd33ce58187188146e14f01dc3ffb581c3bc834726b66c4732a98c3f8256ed22077ba8b34c024d53fe798517abc2f61eca0c6722fc02254c9141a54d4e106aaa6d4b2957e6a12c88ed00f4c4bc4c223b92579859fc0edb9b53f0bba286c53786198c9b6c6eb5eb5b4490844b7d06",
"b9e1455d06233d14b8d3020441351a76",
"0248b909e1f31ee855a03b6c81366757aa3732d2eca0b06a2b1015584c2d8205a4431fcdb02f6a03077ccf368ecb78b3eb78664b3c7ac157088b6cf9758adda4bc1d2cdedb9a69448a2833cf6f21865795bbd5551be859ed297aa82c288b898e331c07c3c8fcc4b2c4ec90bf8e003a499248a677f1b020357625f079cdf92fcbef89d904e11d23569e0f0e8c52303c93c867023a269bc036d8d36d69ca9c7664daacc92a8dc42c3600dbd4c02278333d216011252271def835ce4783883c0760dbcc00bc33bb",
"ea4606777e21f27d4ae860b3c25283b7",
"ce283768aa91488c75c71ee80a4df9495377b6a9ae3351a5962aa8317f08818a0117cf6c391331866d3abc2beea2fa4a43cf32a08385ea2c03dbabe3319104a6c0a3d171061ebed5a23306a8618a81fb63d9dd4c79b42bfdd2a79e05d78290e653f4c6dfd75bf5625ddb85c82bad9444faba3e1558691c004bb50afe37822e320131361d7572e015e559c0f313b53e0d529dde64e74bc41eb52e77361a3ae5721483a795a80a87d684d63f92e347843eb1a8439fef032b3d5a396b154751bd8ed211a3ae37cbf0",
"dca4d5f9f9b7f8011f4c2f547ce42847",
"19265f48c1ea240990847dc15d8198785d55ea6243ef7012ac903beabbdc2bd60032fb3a9f397d28aebb27d7deb7cf505eb1b36bfc4dbcfa8e1c044490b695b50e0974d3c5f0de748508d12ed9bfce10eaadde8fa128d3c30c12d0d403f60baf0b53d2fd7a38cc55dc1182b096c11d1ec9f171b879a73bd6ef1aa7825bc5162cbeba1d9f0739d1337c8142445ce645e4c32477cdcdf37e99fedb9236e24a3d94f0e45ea0b41a74762efe19d27555cdc89feef5b6e533237603fe98d8deae084f69799deac9043e86",
"688e532e15bde53b0b652291edfb7681",
"1080391fa810c50c7437ec058459d3a8cd23c33071c187474151151c809871b6eaf4cf88f592f84557e1eef5c847d3490912072b25b1919af724c0b5ecb111150bd95460328a0b1ba29613c0bd6486110fe6dfab8cca5fde18f5b0bc4d2dc970781511d2e45fc7385c3da18eeb18b3a9e68593d82c75bbbcadab2e5a29745f6f3a924e039579f4418dbee186d9cc24b896d96bd990186bdcbd3082b70aee9bb95a36531ecc405ae13d011bd10fe69fe728c8aed73d1d38e5506bf4fa770347f7e0eb6749121cc0be75",
"cbf8ee5d477630dac9457a9a0659497d",
"0a13ad2c7a239b4ba73ea6592ae84ea9",
"5feaf99c15f48851943ff9baa6e5055d8377f0dd347aa4dbece51ad3a6d9ce0c01aee9fe2260b80a4673a909b532adcdd1e421c32d6460535b5fe392a58d2634979a5a104d6c470aa3306c400b061db91c463b2848297bca2bc26d1864ba49d7ff949ebca50fbf79a5e63716dc82b600bd52ca7437ed774d169f6bf02e46487956fba2230f34cd2a0485484d",
NULL
};
/*
* Known-answer test vectors for SHAKE256, from the NIST validation test
* suite. Each vector is a pair (input,output).
*/
static const char *const KAT_SHAKE256[] = {
"389fe2a4eecdab928818c1aa6f14fabd41b8ff1a246247b05b1b4672171ce1008f922683529f3ad8dca192f268b66679068063b7ed25a1b5129ad4a1fa22c673cc1105d1aad6d82f4138783a9fe07d77451897277ed27e6fefec2cb56eb2494d18a5e7559d7b6fdddf66db4cbc9926fe270901327e70c8241798b4761dd652d49ad434d8d4",
"50717d9da0d528c3da799a3307ec74fc086a7d45acfb157774ac28e01ecc74f7",
"719effd45ed3a8394bf6c49b43f35879176a598601bd6f598867f966a38f512d21dc51b1488c162cbdc00301a41a09f2078a26937c652cfe02b8c4c92ddbb23583495ba825ae845eb2425c5b6856bda48c2cafae0c0c2e1764942d94be50da2b5d8b24a23b647a37f124d691d8cefbf76ef8fbc0fbdafb0a74a53aaf9f165075784ab485d4d4",
"6881babbb48e9eea72eeb3524db56e4efc323f3350b6be3cdb1f9c6826e359da",
"362f1eb00b37a9613b1ae82b90452579d42f8b1f9ede95f86badc6cdf04c9b79af08be4bc94d7cac136979026b92a2d44d2b642ea1431b47d75fce61367919f171486a007cc271d19de0d1c4c6a11c7a2251fe3aee0bb8938a7dd043d0eb0758a4768c95cc9f6f1703075839487879b47c29c10b2c3e5326ac8f363c65aa4ef76f1b8bd363eb60",
"c6ce60c1852ea780ed845aac4ca6a30e09f5c0064c9675865178717cfeb1dc97",
"d8f12b97f81d47aebbfb7314ff04172cf2be71c3778e238bcccdeecb691fbd542b00e5b7b1a0abb507f107f781fea700ea7e375fdea9e029754a0ea62216774bda3c59e8783d022360fe9625621c0d93e27f7bc03632942150716f019d048a752ccc0f93139c55df0f4aaa066a0550cf22e8c54e47d0475ba56b9842a392ffbc6bd98f1e4b64abd1",
"e2e1c432dd07c2ee89a78f31211c92eeb5306c4fa4db93c4e5cd43080d6079e4",
"a10d05d7e51e75dc150f640ec4722837220b86df2a3580ca1c826ec22ea250977e8663634cc4f212663e6f22e3ffc2a81465e194b885a1356fcbcc0072e1738d80d285e21c70a1f4f5f3296ba6e298a69f3715ff63be4850f5be6cb68cdba5948e3b94dbbce82989aa75b97073e55139aac849a894a71c2294a2776ce6588fb59007b8d796f434da6e",
"02f17bf86dc7b7f9c3fb96e4b3a10ca574cd0f8dedda50f3dda8008ce9e8fec9",
"152009657b680243c03af091d05cce6d1e0c3220a1f178ae1c521daba386694f5bab51cd819b9be1ae1c43a859571eb59d8cbd613c039462e5465ba0b28db544f57a10113406ccf772bc9fe5b02538e0b483225209c1eca447ab870e955befae6bf30dd89d92ddae9580ccf0dfac6415ec592a9a0f14c79acce9679f52d65fb8468012cbc225152d9ed2",
"b341f4114eee547eddeb2e7363b11d1e31d5e1eb5c18ea702b9d96b404938bad",
"eaf4249b5347c2395104a96d39fbf5322c9af2f8ec6a8c45efdc06a2b246efb5502952ab53b52ed9ca8f25a29cd1789b1b5333eddc29a5fbc76c13456a3eae8c9208c1381d062ff60a061da5d26cec73fb7a6a43eace4953f92cd01bc97ed078da19da095842afd938f1f83f84d53703f397fec2bd635f94ada5a3eb78103ebf4de503e8ad7295cb7dd91e",
"d14c7422c0832687786f1722f69c81fbe25b5889886bf85c7c7271bf7575517b",
"a03e55ee76150a6498634099ae418184228320bc838dbfe8276913761516ec9021226f4b597ba622a0823ca499618169c79eb44af2f182d1cc53caefd458a3ed7bbea0a5854653f2b3c20f659f70f23ae786238a8d0e59c29ef49d53125e50abf43b6f65c31f16bc174e43468717dddfcb63f5e21e8d4ba0e674140a97cffab1d5c165f1d9aef968154c60ad",
"fa889888d3b984c1577fe7c38ca86f0df859291502fe0b2f6e82c778babff377",
"2fb4178a0af42b155a739e2910b004e0781c1bca697ca479bf8e71430aefc043883cc7a151779013d2ad07a47cd652b5bdfd604130a1c565115ac51ff3c0ae56b5886c1ab2f0572e385e4fc33c430b874b46aedec49f9b6f45c08be3633bdde99ee02d7e9325276b74cc9d0fb6bfd85e093f2c2a8d3dcfa24308ec18c229f2072b8b32545ee0a9d46e3f1a0f53",
"254a115343d0ebd865e5d3ff6c61c3f9b65fe96ea92865a5681b1f1f0d1b00e9",
"dd344dd531f415a590a9c1838f242af8605bc0c29c1a71283ff5cd8af581683c94c48095e9e9e042b73804e0fd467ecb78699930696f3b6a9890108b99a0e4384e8a51bbadf99b53c358d8cef9fd545a97a13399861458f35a2e86309009c546136d086f058c0c7fbdf083750cb17250c5ebd8247c6f906c8db978a26123d30dec58ecdb7a0afd6face84efcbdca",
"2d56bef53fde76ef9849f97be2ed22d3c3d10f23b049eca2a8aba0d1fec33119",
"353111e447fee6f0bd05d562f30626ab9fb06384a620c49034a5eb3c0bc6d1eb1b86015053e6041ab8ac1cd7b4633512b0a318bfe592e2da6eabb44aa2bead0ba238158c2ea5db56bd7342efccf9d7fe76b8a6af45e0ad594816915f65749054f1d1b7627e4355ecf4e3af72e4d0f5b51877751c6f110f57e86ce942fcef640c31d94e98ecc959238683cb28a3f178",
"11b27034db724b46882a3086815a835947d19322885e08595be271c511ef783d",
"c4e5a5afa1c7d2edd5a21db8b4891ed53c926131f82c69d323b3f410114281fecbc9102bfa5f298e06d91fbd7e9b9661bbae43e7c013f3796557cf2db568de7c94a7cbf5a53ee9326ab4740cadbf1a0b1f59b92040156b977eb4c047a1f34a0c66a85f776a0d1ac34a5ca30b099cb0bbb2ba4c453edbd815b7f14fc69e8cce968bf453171374c428eef8342459db6359",
"f1ebe75725c26b82ffb59c5a577edaa2f24e49c9070cb9ca007e65938f33dae4",
"3b79da982ac5f2a0646374472826361c9d2d2e481414db678e67e0967e5cf3cdd0c1f570293362207191ecd78fb063347350d8135a4f02614d1de12feb70a0046939c078d7d673fea589460265290334d217d6231274ae0d3891e6f50da725f710c983d9bb16ede20833caef34f9dec3c36a6f9fc4eaa71256ac3a136b6a494dcc5985ba5e5c9773a377c0c78387bc8a4d",
"1fc7c4802141e2db7a9199c747d885a72d8f068262863843c9f4cbb19db38994",
"cf9552db2edd8947fd7fbbb2f7189a578343e742891ae6fb85fa0f64da8706e468f0cdc5607539db5726a2679aeddf3ac2ce711e886eff71dad203132e6ac283164e814414c7f686b011fd02c95f8c262920e9725c811a22c1339e0de16e5acd0036d620f2dda98e30c9324c2b778961e0c0b507ad5b205463a448199c9bb60b4f303420a1be3b3cfed5ab0d693cbe331036",
"b51adb0c2375c9d302ba61859040fa4bfa0091275eec1053fc13950aae706c25",
"4ebc9225da5f168c07ef62f621d742cd7c71bbd063269f5e51d65ef164791fe90e070f8b0e96f9499ec21843ee52290fd219c3b5b719ebfedcefe4efbf6b4490d57e4df27d59796f37d35734110b96fd634f5f20bc3de9cd1c28479464be84270ae7f16211f0be8839e8c8d0734ab22097dd371859d9be527a4b2fe83bba0637170ba6e3b1a2ef1c0cca121ffa57a4ffd78af2",
"54a3fd90ae00dfc77644ca16b4964c3b32a4641c5305704ee25d9f8fdbfb5c7f",
"a83f74dcbb48d679db402433020e33dacfa2c37f1e39b2d9dcdc70e81a2ab3d75f586c274376f90a39f49c0dad642cfa4f810afdae7157050847646d60cc6adcd27f7c6a24dab9049dd7c6111ab37c555ef2dd16aaa34d7e8de5ff41feaaad80a8bb8cec85fd7f2eaef28a8772828ab3a5fc24143a58fc0c15bf27ab1a4de28a8a1584f68f65b151154cd1b6dc5ac0dccba7c73d",
"5d084841c35b1cd9c43082746960ff5bb2d3de78f9bfdd80dc9ca4f5eae2a66d",
"734f872c431ab145706b7517e496a3be98bca885fca0105a99b54980f47caa84b60cb3720bf29748483cf7abd0d1f1d9380459dfa968460c86e5d1a54f0b19dac6a78bf9509460e29dd466bb8bdf04e5483b782eb74d6448166f897add43d295e946942ad9a814fab95b4aaede6ae4c8108c8edaeff971f58f7cf96566c9dc9b6812586b70d5bc78e2f829ec8e179a6cd81d224b16",
"14ec5a3c2ad919aa0f0492f206710347e742e7a58d6fdfd4b2c93dc2183b7b6f",
"10112498600da6e925d54d3e8cb0cdc90d0488b243d404b9fb879d1c8beb77bb6579b77aebdbf3e785abe61df17e69e8db219f29ae226f7ca9923719350abef876ec6b3920ebb5c28ccedb2a0b70d5d67a0c8a6116b74341922e60a867d24aa96cf1a89ca647d6c361c5922e7f91f9db114db322249c6a50dde28093c94c01166e11d66c26f73c322d1875f0f8e6bd41c86d803480d8",
"c9a88a3f221a857cc994a858f7cb4567979ada7834a265278e55de04c1fe496a",
"6969a27ad5d0aae6479b2b044bb4b043642375ff503ccb538e17be2f1e41f6aa88b1db991ffefd6087cfb20875920192b671be8b7381f7e1b33d8ff5213429f110fe475cbc74b3ecd2211f9b33f308fcf536e0d0abc36bd5e7756adefddd7728093730ec339c97313179b9e40e3f8e2a2a5c21f5836bf0d632a7961239a6a7f77b44dc700cdd70d8abbfc90c8dde5bc45dcaca2380df4e",
"bcdec7a8776380df27a4613cb50b7221995d3f752fa55691798ac2dfa0b15599",
"163cf8e89b260a81a3d6e4787587a304b35eab8b84faebcef14c626290a9e15f601d135cf503bc9ad5d23e7f213a6146787053f618c6ee90467e3a8df1e03387928acc375608339f7fa45788077fa82f87e11d3c58ce7cf3f8dad6aeaf3e508b722a2a62075df9fa6af4377c707ffe27aa5a11468c3b1c5fce073dae13eac2d1c9a635c5502b96115e69e741a262ee96a78336fcfc34573c",
"181d10fa5a58ca57077be52eda53910135087312ca7711084e4a5213c81cb4a2",
"3a023141ab4db8b08c5cb6792ad97abdf0116d512ea8f4141a8b987f1527657d2fd98f7deca55cc6492a3d0bfad53e40f656a1ac3550c63eb8554f24cb11819a87c5ec009af84e304b69b50eb847e46162a4f8e1ec284b902002994e332461a84ab08ef23cad57959aff64a9ed9632c73ee5b818dc964bb2597cbf25d6c9cf508081be7a5b2e3f9e3fd69305202af11a92002a7b8b038d4c6b",
"b75b698857675f8aff2b482ac437925af3ea86198484cbc87b60e6dacb13e7e8",
"2fd7ed70c6946b11c819775fd45bc0924c02e131ab6d4a3618f67e6d3b77801d4f0d87ea781bf9fa57929757dc70f5945c872eb4e480d547cc1f2fd68fc99f81da4361e7e2bc7b46fb0ef1e3674139ad6b50ee1da830c960a90fccb8b9dac020f701e22fac7eda3edb14eccd1ad47223a1e68a35a1860cc9d74dbfdb60b2cc40cfd072897d6afc2a202cf0dc9f338a3f25d068c4758987ca7d61",
"85c9275ec610ffbcd7f785c0ad24b7700b32ee352e6720f1ea2305bdb7f45277",
"cecb838187223873bab25205a54dadb1ab5a633958cbef3aa04f930467c8f7a947ff12548d964ddc843fe699f72c9377f1c76948c7a2fb5f58b1c65a94b7cd3f3bfe80cbe74be2064d11eb1bc0e52b67f732b1d00f2e2b58d30c4ff13c7479943430958d9f283f199c9029320860bdaa450404773955c74e99c9f47367e642cfb9fd1843bd14ac3cfa246887d885916763a62ae54c011668304e7e",
"3a5dd05e009e7f985a2668885dd0ea30c5502a1b5c575db6a4c1149c2e6229c1",
"283dfdb2e1dc081e3c2b377ba5bc6491cc4af08c40fbfa5e3fe2d45fcdc8b736032cb5fdaa88f0a008d60a86fa53dc7443836bae2475175f2d48163a52ee216241306d87f3f2dd5281b976043a6a135af2555ab39c71ee741ce9e6ac56d87ff48b510d9ae5a338fe50db643b8c8a710a80c8a5e4d278e667b4ce2dfb010f37b588987e7ca822676a1d44bd7419395e4e96e43489eb1167ff9efed170",
"5643c4252210fd45a2a67cd0a97d37e80d1b4a3c2fc86b0c3a3b4d3c1723b9ec",
"f32d2e50e8d5df7ce59a9d60255a19f48bffe790e3b1e0ba6b4bc53d920b257bff8d8003d5faac66367d784706f690b2f1f3a0afafdcbc16866d00a41169734f418d31d7a1c3ca9ede99e5b986f1294710fa5d011d5fcd13fdbef02b755b49cfbf168bf3d39a00cbe5d82bde2fb4ad5cf0fd65b1b5a3db5ad724dff745486da2830ed480f3e61795542094dd88a5e3989ae501e5ff10ae921c89133309",
"1ead94e30440b647d4cb4d7b3ed6b87ac07e8d72b3e5f28352bf14a78232ff1d",
"8bbc18eab6bcd9a3d6b90ec56d3be949e02a8866d69c7808e1ec787e600c7f72a41c001f513b6cbe079df94142dda2447f956e41a12df60392f0215d2d65331b5cdc06397d4796530b4bc45d7a975394627537b4e09e0f6c3a53f00fc1a9648cfc25b2a00288604a28ecf780dc100620d1f169295d9acb2b1f3c6afce4811aadcb1e8dbca8a8d18ba7a81a1132f1c2d014318e07dec7332889d4198c5e95",
"429f15c653f92734bfe4d1749e84da8c28861b70c5158bf59809ece810221774",
"a3d0eecfeff88df1cdd1e86df7bd2ec3ba60bcedfc9c42ef7dc021b05dfc1808df19201a6c6694e4dbf69514ef08ad1d21c7b28ba034ee9397607cefaedef5e9d3784db53a21f703a22b50d5dbba3a8e8579074c1a8b9a782fc5c89cf61a047408563c476110fe77acd9df58c2ba1d3e6dde83da718b8dc6cd57cd5e3e988dd2051cb679ea1af16881690b44acf09e54615eeedaad1b11a4f97e53de8d40d8",
"afccfd3b18f6d292d2e125884b721b3e3099c4dac8aef05ab0fba26799043d02",
"2ecb657808b29574b020545fb7f94071406047ef4de20c003cf08cbd91930187f55b079d7f99fded33cdae2bc8623021af990d4650c4a19197b4c38faf74a8b40d3803efb1907180a8e1150ed6167ff4f293d3ddd26a2790e9d22c0d0ed511d87e48a4952500bbd51943d230687df5941334e1dc5a3e66a43a320f5c351c059c517531b76352a1938ddb2db806ff5aa619667e6c71a7257693bcb4a7acb34ca8",
"c994acd17e08e8efd3ba83915245781e3727bac445672c44e6335e4f7deaf90b",
"e649888592d192c5fb59f10560f5f5a7b0ac21739c35dd80f1fe6b5825731c572f7cc4549c476b84e049459aea7fe533fbfaad72b79a89e77d1addb6f44cbbf5e6a65a5552fec305bc92ced3c84b4d95074387c71184e875d413f65c2b2d874cb3d031d0da7d0311383d72f823e296937d8f97bad17a62f29ef1a091f39be8233c01330d5c4c9170fc501b5022ca29f605e6c59220055f2585bcc29e742046432c",
"88a9aa4b4ffac981d1ef0e8b233cb309695f89211cd4e94d50760909e3cb919c",
"816b0bffd99b0f7821e6093ef152723a9cb45f7a082ef8d6bdf72cd33b5aa3c79102f43e2b74199decdd20057d0e227ae4c57945582e2e9653a9b16eeacecdbc5aaedac7e35c35cbd9adede7f83bbf36f8b0453d61416a85a17821885b3757d203fa2560a85c4b4c10dddaac0ae230b700fd2929cc6f94e9ccebe4e9399d284eb46b3ed2227b4366baf54d1b5c0a5d4225358fd240c0940bff8b62592a092a7b978b",
"c593f3d663c48426ce892f22584d49a3335cce3456194b7b5ee4814fab477fcb",
"a10918880cf31a8551af80bcb0d1a6ed71ca42c71e533967ef0fb71c866b7e6ddcca7e5d7cdfa6edef59fbe377c6e7ca00b1d33a530ef8598dd971a2cff995e5386a858f109b012c4615802a1d5e7fe0221d19cf617ed827d8d8cb8d2c8ed81b9b3354a832f1d14a402b371a0a611737c0543b0eb06b82d8ba56eb6304f1ef16ef6b143049a7bf50c4e2493aa69756d8c39f627fa89d9d741a99f9afbfeb81de1a5bec",
"d557aed03eb7c4c4c8091efdee992c9ad7f8d2e79e9296b40a08acae37868d48",
"de7ba70e45c879ad6c90ada6fda071c2b692840f7893eeca9b69ef8285b4357b7b735151b6cb6cddba04365ce3d520ce41e1cb9da681c07ffcc4619ddcb420f55ddbeefd2a06f689d8498cee7643606865a3f8b96aeb5d1301751438f4b34fe02dba655bc80280776d6795a4dd749a56cae1f3abec5a2d4e5183ee9bf5382c0492199eb3b946707022673bc641f0346119a3a4bb555698f895f6d90e06cc1e2835ff814d",
"06cfdd9cd7ce04abcdbf3121a9ba379505dbbb52f148c9d28ad9b50facf573ab",
"6e9a5752ff8ae7c385b088e651ef2543daae1624562052f787c9e0f5d83e8f01a82ce7d3e69b5f55de74d14d52412a3dcd356687346cbcd59e7315b8650bc3907e2a70ab054354b11cc7ac3ff6ec67d22fad22e75f125660eeb1d02a2a75621d969ed92385092e9de8b20102657742c9a91f328afe9a8a60208af9914c03d4719b8f0a838e7656e2ea3cb8dfc66a25ece2927eb93a8dbf9cdb077936f63e82543306ea1347",
"cb1e8082bb94629f162f20d815bcf3b212007bc049951a29ddb18a1f556bf3d1",
"b05007119789d382fa750d2087dde79b37a5459c24522b649ac976b07059cbdf99fcce56f6da94246e0f5ae241ae77dd99068f7863240acb5c99c4906f7d06403eb3b679ff6fcaa389f602d3aea5d7efcc35af149f3d523459f8a104f5498615c8fc2740594f5f4872b16ebb77c9ef19f7ba0b3881a6ede7b97175d2aac731a65e608975ac82395b52c805624423a7a3431e0daeb066c12ca389a9c338fef03a296644dea211",
"9021fefc1a020cd0c579e3dd67a66dacfabedde9cd36ddfc7d5c5c7c47be2721",
"a19909e14ddf9b3c470df6bb604604ad767c38c83b2b747937472b791173c3a10a733dffcae417295f2a71d183ab709a1d3be02a0bd61d811f95338967db44eeb2cf2a2f4f105ef618a418a5b031b831086f653328ddf43c2cb30b698c188638a196199a65cb374a7b61335c6f40a6193e01100a19a6c2536689fb4308935128e0ae5268937d6ccd8e4a0a21484000fbc7da29d8669b4e6dd5004a3c61b36c6676011dc0628ec3",
"7dcbf4dd9c27fd8340f51c553898502cec53d3bc83198352fc58465625c076a2",
"b0dffe4a5f64f612359397e4e070a8fa01296c1d8cee25177104d76a7c154e4279cb62a99d9d7afa21e84f983041f3df030a115b4b437638cfa3d0fa56e7b66fc76be9e18ff7da8f43db6c5f863efacd2eb39c27a20da6fc867572d29bb96017e0e71a5afe1b1dbbe29575a0ac0ec7aac84c95e85af5be4ae0a14458133252230d687e7cb1b04b65483df2c5685a62601aff85053ba2c509234fcff585fb967c96169bb0725f6d75",
"8e7023d18902a9184a0191f1c7a2b79030e833800baeeb33e2d0673500245dfa",
"dda3625c78f733c7df0b5f4987cd30d7207afa40ca07f3b686c0458aea2f62371a3f98a2f3a1e5a0896f0cb9d40fe82ca65b0132e0fe5d87e621992750483855e3763ae2bf98f0acd9201065acf105962c7b88e3fc277490e0f5d6447563440d209271a544a4fef4b86892d578392c1d9a23b8da8448e1d85d82276ac14a3166b9d96472ea8cb47e0c8dba929eb007cad89bb99fe22a4c674312b21f9cc4a56996943cd1191abc54bf",
"ad83957a387225aad811b0737f582dbe7eb616187a8ba8e09b00db5d0bee4a7b",
"5cd623be5b6bf6d1bcb414c826d0f4ce60793791b6d82dae9f9e9b699e50bba266e2850541882d80b2c9edfa59d504421818ff45740f37853e5b9bc67214af0a5f5fd5c00843cc39cbb8765b4001de99643c7923f738ac5922868f865dd3f1cb90759c597843d9e34daa3754a2fd89bd8c0d2e9106fa95149448ff11273587cb414a603759315f6881c6b94b46700d94d8b2a5f86bfdf99ddcc974cf98e47bf4ba09acc273b463afaf35",
"f754a71e3439760aec2d763751e160d05d3de0809dd4fd6aeef588da8b86a517",
"42c0a452e83840ae858c094c044961d5f2195ddb34a21cd1f5ab575be3803ac99b9872dd617688d515cd6da562e756853947c9ab7e8ef85a019b4f1baff6494b0a6f87d5d602234115fe42ee3667e89b8a98112cf72cfdabf01fcb8ea4314938768b0bc2aea5bafa6e67aface78fc021cc525ae60746d1ceac7ff33a2bf8e398c935252a5127f5090650dd69dd28861ee9becf6017a21ccb1b03f0a9aa15bf74eab5fd9727507b75c701f3",
"d5980482d666dde4f2c3a99b45e523fd6410be999a96ba8c5df397c950605e70",
"fece673103322483b85340e991e478c2c15e2d795a98adb5b697b4cf17a733898aaa4ffd11b1add300c9edb7a818740a33286fd8cf82140b0f7f2bde8d5bce94d58b6d697e5015c99a8df1c051d611b2c8c96a4c48a11eba9c08fe1aba2d4d31a617c75d9439e2cb4d4654ead346d52048ea26bb0c1c522a26db346de54639cac6f668c299919f43e09c1f1f78914abd7b32ac0f641c39c3749fd5be55cd1ac6fed1557ed683d1981c395946",
"17f4b2f60cb364da5e8a62db58e07eb1c44b888c433adc1e62461879cd271463",
"a542b2bdf8e04ec2a004cccd2f89e7bfd17ace1ad285c91360ac20e9913e3976a806000494c28b61b9d7ff36f342ad94d8d281d03e949d91fe8f4127f7b2ee1e550bcb13133a47c7be2400727cece45a4e1f95a3922e1269cc22950ca58bb7cb34b9da957d2fc81b3755982ad36dd238b9c8d33dd53a72c452cbe341a5afdca5ce79f730da8b5886add18f06feafbf57a33700430fa003c919f3f56dff08a5d3aab1e88c33353d30a700adad07",
"50cf700b5b6c802e20da4c1f9b75bd0a6632678212bd0e2418201f3a10389994",
"8fa67f49db80f22bc267a70e5636dfbc8a21c83d9691fe4b9c3051068b3fc9e94430e7fdfb712e4ce086e299ff5a104e65d7ceb685b4c46cda8eeb14cd3b9548d85baed5ec2f412810af3d034cd67a75c541f70829f8663c4d8cea3415621fb0954e5b3b756333a69a0a41b402522517f087ca9b4a06eba23f4fd5d02c5c6e07c132769660b50dadc5c07515ec751a1d2fd2cfd8b0855b85f602344fdbd28a37a52e874e73ccd627dbf9628cd1e8",
"3379265620eb781d6b59e331cc525e60e8c063e19f96cfabb2fda9aa83cdeba5",
"23ae9cd31da25c0187c0247be19e089872742d772f73d0efde5889c97b40d12ddbbec35b8f2b1f9c0b3d947708db3f2726306f4dd6ffabe37736f671bfc551835db0825adc6314e2cb479fe41b92497dc8638dcfbc0e3bf6f0b4c03dd418a892f1ad6138ccf442bc0e04cb2ae36a2f80a0340f63a849891190fc719781e0de44dedde95d2783b1121e9fa3b1280cf81af5cc7e7363579c1da03390e68fc5fc806e67a132b5bb6acd413eace2b120ac",
"a17a00ac106c0af50c4f449d3cdcc2cdbb9848d2d85a36ff434099162e25606c",
"3bfa57a5f9f60203059defd501977628908ee42116e4674dc0a52a32c5bac02aeb60c6714cd9c47c5a61558c21648884ccee85f76b637486f3709a698641c54bf5f5eb5b844f0ea0edae628ca73fb2d567710080e8a96c3fe83857fc738ac7b6639f0d8c28bfa617c56a60fd1b8fbdc36afe9ce3151e161fa5e3a71411fb8e123d48762bc093558aea7f950706bb72f8dc7ca3497a2b3ccf345ad3d9eafde10889d76c61d432e3a165d34ad0ee2d9619",
"1a2cfebf3483c33a5eba84121737d892cf8bd6c3ba324fd4ae4c2db42872e54f",
"e9b9525afd5634cf8d16df4ae7e12e8ae206c6ed6e7d4dd96f6fd75accf7a10cc22b023c7f569e4aec88dd51ca519c0a00c922ee33d3559b98a32d79067e6a9d50c182eed125de864841455be751991ea635c163ddbde6031223e2be0fd9f5253885bab81c4b5a4b4a4a00ae66698d8c7c538c9493c068d786f7dc710f90ac6c257f93e1884e7c609aaaf5927021e01d292a6bc87e6643e09b2505da2d2cf639bdb6f3b33cb8ab8fdf690b512d02fa9956",
"3ff47b4bf4f908aace95b0468a54b7e6644fe07df69ae327c0ff2e45325b97b9",
"13ec10c6b27a6ce6fdd5e2314e8626a28a69f313ec62f29b044cde1aff32e61228c252b9affe6a4ca93593a55932bc10aeb3f85b0c1d6c2c506d6c970e72e1f01c3aeede55cad3b1971111f60e1fcf48b5937c691952b691617f6a058ba73decf83b2b5e2b446ebfce52a24bf5b526f1a7f0c5659b6b96713f68208cfe38c2adc3af5361b9d5051c56de8fcc975d8bb48db41c7818cfd574f312d652f08f38dc857dac0e88e55e70379f20a37b7dc4396ec6",
"9703a69f279ef15b843b355f86b3f7098a46eafcad625920d93e0e3fb136fc5f",
"3d8263a177af8c5beabc76a4388e0816ab1bf1f5856e985791f15688feebe4ac6d480fa64999b339575be66d8e7c7435281b8c4ef990b86a00ac128e3c41b6b9c0e573c60af4c69391d408639d7de6815b38122731a6389d4f0534a587af82175ee3f5c963c8acb1bfaf434e0e9946436df9eb46d4bb0038a7842295873c300f6ecaff76fb1e4fdb0a75fef588d87cc486e67f738bd4f8832fb24526e5f0a8e91920f8967bfd96599aada321b4437049cc8836",
"e82d636a61c7657029699374a2da3dfabfae366e7708c7e4ba2dacd8b786a36f",
"01f793fa05548645f644a64ee1b5ff7fd38eaa233f874cd59f3ddf385e86b5e9f601b9b256f2f901864d61988d11c98593d7335543ab4d85731a3e39078c9e3012d5c6f83f064b5e7089c529a46dd5081efe66c8c49932cac5be88b57e674d689f98423389388446fb1f5969ee7029eebd29cbe489f8038edc5148148cbdca77e375b3cafc2fada07038a5c133c3cf21b881eb125c71c6b801fa03bdf9371b472792a3276094ce5417fb32973a0dcf87572d4db8",
"98bf0fd777137c94300ab5b1bff7b3f487a03a788e6bb96c715ba6f10ba1922b",
"71a986d2f662bf36dcbadbba0657f4e2797b569610e2d82271ee6d813f01f6db922a5a4ca405d9e7cddc9dfbb1129294b8c27845bea337250c2f721887045e50288ad513acd6a6be8dce300a308e2f8e600bd585fbf61dd2ebe45c4158ab18101c0f1eae789ecfc205d8bb6fed9371d65a9e94dd2fa5322ff75452851abfcc2357025ea56e24fbfb1d4266b34ee900768fc3dfd6c2761f4716c97d6a36092192c0abbc81f832d372be535b5dbd578576e6c2dbf61d",
"27255d504a38296857b8d382dc8ad4f1ca03ef3a8d1983e54bc01ef97b04e581",
"69ee06f5f53f74c76674751f8fa80efb42f43e71132ae0fc5ec6d2148c21570191e8baf0b9cd3547a57c103690d10d8ed84804d7b9b5cb9d5b35580a0f642abad5d0e5ca23ae3c32e1cc1355b8c7e5d78c7e64af47c6607dd960ea1d7d28b97c3d8ecdaab84a5131234cc6a68ef25e7d687ea62146c76845e02fd0745cd4cdf0d00bbab9020a3eec72e4714e9abb4029743012573d1fac9c798a513937d22ebd962df61f8854ca0ad67c5b7864885282b77df076b436",
"600b41954a9398ee66ea0e603c8c80d936fbc8be98c74f44ae13b0aa4b50b8d5",
"2a74e9800ce49aac07af3df2e451f245d4ffa5304c318574135eb7f39a064bcc8bf66fc8a4c8e2f5c6a9ac90495f0d28938ab301e9292fb78461aa23e87ad482712b1ed42f172983f4977e45aaba7f43ea8a9e7bcb91cc63f89c34cf06bf2a1404995e6e53d9569fb8011bd9af6b32de0289cd669b7043c19698bebd9bdd33ca6bca985cb81751913a70eb14ff790c41030eaa8a00cf7c1987dcaeb650ddd9eccf46326707d902a1a36c56be43ecf7b414a29caea3b55f",
"4e549f206099a8b3183fa3b86af220b1b6554ac3d8d52c54d093e68f60597256",
"5b2e2f2fd3ecc733a6198d34e5d143c176b60c3cc3dac6deafdf99fbce5cd088d583e8da4f01e7b09226f074f24613be345f691a46fb610b2d5855503ec761659152744db3a1a78f9b1fce7fdf584dbe28a52e04e40c701d3a62a13243b2af4a77e3fb106594afd7a84b52db16cf99ca3ad2808305d39a1dc043a52b45e7623e6f7da4accfa2a690a0f3a112fd739ee9522d891e111a8812a6448bc2ac2c234a616997a8579335c36d5fe6acfe0b052358fd715d70a7e104",
"24a3de94be98126ce95cfd3140754230b6880c71cfe4ec215c3f451bdc8bb690",
"013944b7958b6b3686b14bdb042f2f5b42768edc20fdd6a90894692b15f6e5157b9da9de23da95749524102f1bb150032343d6fbe64537e247162243fea59f95f53e95aff2a38f82775fbf06e7574475e9a2a8b8119aad1ebe3349543e8cef9239c410124c0fe2c6f409604aae4a92185c3a0efbeb26bfc63394e5451ed45d740dd823ef774615aad3caf9e2b9b1c25344b40facba11f5406fe1fefee6a571a33a22d42ebc6fb094de4c94b650b55c9068b7b3b3c783d7f53a",
"009661924d01ad811d4c598580eb954362b8554c5e9cd13686acbe41ac8c3940",
"72c2880163482bbe822cf72ff0e02be7081d271b366fd94c0cf37926925f76a9de44b086e590e7cc915773c314d336187ba9d03b866d1106b769b49fa99a4a9fa3fc74746d085504627a4792c757cde65b2fcaa82f9ff00eb81b7ab723ea1ed6e8723d92a2b65ead1e1dda64b275d897d0377c2ada0d5cab38913435a958da94d62f74a92da4e810ecc994017c344074014a50892fbe3e265f5448e2e2eb662295ba7f81b5dadc76f504dd31ce9debc517efad8cd5ba7fc754eb",
"77cf32d62a3d0622cd90f7c858ce1ae3bda60f9edc9cf50f7ecc9d7253d8d18d",
"c6dad2ff2cba3ed8873955178068b5704cbccf1e8c62eed472d275f726a7670a68ae2d6a763d943b30c616a27aab5a34e254feaf838093e828d8e905b5ca8decc39491fc8b9f8bfa050fe04e5198436f5593789ca8515ecdaeaf2ce905eafb3920b5851d32892cfd4e3d3e83ccd67707eea0c74bc47e56694c7ec609deb0b8d7c739913535a37e2c5377b5a9b40efee6f5a472269eae83a54a6d3dcf08c4ccb000473dac5a9489705be6cf28d1e7e1f2b2c60293008aee6aefa61b",
"8708b77ac39005607b179857c037f64860540e80ed7c7a4240e09ae62c88f87e",
"02553a2117e654ac28d948a6f67a83daf2089a95ff6631ff78131baa755cc36c4ad0ca6a51f5f176ea393a9bbf2b4af54deb12c6a0dfaec75da88dbc0655d34b7ad6fb0ebbb3c1e7f4fe3f94bb865683934d4fe7b53cc20b1016b7e68eab0cf1994e1735de888ba8500ea0b970f16e2acc159a1ec6e435739743e15194c53603af1f640640dd19600653a53368d55c92012b3b935c3fcfa6fc195325a00d192cc5332baa6b1831b81cb3952a2b9be6643a777a70feb5584d477f5489",
"376b551c1e8f908d7e1979efa436ab69013d2e85c34430dc826179b4f94480ae",
"9945c4f0e067b943986b6841b8fd21109e91d2f2549c711a11039abf03d37a6e4b34eba44a98e09c1b38046660c19e39424ab80ab38a805df648ee5c6212a72663322269c1de093325afe205d955ee2acf885146e5417432672ba807d5540c79e729b067cfa1faafbeb84947a91fd98a4d32e7cf712a15406b940feae5026f10e100dec5fb497cbaee3b83545a892701c530c0cddfac2a300a6b6c2a19829992589ff4accd3e57f9be20d65374f99f393e6a2467b82e7da94c9807f2fa",
"a4ab2e8f96b69097d84596b628e7bb76f460c001043ce5fa6e379fd29d1eabba",
"a4d7897eaf5c49979b361c39a67f47e26c2f75e5ffe0645539d4de245138eb8cadaa45aef7fa0c7a732dbbce90c85be2bd4bf6e37dfb4fdebee4d0e0671fc45c3051c6ccb674799bcfda7a431a6e93b3db3e32f30636190a9a2e5620302876e0d4d2f6201353fac4554341df6efb591c6f100f5dc21a2aa176ba592bd7db69e14237bbf2371df6bbb072f9ecb1f714e621c97768d82eea6bf98ebf4a82c005262188ff894a5dd549866f88b00ee82bd99872515d71fac230ccb472c55a60",
"9510ff5231813a865918badd0011f05915364165492ef17b85929a63e4951589",
"22813ee9edc5c2a90d8b3f07b48d9534e60f08312dc296d68fe78719bdb7478d8d037129aa182c4b8ae5bafca1604e76d5251ee43160ba68ddee9c624ebf00f0ba7ff6b1cf75b5cfa4ab323cf04ff13b7a591b23d06ed25f3c04c1baf4c8f7da913cf509c2a5053c4224ce4d0723268cbdf2277672b285c493731ea81799d353fa8497baed70c59a4c99b7b950a39470863a69667ff67c9ec981ddb41ffb3d63dd9d034bb79d9df1a95214083199e4efbd770a7a5f005ef5c877236674b6dd",
"44f8a8b05fc643566f1f53a93a122f7902d2cab68bb02267c0479339371a7304",
"eebfa2629596f61a926c4cd472ecb03eb2ecaf7f7650b12f7d2b8aa755284b7ccb295e46a62dd2a69577f38765ed1ea377bed34972470c5e3538cda310f2fd353334745a66f7557afb969e6c0132fdf4bb55e68951d5e25bc4fc2a9427e574de0d290d263ebc28a0ae11760caf85f63765fa0fc47ac2dc2c14c0c70404c9597f415050339443f2209430a2eed5acb1765df5768457d6a1db0ccbcc7a0e66531eb6f16608d1555c00973b4a9add70d5b88b8e44504fd9da709367627fad840bc5",
"9949d3ac3c05b4a08b85fa371811fd3f0b50c71950fef50acbb59c450ab1c587",
"ddf38f51b732aea3fdf1fe4c756d17961262163d737f407fad17e9724a19959a92425cbb099193ec38fca8edb0614eba4dbfda60b8a6ed102fec547289a22c3b74464a02023ada50647545f6f57959a37a85a4b5a70b2050e66416ad55c33cb50d6820cfaa16caf608c69d0e4a9d7f78211c3ae44b97216659e8f6cdb6640b30e50ea8c90a0bad06ac5678deb9b50962caec6494a930377b11debd77b46de2d382a2a8992902c9aad88d9e0d49a93f88fe5dec6dcbbfacb794b0335558c609c66e",
"954473b4965a57c4cbb20e199b8730487eb621f5fd694a1eb1667940da0d6728",
"184e1b9ccec71f837dca25838db073d51cacc26246fda091a468135d12e67faab69ac9d93e05bd9a687dad01c8db5bddc6751a45e64c2f734c867dd67f1e62626ddadc2baf7df0320f3e4c7e477a2b6f0ca679504b87372bb3a522e173fd8f7945f69ab9ab967ff378f6482293f3a936f82728abff188060e1ae48a778ebd09846d64cacb9b83487ad8bea1433b09ed791e06f7f8a65d2bbdf8a384f1550eb677962392b624bd593b6e77a7daf17d1fddfb995f472d8f5e4b41f3a02d394a98de583",
"0a7506e1b6cc43acdb4f2ec456e069e6e4b7608deb70dbe7ccb88578658be9da",
"c436d19f05550b6979bdc69bfd27ea4cd80c1a60f00a8b093e89178c7f9e8d492c304cf6ad59102bca0e0b23620338c15fc9ecd1e939ae91da16486f72ee1e154d41bfa391e6ba3b6ca9b3c3be39b5e61242ca5cd3d6c96cbd1170af91fdb2160db3522e1bc3b1a349d6e50479920ac5d9bedd8a16a787a3cdc2b6d24392f25555cc2f20b2ba9e6b47ddc96cfbd6df669d874ce21a758d3cf4704362ef7786d90ed67b01bd91299950058885accddbcf44e340ed4807864218653ee7ff7215aa1e1761",
"206be726fc681367387ff0a15303533058070f9655438ad8142cf39a0523b2ce",
"daf7c7526cdb85127df59220fbcb67dc5069ef58dc069a18a2e4ad164178dc0927cb1ae70120b0a975d78c4e1491dc228a95dc401873ec5645e7e6a8d0ffae58e8800be49f87b5f09d6caf4611ebd61bee86bb945325ae884a001b88b6be1a1c87de41503057bc6f5b7ba00fdb217d4de203335a746506371bf8f4bcddfd45df6bad65339bd9efaf18ce0ab1587bf842cfd6ec9c637b1cea1f96184e2b045a28fcb51e96c85574373d2b9335724170821ec58f6108af1929bea430458a1a7f80a2be1580",
"742389244ad26d7a16d1f2b01e9c83e987a283bbf3aa2907a556746fe8c98c38",
"597dadb776945e01c564f17eed4b5c1bbb34eebb13bce37d2d93363efe24b660f3785cc9e557dc2e4ab17a91a83d1f085060acc148508e43897993f66a20fbe65d46d3c4d9cf7e2e97e3952f0195f10ae8c20533753c719f6228d53d69a5e3c5fdafb9b039426d8716c2e961e09af9a8eb24a21b82c9b6192069a51ce3fc96843d7ab696edf9d0c42d151f2e2d95606ac14c2a80563c82392b02ab9abe6e3bab8471747ddc3cd06a46a6de9fd0ce4dd8d202466bdbe00088ebbb8ebfe341fbc2395a986df0",
"892985bdf2379f8ae138aac016894ee23408955d627cfa699fa5fa1439340a91",
"0efc14917a94f5320eb734c2b9e45f659d06c9f5c454deff0e76b30f6ee9e22e56a494a870fcdf138fc5538ce5bacf44761f993ccca4ae4ced8d576a8a10fd2979fe3e8066a641cdc5f746190ae4819e1d0d2886089bcbf6f36be44b5370afa45e523ba0c25bc169969436f1912b1c7b7a189d5edf00da050a5a813b31d09da5ede8b390ede30aeeece64a9ae05749e4758a2149b99d868219a056c18cf972370e07cdd95006c264ae33ab9e6130afdff6a9dbd1fe38747408868c65ccb4d45fa9f9b102528c",
"73088e0551c89477bcb675245c5c6347b4230390285832c7d723bf668c8061fb",
"9ac34ec974d28b18b7bcf6982eac60ebc670b0674e2acd697b49bfeb2fb81159fa5579a1e2a5bb8a5fc6ca46aaa5304a3771b15d804f2bef054fc1ad919e3852befea1c0bb74394f4d408d651412e247107bd32e64a23c9e593857f3a5ae253deea5104d8aa6ce108913881cf55d3c89587860027f8cc81b7eeec9e5f44e9fc190320c71d4a3427519250394d4ed07b9174f9e005b7696117c575fad05e76d86ae8cde5423d25d25076046f4392a0a7e56e8d6517fc66f265c5d617060e258354f9dce1dfe9de6",
"17cba68f47a0615b3513d28a44feda6ad36b6e6eb1ead7232f4e2a4e1a64bf50",
"d00df64c4bb9e2fd16fb6f9ca746d6cf162015ec7326e41a5d51e9b3d0792fed3f17d5bae34f03ec522e229d53304dcef105024ece941edeba410892846b2c7a1039ab82aa9750979a7bc70bf96d093bc3461b6f2d38f801380eccc286b562996cfce06d4a98b245176bc4ae4006f45eb36cc71636185acdfe429c0a7d5fbb927be7dc43685a0f40f185824ed102f57eeafe6d0d943e2d883564e233126f1eac648207ccafe651ce4f5169b35369f3e48f84771aedb2577b04fd0506ecef72305055cacfc4435e38",
"67302648e0082254d8d342b4eb8070ef9a44e0fc55c3d9a3f20613e4824aff21",
"fff5deb2bc7f43bd2db44ceff874e9c3b7c1a2f54cc6889f74186ca2a03d5047006b1b26e0919147379c81887df3403ebe43571fed8279607a2eb81a26d6f8f217dca3f927799ed182017c127069f2eb6f068b0d85979dc4d4867c676f6bedf36cd2def33b3e54a3366ea45478dee612f391a785bd0ede15aba921512103199228d434dbc1e899047a6861183e5b04fb716c11503dee2399261d10a0e5a76317736b0d7b6480573e76791b246ae734ee12203336ac3f539a6e6cb01c625eb3c9741dd199ca0d759753",
"bf64c9ab7042245fb2d8054edd699086dbe27a1ce904174d28bc0831ed9acf97",
"8d8001e2c096f1b88e7c9224a086efd4797fbf74a8033a2d422a2b6b8f6747e4",
"2e975f6a8a14f0704d51b13667d8195c219f71e6345696c49fa4b9d08e9225d3d39393425152c97e71dd24601c11abcfa0f12f53c680bd3ae757b8134a9c10d429615869217fdd5885c4db174985703a6d6de94a667eac3023443a8337ae1bc601b76d7d38ec3c34463105f0d3949d78e562a039e4469548b609395de5a4fd43c46ca9fd6ee29ada5efc07d84d553249450dab4a49c483ded250c9338f85cd937ae66bb436f3b4026e859fda1ca571432f3bfc09e7c03ca4d183b741111ca0483d0edabc03feb23b17ee48e844ba2408d9dcfd0139d2e8c7310125aee801c61ab7900d1efc47c078281766f361c5e6111346235e1dc38325666c",
NULL
};
static void
test_SHAKE_KAT(int security_level, const char *const *kat)
{
size_t u;
for (u = 0; kat[u] != NULL; u += 2) {
unsigned char msg[250], out[250], ref[250];
size_t msg_len, out_len, v;
br_shake_context sc;
msg_len = hextobin(msg, kat[u]);
out_len = hextobin(ref, kat[u + 1]);
br_shake_init(&sc, security_level);
br_shake_inject(&sc, msg, msg_len);
br_shake_flip(&sc);
br_shake_produce(&sc, out, out_len);
check_equals("KAT 1", out, ref, out_len);
br_shake_init(&sc, security_level);
for (v = 0; v < msg_len; v ++) {
br_shake_inject(&sc, msg + v, 1);
}
br_shake_flip(&sc);
br_shake_produce(&sc, out, out_len);
check_equals("KAT 2", out, ref, out_len);
br_shake_init(&sc, security_level);
br_shake_inject(&sc, msg, msg_len);
br_shake_flip(&sc);
for (v = 0; v < out_len; v ++) {
unsigned char x;
br_shake_produce(&sc, &x, 1);
if (x != ref[v]) {
fprintf(stderr, "KAT 3 (byte %u)\n",
(unsigned)v);
exit(EXIT_FAILURE);
}
}
printf(".");
fflush(stdout);
}
}
static void
test_SHAKE_MonteCarlo(int security_level,
size_t minoutlen, size_t maxoutlen, const char *smsg, const char *sref)
{
unsigned char out[250], ref[250];
size_t len, rlen, outlen, range;
int i, j;
hextobin(out, smsg);
outlen = maxoutlen;
range = maxoutlen - minoutlen + 1;
for (j = 0; j < 100; j ++) {
for (i = 1; i < 1001; i ++) {
br_shake_context sc;
len = outlen;
br_shake_init(&sc, security_level);
br_shake_inject(&sc, out, 16);
br_shake_flip(&sc);
br_shake_produce(&sc, out, len);
if (len < 16) {
memset(out + len, 0, 16 - len);
}
outlen = minoutlen
+ (br_dec16be(out + len - 2) % range);
}
printf(".");
fflush(stdout);
}
rlen = hextobin(ref, sref);
if (rlen != len) {
fprintf(stderr, "MC: bad length (%u vs %u)\n",
(unsigned)len, (unsigned)rlen);
exit(EXIT_FAILURE);
}
check_equals("KAT MC", out, ref, len);
}
static void
test_SHAKE(void)
{
printf("Test SHAKE: ");
fflush(stdout);
test_SHAKE_KAT(128, KAT_SHAKE128);
printf(" ");
fflush(stdout);
test_SHAKE_MonteCarlo(128, 16, 140,
"c8b310cb97efa3855434998fa81c7674",
"4aa371f0099b04a909f9b1680e8b52a21c6510ea2640137d501ffa114bf84717b1f725d64bae4ae5d87a");
printf(" ");
fflush(stdout);
test_SHAKE_KAT(256, KAT_SHAKE256);
printf(" ");
fflush(stdout);
test_SHAKE_MonteCarlo(256, 2, 250,
"48a0321b3653e4e86446d00f6a036efd",
"d4c8c26ded38cca426d8d1c8f8aedb5c543541333839deca8713cfd8684480fe923f57c3a5c89cb61427c220c7");
printf(" done.\n");
fflush(stdout);
}
static void
test_HMAC_DRBG(void)
{
br_hmac_drbg_context ctx;
unsigned char seed[42], tmp[30];
unsigned char ref1[30], ref2[30], ref3[30];
size_t seed_len;
printf("Test HMAC_DRBG: ");
fflush(stdout);
seed_len = hextobin(seed,
"009A4D6792295A7F730FC3F2B49CBC0F62E862272F"
"01795EDF0D54DB760F156D0DAC04C0322B3A204224");
hextobin(ref1,
"9305A46DE7FF8EB107194DEBD3FD48AA"
"20D5E7656CBE0EA69D2A8D4E7C67");
hextobin(ref2,
"C70C78608A3B5BE9289BE90EF6E81A9E"
"2C1516D5751D2F75F50033E45F73");
hextobin(ref3,
"475E80E992140567FCC3A50DAB90FE84"
"BCD7BB03638E9C4656A06F37F650");
br_hmac_drbg_init(&ctx, &br_sha256_vtable, seed, seed_len);
br_hmac_drbg_generate(&ctx, tmp, sizeof tmp);
check_equals("KAT HMAC_DRBG 1", tmp, ref1, sizeof tmp);
br_hmac_drbg_generate(&ctx, tmp, sizeof tmp);
check_equals("KAT HMAC_DRBG 2", tmp, ref2, sizeof tmp);
br_hmac_drbg_generate(&ctx, tmp, sizeof tmp);
check_equals("KAT HMAC_DRBG 3", tmp, ref3, sizeof tmp);
memset(&ctx, 0, sizeof ctx);
br_hmac_drbg_vtable.init(&ctx.vtable,
&br_sha256_vtable, seed, seed_len);
ctx.vtable->generate(&ctx.vtable, tmp, sizeof tmp);
check_equals("KAT HMAC_DRBG 4", tmp, ref1, sizeof tmp);
ctx.vtable->generate(&ctx.vtable, tmp, sizeof tmp);
check_equals("KAT HMAC_DRBG 5", tmp, ref2, sizeof tmp);
ctx.vtable->generate(&ctx.vtable, tmp, sizeof tmp);
check_equals("KAT HMAC_DRBG 6", tmp, ref3, sizeof tmp);
printf("done.\n");
fflush(stdout);
}
static void
test_AESCTR_DRBG(void)
{
br_aesctr_drbg_context ctx;
const br_block_ctr_class *ictr;
unsigned char tmp1[64], tmp2[64];
printf("Test AESCTR_DRBG: ");
fflush(stdout);
ictr = br_aes_x86ni_ctr_get_vtable();
if (ictr == NULL) {
ictr = br_aes_pwr8_ctr_get_vtable();
if (ictr == NULL) {
#if BR_64
ictr = &br_aes_ct64_ctr_vtable;
#else
ictr = &br_aes_ct_ctr_vtable;
#endif
}
}
br_aesctr_drbg_init(&ctx, ictr, NULL, 0);
ctx.vtable->generate(&ctx.vtable, tmp1, sizeof tmp1);
ctx.vtable->update(&ctx.vtable, "new seed", 8);
ctx.vtable->generate(&ctx.vtable, tmp2, sizeof tmp2);
if (memcmp(tmp1, tmp2, sizeof tmp1) == 0) {
fprintf(stderr, "AESCTR_DRBG failure\n");
exit(EXIT_FAILURE);
}
printf("done.\n");
fflush(stdout);
}
static void
do_KAT_PRF(br_tls_prf_impl prf,
const char *ssecret, const char *label, const char *sseed,
const char *sref)
{
unsigned char secret[100], seed[100], ref[500], out[500];
size_t secret_len, seed_len, ref_len;
br_tls_prf_seed_chunk chunks[2];
secret_len = hextobin(secret, ssecret);
seed_len = hextobin(seed, sseed);
ref_len = hextobin(ref, sref);
chunks[0].data = seed;
chunks[0].len = seed_len;
prf(out, ref_len, secret, secret_len, label, 1, chunks);
check_equals("TLS PRF KAT 1", out, ref, ref_len);
chunks[0].data = seed;
chunks[0].len = seed_len;
chunks[1].data = NULL;
chunks[1].len = 0;
prf(out, ref_len, secret, secret_len, label, 2, chunks);
check_equals("TLS PRF KAT 2", out, ref, ref_len);
chunks[0].data = NULL;
chunks[0].len = 0;
chunks[1].data = seed;
chunks[1].len = seed_len;
prf(out, ref_len, secret, secret_len, label, 2, chunks);
check_equals("TLS PRF KAT 3", out, ref, ref_len);
chunks[0].data = seed;
chunks[0].len = seed_len >> 1;
chunks[1].data = seed + chunks[0].len;
chunks[1].len = seed_len - chunks[0].len;
prf(out, ref_len, secret, secret_len, label, 2, chunks);
check_equals("TLS PRF KAT 4", out, ref, ref_len);
}
static void
test_PRF(void)
{
printf("Test TLS PRF: ");
fflush(stdout);
/*
* Test vector taken from an email that was on:
* http://www.imc.org/ietf-tls/mail-archive/msg01589.html
* but no longer exists there; a version archived in 2008
* can be found on http://www.archive.org/
*/
do_KAT_PRF(&br_tls10_prf,
"abababababababababababababababababababababababababababababababababababababababababababababababab",
"PRF Testvector",
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd",
"d3d4d1e349b5d515044666d51de32bab258cb521b6b053463e354832fd976754443bcf9a296519bc289abcbc1187e4ebd31e602353776c408aafb74cbc85eff69255f9788faa184cbb957a9819d84a5d7eb006eb459d3ae8de9810454b8b2d8f1afbc655a8c9a013");
/*
* Test vectors are taken from:
* https://www.ietf.org/mail-archive/web/tls/current/msg03416.html
*/
do_KAT_PRF(&br_tls12_sha256_prf,
"9bbe436ba940f017b17652849a71db35",
"test label",
"a0ba9f936cda311827a6f796ffd5198c",
"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66");
do_KAT_PRF(&br_tls12_sha384_prf,
"b80b733d6ceefcdc71566ea48e5567df",
"test label",
"cd665cf6a8447dd6ff8b27555edb7465",
"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f");
printf("done.\n");
fflush(stdout);
}
/*
* AES known-answer tests. Order: key, plaintext, ciphertext.
*/
static const char *const KAT_AES[] = {
/*
* From FIPS-197.
*/
"000102030405060708090a0b0c0d0e0f",
"00112233445566778899aabbccddeeff",
"69c4e0d86a7b0430d8cdb78070b4c55a",
"000102030405060708090a0b0c0d0e0f1011121314151617",
"00112233445566778899aabbccddeeff",
"dda97ca4864cdfe06eaf70a0ec0d7191",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
"00112233445566778899aabbccddeeff",
"8ea2b7ca516745bfeafc49904b496089",
/*
* From NIST validation suite (ECBVarTxt128.rsp).
*/
"00000000000000000000000000000000",
"80000000000000000000000000000000",
"3ad78e726c1ec02b7ebfe92b23d9ec34",
"00000000000000000000000000000000",
"c0000000000000000000000000000000",
"aae5939c8efdf2f04e60b9fe7117b2c2",
"00000000000000000000000000000000",
"e0000000000000000000000000000000",
"f031d4d74f5dcbf39daaf8ca3af6e527",
"00000000000000000000000000000000",
"f0000000000000000000000000000000",
"96d9fd5cc4f07441727df0f33e401a36",
"00000000000000000000000000000000",
"f8000000000000000000000000000000",
"30ccdb044646d7e1f3ccea3dca08b8c0",
"00000000000000000000000000000000",
"fc000000000000000000000000000000",
"16ae4ce5042a67ee8e177b7c587ecc82",
"00000000000000000000000000000000",
"fe000000000000000000000000000000",
"b6da0bb11a23855d9c5cb1b4c6412e0a",
"00000000000000000000000000000000",
"ff000000000000000000000000000000",
"db4f1aa530967d6732ce4715eb0ee24b",
"00000000000000000000000000000000",
"ff800000000000000000000000000000",
"a81738252621dd180a34f3455b4baa2f",
"00000000000000000000000000000000",
"ffc00000000000000000000000000000",
"77e2b508db7fd89234caf7939ee5621a",
"00000000000000000000000000000000",
"ffe00000000000000000000000000000",
"b8499c251f8442ee13f0933b688fcd19",
"00000000000000000000000000000000",
"fff00000000000000000000000000000",
"965135f8a81f25c9d630b17502f68e53",
"00000000000000000000000000000000",
"fff80000000000000000000000000000",
"8b87145a01ad1c6cede995ea3670454f",
"00000000000000000000000000000000",
"fffc0000000000000000000000000000",
"8eae3b10a0c8ca6d1d3b0fa61e56b0b2",
"00000000000000000000000000000000",
"fffe0000000000000000000000000000",
"64b4d629810fda6bafdf08f3b0d8d2c5",
"00000000000000000000000000000000",
"ffff0000000000000000000000000000",
"d7e5dbd3324595f8fdc7d7c571da6c2a",
"00000000000000000000000000000000",
"ffff8000000000000000000000000000",
"f3f72375264e167fca9de2c1527d9606",
"00000000000000000000000000000000",
"ffffc000000000000000000000000000",
"8ee79dd4f401ff9b7ea945d86666c13b",
"00000000000000000000000000000000",
"ffffe000000000000000000000000000",
"dd35cea2799940b40db3f819cb94c08b",
"00000000000000000000000000000000",
"fffff000000000000000000000000000",
"6941cb6b3e08c2b7afa581ebdd607b87",
"00000000000000000000000000000000",
"fffff800000000000000000000000000",
"2c20f439f6bb097b29b8bd6d99aad799",
"00000000000000000000000000000000",
"fffffc00000000000000000000000000",
"625d01f058e565f77ae86378bd2c49b3",
"00000000000000000000000000000000",
"fffffe00000000000000000000000000",
"c0b5fd98190ef45fbb4301438d095950",
"00000000000000000000000000000000",
"ffffff00000000000000000000000000",
"13001ff5d99806efd25da34f56be854b",
"00000000000000000000000000000000",
"ffffff80000000000000000000000000",
"3b594c60f5c8277a5113677f94208d82",
"00000000000000000000000000000000",
"ffffffc0000000000000000000000000",
"e9c0fc1818e4aa46bd2e39d638f89e05",
"00000000000000000000000000000000",
"ffffffe0000000000000000000000000",
"f8023ee9c3fdc45a019b4e985c7e1a54",
"00000000000000000000000000000000",
"fffffff0000000000000000000000000",
"35f40182ab4662f3023baec1ee796b57",
"00000000000000000000000000000000",
"fffffff8000000000000000000000000",
"3aebbad7303649b4194a6945c6cc3694",
"00000000000000000000000000000000",
"fffffffc000000000000000000000000",
"a2124bea53ec2834279bed7f7eb0f938",
"00000000000000000000000000000000",
"fffffffe000000000000000000000000",
"b9fb4399fa4facc7309e14ec98360b0a",
"00000000000000000000000000000000",
"ffffffff000000000000000000000000",
"c26277437420c5d634f715aea81a9132",
"00000000000000000000000000000000",
"ffffffff800000000000000000000000",
"171a0e1b2dd424f0e089af2c4c10f32f",
"00000000000000000000000000000000",
"ffffffffc00000000000000000000000",
"7cadbe402d1b208fe735edce00aee7ce",
"00000000000000000000000000000000",
"ffffffffe00000000000000000000000",
"43b02ff929a1485af6f5c6d6558baa0f",
"00000000000000000000000000000000",
"fffffffff00000000000000000000000",
"092faacc9bf43508bf8fa8613ca75dea",
"00000000000000000000000000000000",
"fffffffff80000000000000000000000",
"cb2bf8280f3f9742c7ed513fe802629c",
"00000000000000000000000000000000",
"fffffffffc0000000000000000000000",
"215a41ee442fa992a6e323986ded3f68",
"00000000000000000000000000000000",
"fffffffffe0000000000000000000000",
"f21e99cf4f0f77cea836e11a2fe75fb1",
"00000000000000000000000000000000",
"ffffffffff0000000000000000000000",
"95e3a0ca9079e646331df8b4e70d2cd6",
"00000000000000000000000000000000",
"ffffffffff8000000000000000000000",
"4afe7f120ce7613f74fc12a01a828073",
"00000000000000000000000000000000",
"ffffffffffc000000000000000000000",
"827f000e75e2c8b9d479beed913fe678",
"00000000000000000000000000000000",
"ffffffffffe000000000000000000000",
"35830c8e7aaefe2d30310ef381cbf691",
"00000000000000000000000000000000",
"fffffffffff000000000000000000000",
"191aa0f2c8570144f38657ea4085ebe5",
"00000000000000000000000000000000",
"fffffffffff800000000000000000000",
"85062c2c909f15d9269b6c18ce99c4f0",
"00000000000000000000000000000000",
"fffffffffffc00000000000000000000",
"678034dc9e41b5a560ed239eeab1bc78",
"00000000000000000000000000000000",
"fffffffffffe00000000000000000000",
"c2f93a4ce5ab6d5d56f1b93cf19911c1",
"00000000000000000000000000000000",
"ffffffffffff00000000000000000000",
"1c3112bcb0c1dcc749d799743691bf82",
"00000000000000000000000000000000",
"ffffffffffff80000000000000000000",
"00c55bd75c7f9c881989d3ec1911c0d4",
"00000000000000000000000000000000",
"ffffffffffffc0000000000000000000",
"ea2e6b5ef182b7dff3629abd6a12045f",
"00000000000000000000000000000000",
"ffffffffffffe0000000000000000000",
"22322327e01780b17397f24087f8cc6f",
"00000000000000000000000000000000",
"fffffffffffff0000000000000000000",
"c9cacb5cd11692c373b2411768149ee7",
"00000000000000000000000000000000",
"fffffffffffff8000000000000000000",
"a18e3dbbca577860dab6b80da3139256",
"00000000000000000000000000000000",
"fffffffffffffc000000000000000000",
"79b61c37bf328ecca8d743265a3d425c",
"00000000000000000000000000000000",
"fffffffffffffe000000000000000000",
"d2d99c6bcc1f06fda8e27e8ae3f1ccc7",
"00000000000000000000000000000000",
"ffffffffffffff000000000000000000",
"1bfd4b91c701fd6b61b7f997829d663b",
"00000000000000000000000000000000",
"ffffffffffffff800000000000000000",
"11005d52f25f16bdc9545a876a63490a",
"00000000000000000000000000000000",
"ffffffffffffffc00000000000000000",
"3a4d354f02bb5a5e47d39666867f246a",
"00000000000000000000000000000000",
"ffffffffffffffe00000000000000000",
"d451b8d6e1e1a0ebb155fbbf6e7b7dc3",
"00000000000000000000000000000000",
"fffffffffffffff00000000000000000",
"6898d4f42fa7ba6a10ac05e87b9f2080",
"00000000000000000000000000000000",
"fffffffffffffff80000000000000000",
"b611295e739ca7d9b50f8e4c0e754a3f",
"00000000000000000000000000000000",
"fffffffffffffffc0000000000000000",
"7d33fc7d8abe3ca1936759f8f5deaf20",
"00000000000000000000000000000000",
"fffffffffffffffe0000000000000000",
"3b5e0f566dc96c298f0c12637539b25c",
"00000000000000000000000000000000",
"ffffffffffffffff0000000000000000",
"f807c3e7985fe0f5a50e2cdb25c5109e",
"00000000000000000000000000000000",
"ffffffffffffffff8000000000000000",
"41f992a856fb278b389a62f5d274d7e9",
"00000000000000000000000000000000",
"ffffffffffffffffc000000000000000",
"10d3ed7a6fe15ab4d91acbc7d0767ab1",
"00000000000000000000000000000000",
"ffffffffffffffffe000000000000000",
"21feecd45b2e675973ac33bf0c5424fc",
"00000000000000000000000000000000",
"fffffffffffffffff000000000000000",
"1480cb3955ba62d09eea668f7c708817",
"00000000000000000000000000000000",
"fffffffffffffffff800000000000000",
"66404033d6b72b609354d5496e7eb511",
"00000000000000000000000000000000",
"fffffffffffffffffc00000000000000",
"1c317a220a7d700da2b1e075b00266e1",
"00000000000000000000000000000000",
"fffffffffffffffffe00000000000000",
"ab3b89542233f1271bf8fd0c0f403545",
"00000000000000000000000000000000",
"ffffffffffffffffff00000000000000",
"d93eae966fac46dca927d6b114fa3f9e",
"00000000000000000000000000000000",
"ffffffffffffffffff80000000000000",
"1bdec521316503d9d5ee65df3ea94ddf",
"00000000000000000000000000000000",
"ffffffffffffffffffc0000000000000",
"eef456431dea8b4acf83bdae3717f75f",
"00000000000000000000000000000000",
"ffffffffffffffffffe0000000000000",
"06f2519a2fafaa596bfef5cfa15c21b9",
"00000000000000000000000000000000",
"fffffffffffffffffff0000000000000",
"251a7eac7e2fe809e4aa8d0d7012531a",
"00000000000000000000000000000000",
"fffffffffffffffffff8000000000000",
"3bffc16e4c49b268a20f8d96a60b4058",
"00000000000000000000000000000000",
"fffffffffffffffffffc000000000000",
"e886f9281999c5bb3b3e8862e2f7c988",
"00000000000000000000000000000000",
"fffffffffffffffffffe000000000000",
"563bf90d61beef39f48dd625fcef1361",
"00000000000000000000000000000000",
"ffffffffffffffffffff000000000000",
"4d37c850644563c69fd0acd9a049325b",
"00000000000000000000000000000000",
"ffffffffffffffffffff800000000000",
"b87c921b91829ef3b13ca541ee1130a6",
"00000000000000000000000000000000",
"ffffffffffffffffffffc00000000000",
"2e65eb6b6ea383e109accce8326b0393",
"00000000000000000000000000000000",
"ffffffffffffffffffffe00000000000",
"9ca547f7439edc3e255c0f4d49aa8990",
"00000000000000000000000000000000",
"fffffffffffffffffffff00000000000",
"a5e652614c9300f37816b1f9fd0c87f9",
"00000000000000000000000000000000",
"fffffffffffffffffffff80000000000",
"14954f0b4697776f44494fe458d814ed",
"00000000000000000000000000000000",
"fffffffffffffffffffffc0000000000",
"7c8d9ab6c2761723fe42f8bb506cbcf7",
"00000000000000000000000000000000",
"fffffffffffffffffffffe0000000000",
"db7e1932679fdd99742aab04aa0d5a80",
"00000000000000000000000000000000",
"ffffffffffffffffffffff0000000000",
"4c6a1c83e568cd10f27c2d73ded19c28",
"00000000000000000000000000000000",
"ffffffffffffffffffffff8000000000",
"90ecbe6177e674c98de412413f7ac915",
"00000000000000000000000000000000",
"ffffffffffffffffffffffc000000000",
"90684a2ac55fe1ec2b8ebd5622520b73",
"00000000000000000000000000000000",
"ffffffffffffffffffffffe000000000",
"7472f9a7988607ca79707795991035e6",
"00000000000000000000000000000000",
"fffffffffffffffffffffff000000000",
"56aff089878bf3352f8df172a3ae47d8",
"00000000000000000000000000000000",
"fffffffffffffffffffffff800000000",
"65c0526cbe40161b8019a2a3171abd23",
"00000000000000000000000000000000",
"fffffffffffffffffffffffc00000000",
"377be0be33b4e3e310b4aabda173f84f",
"00000000000000000000000000000000",
"fffffffffffffffffffffffe00000000",
"9402e9aa6f69de6504da8d20c4fcaa2f",
"00000000000000000000000000000000",
"ffffffffffffffffffffffff00000000",
"123c1f4af313ad8c2ce648b2e71fb6e1",
"00000000000000000000000000000000",
"ffffffffffffffffffffffff80000000",
"1ffc626d30203dcdb0019fb80f726cf4",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffc0000000",
"76da1fbe3a50728c50fd2e621b5ad885",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffe0000000",
"082eb8be35f442fb52668e16a591d1d6",
"00000000000000000000000000000000",
"fffffffffffffffffffffffff0000000",
"e656f9ecf5fe27ec3e4a73d00c282fb3",
"00000000000000000000000000000000",
"fffffffffffffffffffffffff8000000",
"2ca8209d63274cd9a29bb74bcd77683a",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffc000000",
"79bf5dce14bb7dd73a8e3611de7ce026",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffe000000",
"3c849939a5d29399f344c4a0eca8a576",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffff000000",
"ed3c0a94d59bece98835da7aa4f07ca2",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffff800000",
"63919ed4ce10196438b6ad09d99cd795",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffffc00000",
"7678f3a833f19fea95f3c6029e2bc610",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffffe00000",
"3aa426831067d36b92be7c5f81c13c56",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffff00000",
"9272e2d2cdd11050998c845077a30ea0",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffff80000",
"088c4b53f5ec0ff814c19adae7f6246c",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffffc0000",
"4010a5e401fdf0a0354ddbcc0d012b17",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffffe0000",
"a87a385736c0a6189bd6589bd8445a93",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffffff0000",
"545f2b83d9616dccf60fa9830e9cd287",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffffff8000",
"4b706f7f92406352394037a6d4f4688d",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffffffc000",
"b7972b3941c44b90afa7b264bfba7387",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffffffe000",
"6f45732cf10881546f0fd23896d2bb60",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffffff000",
"2e3579ca15af27f64b3c955a5bfc30ba",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffffff800",
"34a2c5a91ae2aec99b7d1b5fa6780447",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffffffc00",
"a4d6616bd04f87335b0e53351227a9ee",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffffffe00",
"7f692b03945867d16179a8cefc83ea3f",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffffffff00",
"3bd141ee84a0e6414a26e7a4f281f8a2",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffffffff80",
"d1788f572d98b2b16ec5d5f3922b99bc",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffffffffc0",
"0833ff6f61d98a57b288e8c3586b85a6",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffffffffe0",
"8568261797de176bf0b43becc6285afb",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffffffff0",
"f9b0fda0c4a898f5b9e6f661c4ce4d07",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffffffff8",
"8ade895913685c67c5269f8aae42983e",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffffffffc",
"39bde67d5c8ed8a8b1c37eb8fa9f5ac0",
"00000000000000000000000000000000",
"fffffffffffffffffffffffffffffffe",
"5c005e72c1418c44f569f2ea33ba54f3",
"00000000000000000000000000000000",
"ffffffffffffffffffffffffffffffff",
"3f5b8cc9ea855a0afa7347d23e8d664e",
/*
* From NIST validation suite (ECBVarTxt192.rsp).
*/
"000000000000000000000000000000000000000000000000",
"80000000000000000000000000000000",
"6cd02513e8d4dc986b4afe087a60bd0c",
"000000000000000000000000000000000000000000000000",
"c0000000000000000000000000000000",
"2ce1f8b7e30627c1c4519eada44bc436",
"000000000000000000000000000000000000000000000000",
"e0000000000000000000000000000000",
"9946b5f87af446f5796c1fee63a2da24",
"000000000000000000000000000000000000000000000000",
"f0000000000000000000000000000000",
"2a560364ce529efc21788779568d5555",
"000000000000000000000000000000000000000000000000",
"f8000000000000000000000000000000",
"35c1471837af446153bce55d5ba72a0a",
"000000000000000000000000000000000000000000000000",
"fc000000000000000000000000000000",
"ce60bc52386234f158f84341e534cd9e",
"000000000000000000000000000000000000000000000000",
"fe000000000000000000000000000000",
"8c7c27ff32bcf8dc2dc57c90c2903961",
"000000000000000000000000000000000000000000000000",
"ff000000000000000000000000000000",
"32bb6a7ec84499e166f936003d55a5bb",
"000000000000000000000000000000000000000000000000",
"ff800000000000000000000000000000",
"a5c772e5c62631ef660ee1d5877f6d1b",
"000000000000000000000000000000000000000000000000",
"ffc00000000000000000000000000000",
"030d7e5b64f380a7e4ea5387b5cd7f49",
"000000000000000000000000000000000000000000000000",
"ffe00000000000000000000000000000",
"0dc9a2610037009b698f11bb7e86c83e",
"000000000000000000000000000000000000000000000000",
"fff00000000000000000000000000000",
"0046612c766d1840c226364f1fa7ed72",
"000000000000000000000000000000000000000000000000",
"fff80000000000000000000000000000",
"4880c7e08f27befe78590743c05e698b",
"000000000000000000000000000000000000000000000000",
"fffc0000000000000000000000000000",
"2520ce829a26577f0f4822c4ecc87401",
"000000000000000000000000000000000000000000000000",
"fffe0000000000000000000000000000",
"8765e8acc169758319cb46dc7bcf3dca",
"000000000000000000000000000000000000000000000000",
"ffff0000000000000000000000000000",
"e98f4ba4f073df4baa116d011dc24a28",
"000000000000000000000000000000000000000000000000",
"ffff8000000000000000000000000000",
"f378f68c5dbf59e211b3a659a7317d94",
"000000000000000000000000000000000000000000000000",
"ffffc000000000000000000000000000",
"283d3b069d8eb9fb432d74b96ca762b4",
"000000000000000000000000000000000000000000000000",
"ffffe000000000000000000000000000",
"a7e1842e8a87861c221a500883245c51",
"000000000000000000000000000000000000000000000000",
"fffff000000000000000000000000000",
"77aa270471881be070fb52c7067ce732",
"000000000000000000000000000000000000000000000000",
"fffff800000000000000000000000000",
"01b0f476d484f43f1aeb6efa9361a8ac",
"000000000000000000000000000000000000000000000000",
"fffffc00000000000000000000000000",
"1c3a94f1c052c55c2d8359aff2163b4f",
"000000000000000000000000000000000000000000000000",
"fffffe00000000000000000000000000",
"e8a067b604d5373d8b0f2e05a03b341b",
"000000000000000000000000000000000000000000000000",
"ffffff00000000000000000000000000",
"a7876ec87f5a09bfea42c77da30fd50e",
"000000000000000000000000000000000000000000000000",
"ffffff80000000000000000000000000",
"0cf3e9d3a42be5b854ca65b13f35f48d",
"000000000000000000000000000000000000000000000000",
"ffffffc0000000000000000000000000",
"6c62f6bbcab7c3e821c9290f08892dda",
"000000000000000000000000000000000000000000000000",
"ffffffe0000000000000000000000000",
"7f5e05bd2068738196fee79ace7e3aec",
"000000000000000000000000000000000000000000000000",
"fffffff0000000000000000000000000",
"440e0d733255cda92fb46e842fe58054",
"000000000000000000000000000000000000000000000000",
"fffffff8000000000000000000000000",
"aa5d5b1c4ea1b7a22e5583ac2e9ed8a7",
"000000000000000000000000000000000000000000000000",
"fffffffc000000000000000000000000",
"77e537e89e8491e8662aae3bc809421d",
"000000000000000000000000000000000000000000000000",
"fffffffe000000000000000000000000",
"997dd3e9f1598bfa73f75973f7e93b76",
"000000000000000000000000000000000000000000000000",
"ffffffff000000000000000000000000",
"1b38d4f7452afefcb7fc721244e4b72e",
"000000000000000000000000000000000000000000000000",
"ffffffff800000000000000000000000",
"0be2b18252e774dda30cdda02c6906e3",
"000000000000000000000000000000000000000000000000",
"ffffffffc00000000000000000000000",
"d2695e59c20361d82652d7d58b6f11b2",
"000000000000000000000000000000000000000000000000",
"ffffffffe00000000000000000000000",
"902d88d13eae52089abd6143cfe394e9",
"000000000000000000000000000000000000000000000000",
"fffffffff00000000000000000000000",
"d49bceb3b823fedd602c305345734bd2",
"000000000000000000000000000000000000000000000000",
"fffffffff80000000000000000000000",
"707b1dbb0ffa40ef7d95def421233fae",
"000000000000000000000000000000000000000000000000",
"fffffffffc0000000000000000000000",
"7ca0c1d93356d9eb8aa952084d75f913",
"000000000000000000000000000000000000000000000000",
"fffffffffe0000000000000000000000",
"f2cbf9cb186e270dd7bdb0c28febc57d",
"000000000000000000000000000000000000000000000000",
"ffffffffff0000000000000000000000",
"c94337c37c4e790ab45780bd9c3674a0",
"000000000000000000000000000000000000000000000000",
"ffffffffff8000000000000000000000",
"8e3558c135252fb9c9f367ed609467a1",
"000000000000000000000000000000000000000000000000",
"ffffffffffc000000000000000000000",
"1b72eeaee4899b443914e5b3a57fba92",
"000000000000000000000000000000000000000000000000",
"ffffffffffe000000000000000000000",
"011865f91bc56868d051e52c9efd59b7",
"000000000000000000000000000000000000000000000000",
"fffffffffff000000000000000000000",
"e4771318ad7a63dd680f6e583b7747ea",
"000000000000000000000000000000000000000000000000",
"fffffffffff800000000000000000000",
"61e3d194088dc8d97e9e6db37457eac5",
"000000000000000000000000000000000000000000000000",
"fffffffffffc00000000000000000000",
"36ff1ec9ccfbc349e5d356d063693ad6",
"000000000000000000000000000000000000000000000000",
"fffffffffffe00000000000000000000",
"3cc9e9a9be8cc3f6fb2ea24088e9bb19",
"000000000000000000000000000000000000000000000000",
"ffffffffffff00000000000000000000",
"1ee5ab003dc8722e74905d9a8fe3d350",
"000000000000000000000000000000000000000000000000",
"ffffffffffff80000000000000000000",
"245339319584b0a412412869d6c2eada",
"000000000000000000000000000000000000000000000000",
"ffffffffffffc0000000000000000000",
"7bd496918115d14ed5380852716c8814",
"000000000000000000000000000000000000000000000000",
"ffffffffffffe0000000000000000000",
"273ab2f2b4a366a57d582a339313c8b1",
"000000000000000000000000000000000000000000000000",
"fffffffffffff0000000000000000000",
"113365a9ffbe3b0ca61e98507554168b",
"000000000000000000000000000000000000000000000000",
"fffffffffffff8000000000000000000",
"afa99c997ac478a0dea4119c9e45f8b1",
"000000000000000000000000000000000000000000000000",
"fffffffffffffc000000000000000000",
"9216309a7842430b83ffb98638011512",
"000000000000000000000000000000000000000000000000",
"fffffffffffffe000000000000000000",
"62abc792288258492a7cb45145f4b759",
"000000000000000000000000000000000000000000000000",
"ffffffffffffff000000000000000000",
"534923c169d504d7519c15d30e756c50",
"000000000000000000000000000000000000000000000000",
"ffffffffffffff800000000000000000",
"fa75e05bcdc7e00c273fa33f6ee441d2",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffc00000000000000000",
"7d350fa6057080f1086a56b17ec240db",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffe00000000000000000",
"f34e4a6324ea4a5c39a661c8fe5ada8f",
"000000000000000000000000000000000000000000000000",
"fffffffffffffff00000000000000000",
"0882a16f44088d42447a29ac090ec17e",
"000000000000000000000000000000000000000000000000",
"fffffffffffffff80000000000000000",
"3a3c15bfc11a9537c130687004e136ee",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffc0000000000000000",
"22c0a7678dc6d8cf5c8a6d5a9960767c",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffe0000000000000000",
"b46b09809d68b9a456432a79bdc2e38c",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffff0000000000000000",
"93baaffb35fbe739c17c6ac22eecf18f",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffff8000000000000000",
"c8aa80a7850675bc007c46df06b49868",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffc000000000000000",
"12c6f3877af421a918a84b775858021d",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffe000000000000000",
"33f123282c5d633924f7d5ba3f3cab11",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffff000000000000000",
"a8f161002733e93ca4527d22c1a0c5bb",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffff800000000000000",
"b72f70ebf3e3fda23f508eec76b42c02",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffc00000000000000",
"6a9d965e6274143f25afdcfc88ffd77c",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffe00000000000000",
"a0c74fd0b9361764ce91c5200b095357",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffff00000000000000",
"091d1fdc2bd2c346cd5046a8c6209146",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffff80000000000000",
"e2a37580116cfb71856254496ab0aca8",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffc0000000000000",
"e0b3a00785917c7efc9adba322813571",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffe0000000000000",
"733d41f4727b5ef0df4af4cf3cffa0cb",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffff0000000000000",
"a99ebb030260826f981ad3e64490aa4f",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffff8000000000000",
"73f34c7d3eae5e80082c1647524308ee",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffc000000000000",
"40ebd5ad082345b7a2097ccd3464da02",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffe000000000000",
"7cc4ae9a424b2cec90c97153c2457ec5",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffff000000000000",
"54d632d03aba0bd0f91877ebdd4d09cb",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffff800000000000",
"d3427be7e4d27cd54f5fe37b03cf0897",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffc00000000000",
"b2099795e88cc158fd75ea133d7e7fbe",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffe00000000000",
"a6cae46fb6fadfe7a2c302a34242817b",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffff00000000000",
"026a7024d6a902e0b3ffccbaa910cc3f",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffff80000000000",
"156f07767a85a4312321f63968338a01",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffc0000000000",
"15eec9ebf42b9ca76897d2cd6c5a12e2",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffe0000000000",
"db0d3a6fdcc13f915e2b302ceeb70fd8",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffff0000000000",
"71dbf37e87a2e34d15b20e8f10e48924",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffff8000000000",
"c745c451e96ff3c045e4367c833e3b54",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffc000000000",
"340da09c2dd11c3b679d08ccd27dd595",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffe000000000",
"8279f7c0c2a03ee660c6d392db025d18",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffff000000000",
"a4b2c7d8eba531ff47c5041a55fbd1ec",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffff800000000",
"74569a2ca5a7bd5131ce8dc7cbfbf72f",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffc00000000",
"3713da0c0219b63454035613b5a403dd",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffe00000000",
"8827551ddcc9df23fa72a3de4e9f0b07",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffff00000000",
"2e3febfd625bfcd0a2c06eb460da1732",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffff80000000",
"ee82e6ba488156f76496311da6941deb",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffc0000000",
"4770446f01d1f391256e85a1b30d89d3",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffe0000000",
"af04b68f104f21ef2afb4767cf74143c",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffff0000000",
"cf3579a9ba38c8e43653173e14f3a4c6",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffff8000000",
"b3bba904f4953e09b54800af2f62e7d4",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffc000000",
"fc4249656e14b29eb9c44829b4c59a46",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffe000000",
"9b31568febe81cfc2e65af1c86d1a308",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffff000000",
"9ca09c25f273a766db98a480ce8dfedc",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffff800000",
"b909925786f34c3c92d971883c9fbedf",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffc00000",
"82647f1332fe570a9d4d92b2ee771d3b",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffe00000",
"3604a7e80832b3a99954bca6f5b9f501",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffff00000",
"884607b128c5de3ab39a529a1ef51bef",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffff80000",
"670cfa093d1dbdb2317041404102435e",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffc0000",
"7a867195f3ce8769cbd336502fbb5130",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffe0000",
"52efcf64c72b2f7ca5b3c836b1078c15",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffff0000",
"4019250f6eefb2ac5ccbcae044e75c7e",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffff8000",
"022c4f6f5a017d292785627667ddef24",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffc000",
"e9c21078a2eb7e03250f71000fa9e3ed",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffe000",
"a13eaeeb9cd391da4e2b09490b3e7fad",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffff000",
"c958a171dca1d4ed53e1af1d380803a9",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffff800",
"21442e07a110667f2583eaeeee44dc8c",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffffc00",
"59bbb353cf1dd867a6e33737af655e99",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffffe00",
"43cd3b25375d0ce41087ff9fe2829639",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffff00",
"6b98b17e80d1118e3516bd768b285a84",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffff80",
"ae47ed3676ca0c08deea02d95b81db58",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffffc0",
"34ec40dc20413795ed53628ea748720b",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffffe0",
"4dc68163f8e9835473253542c8a65d46",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffffff0",
"2aabb999f43693175af65c6c612c46fb",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffffff8",
"e01f94499dac3547515c5b1d756f0f58",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffffffc",
"9d12435a46480ce00ea349f71799df9a",
"000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffffffe",
"cef41d16d266bdfe46938ad7884cc0cf",
"000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffffff",
"b13db4da1f718bc6904797c82bcf2d32",
/*
* From NIST validation suite (ECBVarTxt256.rsp).
*/
"0000000000000000000000000000000000000000000000000000000000000000",
"80000000000000000000000000000000",
"ddc6bf790c15760d8d9aeb6f9a75fd4e",
"0000000000000000000000000000000000000000000000000000000000000000",
"c0000000000000000000000000000000",
"0a6bdc6d4c1e6280301fd8e97ddbe601",
"0000000000000000000000000000000000000000000000000000000000000000",
"e0000000000000000000000000000000",
"9b80eefb7ebe2d2b16247aa0efc72f5d",
"0000000000000000000000000000000000000000000000000000000000000000",
"f0000000000000000000000000000000",
"7f2c5ece07a98d8bee13c51177395ff7",
"0000000000000000000000000000000000000000000000000000000000000000",
"f8000000000000000000000000000000",
"7818d800dcf6f4be1e0e94f403d1e4c2",
"0000000000000000000000000000000000000000000000000000000000000000",
"fc000000000000000000000000000000",
"e74cd1c92f0919c35a0324123d6177d3",
"0000000000000000000000000000000000000000000000000000000000000000",
"fe000000000000000000000000000000",
"8092a4dcf2da7e77e93bdd371dfed82e",
"0000000000000000000000000000000000000000000000000000000000000000",
"ff000000000000000000000000000000",
"49af6b372135acef10132e548f217b17",
"0000000000000000000000000000000000000000000000000000000000000000",
"ff800000000000000000000000000000",
"8bcd40f94ebb63b9f7909676e667f1e7",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffc00000000000000000000000000000",
"fe1cffb83f45dcfb38b29be438dbd3ab",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffe00000000000000000000000000000",
"0dc58a8d886623705aec15cb1e70dc0e",
"0000000000000000000000000000000000000000000000000000000000000000",
"fff00000000000000000000000000000",
"c218faa16056bd0774c3e8d79c35a5e4",
"0000000000000000000000000000000000000000000000000000000000000000",
"fff80000000000000000000000000000",
"047bba83f7aa841731504e012208fc9e",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffc0000000000000000000000000000",
"dc8f0e4915fd81ba70a331310882f6da",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffe0000000000000000000000000000",
"1569859ea6b7206c30bf4fd0cbfac33c",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffff0000000000000000000000000000",
"300ade92f88f48fa2df730ec16ef44cd",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffff8000000000000000000000000000",
"1fe6cc3c05965dc08eb0590c95ac71d0",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffc000000000000000000000000000",
"59e858eaaa97fec38111275b6cf5abc0",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffe000000000000000000000000000",
"2239455e7afe3b0616100288cc5a723b",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffff000000000000000000000000000",
"3ee500c5c8d63479717163e55c5c4522",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffff800000000000000000000000000",
"d5e38bf15f16d90e3e214041d774daa8",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffc00000000000000000000000000",
"b1f4066e6f4f187dfe5f2ad1b17819d0",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffe00000000000000000000000000",
"6ef4cc4de49b11065d7af2909854794a",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffff00000000000000000000000000",
"ac86bc606b6640c309e782f232bf367f",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffff80000000000000000000000000",
"36aff0ef7bf3280772cf4cac80a0d2b2",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffc0000000000000000000000000",
"1f8eedea0f62a1406d58cfc3ecea72cf",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffe0000000000000000000000000",
"abf4154a3375a1d3e6b1d454438f95a6",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffff0000000000000000000000000",
"96f96e9d607f6615fc192061ee648b07",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffff8000000000000000000000000",
"cf37cdaaa0d2d536c71857634c792064",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffc000000000000000000000000",
"fbd6640c80245c2b805373f130703127",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffe000000000000000000000000",
"8d6a8afe55a6e481badae0d146f436db",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffff000000000000000000000000",
"6a4981f2915e3e68af6c22385dd06756",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffff800000000000000000000000",
"42a1136e5f8d8d21d3101998642d573b",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffc00000000000000000000000",
"9b471596dc69ae1586cee6158b0b0181",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffe00000000000000000000000",
"753665c4af1eff33aa8b628bf8741cfd",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffff00000000000000000000000",
"9a682acf40be01f5b2a4193c9a82404d",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffff80000000000000000000000",
"54fafe26e4287f17d1935f87eb9ade01",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffc0000000000000000000000",
"49d541b2e74cfe73e6a8e8225f7bd449",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffe0000000000000000000000",
"11a45530f624ff6f76a1b3826626ff7b",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffff0000000000000000000000",
"f96b0c4a8bc6c86130289f60b43b8fba",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffff8000000000000000000000",
"48c7d0e80834ebdc35b6735f76b46c8b",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffc000000000000000000000",
"2463531ab54d66955e73edc4cb8eaa45",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffe000000000000000000000",
"ac9bd8e2530469134b9d5b065d4f565b",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffff000000000000000000000",
"3f5f9106d0e52f973d4890e6f37e8a00",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffff800000000000000000000",
"20ebc86f1304d272e2e207e59db639f0",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffc00000000000000000000",
"e67ae6426bf9526c972cff072b52252c",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffe00000000000000000000",
"1a518dddaf9efa0d002cc58d107edfc8",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffff00000000000000000000",
"ead731af4d3a2fe3b34bed047942a49f",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffff80000000000000000000",
"b1d4efe40242f83e93b6c8d7efb5eae9",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffc0000000000000000000",
"cd2b1fec11fd906c5c7630099443610a",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffe0000000000000000000",
"a1853fe47fe29289d153161d06387d21",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffff0000000000000000000",
"4632154179a555c17ea604d0889fab14",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffff8000000000000000000",
"dd27cac6401a022e8f38f9f93e774417",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffc000000000000000000",
"c090313eb98674f35f3123385fb95d4d",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffe000000000000000000",
"cc3526262b92f02edce548f716b9f45c",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffff000000000000000000",
"c0838d1a2b16a7c7f0dfcc433c399c33",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffff800000000000000000",
"0d9ac756eb297695eed4d382eb126d26",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffc00000000000000000",
"56ede9dda3f6f141bff1757fa689c3e1",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffe00000000000000000",
"768f520efe0f23e61d3ec8ad9ce91774",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffff00000000000000000",
"b1144ddfa75755213390e7c596660490",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffff80000000000000000",
"1d7c0c4040b355b9d107a99325e3b050",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffc0000000000000000",
"d8e2bb1ae8ee3dcf5bf7d6c38da82a1a",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffe0000000000000000",
"faf82d178af25a9886a47e7f789b98d7",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffff0000000000000000",
"9b58dbfd77fe5aca9cfc190cd1b82d19",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffff8000000000000000",
"77f392089042e478ac16c0c86a0b5db5",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffc000000000000000",
"19f08e3420ee69b477ca1420281c4782",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffe000000000000000",
"a1b19beee4e117139f74b3c53fdcb875",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffff000000000000000",
"a37a5869b218a9f3a0868d19aea0ad6a",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffff800000000000000",
"bc3594e865bcd0261b13202731f33580",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffc00000000000000",
"811441ce1d309eee7185e8c752c07557",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffe00000000000000",
"959971ce4134190563518e700b9874d1",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffff00000000000000",
"76b5614a042707c98e2132e2e805fe63",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffff80000000000000",
"7d9fa6a57530d0f036fec31c230b0cc6",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffc0000000000000",
"964153a83bf6989a4ba80daa91c3e081",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffe0000000000000",
"a013014d4ce8054cf2591d06f6f2f176",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffff0000000000000",
"d1c5f6399bf382502e385eee1474a869",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffff8000000000000",
"0007e20b8298ec354f0f5fe7470f36bd",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffc000000000000",
"b95ba05b332da61ef63a2b31fcad9879",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffe000000000000",
"4620a49bd967491561669ab25dce45f4",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffff000000000000",
"12e71214ae8e04f0bb63d7425c6f14d5",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffff800000000000",
"4cc42fc1407b008fe350907c092e80ac",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffc00000000000",
"08b244ce7cbc8ee97fbba808cb146fda",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffe00000000000",
"39b333e8694f21546ad1edd9d87ed95b",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffff00000000000",
"3b271f8ab2e6e4a20ba8090f43ba78f3",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffff80000000000",
"9ad983f3bf651cd0393f0a73cccdea50",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffc0000000000",
"8f476cbff75c1f725ce18e4bbcd19b32",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffe0000000000",
"905b6267f1d6ab5320835a133f096f2a",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffff0000000000",
"145b60d6d0193c23f4221848a892d61a",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffff8000000000",
"55cfb3fb6d75cad0445bbc8dafa25b0f",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffc000000000",
"7b8e7098e357ef71237d46d8b075b0f5",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffe000000000",
"2bf27229901eb40f2df9d8398d1505ae",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffff000000000",
"83a63402a77f9ad5c1e931a931ecd706",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffff800000000",
"6f8ba6521152d31f2bada1843e26b973",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffc00000000",
"e5c3b8e30fd2d8e6239b17b44bd23bbd",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffe00000000",
"1ac1f7102c59933e8b2ddc3f14e94baa",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffff00000000",
"21d9ba49f276b45f11af8fc71a088e3d",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffff80000000",
"649f1cddc3792b4638635a392bc9bade",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffc0000000",
"e2775e4b59c1bc2e31a2078c11b5a08c",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffe0000000",
"2be1fae5048a25582a679ca10905eb80",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffff0000000",
"da86f292c6f41ea34fb2068df75ecc29",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffff8000000",
"220df19f85d69b1b562fa69a3c5beca5",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffc000000",
"1f11d5d0355e0b556ccdb6c7f5083b4d",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffe000000",
"62526b78be79cb384633c91f83b4151b",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffff000000",
"90ddbcb950843592dd47bbef00fdc876",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffff800000",
"2fd0e41c5b8402277354a7391d2618e2",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffc00000",
"3cdf13e72dee4c581bafec70b85f9660",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffe00000",
"afa2ffc137577092e2b654fa199d2c43",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffff00000",
"8d683ee63e60d208e343ce48dbc44cac",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffff80000",
"705a4ef8ba2133729c20185c3d3a4763",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffc0000",
"0861a861c3db4e94194211b77ed761b9",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffe0000",
"4b00c27e8b26da7eab9d3a88dec8b031",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffff0000",
"5f397bf03084820cc8810d52e5b666e9",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffff8000",
"63fafabb72c07bfbd3ddc9b1203104b8",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffc000",
"683e2140585b18452dd4ffbb93c95df9",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffe000",
"286894e48e537f8763b56707d7d155c8",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffff000",
"a423deabc173dcf7e2c4c53e77d37cd1",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffff800",
"eb8168313e1cfdfdb5e986d5429cf172",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffffc00",
"27127daafc9accd2fb334ec3eba52323",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffffe00",
"ee0715b96f72e3f7a22a5064fc592f4c",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffff00",
"29ee526770f2a11dcfa989d1ce88830f",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffff80",
"0493370e054b09871130fe49af730a5a",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffffc0",
"9b7b940f6c509f9e44a4ee140448ee46",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffffe0",
"2915be4a1ecfdcbe3e023811a12bb6c7",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffffff0",
"7240e524bc51d8c4d440b1be55d1062c",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffffff8",
"da63039d38cb4612b2dc36ba26684b93",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffffffc",
"0f59cb5a4b522e2ac56c1a64f558ad9a",
"0000000000000000000000000000000000000000000000000000000000000000",
"fffffffffffffffffffffffffffffffe",
"7bfe9d876c6d63c1d035da8fe21c409d",
"0000000000000000000000000000000000000000000000000000000000000000",
"ffffffffffffffffffffffffffffffff",
"acdace8078a32b1a182bfa4987ca1347",
/*
* Table end marker.
*/
NULL
};
/*
* AES known-answer tests for CBC. Order: key, IV, plaintext, ciphertext.
*/
static const char *const KAT_AES_CBC[] = {
/*
* From NIST validation suite "Multiblock Message Test"
* (cbcmmt128.rsp).
*/
"1f8e4973953f3fb0bd6b16662e9a3c17",
"2fe2b333ceda8f98f4a99b40d2cd34a8",
"45cf12964fc824ab76616ae2f4bf0822",
"0f61c4d44c5147c03c195ad7e2cc12b2",
"0700d603a1c514e46b6191ba430a3a0c",
"aad1583cd91365e3bb2f0c3430d065bb",
"068b25c7bfb1f8bdd4cfc908f69dffc5ddc726a197f0e5f720f730393279be91",
"c4dc61d9725967a3020104a9738f23868527ce839aab1752fd8bdb95a82c4d00",
"3348aa51e9a45c2dbe33ccc47f96e8de",
"19153c673160df2b1d38c28060e59b96",
"9b7cee827a26575afdbb7c7a329f887238052e3601a7917456ba61251c214763d5e1847a6ad5d54127a399ab07ee3599",
"d5aed6c9622ec451a15db12819952b6752501cf05cdbf8cda34a457726ded97818e1f127a28d72db5652749f0c6afee5",
"b7f3c9576e12dd0db63e8f8fac2b9a39",
"c80f095d8bb1a060699f7c19974a1aa0",
"9ac19954ce1319b354d3220460f71c1e373f1cd336240881160cfde46ebfed2e791e8d5a1a136ebd1dc469dec00c4187722b841cdabcb22c1be8a14657da200e",
"19b9609772c63f338608bf6eb52ca10be65097f89c1e0905c42401fd47791ae2c5440b2d473116ca78bd9ff2fb6015cfd316524eae7dcb95ae738ebeae84a467",
"b6f9afbfe5a1562bba1368fc72ac9d9c",
"3f9d5ebe250ee7ce384b0d00ee849322",
"db397ec22718dbffb9c9d13de0efcd4611bf792be4fce0dc5f25d4f577ed8cdbd4eb9208d593dda3d4653954ab64f05676caa3ce9bfa795b08b67ceebc923fdc89a8c431188e9e482d8553982cf304d1",
"10ea27b19e16b93af169c4a88e06e35c99d8b420980b058e34b4b8f132b13766f72728202b089f428fecdb41c79f8aa0d0ef68f5786481cca29e2126f69bc14160f1ae2187878ba5c49cf3961e1b7ee9",
"bbe7b7ba07124ff1ae7c3416fe8b465e",
"7f65b5ee3630bed6b84202d97fb97a1e",
"2aad0c2c4306568bad7447460fd3dac054346d26feddbc9abd9110914011b4794be2a9a00a519a51a5b5124014f4ed2735480db21b434e99a911bb0b60fe0253763725b628d5739a5117b7ee3aefafc5b4c1bf446467e7bf5f78f31ff7caf187",
"3b8611bfc4973c5cd8e982b073b33184cd26110159172e44988eb5ff5661a1e16fad67258fcbfee55469267a12dc374893b4e3533d36f5634c3095583596f135aa8cd1138dc898bc5651ee35a92ebf89ab6aeb5366653bc60a70e0074fc11efe",
"89a553730433f7e6d67d16d373bd5360",
"f724558db3433a523f4e51a5bea70497",
"807bc4ea684eedcfdcca30180680b0f1ae2814f35f36d053c5aea6595a386c1442770f4d7297d8b91825ee7237241da8925dd594ccf676aecd46ca2068e8d37a3a0ec8a7d5185a201e663b5ff36ae197110188a23503763b8218826d23ced74b31e9f6e2d7fbfa6cb43420c7807a8625",
"406af1429a478c3d07e555c5287a60500d37fc39b68e5bbb9bafd6ddb223828561d6171a308d5b1a4551e8a5e7d572918d25c968d3871848d2f16635caa9847f38590b1df58ab5efb985f2c66cfaf86f61b3f9c0afad6c963c49cee9b8bc81a2ddb06c967f325515a4849eec37ce721a",
"c491ca31f91708458e29a925ec558d78",
"9ef934946e5cd0ae97bd58532cb49381",
"cb6a787e0dec56f9a165957f81af336ca6b40785d9e94093c6190e5152649f882e874d79ac5e167bd2a74ce5ae088d2ee854f6539e0a94796b1e1bd4c9fcdbc79acbef4d01eeb89776d18af71ae2a4fc47dd66df6c4dbe1d1850e466549a47b636bcc7c2b3a62495b56bb67b6d455f1eebd9bfefecbca6c7f335cfce9b45cb9d",
"7b2931f5855f717145e00f152a9f4794359b1ffcb3e55f594e33098b51c23a6c74a06c1d94fded7fd2ae42c7db7acaef5844cb33aeddc6852585ed0020a6699d2cb53809cefd169148ce42292afab063443978306c582c18b9ce0da3d084ce4d3c482cfd8fcf1a85084e89fb88b40a084d5e972466d07666126fb761f84078f2",
"f6e87d71b0104d6eb06a68dc6a71f498",
"1c245f26195b76ebebc2edcac412a2f8",
"f82bef3c73a6f7f80db285726d691db6bf55eec25a859d3ba0e0445f26b9bb3b16a3161ed1866e4dd8f2e5f8ecb4e46d74a7a78c20cdfc7bcc9e479ba7a0caba9438238ad0c01651d5d98de37f03ddce6e6b4bd4ab03cf9e8ed818aedfa1cf963b932067b97d776dce1087196e7e913f7448e38244509f0caf36bd8217e15336d35c149fd4e41707893fdb84014f8729",
"b09512f3eff9ed0d85890983a73dadbb7c3678d52581be64a8a8fc586f490f2521297a478a0598040ebd0f5509fafb0969f9d9e600eaef33b1b93eed99687b167f89a5065aac439ce46f3b8d22d30865e64e45ef8cd30b6984353a844a11c8cd60dba0e8866b3ee30d24b3fa8a643b328353e06010fa8273c8fd54ef0a2b6930e5520aae5cd5902f9b86a33592ca4365",
"2c14413751c31e2730570ba3361c786b",
"1dbbeb2f19abb448af849796244a19d7",
"40d930f9a05334d9816fe204999c3f82a03f6a0457a8c475c94553d1d116693adc618049f0a769a2eed6a6cb14c0143ec5cccdbc8dec4ce560cfd206225709326d4de7948e54d603d01b12d7fed752fb23f1aa4494fbb00130e9ded4e77e37c079042d828040c325b1a5efd15fc842e44014ca4374bf38f3c3fc3ee327733b0c8aee1abcd055772f18dc04603f7b2c1ea69ff662361f2be0a171bbdcea1e5d3f",
"6be8a12800455a320538853e0cba31bd2d80ea0c85164a4c5c261ae485417d93effe2ebc0d0a0b51d6ea18633d210cf63c0c4ddbc27607f2e81ed9113191ef86d56f3b99be6c415a4150299fb846ce7160b40b63baf1179d19275a2e83698376d28b92548c68e06e6d994e2c1501ed297014e702cdefee2f656447706009614d801de1caaf73f8b7fa56cf1ba94b631933bbe577624380850f117435a0355b2b",
/*
* From NIST validation suite "Multiblock Message Test"
* (cbcmmt192.rsp).
*/
"ba75f4d1d9d7cf7f551445d56cc1a8ab2a078e15e049dc2c",
"531ce78176401666aa30db94ec4a30eb",
"c51fc276774dad94bcdc1d2891ec8668",
"70dd95a14ee975e239df36ff4aee1d5d",
"eab3b19c581aa873e1981c83ab8d83bbf8025111fb2e6b21",
"f3d6667e8d4d791e60f7505ba383eb05",
"9d4e4cccd1682321856df069e3f1c6fa391a083a9fb02d59db74c14081b3acc4",
"51d44779f90d40a80048276c035cb49ca2a47bcb9b9cf7270b9144793787d53f",
"16c93bb398f1fc0cf6d68fc7a5673cdf431fa147852b4a2d",
"eaaeca2e07ddedf562f94df63f0a650f",
"c5ce958613bf741718c17444484ebaf1050ddcacb59b9590178cbe69d7ad7919608cb03af13bbe04f3506b718a301ea0",
"ed6a50e0c6921d52d6647f75d67b4fd56ace1fedb8b5a6a997b4d131640547d22c5d884a75e6752b5846b5b33a5181f4",
"067bb17b4df785697eaccf961f98e212cb75e6797ce935cb",
"8b59c9209c529ca8391c9fc0ce033c38",
"db3785a889b4bd387754da222f0e4c2d2bfe0d79e05bc910fba941beea30f1239eacf0068f4619ec01c368e986fca6b7c58e490579d29611bd10087986eff54f",
"d5f5589760bf9c762228fde236de1fa2dd2dad448db3fa9be0c4196efd46a35c84dd1ac77d9db58c95918cb317a6430a08d2fb6a8e8b0f1c9b72c7a344dc349f",
"0fd39de83e0be77a79c8a4a612e3dd9c8aae2ce35e7a2bf8",
"7e1d629b84f93b079be51f9a5f5cb23c",
"38fbda37e28fa86d9d83a4345e419dea95d28c7818ff25925db6ac3aedaf0a86154e20a4dfcc5b1b4192895393e5eb5846c88bdbd41ecf7af3104f410eaee470f5d9017ed460475f626953035a13db1f",
"edadae2f9a45ff3473e02d904c94d94a30a4d92da4deb6bcb4b0774472694571842039f21c496ef93fd658842c735f8a81fcd0aa578442ab893b18f606aed1bab11f81452dd45e9b56adf2eccf4ea095",
"e3fecc75f0075a09b383dfd389a3d33cc9b854b3b254c0f4",
"36eab883afef936cc38f63284619cd19",
"931b2f5f3a5820d53a6beaaa6431083a3488f4eb03b0f5b57ef838e1579623103bd6e6800377538b2e51ef708f3c4956432e8a8ee6a34e190642b26ad8bdae6c2af9a6c7996f3b6004d2671e41f1c9f40ee03d1c4a52b0a0654a331f15f34dce",
"75395974bd32b3665654a6c8e396b88ae34b123575872a7ab687d8e76b46df911a8a590cd01d2f5c330be3a6626e9dd3aa5e10ed14e8ff829811b6fed50f3f533ca4385a1cbca78f5c4744e50f2f8359165c2485d1324e76c3eae76a0ccac629",
"f9c27565eb07947c8cb51b79248430f7b1066c3d2fdc3d13",
"2bd67cc89ab7948d644a49672843cbd9",
"6abcc270173cf114d44847e911a050db57ba7a2e2c161c6f37ccb6aaa4677bddcaf50cad0b5f8758fcf7c0ebc650ceb5cd52cafb8f8dd3edcece55d9f1f08b9fa8f54365cf56e28b9596a7e1dd1d3418e4444a7724add4cf79d527b183ec88de4be4eeff29c80a97e54f85351cb189ee",
"ca282924a61187feb40520979106e5cc861957f23828dcb7285e0eaac8a0ca2a6b60503d63d6039f4693dba32fa1f73ae2e709ca94911f28a5edd1f30eaddd54680c43acc9c74cd90d8bb648b4e544275f47e514daa20697f66c738eb30337f017fca1a26da4d1a0cc0a0e98e2463070",
"fb09cf9e00dbf883689d079c920077c0073c31890b55bab5",
"e3c89bd097c3abddf64f4881db6dbfe2",
"c1a37683fb289467dd1b2c89efba16bbd2ee24cf18d19d44596ded2682c79a2f711c7a32bf6a24badd32a4ee637c73b7a41da6258635650f91fb9ffa45bdfc3cb122136241b3deced8996aa51ea8d3e81c9d70e006a44bc0571ed48623a0d622a93fa9da290baaedf5d9e876c94620945ff8ecc83f27379ed55cf490c5790f27",
"8158e21420f25b59d6ae943fa1cbf21f02e979f419dab0126a721b7eef55bee9ad97f5ccff7d239057bbc19a8c378142f7672f1d5e7e17d7bebcb0070e8355cace6660171a53b61816ae824a6ef69ce470b6ffd3b5bb4b438874d91d27854d3b6f25860d3868958de3307d62b1339bdddb8a318c0ce0f33c17caf0e9f6040820",
"bca6fa3c67fd294e958f66fe8bd64f45f428f5bc8e9733a7",
"92a47f2833f1450d1da41717bdc6e83c",
"5becbc31d8bead6d36ae014a5863d14a431e6b55d29ea6baaa417271716db3a33b2e506b452086dfe690834ac2de30bc41254ec5401ec47d064237c7792fdcd7914d8af20eb114756642d519021a8c75a92f6bc53d326ae9a5b7e1b10a9756574692934d9939fc399e0c203f7edf8e7e6482eadd31a0400770e897b48c6bca2b404593045080e93377358c42a0f4dede",
"926db248cc1ba20f0c57631a7c8aef094f791937b905949e3460240e8bfa6fa483115a1b310b6e4369caebc5262888377b1ddaa5800ea496a2bdff0f9a1031e7129c9a20e35621e7f0b8baca0d87030f2ae7ca8593c8599677a06fd4b26009ead08fecac24caa9cf2cad3b470c8227415a7b1e0f2eab3fad96d70a209c8bb26c627677e2531b9435ca6e3c444d195b5f",
"162ad50ee64a0702aa551f571dedc16b2c1b6a1e4d4b5eee",
"24408038161a2ccae07b029bb66355c1",
"be8abf00901363987a82cc77d0ec91697ba3857f9e4f84bd79406c138d02698f003276d0449120bef4578d78fecabe8e070e11710b3f0a2744bd52434ec70015884c181ebdfd51c604a71c52e4c0e110bc408cd462b248a80b8a8ac06bb952ac1d7faed144807f1a731b7febcaf7835762defe92eccfc7a9944e1c702cffe6bc86733ed321423121085ac02df8962bcbc1937092eebf0e90a8b20e3dd8c244ae",
"c82cf2c476dea8cb6a6e607a40d2f0391be82ea9ec84a537a6820f9afb997b76397d005424faa6a74dc4e8c7aa4a8900690f894b6d1dca80675393d2243adac762f159301e357e98b724762310cd5a7bafe1c2a030dba46fd93a9fdb89cc132ca9c17dc72031ec6822ee5a9d99dbca66c784c01b0885cbb62e29d97801927ec415a5d215158d325f9ee689437ad1b7684ad33c0d92739451ac87f39ff8c31b84",
/*
* From NIST validation suite "Multiblock Message Test"
* (cbcmmt256.rsp).
*/
"6ed76d2d97c69fd1339589523931f2a6cff554b15f738f21ec72dd97a7330907",
"851e8764776e6796aab722dbb644ace8",
"6282b8c05c5c1530b97d4816ca434762",
"6acc04142e100a65f51b97adf5172c41",
"dce26c6b4cfb286510da4eecd2cffe6cdf430f33db9b5f77b460679bd49d13ae",
"fdeaa134c8d7379d457175fd1a57d3fc",
"50e9eee1ac528009e8cbcd356975881f957254b13f91d7c6662d10312052eb00",
"2fa0df722a9fd3b64cb18fb2b3db55ff2267422757289413f8f657507412a64c",
"fe8901fecd3ccd2ec5fdc7c7a0b50519c245b42d611a5ef9e90268d59f3edf33",
"bd416cb3b9892228d8f1df575692e4d0",
"8d3aa196ec3d7c9b5bb122e7fe77fb1295a6da75abe5d3a510194d3a8a4157d5c89d40619716619859da3ec9b247ced9",
"608e82c7ab04007adb22e389a44797fed7de090c8c03ca8a2c5acd9e84df37fbc58ce8edb293e98f02b640d6d1d72464",
"0493ff637108af6a5b8e90ac1fdf035a3d4bafd1afb573be7ade9e8682e663e5",
"c0cd2bebccbb6c49920bd5482ac756e8",
"8b37f9148df4bb25956be6310c73c8dc58ea9714ff49b643107b34c9bff096a94fedd6823526abc27a8e0b16616eee254ab4567dd68e8ccd4c38ac563b13639c",
"05d5c77729421b08b737e41119fa4438d1f570cc772a4d6c3df7ffeda0384ef84288ce37fc4c4c7d1125a499b051364c389fd639bdda647daa3bdadab2eb5594",
"9adc8fbd506e032af7fa20cf5343719de6d1288c158c63d6878aaf64ce26ca85",
"11958dc6ab81e1c7f01631e9944e620f",
"c7917f84f747cd8c4b4fedc2219bdbc5f4d07588389d8248854cf2c2f89667a2d7bcf53e73d32684535f42318e24cd45793950b3825e5d5c5c8fcd3e5dda4ce9246d18337ef3052d8b21c5561c8b660e",
"9c99e68236bb2e929db1089c7750f1b356d39ab9d0c40c3e2f05108ae9d0c30b04832ccdbdc08ebfa426b7f5efde986ed05784ce368193bb3699bc691065ac62e258b9aa4cc557e2b45b49ce05511e65",
"73b8faf00b3302ac99855cf6f9e9e48518690a5906a4869d4dcf48d282faae2a",
"b3cb97a80a539912b8c21f450d3b9395",
"3adea6e06e42c4f041021491f2775ef6378cb08824165edc4f6448e232175b60d0345b9f9c78df6596ec9d22b7b9e76e8f3c76b32d5d67273f1d83fe7a6fc3dd3c49139170fa5701b3beac61b490f0a9e13f844640c4500f9ad3087adfb0ae10",
"ac3d6dbafe2e0f740632fd9e820bf6044cd5b1551cbb9cc03c0b25c39ccb7f33b83aacfca40a3265f2bbff879153448acacb88fcfb3bb7b10fe463a68c0109f028382e3e557b1adf02ed648ab6bb895df0205d26ebbfa9a5fd8cebd8e4bee3dc",
"9ddf3745896504ff360a51a3eb49c01b79fccebc71c3abcb94a949408b05b2c9",
"e79026639d4aa230b5ccffb0b29d79bc",
"cf52e5c3954c51b94c9e38acb8c9a7c76aebdaa9943eae0a1ce155a2efdb4d46985d935511471452d9ee64d2461cb2991d59fc0060697f9a671672163230f367fed1422316e52d29eceacb8768f56d9b80f6d278093c9a8acd3cfd7edd8ebd5c293859f64d2f8486ae1bd593c65bc014",
"34df561bd2cfebbcb7af3b4b8d21ca5258312e7e2e4e538e35ad2490b6112f0d7f148f6aa8d522a7f3c61d785bd667db0e1dc4606c318ea4f26af4fe7d11d4dcff0456511b4aed1a0d91ba4a1fd6cd9029187bc5881a5a07fe02049d39368e83139b12825bae2c7be81e6f12c61bb5c5",
"458b67bf212d20f3a57fce392065582dcefbf381aa22949f8338ab9052260e1d",
"4c12effc5963d40459602675153e9649",
"256fd73ce35ae3ea9c25dd2a9454493e96d8633fe633b56176dce8785ce5dbbb84dbf2c8a2eeb1e96b51899605e4f13bbc11b93bf6f39b3469be14858b5b720d4a522d36feed7a329c9b1e852c9280c47db8039c17c4921571a07d1864128330e09c308ddea1694e95c84500f1a61e614197e86a30ecc28df64ccb3ccf5437aa",
"90b7b9630a2378f53f501ab7beff039155008071bc8438e789932cfd3eb1299195465e6633849463fdb44375278e2fdb1310821e6492cf80ff15cb772509fb426f3aeee27bd4938882fd2ae6b5bd9d91fa4a43b17bb439ebbe59c042310163a82a5fe5388796eee35a181a1271f00be29b852d8fa759bad01ff4678f010594cd",
"d2412db0845d84e5732b8bbd642957473b81fb99ca8bff70e7920d16c1dbec89",
"51c619fcf0b23f0c7925f400a6cacb6d",
"026006c4a71a180c9929824d9d095b8faaa86fc4fa25ecac61d85ff6de92dfa8702688c02a282c1b8af4449707f22d75e91991015db22374c95f8f195d5bb0afeb03040ff8965e0e1339dba5653e174f8aa5a1b39fe3ac839ce307a4e44b4f8f1b0063f738ec18acdbff2ebfe07383e734558723e741f0a1836dafdf9de82210a9248bc113b3c1bc8b4e252ca01bd803",
"0254b23463bcabec5a395eb74c8fb0eb137a07bc6f5e9f61ec0b057de305714f8fa294221c91a159c315939b81e300ee902192ec5f15254428d8772f79324ec43298ca21c00b370273ee5e5ed90e43efa1e05a5d171209fe34f9f29237dba2a6726650fd3b1321747d1208863c6c3c6b3e2d879ab5f25782f08ba8f2abbe63e0bedb4a227e81afb36bb6645508356d34",
"48be597e632c16772324c8d3fa1d9c5a9ecd010f14ec5d110d3bfec376c5532b",
"d6d581b8cf04ebd3b6eaa1b53f047ee1",
"0c63d413d3864570e70bb6618bf8a4b9585586688c32bba0a5ecc1362fada74ada32c52acfd1aa7444ba567b4e7daaecf7cc1cb29182af164ae5232b002868695635599807a9a7f07a1f137e97b1e1c9dabc89b6a5e4afa9db5855edaa575056a8f4f8242216242bb0c256310d9d329826ac353d715fa39f80cec144d6424558f9f70b98c920096e0f2c855d594885a00625880e9dfb734163cecef72cf030b8",
"fc5873e50de8faf4c6b84ba707b0854e9db9ab2e9f7d707fbba338c6843a18fc6facebaf663d26296fb329b4d26f18494c79e09e779647f9bafa87489630d79f4301610c2300c19dbf3148b7cac8c4f4944102754f332e92b6f7c5e75bc6179eb877a078d4719009021744c14f13fd2a55a2b9c44d18000685a845a4f632c7c56a77306efa66a24d05d088dcd7c13fe24fc447275965db9e4d37fbc9304448cd",
/*
* End-of-table marker.
*/
NULL
};
/*
* AES known-answer tests for CTR. Order: key, IV, plaintext, ciphertext.
*/
static const char *const KAT_AES_CTR[] = {
/*
* From RFC 3686.
*/
"ae6852f8121067cc4bf7a5765577f39e",
"000000300000000000000000",
"53696e676c6520626c6f636b206d7367",
"e4095d4fb7a7b3792d6175a3261311b8",
"7e24067817fae0d743d6ce1f32539163",
"006cb6dbc0543b59da48d90b",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
"5104a106168a72d9790d41ee8edad388eb2e1efc46da57c8fce630df9141be28",
"7691be035e5020a8ac6e618529f9a0dc",
"00e0017b27777f3f4a1786f0",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20212223",
"c1cf48a89f2ffdd9cf4652e9efdb72d74540a42bde6d7836d59a5ceaaef3105325b2072f",
"16af5b145fc9f579c175f93e3bfb0eed863d06ccfdb78515",
"0000004836733c147d6d93cb",
"53696e676c6520626c6f636b206d7367",
"4b55384fe259c9c84e7935a003cbe928",
"7c5cb2401b3dc33c19e7340819e0f69c678c3db8e6f6a91a",
"0096b03b020c6eadc2cb500d",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
"453243fc609b23327edfaafa7131cd9f8490701c5ad4a79cfc1fe0ff42f4fb00",
"02bf391ee8ecb159b959617b0965279bf59b60a786d3e0fe",
"0007bdfd5cbd60278dcc0912",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20212223",
"96893fc55e5c722f540b7dd1ddf7e758d288bc95c69165884536c811662f2188abee0935",
"776beff2851db06f4c8a0542c8696f6c6a81af1eec96b4d37fc1d689e6c1c104",
"00000060db5672c97aa8f0b2",
"53696e676c6520626c6f636b206d7367",
"145ad01dbf824ec7560863dc71e3e0c0",
"f6d66d6bd52d59bb0796365879eff886c66dd51a5b6a99744b50590c87a23884",
"00faac24c1585ef15a43d875",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
"f05e231b3894612c49ee000b804eb2a9b8306b508f839d6a5530831d9344af1c",
"ff7a617ce69148e4f1726e2f43581de2aa62d9f805532edff1eed687fb54153d",
"001cc5b751a51d70a1c11148",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20212223",
"eb6c52821d0bbbf7ce7594462aca4faab407df866569fd07f48cc0b583d6071f1ec0e6b8",
/*
* End-of-table marker.
*/
NULL
};
static void
monte_carlo_AES_encrypt(const br_block_cbcenc_class *ve,
char *skey, char *splain, char *scipher)
{
unsigned char key[32];
unsigned char buf[16];
unsigned char pbuf[16];
unsigned char cipher[16];
size_t key_len;
int i, j, k;
br_aes_gen_cbcenc_keys v_ec;
const br_block_cbcenc_class **ec;
ec = &v_ec.vtable;
key_len = hextobin(key, skey);
hextobin(buf, splain);
hextobin(cipher, scipher);
for (i = 0; i < 100; i ++) {
ve->init(ec, key, key_len);
for (j = 0; j < 1000; j ++) {
unsigned char iv[16];
memcpy(pbuf, buf, sizeof buf);
memset(iv, 0, sizeof iv);
ve->run(ec, iv, buf, sizeof buf);
}
switch (key_len) {
case 16:
for (k = 0; k < 16; k ++) {
key[k] ^= buf[k];
}
break;
case 24:
for (k = 0; k < 8; k ++) {
key[k] ^= pbuf[8 + k];
}
for (k = 0; k < 16; k ++) {
key[8 + k] ^= buf[k];
}
break;
default:
for (k = 0; k < 16; k ++) {
key[k] ^= pbuf[k];
key[16 + k] ^= buf[k];
}
break;
}
printf(".");
fflush(stdout);
}
printf(" ");
fflush(stdout);
check_equals("MC AES encrypt", buf, cipher, sizeof buf);
}
static void
monte_carlo_AES_decrypt(const br_block_cbcdec_class *vd,
char *skey, char *scipher, char *splain)
{
unsigned char key[32];
unsigned char buf[16];
unsigned char pbuf[16];
unsigned char plain[16];
size_t key_len;
int i, j, k;
br_aes_gen_cbcdec_keys v_dc;
const br_block_cbcdec_class **dc;
dc = &v_dc.vtable;
key_len = hextobin(key, skey);
hextobin(buf, scipher);
hextobin(plain, splain);
for (i = 0; i < 100; i ++) {
vd->init(dc, key, key_len);
for (j = 0; j < 1000; j ++) {
unsigned char iv[16];
memcpy(pbuf, buf, sizeof buf);
memset(iv, 0, sizeof iv);
vd->run(dc, iv, buf, sizeof buf);
}
switch (key_len) {
case 16:
for (k = 0; k < 16; k ++) {
key[k] ^= buf[k];
}
break;
case 24:
for (k = 0; k < 8; k ++) {
key[k] ^= pbuf[8 + k];
}
for (k = 0; k < 16; k ++) {
key[8 + k] ^= buf[k];
}
break;
default:
for (k = 0; k < 16; k ++) {
key[k] ^= pbuf[k];
key[16 + k] ^= buf[k];
}
break;
}
printf(".");
fflush(stdout);
}
printf(" ");
fflush(stdout);
check_equals("MC AES decrypt", buf, plain, sizeof buf);
}
static void
test_AES_generic(char *name,
const br_block_cbcenc_class *ve,
const br_block_cbcdec_class *vd,
const br_block_ctr_class *vc,
int with_MC, int with_CBC)
{
size_t u;
printf("Test %s: ", name);
fflush(stdout);
if (ve->block_size != 16 || vd->block_size != 16
|| ve->log_block_size != 4 || vd->log_block_size != 4)
{
fprintf(stderr, "%s failed: wrong block size\n", name);
exit(EXIT_FAILURE);
}
for (u = 0; KAT_AES[u]; u += 3) {
unsigned char key[32];
unsigned char plain[16];
unsigned char cipher[16];
unsigned char buf[16];
unsigned char iv[16];
size_t key_len;
br_aes_gen_cbcenc_keys v_ec;
br_aes_gen_cbcdec_keys v_dc;
const br_block_cbcenc_class **ec;
const br_block_cbcdec_class **dc;
ec = &v_ec.vtable;
dc = &v_dc.vtable;
key_len = hextobin(key, KAT_AES[u]);
hextobin(plain, KAT_AES[u + 1]);
hextobin(cipher, KAT_AES[u + 2]);
ve->init(ec, key, key_len);
memcpy(buf, plain, sizeof plain);
memset(iv, 0, sizeof iv);
ve->run(ec, iv, buf, sizeof buf);
check_equals("KAT AES encrypt", buf, cipher, sizeof cipher);
vd->init(dc, key, key_len);
memset(iv, 0, sizeof iv);
vd->run(dc, iv, buf, sizeof buf);
check_equals("KAT AES decrypt", buf, plain, sizeof plain);
}
if (with_CBC) {
for (u = 0; KAT_AES_CBC[u]; u += 4) {
unsigned char key[32];
unsigned char ivref[16];
unsigned char plain[200];
unsigned char cipher[200];
unsigned char buf[200];
unsigned char iv[16];
size_t key_len, data_len, v;
br_aes_gen_cbcenc_keys v_ec;
br_aes_gen_cbcdec_keys v_dc;
const br_block_cbcenc_class **ec;
const br_block_cbcdec_class **dc;
ec = &v_ec.vtable;
dc = &v_dc.vtable;
key_len = hextobin(key, KAT_AES_CBC[u]);
hextobin(ivref, KAT_AES_CBC[u + 1]);
data_len = hextobin(plain, KAT_AES_CBC[u + 2]);
hextobin(cipher, KAT_AES_CBC[u + 3]);
ve->init(ec, key, key_len);
memcpy(buf, plain, data_len);
memcpy(iv, ivref, 16);
ve->run(ec, iv, buf, data_len);
check_equals("KAT CBC AES encrypt",
buf, cipher, data_len);
vd->init(dc, key, key_len);
memcpy(iv, ivref, 16);
vd->run(dc, iv, buf, data_len);
check_equals("KAT CBC AES decrypt",
buf, plain, data_len);
memcpy(buf, plain, data_len);
memcpy(iv, ivref, 16);
for (v = 0; v < data_len; v += 16) {
ve->run(ec, iv, buf + v, 16);
}
check_equals("KAT CBC AES encrypt (2)",
buf, cipher, data_len);
memcpy(iv, ivref, 16);
for (v = 0; v < data_len; v += 16) {
vd->run(dc, iv, buf + v, 16);
}
check_equals("KAT CBC AES decrypt (2)",
buf, plain, data_len);
}
/*
* We want to check proper IV management for CBC:
* encryption and decryption must properly copy the _last_
* encrypted block as new IV, for all sizes.
*/
for (u = 1; u <= 35; u ++) {
br_hmac_drbg_context rng;
unsigned char x;
size_t key_len, data_len;
size_t v;
br_hmac_drbg_init(&rng, &br_sha256_vtable,
"seed for AES/CBC", 16);
x = u;
br_hmac_drbg_update(&rng, &x, 1);
data_len = u << 4;
for (key_len = 16; key_len <= 32; key_len += 16) {
unsigned char key[32];
unsigned char iv[16], iv1[16], iv2[16];
unsigned char plain[35 * 16];
unsigned char tmp1[sizeof plain];
unsigned char tmp2[sizeof plain];
br_aes_gen_cbcenc_keys v_ec;
br_aes_gen_cbcdec_keys v_dc;
const br_block_cbcenc_class **ec;
const br_block_cbcdec_class **dc;
br_hmac_drbg_generate(&rng, key, key_len);
br_hmac_drbg_generate(&rng, iv, sizeof iv);
br_hmac_drbg_generate(&rng, plain, data_len);
ec = &v_ec.vtable;
ve->init(ec, key, key_len);
memcpy(iv1, iv, sizeof iv);
memcpy(tmp1, plain, data_len);
ve->run(ec, iv1, tmp1, data_len);
check_equals("IV CBC AES (1)",
tmp1 + data_len - 16, iv1, 16);
memcpy(iv2, iv, sizeof iv);
memcpy(tmp2, plain, data_len);
for (v = 0; v < data_len; v += 16) {
ve->run(ec, iv2, tmp2 + v, 16);
}
check_equals("IV CBC AES (2)",
tmp2 + data_len - 16, iv2, 16);
check_equals("IV CBC AES (3)",
tmp1, tmp2, data_len);
dc = &v_dc.vtable;
vd->init(dc, key, key_len);
memcpy(iv1, iv, sizeof iv);
vd->run(dc, iv1, tmp1, data_len);
check_equals("IV CBC AES (4)", iv1, iv2, 16);
check_equals("IV CBC AES (5)",
tmp1, plain, data_len);
memcpy(iv2, iv, sizeof iv);
for (v = 0; v < data_len; v += 16) {
vd->run(dc, iv2, tmp2 + v, 16);
}
check_equals("IV CBC AES (6)", iv1, iv2, 16);
check_equals("IV CBC AES (7)",
tmp2, plain, data_len);
}
}
}
if (vc != NULL) {
if (vc->block_size != 16 || vc->log_block_size != 4) {
fprintf(stderr, "%s failed: wrong block size\n", name);
exit(EXIT_FAILURE);
}
for (u = 0; KAT_AES_CTR[u]; u += 4) {
unsigned char key[32];
unsigned char iv[12];
unsigned char plain[200];
unsigned char cipher[200];
unsigned char buf[200];
size_t key_len, data_len, v;
uint32_t c;
br_aes_gen_ctr_keys v_xc;
const br_block_ctr_class **xc;
xc = &v_xc.vtable;
key_len = hextobin(key, KAT_AES_CTR[u]);
hextobin(iv, KAT_AES_CTR[u + 1]);
data_len = hextobin(plain, KAT_AES_CTR[u + 2]);
hextobin(cipher, KAT_AES_CTR[u + 3]);
vc->init(xc, key, key_len);
memcpy(buf, plain, data_len);
vc->run(xc, iv, 1, buf, data_len);
check_equals("KAT CTR AES (1)", buf, cipher, data_len);
vc->run(xc, iv, 1, buf, data_len);
check_equals("KAT CTR AES (2)", buf, plain, data_len);
memcpy(buf, plain, data_len);
c = 1;
for (v = 0; v < data_len; v += 32) {
size_t clen;
clen = data_len - v;
if (clen > 32) {
clen = 32;
}
c = vc->run(xc, iv, c, buf + v, clen);
}
check_equals("KAT CTR AES (3)", buf, cipher, data_len);
memcpy(buf, plain, data_len);
c = 1;
for (v = 0; v < data_len; v += 16) {
size_t clen;
clen = data_len - v;
if (clen > 16) {
clen = 16;
}
c = vc->run(xc, iv, c, buf + v, clen);
}
check_equals("KAT CTR AES (4)", buf, cipher, data_len);
}
}
if (with_MC) {
monte_carlo_AES_encrypt(
ve,
"139a35422f1d61de3c91787fe0507afd",
"b9145a768b7dc489a096b546f43b231f",
"fb2649694783b551eacd9d5db6126d47");
monte_carlo_AES_decrypt(
vd,
"0c60e7bf20ada9baa9e1ddf0d1540726",
"b08a29b11a500ea3aca42c36675b9785",
"d1d2bfdc58ffcad2341b095bce55221e");
monte_carlo_AES_encrypt(
ve,
"b9a63e09e1dfc42e93a90d9bad739e5967aef672eedd5da9",
"85a1f7a58167b389cddc8a9ff175ee26",
"5d1196da8f184975e240949a25104554");
monte_carlo_AES_decrypt(
vd,
"4b97585701c03fbebdfa8555024f589f1482c58a00fdd9fd",
"d0bd0e02ded155e4516be83f42d347a4",
"b63ef1b79507a62eba3dafcec54a6328");
monte_carlo_AES_encrypt(
ve,
"f9e8389f5b80712e3886cc1fa2d28a3b8c9cd88a2d4a54c6aa86ce0fef944be0",
"b379777f9050e2a818f2940cbbd9aba4",
"c5d2cb3d5b7ff0e23e308967ee074825");
monte_carlo_AES_decrypt(
vd,
"2b09ba39b834062b9e93f48373b8dd018dedf1e5ba1b8af831ebbacbc92a2643",
"89649bd0115f30bd878567610223a59d",
"e3d3868f578caf34e36445bf14cefc68");
}
printf("done.\n");
fflush(stdout);
}
static void
test_AES_big(void)
{
test_AES_generic("AES_big",
&br_aes_big_cbcenc_vtable,
&br_aes_big_cbcdec_vtable,
&br_aes_big_ctr_vtable,
1, 1);
}
static void
test_AES_small(void)
{
test_AES_generic("AES_small",
&br_aes_small_cbcenc_vtable,
&br_aes_small_cbcdec_vtable,
&br_aes_small_ctr_vtable,
1, 1);
}
static void
test_AES_ct(void)
{
test_AES_generic("AES_ct",
&br_aes_ct_cbcenc_vtable,
&br_aes_ct_cbcdec_vtable,
&br_aes_ct_ctr_vtable,
1, 1);
}
static void
test_AES_ct64(void)
{
test_AES_generic("AES_ct64",
&br_aes_ct64_cbcenc_vtable,
&br_aes_ct64_cbcdec_vtable,
&br_aes_ct64_ctr_vtable,
1, 1);
}
static void
test_AES_x86ni(void)
{
const br_block_cbcenc_class *x_cbcenc;
const br_block_cbcdec_class *x_cbcdec;
const br_block_ctr_class *x_ctr;
int hcbcenc, hcbcdec, hctr;
x_cbcenc = br_aes_x86ni_cbcenc_get_vtable();
x_cbcdec = br_aes_x86ni_cbcdec_get_vtable();
x_ctr = br_aes_x86ni_ctr_get_vtable();
hcbcenc = (x_cbcenc != NULL);
hcbcdec = (x_cbcdec != NULL);
hctr = (x_ctr != NULL);
if (hcbcenc != hctr || hcbcdec != hctr) {
fprintf(stderr, "AES_x86ni availability mismatch (%d/%d/%d)\n",
hcbcenc, hcbcdec, hctr);
exit(EXIT_FAILURE);
}
if (hctr) {
test_AES_generic("AES_x86ni",
x_cbcenc, x_cbcdec, x_ctr, 1, 1);
} else {
printf("Test AES_x86ni: UNAVAILABLE\n");
}
}
static void
test_AES_pwr8(void)
{
const br_block_cbcenc_class *x_cbcenc;
const br_block_cbcdec_class *x_cbcdec;
const br_block_ctr_class *x_ctr;
int hcbcenc, hcbcdec, hctr;
x_cbcenc = br_aes_pwr8_cbcenc_get_vtable();
x_cbcdec = br_aes_pwr8_cbcdec_get_vtable();
x_ctr = br_aes_pwr8_ctr_get_vtable();
hcbcenc = (x_cbcenc != NULL);
hcbcdec = (x_cbcdec != NULL);
hctr = (x_ctr != NULL);
if (hcbcenc != hctr || hcbcdec != hctr) {
fprintf(stderr, "AES_pwr8 availability mismatch (%d/%d/%d)\n",
hcbcenc, hcbcdec, hctr);
exit(EXIT_FAILURE);
}
if (hctr) {
test_AES_generic("AES_pwr8",
x_cbcenc, x_cbcdec, x_ctr, 1, 1);
} else {
printf("Test AES_pwr8: UNAVAILABLE\n");
}
}
/*
* Custom CTR + CBC-MAC AES implementation. Can also do CTR-only, and
* CBC-MAC-only. The 'aes_big' implementation (CTR) is used. This is
* meant for comparisons.
*
* If 'ctr' is NULL then no encryption/decryption is done; otherwise,
* CTR encryption/decryption is performed (full-block counter) and the
* 'ctr' array is updated with the new counter value.
*
* If 'cbcmac' is NULL then no CBC-MAC is done; otherwise, CBC-MAC is
* applied on the encrypted data, with 'cbcmac' as IV and destination
* buffer for the output. If 'ctr' is not NULL and 'encrypt' is non-zero,
* then CBC-MAC is computed over the result of CTR processing; otherwise,
* CBC-MAC is computed over the input data itself.
*/
static void
do_aes_ctrcbc(const void *key, size_t key_len, int encrypt,
void *ctr, void *cbcmac, unsigned char *data, size_t len)
{
br_aes_big_ctr_keys bc;
int i;
br_aes_big_ctr_init(&bc, key, key_len);
for (i = 0; i < 2; i ++) {
/*
* CBC-MAC is computed on the encrypted data, so in
* first pass if decrypting, second pass if encrypting.
*/
if (cbcmac != NULL
&& ((encrypt && i == 1) || (!encrypt && i == 0)))
{
unsigned char zz[16];
size_t u;
memcpy(zz, cbcmac, sizeof zz);
for (u = 0; u < len; u += 16) {
unsigned char tmp[16];
size_t v;
for (v = 0; v < 16; v ++) {
tmp[v] = zz[v] ^ data[u + v];
}
memset(zz, 0, sizeof zz);
br_aes_big_ctr_run(&bc,
tmp, br_dec32be(tmp + 12), zz, 16);
}
memcpy(cbcmac, zz, sizeof zz);
}
/*
* CTR encryption/decryption is done only in the first pass.
* We process data block per block, because the CTR-only
* class uses a 32-bit counter, while the CTR+CBC-MAC
* class uses a 128-bit counter.
*/
if (ctr != NULL && i == 0) {
unsigned char zz[16];
size_t u;
memcpy(zz, ctr, sizeof zz);
for (u = 0; u < len; u += 16) {
int i;
br_aes_big_ctr_run(&bc,
zz, br_dec32be(zz + 12), data + u, 16);
for (i = 15; i >= 0; i --) {
zz[i] = (zz[i] + 1) & 0xFF;
if (zz[i] != 0) {
break;
}
}
}
memcpy(ctr, zz, sizeof zz);
}
}
}
static void
test_AES_CTRCBC_inner(const char *name, const br_block_ctrcbc_class *vt)
{
br_hmac_drbg_context rng;
size_t key_len;
printf("Test AES CTR/CBC-MAC %s: ", name);
fflush(stdout);
br_hmac_drbg_init(&rng, &br_sha256_vtable, name, strlen(name));
for (key_len = 16; key_len <= 32; key_len += 8) {
br_aes_gen_ctrcbc_keys bc;
unsigned char key[32];
size_t data_len;
br_hmac_drbg_generate(&rng, key, key_len);
vt->init(&bc.vtable, key, key_len);
for (data_len = 0; data_len <= 512; data_len += 16) {
unsigned char plain[512];
unsigned char data1[sizeof plain];
unsigned char data2[sizeof plain];
unsigned char ctr[16], cbcmac[16];
unsigned char ctr1[16], cbcmac1[16];
unsigned char ctr2[16], cbcmac2[16];
int i;
br_hmac_drbg_generate(&rng, plain, data_len);
for (i = 0; i <= 16; i ++) {
if (i == 0) {
br_hmac_drbg_generate(&rng, ctr, 16);
} else {
memset(ctr, 0, i - 1);
memset(ctr + i - 1, 0xFF, 17 - i);
}
br_hmac_drbg_generate(&rng, cbcmac, 16);
memcpy(data1, plain, data_len);
memcpy(ctr1, ctr, 16);
vt->ctr(&bc.vtable, ctr1, data1, data_len);
memcpy(data2, plain, data_len);
memcpy(ctr2, ctr, 16);
do_aes_ctrcbc(key, key_len, 1,
ctr2, NULL, data2, data_len);
check_equals("CTR-only data",
data1, data2, data_len);
check_equals("CTR-only counter",
ctr1, ctr2, 16);
memcpy(data1, plain, data_len);
memcpy(cbcmac1, cbcmac, 16);
vt->mac(&bc.vtable, cbcmac1, data1, data_len);
memcpy(data2, plain, data_len);
memcpy(cbcmac2, cbcmac, 16);
do_aes_ctrcbc(key, key_len, 1,
NULL, cbcmac2, data2, data_len);
check_equals("CBC-MAC-only",
cbcmac1, cbcmac2, 16);
memcpy(data1, plain, data_len);
memcpy(ctr1, ctr, 16);
memcpy(cbcmac1, cbcmac, 16);
vt->encrypt(&bc.vtable,
ctr1, cbcmac1, data1, data_len);
memcpy(data2, plain, data_len);
memcpy(ctr2, ctr, 16);
memcpy(cbcmac2, cbcmac, 16);
do_aes_ctrcbc(key, key_len, 1,
ctr2, cbcmac2, data2, data_len);
check_equals("encrypt: combined data",
data1, data2, data_len);
check_equals("encrypt: combined counter",
ctr1, ctr2, 16);
check_equals("encrypt: combined CBC-MAC",
cbcmac1, cbcmac2, 16);
memcpy(ctr1, ctr, 16);
memcpy(cbcmac1, cbcmac, 16);
vt->decrypt(&bc.vtable,
ctr1, cbcmac1, data1, data_len);
memcpy(ctr2, ctr, 16);
memcpy(cbcmac2, cbcmac, 16);
do_aes_ctrcbc(key, key_len, 0,
ctr2, cbcmac2, data2, data_len);
check_equals("decrypt: combined data",
data1, data2, data_len);
check_equals("decrypt: combined counter",
ctr1, ctr2, 16);
check_equals("decrypt: combined CBC-MAC",
cbcmac1, cbcmac2, 16);
}
printf(".");
fflush(stdout);
}
printf(" ");
fflush(stdout);
}
printf("done.\n");
fflush(stdout);
}
static void
test_AES_CTRCBC_big(void)
{
test_AES_CTRCBC_inner("big", &br_aes_big_ctrcbc_vtable);
}
static void
test_AES_CTRCBC_small(void)
{
test_AES_CTRCBC_inner("small", &br_aes_small_ctrcbc_vtable);
}
static void
test_AES_CTRCBC_ct(void)
{
test_AES_CTRCBC_inner("ct", &br_aes_ct_ctrcbc_vtable);
}
static void
test_AES_CTRCBC_ct64(void)
{
test_AES_CTRCBC_inner("ct64", &br_aes_ct64_ctrcbc_vtable);
}
static void
test_AES_CTRCBC_x86ni(void)
{
const br_block_ctrcbc_class *vt;
vt = br_aes_x86ni_ctrcbc_get_vtable();
if (vt != NULL) {
test_AES_CTRCBC_inner("x86ni", vt);
} else {
printf("Test AES CTR/CBC-MAC x86ni: UNAVAILABLE\n");
}
}
static void
test_AES_CTRCBC_pwr8(void)
{
const br_block_ctrcbc_class *vt;
vt = br_aes_pwr8_ctrcbc_get_vtable();
if (vt != NULL) {
test_AES_CTRCBC_inner("pwr8", vt);
} else {
printf("Test AES CTR/CBC-MAC pwr8: UNAVAILABLE\n");
}
}
/*
* DES known-answer tests. Order: plaintext, key, ciphertext.
* (mostly from NIST SP 800-20).
*/
static const char *const KAT_DES[] = {
"10316E028C8F3B4A", "0000000000000000", "82DCBAFBDEAB6602",
"8000000000000000", "0000000000000000", "95A8D72813DAA94D",
"4000000000000000", "0000000000000000", "0EEC1487DD8C26D5",
"2000000000000000", "0000000000000000", "7AD16FFB79C45926",
"1000000000000000", "0000000000000000", "D3746294CA6A6CF3",
"0800000000000000", "0000000000000000", "809F5F873C1FD761",
"0400000000000000", "0000000000000000", "C02FAFFEC989D1FC",
"0200000000000000", "0000000000000000", "4615AA1D33E72F10",
"0100000000000000", "0000000000000000", "8CA64DE9C1B123A7",
"0080000000000000", "0000000000000000", "2055123350C00858",
"0040000000000000", "0000000000000000", "DF3B99D6577397C8",
"0020000000000000", "0000000000000000", "31FE17369B5288C9",
"0010000000000000", "0000000000000000", "DFDD3CC64DAE1642",
"0008000000000000", "0000000000000000", "178C83CE2B399D94",
"0004000000000000", "0000000000000000", "50F636324A9B7F80",
"0002000000000000", "0000000000000000", "A8468EE3BC18F06D",
"0001000000000000", "0000000000000000", "8CA64DE9C1B123A7",
"0000800000000000", "0000000000000000", "A2DC9E92FD3CDE92",
"0000400000000000", "0000000000000000", "CAC09F797D031287",
"0000200000000000", "0000000000000000", "90BA680B22AEB525",
"0000100000000000", "0000000000000000", "CE7A24F350E280B6",
"0000080000000000", "0000000000000000", "882BFF0AA01A0B87",
"0000040000000000", "0000000000000000", "25610288924511C2",
"0000020000000000", "0000000000000000", "C71516C29C75D170",
"0000010000000000", "0000000000000000", "8CA64DE9C1B123A7",
"0000008000000000", "0000000000000000", "5199C29A52C9F059",
"0000004000000000", "0000000000000000", "C22F0A294A71F29F",
"0000002000000000", "0000000000000000", "EE371483714C02EA",
"0000001000000000", "0000000000000000", "A81FBD448F9E522F",
"0000000800000000", "0000000000000000", "4F644C92E192DFED",
"0000000400000000", "0000000000000000", "1AFA9A66A6DF92AE",
"0000000200000000", "0000000000000000", "B3C1CC715CB879D8",
"0000000100000000", "0000000000000000", "8CA64DE9C1B123A7",
"0000000080000000", "0000000000000000", "19D032E64AB0BD8B",
"0000000040000000", "0000000000000000", "3CFAA7A7DC8720DC",
"0000000020000000", "0000000000000000", "B7265F7F447AC6F3",
"0000000010000000", "0000000000000000", "9DB73B3C0D163F54",
"0000000008000000", "0000000000000000", "8181B65BABF4A975",
"0000000004000000", "0000000000000000", "93C9B64042EAA240",
"0000000002000000", "0000000000000000", "5570530829705592",
"0000000001000000", "0000000000000000", "8CA64DE9C1B123A7",
"0000000000800000", "0000000000000000", "8638809E878787A0",
"0000000000400000", "0000000000000000", "41B9A79AF79AC208",
"0000000000200000", "0000000000000000", "7A9BE42F2009A892",
"0000000000100000", "0000000000000000", "29038D56BA6D2745",
"0000000000080000", "0000000000000000", "5495C6ABF1E5DF51",
"0000000000040000", "0000000000000000", "AE13DBD561488933",
"0000000000020000", "0000000000000000", "024D1FFA8904E389",
"0000000000010000", "0000000000000000", "8CA64DE9C1B123A7",
"0000000000008000", "0000000000000000", "D1399712F99BF02E",
"0000000000004000", "0000000000000000", "14C1D7C1CFFEC79E",
"0000000000002000", "0000000000000000", "1DE5279DAE3BED6F",
"0000000000001000", "0000000000000000", "E941A33F85501303",
"0000000000000800", "0000000000000000", "DA99DBBC9A03F379",
"0000000000000400", "0000000000000000", "B7FC92F91D8E92E9",
"0000000000000200", "0000000000000000", "AE8E5CAA3CA04E85",
"0000000000000100", "0000000000000000", "8CA64DE9C1B123A7",
"0000000000000080", "0000000000000000", "9CC62DF43B6EED74",
"0000000000000040", "0000000000000000", "D863DBB5C59A91A0",
"0000000000000020", "0000000000000000", "A1AB2190545B91D7",
"0000000000000010", "0000000000000000", "0875041E64C570F7",
"0000000000000008", "0000000000000000", "5A594528BEBEF1CC",
"0000000000000004", "0000000000000000", "FCDB3291DE21F0C0",
"0000000000000002", "0000000000000000", "869EFD7F9F265A09",
"0000000000000001", "0000000000000000", "8CA64DE9C1B123A7",
"0000000000000000", "8000000000000000", "95F8A5E5DD31D900",
"0000000000000000", "4000000000000000", "DD7F121CA5015619",
"0000000000000000", "2000000000000000", "2E8653104F3834EA",
"0000000000000000", "1000000000000000", "4BD388FF6CD81D4F",
"0000000000000000", "0800000000000000", "20B9E767B2FB1456",
"0000000000000000", "0400000000000000", "55579380D77138EF",
"0000000000000000", "0200000000000000", "6CC5DEFAAF04512F",
"0000000000000000", "0100000000000000", "0D9F279BA5D87260",
"0000000000000000", "0080000000000000", "D9031B0271BD5A0A",
"0000000000000000", "0040000000000000", "424250B37C3DD951",
"0000000000000000", "0020000000000000", "B8061B7ECD9A21E5",
"0000000000000000", "0010000000000000", "F15D0F286B65BD28",
"0000000000000000", "0008000000000000", "ADD0CC8D6E5DEBA1",
"0000000000000000", "0004000000000000", "E6D5F82752AD63D1",
"0000000000000000", "0002000000000000", "ECBFE3BD3F591A5E",
"0000000000000000", "0001000000000000", "F356834379D165CD",
"0000000000000000", "0000800000000000", "2B9F982F20037FA9",
"0000000000000000", "0000400000000000", "889DE068A16F0BE6",
"0000000000000000", "0000200000000000", "E19E275D846A1298",
"0000000000000000", "0000100000000000", "329A8ED523D71AEC",
"0000000000000000", "0000080000000000", "E7FCE22557D23C97",
"0000000000000000", "0000040000000000", "12A9F5817FF2D65D",
"0000000000000000", "0000020000000000", "A484C3AD38DC9C19",
"0000000000000000", "0000010000000000", "FBE00A8A1EF8AD72",
"0000000000000000", "0000008000000000", "750D079407521363",
"0000000000000000", "0000004000000000", "64FEED9C724C2FAF",
"0000000000000000", "0000002000000000", "F02B263B328E2B60",
"0000000000000000", "0000001000000000", "9D64555A9A10B852",
"0000000000000000", "0000000800000000", "D106FF0BED5255D7",
"0000000000000000", "0000000400000000", "E1652C6B138C64A5",
"0000000000000000", "0000000200000000", "E428581186EC8F46",
"0000000000000000", "0000000100000000", "AEB5F5EDE22D1A36",
"0000000000000000", "0000000080000000", "E943D7568AEC0C5C",
"0000000000000000", "0000000040000000", "DF98C8276F54B04B",
"0000000000000000", "0000000020000000", "B160E4680F6C696F",
"0000000000000000", "0000000010000000", "FA0752B07D9C4AB8",
"0000000000000000", "0000000008000000", "CA3A2B036DBC8502",
"0000000000000000", "0000000004000000", "5E0905517BB59BCF",
"0000000000000000", "0000000002000000", "814EEB3B91D90726",
"0000000000000000", "0000000001000000", "4D49DB1532919C9F",
"0000000000000000", "0000000000800000", "25EB5FC3F8CF0621",
"0000000000000000", "0000000000400000", "AB6A20C0620D1C6F",
"0000000000000000", "0000000000200000", "79E90DBC98F92CCA",
"0000000000000000", "0000000000100000", "866ECEDD8072BB0E",
"0000000000000000", "0000000000080000", "8B54536F2F3E64A8",
"0000000000000000", "0000000000040000", "EA51D3975595B86B",
"0000000000000000", "0000000000020000", "CAFFC6AC4542DE31",
"0000000000000000", "0000000000010000", "8DD45A2DDF90796C",
"0000000000000000", "0000000000008000", "1029D55E880EC2D0",
"0000000000000000", "0000000000004000", "5D86CB23639DBEA9",
"0000000000000000", "0000000000002000", "1D1CA853AE7C0C5F",
"0000000000000000", "0000000000001000", "CE332329248F3228",
"0000000000000000", "0000000000000800", "8405D1ABE24FB942",
"0000000000000000", "0000000000000400", "E643D78090CA4207",
"0000000000000000", "0000000000000200", "48221B9937748A23",
"0000000000000000", "0000000000000100", "DD7C0BBD61FAFD54",
"0000000000000000", "0000000000000080", "2FBC291A570DB5C4",
"0000000000000000", "0000000000000040", "E07C30D7E4E26E12",
"0000000000000000", "0000000000000020", "0953E2258E8E90A1",
"0000000000000000", "0000000000000010", "5B711BC4CEEBF2EE",
"0000000000000000", "0000000000000008", "CC083F1E6D9E85F6",
"0000000000000000", "0000000000000004", "D2FD8867D50D2DFE",
"0000000000000000", "0000000000000002", "06E7EA22CE92708F",
"0000000000000000", "0000000000000001", "166B40B44ABA4BD6",
"0000000000000000", "0000000000000000", "8CA64DE9C1B123A7",
"0101010101010101", "0101010101010101", "994D4DC157B96C52",
"0202020202020202", "0202020202020202", "E127C2B61D98E6E2",
"0303030303030303", "0303030303030303", "984C91D78A269CE3",
"0404040404040404", "0404040404040404", "1F4570BB77550683",
"0505050505050505", "0505050505050505", "3990ABF98D672B16",
"0606060606060606", "0606060606060606", "3F5150BBA081D585",
"0707070707070707", "0707070707070707", "C65242248C9CF6F2",
"0808080808080808", "0808080808080808", "10772D40FAD24257",
"0909090909090909", "0909090909090909", "F0139440647A6E7B",
"0A0A0A0A0A0A0A0A", "0A0A0A0A0A0A0A0A", "0A288603044D740C",
"0B0B0B0B0B0B0B0B", "0B0B0B0B0B0B0B0B", "6359916942F7438F",
"0C0C0C0C0C0C0C0C", "0C0C0C0C0C0C0C0C", "934316AE443CF08B",
"0D0D0D0D0D0D0D0D", "0D0D0D0D0D0D0D0D", "E3F56D7F1130A2B7",
"0E0E0E0E0E0E0E0E", "0E0E0E0E0E0E0E0E", "A2E4705087C6B6B4",
"0F0F0F0F0F0F0F0F", "0F0F0F0F0F0F0F0F", "D5D76E09A447E8C3",
"1010101010101010", "1010101010101010", "DD7515F2BFC17F85",
"1111111111111111", "1111111111111111", "F40379AB9E0EC533",
"1212121212121212", "1212121212121212", "96CD27784D1563E5",
"1313131313131313", "1313131313131313", "2911CF5E94D33FE1",
"1414141414141414", "1414141414141414", "377B7F7CA3E5BBB3",
"1515151515151515", "1515151515151515", "701AA63832905A92",
"1616161616161616", "1616161616161616", "2006E716C4252D6D",
"1717171717171717", "1717171717171717", "452C1197422469F8",
"1818181818181818", "1818181818181818", "C33FD1EB49CB64DA",
"1919191919191919", "1919191919191919", "7572278F364EB50D",
"1A1A1A1A1A1A1A1A", "1A1A1A1A1A1A1A1A", "69E51488403EF4C3",
"1B1B1B1B1B1B1B1B", "1B1B1B1B1B1B1B1B", "FF847E0ADF192825",
"1C1C1C1C1C1C1C1C", "1C1C1C1C1C1C1C1C", "521B7FB3B41BB791",
"1D1D1D1D1D1D1D1D", "1D1D1D1D1D1D1D1D", "26059A6A0F3F6B35",
"1E1E1E1E1E1E1E1E", "1E1E1E1E1E1E1E1E", "F24A8D2231C77538",
"1F1F1F1F1F1F1F1F", "1F1F1F1F1F1F1F1F", "4FD96EC0D3304EF6",
"2020202020202020", "2020202020202020", "18A9D580A900B699",
"2121212121212121", "2121212121212121", "88586E1D755B9B5A",
"2222222222222222", "2222222222222222", "0F8ADFFB11DC2784",
"2323232323232323", "2323232323232323", "2F30446C8312404A",
"2424242424242424", "2424242424242424", "0BA03D9E6C196511",
"2525252525252525", "2525252525252525", "3E55E997611E4B7D",
"2626262626262626", "2626262626262626", "B2522FB5F158F0DF",
"2727272727272727", "2727272727272727", "2109425935406AB8",
"2828282828282828", "2828282828282828", "11A16028F310FF16",
"2929292929292929", "2929292929292929", "73F0C45F379FE67F",
"2A2A2A2A2A2A2A2A", "2A2A2A2A2A2A2A2A", "DCAD4338F7523816",
"2B2B2B2B2B2B2B2B", "2B2B2B2B2B2B2B2B", "B81634C1CEAB298C",
"2C2C2C2C2C2C2C2C", "2C2C2C2C2C2C2C2C", "DD2CCB29B6C4C349",
"2D2D2D2D2D2D2D2D", "2D2D2D2D2D2D2D2D", "7D07A77A2ABD50A7",
"2E2E2E2E2E2E2E2E", "2E2E2E2E2E2E2E2E", "30C1B0C1FD91D371",
"2F2F2F2F2F2F2F2F", "2F2F2F2F2F2F2F2F", "C4427B31AC61973B",
"3030303030303030", "3030303030303030", "F47BB46273B15EB5",
"3131313131313131", "3131313131313131", "655EA628CF62585F",
"3232323232323232", "3232323232323232", "AC978C247863388F",
"3333333333333333", "3333333333333333", "0432ED386F2DE328",
"3434343434343434", "3434343434343434", "D254014CB986B3C2",
"3535353535353535", "3535353535353535", "B256E34BEDB49801",
"3636363636363636", "3636363636363636", "37F8759EB77E7BFC",
"3737373737373737", "3737373737373737", "5013CA4F62C9CEA0",
"3838383838383838", "3838383838383838", "8940F7B3EACA5939",
"3939393939393939", "3939393939393939", "E22B19A55086774B",
"3A3A3A3A3A3A3A3A", "3A3A3A3A3A3A3A3A", "B04A2AAC925ABB0B",
"3B3B3B3B3B3B3B3B", "3B3B3B3B3B3B3B3B", "8D250D58361597FC",
"3C3C3C3C3C3C3C3C", "3C3C3C3C3C3C3C3C", "51F0114FB6A6CD37",
"3D3D3D3D3D3D3D3D", "3D3D3D3D3D3D3D3D", "9D0BB4DB830ECB73",
"3E3E3E3E3E3E3E3E", "3E3E3E3E3E3E3E3E", "E96089D6368F3E1A",
"3F3F3F3F3F3F3F3F", "3F3F3F3F3F3F3F3F", "5C4CA877A4E1E92D",
"4040404040404040", "4040404040404040", "6D55DDBC8DEA95FF",
"4141414141414141", "4141414141414141", "19DF84AC95551003",
"4242424242424242", "4242424242424242", "724E7332696D08A7",
"4343434343434343", "4343434343434343", "B91810B8CDC58FE2",
"4444444444444444", "4444444444444444", "06E23526EDCCD0C4",
"4545454545454545", "4545454545454545", "EF52491D5468D441",
"4646464646464646", "4646464646464646", "48019C59E39B90C5",
"4747474747474747", "4747474747474747", "0544083FB902D8C0",
"4848484848484848", "4848484848484848", "63B15CADA668CE12",
"4949494949494949", "4949494949494949", "EACC0C1264171071",
"4A4A4A4A4A4A4A4A", "4A4A4A4A4A4A4A4A", "9D2B8C0AC605F274",
"4B4B4B4B4B4B4B4B", "4B4B4B4B4B4B4B4B", "C90F2F4C98A8FB2A",
"4C4C4C4C4C4C4C4C", "4C4C4C4C4C4C4C4C", "03481B4828FD1D04",
"4D4D4D4D4D4D4D4D", "4D4D4D4D4D4D4D4D", "C78FC45A1DCEA2E2",
"4E4E4E4E4E4E4E4E", "4E4E4E4E4E4E4E4E", "DB96D88C3460D801",
"4F4F4F4F4F4F4F4F", "4F4F4F4F4F4F4F4F", "6C69E720F5105518",
"5050505050505050", "5050505050505050", "0D262E418BC893F3",
"5151515151515151", "5151515151515151", "6AD84FD7848A0A5C",
"5252525252525252", "5252525252525252", "C365CB35B34B6114",
"5353535353535353", "5353535353535353", "1155392E877F42A9",
"5454545454545454", "5454545454545454", "531BE5F9405DA715",
"5555555555555555", "5555555555555555", "3BCDD41E6165A5E8",
"5656565656565656", "5656565656565656", "2B1FF5610A19270C",
"5757575757575757", "5757575757575757", "D90772CF3F047CFD",
"5858585858585858", "5858585858585858", "1BEA27FFB72457B7",
"5959595959595959", "5959595959595959", "85C3E0C429F34C27",
"5A5A5A5A5A5A5A5A", "5A5A5A5A5A5A5A5A", "F9038021E37C7618",
"5B5B5B5B5B5B5B5B", "5B5B5B5B5B5B5B5B", "35BC6FF838DBA32F",
"5C5C5C5C5C5C5C5C", "5C5C5C5C5C5C5C5C", "4927ACC8CE45ECE7",
"5D5D5D5D5D5D5D5D", "5D5D5D5D5D5D5D5D", "E812EE6E3572985C",
"5E5E5E5E5E5E5E5E", "5E5E5E5E5E5E5E5E", "9BB93A89627BF65F",
"5F5F5F5F5F5F5F5F", "5F5F5F5F5F5F5F5F", "EF12476884CB74CA",
"6060606060606060", "6060606060606060", "1BF17E00C09E7CBF",
"6161616161616161", "6161616161616161", "29932350C098DB5D",
"6262626262626262", "6262626262626262", "B476E6499842AC54",
"6363636363636363", "6363636363636363", "5C662C29C1E96056",
"6464646464646464", "6464646464646464", "3AF1703D76442789",
"6565656565656565", "6565656565656565", "86405D9B425A8C8C",
"6666666666666666", "6666666666666666", "EBBF4810619C2C55",
"6767676767676767", "6767676767676767", "F8D1CD7367B21B5D",
"6868686868686868", "6868686868686868", "9EE703142BF8D7E2",
"6969696969696969", "6969696969696969", "5FDFFFC3AAAB0CB3",
"6A6A6A6A6A6A6A6A", "6A6A6A6A6A6A6A6A", "26C940AB13574231",
"6B6B6B6B6B6B6B6B", "6B6B6B6B6B6B6B6B", "1E2DC77E36A84693",
"6C6C6C6C6C6C6C6C", "6C6C6C6C6C6C6C6C", "0F4FF4D9BC7E2244",
"6D6D6D6D6D6D6D6D", "6D6D6D6D6D6D6D6D", "A4C9A0D04D3280CD",
"6E6E6E6E6E6E6E6E", "6E6E6E6E6E6E6E6E", "9FAF2C96FE84919D",
"6F6F6F6F6F6F6F6F", "6F6F6F6F6F6F6F6F", "115DBC965E6096C8",
"7070707070707070", "7070707070707070", "AF531E9520994017",
"7171717171717171", "7171717171717171", "B971ADE70E5C89EE",
"7272727272727272", "7272727272727272", "415D81C86AF9C376",
"7373737373737373", "7373737373737373", "8DFB864FDB3C6811",
"7474747474747474", "7474747474747474", "10B1C170E3398F91",
"7575757575757575", "7575757575757575", "CFEF7A1C0218DB1E",
"7676767676767676", "7676767676767676", "DBAC30A2A40B1B9C",
"7777777777777777", "7777777777777777", "89D3BF37052162E9",
"7878787878787878", "7878787878787878", "80D9230BDAEB67DC",
"7979797979797979", "7979797979797979", "3440911019AD68D7",
"7A7A7A7A7A7A7A7A", "7A7A7A7A7A7A7A7A", "9626FE57596E199E",
"7B7B7B7B7B7B7B7B", "7B7B7B7B7B7B7B7B", "DEA0B796624BB5BA",
"7C7C7C7C7C7C7C7C", "7C7C7C7C7C7C7C7C", "E9E40542BDDB3E9D",
"7D7D7D7D7D7D7D7D", "7D7D7D7D7D7D7D7D", "8AD99914B354B911",
"7E7E7E7E7E7E7E7E", "7E7E7E7E7E7E7E7E", "6F85B98DD12CB13B",
"7F7F7F7F7F7F7F7F", "7F7F7F7F7F7F7F7F", "10130DA3C3A23924",
"8080808080808080", "8080808080808080", "EFECF25C3C5DC6DB",
"8181818181818181", "8181818181818181", "907A46722ED34EC4",
"8282828282828282", "8282828282828282", "752666EB4CAB46EE",
"8383838383838383", "8383838383838383", "161BFABD4224C162",
"8484848484848484", "8484848484848484", "215F48699DB44A45",
"8585858585858585", "8585858585858585", "69D901A8A691E661",
"8686868686868686", "8686868686868686", "CBBF6EEFE6529728",
"8787878787878787", "8787878787878787", "7F26DCF425149823",
"8888888888888888", "8888888888888888", "762C40C8FADE9D16",
"8989898989898989", "8989898989898989", "2453CF5D5BF4E463",
"8A8A8A8A8A8A8A8A", "8A8A8A8A8A8A8A8A", "301085E3FDE724E1",
"8B8B8B8B8B8B8B8B", "8B8B8B8B8B8B8B8B", "EF4E3E8F1CC6706E",
"8C8C8C8C8C8C8C8C", "8C8C8C8C8C8C8C8C", "720479B024C397EE",
"8D8D8D8D8D8D8D8D", "8D8D8D8D8D8D8D8D", "BEA27E3795063C89",
"8E8E8E8E8E8E8E8E", "8E8E8E8E8E8E8E8E", "468E5218F1A37611",
"8F8F8F8F8F8F8F8F", "8F8F8F8F8F8F8F8F", "50ACE16ADF66BFE8",
"9090909090909090", "9090909090909090", "EEA24369A19F6937",
"9191919191919191", "9191919191919191", "6050D369017B6E62",
"9292929292929292", "9292929292929292", "5B365F2FB2CD7F32",
"9393939393939393", "9393939393939393", "F0B00B264381DDBB",
"9494949494949494", "9494949494949494", "E1D23881C957B96C",
"9595959595959595", "9595959595959595", "D936BF54ECA8BDCE",
"9696969696969696", "9696969696969696", "A020003C5554F34C",
"9797979797979797", "9797979797979797", "6118FCEBD407281D",
"9898989898989898", "9898989898989898", "072E328C984DE4A2",
"9999999999999999", "9999999999999999", "1440B7EF9E63D3AA",
"9A9A9A9A9A9A9A9A", "9A9A9A9A9A9A9A9A", "79BFA264BDA57373",
"9B9B9B9B9B9B9B9B", "9B9B9B9B9B9B9B9B", "C50E8FC289BBD876",
"9C9C9C9C9C9C9C9C", "9C9C9C9C9C9C9C9C", "A399D3D63E169FA9",
"9D9D9D9D9D9D9D9D", "9D9D9D9D9D9D9D9D", "4B8919B667BD53AB",
"9E9E9E9E9E9E9E9E", "9E9E9E9E9E9E9E9E", "D66CDCAF3F6724A2",
"9F9F9F9F9F9F9F9F", "9F9F9F9F9F9F9F9F", "E40E81FF3F618340",
"A0A0A0A0A0A0A0A0", "A0A0A0A0A0A0A0A0", "10EDB8977B348B35",
"A1A1A1A1A1A1A1A1", "A1A1A1A1A1A1A1A1", "6446C5769D8409A0",
"A2A2A2A2A2A2A2A2", "A2A2A2A2A2A2A2A2", "17ED1191CA8D67A3",
"A3A3A3A3A3A3A3A3", "A3A3A3A3A3A3A3A3", "B6D8533731BA1318",
"A4A4A4A4A4A4A4A4", "A4A4A4A4A4A4A4A4", "CA439007C7245CD0",
"A5A5A5A5A5A5A5A5", "A5A5A5A5A5A5A5A5", "06FC7FDE1C8389E7",
"A6A6A6A6A6A6A6A6", "A6A6A6A6A6A6A6A6", "7A3C1F3BD60CB3D8",
"A7A7A7A7A7A7A7A7", "A7A7A7A7A7A7A7A7", "E415D80048DBA848",
"A8A8A8A8A8A8A8A8", "A8A8A8A8A8A8A8A8", "26F88D30C0FB8302",
"A9A9A9A9A9A9A9A9", "A9A9A9A9A9A9A9A9", "D4E00A9EF5E6D8F3",
"AAAAAAAAAAAAAAAA", "AAAAAAAAAAAAAAAA", "C4322BE19E9A5A17",
"ABABABABABABABAB", "ABABABABABABABAB", "ACE41A06BFA258EA",
"ACACACACACACACAC", "ACACACACACACACAC", "EEAAC6D17880BD56",
"ADADADADADADADAD", "ADADADADADADADAD", "3C9A34CA4CB49EEB",
"AEAEAEAEAEAEAEAE", "AEAEAEAEAEAEAEAE", "9527B0287B75F5A3",
"AFAFAFAFAFAFAFAF", "AFAFAFAFAFAFAFAF", "F2D9D1BE74376C0C",
"B0B0B0B0B0B0B0B0", "B0B0B0B0B0B0B0B0", "939618DF0AEFAAE7",
"B1B1B1B1B1B1B1B1", "B1B1B1B1B1B1B1B1", "24692773CB9F27FE",
"B2B2B2B2B2B2B2B2", "B2B2B2B2B2B2B2B2", "38703BA5E2315D1D",
"B3B3B3B3B3B3B3B3", "B3B3B3B3B3B3B3B3", "FCB7E4B7D702E2FB",
"B4B4B4B4B4B4B4B4", "B4B4B4B4B4B4B4B4", "36F0D0B3675704D5",
"B5B5B5B5B5B5B5B5", "B5B5B5B5B5B5B5B5", "62D473F539FA0D8B",
"B6B6B6B6B6B6B6B6", "B6B6B6B6B6B6B6B6", "1533F3ED9BE8EF8E",
"B7B7B7B7B7B7B7B7", "B7B7B7B7B7B7B7B7", "9C4EA352599731ED",
"B8B8B8B8B8B8B8B8", "B8B8B8B8B8B8B8B8", "FABBF7C046FD273F",
"B9B9B9B9B9B9B9B9", "B9B9B9B9B9B9B9B9", "B7FE63A61C646F3A",
"BABABABABABABABA", "BABABABABABABABA", "10ADB6E2AB972BBE",
"BBBBBBBBBBBBBBBB", "BBBBBBBBBBBBBBBB", "F91DCAD912332F3B",
"BCBCBCBCBCBCBCBC", "BCBCBCBCBCBCBCBC", "46E7EF47323A701D",
"BDBDBDBDBDBDBDBD", "BDBDBDBDBDBDBDBD", "8DB18CCD9692F758",
"BEBEBEBEBEBEBEBE", "BEBEBEBEBEBEBEBE", "E6207B536AAAEFFC",
"BFBFBFBFBFBFBFBF", "BFBFBFBFBFBFBFBF", "92AA224372156A00",
"C0C0C0C0C0C0C0C0", "C0C0C0C0C0C0C0C0", "A3B357885B1E16D2",
"C1C1C1C1C1C1C1C1", "C1C1C1C1C1C1C1C1", "169F7629C970C1E5",
"C2C2C2C2C2C2C2C2", "C2C2C2C2C2C2C2C2", "62F44B247CF1348C",
"C3C3C3C3C3C3C3C3", "C3C3C3C3C3C3C3C3", "AE0FEEB0495932C8",
"C4C4C4C4C4C4C4C4", "C4C4C4C4C4C4C4C4", "72DAF2A7C9EA6803",
"C5C5C5C5C5C5C5C5", "C5C5C5C5C5C5C5C5", "4FB5D5536DA544F4",
"C6C6C6C6C6C6C6C6", "C6C6C6C6C6C6C6C6", "1DD4E65AAF7988B4",
"C7C7C7C7C7C7C7C7", "C7C7C7C7C7C7C7C7", "76BF084C1535A6C6",
"C8C8C8C8C8C8C8C8", "C8C8C8C8C8C8C8C8", "AFEC35B09D36315F",
"C9C9C9C9C9C9C9C9", "C9C9C9C9C9C9C9C9", "C8078A6148818403",
"CACACACACACACACA", "CACACACACACACACA", "4DA91CB4124B67FE",
"CBCBCBCBCBCBCBCB", "CBCBCBCBCBCBCBCB", "2DABFEB346794C3D",
"CCCCCCCCCCCCCCCC", "CCCCCCCCCCCCCCCC", "FBCD12C790D21CD7",
"CDCDCDCDCDCDCDCD", "CDCDCDCDCDCDCDCD", "536873DB879CC770",
"CECECECECECECECE", "CECECECECECECECE", "9AA159D7309DA7A0",
"CFCFCFCFCFCFCFCF", "CFCFCFCFCFCFCFCF", "0B844B9D8C4EA14A",
"D0D0D0D0D0D0D0D0", "D0D0D0D0D0D0D0D0", "3BBD84CE539E68C4",
"D1D1D1D1D1D1D1D1", "D1D1D1D1D1D1D1D1", "CF3E4F3E026E2C8E",
"D2D2D2D2D2D2D2D2", "D2D2D2D2D2D2D2D2", "82F85885D542AF58",
"D3D3D3D3D3D3D3D3", "D3D3D3D3D3D3D3D3", "22D334D6493B3CB6",
"D4D4D4D4D4D4D4D4", "D4D4D4D4D4D4D4D4", "47E9CB3E3154D673",
"D5D5D5D5D5D5D5D5", "D5D5D5D5D5D5D5D5", "2352BCC708ADC7E9",
"D6D6D6D6D6D6D6D6", "D6D6D6D6D6D6D6D6", "8C0F3BA0C8601980",
"D7D7D7D7D7D7D7D7", "D7D7D7D7D7D7D7D7", "EE5E9FD70CEF00E9",
"D8D8D8D8D8D8D8D8", "D8D8D8D8D8D8D8D8", "DEF6BDA6CABF9547",
"D9D9D9D9D9D9D9D9", "D9D9D9D9D9D9D9D9", "4DADD04A0EA70F20",
"DADADADADADADADA", "DADADADADADADADA", "C1AA16689EE1B482",
"DBDBDBDBDBDBDBDB", "DBDBDBDBDBDBDBDB", "F45FC26193E69AEE",
"DCDCDCDCDCDCDCDC", "DCDCDCDCDCDCDCDC", "D0CFBB937CEDBFB5",
"DDDDDDDDDDDDDDDD", "DDDDDDDDDDDDDDDD", "F0752004EE23D87B",
"DEDEDEDEDEDEDEDE", "DEDEDEDEDEDEDEDE", "77A791E28AA464A5",
"DFDFDFDFDFDFDFDF", "DFDFDFDFDFDFDFDF", "E7562A7F56FF4966",
"E0E0E0E0E0E0E0E0", "E0E0E0E0E0E0E0E0", "B026913F2CCFB109",
"E1E1E1E1E1E1E1E1", "E1E1E1E1E1E1E1E1", "0DB572DDCE388AC7",
"E2E2E2E2E2E2E2E2", "E2E2E2E2E2E2E2E2", "D9FA6595F0C094CA",
"E3E3E3E3E3E3E3E3", "E3E3E3E3E3E3E3E3", "ADE4804C4BE4486E",
"E4E4E4E4E4E4E4E4", "E4E4E4E4E4E4E4E4", "007B81F520E6D7DA",
"E5E5E5E5E5E5E5E5", "E5E5E5E5E5E5E5E5", "961AEB77BFC10B3C",
"E6E6E6E6E6E6E6E6", "E6E6E6E6E6E6E6E6", "8A8DD870C9B14AF2",
"E7E7E7E7E7E7E7E7", "E7E7E7E7E7E7E7E7", "3CC02E14B6349B25",
"E8E8E8E8E8E8E8E8", "E8E8E8E8E8E8E8E8", "BAD3EE68BDDB9607",
"E9E9E9E9E9E9E9E9", "E9E9E9E9E9E9E9E9", "DFF918E93BDAD292",
"EAEAEAEAEAEAEAEA", "EAEAEAEAEAEAEAEA", "8FE559C7CD6FA56D",
"EBEBEBEBEBEBEBEB", "EBEBEBEBEBEBEBEB", "C88480835C1A444C",
"ECECECECECECECEC", "ECECECECECECECEC", "D6EE30A16B2CC01E",
"EDEDEDEDEDEDEDED", "EDEDEDEDEDEDEDED", "6932D887B2EA9C1A",
"EEEEEEEEEEEEEEEE", "EEEEEEEEEEEEEEEE", "0BFC865461F13ACC",
"EFEFEFEFEFEFEFEF", "EFEFEFEFEFEFEFEF", "228AEA0D403E807A",
"F0F0F0F0F0F0F0F0", "F0F0F0F0F0F0F0F0", "2A2891F65BB8173C",
"F1F1F1F1F1F1F1F1", "F1F1F1F1F1F1F1F1", "5D1B8FAF7839494B",
"F2F2F2F2F2F2F2F2", "F2F2F2F2F2F2F2F2", "1C0A9280EECF5D48",
"F3F3F3F3F3F3F3F3", "F3F3F3F3F3F3F3F3", "6CBCE951BBC30F74",
"F4F4F4F4F4F4F4F4", "F4F4F4F4F4F4F4F4", "9CA66E96BD08BC70",
"F5F5F5F5F5F5F5F5", "F5F5F5F5F5F5F5F5", "F5D779FCFBB28BF3",
"F6F6F6F6F6F6F6F6", "F6F6F6F6F6F6F6F6", "0FEC6BBF9B859184",
"F7F7F7F7F7F7F7F7", "F7F7F7F7F7F7F7F7", "EF88D2BF052DBDA8",
"F8F8F8F8F8F8F8F8", "F8F8F8F8F8F8F8F8", "39ADBDDB7363090D",
"F9F9F9F9F9F9F9F9", "F9F9F9F9F9F9F9F9", "C0AEAF445F7E2A7A",
"FAFAFAFAFAFAFAFA", "FAFAFAFAFAFAFAFA", "C66F54067298D4E9",
"FBFBFBFBFBFBFBFB", "FBFBFBFBFBFBFBFB", "E0BA8F4488AAF97C",
"FCFCFCFCFCFCFCFC", "FCFCFCFCFCFCFCFC", "67B36E2875D9631C",
"FDFDFDFDFDFDFDFD", "FDFDFDFDFDFDFDFD", "1ED83D49E267191D",
"FEFEFEFEFEFEFEFE", "FEFEFEFEFEFEFEFE", "66B2B23EA84693AD",
"FFFFFFFFFFFFFFFF", "FFFFFFFFFFFFFFFF", "7359B2163E4EDC58",
"0001020304050607", "0011223344556677", "3EF0A891CF8ED990",
"2BD6459F82C5B300", "EA024714AD5C4D84", "126EFE8ED312190A",
NULL
};
/*
* Known-answer tests for DES/3DES in CBC mode. Order: key, IV,
* plaintext, ciphertext.
*/
static const char *const KAT_DES_CBC[] = {
/*
* From NIST validation suite (tdesmmt.zip).
*/
"34a41a8c293176c1b30732ecfe38ae8a34a41a8c293176c1",
"f55b4855228bd0b4",
"7dd880d2a9ab411c",
"c91892948b6cadb4",
"70a88fa1dfb9942fa77f40157ffef2ad70a88fa1dfb9942f",
"ece08ce2fdc6ce80",
"bc225304d5a3a5c9918fc5006cbc40cc",
"27f67dc87af7ddb4b68f63fa7c2d454a",
"e091790be55be0bc0780153861a84adce091790be55be0bc",
"fd7d430f86fbbffe",
"03c7fffd7f36499c703dedc9df4de4a92dd4382e576d6ae9",
"053aeba85dd3a23bfbe8440a432f9578f312be60fb9f0035",
"857feacd16157c58e5347a70e56e578a857feacd16157c58",
"002dcb6d46ef0969",
"1f13701c7f0d7385307507a18e89843ebd295bd5e239ef109347a6898c6d3fd5",
"a0e4edde34f05bd8397ce279e49853e9387ba04be562f5fa19c3289c3f5a3391",
"a173545b265875ba852331fbb95b49a8a173545b265875ba",
"ab385756391d364c",
"d08894c565608d9ae51dda63b85b3b33b1703bb5e4f1abcbb8794e743da5d6f3bf630f2e9b6d5b54",
"370b47acf89ac6bdbb13c9a7336787dc41e1ad8beead32281d0609fb54968404bdf2894892590658",
"26376bcb2f23df1083cd684fe00ed3c726376bcb2f23df10",
"33acfb0f3d240ea6",
"903a1911da1e6877f23c1985a9b61786ef438e0ce1240885035ad60fc916b18e5d71a1fb9c5d1eff61db75c0076f6efb",
"7a4f7510f6ec0b93e2495d21a8355684d303a770ebda2e0e51ff33d72b20cb73e58e2e3de2ef6b2e12c504c0f181ba63",
"3e1f98135d027cec752f67765408a7913e1f98135d027cec",
"11f5f2304b28f68b",
"7c022f5af24f7925d323d4d0e20a2ce49272c5e764b22c806f4b6ddc406d864fe5bd1c3f45556d3eb30c8676c2f8b54a5a32423a0bd95a07",
"2bb4b131fa4ae0b4f0378a2cdb68556af6eee837613016d7ea936f3931f25f8b3ae351d5e9d00be665676e2400408b5db9892d95421e7f1a",
"13b9d549cd136ec7bf9e9810ef2cdcbf13b9d549cd136ec7",
"a82c1b1057badcc8",
"1fff1563bc1645b55cb23ea34a0049dfc06607150614b621dedcb07f20433402a2d869c95ac4a070c7a3da838c928a385f899c5d21ecb58f4e5cbdad98d39b8c",
"75f804d4a2c542a31703e23df26cc38861a0729090e6eae5672c1db8c0b09fba9b125bbca7d6c7d330b3859e6725c6d26de21c4e3af7f5ea94df3cde2349ce37",
"20320dfdad579bb57c6e4acd769dbadf20320dfdad579bb5",
"879201b5857ccdea",
"0431283cc8bb4dc7750a9d5c68578486932091632a12d0a79f2c54e3d122130881fff727050f317a40fcd1a8d13793458b99fc98254ba6a233e3d95b55cf5a3faff78809999ea4bf",
"85d17840eb2af5fc727027336bfd71a2b31bd14a1d9eb64f8a08bfc4f56eaa9ca7654a5ae698287869cc27324813730de4f1384e0b8cfbc472ff5470e3c5e4bd8ceb23dc2d91988c",
"23abb073a2df34cb3d1fdce6b092582c23abb073a2df34cb",
"7d7fbf19e8562d32",
"31e718fd95e6d7ca4f94763191add2674ab07c909d88c486916c16d60a048a0cf8cdb631cebec791362cd0c202eb61e166b65c1f65d0047c8aec57d3d84b9e17032442dce148e1191b06a12c284cc41e",
"c9a3f75ab6a7cd08a7fd53ca540aafe731d257ee1c379fadcc4cc1a06e7c12bddbeb7562c436d1da849ed072629e82a97b56d9becc25ff4f16f21c5f2a01911604f0b5c49df96cb641faee662ca8aa68",
"b5cb1504802326c73df186e3e352a20de643b0d63ee30e37",
"43f791134c5647ba",
"dcc153cef81d6f24",
"92538bd8af18d3ba",
"a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358",
"c2e999cb6249023c",
"c689aee38a301bb316da75db36f110b5",
"e9afaba5ec75ea1bbe65506655bb4ecb",
"1a5d4c0825072a15a8ad9dfdaeda8c048adffb85bc4fced0",
"7fcfa736f7548b6f",
"983c3edacd939406010e1bc6ff9e12320ac5008117fa8f84",
"d84fa24f38cf451ca2c9adc960120bd8ff9871584fe31cee",
"d98aadc76d4a3716158c32866efbb9ce834af2297379a49d",
"3c5220327c502b44",
"6174079dda53ca723ebf00a66837f8d5ce648c08acaa5ee45ffe62210ef79d3e",
"f5bd4d600bed77bec78409e3530ebda1d815506ed53103015b87e371ae000958",
"ef6d3e54266d978ffb0b8ce6689d803e2cd34cc802fd0252",
"38bae5bce06d0ad9",
"c4f228b537223cd01c0debb5d9d4e12ba71656618d119b2f8f0af29d23efa3a9e43c4c458a1b79a0",
"9e3289fb18379f55aa4e45a7e0e6df160b33b75f8627ad0954f8fdcb78cee55a4664caeda1000fe5",
"625bc19b19df83abfb2f5bec9d4f2062017525a75bc26e70",
"bd0cff364ff69a91",
"8152d2ab876c3c8201403a5a406d3feaf27319dbea6ad01e24f4d18203704b86de70da6bbb6d638e5aba3ff576b79b28",
"706fe7a973fac40e25b2b4499ce527078944c70e976d017b6af86a3a7a6b52943a72ba18a58000d2b61fdc3bfef2bc4a",
"b6383176046e6880a1023bf45768b5bf5119022fe054bfe5",
"ec13ca541c43401e",
"cd5a886e9af011346c4dba36a424f96a78a1ddf28aaa4188bf65451f4efaffc7179a6dd237c0ae35d9b672314e5cb032612597f7e462c6f3",
"b030f976f46277ee211c4a324d5c87555d1084513a1223d3b84416b52bbc28f4b77f3a9d8d0d91dc37d3dbe8af8be98f74674b02f9a38527",
"3d8cf273d343b9aedccddacb91ad86206737adc86b4a49a7",
"bb3a9a0c71c62ef0",
"1fde3991c32ce220b5b6666a9234f2fd7bd24b921829fd9cdc6eb4218be9eac9faa9c2351777349128086b6d58776bc86ff2f76ee1b3b2850a318462b8983fa1",
"422ce705a46bb52ad928dab6c863166d617c6fc24003633120d91918314bbf464cea7345c3c35f2042f2d6929735d74d7728f22fea618a0b9cf5b1281acb13fb",
"fbceb5cb646b925be0b92f7f6b493d5e5b16e9159732732a",
"2e17b3c7025ae86b",
"4c309bc8e1e464fdd2a2b8978645d668d455f7526bd8d7b6716a722f6a900b815c4a73cc30e788065c1dfca7bf5958a6cc5440a5ebe7f8691c20278cde95db764ff8ce8994ece89c",
"c02129bdf4bbbd75e71605a00b12c80db6b4e05308e916615011f09147ed915dd1bc67f27f9e027e4e13df36b55464a31c11b4d1fe3d855d89df492e1a7201b995c1ba16a8dbabee",
"9b162a0df8ad9b61c88676e3d586434570b902f12a2046e0",
"ebd6fefe029ad54b",
"f4c1c918e77355c8156f0fd778da52bff121ae5f2f44eaf4d2754946d0e10d1f18ce3a0176e69c18b7d20b6e0d0bee5eb5edfe4bd60e4d92adcd86bce72e76f94ee5cbcaa8b01cfddcea2ade575e66ac",
"1ff3c8709f403a8eff291aedf50c010df5c5ff64a8b205f1fce68564798897a390db16ee0d053856b75898009731da290fcc119dad987277aacef694872e880c4bb41471063fae05c89f25e4bd0cad6a",
NULL
};
static void
xor_buf(unsigned char *dst, const unsigned char *src, size_t len)
{
while (len -- > 0) {
*dst ++ ^= *src ++;
}
}
static void
monte_carlo_DES_encrypt(const br_block_cbcenc_class *ve)
{
unsigned char k1[8], k2[8], k3[8];
unsigned char buf[8];
unsigned char cipher[8];
int i, j;
br_des_gen_cbcenc_keys v_ec;
void *ec;
ec = &v_ec;
hextobin(k1, "9ec2372c86379df4");
hextobin(k2, "ad7ac4464f73805d");
hextobin(k3, "20c4f87564527c91");
hextobin(buf, "b624d6bd41783ab1");
hextobin(cipher, "eafd97b190b167fe");
for (i = 0; i < 400; i ++) {
unsigned char key[24];
memcpy(key, k1, 8);
memcpy(key + 8, k2, 8);
memcpy(key + 16, k3, 8);
ve->init(ec, key, sizeof key);
for (j = 0; j < 10000; j ++) {
unsigned char iv[8];
memset(iv, 0, sizeof iv);
ve->run(ec, iv, buf, sizeof buf);
switch (j) {
case 9997: xor_buf(k3, buf, 8); break;
case 9998: xor_buf(k2, buf, 8); break;
case 9999: xor_buf(k1, buf, 8); break;
}
}
printf(".");
fflush(stdout);
}
printf(" ");
fflush(stdout);
check_equals("MC DES encrypt", buf, cipher, sizeof buf);
}
static void
monte_carlo_DES_decrypt(const br_block_cbcdec_class *vd)
{
unsigned char k1[8], k2[8], k3[8];
unsigned char buf[8];
unsigned char plain[8];
int i, j;
br_des_gen_cbcdec_keys v_dc;
void *dc;
dc = &v_dc;
hextobin(k1, "79b63486e0ce37e0");
hextobin(k2, "08e65231abae3710");
hextobin(k3, "1f5eb69e925ef185");
hextobin(buf, "2783aa729432fe96");
hextobin(plain, "44937ca532cdbf98");
for (i = 0; i < 400; i ++) {
unsigned char key[24];
memcpy(key, k1, 8);
memcpy(key + 8, k2, 8);
memcpy(key + 16, k3, 8);
vd->init(dc, key, sizeof key);
for (j = 0; j < 10000; j ++) {
unsigned char iv[8];
memset(iv, 0, sizeof iv);
vd->run(dc, iv, buf, sizeof buf);
switch (j) {
case 9997: xor_buf(k3, buf, 8); break;
case 9998: xor_buf(k2, buf, 8); break;
case 9999: xor_buf(k1, buf, 8); break;
}
}
printf(".");
fflush(stdout);
}
printf(" ");
fflush(stdout);
check_equals("MC DES decrypt", buf, plain, sizeof buf);
}
static void
test_DES_generic(char *name,
const br_block_cbcenc_class *ve,
const br_block_cbcdec_class *vd,
int with_MC, int with_CBC)
{
size_t u;
printf("Test %s: ", name);
fflush(stdout);
if (ve->block_size != 8 || vd->block_size != 8) {
fprintf(stderr, "%s failed: wrong block size\n", name);
exit(EXIT_FAILURE);
}
for (u = 0; KAT_DES[u]; u += 3) {
unsigned char key[24];
unsigned char plain[8];
unsigned char cipher[8];
unsigned char buf[8];
unsigned char iv[8];
size_t key_len;
br_des_gen_cbcenc_keys v_ec;
br_des_gen_cbcdec_keys v_dc;
const br_block_cbcenc_class **ec;
const br_block_cbcdec_class **dc;
ec = &v_ec.vtable;
dc = &v_dc.vtable;
key_len = hextobin(key, KAT_DES[u]);
hextobin(plain, KAT_DES[u + 1]);
hextobin(cipher, KAT_DES[u + 2]);
ve->init(ec, key, key_len);
memcpy(buf, plain, sizeof plain);
memset(iv, 0, sizeof iv);
ve->run(ec, iv, buf, sizeof buf);
check_equals("KAT DES encrypt", buf, cipher, sizeof cipher);
vd->init(dc, key, key_len);
memset(iv, 0, sizeof iv);
vd->run(dc, iv, buf, sizeof buf);
check_equals("KAT DES decrypt", buf, plain, sizeof plain);
if (key_len == 8) {
memcpy(key + 8, key, 8);
memcpy(key + 16, key, 8);
ve->init(ec, key, 24);
memcpy(buf, plain, sizeof plain);
memset(iv, 0, sizeof iv);
ve->run(ec, iv, buf, sizeof buf);
check_equals("KAT DES->3 encrypt",
buf, cipher, sizeof cipher);
vd->init(dc, key, 24);
memset(iv, 0, sizeof iv);
vd->run(dc, iv, buf, sizeof buf);
check_equals("KAT DES->3 decrypt",
buf, plain, sizeof plain);
}
}
if (with_CBC) {
for (u = 0; KAT_DES_CBC[u]; u += 4) {
unsigned char key[24];
unsigned char ivref[8];
unsigned char plain[200];
unsigned char cipher[200];
unsigned char buf[200];
unsigned char iv[8];
size_t key_len, data_len, v;
br_des_gen_cbcenc_keys v_ec;
br_des_gen_cbcdec_keys v_dc;
const br_block_cbcenc_class **ec;
const br_block_cbcdec_class **dc;
ec = &v_ec.vtable;
dc = &v_dc.vtable;
key_len = hextobin(key, KAT_DES_CBC[u]);
hextobin(ivref, KAT_DES_CBC[u + 1]);
data_len = hextobin(plain, KAT_DES_CBC[u + 2]);
hextobin(cipher, KAT_DES_CBC[u + 3]);
ve->init(ec, key, key_len);
memcpy(buf, plain, data_len);
memcpy(iv, ivref, 8);
ve->run(ec, iv, buf, data_len);
check_equals("KAT CBC DES encrypt",
buf, cipher, data_len);
vd->init(dc, key, key_len);
memcpy(iv, ivref, 8);
vd->run(dc, iv, buf, data_len);
check_equals("KAT CBC DES decrypt",
buf, plain, data_len);
memcpy(buf, plain, data_len);
memcpy(iv, ivref, 8);
for (v = 0; v < data_len; v += 8) {
ve->run(ec, iv, buf + v, 8);
}
check_equals("KAT CBC DES encrypt (2)",
buf, cipher, data_len);
memcpy(iv, ivref, 8);
for (v = 0; v < data_len; v += 8) {
vd->run(dc, iv, buf + v, 8);
}
check_equals("KAT CBC DES decrypt (2)",
buf, plain, data_len);
}
}
if (with_MC) {
monte_carlo_DES_encrypt(ve);
monte_carlo_DES_decrypt(vd);
}
printf("done.\n");
fflush(stdout);
}
static void
test_DES_tab(void)
{
test_DES_generic("DES_tab",
&br_des_tab_cbcenc_vtable,
&br_des_tab_cbcdec_vtable,
1, 1);
}
static void
test_DES_ct(void)
{
test_DES_generic("DES_ct",
&br_des_ct_cbcenc_vtable,
&br_des_ct_cbcdec_vtable,
1, 1);
}
static const struct {
const char *skey;
const char *snonce;
uint32_t counter;
const char *splain;
const char *scipher;
} KAT_CHACHA20[] = {
{
"0000000000000000000000000000000000000000000000000000000000000000",
"000000000000000000000000",
0,
"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586"
},
{
"0000000000000000000000000000000000000000000000000000000000000001",
"000000000000000000000002",
1,
"416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f",
"a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221"
},
{
"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0",
"000000000000000000000002",
42,
"2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e",
"62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1"
},
{ 0, 0, 0, 0, 0 }
};
static void
test_ChaCha20_generic(const char *name, br_chacha20_run cr)
{
size_t u;
printf("Test %s: ", name);
fflush(stdout);
if (cr == 0) {
printf("UNAVAILABLE\n");
return;
}
for (u = 0; KAT_CHACHA20[u].skey; u ++) {
unsigned char key[32], nonce[12], plain[400], cipher[400];
uint32_t cc;
size_t v, len;
hextobin(key, KAT_CHACHA20[u].skey);
hextobin(nonce, KAT_CHACHA20[u].snonce);
cc = KAT_CHACHA20[u].counter;
len = hextobin(plain, KAT_CHACHA20[u].splain);
hextobin(cipher, KAT_CHACHA20[u].scipher);
for (v = 0; v < len; v ++) {
unsigned char tmp[400];
size_t w;
uint32_t cc2;
memset(tmp, 0, sizeof tmp);
memcpy(tmp, plain, v);
if (cr(key, nonce, cc, tmp, v)
!= cc + (uint32_t)((v + 63) >> 6))
{
fprintf(stderr, "ChaCha20: wrong counter\n");
exit(EXIT_FAILURE);
}
if (memcmp(tmp, cipher, v) != 0) {
fprintf(stderr, "ChaCha20 KAT fail (1)\n");
exit(EXIT_FAILURE);
}
for (w = v; w < sizeof tmp; w ++) {
if (tmp[w] != 0) {
fprintf(stderr, "ChaCha20: overrun\n");
exit(EXIT_FAILURE);
}
}
for (w = 0, cc2 = cc; w < v; w += 64, cc2 ++) {
size_t x;
x = v - w;
if (x > 64) {
x = 64;
}
if (cr(key, nonce, cc2, tmp + w, x)
!= (cc2 + 1))
{
fprintf(stderr, "ChaCha20:"
" wrong counter (2)\n");
exit(EXIT_FAILURE);
}
}
if (memcmp(tmp, plain, v) != 0) {
fprintf(stderr, "ChaCha20 KAT fail (2)\n");
exit(EXIT_FAILURE);
}
}
printf(".");
fflush(stdout);
}
printf(" done.\n");
fflush(stdout);
}
static void
test_ChaCha20_ct(void)
{
test_ChaCha20_generic("ChaCha20_ct", &br_chacha20_ct_run);
}
static void
test_ChaCha20_sse2(void)
{
test_ChaCha20_generic("ChaCha20_sse2", br_chacha20_sse2_get());
}
static const struct {
const char *splain;
const char *saad;
const char *skey;
const char *snonce;
const char *scipher;
const char *stag;
} KAT_POLY1305[] = {
{
"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e",
"50515253c0c1c2c3c4c5c6c7",
"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
"070000004041424344454647",
"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116",
"1ae10b594f09e26a7e902ecbd0600691"
},
{ 0, 0, 0, 0, 0, 0 }
};
static void
test_Poly1305_inner(const char *name, br_poly1305_run ipoly,
br_poly1305_run iref)
{
size_t u;
br_hmac_drbg_context rng;
printf("Test %s: ", name);
fflush(stdout);
for (u = 0; KAT_POLY1305[u].skey; u ++) {
unsigned char key[32], nonce[12], plain[400], cipher[400];
unsigned char aad[400], tag[16], data[400], tmp[16];
size_t len, aad_len;
len = hextobin(plain, KAT_POLY1305[u].splain);
aad_len = hextobin(aad, KAT_POLY1305[u].saad);
hextobin(key, KAT_POLY1305[u].skey);
hextobin(nonce, KAT_POLY1305[u].snonce);
hextobin(cipher, KAT_POLY1305[u].scipher);
hextobin(tag, KAT_POLY1305[u].stag);
memcpy(data, plain, len);
ipoly(key, nonce, data, len,
aad, aad_len, tmp, br_chacha20_ct_run, 1);
check_equals("ChaCha20+Poly1305 KAT (1)", data, cipher, len);
check_equals("ChaCha20+Poly1305 KAT (2)", tmp, tag, 16);
ipoly(key, nonce, data, len,
aad, aad_len, tmp, br_chacha20_ct_run, 0);
check_equals("ChaCha20+Poly1305 KAT (3)", data, plain, len);
check_equals("ChaCha20+Poly1305 KAT (4)", tmp, tag, 16);
printf(".");
fflush(stdout);
}
printf(" ");
fflush(stdout);
/*
* We compare the "ipoly" and "iref" implementations together on
* a bunch of pseudo-random messages.
*/
br_hmac_drbg_init(&rng, &br_sha256_vtable, "seed for Poly1305", 17);
for (u = 0; u < 100; u ++) {
unsigned char plain[100], aad[100], tmp[100];
unsigned char key[32], iv[12], tag1[16], tag2[16];
br_hmac_drbg_generate(&rng, key, sizeof key);
br_hmac_drbg_generate(&rng, iv, sizeof iv);
br_hmac_drbg_generate(&rng, plain, u);
br_hmac_drbg_generate(&rng, aad, u);
memcpy(tmp, plain, u);
memset(tmp + u, 0xFF, (sizeof tmp) - u);
ipoly(key, iv, tmp, u, aad, u, tag1,
&br_chacha20_ct_run, 1);
memset(tmp + u, 0x00, (sizeof tmp) - u);
iref(key, iv, tmp, u, aad, u, tag2,
&br_chacha20_ct_run, 0);
if (memcmp(tmp, plain, u) != 0) {
fprintf(stderr, "cross enc/dec failed\n");
exit(EXIT_FAILURE);
}
if (memcmp(tag1, tag2, sizeof tag1) != 0) {
fprintf(stderr, "cross MAC failed\n");
exit(EXIT_FAILURE);
}
printf(".");
fflush(stdout);
}
printf(" done.\n");
fflush(stdout);
}
static void
test_Poly1305_ctmul(void)
{
test_Poly1305_inner("Poly1305_ctmul", &br_poly1305_ctmul_run,
&br_poly1305_i15_run);
}
static void
test_Poly1305_ctmul32(void)
{
test_Poly1305_inner("Poly1305_ctmul32", &br_poly1305_ctmul32_run,
&br_poly1305_i15_run);
}
static void
test_Poly1305_i15(void)
{
test_Poly1305_inner("Poly1305_i15", &br_poly1305_i15_run,
&br_poly1305_ctmul_run);
}
static void
test_Poly1305_ctmulq(void)
{
br_poly1305_run bp;
bp = br_poly1305_ctmulq_get();
if (bp == 0) {
printf("Test Poly1305_ctmulq: UNAVAILABLE\n");
} else {
test_Poly1305_inner("Poly1305_ctmulq", bp,
&br_poly1305_ctmul_run);
}
}
/*
* A 1024-bit RSA key, generated with OpenSSL.
*/
static const unsigned char RSA_N[] = {
0xBF, 0xB4, 0xA6, 0x2E, 0x87, 0x3F, 0x9C, 0x8D,
0xA0, 0xC4, 0x2E, 0x7B, 0x59, 0x36, 0x0F, 0xB0,
0xFF, 0xE1, 0x25, 0x49, 0xE5, 0xE6, 0x36, 0xB0,
0x48, 0xC2, 0x08, 0x6B, 0x77, 0xA7, 0xC0, 0x51,
0x66, 0x35, 0x06, 0xA9, 0x59, 0xDF, 0x17, 0x7F,
0x15, 0xF6, 0xB4, 0xE5, 0x44, 0xEE, 0x72, 0x3C,
0x53, 0x11, 0x52, 0xC9, 0xC9, 0x61, 0x4F, 0x92,
0x33, 0x64, 0x70, 0x43, 0x07, 0xF1, 0x3F, 0x7F,
0x15, 0xAC, 0xF0, 0xC1, 0x54, 0x7D, 0x55, 0xC0,
0x29, 0xDC, 0x9E, 0xCC, 0xE4, 0x1D, 0x11, 0x72,
0x45, 0xF4, 0xD2, 0x70, 0xFC, 0x34, 0xB2, 0x1F,
0xF3, 0xAD, 0x6A, 0xF0, 0xE5, 0x56, 0x11, 0xF8,
0x0C, 0x3A, 0x8B, 0x04, 0x46, 0x7C, 0x77, 0xD9,
0x41, 0x1F, 0x40, 0xBE, 0x93, 0x80, 0x9D, 0x23,
0x75, 0x80, 0x12, 0x26, 0x5A, 0x72, 0x1C, 0xDD,
0x47, 0xB3, 0x2A, 0x33, 0xD8, 0x19, 0x61, 0xE3
};
static const unsigned char RSA_E[] = {
0x01, 0x00, 0x01
};
/* unused
static const unsigned char RSA_D[] = {
0xAE, 0x56, 0x0B, 0x56, 0x7E, 0xDA, 0x83, 0x75,
0x6C, 0xC1, 0x5C, 0x00, 0x02, 0x96, 0x1E, 0x58,
0xF9, 0xA9, 0xF7, 0x2E, 0x27, 0xEB, 0x5E, 0xCA,
0x9B, 0xB0, 0x10, 0xD6, 0x22, 0x7F, 0xA4, 0x6E,
0xA2, 0x03, 0x10, 0xE6, 0xCB, 0x7B, 0x0D, 0x34,
0x1E, 0x76, 0x37, 0xF5, 0xD3, 0xE5, 0x00, 0x70,
0x09, 0x9E, 0xD4, 0x69, 0xFB, 0x40, 0x0A, 0x8B,
0xCB, 0x3E, 0xC8, 0xB4, 0xBC, 0xB1, 0x50, 0xEA,
0x9D, 0xD9, 0x89, 0x8A, 0x98, 0x40, 0x79, 0xD1,
0x07, 0x66, 0xA7, 0x90, 0x63, 0x82, 0xB1, 0xE0,
0x24, 0xD0, 0x89, 0x6A, 0xEC, 0xC5, 0xF3, 0x21,
0x7D, 0xB8, 0xA5, 0x45, 0x3A, 0x3B, 0x34, 0x42,
0xC2, 0x82, 0x3C, 0x8D, 0xFA, 0x5D, 0xA0, 0xA8,
0x24, 0xC8, 0x40, 0x22, 0x19, 0xCB, 0xB5, 0x85,
0x67, 0x69, 0x60, 0xE4, 0xD0, 0x7E, 0xA3, 0x3B,
0xF7, 0x70, 0x50, 0xC9, 0x5C, 0x97, 0x29, 0x49
};
*/
static const unsigned char RSA_P[] = {
0xF2, 0xE7, 0x6F, 0x66, 0x2E, 0xC4, 0x03, 0xD4,
0x89, 0x24, 0xCC, 0xE1, 0xCD, 0x3F, 0x01, 0x82,
0xC1, 0xFB, 0xAF, 0x44, 0xFA, 0xCC, 0x0E, 0xAA,
0x9D, 0x74, 0xA9, 0x65, 0xEF, 0xED, 0x4C, 0x87,
0xF0, 0xB3, 0xC6, 0xEA, 0x61, 0x85, 0xDE, 0x4E,
0x66, 0xB2, 0x5A, 0x9F, 0x7A, 0x41, 0xC5, 0x66,
0x57, 0xDF, 0x88, 0xF0, 0xB5, 0xF2, 0xC7, 0x7E,
0xE6, 0x55, 0x21, 0x96, 0x83, 0xD8, 0xAB, 0x57
};
static const unsigned char RSA_Q[] = {
0xCA, 0x0A, 0x92, 0xBF, 0x58, 0xB0, 0x2E, 0xF6,
0x66, 0x50, 0xB1, 0x48, 0x29, 0x42, 0x86, 0x6C,
0x98, 0x06, 0x7E, 0xB8, 0xB5, 0x4F, 0xFB, 0xC4,
0xF3, 0xC3, 0x36, 0x91, 0x07, 0xB6, 0xDB, 0xE9,
0x56, 0x3C, 0x51, 0x7D, 0xB5, 0xEC, 0x0A, 0xA9,
0x7C, 0x66, 0xF9, 0xD8, 0x25, 0xDE, 0xD2, 0x94,
0x5A, 0x58, 0xF1, 0x93, 0xE4, 0xF0, 0x5F, 0x27,
0xBD, 0x83, 0xC7, 0xCA, 0x48, 0x6A, 0xB2, 0x55
};
static const unsigned char RSA_DP[] = {
0xAF, 0x97, 0xBE, 0x60, 0x0F, 0xCE, 0x83, 0x36,
0x51, 0x2D, 0xD9, 0x2E, 0x22, 0x41, 0x39, 0xC6,
0x5C, 0x94, 0xA4, 0xCF, 0x28, 0xBD, 0xFA, 0x9C,
0x3B, 0xD6, 0xE9, 0xDE, 0x56, 0xE3, 0x24, 0x3F,
0xE1, 0x31, 0x14, 0xCA, 0xBA, 0x55, 0x1B, 0xAF,
0x71, 0x6D, 0xDD, 0x35, 0x0C, 0x1C, 0x1F, 0xA7,
0x2C, 0x3E, 0xDB, 0xAF, 0xA6, 0xD8, 0x2A, 0x7F,
0x01, 0xE2, 0xE8, 0xB4, 0xF5, 0xFA, 0xDB, 0x61
};
static const unsigned char RSA_DQ[] = {
0x29, 0xC0, 0x4B, 0x98, 0xFD, 0x13, 0xD3, 0x70,
0x99, 0xAE, 0x1D, 0x24, 0x83, 0x5A, 0x3A, 0xFB,
0x1F, 0xE3, 0x5F, 0xB6, 0x7D, 0xC9, 0x5C, 0x86,
0xD3, 0xB4, 0xC8, 0x86, 0xE9, 0xE8, 0x30, 0xC3,
0xA4, 0x4D, 0x6C, 0xAD, 0xA4, 0xB5, 0x75, 0x72,
0x96, 0xC1, 0x94, 0xE9, 0xC4, 0xD1, 0xAA, 0x04,
0x7C, 0x33, 0x1B, 0x20, 0xEB, 0xD3, 0x7C, 0x66,
0x72, 0xF4, 0x53, 0x8A, 0x0A, 0xB2, 0xF9, 0xCD
};
static const unsigned char RSA_IQ[] = {
0xE8, 0xEB, 0x04, 0x79, 0xA5, 0xC1, 0x79, 0xDE,
0xD5, 0x49, 0xA1, 0x0B, 0x48, 0xB9, 0x0E, 0x55,
0x74, 0x2C, 0x54, 0xEE, 0xA8, 0xB0, 0x01, 0xC2,
0xD2, 0x3C, 0x3E, 0x47, 0x3A, 0x7C, 0xC8, 0x3D,
0x2E, 0x33, 0x54, 0x4D, 0x40, 0x29, 0x41, 0x74,
0xBA, 0xE1, 0x93, 0x09, 0xEC, 0xE0, 0x1B, 0x4D,
0x1F, 0x2A, 0xCA, 0x4A, 0x0B, 0x5F, 0xE6, 0xBE,
0x59, 0x0A, 0xC4, 0xC9, 0xD9, 0x82, 0xAC, 0xE1
};
static const br_rsa_public_key RSA_PK = {
(void *)RSA_N, sizeof RSA_N,
(void *)RSA_E, sizeof RSA_E
};
static const br_rsa_private_key RSA_SK = {
1024,
(void *)RSA_P, sizeof RSA_P,
(void *)RSA_Q, sizeof RSA_Q,
(void *)RSA_DP, sizeof RSA_DP,
(void *)RSA_DQ, sizeof RSA_DQ,
(void *)RSA_IQ, sizeof RSA_IQ
};
/*
* A 2048-bit RSA key, generated with OpenSSL.
*/
static const unsigned char RSA2048_N[] = {
0xEA, 0xB1, 0xB0, 0x87, 0x60, 0xE2, 0x69, 0xF5,
0xC9, 0x3F, 0xCB, 0x4F, 0x9E, 0x7D, 0xD0, 0x56,
0x54, 0x8F, 0xF5, 0x59, 0x97, 0x04, 0x3F, 0x30,
0xE1, 0xFB, 0x7B, 0xF5, 0xA0, 0xEB, 0xA7, 0x7B,
0x29, 0x96, 0x7B, 0x32, 0x48, 0x48, 0xA4, 0x99,
0x90, 0x92, 0x48, 0xFB, 0xDC, 0xEC, 0x8A, 0x3B,
0xE0, 0x57, 0x6E, 0xED, 0x1C, 0x5B, 0x78, 0xCF,
0x07, 0x41, 0x96, 0x4C, 0x2F, 0xA2, 0xD1, 0xC8,
0xA0, 0x5F, 0xFC, 0x2A, 0x5B, 0x3F, 0xBC, 0xD7,
0xE6, 0x91, 0xF1, 0x44, 0xD6, 0xD8, 0x41, 0x66,
0x3E, 0x80, 0xEE, 0x98, 0x73, 0xD5, 0x32, 0x60,
0x7F, 0xDF, 0xBF, 0xB2, 0x0B, 0xA5, 0xCA, 0x11,
0x88, 0x1A, 0x0E, 0xA1, 0x61, 0x4C, 0x5A, 0x70,
0xCE, 0x12, 0xC0, 0x61, 0xF5, 0x50, 0x0E, 0xF6,
0xC1, 0xC2, 0x88, 0x8B, 0xE5, 0xCE, 0xAE, 0x90,
0x65, 0x23, 0xA7, 0xAD, 0xCB, 0x04, 0x17, 0x00,
0xA2, 0xDB, 0xB0, 0x21, 0x49, 0xDD, 0x3C, 0x2E,
0x8C, 0x47, 0x27, 0xF2, 0x84, 0x51, 0x63, 0xEB,
0xF8, 0xAF, 0x63, 0xA7, 0x89, 0xE1, 0xF0, 0x2F,
0xF9, 0x9C, 0x0A, 0x8A, 0xBC, 0x57, 0x05, 0xB0,
0xEF, 0xA0, 0xDA, 0x67, 0x70, 0xAF, 0x3F, 0xA4,
0x92, 0xFC, 0x4A, 0xAC, 0xEF, 0x89, 0x41, 0x58,
0x57, 0x63, 0x0F, 0x6A, 0x89, 0x68, 0x45, 0x4C,
0x20, 0xF9, 0x7F, 0x50, 0x9D, 0x8C, 0x52, 0xC4,
0xC1, 0x33, 0xCD, 0x42, 0x35, 0x12, 0xEC, 0x82,
0xF9, 0xC1, 0xB7, 0x60, 0x7B, 0x52, 0x61, 0xD0,
0xAE, 0xFD, 0x4B, 0x68, 0xB1, 0x55, 0x0E, 0xAB,
0x99, 0x24, 0x52, 0x60, 0x8E, 0xDB, 0x90, 0x34,
0x61, 0xE3, 0x95, 0x7C, 0x34, 0x64, 0x06, 0xCB,
0x44, 0x17, 0x70, 0x78, 0xC1, 0x1B, 0x87, 0x8F,
0xCF, 0xB0, 0x7D, 0x93, 0x59, 0x84, 0x49, 0xF5,
0x55, 0xBB, 0x48, 0xCA, 0xD3, 0x76, 0x1E, 0x7F
};
static const unsigned char RSA2048_E[] = {
0x01, 0x00, 0x01
};
static const unsigned char RSA2048_P[] = {
0xF9, 0xA7, 0xB5, 0xC4, 0xE8, 0x52, 0xEC, 0xB1,
0x33, 0x6A, 0x68, 0x32, 0x63, 0x2D, 0xBA, 0xE5,
0x61, 0x14, 0x69, 0x82, 0xC8, 0x31, 0x14, 0xD5,
0xC2, 0x6C, 0x1A, 0xBE, 0xA0, 0x68, 0xA6, 0xC5,
0xEA, 0x40, 0x59, 0xFB, 0x0A, 0x30, 0x3D, 0xD5,
0xDD, 0x94, 0xAE, 0x0C, 0x9F, 0xEE, 0x19, 0x0C,
0xA8, 0xF2, 0x85, 0x27, 0x60, 0xAA, 0xD5, 0x7C,
0x59, 0x91, 0x1F, 0xAF, 0x5E, 0x00, 0xC8, 0x2D,
0xCA, 0xB4, 0x70, 0xA1, 0xF8, 0x8C, 0x0A, 0xB3,
0x08, 0x95, 0x03, 0x9E, 0xA4, 0x6B, 0x9D, 0x55,
0x47, 0xE0, 0xEC, 0xB3, 0x21, 0x7C, 0xE4, 0x16,
0x91, 0xE3, 0xD7, 0x1B, 0x3D, 0x81, 0xF1, 0xED,
0x16, 0xF9, 0x05, 0x0E, 0xA6, 0x9F, 0x37, 0x73,
0x18, 0x1B, 0x9C, 0x9D, 0x33, 0xAD, 0x25, 0xEF,
0x3A, 0xC0, 0x4B, 0x34, 0x24, 0xF5, 0xFD, 0x59,
0xF5, 0x65, 0xE6, 0x92, 0x2A, 0x04, 0x06, 0x3D
};
static const unsigned char RSA2048_Q[] = {
0xF0, 0xA8, 0xA4, 0x20, 0xDD, 0xF3, 0x99, 0xE6,
0x1C, 0xB1, 0x21, 0xE8, 0x66, 0x68, 0x48, 0x00,
0x04, 0xE3, 0x21, 0xA3, 0xE8, 0xC5, 0xFD, 0x85,
0x6D, 0x2C, 0x98, 0xE3, 0x36, 0x39, 0x3E, 0x80,
0xB7, 0x36, 0xA5, 0xA9, 0xBB, 0xEB, 0x1E, 0xB8,
0xEB, 0x44, 0x65, 0xE8, 0x81, 0x7D, 0xE0, 0x87,
0xC1, 0x08, 0x94, 0xDD, 0x92, 0x40, 0xF4, 0x8B,
0x3C, 0xB5, 0xC1, 0xAD, 0x9D, 0x4C, 0x14, 0xCD,
0xD9, 0x2D, 0xB6, 0xE4, 0x99, 0xB3, 0x71, 0x63,
0x64, 0xE1, 0x31, 0x7E, 0x34, 0x95, 0x96, 0x52,
0x85, 0x27, 0xBE, 0x40, 0x10, 0x0A, 0x9E, 0x01,
0x1C, 0xBB, 0xB2, 0x5B, 0x40, 0x85, 0x65, 0x6E,
0xA0, 0x88, 0x73, 0xF6, 0x22, 0xCC, 0x23, 0x26,
0x62, 0xAD, 0x92, 0x57, 0x57, 0xF4, 0xD4, 0xDF,
0xD9, 0x7C, 0xDE, 0xAD, 0xD2, 0x1F, 0x32, 0x29,
0xBA, 0xE7, 0xE2, 0x32, 0xA1, 0xA0, 0xBF, 0x6B
};
static const unsigned char RSA2048_DP[] = {
0xB2, 0xF9, 0xD7, 0x66, 0xC5, 0x83, 0x05, 0x6A,
0x77, 0xC8, 0xB5, 0xD0, 0x41, 0xA7, 0xBC, 0x0F,
0xCB, 0x4B, 0xFD, 0xE4, 0x23, 0x2E, 0x84, 0x98,
0x46, 0x1C, 0x88, 0x03, 0xD7, 0x2D, 0x8F, 0x39,
0xDD, 0x98, 0xAA, 0xA9, 0x3D, 0x01, 0x9E, 0xA2,
0xDE, 0x8A, 0x43, 0x48, 0x8B, 0xB2, 0xFE, 0xC4,
0x43, 0xAE, 0x31, 0x65, 0x2C, 0x78, 0xEC, 0x39,
0x8C, 0x60, 0x6C, 0xCD, 0xA4, 0xDF, 0x7C, 0xA2,
0xCF, 0x6A, 0x12, 0x41, 0x1B, 0xD5, 0x11, 0xAA,
0x8D, 0xE1, 0x7E, 0x49, 0xD1, 0xE7, 0xD0, 0x50,
0x1E, 0x0A, 0x92, 0xC6, 0x4C, 0xA0, 0xA3, 0x47,
0xC6, 0xE9, 0x07, 0x01, 0xE1, 0x53, 0x72, 0x23,
0x9D, 0x4F, 0x82, 0x9F, 0xA1, 0x36, 0x0D, 0x63,
0x76, 0x89, 0xFC, 0xF9, 0xF9, 0xDD, 0x0C, 0x8F,
0xF7, 0x97, 0x79, 0x92, 0x75, 0x58, 0xE0, 0x7B,
0x08, 0x61, 0x38, 0x2D, 0xDA, 0xEF, 0x2D, 0xA5
};
static const unsigned char RSA2048_DQ[] = {
0x8B, 0x69, 0x56, 0x33, 0x08, 0x00, 0x8F, 0x3D,
0xC3, 0x8F, 0x45, 0x52, 0x48, 0xC8, 0xCE, 0x34,
0xDC, 0x9F, 0xEB, 0x23, 0xF5, 0xBB, 0x84, 0x62,
0xDF, 0xDC, 0xBE, 0xF0, 0x98, 0xBF, 0xCE, 0x9A,
0x68, 0x08, 0x4B, 0x2D, 0xA9, 0x83, 0xC9, 0xF7,
0x5B, 0xAA, 0xF2, 0xD2, 0x1E, 0xF9, 0x99, 0xB1,
0x6A, 0xBC, 0x9A, 0xE8, 0x44, 0x4A, 0x46, 0x9F,
0xC6, 0x5A, 0x90, 0x49, 0x0F, 0xDF, 0x3C, 0x0A,
0x07, 0x6E, 0xB9, 0x0D, 0x72, 0x90, 0x85, 0xF6,
0x0B, 0x41, 0x7D, 0x17, 0x5C, 0x44, 0xEF, 0xA0,
0xFC, 0x2C, 0x0A, 0xC5, 0x37, 0xC5, 0xBE, 0xC4,
0x6C, 0x2D, 0xBB, 0x63, 0xAB, 0x5B, 0xDB, 0x67,
0x9B, 0xAD, 0x90, 0x67, 0x9C, 0xBE, 0xDE, 0xF9,
0xE4, 0x9E, 0x22, 0x31, 0x60, 0xED, 0x9E, 0xC7,
0xD2, 0x48, 0xC9, 0x02, 0xAE, 0xBF, 0x8D, 0xA2,
0xA8, 0xF8, 0x9D, 0x8B, 0xB1, 0x1F, 0xDA, 0xE3
};
static const unsigned char RSA2048_IQ[] = {
0xB5, 0x48, 0xD4, 0x48, 0x5A, 0x33, 0xCD, 0x13,
0xFE, 0xC6, 0xF7, 0x01, 0x0A, 0x3E, 0x40, 0xA3,
0x45, 0x94, 0x6F, 0x85, 0xE4, 0x68, 0x66, 0xEC,
0x69, 0x6A, 0x3E, 0xE0, 0x62, 0x3F, 0x0C, 0xEF,
0x21, 0xCC, 0xDA, 0xAD, 0x75, 0x98, 0x12, 0xCA,
0x9E, 0x31, 0xDD, 0x95, 0x0D, 0xBD, 0x55, 0xEB,
0x92, 0xF7, 0x9E, 0xBD, 0xFC, 0x28, 0x35, 0x96,
0x31, 0xDC, 0x53, 0x80, 0xA3, 0x57, 0x89, 0x3C,
0x4A, 0xEC, 0x40, 0x75, 0x13, 0xAC, 0x4F, 0x36,
0x3A, 0x86, 0x9A, 0xA6, 0x58, 0xC9, 0xED, 0xCB,
0xD6, 0xBB, 0xB2, 0xD9, 0xAA, 0x04, 0xC4, 0xE8,
0x47, 0x3E, 0xBD, 0x14, 0x9B, 0x8F, 0x61, 0x70,
0x69, 0x66, 0x23, 0x62, 0x18, 0xE3, 0x52, 0x98,
0xE3, 0x22, 0xE9, 0x6F, 0xDA, 0x28, 0x68, 0x08,
0xB8, 0xB9, 0x8B, 0x97, 0x8B, 0x77, 0x3F, 0xCA,
0x9D, 0x9D, 0xBE, 0xD5, 0x2D, 0x3E, 0xC2, 0x11
};
static const br_rsa_public_key RSA2048_PK = {
(void *)RSA2048_N, sizeof RSA2048_N,
(void *)RSA2048_E, sizeof RSA2048_E
};
static const br_rsa_private_key RSA2048_SK = {
2048,
(void *)RSA2048_P, sizeof RSA2048_P,
(void *)RSA2048_Q, sizeof RSA2048_Q,
(void *)RSA2048_DP, sizeof RSA2048_DP,
(void *)RSA2048_DQ, sizeof RSA2048_DQ,
(void *)RSA2048_IQ, sizeof RSA2048_IQ
};
/*
* A 4096-bit RSA key, generated with OpenSSL.
*/
static const unsigned char RSA4096_N[] = {
0xAA, 0x17, 0x71, 0xBC, 0x92, 0x3E, 0xB5, 0xBD,
0x3E, 0x64, 0xCF, 0x03, 0x9B, 0x24, 0x65, 0x33,
0x5F, 0xB4, 0x47, 0x89, 0xE5, 0x63, 0xE4, 0xA0,
0x5A, 0x51, 0x95, 0x07, 0x73, 0xEE, 0x00, 0xF6,
0x3E, 0x31, 0x0E, 0xDA, 0x15, 0xC3, 0xAA, 0x21,
0x6A, 0xCD, 0xFF, 0x46, 0x6B, 0xDF, 0x0A, 0x7F,
0x8A, 0xC2, 0x25, 0x19, 0x47, 0x44, 0xD8, 0x52,
0xC1, 0x56, 0x25, 0x6A, 0xE0, 0xD2, 0x61, 0x11,
0x2C, 0xF7, 0x73, 0x9F, 0x5F, 0x74, 0xAA, 0xDD,
0xDE, 0xAF, 0x81, 0xF6, 0x0C, 0x1A, 0x3A, 0xF9,
0xC5, 0x47, 0x82, 0x75, 0x1D, 0x41, 0xF0, 0xB2,
0xFD, 0xBA, 0xE2, 0xA4, 0xA1, 0xB8, 0x32, 0x48,
0x06, 0x0D, 0x29, 0x2F, 0x44, 0x14, 0xF5, 0xAC,
0x54, 0x83, 0xC4, 0xB6, 0x85, 0x85, 0x9B, 0x1C,
0x05, 0x61, 0x28, 0x62, 0x24, 0xA8, 0xF0, 0xE6,
0x80, 0xA7, 0x91, 0xE8, 0xC7, 0x8E, 0x52, 0x17,
0xBE, 0xAF, 0xC6, 0x0A, 0xA3, 0xFB, 0xD1, 0x04,
0x15, 0x3B, 0x14, 0x35, 0xA5, 0x41, 0xF5, 0x30,
0xFE, 0xEF, 0x53, 0xA7, 0x89, 0x91, 0x78, 0x30,
0xBE, 0x3A, 0xB1, 0x4B, 0x2E, 0x4A, 0x0E, 0x25,
0x1D, 0xCF, 0x51, 0x54, 0x52, 0xF1, 0x88, 0x85,
0x36, 0x23, 0xDE, 0xBA, 0x66, 0x25, 0x60, 0x8D,
0x45, 0xD7, 0xD8, 0x10, 0x41, 0x64, 0xC7, 0x4B,
0xCE, 0x72, 0x13, 0xD7, 0x20, 0xF8, 0x2A, 0x74,
0xA5, 0x05, 0xF4, 0x5A, 0x90, 0xF4, 0x9C, 0xE7,
0xC9, 0xCF, 0x1E, 0xD5, 0x9C, 0xAC, 0xE5, 0x00,
0x83, 0x73, 0x9F, 0xE7, 0xC6, 0x93, 0xC0, 0x06,
0xA7, 0xB8, 0xF8, 0x46, 0x90, 0xC8, 0x78, 0x27,
0x2E, 0xCC, 0xC0, 0x2A, 0x20, 0xC5, 0xFC, 0x63,
0x22, 0xA1, 0xD6, 0x16, 0xAD, 0x9C, 0xD6, 0xFC,
0x7A, 0x6E, 0x9C, 0x98, 0x51, 0xEE, 0x6B, 0x6D,
0x8F, 0xEF, 0xCE, 0x7C, 0x5D, 0x16, 0xB0, 0xCE,
0x9C, 0xEE, 0x92, 0xCF, 0xB7, 0xEB, 0x41, 0x36,
0x3A, 0x6C, 0xF2, 0x0D, 0x26, 0x11, 0x2F, 0x6C,
0x27, 0x62, 0xA2, 0xCC, 0x63, 0x53, 0xBD, 0xFC,
0x9F, 0xBE, 0x9B, 0xBD, 0xE5, 0xA7, 0xDA, 0xD4,
0xF8, 0xED, 0x5E, 0x59, 0x2D, 0xAC, 0xCD, 0x13,
0xEB, 0xE5, 0x9E, 0x39, 0x82, 0x8B, 0xFD, 0xA8,
0xFB, 0xCB, 0x86, 0x27, 0xC7, 0x4B, 0x4C, 0xD0,
0xBA, 0x12, 0xD0, 0x76, 0x1A, 0xDB, 0x30, 0xC5,
0xB3, 0x2C, 0x4C, 0xC5, 0x32, 0x03, 0x05, 0x67,
0x8D, 0xD0, 0x14, 0x37, 0x59, 0x2B, 0xE3, 0x1C,
0x25, 0x3E, 0xA5, 0xE4, 0xF1, 0x0D, 0x34, 0xBB,
0xD5, 0xF6, 0x76, 0x45, 0x5B, 0x0F, 0x1E, 0x07,
0x0A, 0xBA, 0x9D, 0x71, 0x87, 0xDE, 0x45, 0x50,
0xE5, 0x0F, 0x32, 0xBB, 0x5C, 0x32, 0x2D, 0x40,
0xCD, 0x19, 0x95, 0x4E, 0xC5, 0x54, 0x3A, 0x9A,
0x46, 0x9B, 0x85, 0xFE, 0x53, 0xB7, 0xD8, 0x65,
0x6D, 0x68, 0x0C, 0xBB, 0xE3, 0x3D, 0x8E, 0x64,
0xBE, 0x27, 0x15, 0xAB, 0x12, 0x20, 0xD9, 0x84,
0xF5, 0x02, 0xE4, 0xBB, 0xDD, 0xAB, 0x59, 0x51,
0xF4, 0xE1, 0x79, 0xBE, 0xB8, 0xA3, 0x8E, 0xD1,
0x1C, 0xB0, 0xFA, 0x48, 0x76, 0xC2, 0x9D, 0x7A,
0x01, 0xA5, 0xAF, 0x8C, 0xBA, 0xAA, 0x4C, 0x06,
0x2B, 0x0A, 0x62, 0xF0, 0x79, 0x5B, 0x42, 0xFC,
0xF8, 0xBF, 0xD4, 0xDD, 0x62, 0x32, 0xE3, 0xCE,
0xF1, 0x2C, 0xE6, 0xED, 0xA8, 0x8A, 0x41, 0xA3,
0xC1, 0x1E, 0x07, 0xB6, 0x43, 0x10, 0x80, 0xB7,
0xF3, 0xD0, 0x53, 0x2A, 0x9A, 0x98, 0xA7, 0x4F,
0x9E, 0xA3, 0x3E, 0x1B, 0xDA, 0x93, 0x15, 0xF2,
0xF4, 0x20, 0xA5, 0xA8, 0x4F, 0x8A, 0xBA, 0xED,
0xB1, 0x17, 0x6C, 0x0F, 0xD9, 0x8F, 0x38, 0x11,
0xF3, 0xD9, 0x5E, 0x88, 0xA1, 0xA1, 0x82, 0x8B,
0x30, 0xD7, 0xC6, 0xCE, 0x4E, 0x30, 0x55, 0x57
};
static const unsigned char RSA4096_E[] = {
0x01, 0x00, 0x01
};
static const unsigned char RSA4096_P[] = {
0xD3, 0x7A, 0x22, 0xD8, 0x9B, 0xBF, 0x42, 0xB4,
0x53, 0x04, 0x10, 0x6A, 0x84, 0xFD, 0x7C, 0x1D,
0xF6, 0xF4, 0x10, 0x65, 0xAA, 0xE5, 0xE1, 0x4E,
0xB4, 0x37, 0xF7, 0xAC, 0xF7, 0xD3, 0xB2, 0x3B,
0xFE, 0xE7, 0x63, 0x42, 0xE9, 0xF0, 0x3C, 0xE0,
0x42, 0xB4, 0xBB, 0x09, 0xD0, 0xB2, 0x7C, 0x70,
0xA4, 0x11, 0x97, 0x90, 0x01, 0xD0, 0x0E, 0x7B,
0xAF, 0x7D, 0x30, 0x4E, 0x6B, 0x3A, 0xCC, 0x50,
0x4E, 0xAF, 0x2F, 0xC3, 0xC2, 0x4F, 0x7E, 0xC5,
0xB3, 0x76, 0x33, 0xFB, 0xA7, 0xB1, 0x96, 0xA5,
0x46, 0x41, 0xC6, 0xDA, 0x5A, 0xFD, 0x17, 0x0A,
0x6A, 0x86, 0x54, 0x83, 0xE1, 0x57, 0xE7, 0xAF,
0x8C, 0x42, 0xE5, 0x39, 0xF2, 0xC7, 0xFC, 0x4A,
0x3D, 0x3C, 0x94, 0x89, 0xC2, 0xC6, 0x2D, 0x0A,
0x5F, 0xD0, 0x21, 0x23, 0x5C, 0xC9, 0xC8, 0x44,
0x8A, 0x96, 0x72, 0x4D, 0x96, 0xC6, 0x17, 0x0C,
0x36, 0x43, 0x7F, 0xD8, 0xA0, 0x7A, 0x31, 0x7E,
0xCE, 0x13, 0xE3, 0x13, 0x2E, 0xE0, 0x91, 0xC2,
0x61, 0x13, 0x16, 0x8D, 0x99, 0xCB, 0xA9, 0x2C,
0x4D, 0x9D, 0xDD, 0x1D, 0x03, 0xE7, 0xA7, 0x50,
0xF4, 0x16, 0x43, 0xB1, 0x7F, 0x99, 0x61, 0x3F,
0xA5, 0x59, 0x91, 0x16, 0xC3, 0x06, 0x63, 0x59,
0xE9, 0xDA, 0xB5, 0x06, 0x2E, 0x0C, 0xD9, 0xAB,
0x93, 0x89, 0x12, 0x82, 0xFB, 0x90, 0xD9, 0x30,
0x60, 0xF7, 0x35, 0x2D, 0x18, 0x78, 0xEB, 0x2B,
0xA1, 0x06, 0x67, 0x37, 0xDE, 0x72, 0x20, 0xD2,
0x80, 0xE5, 0x2C, 0xD7, 0x5E, 0xC7, 0x67, 0x2D,
0x40, 0xE7, 0x7A, 0xCF, 0x4A, 0x69, 0x9D, 0xA7,
0x90, 0x9F, 0x3B, 0xDF, 0x07, 0x97, 0x64, 0x69,
0x06, 0x4F, 0xBA, 0xF4, 0xE5, 0xBD, 0x71, 0x60,
0x36, 0xB7, 0xA3, 0xDE, 0x76, 0xC5, 0x38, 0xD7,
0x1D, 0x9A, 0xFC, 0x36, 0x3D, 0x3B, 0xDC, 0xCF
};
static const unsigned char RSA4096_Q[] = {
0xCD, 0xE6, 0xC6, 0xA6, 0x42, 0x4C, 0x45, 0x65,
0x8B, 0x85, 0x76, 0xFC, 0x21, 0xB6, 0x57, 0x79,
0x3C, 0xE4, 0xE3, 0x85, 0x55, 0x2F, 0x59, 0xD3,
0x3F, 0x74, 0xAF, 0x9F, 0x11, 0x04, 0x10, 0x8B,
0xF9, 0x5F, 0x4D, 0x25, 0xEE, 0x20, 0xF9, 0x69,
0x3B, 0x02, 0xB6, 0x43, 0x0D, 0x0C, 0xED, 0x30,
0x31, 0x57, 0xE7, 0x9A, 0x57, 0x24, 0x6B, 0x4A,
0x5E, 0xA2, 0xBF, 0xD4, 0x47, 0x7D, 0xFA, 0x78,
0x51, 0x86, 0x80, 0x68, 0x85, 0x7C, 0x7B, 0x08,
0x4A, 0x35, 0x24, 0x4F, 0x8B, 0x24, 0x49, 0xF8,
0x16, 0x06, 0x9C, 0x57, 0x4E, 0x94, 0x4C, 0xBD,
0x6E, 0x53, 0x52, 0xC9, 0xC1, 0x64, 0x43, 0x22,
0x1E, 0xDD, 0xEB, 0xAC, 0x90, 0x58, 0xCA, 0xBA,
0x9C, 0xAC, 0xCF, 0xDD, 0x08, 0x6D, 0xB7, 0x31,
0xDB, 0x0D, 0x83, 0xE6, 0x50, 0xA6, 0x69, 0xB1,
0x1C, 0x68, 0x92, 0xB4, 0xB5, 0x76, 0xDE, 0xBD,
0x4F, 0xA5, 0x30, 0xED, 0x23, 0xFF, 0xE5, 0x80,
0x21, 0xAB, 0xED, 0xE6, 0xDC, 0x32, 0x3D, 0xF7,
0x45, 0xB8, 0x19, 0x3D, 0x8E, 0x15, 0x7C, 0xE5,
0x0D, 0xC8, 0x9B, 0x7D, 0x1F, 0x7C, 0x14, 0x14,
0x41, 0x09, 0xA7, 0xEB, 0xFB, 0xD9, 0x5F, 0x9A,
0x94, 0xB6, 0xD5, 0xA0, 0x2C, 0xAF, 0xB5, 0xEF,
0x5C, 0x5A, 0x8E, 0x34, 0xA1, 0x8F, 0xEB, 0x38,
0x0F, 0x31, 0x6E, 0x45, 0x21, 0x7A, 0xAA, 0xAF,
0x6C, 0xB1, 0x8E, 0xB2, 0xB9, 0xD4, 0x1E, 0xEF,
0x66, 0xD8, 0x4E, 0x3D, 0xF2, 0x0C, 0xF1, 0xBA,
0xFB, 0xA9, 0x27, 0xD2, 0x45, 0x54, 0x83, 0x4B,
0x10, 0xC4, 0x9A, 0x32, 0x9C, 0xC7, 0x9A, 0xCF,
0x4E, 0xBF, 0x07, 0xFC, 0x27, 0xB7, 0x96, 0x1D,
0xDE, 0x9D, 0xE4, 0x84, 0x68, 0x00, 0x9A, 0x9F,
0x3D, 0xE6, 0xC7, 0x26, 0x11, 0x48, 0x79, 0xFA,
0x09, 0x76, 0xC8, 0x25, 0x3A, 0xE4, 0x70, 0xF9
};
static const unsigned char RSA4096_DP[] = {
0x5C, 0xE3, 0x3E, 0xBF, 0x09, 0xD9, 0xFE, 0x80,
0x9A, 0x1E, 0x24, 0xDF, 0xC4, 0xBE, 0x5A, 0x70,
0x06, 0xF2, 0xB8, 0xE9, 0x0F, 0x21, 0x9D, 0xCF,
0x26, 0x15, 0x97, 0x32, 0x60, 0x40, 0x99, 0xFF,
0x04, 0x3D, 0xBA, 0x39, 0xBF, 0xEB, 0x87, 0xB1,
0xB1, 0x5B, 0x14, 0xF4, 0x80, 0xB8, 0x85, 0x34,
0x2C, 0xBC, 0x95, 0x67, 0xE9, 0x83, 0xEB, 0x78,
0xA4, 0x62, 0x46, 0x7F, 0x8B, 0x55, 0xEE, 0x3C,
0x2F, 0xF3, 0x7E, 0xF5, 0x6B, 0x39, 0xE3, 0xA3,
0x0E, 0xEA, 0x92, 0x76, 0xAC, 0xF7, 0xB2, 0x05,
0xB2, 0x50, 0x5D, 0xF9, 0xB7, 0x11, 0x87, 0xB7,
0x49, 0x86, 0xEB, 0x44, 0x6A, 0x0C, 0x64, 0x75,
0x95, 0x14, 0x24, 0xFF, 0x49, 0x06, 0x52, 0x68,
0x81, 0x71, 0x44, 0x85, 0x26, 0x0A, 0x49, 0xEA,
0x4E, 0x9F, 0x6A, 0x8E, 0xCF, 0xC8, 0xC9, 0xB0,
0x61, 0x77, 0x27, 0x89, 0xB0, 0xFA, 0x1D, 0x51,
0x7D, 0xDC, 0x34, 0x21, 0x80, 0x8B, 0x6B, 0x86,
0x19, 0x1A, 0x5F, 0x19, 0x23, 0xF3, 0xFB, 0xD1,
0xF7, 0x35, 0x9D, 0x28, 0x61, 0x2F, 0x35, 0x85,
0x82, 0x2A, 0x1E, 0xDF, 0x09, 0xC2, 0x0C, 0x99,
0xE0, 0x3C, 0x8F, 0x4B, 0x3D, 0x92, 0xAF, 0x46,
0x77, 0x68, 0x59, 0xF4, 0x37, 0x81, 0x6C, 0xCE,
0x27, 0x8B, 0xAB, 0x0B, 0xA5, 0xDA, 0x7B, 0x19,
0x83, 0xDA, 0x27, 0x49, 0x65, 0x1A, 0x00, 0x6B,
0xE1, 0x8B, 0x73, 0xCD, 0xF4, 0xFB, 0xD7, 0xBF,
0xF8, 0x20, 0x89, 0xE1, 0xDE, 0x51, 0x1E, 0xDD,
0x97, 0x44, 0x12, 0x68, 0x1E, 0xF7, 0x52, 0xF8,
0x6B, 0x93, 0xC1, 0x3B, 0x9F, 0xA1, 0xB8, 0x5F,
0xCB, 0x84, 0x45, 0x95, 0xF7, 0x0D, 0xA6, 0x4B,
0x03, 0x3C, 0xAE, 0x0F, 0xB7, 0x81, 0x78, 0x75,
0x1C, 0x53, 0x99, 0x24, 0xB3, 0xE2, 0x78, 0xCE,
0xF3, 0xF0, 0x09, 0x6C, 0x01, 0x85, 0x73, 0xBD
};
static const unsigned char RSA4096_DQ[] = {
0xCD, 0x88, 0xAC, 0x8B, 0x92, 0x6A, 0xA8, 0x6B,
0x71, 0x16, 0xCD, 0x6B, 0x6A, 0x0B, 0xA6, 0xCD,
0xF3, 0x27, 0x58, 0xA6, 0xE4, 0x1D, 0xDC, 0x40,
0xAF, 0x7B, 0x3F, 0x44, 0x3D, 0xAC, 0x1D, 0x08,
0x5C, 0xE9, 0xF1, 0x0D, 0x07, 0xE4, 0x0A, 0x94,
0x2C, 0xBF, 0xCC, 0x48, 0xAA, 0x62, 0x58, 0xF2,
0x5E, 0x8F, 0x2D, 0x36, 0x37, 0xFE, 0xB6, 0xCB,
0x0A, 0x24, 0xD3, 0xF0, 0x87, 0x5D, 0x0E, 0x05,
0xC4, 0xFB, 0xCA, 0x7A, 0x8B, 0xA5, 0x72, 0xFB,
0x17, 0x78, 0x6C, 0xC2, 0xAA, 0x56, 0x93, 0x2F,
0xFE, 0x6C, 0xA2, 0xEB, 0xD4, 0x18, 0xDD, 0x71,
0xCB, 0x0B, 0x89, 0xFC, 0xB3, 0xFB, 0xED, 0xB7,
0xC5, 0xB0, 0x29, 0x6D, 0x9C, 0xB9, 0xC5, 0xC4,
0xFA, 0x58, 0xD7, 0x36, 0x01, 0x0F, 0xE4, 0x6A,
0xF4, 0x0B, 0x4D, 0xBB, 0x3E, 0x8E, 0x9F, 0xBA,
0x98, 0x6D, 0x1A, 0xE5, 0x20, 0xAF, 0x84, 0x30,
0xDD, 0xAC, 0x3C, 0x66, 0xBC, 0x24, 0xD9, 0x67,
0x4A, 0x35, 0x61, 0xC9, 0xAD, 0xCC, 0xC9, 0x66,
0x68, 0x46, 0x19, 0x8C, 0x04, 0xA5, 0x16, 0x83,
0x5F, 0x7A, 0xFD, 0x1B, 0xAD, 0xAE, 0x22, 0x2D,
0x05, 0xAF, 0x29, 0xDC, 0xBB, 0x0E, 0x86, 0x0C,
0xBC, 0x9E, 0xB6, 0x28, 0xA9, 0xF2, 0xCC, 0x5E,
0x1F, 0x86, 0x95, 0xA5, 0x9C, 0x11, 0x19, 0xF0,
0x5F, 0xDA, 0x2C, 0x04, 0xFE, 0x22, 0x80, 0xF7,
0x94, 0x3C, 0xBA, 0x01, 0x56, 0xD6, 0x93, 0xFA,
0xCE, 0x62, 0xE5, 0xD7, 0x98, 0x23, 0xAB, 0xB9,
0xC7, 0x35, 0x57, 0xF6, 0xE2, 0x16, 0x36, 0xE9,
0x5B, 0xD7, 0xA5, 0x45, 0x18, 0x93, 0x77, 0xC9,
0xB1, 0x05, 0xA8, 0x66, 0xE1, 0x0E, 0xB5, 0xDF,
0x23, 0x35, 0xE1, 0xC2, 0xFA, 0x3E, 0x80, 0x1A,
0xAD, 0xA4, 0x0C, 0xEF, 0xC7, 0x18, 0xDE, 0x09,
0xE6, 0x20, 0x98, 0x31, 0xF1, 0xD3, 0xCF, 0xA1
};
static const unsigned char RSA4096_IQ[] = {
0x76, 0xD7, 0x75, 0xDF, 0xA3, 0x0C, 0x9D, 0x64,
0x6E, 0x00, 0x82, 0x2E, 0x5C, 0x5E, 0x43, 0xC4,
0xD2, 0x28, 0xB0, 0xB1, 0xA8, 0xD8, 0x26, 0x91,
0xA0, 0xF5, 0xC8, 0x69, 0xFF, 0x24, 0x33, 0xAB,
0x67, 0xC7, 0xA3, 0xAE, 0xBB, 0x17, 0x27, 0x5B,
0x5A, 0xCD, 0x67, 0xA3, 0x70, 0x91, 0x9E, 0xD5,
0xF1, 0x97, 0x00, 0x0A, 0x30, 0x64, 0x3D, 0x9B,
0xBF, 0xB5, 0x8C, 0xAC, 0xC7, 0x20, 0x0A, 0xD2,
0x76, 0x36, 0x36, 0x5D, 0xE4, 0xAC, 0x5D, 0xBC,
0x44, 0x32, 0xB0, 0x76, 0x33, 0x40, 0xDD, 0x29,
0x22, 0xE0, 0xFF, 0x55, 0x4C, 0xCE, 0x3F, 0x43,
0x34, 0x95, 0x94, 0x7C, 0x22, 0x0D, 0xAB, 0x20,
0x38, 0x70, 0xC3, 0x4A, 0x19, 0xCF, 0x81, 0xCE,
0x79, 0x28, 0x6C, 0xC2, 0xA3, 0xB3, 0x48, 0x20,
0x2D, 0x3E, 0x74, 0x45, 0x2C, 0xAA, 0x9F, 0xA5,
0xC2, 0xE3, 0x2D, 0x41, 0x95, 0xBD, 0x78, 0xAB,
0x6A, 0xA8, 0x7A, 0x45, 0x52, 0xE2, 0x66, 0xE7,
0x6C, 0x38, 0x03, 0xA5, 0xDA, 0xAD, 0x94, 0x3C,
0x6A, 0xA1, 0xA2, 0xD5, 0xCD, 0xDE, 0x05, 0xCC,
0x6E, 0x3D, 0x8A, 0xF6, 0x9A, 0xA5, 0x0F, 0xA9,
0x18, 0xC4, 0xF9, 0x9C, 0x2F, 0xB3, 0xF1, 0x30,
0x38, 0x60, 0x69, 0x09, 0x67, 0x2C, 0xE9, 0x42,
0x68, 0x3C, 0x70, 0x32, 0x1A, 0x44, 0x32, 0x02,
0x82, 0x9F, 0x60, 0xE8, 0xA4, 0x42, 0x74, 0xA2,
0xA2, 0x5A, 0x99, 0xDC, 0xC8, 0xCA, 0x15, 0x4D,
0xFF, 0xF1, 0x8A, 0x23, 0xD8, 0xD3, 0xB1, 0x9A,
0xB4, 0x0B, 0xBB, 0xE8, 0x38, 0x74, 0x0C, 0x52,
0xC7, 0x8B, 0x63, 0x4C, 0xEA, 0x7D, 0x5F, 0x58,
0x34, 0x53, 0x3E, 0x23, 0x10, 0xBB, 0x60, 0x6B,
0x52, 0x9D, 0x89, 0x9F, 0xF0, 0x5F, 0xCE, 0xB3,
0x9C, 0x0E, 0x75, 0x0F, 0x87, 0xF6, 0x66, 0xA5,
0x4C, 0x94, 0x84, 0xFE, 0x94, 0xB9, 0x04, 0xB7
};
static const br_rsa_public_key RSA4096_PK = {
(void *)RSA4096_N, sizeof RSA4096_N,
(void *)RSA4096_E, sizeof RSA4096_E
};
static const br_rsa_private_key RSA4096_SK = {
4096,
(void *)RSA4096_P, sizeof RSA4096_P,
(void *)RSA4096_Q, sizeof RSA4096_Q,
(void *)RSA4096_DP, sizeof RSA4096_DP,
(void *)RSA4096_DQ, sizeof RSA4096_DQ,
(void *)RSA4096_IQ, sizeof RSA4096_IQ
};
static void
test_RSA_core(const char *name, br_rsa_public fpub, br_rsa_private fpriv)
{
unsigned char t1[512], t2[512], t3[512];
size_t len;
printf("Test %s: ", name);
fflush(stdout);
/*
* A KAT test (computed with OpenSSL).
*/
len = hextobin(t1, "45A3DC6A106BCD3BD0E48FB579643AA3FF801E5903E80AA9B43A695A8E7F454E93FA208B69995FF7A6D5617C2FEB8E546375A664977A48931842AAE796B5A0D64393DCA35F3490FC157F5BD83B9D58C2F7926E6AE648A2BD96CAB8FCCD3D35BB11424AD47D973FF6D69CA774841AEC45DFAE99CCF79893E7047FDE6CB00AA76D");
hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003021300906052B0E03021A05000414A94A8FE5CCB19BA61C4C0873D391E987982FBBD3");
memcpy(t3, t1, len);
if (!fpub(t3, len, &RSA_PK)) {
fprintf(stderr, "RSA public operation failed (1)\n");
exit(EXIT_FAILURE);
}
check_equals("KAT RSA pub", t2, t3, len);
if (!fpriv(t3, &RSA_SK)) {
fprintf(stderr, "RSA private operation failed (1)\n");
exit(EXIT_FAILURE);
}
check_equals("KAT RSA priv (1)", t1, t3, len);
/*
* Another KAT test, with a (fake) hash value slightly different
* (last byte is 0xD9 instead of 0xD3).
*/
len = hextobin(t1, "32C2DB8B2C73BBCA9960CB3F11FEDEE7B699359EF2EEC3A632E56B7FF3DE2F371E5179BAB03F17E0BB20D2891ACAB679F95DA9B43A01DAAD192FADD25D8ACCF1498EC80F5BBCAC88EA59D60E3BC9D3CE27743981DE42385FFFFF04DD2D716E1A46C04A28ECAF6CD200DAB81083A830D61538D69BB39A183107BD50302AA6BC28");
hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003021300906052B0E03021A05000414A94A8FE5CCB19BA61C4C0873D391E987982FBBD9");
memcpy(t3, t1, len);
if (!fpub(t3, len, &RSA_PK)) {
fprintf(stderr, "RSA public operation failed (2)\n");
exit(EXIT_FAILURE);
}
check_equals("KAT RSA pub", t2, t3, len);
if (!fpriv(t3, &RSA_SK)) {
fprintf(stderr, "RSA private operation failed (2)\n");
exit(EXIT_FAILURE);
}
check_equals("KAT RSA priv (2)", t1, t3, len);
/*
* Third KAT vector is invalid, because the encrypted value is
* out of range: instead of x, value is x+n (where n is the
* modulus). Mathematically, this still works, but implementations
* are supposed to reject such cases.
*/
len = hextobin(t1, "F27781B9B3B358583A24F9BA6B34EE98B67A5AE8D8D4FA567BA773EB6B85EF88848680640A1E2F5FD117876E5FB928B64C6EFC7E03632A3F4C941E15657C0C705F3BB8D0B03A0249143674DB1FE6E5406D690BF2DA76EA7FF3AC6FCE12C7801252FAD52D332BE4AB41F9F8CF1728CDF98AB8E8C20E0C350E4F707A6402C01E0B");
hextobin(t2, "BFB6A62E873F9C8DA0C42E7B59360FB0FFE12549E5E636B048C2086B77A7C051663506A959DF177F15F6B4E544EE723C531152C9C9614F923364704307F13F7F15ACF0C1547D55C029DC9ECCE41D117245F4D270FC34B21FF3AD6AEFE58633281540902F547F79F3461F44D33CCB2D094231ADCC76BE25511B4513BB70491DBC");
memcpy(t3, t1, len);
if (fpub(t3, len, &RSA_PK)) {
size_t u;
fprintf(stderr, "RSA public operation should have failed"
" (value out of range)\n");
fprintf(stderr, "x = ");
for (u = 0; u < len; u ++) {
fprintf(stderr, "%02X", t3[u]);
}
fprintf(stderr, "\n");
exit(EXIT_FAILURE);
}
memcpy(t3, t2, len);
if (fpriv(t3, &RSA_SK)) {
size_t u;
fprintf(stderr, "RSA private operation should have failed"
" (value out of range)\n");
fprintf(stderr, "x = ");
for (u = 0; u < len; u ++) {
fprintf(stderr, "%02X", t3[u]);
}
fprintf(stderr, "\n");
exit(EXIT_FAILURE);
}
/*
* RSA-2048 test vector.
*/
len = hextobin(t1, "B188ED4EF173A30AED3889926E3CF1CE03FE3BAA7AB122B119A8CD529062F235A7B321008FB898894A624B3E6C8C5374950E78FAC86651345FE2ABA0791968284F23B0D794F8DCDDA924518854822CB7FF2AA9F205AACD909BB5EA541534CC00DBC2EF7727B9FE1BAFE6241B931E8BD01E13632E5AF9E94F4A335772B61F24D6F6AA642AEABB173E36F546CB02B19A1E5D4E27E3EB67F2E986E9F084D4BD266543800B1DC96088A05DFA9AFA595398E9A766D41DD8DA4F74F36C9D74867F0BF7BFA8622EE43C79DA0CEAC14B5D39DE074BDB89D84145BC19D8B2D0EA74DBF2DC29E907BF7C7506A2603CD8BC25EFE955D0125EDB2685EF158B020C9FC539242A");
hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003031300D060960864801650304020105000420A5A0A792A09438811584A68E240C6C89F1FB1C53C0C86E270B942635F4F6B24A");
memcpy(t3, t1, len);
if (!fpub(t3, len, &RSA2048_PK)) {
fprintf(stderr, "RSA public operation failed (2048)\n");
exit(EXIT_FAILURE);
}
check_equals("KAT RSA pub", t2, t3, len);
if (!fpriv(t3, &RSA2048_SK)) {
fprintf(stderr, "RSA private operation failed (2048)\n");
exit(EXIT_FAILURE);
}
check_equals("KAT RSA priv (2048)", t1, t3, len);
/*
* RSA-4096 test vector.
*/
len = hextobin(t1, "7D35B6B4D85252D08A2658C0B04126CC617B0E56B2A782A5FA2722AD05BD49538111682C12DA2C5FA1B9C30FB1AB8DA2C6A49EB4226A4D32290CF091FBB22EC499C7B18192C230B29F957DAF551F1EAD1917BA9E03D757100BD1F96B829708A6188A3927436113BB21E175D436BBB7A90E20162203FFB8F675313DFB21EFDA3EA0C7CC9B605AE7FB47E2DD2A9C4D5F124D7DE1B690AF9ADFEDC6055E0F9D2C9A891FB2501F3055D6DA7E94D51672BA1E86AEB782E4B020F70E0DF5399262909FC5B4770B987F2826EF2099A15F3CD5A0D6FE82E0C85FBA2C53C77305F534A7B0C7EA0D5244E37F1C1318EEF7079995F0642E4AB80EB0ED60DB4955FB652ED372DAC787581054A827C37A25C7B4DE7AE7EF3D099D47D6682ADF02BCC4DE04DDF2920F7124CF5B4955705E4BDB97A0BF341B584797878B4D3795134A9469FB391E4E4988F0AA451027CBC2ED6121FC23B26BF593E3C51DEDD53B62E23050D5B41CA34204679916A87AF1B17873A0867924D0C303942ADA478B769487FCEF861D4B20DCEE6942CCB84184833CDB258167258631C796BC1977D001354E2EE168ABE3B45FC969EA7F22B8E133C57A10FBB25ED19694E89C399CF7723B3C0DF0CC9F57A8ED0959EFC392FB31B8ADAEA969E2DEE8282CB245E5677368F00CCE4BA52C07C16BE7F9889D57191D5B2FE552D72B3415C64C09EE622457766EC809344A1EFE");
hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003031300D0609608648016503040201050004205B60DD5AD5B3C62E0DA25FD0D8CB26325E1CE32CC9ED234B288235BCCF6ED2C8");
memcpy(t3, t1, len);
if (!fpub(t3, len, &RSA4096_PK)) {
fprintf(stderr, "RSA public operation failed (4096)\n");
exit(EXIT_FAILURE);
}
check_equals("KAT RSA pub", t2, t3, len);
if (!fpriv(t3, &RSA4096_SK)) {
fprintf(stderr, "RSA private operation failed (4096)\n");
exit(EXIT_FAILURE);
}
check_equals("KAT RSA priv (4096)", t1, t3, len);
printf("done.\n");
fflush(stdout);
}
static const unsigned char SHA1_OID[] = {
0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A
};
static void
test_RSA_sign(const char *name, br_rsa_private fpriv,
br_rsa_pkcs1_sign fsign, br_rsa_pkcs1_vrfy fvrfy)
{
unsigned char t1[128], t2[128];
unsigned char hv[20], tmp[20];
unsigned char rsa_n[128], rsa_e[3], rsa_p[64], rsa_q[64];
unsigned char rsa_dp[64], rsa_dq[64], rsa_iq[64];
br_rsa_public_key rsa_pk;
br_rsa_private_key rsa_sk;
unsigned char hv2[64], tmp2[64], sig[128];
br_sha1_context hc;
size_t u;
printf("Test %s: ", name);
fflush(stdout);
/*
* Verify the KAT test (computed with OpenSSL).
*/
hextobin(t1, "45A3DC6A106BCD3BD0E48FB579643AA3FF801E5903E80AA9B43A695A8E7F454E93FA208B69995FF7A6D5617C2FEB8E546375A664977A48931842AAE796B5A0D64393DCA35F3490FC157F5BD83B9D58C2F7926E6AE648A2BD96CAB8FCCD3D35BB11424AD47D973FF6D69CA774841AEC45DFAE99CCF79893E7047FDE6CB00AA76D");
br_sha1_init(&hc);
br_sha1_update(&hc, "test", 4);
br_sha1_out(&hc, hv);
if (!fvrfy(t1, sizeof t1, SHA1_OID, sizeof tmp, &RSA_PK, tmp)) {
fprintf(stderr, "Signature verification failed\n");
exit(EXIT_FAILURE);
}
check_equals("Extracted hash value", hv, tmp, sizeof tmp);
/*
* Regenerate the signature. This should yield the same value as
* the KAT test, since PKCS#1 v1.5 signatures are deterministic
* (except the usual detail about hash function parameter
* encoding, but OpenSSL uses the same convention as BearSSL).
*/
if (!fsign(SHA1_OID, hv, 20, &RSA_SK, t2)) {
fprintf(stderr, "Signature generation failed\n");
exit(EXIT_FAILURE);
}
check_equals("Regenerated signature", t1, t2, sizeof t1);
/*
* Use the raw private core to generate fake signatures, where
* one byte of the padded hash value is altered. They should all be
* rejected.
*/
hextobin(t2, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003021300906052B0E03021A05000414A94A8FE5CCB19BA61C4C0873D391E987982FBBD3");
for (u = 0; u < (sizeof t2) - 20; u ++) {
memcpy(t1, t2, sizeof t2);
t1[u] ^= 0x01;
if (!fpriv(t1, &RSA_SK)) {
fprintf(stderr, "RSA private key operation failed\n");
exit(EXIT_FAILURE);
}
if (fvrfy(t1, sizeof t1, SHA1_OID, sizeof tmp, &RSA_PK, tmp)) {
fprintf(stderr,
"Signature verification should have failed\n");
exit(EXIT_FAILURE);
}
printf(".");
fflush(stdout);
}
/*
* Another KAT test, which historically showed a bug.
*/
rsa_pk.n = rsa_n;
rsa_pk.nlen = hextobin(rsa_n, "E65DAEF196D22C300B3DAE1CE5157EDF821BB6038E419D8D363A8B2DA84A1321042330E6F87A8BD8FE6BA1D2A17031955ED2315CC5FD2397197E238A5E0D2D0AFD25717E814EC4D2BBA887327A3C5B3A450FD8D547BDFCBB0F73B997CA13DD5E7572C4D5BAA764A349BAB2F868ACF4574AE2C7AEC94B77D2EE00A21B6CB175BB");
rsa_pk.e = rsa_e;
rsa_pk.elen = hextobin(rsa_e, "010001");
rsa_sk.n_bitlen = 1024;
rsa_sk.p = rsa_p;
rsa_sk.plen = hextobin(rsa_p, "FF58513DBA4F3F42DFDFD3E6AFB6BD62DE27E06BA3C9D9F9B542CB21228C2AAE67936514161C8FDC1A248A50195CAF22ADC50DA89BFED1B9EEFBB37304241357");
rsa_sk.q = rsa_q;
rsa_sk.qlen = hextobin(rsa_q, "E6F4F66818B7442297DDEB45E9B3D438E5B57BB5EF86EFF2462AD6B9C10F383517CDD2E7E36EAD4BEBCC57CFE8AA985F7E7B38B96D30FFBE9ED9FE21B1CFB63D");
rsa_sk.dp = rsa_dp;
rsa_sk.dplen = hextobin(rsa_dp, "6F89517B682D83919F9EF2BDBA955526A1A9C382E139A3A84AC01160B8E9871F458901C7035D988D6931FAE4C01F57350BB89E9DBEFE50F829E6F25CD43B39E3");
rsa_sk.dq = rsa_dq;
rsa_sk.dqlen = hextobin(rsa_dq, "409E08D2D7176F58BE64B88EB6F4394C31F8B4C412600E821A5FA1F416AFCB6A0F5EE6C33A3E9CFDC0DB4B3640427A9F3D23FC9AE491F0FBC435F98433DB8981");
rsa_sk.iq = rsa_iq;
rsa_sk.iqlen = hextobin(rsa_iq, "CF333D6AD66D02B4D11C8C23CA669D14D71803ADC3943BE03B1E48F52F385BCFDDFD0F85AD02A984E504FC6612549D4E7867B7D09DD13196BFC3FAA4B57393A9");
hextobin(sig, "CFB84D161E6DB130736FC6212EBE575571AF341CEF5757C19952A5364C90E3C47549E520E26253DAE70F645F31FA8B5DA9AE282741D3CA4B1CC365B7BD75D6D61D4CFD9AD9EDD17D23E0BA7D9775138DBABC7FF2A57587FE1EA1B51E8F3C68326E26FF89D8CF92BDD4C787D04857DFC3266E6B33B92AA08809929C72642F35C2");
hextobin(hv2, "F66C62B38E1CC69C378C0E16574AE5C6443FDFA3E85C6205C00B3231CAA3074EC1481BDC22AB575E6CF3CCD9EDA6B39F83923FC0E6475C799D257545F77233B4");
if (!fsign(BR_HASH_OID_SHA512, hv2, 64, &rsa_sk, t2)) {
fprintf(stderr, "Signature generation failed (2)\n");
exit(EXIT_FAILURE);
}
check_equals("Regenerated signature (2)", t2, sig, sizeof t2);
if (!fvrfy(t2, sizeof t2, BR_HASH_OID_SHA512,
sizeof tmp2, &rsa_pk, tmp2))
{
fprintf(stderr, "Signature verification failed (2)\n");
exit(EXIT_FAILURE);
}
check_equals("Extracted hash value (2)", hv2, tmp2, sizeof tmp2);
printf(" done.\n");
fflush(stdout);
}
/*
* Fake RNG that returns exactly the provided bytes.
*/
typedef struct {
const br_prng_class *vtable;
unsigned char buf[128];
size_t ptr, len;
} rng_fake_ctx;
static void rng_fake_init(rng_fake_ctx *cc,
const void *params, const void *seed, size_t len);
static void rng_fake_generate(rng_fake_ctx *cc, void *dst, size_t len);
static void rng_fake_update(rng_fake_ctx *cc, const void *src, size_t len);
static const br_prng_class rng_fake_vtable = {
sizeof(rng_fake_ctx),
(void (*)(const br_prng_class **,
const void *, const void *, size_t))&rng_fake_init,
(void (*)(const br_prng_class **,
void *, size_t))&rng_fake_generate,
(void (*)(const br_prng_class **,
const void *, size_t))&rng_fake_update
};
static void
rng_fake_init(rng_fake_ctx *cc, const void *params,
const void *seed, size_t len)
{
(void)params;
if (len > sizeof cc->buf) {
fprintf(stderr, "seed is too large (%lu bytes)\n",
(unsigned long)len);
exit(EXIT_FAILURE);
}
cc->vtable = &rng_fake_vtable;
memcpy(cc->buf, seed, len);
cc->ptr = 0;
cc->len = len;
}
static void
rng_fake_generate(rng_fake_ctx *cc, void *dst, size_t len)
{
if (len > (cc->len - cc->ptr)) {
fprintf(stderr, "asking for more data than expected\n");
exit(EXIT_FAILURE);
}
memcpy(dst, cc->buf + cc->ptr, len);
cc->ptr += len;
}
static void
rng_fake_update(rng_fake_ctx *cc, const void *src, size_t len)
{
(void)cc;
(void)src;
(void)len;
fprintf(stderr, "unexpected update\n");
exit(EXIT_FAILURE);
}
/*
* Test vectors from pkcs-1v2-1d2-vec.zip (originally from ftp.rsa.com).
* There are ten RSA keys, and for each RSA key, there are 6 messages,
* each with an explicit salt.
*
* Field order:
* modulus (n)
* public exponent (e)
* first factor (p)
* second factor (q)
* first private exponent (dp)
* second private exponent (dq)
* CRT coefficient (iq)
* message 1
* salt 1 (20-byte random value)
* signature 1
* message 2
* salt 2 (20-byte random value)
* signature 2
* ...
* message 6
* salt 6 (20-byte random value)
* signature 6
*
* This pattern is repeated for all keys. The array stops on a NULL.
*/
static const char *KAT_RSA_PSS[] = {
/* 1024-bit key */
"a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137",
"010001",
"33a5042a90b27d4f5451ca9bbbd0b44771a101af884340aef9885f2a4bbe92e894a724ac3c568c8f97853ad07c0266c8c6a3ca0929f1e8f11231884429fc4d9ae55fee896a10ce707c3ed7e734e44727a39574501a532683109c2abacaba283c31b4bd2f53c3ee37e352cee34f9e503bd80c0622ad79c6dcee883547c6a3b325",
"e7e8942720a877517273a356053ea2a1bc0c94aa72d55c6e86296b2dfc967948c0a72cbccca7eacb35706e09a1df55a1535bd9b3cc34160b3b6dcd3eda8e6443",
"b69dca1cf7d4d7ec81e75b90fcca874abcde123fd2700180aa90479b6e48de8d67ed24f9f19d85ba275874f542cd20dc723e6963364a1f9425452b269a6799fd",
"28fa13938655be1f8a159cbaca5a72ea190c30089e19cd274a556f36c4f6e19f554b34c077790427bbdd8dd3ede2448328f385d81b30e8e43b2fffa027861979",
"1a8b38f398fa712049898d7fb79ee0a77668791299cdfa09efc0e507acb21ed74301ef5bfd48be455eaeb6e1678255827580a8e4e8e14151d1510a82a3f2e729",
"27156aba4126d24a81f3a528cbfb27f56886f840a9f6e86e17a44b94fe9319584b8e22fdde1e5a2e3bd8aa5ba8d8584194eb2190acf832b847f13a3d24a79f4d",
"cdc87da223d786df3b45e0bbbc721326d1ee2af806cc315475cc6f0d9c66e1b62371d45ce2392e1ac92844c310102f156a0d8d52c1f4c40ba3aa65095786cb769757a6563ba958fed0bcc984e8b517a3d5f515b23b8a41e74aa867693f90dfb061a6e86dfaaee64472c00e5f20945729cbebe77f06ce78e08f4098fba41f9d6193c0317e8b60d4b6084acb42d29e3808a3bc372d85e331170fcbf7cc72d0b71c296648b3a4d10f416295d0807aa625cab2744fd9ea8fd223c42537029828bd16be02546f130fd2e33b936d2676e08aed1b73318b750a0167d0",
"dee959c7e06411361420ff80185ed57f3e6776af",
"9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c",
"851384cdfe819c22ed6c4ccb30daeb5cf059bc8e1166b7e3530c4c233e2b5f8f71a1cca582d43ecc72b1bca16dfc7013226b9e",
"ef2869fa40c346cb183dab3d7bffc98fd56df42d",
"3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843",
"a4b159941761c40c6a82f2b80d1b94f5aa2654fd17e12d588864679b54cd04ef8bd03012be8dc37f4b83af7963faff0dfa225477437c48017ff2be8191cf3955fc07356eab3f322f7f620e21d254e5db4324279fe067e0910e2e81ca2cab31c745e67a54058eb50d993cdb9ed0b4d029c06d21a94ca661c3ce27fae1d6cb20f4564d66ce4767583d0e5f060215b59017be85ea848939127bd8c9c4d47b51056c031cf336f17c9980f3b8f5b9b6878e8b797aa43b882684333e17893fe9caa6aa299f7ed1a18ee2c54864b7b2b99b72618fb02574d139ef50f019c9eef416971338e7d470",
"710b9c4747d800d4de87f12afdce6df18107cc77",
"666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1",
"bc656747fa9eafb3f0",
"056f00985de14d8ef5cea9e82f8c27bef720335e",
"4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87",
"b45581547e5427770c768e8b82b75564e0ea4e9c32594d6bff706544de0a8776c7a80b4576550eee1b2acabc7e8b7d3ef7bb5b03e462c11047eadd00629ae575480ac1470fe046f13a2bf5af17921dc4b0aa8b02bee6334911651d7f8525d10f32b51d33be520d3ddf5a709955a3dfe78283b9e0ab54046d150c177f037fdccc5be4ea5f68b5e5a38c9d7edcccc4975f455a6909b4",
"80e70ff86a08de3ec60972b39b4fbfdcea67ae8e",
"1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad",
"10aae9a0ab0b595d0841207b700d48d75faedde3b775cd6b4cc88ae06e4694ec74ba18f8520d4f5ea69cbbe7cc2beba43efdc10215ac4eb32dc302a1f53dc6c4352267e7936cfebf7c8d67035784a3909fa859c7b7b59b8e39c5c2349f1886b705a30267d402f7486ab4f58cad5d69adb17ab8cd0ce1caf5025af4ae24b1fb8794c6070cc09a51e2f9911311e3877d0044c71c57a993395008806b723ac38373d395481818528c1e7053739282053529510e935cd0fa77b8fa53cc2d474bd4fb3cc5c672d6ffdc90a00f9848712c4bcfe46c60573659b11e6457e861f0f604b6138d144f8ce4e2da73",
"a8ab69dd801f0074c2a1fc60649836c616d99681",
"2a34f6125e1f6b0bf971e84fbd41c632be8f2c2ace7de8b6926e31ff93e9af987fbc06e51e9be14f5198f91f3f953bd67da60a9df59764c3dc0fe08e1cbef0b75f868d10ad3fba749fef59fb6dac46a0d6e504369331586f58e4628f39aa278982543bc0eeb537dc61958019b394fb273f215858a0a01ac4d650b955c67f4c58",
/* 1025-bit key */
"01d40c1bcf97a68ae7cdbd8a7bf3e34fa19dcca4ef75a47454375f94514d88fed006fb829f8419ff87d6315da68a1ff3a0938e9abb3464011c303ad99199cf0c7c7a8b477dce829e8844f625b115e5e9c4a59cf8f8113b6834336a2fd2689b472cbb5e5cabe674350c59b6c17e176874fb42f8fc3d176a017edc61fd326c4b33c9",
"010001",
"027d147e4673057377fd1ea201565772176a7dc38358d376045685a2e787c23c15576bc16b9f444402d6bfc5d98a3e88ea13ef67c353eca0c0ddba9255bd7b8bb50a644afdfd1dd51695b252d22e7318d1b6687a1c10ff75545f3db0fe602d5f2b7f294e3601eab7b9d1cecd767f64692e3e536ca2846cb0c2dd486a39fa75b1",
"016601e926a0f8c9e26ecab769ea65a5e7c52cc9e080ef519457c644da6891c5a104d3ea7955929a22e7c68a7af9fcad777c3ccc2b9e3d3650bce404399b7e59d1",
"014eafa1d4d0184da7e31f877d1281ddda625664869e8379e67ad3b75eae74a580e9827abd6eb7a002cb5411f5266797768fb8e95ae40e3e8a01f35ff89e56c079",
"e247cce504939b8f0a36090de200938755e2444b29539a7da7a902f6056835c0db7b52559497cfe2c61a8086d0213c472c78851800b171f6401de2e9c2756f31",
"b12fba757855e586e46f64c38a70c68b3f548d93d787b399999d4c8f0bbd2581c21e19ed0018a6d5d3df86424b3abcad40199d31495b61309f27c1bf55d487c1",
"564b1e1fa003bda91e89090425aac05b91da9ee25061e7628d5f51304a84992fdc33762bd378a59f030a334d532bd0dae8f298ea9ed844636ad5fb8cbdc03cad",
"daba032066263faedb659848115278a52c44faa3a76f37515ed336321072c40a9d9b53bc05014078adf520875146aae70ff060226dcb7b1f1fc27e9360",
"57bf160bcb02bb1dc7280cf0458530b7d2832ff7",
"014c5ba5338328ccc6e7a90bf1c0ab3fd606ff4796d3c12e4b639ed9136a5fec6c16d8884bdd99cfdc521456b0742b736868cf90de099adb8d5ffd1deff39ba4007ab746cefdb22d7df0e225f54627dc65466131721b90af445363a8358b9f607642f78fab0ab0f43b7168d64bae70d8827848d8ef1e421c5754ddf42c2589b5b3",
"e4f8601a8a6da1be34447c0959c058570c3668cfd51dd5f9ccd6ad4411fe8213486d78a6c49f93efc2ca2288cebc2b9b60bd04b1e220d86e3d4848d709d032d1e8c6a070c6af9a499fcf95354b14ba6127c739de1bb0fd16431e46938aec0cf8ad9eb72e832a7035de9b7807bdc0ed8b68eb0f5ac2216be40ce920c0db0eddd3860ed788efaccaca502d8f2bd6d1a7c1f41ff46f1681c8f1f818e9c4f6d91a0c7803ccc63d76a6544d843e084e363b8acc55aa531733edb5dee5b5196e9f03e8b731b3776428d9e457fe3fbcb3db7274442d785890e9cb0854b6444dace791d7273de1889719338a77fe",
"7f6dd359e604e60870e898e47b19bf2e5a7b2a90",
"010991656cca182b7f29d2dbc007e7ae0fec158eb6759cb9c45c5ff87c7635dd46d150882f4de1e9ae65e7f7d9018f6836954a47c0a81a8a6b6f83f2944d6081b1aa7c759b254b2c34b691da67cc0226e20b2f18b42212761dcd4b908a62b371b5918c5742af4b537e296917674fb914194761621cc19a41f6fb953fbcbb649dea",
"52a1d96c8ac39e41e455809801b927a5b445c10d902a0dcd3850d22a66d2bb0703e67d5867114595aabf5a7aeb5a8f87034bbb30e13cfd4817a9be76230023606d0286a3faf8a4d22b728ec518079f9e64526e3a0cc7941aa338c437997c680ccac67c66bfa1",
"fca862068bce2246724b708a0519da17e648688c",
"007f0030018f53cdc71f23d03659fde54d4241f758a750b42f185f87578520c30742afd84359b6e6e8d3ed959dc6fe486bedc8e2cf001f63a7abe16256a1b84df0d249fc05d3194ce5f0912742dbbf80dd174f6c51f6bad7f16cf3364eba095a06267dc3793803ac7526aebe0a475d38b8c2247ab51c4898df7047dc6adf52c6c4",
"a7182c83ac18be6570a106aa9d5c4e3dbbd4afaeb0c60c4a23e1969d79ff",
"8070ef2de945c02387684ba0d33096732235d440",
"009cd2f4edbe23e12346ae8c76dd9ad3230a62076141f16c152ba18513a48ef6f010e0e37fd3df10a1ec629a0cb5a3b5d2893007298c30936a95903b6ba85555d9ec3673a06108fd62a2fda56d1ce2e85c4db6b24a81ca3b496c36d4fd06eb7c9166d8e94877c42bea622b3bfe9251fdc21d8d5371badad78a488214796335b40b",
"86a83d4a72ee932a4f5630af6579a386b78fe88999e0abd2d49034a4bfc854dd94f1094e2e8cd7a179d19588e4aefc1b1bd25e95e3dd461f",
"17639a4e88d722c4fca24d079a8b29c32433b0c9",
"00ec430824931ebd3baa43034dae98ba646b8c36013d1671c3cf1cf8260c374b19f8e1cc8d965012405e7e9bf7378612dfcc85fce12cda11f950bd0ba8876740436c1d2595a64a1b32efcfb74a21c873b3cc33aaf4e3dc3953de67f0674c0453b4fd9f604406d441b816098cb106fe3472bc251f815f59db2e4378a3addc181ecf",
"049f9154d871ac4a7c7ab45325ba7545a1ed08f70525b2667cf1",
"37810def1055ed922b063df798de5d0aabf886ee",
"00475b1648f814a8dc0abdc37b5527f543b666bb6e39d30e5b49d3b876dccc58eac14e32a2d55c2616014456ad2f246fc8e3d560da3ddf379a1c0bd200f10221df078c219a151bc8d4ec9d2fc2564467811014ef15d8ea01c2ebbff8c2c8efab38096e55fcbe3285c7aa558851254faffa92c1c72b78758663ef4582843139d7a6",
/* 1026-bit key */
"02f246ef451ed3eebb9a310200cc25859c048e4be798302991112eb68ce6db674e280da21feded1ae74880ca522b18db249385012827c515f0e466a1ffa691d98170574e9d0eadb087586ca48933da3cc953d95bd0ed50de10ddcb6736107d6c831c7f663e833ca4c097e700ce0fb945f88fb85fe8e5a773172565b914a471a443",
"010001",
"651451733b56de5ac0a689a4aeb6e6894a69014e076c88dd7a667eab3232bbccd2fc44ba2fa9c31db46f21edd1fdb23c5c128a5da5bab91e7f952b67759c7cff705415ac9fa0907c7ca6178f668fb948d869da4cc3b7356f4008dfd5449d32ee02d9a477eb69fc29266e5d9070512375a50fbbcc27e238ad98425f6ebbf88991",
"01bd36e18ece4b0fdb2e9c9d548bd1a7d6e2c21c6fdc35074a1d05b1c6c8b3d558ea2639c9a9a421680169317252558bd148ad215aac550e2dcf12a82d0ebfe853",
"01b1b656ad86d8e19d5dc86292b3a192fdf6e0dd37877bad14822fa00190cab265f90d3f02057b6f54d6ecb14491e5adeacebc48bf0ebd2a2ad26d402e54f61651",
"1f2779fd2e3e5e6bae05539518fba0cd0ead1aa4513a7cba18f1cf10e3f68195693d278a0f0ee72f89f9bc760d80e2f9d0261d516501c6ae39f14a476ce2ccf5",
"011a0d36794b04a854aab4b2462d439a5046c91d940b2bc6f75b62956fef35a2a6e63c5309817f307bbff9d59e7e331bd363f6d66849b18346adea169f0ae9aec1",
"0b30f0ecf558752fb3a6ce4ba2b8c675f659eba6c376585a1b39712d038ae3d2b46fcb418ae15d0905da6440e1513a30b9b7d6668fbc5e88e5ab7a175e73ba35",
"594b37333bbb2c84524a87c1a01f75fcec0e3256f108e38dca36d70d0057",
"f31ad6c8cf89df78ed77feacbcc2f8b0a8e4cfaa",
"0088b135fb1794b6b96c4a3e678197f8cac52b64b2fe907d6f27de761124964a99a01a882740ecfaed6c01a47464bb05182313c01338a8cd097214cd68ca103bd57d3bc9e816213e61d784f182467abf8a01cf253e99a156eaa8e3e1f90e3c6e4e3aa2d83ed0345b89fafc9c26077c14b6ac51454fa26e446e3a2f153b2b16797f",
"8b769528884a0d1ffd090cf102993e796dadcfbddd38e44ff6324ca451",
"fcf9f0e1f199a3d1d0da681c5b8606fc642939f7",
"02a5f0a858a0864a4f65017a7d69454f3f973a2999839b7bbc48bf78641169179556f595fa41f6ff18e286c2783079bc0910ee9cc34f49ba681124f923dfa88f426141a368a5f5a930c628c2c3c200e18a7644721a0cbec6dd3f6279bde3e8f2be5e2d4ee56f97e7ceaf33054be7042bd91a63bb09f897bd41e81197dee99b11af",
"1abdba489c5ada2f995ed16f19d5a94d9e6ec34a8d84f84557d26e5ef9b02b22887e3f9a4b690ad1149209c20c61431f0c017c36c2657b35d7b07d3f5ad8708507a9c1b831df835a56f831071814ea5d3d8d8f6ade40cba38b42db7a2d3d7a29c8f0a79a7838cf58a9757fa2fe4c40df9baa193bfc6f92b123ad57b07ace3e6ac068c9f106afd9eeb03b4f37c25dbfbcfb3071f6f9771766d072f3bb070af6605532973ae25051",
"986e7c43dbb671bd41b9a7f4b6afc80e805f2423",
"0244bcd1c8c16955736c803be401272e18cb990811b14f72db964124d5fa760649cbb57afb8755dbb62bf51f466cf23a0a1607576e983d778fceffa92df7548aea8ea4ecad2c29dd9f95bc07fe91ecf8bee255bfe8762fd7690aa9bfa4fa0849ef728c2c42c4532364522df2ab7f9f8a03b63f7a499175828668f5ef5a29e3802c",
"8fb431f5ee792b6c2ac7db53cc428655aeb32d03f4e889c5c25de683c461b53acf89f9f8d3aabdf6b9f0c2a1de12e15b49edb3919a652fe9491c25a7fce1f722c2543608b69dc375ec",
"f8312d9c8eea13ec0a4c7b98120c87509087c478",
"0196f12a005b98129c8df13c4cb16f8aa887d3c40d96df3a88e7532ef39cd992f273abc370bc1be6f097cfebbf0118fd9ef4b927155f3df22b904d90702d1f7ba7a52bed8b8942f412cd7bd676c9d18e170391dcd345c06a730964b3f30bcce0bb20ba106f9ab0eeb39cf8a6607f75c0347f0af79f16afa081d2c92d1ee6f836b8",
"fef4161dfaaf9c5295051dfc1ff3810c8c9ec2e866f7075422c8ec4216a9c4ff49427d483cae10c8534a41b2fd15fee06960ec6fb3f7a7e94a2f8a2e3e43dc4a40576c3097ac953b1de86f0b4ed36d644f23ae14425529622464ca0cbf0b1741347238157fab59e4de5524096d62baec63ac64",
"50327efec6292f98019fc67a2a6638563e9b6e2d",
"021eca3ab4892264ec22411a752d92221076d4e01c0e6f0dde9afd26ba5acf6d739ef987545d16683e5674c9e70f1de649d7e61d48d0caeb4fb4d8b24fba84a6e3108fee7d0705973266ac524b4ad280f7ae17dc59d96d3351586b5a3bdb895d1e1f7820ac6135d8753480998382ba32b7349559608c38745290a85ef4e9f9bd83",
"efd237bb098a443aeeb2bf6c3f8c81b8c01b7fcb3feb",
"b0de3fc25b65f5af96b1d5cc3b27d0c6053087b3",
"012fafec862f56e9e92f60ab0c77824f4299a0ca734ed26e0644d5d222c7f0bde03964f8e70a5cb65ed44e44d56ae0edf1ff86ca032cc5dd4404dbb76ab854586c44eed8336d08d457ce6c03693b45c0f1efef93624b95b8ec169c616d20e5538ebc0b6737a6f82b4bc0570924fc6b35759a3348426279f8b3d7744e2d222426ce",
/* 1027-bit key */
"054adb7886447efe6f57e0368f06cf52b0a3370760d161cef126b91be7f89c421b62a6ec1da3c311d75ed50e0ab5fff3fd338acc3aa8a4e77ee26369acb81ba900fa83f5300cf9bb6c53ad1dc8a178b815db4235a9a9da0c06de4e615ea1277ce559e9c108de58c14a81aa77f5a6f8d1335494498848c8b95940740be7bf7c3705",
"010001",
"fa041f8cd9697ceed38ec8caa275523b4dd72b09a301d3541d72f5d31c05cbce2d6983b36183af10690bd46c46131e35789431a556771dd0049b57461bf060c1f68472e8a67c25f357e5b6b4738fa541a730346b4a07649a2dfa806a69c975b6aba64678acc7f5913e89c622f2d8abb1e3e32554e39df94ba60c002e387d9011",
"029232336d2838945dba9dd7723f4e624a05f7375b927a87abe6a893a1658fd49f47f6c7b0fa596c65fa68a23f0ab432962d18d4343bd6fd671a5ea8d148413995",
"020ef5efe7c5394aed2272f7e81a74f4c02d145894cb1b3cab23a9a0710a2afc7e3329acbb743d01f680c4d02afb4c8fde7e20930811bb2b995788b5e872c20bb1",
"026e7e28010ecf2412d9523ad704647fb4fe9b66b1a681581b0e15553a89b1542828898f27243ebab45ff5e1acb9d4df1b051fbc62824dbc6f6c93261a78b9a759",
"012ddcc86ef655998c39ddae11718669e5e46cf1495b07e13b1014cd69b3af68304ad2a6b64321e78bf3bbca9bb494e91d451717e2d97564c6549465d0205cf421",
"010600c4c21847459fe576703e2ebecae8a5094ee63f536bf4ac68d3c13e5e4f12ac5cc10ab6a2d05a199214d1824747d551909636b774c22cac0b837599abcc75",
"9fb03b827c8217d9",
"ed7c98c95f30974fbe4fbddcf0f28d6021c0e91d",
"0323d5b7bf20ba4539289ae452ae4297080feff4518423ff4811a817837e7d82f1836cdfab54514ff0887bddeebf40bf99b047abc3ecfa6a37a3ef00f4a0c4a88aae0904b745c846c4107e8797723e8ac810d9e3d95dfa30ff4966f4d75d13768d20857f2b1406f264cfe75e27d7652f4b5ed3575f28a702f8c4ed9cf9b2d44948",
"0ca2ad77797ece86de5bf768750ddb5ed6a3116ad99bbd17edf7f782f0db1cd05b0f677468c5ea420dc116b10e80d110de2b0461ea14a38be68620392e7e893cb4ea9393fb886c20ff790642305bf302003892e54df9f667509dc53920df583f50a3dd61abb6fab75d600377e383e6aca6710eeea27156e06752c94ce25ae99fcbf8592dbe2d7e27453cb44de07100ebb1a2a19811a478adbeab270f94e8fe369d90b3ca612f9f",
"22d71d54363a4217aa55113f059b3384e3e57e44",
"049d0185845a264d28feb1e69edaec090609e8e46d93abb38371ce51f4aa65a599bdaaa81d24fba66a08a116cb644f3f1e653d95c89db8bbd5daac2709c8984000178410a7c6aa8667ddc38c741f710ec8665aa9052be929d4e3b16782c1662114c5414bb0353455c392fc28f3db59054b5f365c49e1d156f876ee10cb4fd70598",
"288062afc08fcdb7c5f8650b29837300461dd5676c17a20a3c8fb5148949e3f73d66b3ae82c7240e27c5b3ec4328ee7d6ddf6a6a0c9b5b15bcda196a9d0c76b119d534d85abd123962d583b76ce9d180bce1ca",
"4af870fbc6516012ca916c70ba862ac7e8243617",
"03fbc410a2ced59500fb99f9e2af2781ada74e13145624602782e2994813eefca0519ecd253b855fb626a90d771eae028b0c47a199cbd9f8e3269734af4163599090713a3fa910fa0960652721432b971036a7181a2bc0cab43b0b598bc6217461d7db305ff7e954c5b5bb231c39e791af6bcfa76b147b081321f72641482a2aad",
"6f4f9ab9501199cef55c6cf408fe7b36c557c49d420a4763d2463c8ad44b3cfc5be2742c0e7d9b0f6608f08c7f47b693ee",
"40d2e180fae1eac439c190b56c2c0e14ddf9a226",
"0486644bc66bf75d28335a6179b10851f43f09bded9fac1af33252bb9953ba4298cd6466b27539a70adaa3f89b3db3c74ab635d122f4ee7ce557a61e59b82ffb786630e5f9db53c77d9a0c12fab5958d4c2ce7daa807cd89ba2cc7fcd02ff470ca67b229fcce814c852c73cc93bea35be68459ce478e9d4655d121c8472f371d4f",
"e17d20385d501955823c3f666254c1d3dd36ad5168b8f18d286fdcf67a7dad94097085fab7ed86fe2142a28771717997ef1a7a08884efc39356d76077aaf82459a7fad45848875f2819b098937fe923bcc9dc442d72d754d812025090c9bc03db3080c138dd63b355d0b4b85d6688ac19f4de15084a0ba4e373b93ef4a555096691915dc23c00e954cdeb20a47cd55d16c3d8681d46ed7f2ed5ea42795be17baed25f0f4d113b3636addd585f16a8b5aec0c8fa9c5f03cbf3b9b73",
"2497dc2b4615dfae5a663d49ffd56bf7efc11304",
"022a80045353904cb30cbb542d7d4990421a6eec16a8029a8422adfd22d6aff8c4cc0294af110a0c067ec86a7d364134459bb1ae8ff836d5a8a2579840996b320b19f13a13fad378d931a65625dae2739f0c53670b35d9d3cbac08e733e4ec2b83af4b9196d63e7c4ff1ddeae2a122791a125bfea8deb0de8ccf1f4ffaf6e6fb0a",
"afbc19d479249018fdf4e09f618726440495de11ddeee38872d775fcea74a23896b5343c9c38d46af0dba224d047580cc60a65e9391cf9b59b36a860598d4e8216722f993b91cfae87bc255af89a6a199bca4a391eadbc3a24903c0bd667368f6be78e3feabfb4ffd463122763740ffbbefeab9a25564bc5d1c24c93e422f75073e2ad72bf45b10df00b52a147128e73fee33fa3f0577d77f80fbc2df1bed313290c12777f50",
"a334db6faebf11081a04f87c2d621cdec7930b9b",
"00938dcb6d583046065f69c78da7a1f1757066a7fa75125a9d2929f0b79a60b627b082f11f5b196f28eb9daa6f21c05e5140f6aef1737d2023075c05ecf04a028c686a2ab3e7d5a0664f295ce12995e890908b6ad21f0839eb65b70393a7b5afd9871de0caa0cedec5b819626756209d13ab1e7bb9546a26ff37e9a51af9fd562e",
/* 1028-bit key */
"0d10f661f29940f5ed39aa260966deb47843679d2b6fb25b3de370f3ac7c19916391fd25fb527ebfa6a4b4df45a1759d996c4bb4ebd18828c44fc52d0191871740525f47a4b0cc8da325ed8aa676b0d0f626e0a77f07692170acac8082f42faa7dc7cd123e730e31a87985204cabcbe6670d43a2dd2b2ddef5e05392fc213bc507",
"010001",
"03ce08b104fff396a979bd3e4e46925b6319ddb63acbcfd819f17d16b8077b3a87101ff34b77fe48b8b205a96e9151ba8ecea64d0cce7b23c3e6a6b83058bc49dae816ae736db5a4708e2ad435232b567f9096ce59ff28061e79ab1c02d717e6b23cea6db8eb5192fa7c1eab227dba74621c45601896eef13792c8440beb15aac1",
"03f2f331f4142d4f24b43aa10279a89652d4e7537221a1a7b2a25deb551e5de9ac497411c227a94e45f91c2d1c13cc046cf4ce14e32d058734210d44a87ee1b73f",
"034f090d73b55803030cf0361a5d8081bfb79f851523feac0a2124d08d4013ff08487771a870d0479dc0686c62f7718dfecf024b17c9267678059171339cc00839",
"02aa663adbf51ab887a018cb426e78bc2fe182dcb2f7bcb50441d17fdf0f06798b5071c6e2f5feb4d54ad8182311c1ef62d4c49f18d1f51f54b2d2cffba4da1be5",
"02bbe706078b5c0b391512d411db1b199b5a5664b84042ead37fe994ae72b9532dfbfb3e9e6981a0fbb806513141b7c2163fe56c395e4bfaee57e3833f9b918df9",
"0242b6cd00d30a767aee9a898ead453c8eaea63d500b7d1e00713edae51ce36b23b664df26e63e266ec8f76e6e63ed1ba41eb033b120f7ea5212ae21a98fbc16",
"30c7d557458b436decfdc14d06cb7b96b06718c48d7de57482a868ae7f065870a6216506d11b779323dfdf046cf5775129134b4d5689e4d9c0ce1e12d7d4b06cb5fc5820decfa41baf59bf257b32f025b7679b445b9499c92555145885992f1b76f84891ee4d3be0f5150fd5901e3a4c8ed43fd36b61d022e65ad5008dbf33293c22bfbfd07321f0f1d5fa9fdf0014c2fcb0358aad0e354b0d29",
"081b233b43567750bd6e78f396a88b9f6a445151",
"0ba373f76e0921b70a8fbfe622f0bf77b28a3db98e361051c3d7cb92ad0452915a4de9c01722f6823eeb6adf7e0ca8290f5de3e549890ac2a3c5950ab217ba58590894952de96f8df111b2575215da6c161590c745be612476ee578ed384ab33e3ece97481a252f5c79a98b5532ae00cdd62f2ecc0cd1baefe80d80b962193ec1d",
"e7b32e1556ea1b2795046ac69739d22ac8966bf11c116f614b166740e96b90653e5750945fcf772186c03790a07fda323e1a61916b06ee2157db3dff80d67d5e39a53ae268c8f09ed99a732005b0bc6a04af4e08d57a00e7201b3060efaadb73113bfc087fd837093aa25235b8c149f56215f031c24ad5bde7f29960df7d524070f7449c6f785084be1a0f733047f336f9154738674547db02a9f44dfc6e60301081e1ce99847f3b5b601ff06b4d5776a9740b9aa0d34058fd3b906e4f7859dfb07d7173e5e6f6350adac21f27b2307469",
"bd0ce19549d0700120cbe51077dbbbb00a8d8b09",
"08180de825e4b8b014a32da8ba761555921204f2f90d5f24b712908ff84f3e220ad17997c0dd6e706630ba3e84add4d5e7ab004e58074b549709565d43ad9e97b5a7a1a29e85b9f90f4aafcdf58321de8c5974ef9abf2d526f33c0f2f82e95d158ea6b81f1736db8d1af3d6ac6a83b32d18bae0ff1b2fe27de4c76ed8c7980a34e",
"8d8396e36507fe1ef6a19017548e0c716674c2fec233adb2f775665ec41f2bd0ba396b061a9daa7e866f7c23fd3531954300a342f924535ea1498c48f6c879932865fc02000c528723b7ad0335745b51209a0afed932af8f0887c219004d2abd894ea92559ee3198af3a734fe9b9638c263a728ad95a5ae8ce3eb15839f3aa7852bb390706e7760e43a71291a2e3f827237deda851874c517665f545f27238df86557f375d09ccd8bd15d8ccf61f5d78ca5c7f5cde782e6bf5d0057056d4bad98b3d2f9575e824ab7a33ff57b0ac100ab0d6ead7aa0b50f6e4d3e5ec0b966b",
"815779a91b3a8bd049bf2aeb920142772222c9ca",
"05e0fdbdf6f756ef733185ccfa8ced2eb6d029d9d56e35561b5db8e70257ee6fd019d2f0bbf669fe9b9821e78df6d41e31608d58280f318ee34f559941c8df13287574bac000b7e58dc4f414ba49fb127f9d0f8936638c76e85356c994f79750f7fa3cf4fd482df75e3fb9978cd061f7abb17572e6e63e0bde12cbdcf18c68b979",
"328c659e0a6437433cceb73c14",
"9aec4a7480d5bbc42920d7ca235db674989c9aac",
"0bc989853bc2ea86873271ce183a923ab65e8a53100e6df5d87a24c4194eb797813ee2a187c097dd872d591da60c568605dd7e742d5af4e33b11678ccb63903204a3d080b0902c89aba8868f009c0f1c0cb85810bbdd29121abb8471ff2d39e49fd92d56c655c8e037ad18fafbdc92c95863f7f61ea9efa28fea401369d19daea1",
"f37b962379a47d415a376eec8973150bcb34edd5ab654041b61430560c2144582ba133c867d852d6b8e23321901302ecb45b09ec88b1527178fa043263f3067d9ffe973032a99f4cb08ad2c7e0a2456cdd57a7df56fe6053527a5aeb67d7e552063c1ca97b1beffa7b39e997caf27878ea0f62cbebc8c21df4c889a202851e949088490c249b6e9acf1d8063f5be2343989bf95c4da01a2be78b4ab6b378015bc37957f76948b5e58e440c28453d40d7cfd57e7d690600474ab5e75973b1ea0c5f1e45d14190afe2f4eb6d3bdf71f1d2f8bb156a1c295d04aaeb9d689dce79ed62bc443e",
"e20c1e9878512c39970f58375e1549a68b64f31d",
"0aefa943b698b9609edf898ad22744ac28dc239497cea369cbbd84f65c95c0ad776b594740164b59a739c6ff7c2f07c7c077a86d95238fe51e1fcf33574a4ae0684b42a3f6bf677d91820ca89874467b2c23add77969c80717430d0efc1d3695892ce855cb7f7011630f4df26def8ddf36fc23905f57fa6243a485c770d5681fcd",
"c6103c330c1ef718c141e47b8fa859be4d5b96259e7d142070ecd485839dba5a8369c17c1114035e532d195c74f44a0476a2d3e8a4da210016caced0e367cb867710a4b5aa2df2b8e5daf5fdc647807d4d5ebb6c56b9763ccdae4dea3308eb0ac2a89501cb209d2639fa5bf87ce790747d3cb2d295e84564f2f637824f0c13028129b0aa4a422d162282",
"23291e4a3307e8bbb776623ab34e4a5f4cc8a8db",
"02802dccfa8dfaf5279bf0b4a29ba1b157611faeaaf419b8919d15941900c1339e7e92e6fae562c53e6cc8e84104b110bce03ad18525e3c49a0eadad5d3f28f244a8ed89edbafbb686277cfa8ae909714d6b28f4bf8e293aa04c41efe7c0a81266d5c061e2575be032aa464674ff71626219bd74cc45f0e7ed4e3ff96eee758e8f",
/* 1029-bit key */
"164ca31cff609f3a0e7101b039f2e4fe6dd37519ab98598d179e174996598071f47d3a04559158d7be373cf1aa53f0aa6ef09039e5678c2a4c63900514c8c4f8aaed5de12a5f10b09c311af8c0ffb5b7a297f2efc63b8d6b0510931f0b98e48bf5fc6ec4e7b8db1ffaeb08c38e02adb8f03a48229c99e969431f61cb8c4dc698d1",
"010001",
"03b664ee3b7566723fc6eaf28abb430a3980f1126c81de8ad709eab39ac9dcd0b1550b3729d87068e952009df544534c1f50829a78f4591eb8fd57140426a6bb0405b6a6f51a57d9267b7bbc653391a699a2a90dac8ae226bcc60fa8cd934c73c7b03b1f6b818158631838a8612e6e6ea92be24f8324faf5b1fd8587225267ba6f",
"04f0548c9626ab1ebf1244934741d99a06220efa2a5856aa0e75730b2ec96adc86be894fa2803b53a5e85d276acbd29ab823f80a7391bb54a5051672fb04eeb543",
"0483e0ae47915587743ff345362b555d3962d98bb6f15f848b4c92b1771ca8ed107d8d3ee65ec44517dd0faa481a387e902f7a2e747c269e7ea44480bc538b8e5b",
"03a8e8aea9920c1aa3b2f0d846e4b850d81ca306a51c83544f949f64f90dcf3f8e2661f07e561220a180388fbe273e70e2e5dca83a0e1348dd6490c731d6ece1ab",
"0135bdcdb60bf2197c436ed34b32cd8b4fc77778832ba76703551fb242b301699593af77fd8fc394a8526ad23cc41a03806bd897fe4b0ea646558aaddcc99e8a25",
"0304c03d9c736503a984abbd9ba22301407c4a2ab1dd85766481b60d45401152e692be14f4121d9aa3fd6e0b4d1d3a973538a31d42ee6e1e5ef620231a2bbaf35f",
"0a20b774addc2fa51245ed7cb9da609e50cac6636a52543f97458eed7340f8d53ffc64918f949078ee03ef60d42b5fec246050bd5505cd8cb597bad3c4e713b0ef30644e76adabb0de01a1561efb255158c74fc801e6e919e581b46f0f0ddd08e4f34c7810b5ed8318f91d7c8c",
"5b4ea2ef629cc22f3b538e016904b47b1e40bfd5",
"04c0cfacec04e5badbece159a5a1103f69b3f32ba593cb4cc4b1b7ab455916a96a27cd2678ea0f46ba37f7fc9c86325f29733b389f1d97f43e7201c0f348fc45fe42892335362eee018b5b161f2f9393031225c713012a576bc88e23052489868d9010cbf033ecc568e8bc152bdc59d560e41291915d28565208e22aeec9ef85d1",
"2aaff6631f621ce615760a9ebce94bb333077ad86488c861d4b76d29c1f48746c611ae1e03ced4445d7cfa1fe5f62e1b3f08452bde3b6ef81973bafbb57f97bceef873985395b8260589aa88cb7db50ab469262e551bdcd9a56f275a0ac4fe484700c35f3dbf2b469ede864741b86fa59172a360ba95a02e139be50ddfb7cf0b42faeabbfbbaa86a4497699c4f2dfd5b08406af7e14144427c253ec0efa20eaf9a8be8cd49ce1f1bc4e93e619cf2aa8ed4fb39bc8590d0f7b96488f7317ac9abf7bee4e3a0e715",
"83146a9e782722c28b014f98b4267bda2ac9504f",
"0a2314250cf52b6e4e908de5b35646bcaa24361da8160fb0f9257590ab3ace42b0dc3e77ad2db7c203a20bd952fbb56b1567046ecfaa933d7b1000c3de9ff05b7d989ba46fd43bc4c2d0a3986b7ffa13471d37eb5b47d64707bd290cfd6a9f393ad08ec1e3bd71bb5792615035cdaf2d8929aed3be098379377e777ce79aaa4773",
"0f6195d04a6e6fc7e2c9600dbf840c39ea8d4d624fd53507016b0e26858a5e0aecd7ada543ae5c0ab3a62599cba0a54e6bf446e262f989978f9ddf5e9a41",
"a87b8aed07d7b8e2daf14ddca4ac68c4d0aabff8",
"086df6b500098c120f24ff8423f727d9c61a5c9007d3b6a31ce7cf8f3cbec1a26bb20e2bd4a046793299e03e37a21b40194fb045f90b18bf20a47992ccd799cf9c059c299c0526854954aade8a6ad9d97ec91a1145383f42468b231f4d72f23706d9853c3fa43ce8ace8bfe7484987a1ec6a16c8daf81f7c8bf42774707a9df456",
"337d25fe9810ebca0de4d4658d3ceb8e0fe4c066aba3bcc48b105d3bf7e0257d44fecea6596f4d0c59a08402833678f70620f9138dfeb7ded905e4a6d5f05c473d55936652e2a5df43c0cfda7bacaf3087f4524b06cf42157d01539739f7fddec9d58125df31a32eab06c19b71f1d5bf",
"a37932f8a7494a942d6f767438e724d6d0c0ef18",
"0b5b11ad549863ffa9c51a14a1106c2a72cc8b646e5c7262509786105a984776534ca9b54c1cc64bf2d5a44fd7e8a69db699d5ea52087a4748fd2abc1afed1e5d6f7c89025530bdaa2213d7e030fa55df6f34bcf1ce46d2edf4e3ae4f3b01891a068c9e3a44bbc43133edad6ecb9f35400c4252a5762d65744b99cb9f4c559329f",
"84ec502b072e8287789d8f9235829ea3b187afd4d4c785611bda5f9eb3cb96717efa7007227f1c08cbcb972e667235e0fb7d431a6570326d2ecce35adb373dc753b3be5f829b89175493193fab16badb41371b3aac0ae670076f24bef420c135add7cee8d35fbc944d79fafb9e307a13b0f556cb654a06f973ed22672330197ef5a748bf826a5db2383a25364b686b9372bb2339aeb1ac9e9889327d016f1670776db06201adbdcaf8a5e3b74e108b73",
"7b790c1d62f7b84e94df6af28917cf571018110e",
"02d71fa9b53e4654fefb7f08385cf6b0ae3a817942ebf66c35ac67f0b069952a3ce9c7e1f1b02e480a9500836de5d64cdb7ecde04542f7a79988787e24c2ba05f5fd482c023ed5c30e04839dc44bed2a3a3a4fee01113c891a47d32eb8025c28cb050b5cdb576c70fe76ef523405c08417faf350b037a43c379339fcb18d3a356b",
"9906d89f97a9fdedd3ccd824db687326f30f00aa25a7fca2afcb3b0f86cd41e73f0e8ff7d2d83f59e28ed31a5a0d551523374de22e4c7e8ff568b386ee3dc41163f10bf67bb006261c9082f9af90bf1d9049a6b9fae71c7f84fbe6e55f02789de774f230f115026a4b4e96c55b04a95da3aacbb2cece8f81764a1f1c99515411087cf7d34aeded0932c183",
"fbbe059025b69b89fb14ae2289e7aaafe60c0fcd",
"0a40a16e2fe2b38d1df90546167cf9469c9e3c3681a3442b4b2c2f581deb385ce99fc6188bb02a841d56e76d301891e24560550fcc2a26b55f4ccb26d837d350a154bcaca8392d98fa67959e9727b78cad03269f56968fc56b68bd679926d83cc9cb215550645ccda31c760ff35888943d2d8a1d351e81e5d07b86182e751081ef",
/* 1030-bit key */
"37c9da4a66c8c408b8da27d0c9d79f8ccb1eafc1d2fe48746d940b7c4ef5dee18ad12647cefaa0c4b3188b221c515386759b93f02024b25ab9242f8357d8f3fd49640ee5e643eaf6c64deefa7089727c8ff03993333915c6ef21bf5975b6e50d118b51008ec33e9f01a0a545a10a836a43ddbca9d8b5c5d3548022d7064ea29ab3",
"010001",
"3bed999052d957bc06d651eef6e3a98094b1621bd38b5449bd6c4aea3de7e084679a4484ded25be0f0826cf3377825414b14d4d61db14de626fbb80e5f4faec956f9a0a2d24f99576380f084eb62e46a57d554278b535626193ce02060575eb66c5798d36f6c5d40fb00d809b42a73102c1c74ee95bd71420fffef6318b52c29",
"07eefb424b0e3a40e4208ee5afb280b22317308114dde0b4b64f730184ec68da6ce2867a9f48ed7726d5e2614ed04a5410736c8c714ee702474298c6292af07535",
"070830dbf947eac0228de26314b59b66994cc60e8360e75d3876298f8f8a7d141da064e5ca026a973e28f254738cee669c721b034cb5f8e244dadd7cd1e159d547",
"0524d20c3d95cff75af2313483227d8702717aa576de155f960515501adb1d70e1c04de91b75b161dbf0398356127ededa7bbc19a32dc1621cc9f53c265d0ce331",
"05f984a1f23c938d6a0e89724bcf3dd93f9946926037fe7c6b13a29e5284855f89089591d440975627bf5c9e3a8b5ca79c772ad273e40d321af4a6c97dfded78d3",
"ddd918adada29dcab981ff9acba4257023c09a3801ccce098ce268f855d0df570cd6e7b9b14bd9a5a9254cbc315be6f8ba1e2546ddd569c5ea19eed8353bde5e",
"9ead0e01945640674eb41cad435e2374eaefa8ad7197d97913c44957d8d83f40d76ee60e39bf9c0f9eaf3021421a074d1ade962c6e9d3dc3bb174fe4dfe652b09115495b8fd2794174020a0602b5ca51848cfc96ce5eb57fc0a2adc1dda36a7cc452641a14911b37e45bfa11daa5c7ecdb74f6d0100d1d3e39e752800e203397de0233077b9a88855537fae927f924380d780f98e18dcff39c5ea741b17d6fdd1885bc9d581482d771ceb562d78a8bf88f0c75b11363e5e36cd479ceb0545f9da84203e0e6e508375cc9e844b88b7ac7a0a201ea0f1bee9a2c577920ca02c01b9d8320e974a56f4efb5763b96255abbf8037bf1802cf018f56379493e569a9",
"b7867a59958cb54328f8775e6546ec06d27eaa50",
"187f390723c8902591f0154bae6d4ecbffe067f0e8b795476ea4f4d51ccc810520bb3ca9bca7d0b1f2ea8a17d873fa27570acd642e3808561cb9e975ccfd80b23dc5771cdb3306a5f23159dacbd3aa2db93d46d766e09ed15d900ad897a8d274dc26b47e994a27e97e2268a766533ae4b5e42a2fcaf755c1c4794b294c60555823",
"8d80d2d08dbd19c154df3f14673a14bd03735231f24e86bf153d0e69e74cbff7b1836e664de83f680124370fc0f96c9b65c07a366b644c4ab3",
"0c09582266df086310821ba7e18df64dfee6de09",
"10fd89768a60a67788abb5856a787c8561f3edcf9a83e898f7dc87ab8cce79429b43e56906941a886194f137e591fe7c339555361fbbe1f24feb2d4bcdb80601f3096bc9132deea60ae13082f44f9ad41cd628936a4d51176e42fc59cb76db815ce5ab4db99a104aafea68f5d330329ebf258d4ede16064bd1d00393d5e1570eb8",
"808405cdfc1a58b9bb0397c720722a81fffb76278f335917ef9c473814b3e016ba2973cd2765f8f3f82d6cc38aa7f8551827fe8d1e3884b7e61c94683b8f82f1843bdae2257eeec9812ad4c2cf283c34e0b0ae0fe3cb990cf88f2ef9",
"28039dcfe106d3b8296611258c4a56651c9e92dd",
"2b31fde99859b977aa09586d8e274662b25a2a640640b457f594051cb1e7f7a911865455242926cf88fe80dfa3a75ba9689844a11e634a82b075afbd69c12a0df9d25f84ad4945df3dc8fe90c3cefdf26e95f0534304b5bdba20d3e5640a2ebfb898aac35ae40f26fce5563c2f9f24f3042af76f3c7072d687bbfb959a88460af1",
"f337b9bad937de22a1a052dff11134a8ce26976202981939b91e0715ae5e609649da1adfcef3f4cca59b238360e7d1e496c7bf4b204b5acff9bbd6166a1d87a36ef2247373751039f8a800b8399807b3a85f44893497c0d05fb7017b82228152de6f25e6116dcc7503c786c875c28f3aa607e94ab0f19863ab1b5073770b0cd5f533acde30c6fb953cf3da680264e30fc11bff9a19bffab4779b6223c3fb3fe0f71abade4eb7c09c41e24c22d23fa148e6a173feb63984d1bc6ee3a02d915b752ceaf92a3015eceb38ca586c6801b37c34cefb2cff25ea23c08662dcab26a7a93a285d05d3044c",
"a77821ebbbef24628e4e12e1d0ea96de398f7b0f",
"32c7ca38ff26949a15000c4ba04b2b13b35a3810e568184d7ecabaa166b7ffabddf2b6cf4ba07124923790f2e5b1a5be040aea36fe132ec130e1f10567982d17ac3e89b8d26c3094034e762d2e031264f01170beecb3d1439e05846f25458367a7d9c02060444672671e64e877864559ca19b2074d588a281b5804d23772fbbe19",
"45013cebafd960b255476a8e2598b9aa32efbe6dc1f34f4a498d8cf5a2b4548d08c55d5f95f7bcc9619163056f2d58b52fa032",
"9d5ad8eb452134b65dc3a98b6a73b5f741609cd6",
"07eb651d75f1b52bc263b2e198336e99fbebc4f332049a922a10815607ee2d989db3a4495b7dccd38f58a211fb7e193171a3d891132437ebca44f318b280509e52b5fa98fcce8205d9697c8ee4b7ff59d4c59c79038a1970bd2a0d451ecdc5ef11d9979c9d35f8c70a6163717607890d586a7c6dc01c79f86a8f28e85235f8c2f1",
"2358097086c899323e75d9c90d0c09f12d9d54edfbdf70a9c2eb5a04d8f36b9b2bdf2aabe0a5bda1968937f9d6ebd3b6b257efb3136d4131f9acb59b85e2602c2a3fcdc835494a1f4e5ec18b226c80232b36a75a45fdf09a7ea9e98efbde1450d1194bf12e15a4c5f9eb5c0bce5269e0c3b28cfab655d81a61a20b4be2f54459bb25a0db94c52218be109a7426de83014424789aaa90e5056e632a698115e282c1a56410f26c2072f193481a9dcd880572005e64f4082ecf",
"3f2efc595880a7d47fcf3cba04983ea54c4b73fb",
"18da3cdcfe79bfb77fd9c32f377ad399146f0a8e810620233271a6e3ed3248903f5cdc92dc79b55d3e11615aa056a795853792a3998c349ca5c457e8ca7d29d796aa24f83491709befcfb1510ea513c92829a3f00b104f655634f320752e130ec0ccf6754ff893db302932bb025eb60e87822598fc619e0e981737a9a4c4152d33",
/* 1031-bit key */
"495370a1fb18543c16d3631e3163255df62be6eee890d5f25509e4f778a8ea6fbbbcdf85dff64e0d972003ab3681fbba6dd41fd541829b2e582de9f2a4a4e0a2d0900bef4753db3cee0ee06c7dfae8b1d53b5953218f9cceea695b08668edeaadced9463b1d790d5ebf27e9115b46cad4d9a2b8efab0561b0810344739ada0733f",
"010001",
"6c66ffe98980c38fcdeab5159898836165f4b4b817c4f6a8d486ee4ea9130fe9b9092bd136d184f95f504a607eac565846d2fdd6597a8967c7396ef95a6eeebb4578a643966dca4d8ee3de842de63279c618159c1ab54a89437b6a6120e4930afb52a4ba6ced8a4947ac64b30a3497cbe701c2d6266d517219ad0ec6d347dbe9",
"08dad7f11363faa623d5d6d5e8a319328d82190d7127d2846c439b0ab72619b0a43a95320e4ec34fc3a9cea876422305bd76c5ba7be9e2f410c8060645a1d29edb",
"0847e732376fc7900f898ea82eb2b0fc418565fdae62f7d9ec4ce2217b97990dd272db157f99f63c0dcbb9fbacdbd4c4dadb6df67756358ca4174825b48f49706d",
"05c2a83c124b3621a2aa57ea2c3efe035eff4560f33ddebb7adab81fce69a0c8c2edc16520dda83d59a23be867963ac65f2cc710bbcfb96ee103deb771d105fd85",
"04cae8aa0d9faa165c87b682ec140b8ed3b50b24594b7a3b2c220b3669bb819f984f55310a1ae7823651d4a02e99447972595139363434e5e30a7e7d241551e1b9",
"07d3e47bf686600b11ac283ce88dbb3f6051e8efd04680e44c171ef531b80b2b7c39fc766320e2cf15d8d99820e96ff30dc69691839c4b40d7b06e45307dc91f3f",
"81332f4be62948415ea1d899792eeacf6c6e1db1da8be13b5cea41db2fed467092e1ff398914c714259775f595f8547f735692a575e6923af78f22c6997ddb90fb6f72d7bb0dd5744a31decd3dc3685849836ed34aec596304ad11843c4f88489f209735f5fb7fdaf7cec8addc5818168f880acbf490d51005b7a8e84e43e54287977571dd99eea4b161eb2df1f5108f12a4142a83322edb05a75487a3435c9a78ce53ed93bc550857d7a9fb",
"1d65491d79c864b373009be6f6f2467bac4c78fa",
"0262ac254bfa77f3c1aca22c5179f8f040422b3c5bafd40a8f21cf0fa5a667ccd5993d42dbafb409c520e25fce2b1ee1e716577f1efa17f3da28052f40f0419b23106d7845aaf01125b698e7a4dfe92d3967bb00c4d0d35ba3552ab9a8b3eef07c7fecdbc5424ac4db1e20cb37d0b2744769940ea907e17fbbca673b20522380c5",
"e2f96eaf0e05e7ba326ecca0ba7fd2f7c02356f3cede9d0faabf4fcc8e60a973e5595fd9ea08",
"435c098aa9909eb2377f1248b091b68987ff1838",
"2707b9ad5115c58c94e932e8ec0a280f56339e44a1b58d4ddcff2f312e5f34dcfe39e89c6a94dcee86dbbdae5b79ba4e0819a9e7bfd9d982e7ee6c86ee68396e8b3a14c9c8f34b178eb741f9d3f121109bf5c8172fada2e768f9ea1433032c004a8aa07eb990000a48dc94c8bac8aabe2b09b1aa46c0a2aa0e12f63fbba775ba7e",
"e35c6ed98f64a6d5a648fcab8adb16331db32e5d15c74a40edf94c3dc4a4de792d190889f20f1e24ed12054a6b28798fcb42d1c548769b734c96373142092aed277603f4738df4dc1446586d0ec64da4fb60536db2ae17fc7e3c04bbfbbbd907bf117c08636fa16f95f51a6216934d3e34f85030f17bbbc5ba69144058aff081e0b19cf03c17195c5e888ba58f6fe0a02e5c3bda9719a7",
"c6ebbe76df0c4aea32c474175b2f136862d04529",
"2ad20509d78cf26d1b6c406146086e4b0c91a91c2bd164c87b966b8faa42aa0ca446022323ba4b1a1b89706d7f4c3be57d7b69702d168ab5955ee290356b8c4a29ed467d547ec23cbadf286ccb5863c6679da467fc9324a151c7ec55aac6db4084f82726825cfe1aa421bc64049fb42f23148f9c25b2dc300437c38d428aa75f96",
"dbc5f750a7a14be2b93e838d18d14a8695e52e8add9c0ac733b8f56d2747e529a0cca532dd49b902aefed514447f9e81d16195c2853868cb9b30f7d0d495c69d01b5c5d50b27045db3866c2324a44a110b1717746de457d1c8c45c3cd2a92970c3d59632055d4c98a41d6e99e2a3ddd5f7f9979ab3cd18f37505d25141de2a1bff17b3a7dce9419ecc385cf11d72840f19953fd0509251f6cafde2893d0e75c781ba7a5012ca401a4fa99e04b3c3249f926d5afe82cc87dab22c3c1b105de48e34ace9c9124e59597ac7ebf8",
"021fdcc6ebb5e19b1cb16e9c67f27681657fe20a",
"1e24e6e58628e5175044a9eb6d837d48af1260b0520e87327de7897ee4d5b9f0df0be3e09ed4dea8c1454ff3423bb08e1793245a9df8bf6ab3968c8eddc3b5328571c77f091cc578576912dfebd164b9de5454fe0be1c1f6385b328360ce67ec7a05f6e30eb45c17c48ac70041d2cab67f0a2ae7aafdcc8d245ea3442a6300ccc7",
"04dc251be72e88e5723485b6383a637e2fefe07660c519a560b8bc18bdedb86eae2364ea53ba9dca6eb3d2e7d6b806af42b3e87f291b4a8881d5bf572cc9a85e19c86acb28f098f9da0383c566d3c0f58cfd8f395dcf602e5cd40e8c7183f714996e2297ef",
"c558d7167cbb4508ada042971e71b1377eea4269",
"33341ba3576a130a50e2a5cf8679224388d5693f5accc235ac95add68e5eb1eec31666d0ca7a1cda6f70a1aa762c05752a51950cdb8af3c5379f18cfe6b5bc55a4648226a15e912ef19ad77adeea911d67cfefd69ba43fa4119135ff642117ba985a7e0100325e9519f1ca6a9216bda055b5785015291125e90dcd07a2ca9673ee",
"0ea37df9a6fea4a8b610373c24cf390c20fa6e2135c400c8a34f5c183a7e8ea4c9ae090ed31759f42dc77719cca400ecdcc517acfc7ac6902675b2ef30c509665f3321482fc69a9fb570d15e01c845d0d8e50d2a24cbf1cf0e714975a5db7b18d9e9e9cb91b5cb16869060ed18b7b56245503f0caf90352b8de81cb5a1d9c6336092f0cd",
"76fd4e64fdc98eb927a0403e35a084e76ba9f92a",
"1ed1d848fb1edb44129bd9b354795af97a069a7a00d0151048593e0c72c3517ff9ff2a41d0cb5a0ac860d736a199704f7cb6a53986a88bbd8abcc0076a2ce847880031525d449da2ac78356374c536e343faa7cba42a5aaa6506087791c06a8e989335aed19bfab2d5e67e27fb0c2875af896c21b6e8e7309d04e4f6727e69463e",
/* 1536-bit key */
"e6bd692ac96645790403fdd0f5beb8b9bf92ed10007fc365046419dd06c05c5b5b2f48ecf989e4ce269109979cbb40b4a0ad24d22483d1ee315ad4ccb1534268352691c524f6dd8e6c29d224cf246973aec86c5bf6b1401a850d1b9ad1bb8cbcec47b06f0f8c7f45d3fc8f319299c5433ddbc2b3053b47ded2ecd4a4caefd614833dc8bb622f317ed076b8057fe8de3f84480ad5e83e4a61904a4f248fb397027357e1d30e463139815c6fd4fd5ac5b8172a45230ecb6318a04f1455d84e5a8b",
"010001",
"6a7fd84fb85fad073b34406db74f8d61a6abc12196a961dd79565e9da6e5187bce2d980250f7359575359270d91590bb0e427c71460b55d51410b191bcf309fea131a92c8e702738fa719f1e0041f52e40e91f229f4d96a1e6f172e15596b4510a6daec26105f2bebc53316b87bdf21311666070e8dfee69d52c71a976caae79c72b68d28580dc686d9f5129d225f82b3d615513a882b3db91416b48ce08888213e37eeb9af800d81cab328ce420689903c00c7b5fd31b75503a6d419684d629",
"f8eb97e98df12664eefdb761596a69ddcd0e76daece6ed4bf5a1b50ac086f7928a4d2f8726a77e515b74da41988f220b1cc87aa1fc810ce99a82f2d1ce821edced794c6941f42c7a1a0b8c4d28c75ec60b652279f6154a762aed165d47dee367",
"ed4d71d0a6e24b93c2e5f6b4bbe05f5fb0afa042d204fe3378d365c2f288b6a8dad7efe45d153eef40cacc7b81ff934002d108994b94a5e4728cd9c963375ae49965bda55cbf0efed8d6553b4027f2d86208a6e6b489c176128092d629e49d3d",
"2bb68bddfb0c4f56c8558bffaf892d8043037841e7fa81cfa61a38c5e39b901c8ee71122a5da2227bd6cdeeb481452c12ad3d61d5e4f776a0ab556591befe3e59e5a7fddb8345e1f2f35b9f4cee57c32414c086aec993e9353e480d9eec6289f",
"4ff897709fad079746494578e70fd8546130eeab5627c49b080f05ee4ad9f3e4b7cba9d6a5dff113a41c3409336833f190816d8a6bc42e9bec56b7567d0f3c9c696db619b245d901dd856db7c8092e77e9a1cccd56ee4dba42c5fdb61aec2669",
"77b9d1137b50404a982729316efafc7dfe66d34e5a182600d5f30a0a8512051c560d081d4d0a1835ec3d25a60f4e4d6aa948b2bf3dbb5b124cbbc3489255a3a948372f6978496745f943e1db4f18382ceaa505dfc65757bb3f857a58dce52156",
"a88e265855e9d7ca36c68795f0b31b591cd6587c71d060a0b3f7f3eaef43795922028bc2b6ad467cfc2d7f659c5385aa70ba3672cdde4cfe4970cc7904601b278872bf51321c4a972f3c95570f3445d4f57980e0f20df54846e6a52c668f1288c03f95006ea32f562d40d52af9feb32f0fa06db65b588a237b34e592d55cf979f903a642ef64d2ed542aa8c77dc1dd762f45a59303ed75e541ca271e2b60ca709e44fa0661131e8d5d4163fd8d398566ce26de8730e72f9cca737641c244159420637028df0a18079d6208ea8b4711a2c750f5",
"c0a425313df8d7564bd2434d311523d5257eed80",
"586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e",
"c8c9c6af04acda414d227ef23e0820c3732c500dc87275e95b0d095413993c2658bc1d988581ba879c2d201f14cb88ced153a01969a7bf0a7be79c84c1486bc12b3fa6c59871b6827c8ce253ca5fefa8a8c690bf326e8e37cdb96d90a82ebab69f86350e1822e8bd536a2e",
"b307c43b4850a8dac2f15f32e37839ef8c5c0e91",
"80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958",
"0afad42ccd4fc60654a55002d228f52a4a5fe03b8bbb08ca82daca558b44dbe1266e50c0e745a36d9d2904e3408abcd1fd569994063f4a75cc72f2fee2a0cd893a43af1c5b8b487df0a71610024e4f6ddf9f28ad0813c1aab91bcb3c9064d5ff742deffea657094139369e5ea6f4a96319a5cc8224145b545062758fefd1fe3409ae169259c6cdfd6b5f2958e314faecbe69d2cace58ee55179ab9b3e6d1ecc14a557c5febe988595264fc5da1c571462eca798a18a1a4940cdab4a3e92009ccd42e1e947b1314e32238a2dece7d23a89b5b30c751fd0a4a430d2c548594",
"9a2b007e80978bbb192c354eb7da9aedfc74dbf5",
"484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca",
"1dfd43b46c93db82629bdae2bd0a12b882ea04c3b465f5cf93023f01059626dbbe99f26bb1be949dddd16dc7f3debb19a194627f0b224434df7d8700e9e98b06e360c12fdbe3d19f51c9684eb9089ecbb0a2f0450399d3f59eac7294085d044f5393c6ce737423d8b86c415370d389e30b9f0a3c02d25d0082e8ad6f3f1ef24a45c3cf82b383367063a4d4613e4264f01b2dac2e5aa42043f8fb5f69fa871d14fb273e767a531c40f02f343bc2fb45a0c7e0f6be2561923a77211d66a6e2dbb43c366350beae22da3ac2c1f5077096fcb5c4bf255f7574351ae0b1e1f03632817c0856d4a8ba97afbdc8b85855402bc56926fcec209f9ea8",
"70f382bddf4d5d2dd88b3bc7b7308be632b84045",
"84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e",
"1bdc6e7c98fb8cf54e9b097b66a831e9cfe52d9d4888448ee4b0978093ba1d7d73ae78b3a62ba4ad95cd289ccb9e005226bb3d178bccaa821fb044a4e21ee97696c14d0678c94c2dae93b0ad73922218553daa7e44ebe57725a7a45cc72b9b2138a6b17c8db411ce8279ee1241aff0a8bec6f77f87edb0c69cb27236e3435a800b192e4f11e519e3fe30fc30eaccca4fbb41769029bf708e817a9e683805be67fa100984683b74838e3bcffa79366eed1d481c76729118838f31ba8a048a93c1be4424598e8df6328b7a77880a3f9c7e2e8dfca8eb5a26fb86bdc556d42bbe01d9fa6ed80646491c9341",
"d689257a86effa68212c5e0c619eca295fb91b67",
"82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c",
"88c7a9f1360401d90e53b101b61c5325c3c75db1b411fbeb8e830b75e96b56670ad245404e16793544ee354bc613a90cc9848715a73db5893e7f6d279815c0c1de83ef8e2956e3a56ed26a888d7a9cdcd042f4b16b7fa51ef1a0573662d16a302d0ec5b285d2e03ad96529c87b3d374db372d95b2443d061b6b1a350ba87807ed083afd1eb05c3f52f4eba5ed2227714fdb50b9d9d9dd6814f62f6272fcd5cdbce7a9ef797",
"c25f13bf67d081671a0481a1f1820d613bba2276",
"a7fdb0d259165ca2c88d00bbf1028a867d337699d061193b17a9648e14ccbbaadeacaacdec815e7571294ebb8a117af205fa078b47b0712c199e3ad05135c504c24b81705115740802487992ffd511d4afc6b854491eb3f0dd523139542ff15c3101ee85543517c6a3c79417c67e2dd9aa741e9a29b06dcb593c2336b3670ae3afbac7c3e76e215473e866e338ca244de00b62624d6b9426822ceae9f8cc460895f41250073fd45c5a1e7b425c204a423a699159f6903e710b37a7bb2bc8049f",
/* 2048-bit key */
"a5dd867ac4cb02f90b9457d48c14a770ef991c56c39c0ec65fd11afa8937cea57b9be7ac73b45c0017615b82d622e318753b6027c0fd157be12f8090fee2a7adcd0eef759f88ba4997c7a42d58c9aa12cb99ae001fe521c13bb5431445a8d5ae4f5e4c7e948ac227d3604071f20e577e905fbeb15dfaf06d1de5ae6253d63a6a2120b31a5da5dabc9550600e20f27d3739e2627925fea3cc509f21dff04e6eea4549c540d6809ff9307eede91fff58733d8385a237d6d3705a33e391900992070df7adf1357cf7e3700ce3667de83f17b8df1778db381dce09cb4ad058a511001a738198ee27cf55a13b754539906582ec8b174bd58d5d1f3d767c613721ae05",
"010001",
"2d2ff567b3fe74e06191b7fded6de112290c670692430d5969184047da234c9693deed1673ed429539c969d372c04d6b47e0f5b8cee0843e5c22835dbd3b05a0997984ae6058b11bc4907cbf67ed84fa9ae252dfb0d0cd49e618e35dfdfe59bca3ddd66c33cebbc77ad441aa695e13e324b518f01c60f5a85c994ad179f2a6b5fbe93402b11767be01bf073444d6ba1dd2bca5bd074d4a5fae3531ad1303d84b30d897318cbbba04e03c2e66de6d91f82f96ea1d4bb54a5aae102d594657f5c9789553512b296dea29d8023196357e3e3a6e958f39e3c2344038ea604b31edc6f0f7ff6e7181a57c92826a268f86768e96f878562fc71d85d69e448612f7048f",
"cfd50283feeeb97f6f08d73cbc7b3836f82bbcd499479f5e6f76fdfcb8b38c4f71dc9e88bd6a6f76371afd65d2af1862b32afb34a95f71b8b132043ffebe3a952baf7592448148c03f9c69b1d68e4ce5cf32c86baf46fed301ca1ab403069b32f456b91f71898ab081cd8c4252ef5271915c9794b8f295851da7510f99cb73eb",
"cc4e90d2a1b3a065d3b2d1f5a8fce31b544475664eab561d2971b99fb7bef844e8ec1f360b8c2ac8359692971ea6a38f723fcc211f5dbcb177a0fdac5164a1d4ff7fbb4e829986353cb983659a148cdd420c7d31ba3822ea90a32be46c030e8c17e1fa0ad37859e06b0aa6fa3b216d9cbe6c0e22339769c0a615913e5da719cf",
"1c2d1fc32f6bc4004fd85dfde0fbbf9a4c38f9c7c4e41dea1aa88234a201cd92f3b7da526583a98ad85bb360fb983b711e23449d561d1778d7a515486bcbf47b46c9e9e1a3a1f77000efbeb09a8afe47e5b857cda99cb16d7fff9b712e3bd60ca96d9c7973d616d46934a9c050281c004399ceff1db7dda78766a8a9b9cb0873",
"cb3b3c04caa58c60be7d9b2debb3e39643f4f57397be08236a1e9eafaa706536e71c3acfe01cc651f23c9e05858fee13bb6a8afc47df4edc9a4ba30bcecb73d0157852327ee789015c2e8dee7b9f05a0f31ac94eb6173164740c5c95147cd5f3b5ae2cb4a83787f01d8ab31f27c2d0eea2dd8a11ab906aba207c43c6ee125331",
"12f6b2cf1374a736fad05616050f96ab4b61d1177c7f9d525a29f3d180e77667e99d99abf0525d0758660f3752655b0f25b8df8431d9a8ff77c16c12a0a5122a9f0bf7cfd5a266a35c159f991208b90316ff444f3e0b6bd0e93b8a7a2448e957e3dda6cfcf2266b106013ac46808d3b3887b3b00344baac9530b4ce708fc32b6",
"883177e5126b9be2d9a9680327d5370c6f26861f5820c43da67a3ad609",
"04e215ee6ff934b9da70d7730c8734abfcecde89",
"82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666",
"dd670a01465868adc93f26131957a50c52fb777cdbaa30892c9e12361164ec13979d43048118e4445db87bee58dd987b3425d02071d8dbae80708b039dbb64dbd1de5657d9fed0c118a54143742e0ff3c87f74e45857647af3f79eb0a14c9d75ea9a1a04b7cf478a897a708fd988f48e801edb0b7039df8c23bb3c56f4e821ac",
"8b2bdd4b40faf545c778ddf9bc1a49cb57f9b71b",
"14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3",
"48b2b6a57a63c84cea859d65c668284b08d96bdcaabe252db0e4a96cb1bac6019341db6fbefb8d106b0e90eda6bcc6c6262f37e7ea9c7e5d226bd7df85ec5e71efff2f54c5db577ff729ff91b842491de2741d0c631607df586b905b23b91af13da12304bf83eca8a73e871ff9db",
"4e96fc1b398f92b44671010c0dc3efd6e20c2d73",
"6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb",
"0b8777c7f839baf0a64bbbdbc5ce79755c57a205b845c174e2d2e90546a089c4e6ec8adffa23a7ea97bae6b65d782b82db5d2b5a56d22a29a05e7c4433e2b82a621abba90add05ce393fc48a840542451a",
"c7cd698d84b65128d8835e3a8b1eb0e01cb541ec",
"34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb",
"f1036e008e71e964dadc9219ed30e17f06b4b68a955c16b312b1eddf028b74976bed6b3f6a63d4e77859243c9cccdc98016523abb02483b35591c33aad81213bb7c7bb1a470aabc10d44256c4d4559d916",
"efa8bff96212b2f4a3f371a10d574152655f5dfb",
"7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc",
"25f10895a87716c137450bb9519dfaa1f207faa942ea88abf71e9c17980085b555aebab76264ae2a3ab93c2d12981191ddac6fb5949eb36aee3c5da940f00752c916d94608fa7d97ba6a2915b688f20323d4e9d96801d89a72ab5892dc2117c07434fcf972e058cf8c41ca4b4ff554f7d5068ad3155fced0f3125bc04f9193378a8f5c4c3b8cb4dd6d1cc69d30ecca6eaa51e36a05730e9e342e855baf099defb8afd7",
"ad8b1523703646224b660b550885917ca2d1df28",
"6d3b5b87f67ea657af21f75441977d2180f91b2c5f692de82955696a686730d9b9778d970758ccb26071c2209ffbd6125be2e96ea81b67cb9b9308239fda17f7b2b64ecda096b6b935640a5a1cb42a9155b1c9ef7a633a02c59f0d6ee59b852c43b35029e73c940ff0410e8f114eed46bbd0fae165e42be2528a401c3b28fd818ef3232dca9f4d2a0f5166ec59c42396d6c11dbc1215a56fa17169db9575343ef34f9de32a49cdc3174922f229c23e18e45df9353119ec4319cedce7a17c64088c1f6f52be29634100b3919d38f3d1ed94e6891e66a73b8fb849f5874df59459e298c7bbce2eee782a195aa66fe2d0732b25e595f57d3e061b1fc3e4063bf98f",
NULL
};
static void
test_RSA_PSS(const char *name,
br_rsa_pss_sign sign, br_rsa_pss_vrfy vrfy)
{
size_t u;
printf("Test %s: ", name);
fflush(stdout);
u = 0;
while (KAT_RSA_PSS[u] != NULL) {
unsigned char n[512];
unsigned char e[8];
unsigned char d[512];
unsigned char p[256];
unsigned char q[256];
unsigned char dp[256];
unsigned char dq[256];
unsigned char iq[256];
br_rsa_public_key pk;
br_rsa_private_key sk;
size_t v;
pk.n = n;
pk.nlen = hextobin(n, KAT_RSA_PSS[u ++]);
pk.e = e;
pk.elen = hextobin(e, KAT_RSA_PSS[u ++]);
/*
* 'd' is in the test vectors, but we don't use it.
*/
hextobin(d, KAT_RSA_PSS[u ++]);
for (v = 0; n[v] == 0; v ++);
sk.n_bitlen = BIT_LENGTH(n[v]) + ((pk.nlen - 1 - v) << 3);
sk.p = p;
sk.plen = hextobin(p, KAT_RSA_PSS[u ++]);
sk.q = q;
sk.qlen = hextobin(q, KAT_RSA_PSS[u ++]);
sk.dp = dp;
sk.dplen = hextobin(dp, KAT_RSA_PSS[u ++]);
sk.dq = dq;
sk.dqlen = hextobin(dq, KAT_RSA_PSS[u ++]);
sk.iq = iq;
sk.iqlen = hextobin(iq, KAT_RSA_PSS[u ++]);
for (v = 0; v < 6; v ++) {
unsigned char plain[512], salt[128], sig[512];
size_t plain_len, salt_len, sig_len;
rng_fake_ctx rng;
unsigned char hash[20], tmp[513];
br_sha1_context sc;
plain_len = hextobin(plain, KAT_RSA_PSS[u ++]);
salt_len = hextobin(salt, KAT_RSA_PSS[u ++]);
sig_len = hextobin(sig, KAT_RSA_PSS[u ++]);
br_sha1_init(&sc);
br_sha1_update(&sc, plain, plain_len);
br_sha1_out(&sc, hash);
rng_fake_init(&rng, NULL, salt, salt_len);
memset(tmp, 0, sizeof tmp);
if (sign(&rng.vtable,
&br_sha1_vtable, &br_sha1_vtable,
hash, salt_len, &sk, tmp) != 1)
{
fprintf(stderr, "signature failed\n");
}
if (rng.ptr != rng.len) {
fprintf(stderr, "salt not fully consumed\n");
exit(EXIT_FAILURE);
}
check_equals("KAT RSA/PSS sign", tmp, sig, sig_len);
if (vrfy(sig, sig_len,
&br_sha1_vtable, &br_sha1_vtable,
hash, salt_len, &pk) != 1)
{
fprintf(stderr, "verification failed\n");
exit(EXIT_FAILURE);
}
sig[sig_len >> 1] ^= 0x01;
if (vrfy(sig, sig_len,
&br_sha1_vtable, &br_sha1_vtable,
hash, salt_len, &pk) != 0)
{
fprintf(stderr,
"verification should have failed\n");
exit(EXIT_FAILURE);
}
printf(".");
fflush(stdout);
}
}
printf(" done.\n");
fflush(stdout);
}
/*
* Test vectors from pkcs-1v2-1d2-vec.zip (originally from ftp.rsa.com).
* There are ten RSA keys, and for each RSA key, there are 6 messages,
* each with an explicit seed.
*
* Field order:
* modulus (n)
* public exponent (e)
* first factor (p)
* second factor (q)
* first private exponent (dp)
* second private exponent (dq)
* CRT coefficient (iq)
* cleartext 1
* seed 1 (20-byte random value)
* ciphertext 1
* cleartext 2
* seed 2 (20-byte random value)
* ciphertext 2
* ...
* cleartext 6
* seed 6 (20-byte random value)
* ciphertext 6
*
* This pattern is repeated for all keys. The array stops on a NULL.
*/
static const char *KAT_RSA_OAEP[] = {
/* 1024-bit key, from oeap-int.txt */
"BBF82F090682CE9C2338AC2B9DA871F7368D07EED41043A440D6B6F07454F51FB8DFBAAF035C02AB61EA48CEEB6FCD4876ED520D60E1EC4619719D8A5B8B807FAFB8E0A3DFC737723EE6B4B7D93A2584EE6A649D060953748834B2454598394EE0AAB12D7B61A51F527A9A41F6C1687FE2537298CA2A8F5946F8E5FD091DBDCB",
"11",
"EECFAE81B1B9B3C908810B10A1B5600199EB9F44AEF4FDA493B81A9E3D84F632124EF0236E5D1E3B7E28FAE7AA040A2D5B252176459D1F397541BA2A58FB6599",
"C97FB1F027F453F6341233EAAAD1D9353F6C42D08866B1D05A0F2035028B9D869840B41666B42E92EA0DA3B43204B5CFCE3352524D0416A5A441E700AF461503",
"54494CA63EBA0337E4E24023FCD69A5AEB07DDDC0183A4D0AC9B54B051F2B13ED9490975EAB77414FF59C1F7692E9A2E202B38FC910A474174ADC93C1F67C981",
"471E0290FF0AF0750351B7F878864CA961ADBD3A8A7E991C5C0556A94C3146A7F9803F8F6F8AE342E931FD8AE47A220D1B99A495849807FE39F9245A9836DA3D",
"B06C4FDABB6301198D265BDBAE9423B380F271F73453885093077FCD39E2119FC98632154F5883B167A967BF402B4E9E2E0F9656E698EA3666EDFB25798039F7",
/* oaep-int.txt contains only one message, so we repeat it six
times to respect our array format. */
"D436E99569FD32A7C8A05BBC90D32C49",
"AAFD12F659CAE63489B479E5076DDEC2F06CB58F",
"1253E04DC0A5397BB44A7AB87E9BF2A039A33D1E996FC82A94CCD30074C95DF763722017069E5268DA5D1C0B4F872CF653C11DF82314A67968DFEAE28DEF04BB6D84B1C31D654A1970E5783BD6EB96A024C2CA2F4A90FE9F2EF5C9C140E5BB48DA9536AD8700C84FC9130ADEA74E558D51A74DDF85D8B50DE96838D6063E0955",
"D436E99569FD32A7C8A05BBC90D32C49",
"AAFD12F659CAE63489B479E5076DDEC2F06CB58F",
"1253E04DC0A5397BB44A7AB87E9BF2A039A33D1E996FC82A94CCD30074C95DF763722017069E5268DA5D1C0B4F872CF653C11DF82314A67968DFEAE28DEF04BB6D84B1C31D654A1970E5783BD6EB96A024C2CA2F4A90FE9F2EF5C9C140E5BB48DA9536AD8700C84FC9130ADEA74E558D51A74DDF85D8B50DE96838D6063E0955",
"D436E99569FD32A7C8A05BBC90D32C49",
"AAFD12F659CAE63489B479E5076DDEC2F06CB58F",
"1253E04DC0A5397BB44A7AB87E9BF2A039A33D1E996FC82A94CCD30074C95DF763722017069E5268DA5D1C0B4F872CF653C11DF82314A67968DFEAE28DEF04BB6D84B1C31D654A1970E5783BD6EB96A024C2CA2F4A90FE9F2EF5C9C140E5BB48DA9536AD8700C84FC9130ADEA74E558D51A74DDF85D8B50DE96838D6063E0955",
"D436E99569FD32A7C8A05BBC90D32C49",
"AAFD12F659CAE63489B479E5076DDEC2F06CB58F",
"1253E04DC0A5397BB44A7AB87E9BF2A039A33D1E996FC82A94CCD30074C95DF763722017069E5268DA5D1C0B4F872CF653C11DF82314A67968DFEAE28DEF04BB6D84B1C31D654A1970E5783BD6EB96A024C2CA2F4A90FE9F2EF5C9C140E5BB48DA9536AD8700C84FC9130ADEA74E558D51A74DDF85D8B50DE96838D6063E0955",
"D436E99569FD32A7C8A05BBC90D32C49",
"AAFD12F659CAE63489B479E5076DDEC2F06CB58F",
"1253E04DC0A5397BB44A7AB87E9BF2A039A33D1E996FC82A94CCD30074C95DF763722017069E5268DA5D1C0B4F872CF653C11DF82314A67968DFEAE28DEF04BB6D84B1C31D654A1970E5783BD6EB96A024C2CA2F4A90FE9F2EF5C9C140E5BB48DA9536AD8700C84FC9130ADEA74E558D51A74DDF85D8B50DE96838D6063E0955",
"D436E99569FD32A7C8A05BBC90D32C49",
"AAFD12F659CAE63489B479E5076DDEC2F06CB58F",
"1253E04DC0A5397BB44A7AB87E9BF2A039A33D1E996FC82A94CCD30074C95DF763722017069E5268DA5D1C0B4F872CF653C11DF82314A67968DFEAE28DEF04BB6D84B1C31D654A1970E5783BD6EB96A024C2CA2F4A90FE9F2EF5C9C140E5BB48DA9536AD8700C84FC9130ADEA74E558D51A74DDF85D8B50DE96838D6063E0955",
/* 1024-bit key */
"A8B3B284AF8EB50B387034A860F146C4919F318763CD6C5598C8AE4811A1E0ABC4C7E0B082D693A5E7FCED675CF4668512772C0CBC64A742C6C630F533C8CC72F62AE833C40BF25842E984BB78BDBF97C0107D55BDB662F5C4E0FAB9845CB5148EF7392DD3AAFF93AE1E6B667BB3D4247616D4F5BA10D4CFD226DE88D39F16FB",
"010001",
"D32737E7267FFE1341B2D5C0D150A81B586FB3132BED2F8D5262864A9CB9F30AF38BE448598D413A172EFB802C21ACF1C11C520C2F26A471DCAD212EAC7CA39D",
"CC8853D1D54DA630FAC004F471F281C7B8982D8224A490EDBEB33D3E3D5CC93C4765703D1DD791642F1F116A0DD852BE2419B2AF72BFE9A030E860B0288B5D77",
"0E12BF1718E9CEF5599BA1C3882FE8046A90874EEFCE8F2CCC20E4F2741FB0A33A3848AEC9C9305FBECBD2D76819967D4671ACC6431E4037968DB37878E695C1",
"95297B0F95A2FA67D00707D609DFD4FC05C89DAFC2EF6D6EA55BEC771EA333734D9251E79082ECDA866EFEF13C459E1A631386B7E354C899F5F112CA85D71583",
"4F456C502493BDC0ED2AB756A3A6ED4D67352A697D4216E93212B127A63D5411CE6FA98D5DBEFD73263E3728142743818166ED7DD63687DD2A8CA1D2F4FBD8E1",
"6628194E12073DB03BA94CDA9EF9532397D50DBA79B987004AFEFE34",
"18B776EA21069D69776A33E96BAD48E1DDA0A5EF",
"354FE67B4A126D5D35FE36C777791A3F7BA13DEF484E2D3908AFF722FAD468FB21696DE95D0BE911C2D3174F8AFCC201035F7B6D8E69402DE5451618C21A535FA9D7BFC5B8DD9FC243F8CF927DB31322D6E881EAA91A996170E657A05A266426D98C88003F8477C1227094A0D9FA1E8C4024309CE1ECCCB5210035D47AC72E8A",
"750C4047F547E8E41411856523298AC9BAE245EFAF1397FBE56F9DD5",
"0CC742CE4A9B7F32F951BCB251EFD925FE4FE35F",
"640DB1ACC58E0568FE5407E5F9B701DFF8C3C91E716C536FC7FCEC6CB5B71C1165988D4A279E1577D730FC7A29932E3F00C81515236D8D8E31017A7A09DF4352D904CDEB79AA583ADCC31EA698A4C05283DABA9089BE5491F67C1A4EE48DC74BBBE6643AEF846679B4CB395A352D5ED115912DF696FFE0702932946D71492B44",
"D94AE0832E6445CE42331CB06D531A82B1DB4BAAD30F746DC916DF24D4E3C2451FFF59A6423EB0E1D02D4FE646CF699DFD818C6E97B051",
"2514DF4695755A67B288EAF4905C36EEC66FD2FD",
"423736ED035F6026AF276C35C0B3741B365E5F76CA091B4E8C29E2F0BEFEE603595AA8322D602D2E625E95EB81B2F1C9724E822ECA76DB8618CF09C5343503A4360835B5903BC637E3879FB05E0EF32685D5AEC5067CD7CC96FE4B2670B6EAC3066B1FCF5686B68589AAFB7D629B02D8F8625CA3833624D4800FB081B1CF94EB",
"52E650D98E7F2A048B4F86852153B97E01DD316F346A19F67A85",
"C4435A3E1A18A68B6820436290A37CEFB85DB3FB",
"45EAD4CA551E662C9800F1ACA8283B0525E6ABAE30BE4B4ABA762FA40FD3D38E22ABEFC69794F6EBBBC05DDBB11216247D2F412FD0FBA87C6E3ACD888813646FD0E48E785204F9C3F73D6D8239562722DDDD8771FEC48B83A31EE6F592C4CFD4BC88174F3B13A112AAE3B9F7B80E0FC6F7255BA880DC7D8021E22AD6A85F0755",
"8DA89FD9E5F974A29FEFFB462B49180F6CF9E802",
"B318C42DF3BE0F83FEA823F5A7B47ED5E425A3B5",
"36F6E34D94A8D34DAACBA33A2139D00AD85A9345A86051E73071620056B920E219005855A213A0F23897CDCD731B45257C777FE908202BEFDD0B58386B1244EA0CF539A05D5D10329DA44E13030FD760DCD644CFEF2094D1910D3F433E1C7C6DD18BC1F2DF7F643D662FB9DD37EAD9059190F4FA66CA39E869C4EB449CBDC439",
"26521050844271",
"E4EC0982C2336F3A677F6A356174EB0CE887ABC2",
"42CEE2617B1ECEA4DB3F4829386FBD61DAFBF038E180D837C96366DF24C097B4AB0FAC6BDF590D821C9F10642E681AD05B8D78B378C0F46CE2FAD63F74E0AD3DF06B075D7EB5F5636F8D403B9059CA761B5C62BB52AA45002EA70BAACE08DED243B9D8CBD62A68ADE265832B56564E43A6FA42ED199A099769742DF1539E8255",
/* 1025-bit key */
"01947C7FCE90425F47279E70851F25D5E62316FE8A1DF19371E3E628E260543E4901EF6081F68C0B8141190D2AE8DABA7D1250EC6DB636E944EC3722877C7C1D0A67F14B1694C5F0379451A43E49A32DDE83670B73DA91A1C99BC23B436A60055C610F0BAF99C1A079565B95A3F1526632D1D4DA60F20EDA25E653C4F002766F45",
"010001",
"0159DBDE04A33EF06FB608B80B190F4D3E22BCC13AC8E4A081033ABFA416EDB0B338AA08B57309EA5A5240E7DC6E54378C69414C31D97DDB1F406DB3769CC41A43",
"012B652F30403B38B40995FD6FF41A1ACC8ADA70373236B7202D39B2EE30CFB46DB09511F6F307CC61CC21606C18A75B8A62F822DF031BA0DF0DAFD5506F568BD7",
"436EF508DE736519C2DA4C580D98C82CB7452A3FB5EFADC3B9C7789A1BC6584F795ADDBBD32439C74686552ECB6C2C307A4D3AF7F539EEC157248C7B31F1A255",
"012B15A89F3DFB2B39073E73F02BDD0C1A7B379DD435F05CDDE2EFF9E462948B7CEC62EE9050D5E0816E0785A856B49108DCB75F3683874D1CA6329A19013066FF",
"0270DB17D5914B018D76118B24389A7350EC836B0063A21721236FD8EDB6D89B51E7EEB87B611B7132CB7EA7356C23151C1E7751507C786D9EE1794170A8C8E8",
"8FF00CAA605C702830634D9A6C3D42C652B58CF1D92FEC570BEEE7",
"8C407B5EC2899E5099C53E8CE793BF94E71B1782",
"0181AF8922B9FCB4D79D92EBE19815992FC0C1439D8BCD491398A0F4AD3A329A5BD9385560DB532683C8B7DA04E4B12AED6AACDF471C34C9CDA891ADDCC2DF3456653AA6382E9AE59B54455257EB099D562BBE10453F2B6D13C59C02E10F1F8ABB5DA0D0570932DACF2D0901DB729D0FEFCC054E70968EA540C81B04BCAEFE720E",
"2D",
"B600CF3C2E506D7F16778C910D3A8B003EEE61D5",
"018759FF1DF63B2792410562314416A8AEAF2AC634B46F940AB82D64DBF165EEE33011DA749D4BAB6E2FCD18129C9E49277D8453112B429A222A8471B070993998E758861C4D3F6D749D91C4290D332C7A4AB3F7EA35FF3A07D497C955FF0FFC95006B62C6D296810D9BFAB024196C7934012C2DF978EF299ABA239940CBA10245",
"74FC88C51BC90F77AF9D5E9A4A70133D4B4E0B34DA3C37C7EF8E",
"A73768AEEAA91F9D8C1ED6F9D2B63467F07CCAE3",
"018802BAB04C60325E81C4962311F2BE7C2ADCE93041A00719C88F957575F2C79F1B7BC8CED115C706B311C08A2D986CA3B6A9336B147C29C6F229409DDEC651BD1FDD5A0B7F610C9937FDB4A3A762364B8B3206B4EA485FD098D08F63D4AA8BB2697D027B750C32D7F74EAF5180D2E9B66B17CB2FA55523BC280DA10D14BE2053",
"A7EB2A5036931D27D4E891326D99692FFADDA9BF7EFD3E34E622C4ADC085F721DFE885072C78A203B151739BE540FA8C153A10F00A",
"9A7B3B0E708BD96F8190ECAB4FB9B2B3805A8156",
"00A4578CBC176318A638FBA7D01DF15746AF44D4F6CD96D7E7C495CBF425B09C649D32BF886DA48FBAF989A2117187CAFB1FB580317690E3CCD446920B7AF82B31DB5804D87D01514ACBFA9156E782F867F6BED9449E0E9A2C09BCECC6AA087636965E34B3EC766F2FE2E43018A2FDDEB140616A0E9D82E5331024EE0652FC7641",
"2EF2B066F854C33F3BDCBB5994A435E73D6C6C",
"EB3CEBBC4ADC16BB48E88C8AEC0E34AF7F427FD3",
"00EBC5F5FDA77CFDAD3C83641A9025E77D72D8A6FB33A810F5950F8D74C73E8D931E8634D86AB1246256AE07B6005B71B7F2FB98351218331CE69B8FFBDC9DA08BBC9C704F876DEB9DF9FC2EC065CAD87F9090B07ACC17AA7F997B27ACA48806E897F771D95141FE4526D8A5301B678627EFAB707FD40FBEBD6E792A25613E7AEC",
"8A7FB344C8B6CB2CF2EF1F643F9A3218F6E19BBA89C0",
"4C45CF4D57C98E3D6D2095ADC51C489EB50DFF84",
"010839EC20C27B9052E55BEFB9B77E6FC26E9075D7A54378C646ABDF51E445BD5715DE81789F56F1803D9170764A9E93CB78798694023EE7393CE04BC5D8F8C5A52C171D43837E3ACA62F609EB0AA5FFB0960EF04198DD754F57F7FBE6ABF765CF118B4CA443B23B5AAB266F952326AC4581100644325F8B721ACD5D04FF14EF3A",
/* 2048-bit key */
"AE45ED5601CEC6B8CC05F803935C674DDBE0D75C4C09FD7951FC6B0CAEC313A8DF39970C518BFFBA5ED68F3F0D7F22A4029D413F1AE07E4EBE9E4177CE23E7F5404B569E4EE1BDCF3C1FB03EF113802D4F855EB9B5134B5A7C8085ADCAE6FA2FA1417EC3763BE171B0C62B760EDE23C12AD92B980884C641F5A8FAC26BDAD4A03381A22FE1B754885094C82506D4019A535A286AFEB271BB9BA592DE18DCF600C2AEEAE56E02F7CF79FC14CF3BDC7CD84FEBBBF950CA90304B2219A7AA063AEFA2C3C1980E560CD64AFE779585B6107657B957857EFDE6010988AB7DE417FC88D8F384C4E6E72C3F943E0C31C0C4A5CC36F879D8A3AC9D7D59860EAADA6B83BB",
"010001",
"ECF5AECD1E5515FFFACBD75A2816C6EBF49018CDFB4638E185D66A7396B6F8090F8018C7FD95CC34B857DC17F0CC6516BB1346AB4D582CADAD7B4103352387B70338D084047C9D9539B6496204B3DD6EA442499207BEC01F964287FF6336C3984658336846F56E46861881C10233D2176BF15A5E96DDC780BC868AA77D3CE769",
"BC46C464FC6AC4CA783B0EB08A3C841B772F7E9B2F28BABD588AE885E1A0C61E4858A0FB25AC299990F35BE85164C259BA1175CDD7192707135184992B6C29B746DD0D2CABE142835F7D148CC161524B4A09946D48B828473F1CE76B6CB6886C345C03E05F41D51B5C3A90A3F24073C7D74A4FE25D9CF21C75960F3FC3863183",
"C73564571D00FB15D08A3DE9957A50915D7126E9442DACF42BC82E862E5673FF6A008ED4D2E374617DF89F17A160B43B7FDA9CB6B6B74218609815F7D45CA263C159AA32D272D127FAF4BC8CA2D77378E8AEB19B0AD7DA3CB3DE0AE7314980F62B6D4B0A875D1DF03C1BAE39CCD833EF6CD7E2D9528BF084D1F969E794E9F6C1",
"2658B37F6DF9C1030BE1DB68117FA9D87E39EA2B693B7E6D3A2F70947413EEC6142E18FB8DFCB6AC545D7C86A0AD48F8457170F0EFB26BC48126C53EFD1D16920198DC2A1107DC282DB6A80CD3062360BA3FA13F70E4312FF1A6CD6B8FC4CD9C5C3DB17C6D6A57212F73AE29F619327BAD59B153858585BA4E28B60A62A45E49",
"6F38526B3925085534EF3E415A836EDE8B86158A2C7CBFECCB0BD834304FEC683BA8D4F479C433D43416E63269623CEA100776D85AFF401D3FFF610EE65411CE3B1363D63A9709EEDE42647CEA561493D54570A879C18682CD97710B96205EC31117D73B5F36223FADD6E8BA90DD7C0EE61D44E163251E20C7F66EB305117CB8",
"8BBA6BF82A6C0F86D5F1756E97956870B08953B06B4EB205BC1694EE",
"47E1AB7119FEE56C95EE5EAAD86F40D0AA63BD33",
"53EA5DC08CD260FB3B858567287FA91552C30B2FEBFBA213F0AE87702D068D19BAB07FE574523DFB42139D68C3C5AFEEE0BFE4CB7969CBF382B804D6E61396144E2D0E60741F8993C3014B58B9B1957A8BABCD23AF854F4C356FB1662AA72BFCC7E586559DC4280D160C126785A723EBEEBEFF71F11594440AAEF87D10793A8774A239D4A04C87FE1467B9DAF85208EC6C7255794A96CC29142F9A8BD418E3C1FD67344B0CD0829DF3B2BEC60253196293C6B34D3F75D32F213DD45C6273D505ADF4CCED1057CB758FC26AEEFA441255ED4E64C199EE075E7F16646182FDB464739B68AB5DAFF0E63E9552016824F054BF4D3C8C90A97BB6B6553284EB429FCC",
"E6AD181F053B58A904F2457510373E57",
"6D17F5B4C1FFAC351D195BF7B09D09F09A4079CF",
"A2B1A430A9D657E2FA1C2BB5ED43FFB25C05A308FE9093C01031795F5874400110828AE58FB9B581CE9DDDD3E549AE04A0985459BDE6C626594E7B05DC4278B2A1465C1368408823C85E96DC66C3A30983C639664FC4569A37FE21E5A195B5776EED2DF8D8D361AF686E750229BBD663F161868A50615E0C337BEC0CA35FEC0BB19C36EB2E0BBCC0582FA1D93AACDB061063F59F2CE1EE43605E5D89ECA183D2ACDFE9F81011022AD3B43A3DD417DAC94B4E11EA81B192966E966B182082E71964607B4F8002F36299844A11F2AE0FAEAC2EAE70F8F4F98088ACDCD0AC556E9FCCC511521908FAD26F04C64201450305778758B0538BF8B5BB144A828E629795",
"510A2CF60E866FA2340553C94EA39FBC256311E83E94454B4124",
"385387514DECCC7C740DD8CDF9DAEE49A1CBFD54",
"9886C3E6764A8B9A84E84148EBD8C3B1AA8050381A78F668714C16D9CFD2A6EDC56979C535D9DEE3B44B85C18BE8928992371711472216D95DDA98D2EE8347C9B14DFFDFF84AA48D25AC06F7D7E65398AC967B1CE90925F67DCE049B7F812DB0742997A74D44FE81DBE0E7A3FEAF2E5C40AF888D550DDBBE3BC20657A29543F8FC2913B9BD1A61B2AB2256EC409BBD7DC0D17717EA25C43F42ED27DF8738BF4AFC6766FF7AFF0859555EE283920F4C8A63C4A7340CBAFDDC339ECDB4B0515002F96C932B5B79167AF699C0AD3FCCFDF0F44E85A70262BF2E18FE34B850589975E867FF969D48EABF212271546CDC05A69ECB526E52870C836F307BD798780EDE",
"BCDD190DA3B7D300DF9A06E22CAAE2A75F10C91FF667B7C16BDE8B53064A2649A94045C9",
"5CACA6A0F764161A9684F85D92B6E0EF37CA8B65",
"6318E9FB5C0D05E5307E1683436E903293AC4642358AAA223D7163013ABA87E2DFDA8E60C6860E29A1E92686163EA0B9175F329CA3B131A1EDD3A77759A8B97BAD6A4F8F4396F28CF6F39CA58112E48160D6E203DAA5856F3ACA5FFED577AF499408E3DFD233E3E604DBE34A9C4C9082DE65527CAC6331D29DC80E0508A0FA7122E7F329F6CCA5CFA34D4D1DA417805457E008BEC549E478FF9E12A763C477D15BBB78F5B69BD57830FC2C4ED686D79BC72A95D85F88134C6B0AFE56A8CCFBC855828BB339BD17909CF1D70DE3335AE07039093E606D655365DE6550B872CD6DE1D440EE031B61945F629AD8A353B0D40939E96A3C450D2A8D5EEE9F678093C8",
"A7DD6C7DC24B46F9DD5F1E91ADA4C3B3DF947E877232A9",
"95BCA9E3859894B3DD869FA7ECD5BBC6401BF3E4",
"75290872CCFD4A4505660D651F56DA6DAA09CA1301D890632F6A992F3D565CEE464AFDED40ED3B5BE9356714EA5AA7655F4A1366C2F17C728F6F2C5A5D1F8E28429BC4E6F8F2CFF8DA8DC0E0A9808E45FD09EA2FA40CB2B6CE6FFFF5C0E159D11B68D90A85F7B84E103B09E682666480C657505C0929259468A314786D74EAB131573CF234BF57DB7D9E66CC6748192E002DC0DEEA930585F0831FDCD9BC33D51F79ED2FFC16BCF4D59812FCEBCAA3F9069B0E445686D644C25CCF63B456EE5FA6FFE96F19CDF751FED9EAF35957754DBF4BFEA5216AA1844DC507CB2D080E722EBA150308C2B5FF1193620F1766ECF4481BAFB943BD292877F2136CA494ABA0",
"EAF1A73A1B0C4609537DE69CD9228BBCFB9A8CA8C6C3EFAF056FE4A7F4634ED00B7C39EC6922D7B8EA2C04EBAC",
"9F47DDF42E97EEA856A9BDBC714EB3AC22F6EB32",
"2D207A73432A8FB4C03051B3F73B28A61764098DFA34C47A20995F8115AA6816679B557E82DBEE584908C6E69782D7DEB34DBD65AF063D57FCA76A5FD069492FD6068D9984D209350565A62E5C77F23038C12CB10C6634709B547C46F6B4A709BD85CA122D74465EF97762C29763E06DBC7A9E738C78BFCA0102DC5E79D65B973F28240CAAB2E161A78B57D262457ED8195D53E3C7AE9DA021883C6DB7C24AFDD2322EAC972AD3C354C5FCEF1E146C3A0290FB67ADF007066E00428D2CEC18CE58F9328698DEFEF4B2EB5EC76918FDE1C198CBB38B7AFC67626A9AEFEC4322BFD90D2563481C9A221F78C8272C82D1B62AB914E1C69F6AF6EF30CA5260DB4A46",
NULL
};
static void
test_RSA_OAEP(const char *name,
br_rsa_oaep_encrypt menc, br_rsa_oaep_decrypt mdec)
{
size_t u;
printf("Test %s: ", name);
fflush(stdout);
u = 0;
while (KAT_RSA_OAEP[u] != NULL) {
unsigned char n[512];
unsigned char e[8];
unsigned char p[256];
unsigned char q[256];
unsigned char dp[256];
unsigned char dq[256];
unsigned char iq[256];
br_rsa_public_key pk;
br_rsa_private_key sk;
size_t v;
pk.n = n;
pk.nlen = hextobin(n, KAT_RSA_OAEP[u ++]);
pk.e = e;
pk.elen = hextobin(e, KAT_RSA_OAEP[u ++]);
for (v = 0; n[v] == 0; v ++);
sk.n_bitlen = BIT_LENGTH(n[v]) + ((pk.nlen - 1 - v) << 3);
sk.p = p;
sk.plen = hextobin(p, KAT_RSA_OAEP[u ++]);
sk.q = q;
sk.qlen = hextobin(q, KAT_RSA_OAEP[u ++]);
sk.dp = dp;
sk.dplen = hextobin(dp, KAT_RSA_OAEP[u ++]);
sk.dq = dq;
sk.dqlen = hextobin(dq, KAT_RSA_OAEP[u ++]);
sk.iq = iq;
sk.iqlen = hextobin(iq, KAT_RSA_OAEP[u ++]);
for (v = 0; v < 6; v ++) {
unsigned char plain[512], seed[128], cipher[512];
size_t plain_len, seed_len, cipher_len;
rng_fake_ctx rng;
unsigned char tmp[513];
size_t len;
plain_len = hextobin(plain, KAT_RSA_OAEP[u ++]);
seed_len = hextobin(seed, KAT_RSA_OAEP[u ++]);
cipher_len = hextobin(cipher, KAT_RSA_OAEP[u ++]);
rng_fake_init(&rng, NULL, seed, seed_len);
len = menc(&rng.vtable, &br_sha1_vtable, NULL, 0, &pk,
tmp, sizeof tmp, plain, plain_len);
if (len != cipher_len) {
fprintf(stderr,
"wrong encrypted length: %lu vs %lu\n",
(unsigned long)len,
(unsigned long)cipher_len);
}
if (rng.ptr != rng.len) {
fprintf(stderr, "seed not fully consumed\n");
exit(EXIT_FAILURE);
}
check_equals("KAT RSA/OAEP encrypt", tmp, cipher, len);
if (mdec(&br_sha1_vtable, NULL, 0,
&sk, tmp, &len) != 1)
{
fprintf(stderr, "decryption failed\n");
exit(EXIT_FAILURE);
}
if (len != plain_len) {
fprintf(stderr,
"wrong decrypted length: %lu vs %lu\n",
(unsigned long)len,
(unsigned long)plain_len);
}
check_equals("KAT RSA/OAEP decrypt", tmp, plain, len);
/*
* Try with a different label; it should fail.
*/
memcpy(tmp, cipher, cipher_len);
len = cipher_len;
if (mdec(&br_sha1_vtable, "T", 1,
&sk, tmp, &len) != 0)
{
fprintf(stderr, "decryption should have failed"
" (wrong label)\n");
exit(EXIT_FAILURE);
}
/*
* Try with a the wrong length; it should fail.
*/
tmp[0] = 0x00;
memcpy(tmp + 1, cipher, cipher_len);
len = cipher_len + 1;
if (mdec(&br_sha1_vtable, "T", 1,
&sk, tmp, &len) != 0)
{
fprintf(stderr, "decryption should have failed"
" (wrong length)\n");
exit(EXIT_FAILURE);
}
printf(".");
fflush(stdout);
}
}
printf(" done.\n");
fflush(stdout);
}
static void
test_RSA_keygen(const char *name, br_rsa_keygen kg, br_rsa_compute_modulus cm,
br_rsa_compute_pubexp ce, br_rsa_compute_privexp cd,
br_rsa_public pub, br_rsa_pkcs1_sign sign, br_rsa_pkcs1_vrfy vrfy)
{
br_hmac_drbg_context rng;
int i;
printf("Test %s: ", name);
fflush(stdout);
br_hmac_drbg_init(&rng, &br_sha256_vtable, "seed for RSA keygen", 19);
for (i = 0; i <= 42; i ++) {
unsigned size;
uint32_t pubexp, z;
br_rsa_private_key sk;
br_rsa_public_key pk, pk2;
unsigned char kbuf_priv[BR_RSA_KBUF_PRIV_SIZE(2048)];
unsigned char kbuf_pub[BR_RSA_KBUF_PUB_SIZE(2048)];
unsigned char n2[256], d[256], msg1[256], msg2[256];
uint32_t mod[256];
uint32_t cc;
size_t u, v;
- unsigned char sig[257], hv[32], hv2[sizeof hv];
+ unsigned char sig[257], hv[32], hv2[32];
unsigned mask1, mask2;
int j;
if (i <= 35) {
size = 1024 + i;
pubexp = 17;
} else if (i <= 40) {
size = 2048;
pubexp = (i << 1) - 69;
} else {
size = 2048;
pubexp = 0xFFFFFFFF;
}
if (!kg(&rng.vtable,
&sk, kbuf_priv, &pk, kbuf_pub, size, pubexp))
{
fprintf(stderr, "RSA key pair generation failure\n");
exit(EXIT_FAILURE);
}
z = pubexp;
for (u = pk.elen; u > 0; u --) {
if (pk.e[u - 1] != (z & 0xFF)) {
fprintf(stderr, "wrong public exponent\n");
exit(EXIT_FAILURE);
}
z >>= 8;
}
if (z != 0) {
fprintf(stderr, "truncated public exponent\n");
exit(EXIT_FAILURE);
}
memset(mod, 0, sizeof mod);
for (u = 0; u < sk.plen; u ++) {
for (v = 0; v < sk.qlen; v ++) {
mod[u + v] += (uint32_t)sk.p[sk.plen - 1 - u]
* (uint32_t)sk.q[sk.qlen - 1 - v];
}
}
cc = 0;
for (u = 0; u < sk.plen + sk.qlen; u ++) {
mod[u] += cc;
cc = mod[u] >> 8;
mod[u] &= 0xFF;
}
for (u = 0; u < pk.nlen; u ++) {
if (mod[pk.nlen - 1 - u] != pk.n[u]) {
fprintf(stderr, "wrong modulus\n");
exit(EXIT_FAILURE);
}
}
if (sk.n_bitlen != size) {
fprintf(stderr, "wrong key size\n");
exit(EXIT_FAILURE);
}
if (pk.nlen != (size + 7) >> 3) {
fprintf(stderr, "wrong modulus size (bytes)\n");
exit(EXIT_FAILURE);
}
mask1 = 0x01 << ((size + 7) & 7);
mask2 = 0xFF & -mask1;
if ((pk.n[0] & mask2) != mask1) {
fprintf(stderr, "wrong modulus size (bits)\n");
exit(EXIT_FAILURE);
}
if (cm(NULL, &sk) != pk.nlen) {
fprintf(stderr, "wrong recomputed modulus length\n");
exit(EXIT_FAILURE);
}
if (cm(n2, &sk) != pk.nlen || memcmp(pk.n, n2, pk.nlen) != 0) {
fprintf(stderr, "wrong recomputed modulus value\n");
exit(EXIT_FAILURE);
}
z = ce(&sk);
if (z != pubexp) {
fprintf(stderr,
"wrong recomputed pubexp: %lu (exp: %lu)\n",
(unsigned long)z, (unsigned long)pubexp);
exit(EXIT_FAILURE);
}
if (cd(NULL, &sk, pubexp) != pk.nlen) {
fprintf(stderr,
"wrong recomputed privexp length (1)\n");
exit(EXIT_FAILURE);
}
if (cd(d, &sk, pubexp) != pk.nlen) {
fprintf(stderr,
"wrong recomputed privexp length (2)\n");
exit(EXIT_FAILURE);
}
/*
* To check that the private exponent is correct, we make
* it into a _public_ key, and use the public-key operation
* to perform the modular exponentiation.
*/
pk2 = pk;
pk2.e = d;
pk2.elen = pk.nlen;
rng.vtable->generate(&rng.vtable, msg1, pk.nlen);
msg1[0] = 0x00;
memcpy(msg2, msg1, pk.nlen);
if (!pub(msg2, pk.nlen, &pk2) || !pub(msg2, pk.nlen, &pk)) {
fprintf(stderr, "public-key operation error\n");
exit(EXIT_FAILURE);
}
if (memcmp(msg1, msg2, pk.nlen) != 0) {
fprintf(stderr, "wrong recomputed privexp\n");
exit(EXIT_FAILURE);
}
/*
* We test the RSA operation over a some random messages.
*/
for (j = 0; j < 20; j ++) {
rng.vtable->generate(&rng.vtable, hv, sizeof hv);
memset(sig, 0, sizeof sig);
sig[pk.nlen] = 0x00;
if (!sign(BR_HASH_OID_SHA256,
hv, sizeof hv, &sk, sig))
{
fprintf(stderr,
"signature error (%d)\n", j);
exit(EXIT_FAILURE);
}
if (sig[pk.nlen] != 0x00) {
fprintf(stderr,
"signature length error (%d)\n", j);
exit(EXIT_FAILURE);
}
if (!vrfy(sig, pk.nlen, BR_HASH_OID_SHA256, sizeof hv,
&pk, hv2))
{
fprintf(stderr,
"signature verif error (%d)\n", j);
exit(EXIT_FAILURE);
}
if (memcmp(hv, hv2, sizeof hv) != 0) {
fprintf(stderr,
"signature extract error (%d)\n", j);
exit(EXIT_FAILURE);
}
}
printf(".");
fflush(stdout);
}
printf(" done.\n");
fflush(stdout);
}
static void
test_RSA_i15(void)
{
test_RSA_core("RSA i15 core", &br_rsa_i15_public, &br_rsa_i15_private);
test_RSA_sign("RSA i15 sign", &br_rsa_i15_private,
&br_rsa_i15_pkcs1_sign, &br_rsa_i15_pkcs1_vrfy);
test_RSA_OAEP("RSA i15 OAEP",
&br_rsa_i15_oaep_encrypt, &br_rsa_i15_oaep_decrypt);
test_RSA_PSS("RSA i15 PSS",
&br_rsa_i15_pss_sign, &br_rsa_i15_pss_vrfy);
test_RSA_keygen("RSA i15 keygen", &br_rsa_i15_keygen,
&br_rsa_i15_compute_modulus, &br_rsa_i15_compute_pubexp,
&br_rsa_i15_compute_privexp, &br_rsa_i15_public,
&br_rsa_i15_pkcs1_sign, &br_rsa_i15_pkcs1_vrfy);
}
static void
test_RSA_i31(void)
{
test_RSA_core("RSA i31 core", &br_rsa_i31_public, &br_rsa_i31_private);
test_RSA_sign("RSA i31 sign", &br_rsa_i31_private,
&br_rsa_i31_pkcs1_sign, &br_rsa_i31_pkcs1_vrfy);
test_RSA_OAEP("RSA i31 OAEP",
&br_rsa_i31_oaep_encrypt, &br_rsa_i31_oaep_decrypt);
test_RSA_PSS("RSA i31 PSS",
&br_rsa_i31_pss_sign, &br_rsa_i31_pss_vrfy);
test_RSA_keygen("RSA i31 keygen", &br_rsa_i31_keygen,
&br_rsa_i31_compute_modulus, &br_rsa_i31_compute_pubexp,
&br_rsa_i31_compute_privexp, &br_rsa_i31_public,
&br_rsa_i31_pkcs1_sign, &br_rsa_i31_pkcs1_vrfy);
}
static void
test_RSA_i32(void)
{
test_RSA_core("RSA i32 core", &br_rsa_i32_public, &br_rsa_i32_private);
test_RSA_sign("RSA i32 sign", &br_rsa_i32_private,
&br_rsa_i32_pkcs1_sign, &br_rsa_i32_pkcs1_vrfy);
test_RSA_OAEP("RSA i32 OAEP",
&br_rsa_i32_oaep_encrypt, &br_rsa_i32_oaep_decrypt);
test_RSA_PSS("RSA i32 PSS",
&br_rsa_i32_pss_sign, &br_rsa_i32_pss_vrfy);
}
static void
test_RSA_i62(void)
{
br_rsa_public pub;
br_rsa_private priv;
br_rsa_pkcs1_sign sign;
br_rsa_pkcs1_vrfy vrfy;
br_rsa_pss_sign pss_sign;
br_rsa_pss_vrfy pss_vrfy;
br_rsa_oaep_encrypt menc;
br_rsa_oaep_decrypt mdec;
br_rsa_keygen kgen;
pub = br_rsa_i62_public_get();
priv = br_rsa_i62_private_get();
sign = br_rsa_i62_pkcs1_sign_get();
vrfy = br_rsa_i62_pkcs1_vrfy_get();
pss_sign = br_rsa_i62_pss_sign_get();
pss_vrfy = br_rsa_i62_pss_vrfy_get();
menc = br_rsa_i62_oaep_encrypt_get();
mdec = br_rsa_i62_oaep_decrypt_get();
kgen = br_rsa_i62_keygen_get();
if (pub) {
if (!priv || !sign || !vrfy || !pss_sign || !pss_vrfy
|| !menc || !mdec || !kgen)
{
fprintf(stderr, "Inconsistent i62 availability\n");
exit(EXIT_FAILURE);
}
test_RSA_core("RSA i62 core", pub, priv);
test_RSA_sign("RSA i62 sign", priv, sign, vrfy);
test_RSA_OAEP("RSA i62 OAEP", menc, mdec);
test_RSA_PSS("RSA i62 PSS", pss_sign, pss_vrfy);
test_RSA_keygen("RSA i62 keygen", kgen,
&br_rsa_i31_compute_modulus, &br_rsa_i31_compute_pubexp,
&br_rsa_i31_compute_privexp, pub,
sign, vrfy);
} else {
if (priv || sign || vrfy || pss_sign || pss_vrfy
|| menc || mdec || kgen)
{
fprintf(stderr, "Inconsistent i62 availability\n");
exit(EXIT_FAILURE);
}
printf("Test RSA i62: UNAVAILABLE\n");
}
}
#if 0
static void
test_RSA_signatures(void)
{
uint32_t n[40], e[2], p[20], q[20], dp[20], dq[20], iq[20], x[40];
unsigned char hv[20], sig[128];
unsigned char ref[128], tmp[128];
br_sha1_context hc;
printf("Test RSA signatures: ");
fflush(stdout);
/*
* Decode RSA key elements.
*/
br_int_decode(n, sizeof n / sizeof n[0], RSA_N, sizeof RSA_N);
br_int_decode(e, sizeof e / sizeof e[0], RSA_E, sizeof RSA_E);
br_int_decode(p, sizeof p / sizeof p[0], RSA_P, sizeof RSA_P);
br_int_decode(q, sizeof q / sizeof q[0], RSA_Q, sizeof RSA_Q);
br_int_decode(dp, sizeof dp / sizeof dp[0], RSA_DP, sizeof RSA_DP);
br_int_decode(dq, sizeof dq / sizeof dq[0], RSA_DQ, sizeof RSA_DQ);
br_int_decode(iq, sizeof iq / sizeof iq[0], RSA_IQ, sizeof RSA_IQ);
/*
* Decode reference signature (computed with OpenSSL).
*/
hextobin(ref, "45A3DC6A106BCD3BD0E48FB579643AA3FF801E5903E80AA9B43A695A8E7F454E93FA208B69995FF7A6D5617C2FEB8E546375A664977A48931842AAE796B5A0D64393DCA35F3490FC157F5BD83B9D58C2F7926E6AE648A2BD96CAB8FCCD3D35BB11424AD47D973FF6D69CA774841AEC45DFAE99CCF79893E7047FDE6CB00AA76D");
/*
* Recompute signature. Since PKCS#1 v1.5 signatures are
* deterministic, we should get the same as the reference signature.
*/
br_sha1_init(&hc);
br_sha1_update(&hc, "test", 4);
br_sha1_out(&hc, hv);
if (!br_rsa_sign(sig, sizeof sig, p, q, dp, dq, iq, br_sha1_ID, hv)) {
fprintf(stderr, "RSA-1024/SHA-1 sig generate failed\n");
exit(EXIT_FAILURE);
}
check_equals("KAT RSA-sign 1", sig, ref, sizeof sig);
/*
* Verify signature.
*/
if (!br_rsa_verify(sig, sizeof sig, n, e, br_sha1_ID, hv)) {
fprintf(stderr, "RSA-1024/SHA-1 sig verify failed\n");
exit(EXIT_FAILURE);
}
hv[5] ^= 0x01;
if (br_rsa_verify(sig, sizeof sig, n, e, br_sha1_ID, hv)) {
fprintf(stderr, "RSA-1024/SHA-1 sig verify should have failed\n");
exit(EXIT_FAILURE);
}
hv[5] ^= 0x01;
/*
* Generate a signature with the alternate encoding (no NULL) and
* verify it.
*/
hextobin(tmp, "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00301F300706052B0E03021A0414A94A8FE5CCB19BA61C4C0873D391E987982FBBD3");
br_int_decode(x, sizeof x / sizeof x[0], tmp, sizeof tmp);
x[0] = n[0];
br_rsa_private_core(x, p, q, dp, dq, iq);
br_int_encode(sig, sizeof sig, x);
if (!br_rsa_verify(sig, sizeof sig, n, e, br_sha1_ID, hv)) {
fprintf(stderr, "RSA-1024/SHA-1 sig verify (alt) failed\n");
exit(EXIT_FAILURE);
}
hv[5] ^= 0x01;
if (br_rsa_verify(sig, sizeof sig, n, e, br_sha1_ID, hv)) {
fprintf(stderr, "RSA-1024/SHA-1 sig verify (alt) should have failed\n");
exit(EXIT_FAILURE);
}
hv[5] ^= 0x01;
printf("done.\n");
fflush(stdout);
}
#endif
/*
* From: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
*/
static const char *const KAT_GHASH[] = {
"66e94bd4ef8a2c3b884cfa59ca342b2e",
"",
"",
"00000000000000000000000000000000",
"66e94bd4ef8a2c3b884cfa59ca342b2e",
"",
"0388dace60b6a392f328c2b971b2fe78",
"f38cbb1ad69223dcc3457ae5b6b0f885",
"b83b533708bf535d0aa6e52980d53b78",
"",
"42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985",
"7f1b32b81b820d02614f8895ac1d4eac",
"b83b533708bf535d0aa6e52980d53b78",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091",
"698e57f70e6ecc7fd9463b7260a9ae5f",
"b83b533708bf535d0aa6e52980d53b78",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598",
"df586bb4c249b92cb6922877e444d37b",
"b83b533708bf535d0aa6e52980d53b78",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5",
"1c5afe9760d3932f3c9a878aac3dc3de",
"aae06992acbf52a3e8f4a96ec9300bd7",
"",
"98e7247c07f0fe411c267e4384b0f600",
"e2c63f0ac44ad0e02efa05ab6743d4ce",
"466923ec9ae682214f2c082badb39249",
"",
"3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710acade256",
"51110d40f6c8fff0eb1ae33445a889f0",
"466923ec9ae682214f2c082badb39249",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710",
"ed2ce3062e4a8ec06db8b4c490e8a268",
"466923ec9ae682214f2c082badb39249",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9a471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f7",
"1e6a133806607858ee80eaf237064089",
"466923ec9ae682214f2c082badb39249",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012af34ddd9e2f037589b292db3e67c036745fa22e7e9b7373b",
"82567fb0b4cc371801eadec005968e94",
"dc95c078a2408989ad48a21492842087",
"",
"cea7403d4d606b6e074ec5d3baf39d18",
"83de425c5edc5d498f382c441041ca92",
"acbef20579b4b8ebce889bac8732dad7",
"",
"522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad",
"4db870d37cb75fcb46097c36230d1612",
"acbef20579b4b8ebce889bac8732dad7",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662",
"8bd0c4d8aacd391e67cca447e8c38f65",
"acbef20579b4b8ebce889bac8732dad7",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f",
"75a34288b8c68f811c52b2e9a2f97f63",
"acbef20579b4b8ebce889bac8732dad7",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f",
"d5ffcf6fc5ac4d69722187421a7f170b",
NULL,
};
static void
test_GHASH(const char *name, br_ghash gh)
{
size_t u;
printf("Test %s: ", name);
fflush(stdout);
for (u = 0; KAT_GHASH[u]; u += 4) {
unsigned char h[16];
unsigned char a[100];
size_t a_len;
unsigned char c[100];
size_t c_len;
unsigned char p[16];
unsigned char y[16];
unsigned char ref[16];
hextobin(h, KAT_GHASH[u]);
a_len = hextobin(a, KAT_GHASH[u + 1]);
c_len = hextobin(c, KAT_GHASH[u + 2]);
hextobin(ref, KAT_GHASH[u + 3]);
memset(y, 0, sizeof y);
gh(y, h, a, a_len);
gh(y, h, c, c_len);
memset(p, 0, sizeof p);
br_enc32be(p + 4, (uint32_t)a_len << 3);
br_enc32be(p + 12, (uint32_t)c_len << 3);
gh(y, h, p, sizeof p);
check_equals("KAT GHASH", y, ref, sizeof ref);
}
for (u = 0; u <= 1024; u ++) {
unsigned char key[32], iv[12];
unsigned char buf[1024 + 32];
unsigned char y0[16], y1[16];
char tmp[100];
memset(key, 0, sizeof key);
memset(iv, 0, sizeof iv);
br_enc32be(key, u);
memset(buf, 0, sizeof buf);
br_chacha20_ct_run(key, iv, 1, buf, sizeof buf);
memcpy(y0, buf, 16);
br_ghash_ctmul32(y0, buf + 16, buf + 32, u);
memcpy(y1, buf, 16);
gh(y1, buf + 16, buf + 32, u);
sprintf(tmp, "XREF %s (len = %u)", name, (unsigned)u);
check_equals(tmp, y0, y1, 16);
if ((u & 31) == 0) {
printf(".");
fflush(stdout);
}
}
printf("done.\n");
fflush(stdout);
}
static void
test_GHASH_ctmul(void)
{
test_GHASH("GHASH_ctmul", br_ghash_ctmul);
}
static void
test_GHASH_ctmul32(void)
{
test_GHASH("GHASH_ctmul32", br_ghash_ctmul32);
}
static void
test_GHASH_ctmul64(void)
{
test_GHASH("GHASH_ctmul64", br_ghash_ctmul64);
}
static void
test_GHASH_pclmul(void)
{
br_ghash gh;
gh = br_ghash_pclmul_get();
if (gh == 0) {
printf("Test GHASH_pclmul: UNAVAILABLE\n");
} else {
test_GHASH("GHASH_pclmul", gh);
}
}
static void
test_GHASH_pwr8(void)
{
br_ghash gh;
gh = br_ghash_pwr8_get();
if (gh == 0) {
printf("Test GHASH_pwr8: UNAVAILABLE\n");
} else {
test_GHASH("GHASH_pwr8", gh);
}
}
/*
* From: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
*
* Order: key, plaintext, AAD, IV, ciphertext, tag
*/
static const char *const KAT_GCM[] = {
"00000000000000000000000000000000",
"",
"",
"000000000000000000000000",
"",
"58e2fccefa7e3061367f1d57a4e7455a",
"00000000000000000000000000000000",
"00000000000000000000000000000000",
"",
"000000000000000000000000",
"0388dace60b6a392f328c2b971b2fe78",
"ab6e47d42cec13bdf53a67b21257bddf",
"feffe9928665731c6d6a8f9467308308",
"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255",
"",
"cafebabefacedbaddecaf888",
"42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985",
"4d5c2af327cd64a62cf35abd2ba6fab4",
"feffe9928665731c6d6a8f9467308308",
"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"cafebabefacedbaddecaf888",
"42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091",
"5bc94fbc3221a5db94fae95ae7121a47",
"feffe9928665731c6d6a8f9467308308",
"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"cafebabefacedbad",
"61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598",
"3612d2e79e3b0785561be14aaca2fccb",
"feffe9928665731c6d6a8f9467308308",
"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
"8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5",
"619cc5aefffe0bfa462af43c1699d050",
"000000000000000000000000000000000000000000000000",
"",
"",
"000000000000000000000000",
"",
"cd33b28ac773f74ba00ed1f312572435",
"000000000000000000000000000000000000000000000000",
"00000000000000000000000000000000",
"",
"000000000000000000000000",
"98e7247c07f0fe411c267e4384b0f600",
"2ff58d80033927ab8ef4d4587514f0fb",
"feffe9928665731c6d6a8f9467308308feffe9928665731c",
"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255",
"",
"cafebabefacedbaddecaf888",
"3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710acade256",
"9924a7c8587336bfb118024db8674a14",
"feffe9928665731c6d6a8f9467308308feffe9928665731c",
"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"cafebabefacedbaddecaf888",
"3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710",
"2519498e80f1478f37ba55bd6d27618c",
"feffe9928665731c6d6a8f9467308308feffe9928665731c",
"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"cafebabefacedbad",
"0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9a471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f7",
"65dcc57fcf623a24094fcca40d3533f8",
"feffe9928665731c6d6a8f9467308308feffe9928665731c",
"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
"d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012af34ddd9e2f037589b292db3e67c036745fa22e7e9b7373b",
"dcf566ff291c25bbb8568fc3d376a6d9",
"0000000000000000000000000000000000000000000000000000000000000000",
"",
"",
"000000000000000000000000",
"",
"530f8afbc74536b9a963b4f1c4cb738b",
"0000000000000000000000000000000000000000000000000000000000000000",
"00000000000000000000000000000000",
"",
"000000000000000000000000",
"cea7403d4d606b6e074ec5d3baf39d18",
"d0d1c8a799996bf0265b98b5d48ab919",
"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255",
"",
"cafebabefacedbaddecaf888",
"522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad",
"b094dac5d93471bdec1a502270e3cc6c",
"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"cafebabefacedbaddecaf888",
"522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662",
"76fc6ece0f4e1768cddf8853bb2d551b",
"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"cafebabefacedbad",
"c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f",
"3a337dbf46a792c45e454913fe2ea8f2",
"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
"feedfacedeadbeeffeedfacedeadbeefabaddad2",
"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
"5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f",
"a44a8266ee1c8eb0c8b5d4cf5ae9f19a",
NULL
};
static void
test_GCM(void)
{
size_t u;
printf("Test GCM: ");
fflush(stdout);
for (u = 0; KAT_GCM[u]; u += 6) {
unsigned char key[32];
unsigned char plain[100];
unsigned char aad[100];
unsigned char iv[100];
unsigned char cipher[100];
unsigned char tag[100];
size_t key_len, plain_len, aad_len, iv_len;
br_aes_ct_ctr_keys bc;
br_gcm_context gc;
unsigned char tmp[100], out[16];
size_t v, tag_len;
key_len = hextobin(key, KAT_GCM[u]);
plain_len = hextobin(plain, KAT_GCM[u + 1]);
aad_len = hextobin(aad, KAT_GCM[u + 2]);
iv_len = hextobin(iv, KAT_GCM[u + 3]);
hextobin(cipher, KAT_GCM[u + 4]);
hextobin(tag, KAT_GCM[u + 5]);
br_aes_ct_ctr_init(&bc, key, key_len);
br_gcm_init(&gc, &bc.vtable, br_ghash_ctmul32);
memset(tmp, 0x54, sizeof tmp);
/*
* Basic operation.
*/
memcpy(tmp, plain, plain_len);
br_gcm_reset(&gc, iv, iv_len);
br_gcm_aad_inject(&gc, aad, aad_len);
br_gcm_flip(&gc);
br_gcm_run(&gc, 1, tmp, plain_len);
br_gcm_get_tag(&gc, out);
check_equals("KAT GCM 1", tmp, cipher, plain_len);
check_equals("KAT GCM 2", out, tag, 16);
br_gcm_reset(&gc, iv, iv_len);
br_gcm_aad_inject(&gc, aad, aad_len);
br_gcm_flip(&gc);
br_gcm_run(&gc, 0, tmp, plain_len);
check_equals("KAT GCM 3", tmp, plain, plain_len);
if (!br_gcm_check_tag(&gc, tag)) {
fprintf(stderr, "Tag not verified (1)\n");
exit(EXIT_FAILURE);
}
for (v = plain_len; v < sizeof tmp; v ++) {
if (tmp[v] != 0x54) {
fprintf(stderr, "overflow on data\n");
exit(EXIT_FAILURE);
}
}
/*
* Byte-by-byte injection.
*/
br_gcm_reset(&gc, iv, iv_len);
for (v = 0; v < aad_len; v ++) {
br_gcm_aad_inject(&gc, aad + v, 1);
}
br_gcm_flip(&gc);
for (v = 0; v < plain_len; v ++) {
br_gcm_run(&gc, 1, tmp + v, 1);
}
check_equals("KAT GCM 4", tmp, cipher, plain_len);
if (!br_gcm_check_tag(&gc, tag)) {
fprintf(stderr, "Tag not verified (2)\n");
exit(EXIT_FAILURE);
}
br_gcm_reset(&gc, iv, iv_len);
for (v = 0; v < aad_len; v ++) {
br_gcm_aad_inject(&gc, aad + v, 1);
}
br_gcm_flip(&gc);
for (v = 0; v < plain_len; v ++) {
br_gcm_run(&gc, 0, tmp + v, 1);
}
br_gcm_get_tag(&gc, out);
check_equals("KAT GCM 5", tmp, plain, plain_len);
check_equals("KAT GCM 6", out, tag, 16);
/*
* Check that alterations are detected.
*/
for (v = 0; v < aad_len; v ++) {
memcpy(tmp, cipher, plain_len);
br_gcm_reset(&gc, iv, iv_len);
aad[v] ^= 0x04;
br_gcm_aad_inject(&gc, aad, aad_len);
aad[v] ^= 0x04;
br_gcm_flip(&gc);
br_gcm_run(&gc, 0, tmp, plain_len);
check_equals("KAT GCM 7", tmp, plain, plain_len);
if (br_gcm_check_tag(&gc, tag)) {
fprintf(stderr, "Tag should have changed\n");
exit(EXIT_FAILURE);
}
}
/*
* Tag truncation.
*/
for (tag_len = 1; tag_len <= 16; tag_len ++) {
memset(out, 0x54, sizeof out);
memcpy(tmp, plain, plain_len);
br_gcm_reset(&gc, iv, iv_len);
br_gcm_aad_inject(&gc, aad, aad_len);
br_gcm_flip(&gc);
br_gcm_run(&gc, 1, tmp, plain_len);
br_gcm_get_tag_trunc(&gc, out, tag_len);
check_equals("KAT GCM 8", out, tag, tag_len);
for (v = tag_len; v < sizeof out; v ++) {
if (out[v] != 0x54) {
fprintf(stderr, "overflow on tag\n");
exit(EXIT_FAILURE);
}
}
memcpy(tmp, plain, plain_len);
br_gcm_reset(&gc, iv, iv_len);
br_gcm_aad_inject(&gc, aad, aad_len);
br_gcm_flip(&gc);
br_gcm_run(&gc, 1, tmp, plain_len);
if (!br_gcm_check_tag_trunc(&gc, out, tag_len)) {
fprintf(stderr, "Tag not verified (3)\n");
exit(EXIT_FAILURE);
}
}
printf(".");
fflush(stdout);
}
printf(" done.\n");
fflush(stdout);
}
/*
* From "The EAX Mode of Operation (A Two-Pass Authenticated Encryption
* Scheme Optimized for Simplicity and Efficiency)" (Bellare, Rogaway,
* Wagner), presented at FSE 2004. Full article is available at:
* http://web.cs.ucdavis.edu/~rogaway/papers/eax.html
*
* EAX specification concatenates the authentication tag at the end of
* the ciphertext; in our API and the vectors below, the tag is separate.
*
* Order is: plaintext, key, nonce, header, ciphertext, tag.
*/
static const char *const KAT_EAX[] = {
"",
"233952dee4d5ed5f9b9c6d6ff80ff478",
"62ec67f9c3a4a407fcb2a8c49031a8b3",
"6bfb914fd07eae6b",
"",
"e037830e8389f27b025a2d6527e79d01",
"f7fb",
"91945d3f4dcbee0bf45ef52255f095a4",
"becaf043b0a23d843194ba972c66debd",
"fa3bfd4806eb53fa",
"19dd",
"5c4c9331049d0bdab0277408f67967e5",
"1a47cb4933",
"01f74ad64077f2e704c0f60ada3dd523",
"70c3db4f0d26368400a10ed05d2bff5e",
"234a3463c1264ac6",
"d851d5bae0",
"3a59f238a23e39199dc9266626c40f80",
"481c9e39b1",
"d07cf6cbb7f313bdde66b727afd3c5e8",
"8408dfff3c1a2b1292dc199e46b7d617",
"33cce2eabff5a79d",
"632a9d131a",
"d4c168a4225d8e1ff755939974a7bede",
"40d0c07da5e4",
"35b6d0580005bbc12b0587124557d2c2",
"fdb6b06676eedc5c61d74276e1f8e816",
"aeb96eaebe2970e9",
"071dfe16c675",
"cb0677e536f73afe6a14b74ee49844dd",
"4de3b35c3fc039245bd1fb7d",
"bd8e6e11475e60b268784c38c62feb22",
"6eac5c93072d8e8513f750935e46da1b",
"d4482d1ca78dce0f",
"835bb4f15d743e350e728414",
"abb8644fd6ccb86947c5e10590210a4f",
"8b0a79306c9ce7ed99dae4f87f8dd61636",
"7c77d6e813bed5ac98baa417477a2e7d",
"1a8c98dcd73d38393b2bf1569deefc19",
"65d2017990d62528",
"02083e3979da014812f59f11d52630da30",
"137327d10649b0aa6e1c181db617d7f2",
"1bda122bce8a8dbaf1877d962b8592dd2d56",
"5fff20cafab119ca2fc73549e20f5b0d",
"dde59b97d722156d4d9aff2bc7559826",
"54b9f04e6a09189a",
"2ec47b2c4954a489afc7ba4897edcdae8cc3",
"3b60450599bd02c96382902aef7f832a",
"6cf36720872b8513f6eab1a8a44438d5ef11",
"a4a4782bcffd3ec5e7ef6d8c34a56123",
"b781fcf2f75fa5a8de97a9ca48e522ec",
"899a175897561d7e",
"0de18fd0fdd91e7af19f1d8ee8733938b1e8",
"e7f6d2231618102fdb7fe55ff1991700",
"ca40d7446e545ffaed3bd12a740a659ffbbb3ceab7",
"8395fcf1e95bebd697bd010bc766aac3",
"22e7add93cfc6393c57ec0b3c17d6b44",
"126735fcc320d25a",
"cb8920f87a6c75cff39627b56e3ed197c552d295a7",
"cfc46afc253b4652b1af3795b124ab6e",
NULL
};
static void
test_EAX_inner(const char *name, const br_block_ctrcbc_class *vt)
{
size_t u;
printf("Test EAX %s: ", name);
fflush(stdout);
for (u = 0; KAT_EAX[u]; u += 6) {
unsigned char plain[100];
unsigned char key[32];
unsigned char nonce[100];
unsigned char aad[100];
unsigned char cipher[100];
unsigned char tag[100];
size_t plain_len, key_len, nonce_len, aad_len;
br_aes_gen_ctrcbc_keys bc;
br_eax_context ec;
br_eax_state st;
unsigned char tmp[100], out[16];
size_t v, tag_len;
plain_len = hextobin(plain, KAT_EAX[u]);
key_len = hextobin(key, KAT_EAX[u + 1]);
nonce_len = hextobin(nonce, KAT_EAX[u + 2]);
aad_len = hextobin(aad, KAT_EAX[u + 3]);
hextobin(cipher, KAT_EAX[u + 4]);
hextobin(tag, KAT_EAX[u + 5]);
vt->init(&bc.vtable, key, key_len);
br_eax_init(&ec, &bc.vtable);
memset(tmp, 0x54, sizeof tmp);
/*
* Basic operation.
*/
memcpy(tmp, plain, plain_len);
br_eax_reset(&ec, nonce, nonce_len);
br_eax_aad_inject(&ec, aad, aad_len);
br_eax_flip(&ec);
br_eax_run(&ec, 1, tmp, plain_len);
br_eax_get_tag(&ec, out);
check_equals("KAT EAX 1", tmp, cipher, plain_len);
check_equals("KAT EAX 2", out, tag, 16);
br_eax_reset(&ec, nonce, nonce_len);
br_eax_aad_inject(&ec, aad, aad_len);
br_eax_flip(&ec);
br_eax_run(&ec, 0, tmp, plain_len);
check_equals("KAT EAX 3", tmp, plain, plain_len);
if (!br_eax_check_tag(&ec, tag)) {
fprintf(stderr, "Tag not verified (1)\n");
exit(EXIT_FAILURE);
}
for (v = plain_len; v < sizeof tmp; v ++) {
if (tmp[v] != 0x54) {
fprintf(stderr, "overflow on data\n");
exit(EXIT_FAILURE);
}
}
/*
* Byte-by-byte injection.
*/
br_eax_reset(&ec, nonce, nonce_len);
for (v = 0; v < aad_len; v ++) {
br_eax_aad_inject(&ec, aad + v, 1);
}
br_eax_flip(&ec);
for (v = 0; v < plain_len; v ++) {
br_eax_run(&ec, 1, tmp + v, 1);
}
check_equals("KAT EAX 4", tmp, cipher, plain_len);
if (!br_eax_check_tag(&ec, tag)) {
fprintf(stderr, "Tag not verified (2)\n");
exit(EXIT_FAILURE);
}
br_eax_reset(&ec, nonce, nonce_len);
for (v = 0; v < aad_len; v ++) {
br_eax_aad_inject(&ec, aad + v, 1);
}
br_eax_flip(&ec);
for (v = 0; v < plain_len; v ++) {
br_eax_run(&ec, 0, tmp + v, 1);
}
br_eax_get_tag(&ec, out);
check_equals("KAT EAX 5", tmp, plain, plain_len);
check_equals("KAT EAX 6", out, tag, 16);
/*
* Check that alterations are detected.
*/
for (v = 0; v < aad_len; v ++) {
memcpy(tmp, cipher, plain_len);
br_eax_reset(&ec, nonce, nonce_len);
aad[v] ^= 0x04;
br_eax_aad_inject(&ec, aad, aad_len);
aad[v] ^= 0x04;
br_eax_flip(&ec);
br_eax_run(&ec, 0, tmp, plain_len);
check_equals("KAT EAX 7", tmp, plain, plain_len);
if (br_eax_check_tag(&ec, tag)) {
fprintf(stderr, "Tag should have changed\n");
exit(EXIT_FAILURE);
}
}
/*
* Tag truncation.
*/
for (tag_len = 1; tag_len <= 16; tag_len ++) {
memset(out, 0x54, sizeof out);
memcpy(tmp, plain, plain_len);
br_eax_reset(&ec, nonce, nonce_len);
br_eax_aad_inject(&ec, aad, aad_len);
br_eax_flip(&ec);
br_eax_run(&ec, 1, tmp, plain_len);
br_eax_get_tag_trunc(&ec, out, tag_len);
check_equals("KAT EAX 8", out, tag, tag_len);
for (v = tag_len; v < sizeof out; v ++) {
if (out[v] != 0x54) {
fprintf(stderr, "overflow on tag\n");
exit(EXIT_FAILURE);
}
}
memcpy(tmp, plain, plain_len);
br_eax_reset(&ec, nonce, nonce_len);
br_eax_aad_inject(&ec, aad, aad_len);
br_eax_flip(&ec);
br_eax_run(&ec, 1, tmp, plain_len);
if (!br_eax_check_tag_trunc(&ec, out, tag_len)) {
fprintf(stderr, "Tag not verified (3)\n");
exit(EXIT_FAILURE);
}
}
printf(".");
fflush(stdout);
/*
* For capture tests, we need the message to be non-empty.
*/
if (plain_len == 0) {
continue;
}
/*
* Captured state, pre-AAD. This requires the AAD and the
* message to be non-empty.
*/
br_eax_capture(&ec, &st);
if (aad_len > 0) {
br_eax_reset_pre_aad(&ec, &st, nonce, nonce_len);
br_eax_aad_inject(&ec, aad, aad_len);
br_eax_flip(&ec);
memcpy(tmp, plain, plain_len);
br_eax_run(&ec, 1, tmp, plain_len);
br_eax_get_tag(&ec, out);
check_equals("KAT EAX 9", tmp, cipher, plain_len);
check_equals("KAT EAX 10", out, tag, 16);
br_eax_reset_pre_aad(&ec, &st, nonce, nonce_len);
br_eax_aad_inject(&ec, aad, aad_len);
br_eax_flip(&ec);
br_eax_run(&ec, 0, tmp, plain_len);
br_eax_get_tag(&ec, out);
check_equals("KAT EAX 11", tmp, plain, plain_len);
check_equals("KAT EAX 12", out, tag, 16);
}
/*
* Captured state, post-AAD. This requires the message to
* be non-empty.
*/
br_eax_reset(&ec, nonce, nonce_len);
br_eax_aad_inject(&ec, aad, aad_len);
br_eax_flip(&ec);
br_eax_get_aad_mac(&ec, &st);
br_eax_reset_post_aad(&ec, &st, nonce, nonce_len);
memcpy(tmp, plain, plain_len);
br_eax_run(&ec, 1, tmp, plain_len);
br_eax_get_tag(&ec, out);
check_equals("KAT EAX 13", tmp, cipher, plain_len);
check_equals("KAT EAX 14", out, tag, 16);
br_eax_reset_post_aad(&ec, &st, nonce, nonce_len);
br_eax_run(&ec, 0, tmp, plain_len);
br_eax_get_tag(&ec, out);
check_equals("KAT EAX 15", tmp, plain, plain_len);
check_equals("KAT EAX 16", out, tag, 16);
printf(".");
fflush(stdout);
}
printf(" done.\n");
fflush(stdout);
}
static void
test_EAX(void)
{
const br_block_ctrcbc_class *x_ctrcbc;
test_EAX_inner("aes_big", &br_aes_big_ctrcbc_vtable);
test_EAX_inner("aes_small", &br_aes_small_ctrcbc_vtable);
test_EAX_inner("aes_ct", &br_aes_ct_ctrcbc_vtable);
test_EAX_inner("aes_ct64", &br_aes_ct64_ctrcbc_vtable);
x_ctrcbc = br_aes_x86ni_ctrcbc_get_vtable();
if (x_ctrcbc != NULL) {
test_EAX_inner("aes_x86ni", x_ctrcbc);
} else {
printf("Test EAX aes_x86ni: UNAVAILABLE\n");
}
x_ctrcbc = br_aes_pwr8_ctrcbc_get_vtable();
if (x_ctrcbc != NULL) {
test_EAX_inner("aes_pwr8", x_ctrcbc);
} else {
printf("Test EAX aes_pwr8: UNAVAILABLE\n");
}
}
/*
* From NIST SP 800-38C, appendix C.
*
* CCM specification concatenates the authentication tag at the end of
* the ciphertext; in our API and the vectors below, the tag is separate.
*
* Order is: key, nonce, aad, plaintext, ciphertext, tag.
*/
static const char *const KAT_CCM[] = {
"404142434445464748494a4b4c4d4e4f",
"10111213141516",
"0001020304050607",
"20212223",
"7162015b",
"4dac255d",
"404142434445464748494a4b4c4d4e4f",
"1011121314151617",
"000102030405060708090a0b0c0d0e0f",
"202122232425262728292a2b2c2d2e2f",
"d2a1f0e051ea5f62081a7792073d593d",
"1fc64fbfaccd",
"404142434445464748494a4b4c4d4e4f",
"101112131415161718191a1b",
"000102030405060708090a0b0c0d0e0f10111213",
"202122232425262728292a2b2c2d2e2f3031323334353637",
"e3b201a9f5b71a7a9b1ceaeccd97e70b6176aad9a4428aa5",
"484392fbc1b09951",
"404142434445464748494a4b4c4d4e4f",
"101112131415161718191a1b1c",
NULL,
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f",
"69915dad1e84c6376a68c2967e4dab615ae0fd1faec44cc484828529463ccf72",
"b4ac6bec93e8598e7f0dadbcea5b",
NULL
};
static void
test_CCM_inner(const char *name, const br_block_ctrcbc_class *vt)
{
size_t u;
printf("Test CCM %s: ", name);
fflush(stdout);
for (u = 0; KAT_CCM[u]; u += 6) {
unsigned char plain[100];
unsigned char key[32];
unsigned char nonce[100];
unsigned char aad_buf[100], *aad;
unsigned char cipher[100];
unsigned char tag[100];
size_t plain_len, key_len, nonce_len, aad_len, tag_len;
br_aes_gen_ctrcbc_keys bc;
br_ccm_context ec;
unsigned char tmp[100], out[16];
size_t v;
key_len = hextobin(key, KAT_CCM[u]);
nonce_len = hextobin(nonce, KAT_CCM[u + 1]);
if (KAT_CCM[u + 2] == NULL) {
aad_len = 65536;
aad = malloc(aad_len);
if (aad == NULL) {
fprintf(stderr, "OOM error\n");
exit(EXIT_FAILURE);
}
for (v = 0; v < 65536; v ++) {
aad[v] = (unsigned char)v;
}
} else {
aad = aad_buf;
aad_len = hextobin(aad, KAT_CCM[u + 2]);
}
plain_len = hextobin(plain, KAT_CCM[u + 3]);
hextobin(cipher, KAT_CCM[u + 4]);
tag_len = hextobin(tag, KAT_CCM[u + 5]);
vt->init(&bc.vtable, key, key_len);
br_ccm_init(&ec, &bc.vtable);
memset(tmp, 0x54, sizeof tmp);
/*
* Basic operation.
*/
memcpy(tmp, plain, plain_len);
if (!br_ccm_reset(&ec, nonce, nonce_len,
aad_len, plain_len, tag_len))
{
fprintf(stderr, "CCM reset failed\n");
exit(EXIT_FAILURE);
}
br_ccm_aad_inject(&ec, aad, aad_len);
br_ccm_flip(&ec);
br_ccm_run(&ec, 1, tmp, plain_len);
if (br_ccm_get_tag(&ec, out) != tag_len) {
fprintf(stderr, "CCM returned wrong tag length\n");
exit(EXIT_FAILURE);
}
check_equals("KAT CCM 1", tmp, cipher, plain_len);
check_equals("KAT CCM 2", out, tag, tag_len);
br_ccm_reset(&ec, nonce, nonce_len,
aad_len, plain_len, tag_len);
br_ccm_aad_inject(&ec, aad, aad_len);
br_ccm_flip(&ec);
br_ccm_run(&ec, 0, tmp, plain_len);
check_equals("KAT CCM 3", tmp, plain, plain_len);
if (!br_ccm_check_tag(&ec, tag)) {
fprintf(stderr, "Tag not verified (1)\n");
exit(EXIT_FAILURE);
}
for (v = plain_len; v < sizeof tmp; v ++) {
if (tmp[v] != 0x54) {
fprintf(stderr, "overflow on data\n");
exit(EXIT_FAILURE);
}
}
/*
* Byte-by-byte injection.
*/
br_ccm_reset(&ec, nonce, nonce_len,
aad_len, plain_len, tag_len);
for (v = 0; v < aad_len; v ++) {
br_ccm_aad_inject(&ec, aad + v, 1);
}
br_ccm_flip(&ec);
for (v = 0; v < plain_len; v ++) {
br_ccm_run(&ec, 1, tmp + v, 1);
}
check_equals("KAT CCM 4", tmp, cipher, plain_len);
if (!br_ccm_check_tag(&ec, tag)) {
fprintf(stderr, "Tag not verified (2)\n");
exit(EXIT_FAILURE);
}
br_ccm_reset(&ec, nonce, nonce_len,
aad_len, plain_len, tag_len);
for (v = 0; v < aad_len; v ++) {
br_ccm_aad_inject(&ec, aad + v, 1);
}
br_ccm_flip(&ec);
for (v = 0; v < plain_len; v ++) {
br_ccm_run(&ec, 0, tmp + v, 1);
}
br_ccm_get_tag(&ec, out);
check_equals("KAT CCM 5", tmp, plain, plain_len);
check_equals("KAT CCM 6", out, tag, tag_len);
/*
* Check that alterations are detected.
*/
for (v = 0; v < aad_len; v ++) {
memcpy(tmp, cipher, plain_len);
br_ccm_reset(&ec, nonce, nonce_len,
aad_len, plain_len, tag_len);
aad[v] ^= 0x04;
br_ccm_aad_inject(&ec, aad, aad_len);
aad[v] ^= 0x04;
br_ccm_flip(&ec);
br_ccm_run(&ec, 0, tmp, plain_len);
check_equals("KAT CCM 7", tmp, plain, plain_len);
if (br_ccm_check_tag(&ec, tag)) {
fprintf(stderr, "Tag should have changed\n");
exit(EXIT_FAILURE);
}
/*
* When the AAD is really big, we don't want to do
* the complete quadratic operation.
*/
if (v >= 32) {
break;
}
}
if (aad != aad_buf) {
free(aad);
}
printf(".");
fflush(stdout);
}
printf(" done.\n");
fflush(stdout);
}
static void
test_CCM(void)
{
const br_block_ctrcbc_class *x_ctrcbc;
test_CCM_inner("aes_big", &br_aes_big_ctrcbc_vtable);
test_CCM_inner("aes_small", &br_aes_small_ctrcbc_vtable);
test_CCM_inner("aes_ct", &br_aes_ct_ctrcbc_vtable);
test_CCM_inner("aes_ct64", &br_aes_ct64_ctrcbc_vtable);
x_ctrcbc = br_aes_x86ni_ctrcbc_get_vtable();
if (x_ctrcbc != NULL) {
test_CCM_inner("aes_x86ni", x_ctrcbc);
} else {
printf("Test CCM aes_x86ni: UNAVAILABLE\n");
}
x_ctrcbc = br_aes_pwr8_ctrcbc_get_vtable();
if (x_ctrcbc != NULL) {
test_CCM_inner("aes_pwr8", x_ctrcbc);
} else {
printf("Test CCM aes_pwr8: UNAVAILABLE\n");
}
}
static void
test_EC_inner(const char *sk, const char *sU,
const br_ec_impl *impl, int curve)
{
unsigned char bk[70];
unsigned char eG[150], eU[150];
uint32_t n[22], n0i;
size_t klen, ulen, nlen;
const br_ec_curve_def *cd;
br_hmac_drbg_context rng;
int i;
klen = hextobin(bk, sk);
ulen = hextobin(eU, sU);
switch (curve) {
case BR_EC_secp256r1:
cd = &br_secp256r1;
break;
case BR_EC_secp384r1:
cd = &br_secp384r1;
break;
case BR_EC_secp521r1:
cd = &br_secp521r1;
break;
default:
fprintf(stderr, "Unknown curve: %d\n", curve);
exit(EXIT_FAILURE);
break;
}
if (ulen != cd->generator_len) {
fprintf(stderr, "KAT vector wrong (%lu / %lu)\n",
(unsigned long)ulen,
(unsigned long)cd->generator_len);
}
memcpy(eG, cd->generator, ulen);
if (impl->mul(eG, ulen, bk, klen, curve) != 1) {
fprintf(stderr, "KAT multiplication failed\n");
exit(EXIT_FAILURE);
}
if (memcmp(eG, eU, ulen) != 0) {
fprintf(stderr, "KAT mul: mismatch\n");
exit(EXIT_FAILURE);
}
/*
* Test the two-point-mul function. We want to test the basic
* functionality, and the following special cases:
* x = y
* x + y = curve order
*/
nlen = cd->order_len;
br_i31_decode(n, cd->order, nlen);
n0i = br_i31_ninv31(n[1]);
br_hmac_drbg_init(&rng, &br_sha256_vtable, "seed for EC", 11);
for (i = 0; i < 10; i ++) {
unsigned char ba[80], bb[80], bx[80], by[80], bz[80];
uint32_t a[22], b[22], x[22], y[22], z[22], t1[22], t2[22];
uint32_t r;
unsigned char eA[160], eB[160], eC[160], eD[160];
/*
* Generate random a and b, and compute A = a*G and B = b*G.
*/
br_hmac_drbg_generate(&rng, ba, sizeof ba);
br_i31_decode_reduce(a, ba, sizeof ba, n);
br_i31_encode(ba, nlen, a);
br_hmac_drbg_generate(&rng, bb, sizeof bb);
br_i31_decode_reduce(b, bb, sizeof bb, n);
br_i31_encode(bb, nlen, b);
memcpy(eA, cd->generator, ulen);
impl->mul(eA, ulen, ba, nlen, cd->curve);
memcpy(eB, cd->generator, ulen);
impl->mul(eB, ulen, bb, nlen, cd->curve);
/*
* Generate random x and y (modulo n).
*/
br_hmac_drbg_generate(&rng, bx, sizeof bx);
br_i31_decode_reduce(x, bx, sizeof bx, n);
br_i31_encode(bx, nlen, x);
br_hmac_drbg_generate(&rng, by, sizeof by);
br_i31_decode_reduce(y, by, sizeof by, n);
br_i31_encode(by, nlen, y);
/*
* Compute z = a*x + b*y (mod n).
*/
memcpy(t1, x, sizeof x);
br_i31_to_monty(t1, n);
br_i31_montymul(z, a, t1, n, n0i);
memcpy(t1, y, sizeof y);
br_i31_to_monty(t1, n);
br_i31_montymul(t2, b, t1, n, n0i);
r = br_i31_add(z, t2, 1);
r |= br_i31_sub(z, n, 0) ^ 1;
br_i31_sub(z, n, r);
br_i31_encode(bz, nlen, z);
/*
* Compute C = x*A + y*B with muladd(), and also
* D = z*G with mul(). The two points must match.
*/
memcpy(eC, eA, ulen);
if (impl->muladd(eC, eB, ulen,
bx, nlen, by, nlen, cd->curve) != 1)
{
fprintf(stderr, "muladd() failed (1)\n");
exit(EXIT_FAILURE);
}
memcpy(eD, cd->generator, ulen);
if (impl->mul(eD, ulen, bz, nlen, cd->curve) != 1) {
fprintf(stderr, "mul() failed (1)\n");
exit(EXIT_FAILURE);
}
if (memcmp(eC, eD, nlen) != 0) {
fprintf(stderr, "mul() / muladd() mismatch\n");
exit(EXIT_FAILURE);
}
/*
* Also recomputed D = z*G with mulgen(). This must
* again match.
*/
memset(eD, 0, ulen);
if (impl->mulgen(eD, bz, nlen, cd->curve) != ulen) {
fprintf(stderr, "mulgen() failed: wrong length\n");
exit(EXIT_FAILURE);
}
if (memcmp(eC, eD, nlen) != 0) {
fprintf(stderr, "mulgen() / muladd() mismatch\n");
exit(EXIT_FAILURE);
}
/*
* Check with x*A = y*B. We do so by setting b = x and y = a.
*/
memcpy(b, x, sizeof x);
br_i31_encode(bb, nlen, b);
memcpy(eB, cd->generator, ulen);
impl->mul(eB, ulen, bb, nlen, cd->curve);
memcpy(y, a, sizeof a);
br_i31_encode(by, nlen, y);
memcpy(t1, x, sizeof x);
br_i31_to_monty(t1, n);
br_i31_montymul(z, a, t1, n, n0i);
memcpy(t1, y, sizeof y);
br_i31_to_monty(t1, n);
br_i31_montymul(t2, b, t1, n, n0i);
r = br_i31_add(z, t2, 1);
r |= br_i31_sub(z, n, 0) ^ 1;
br_i31_sub(z, n, r);
br_i31_encode(bz, nlen, z);
memcpy(eC, eA, ulen);
if (impl->muladd(eC, eB, ulen,
bx, nlen, by, nlen, cd->curve) != 1)
{
fprintf(stderr, "muladd() failed (2)\n");
exit(EXIT_FAILURE);
}
memcpy(eD, cd->generator, ulen);
if (impl->mul(eD, ulen, bz, nlen, cd->curve) != 1) {
fprintf(stderr, "mul() failed (2)\n");
exit(EXIT_FAILURE);
}
if (memcmp(eC, eD, nlen) != 0) {
fprintf(stderr,
"mul() / muladd() mismatch (x*A=y*B)\n");
exit(EXIT_FAILURE);
}
/*
* Check with x*A + y*B = 0. At that point, b = x, so we
* just need to set y = -a (mod n).
*/
memcpy(y, n, sizeof n);
br_i31_sub(y, a, 1);
br_i31_encode(by, nlen, y);
memcpy(eC, eA, ulen);
if (impl->muladd(eC, eB, ulen,
bx, nlen, by, nlen, cd->curve) != 0)
{
fprintf(stderr, "muladd() should have failed\n");
exit(EXIT_FAILURE);
}
}
printf(".");
fflush(stdout);
}
static void
test_EC_P256_carry_inner(const br_ec_impl *impl, const char *sP, const char *sQ)
{
- unsigned char P[65], Q[sizeof P], k[1];
+ unsigned char P[65], Q[65], k[1];
size_t plen, qlen;
plen = hextobin(P, sP);
qlen = hextobin(Q, sQ);
if (plen != sizeof P || qlen != sizeof P) {
fprintf(stderr, "KAT is incorrect\n");
exit(EXIT_FAILURE);
}
k[0] = 0x10;
if (impl->mul(P, plen, k, 1, BR_EC_secp256r1) != 1) {
fprintf(stderr, "P-256 multiplication failed\n");
exit(EXIT_FAILURE);
}
check_equals("P256_carry", P, Q, plen);
printf(".");
fflush(stdout);
}
static void
test_EC_P256_carry(const br_ec_impl *impl)
{
test_EC_P256_carry_inner(impl,
"0435BAA24B2B6E1B3C88E22A383BD88CC4B9A3166E7BCF94FF6591663AE066B33B821EBA1B4FC8EA609A87EB9A9C9A1CCD5C9F42FA1365306F64D7CAA718B8C978",
"0447752A76CA890328D34E675C4971EC629132D1FC4863EDB61219B72C4E58DC5E9D51E7B293488CFD913C3CF20E438BB65C2BA66A7D09EABB45B55E804260C5EB");
test_EC_P256_carry_inner(impl,
"04DCAE9D9CE211223602024A6933BD42F77B6BF4EAB9C8915F058C149419FADD2CC9FC0707B270A1B5362BA4D249AFC8AC3DA1EFCA8270176EEACA525B49EE19E6",
"048DAC7B0BE9B3206FCE8B24B6B4AEB122F2A67D13E536B390B6585CA193427E63F222388B5F51D744D6F5D47536D89EEEC89552BCB269E7828019C4410DFE980A");
}
static void
test_EC_KAT(const char *name, const br_ec_impl *impl, uint32_t curve_mask)
{
printf("Test %s: ", name);
fflush(stdout);
if (curve_mask & ((uint32_t)1 << BR_EC_secp256r1)) {
test_EC_inner(
"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721",
"0460FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB67903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299",
impl, BR_EC_secp256r1);
test_EC_P256_carry(impl);
}
if (curve_mask & ((uint32_t)1 << BR_EC_secp384r1)) {
test_EC_inner(
"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5",
"04EC3A4E415B4E19A4568618029F427FA5DA9A8BC4AE92E02E06AAE5286B300C64DEF8F0EA9055866064A254515480BC138015D9B72D7D57244EA8EF9AC0C621896708A59367F9DFB9F54CA84B3F1C9DB1288B231C3AE0D4FE7344FD2533264720",
impl, BR_EC_secp384r1);
}
if (curve_mask & ((uint32_t)1 << BR_EC_secp521r1)) {
test_EC_inner(
"00FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538",
"0401894550D0785932E00EAA23B694F213F8C3121F86DC97A04E5A7167DB4E5BCD371123D46E45DB6B5D5370A7F20FB633155D38FFA16D2BD761DCAC474B9A2F5023A400493101C962CD4D2FDDF782285E64584139C2F91B47F87FF82354D6630F746A28A0DB25741B5B34A828008B22ACC23F924FAAFBD4D33F81EA66956DFEAA2BFDFCF5",
impl, BR_EC_secp521r1);
}
printf(" done.\n");
fflush(stdout);
}
static void
test_EC_keygen(const char *name, const br_ec_impl *impl, uint32_t curves)
{
int curve;
br_hmac_drbg_context rng;
printf("Test %s keygen: ", name);
fflush(stdout);
br_hmac_drbg_init(&rng, &br_sha256_vtable, "seed for EC keygen", 18);
br_hmac_drbg_update(&rng, name, strlen(name));
for (curve = -1; curve <= 35; curve ++) {
br_ec_private_key sk;
br_ec_public_key pk;
unsigned char kbuf_priv[BR_EC_KBUF_PRIV_MAX_SIZE];
unsigned char kbuf_pub[BR_EC_KBUF_PUB_MAX_SIZE];
if (curve < 0 || curve >= 32 || ((curves >> curve) & 1) == 0) {
if (br_ec_keygen(&rng.vtable, impl,
&sk, kbuf_priv, curve) != 0)
{
fprintf(stderr, "br_ec_keygen() did not"
" reject unsupported curve %d\n",
curve);
exit(EXIT_FAILURE);
}
sk.curve = curve;
if (br_ec_compute_pub(impl, NULL, NULL, &sk) != 0) {
fprintf(stderr, "br_ec_keygen() did not"
" reject unsupported curve %d\n",
curve);
exit(EXIT_FAILURE);
}
} else {
size_t len, u;
unsigned char tmp_priv[sizeof kbuf_priv];
unsigned char tmp_pub[sizeof kbuf_pub];
unsigned z;
len = br_ec_keygen(&rng.vtable, impl,
NULL, NULL, curve);
if (len == 0) {
fprintf(stderr, "br_ec_keygen() rejects"
" supported curve %d\n", curve);
exit(EXIT_FAILURE);
}
if (len > sizeof kbuf_priv) {
fprintf(stderr, "oversized kbuf_priv\n");
exit(EXIT_FAILURE);
}
memset(kbuf_priv, 0, sizeof kbuf_priv);
if (br_ec_keygen(&rng.vtable, impl,
NULL, kbuf_priv, curve) != len)
{
fprintf(stderr, "kbuf_priv length mismatch\n");
exit(EXIT_FAILURE);
}
z = 0;
for (u = 0; u < len; u ++) {
z |= kbuf_priv[u];
}
if (z == 0) {
fprintf(stderr, "kbuf_priv not initialized\n");
exit(EXIT_FAILURE);
}
for (u = len; u < sizeof kbuf_priv; u ++) {
if (kbuf_priv[u] != 0) {
fprintf(stderr, "kbuf_priv overflow\n");
exit(EXIT_FAILURE);
}
}
if (br_ec_keygen(&rng.vtable, impl,
NULL, tmp_priv, curve) != len)
{
fprintf(stderr, "tmp_priv length mismatch\n");
exit(EXIT_FAILURE);
}
if (memcmp(kbuf_priv, tmp_priv, len) == 0) {
fprintf(stderr, "keygen stutter\n");
exit(EXIT_FAILURE);
}
memset(&sk, 0, sizeof sk);
if (br_ec_keygen(&rng.vtable, impl,
&sk, kbuf_priv, curve) != len)
{
fprintf(stderr,
"kbuf_priv length mismatch (2)\n");
exit(EXIT_FAILURE);
}
if (sk.curve != curve || sk.x != kbuf_priv
|| sk.xlen != len)
{
fprintf(stderr, "sk not initialized\n");
exit(EXIT_FAILURE);
}
len = br_ec_compute_pub(impl, NULL, NULL, &sk);
if (len > sizeof kbuf_pub) {
fprintf(stderr, "oversized kbuf_pub\n");
exit(EXIT_FAILURE);
}
memset(kbuf_pub, 0, sizeof kbuf_pub);
if (br_ec_compute_pub(impl, NULL,
kbuf_pub, &sk) != len)
{
fprintf(stderr, "kbuf_pub length mismatch\n");
exit(EXIT_FAILURE);
}
for (u = len; u < sizeof kbuf_pub; u ++) {
if (kbuf_pub[u] != 0) {
fprintf(stderr, "kbuf_pub overflow\n");
exit(EXIT_FAILURE);
}
}
memset(&pk, 0, sizeof pk);
if (br_ec_compute_pub(impl, &pk,
tmp_pub, &sk) != len)
{
fprintf(stderr, "tmp_pub length mismatch\n");
exit(EXIT_FAILURE);
}
if (memcmp(kbuf_pub, tmp_pub, len) != 0) {
fprintf(stderr, "pubkey mismatch\n");
exit(EXIT_FAILURE);
}
if (pk.curve != curve || pk.q != tmp_pub
|| pk.qlen != len)
{
fprintf(stderr, "pk not initialized\n");
exit(EXIT_FAILURE);
}
if (impl->mulgen(kbuf_pub,
sk.x, sk.xlen, curve) != len
|| memcmp(pk.q, kbuf_pub, len) != 0)
{
fprintf(stderr, "wrong pubkey\n");
exit(EXIT_FAILURE);
}
}
printf(".");
fflush(stdout);
}
printf(" done.\n");
fflush(stdout);
}
static void
test_EC_prime_i15(void)
{
test_EC_KAT("EC_prime_i15", &br_ec_prime_i15,
(uint32_t)1 << BR_EC_secp256r1
| (uint32_t)1 << BR_EC_secp384r1
| (uint32_t)1 << BR_EC_secp521r1);
test_EC_keygen("EC_prime_i15", &br_ec_prime_i15,
(uint32_t)1 << BR_EC_secp256r1
| (uint32_t)1 << BR_EC_secp384r1
| (uint32_t)1 << BR_EC_secp521r1);
}
static void
test_EC_prime_i31(void)
{
test_EC_KAT("EC_prime_i31", &br_ec_prime_i31,
(uint32_t)1 << BR_EC_secp256r1
| (uint32_t)1 << BR_EC_secp384r1
| (uint32_t)1 << BR_EC_secp521r1);
test_EC_keygen("EC_prime_i31", &br_ec_prime_i31,
(uint32_t)1 << BR_EC_secp256r1
| (uint32_t)1 << BR_EC_secp384r1
| (uint32_t)1 << BR_EC_secp521r1);
}
static void
test_EC_p256_m15(void)
{
test_EC_KAT("EC_p256_m15", &br_ec_p256_m15,
(uint32_t)1 << BR_EC_secp256r1);
test_EC_keygen("EC_p256_m15", &br_ec_p256_m15,
(uint32_t)1 << BR_EC_secp256r1);
}
static void
test_EC_p256_m31(void)
{
test_EC_KAT("EC_p256_m31", &br_ec_p256_m31,
(uint32_t)1 << BR_EC_secp256r1);
test_EC_keygen("EC_p256_m31", &br_ec_p256_m31,
(uint32_t)1 << BR_EC_secp256r1);
}
static void
test_EC_p256_m62(void)
{
const br_ec_impl *ec;
ec = br_ec_p256_m62_get();
if (ec != NULL) {
test_EC_KAT("EC_p256_m62", ec,
(uint32_t)1 << BR_EC_secp256r1);
test_EC_keygen("EC_p256_m62", ec,
(uint32_t)1 << BR_EC_secp256r1);
} else {
printf("Test EC_p256_m62: UNAVAILABLE\n");
printf("Test EC_p256_m62 keygen: UNAVAILABLE\n");
}
}
static void
test_EC_p256_m64(void)
{
const br_ec_impl *ec;
ec = br_ec_p256_m64_get();
if (ec != NULL) {
test_EC_KAT("EC_p256_m64", ec,
(uint32_t)1 << BR_EC_secp256r1);
test_EC_keygen("EC_p256_m64", ec,
(uint32_t)1 << BR_EC_secp256r1);
} else {
printf("Test EC_p256_m64: UNAVAILABLE\n");
printf("Test EC_p256_m64 keygen: UNAVAILABLE\n");
}
}
const struct {
const char *scalar_le;
const char *u_in;
const char *u_out;
} C25519_KAT[] = {
{ "A546E36BF0527C9D3B16154B82465EDD62144C0AC1FC5A18506A2244BA449AC4",
"E6DB6867583030DB3594C1A424B15F7C726624EC26B3353B10A903A6D0AB1C4C",
"C3DA55379DE9C6908E94EA4DF28D084F32ECCF03491C71F754B4075577A28552" },
{ "4B66E9D4D1B4673C5AD22691957D6AF5C11B6421E0EA01D42CA4169E7918BA0D",
"E5210F12786811D3F4B7959D0538AE2C31DBE7106FC03C3EFC4CD549C715A493",
"95CBDE9476E8907D7AADE45CB4B873F88B595A68799FA152E6F8F7647AAC7957" },
{ 0, 0, 0 }
};
static void
revbytes(unsigned char *buf, size_t len)
{
size_t u;
for (u = 0; u < (len >> 1); u ++) {
unsigned t;
t = buf[u];
buf[u] = buf[len - 1 - u];
buf[len - 1 - u] = t;
}
}
static void
test_EC_c25519(const char *name, const br_ec_impl *iec)
{
unsigned char bu[32], bk[32], br[32];
size_t v;
int i;
printf("Test %s: ", name);
fflush(stdout);
for (v = 0; C25519_KAT[v].scalar_le; v ++) {
hextobin(bk, C25519_KAT[v].scalar_le);
revbytes(bk, sizeof bk);
hextobin(bu, C25519_KAT[v].u_in);
hextobin(br, C25519_KAT[v].u_out);
if (!iec->mul(bu, sizeof bu, bk, sizeof bk, BR_EC_curve25519)) {
fprintf(stderr, "Curve25519 multiplication failed\n");
exit(EXIT_FAILURE);
}
if (memcmp(bu, br, sizeof bu) != 0) {
fprintf(stderr, "Curve25519 failed KAT\n");
exit(EXIT_FAILURE);
}
printf(".");
fflush(stdout);
}
printf(" ");
fflush(stdout);
memset(bu, 0, sizeof bu);
bu[0] = 0x09;
memcpy(bk, bu, sizeof bu);
for (i = 1; i <= 1000; i ++) {
revbytes(bk, sizeof bk);
if (!iec->mul(bu, sizeof bu, bk, sizeof bk, BR_EC_curve25519)) {
fprintf(stderr, "Curve25519 multiplication failed"
" (iter=%d)\n", i);
exit(EXIT_FAILURE);
}
revbytes(bk, sizeof bk);
for (v = 0; v < sizeof bu; v ++) {
unsigned t;
t = bu[v];
bu[v] = bk[v];
bk[v] = t;
}
if (i == 1 || i == 1000) {
const char *sref;
sref = (i == 1)
? "422C8E7A6227D7BCA1350B3E2BB7279F7897B87BB6854B783C60E80311AE3079"
: "684CF59BA83309552800EF566F2F4D3C1C3887C49360E3875F2EB94D99532C51";
hextobin(br, sref);
if (memcmp(bk, br, sizeof bk) != 0) {
fprintf(stderr,
"Curve25519 failed KAT (iter=%d)\n", i);
exit(EXIT_FAILURE);
}
}
if (i % 100 == 0) {
printf(".");
fflush(stdout);
}
}
printf(" done.\n");
fflush(stdout);
}
static void
test_EC_c25519_i15(void)
{
test_EC_c25519("EC_c25519_i15", &br_ec_c25519_i15);
test_EC_keygen("EC_c25519_i15", &br_ec_c25519_i15,
(uint32_t)1 << BR_EC_curve25519);
}
static void
test_EC_c25519_i31(void)
{
test_EC_c25519("EC_c25519_i31", &br_ec_c25519_i31);
test_EC_keygen("EC_c25519_i31", &br_ec_c25519_i31,
(uint32_t)1 << BR_EC_curve25519);
}
static void
test_EC_c25519_m15(void)
{
test_EC_c25519("EC_c25519_m15", &br_ec_c25519_m15);
test_EC_keygen("EC_c25519_m15", &br_ec_c25519_m15,
(uint32_t)1 << BR_EC_curve25519);
}
static void
test_EC_c25519_m31(void)
{
test_EC_c25519("EC_c25519_m31", &br_ec_c25519_m31);
test_EC_keygen("EC_c25519_m31", &br_ec_c25519_m31,
(uint32_t)1 << BR_EC_curve25519);
}
static void
test_EC_c25519_m62(void)
{
const br_ec_impl *ec;
ec = br_ec_c25519_m62_get();
if (ec != NULL) {
test_EC_c25519("EC_c25519_m62", ec);
test_EC_keygen("EC_c25519_m62", ec,
(uint32_t)1 << BR_EC_curve25519);
} else {
printf("Test EC_c25519_m62: UNAVAILABLE\n");
printf("Test EC_c25519_m62 keygen: UNAVAILABLE\n");
}
}
static void
test_EC_c25519_m64(void)
{
const br_ec_impl *ec;
ec = br_ec_c25519_m64_get();
if (ec != NULL) {
test_EC_c25519("EC_c25519_m64", ec);
test_EC_keygen("EC_c25519_m64", ec,
(uint32_t)1 << BR_EC_curve25519);
} else {
printf("Test EC_c25519_m64: UNAVAILABLE\n");
printf("Test EC_c25519_m64 keygen: UNAVAILABLE\n");
}
}
static const unsigned char EC_P256_PUB_POINT[] = {
0x04, 0x60, 0xFE, 0xD4, 0xBA, 0x25, 0x5A, 0x9D,
0x31, 0xC9, 0x61, 0xEB, 0x74, 0xC6, 0x35, 0x6D,
0x68, 0xC0, 0x49, 0xB8, 0x92, 0x3B, 0x61, 0xFA,
0x6C, 0xE6, 0x69, 0x62, 0x2E, 0x60, 0xF2, 0x9F,
0xB6, 0x79, 0x03, 0xFE, 0x10, 0x08, 0xB8, 0xBC,
0x99, 0xA4, 0x1A, 0xE9, 0xE9, 0x56, 0x28, 0xBC,
0x64, 0xF2, 0xF1, 0xB2, 0x0C, 0x2D, 0x7E, 0x9F,
0x51, 0x77, 0xA3, 0xC2, 0x94, 0xD4, 0x46, 0x22,
0x99
};
static const unsigned char EC_P256_PRIV_X[] = {
0xC9, 0xAF, 0xA9, 0xD8, 0x45, 0xBA, 0x75, 0x16,
0x6B, 0x5C, 0x21, 0x57, 0x67, 0xB1, 0xD6, 0x93,
0x4E, 0x50, 0xC3, 0xDB, 0x36, 0xE8, 0x9B, 0x12,
0x7B, 0x8A, 0x62, 0x2B, 0x12, 0x0F, 0x67, 0x21
};
static const br_ec_public_key EC_P256_PUB = {
BR_EC_secp256r1,
(unsigned char *)EC_P256_PUB_POINT, sizeof EC_P256_PUB_POINT
};
static const br_ec_private_key EC_P256_PRIV = {
BR_EC_secp256r1,
(unsigned char *)EC_P256_PRIV_X, sizeof EC_P256_PRIV_X
};
static const unsigned char EC_P384_PUB_POINT[] = {
0x04, 0xEC, 0x3A, 0x4E, 0x41, 0x5B, 0x4E, 0x19,
0xA4, 0x56, 0x86, 0x18, 0x02, 0x9F, 0x42, 0x7F,
0xA5, 0xDA, 0x9A, 0x8B, 0xC4, 0xAE, 0x92, 0xE0,
0x2E, 0x06, 0xAA, 0xE5, 0x28, 0x6B, 0x30, 0x0C,
0x64, 0xDE, 0xF8, 0xF0, 0xEA, 0x90, 0x55, 0x86,
0x60, 0x64, 0xA2, 0x54, 0x51, 0x54, 0x80, 0xBC,
0x13, 0x80, 0x15, 0xD9, 0xB7, 0x2D, 0x7D, 0x57,
0x24, 0x4E, 0xA8, 0xEF, 0x9A, 0xC0, 0xC6, 0x21,
0x89, 0x67, 0x08, 0xA5, 0x93, 0x67, 0xF9, 0xDF,
0xB9, 0xF5, 0x4C, 0xA8, 0x4B, 0x3F, 0x1C, 0x9D,
0xB1, 0x28, 0x8B, 0x23, 0x1C, 0x3A, 0xE0, 0xD4,
0xFE, 0x73, 0x44, 0xFD, 0x25, 0x33, 0x26, 0x47,
0x20
};
static const unsigned char EC_P384_PRIV_X[] = {
0x6B, 0x9D, 0x3D, 0xAD, 0x2E, 0x1B, 0x8C, 0x1C,
0x05, 0xB1, 0x98, 0x75, 0xB6, 0x65, 0x9F, 0x4D,
0xE2, 0x3C, 0x3B, 0x66, 0x7B, 0xF2, 0x97, 0xBA,
0x9A, 0xA4, 0x77, 0x40, 0x78, 0x71, 0x37, 0xD8,
0x96, 0xD5, 0x72, 0x4E, 0x4C, 0x70, 0xA8, 0x25,
0xF8, 0x72, 0xC9, 0xEA, 0x60, 0xD2, 0xED, 0xF5
};
static const br_ec_public_key EC_P384_PUB = {
BR_EC_secp384r1,
(unsigned char *)EC_P384_PUB_POINT, sizeof EC_P384_PUB_POINT
};
static const br_ec_private_key EC_P384_PRIV = {
BR_EC_secp384r1,
(unsigned char *)EC_P384_PRIV_X, sizeof EC_P384_PRIV_X
};
static const unsigned char EC_P521_PUB_POINT[] = {
0x04, 0x01, 0x89, 0x45, 0x50, 0xD0, 0x78, 0x59,
0x32, 0xE0, 0x0E, 0xAA, 0x23, 0xB6, 0x94, 0xF2,
0x13, 0xF8, 0xC3, 0x12, 0x1F, 0x86, 0xDC, 0x97,
0xA0, 0x4E, 0x5A, 0x71, 0x67, 0xDB, 0x4E, 0x5B,
0xCD, 0x37, 0x11, 0x23, 0xD4, 0x6E, 0x45, 0xDB,
0x6B, 0x5D, 0x53, 0x70, 0xA7, 0xF2, 0x0F, 0xB6,
0x33, 0x15, 0x5D, 0x38, 0xFF, 0xA1, 0x6D, 0x2B,
0xD7, 0x61, 0xDC, 0xAC, 0x47, 0x4B, 0x9A, 0x2F,
0x50, 0x23, 0xA4, 0x00, 0x49, 0x31, 0x01, 0xC9,
0x62, 0xCD, 0x4D, 0x2F, 0xDD, 0xF7, 0x82, 0x28,
0x5E, 0x64, 0x58, 0x41, 0x39, 0xC2, 0xF9, 0x1B,
0x47, 0xF8, 0x7F, 0xF8, 0x23, 0x54, 0xD6, 0x63,
0x0F, 0x74, 0x6A, 0x28, 0xA0, 0xDB, 0x25, 0x74,
0x1B, 0x5B, 0x34, 0xA8, 0x28, 0x00, 0x8B, 0x22,
0xAC, 0xC2, 0x3F, 0x92, 0x4F, 0xAA, 0xFB, 0xD4,
0xD3, 0x3F, 0x81, 0xEA, 0x66, 0x95, 0x6D, 0xFE,
0xAA, 0x2B, 0xFD, 0xFC, 0xF5
};
static const unsigned char EC_P521_PRIV_X[] = {
0x00, 0xFA, 0xD0, 0x6D, 0xAA, 0x62, 0xBA, 0x3B,
0x25, 0xD2, 0xFB, 0x40, 0x13, 0x3D, 0xA7, 0x57,
0x20, 0x5D, 0xE6, 0x7F, 0x5B, 0xB0, 0x01, 0x8F,
0xEE, 0x8C, 0x86, 0xE1, 0xB6, 0x8C, 0x7E, 0x75,
0xCA, 0xA8, 0x96, 0xEB, 0x32, 0xF1, 0xF4, 0x7C,
0x70, 0x85, 0x58, 0x36, 0xA6, 0xD1, 0x6F, 0xCC,
0x14, 0x66, 0xF6, 0xD8, 0xFB, 0xEC, 0x67, 0xDB,
0x89, 0xEC, 0x0C, 0x08, 0xB0, 0xE9, 0x96, 0xB8,
0x35, 0x38
};
static const br_ec_public_key EC_P521_PUB = {
BR_EC_secp521r1,
(unsigned char *)EC_P521_PUB_POINT, sizeof EC_P521_PUB_POINT
};
static const br_ec_private_key EC_P521_PRIV = {
BR_EC_secp521r1,
(unsigned char *)EC_P521_PRIV_X, sizeof EC_P521_PRIV_X
};
typedef struct {
const br_ec_public_key *pub;
const br_ec_private_key *priv;
const br_hash_class *hf;
const char *msg;
const char *sk;
const char *sraw;
const char *sasn1;
} ecdsa_kat_vector;
const ecdsa_kat_vector ECDSA_KAT[] = {
/* Test vectors for P-256, from RFC 6979. */
{
&EC_P256_PUB,
&EC_P256_PRIV,
&br_sha1_vtable, "sample",
"882905F1227FD620FBF2ABF21244F0BA83D0DC3A9103DBBEE43A1FB858109DB4",
"61340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D326D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EB",
"3044022061340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D3202206D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EB"
},
{
&EC_P256_PUB,
&EC_P256_PRIV,
&br_sha224_vtable, "sample",
"103F90EE9DC52E5E7FB5132B7033C63066D194321491862059967C715985D473",
"53B2FFF5D1752B2C689DF257C04C40A587FABABB3F6FC2702F1343AF7CA9AA3FB9AFB64FDC03DC1A131C7D2386D11E349F070AA432A4ACC918BEA988BF75C74C",
"3045022053B2FFF5D1752B2C689DF257C04C40A587FABABB3F6FC2702F1343AF7CA9AA3F022100B9AFB64FDC03DC1A131C7D2386D11E349F070AA432A4ACC918BEA988BF75C74C"
},
{
&EC_P256_PUB,
&EC_P256_PRIV,
&br_sha256_vtable, "sample",
"A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60",
"EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8",
"3046022100EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716022100F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8"
},
{
&EC_P256_PUB,
&EC_P256_PRIV,
&br_sha384_vtable, "sample",
"09F634B188CEFD98E7EC88B1AA9852D734D0BC272F7D2A47DECC6EBEB375AAD4",
"0EAFEA039B20E9B42309FB1D89E213057CBF973DC0CFC8F129EDDDC800EF77194861F0491E6998B9455193E34E7B0D284DDD7149A74B95B9261F13ABDE940954",
"304402200EAFEA039B20E9B42309FB1D89E213057CBF973DC0CFC8F129EDDDC800EF771902204861F0491E6998B9455193E34E7B0D284DDD7149A74B95B9261F13ABDE940954"
},
{
&EC_P256_PUB,
&EC_P256_PRIV,
&br_sha512_vtable, "sample",
"5FA81C63109BADB88C1F367B47DA606DA28CAD69AA22C4FE6AD7DF73A7173AA5",
"8496A60B5E9B47C825488827E0495B0E3FA109EC4568FD3F8D1097678EB97F002362AB1ADBE2B8ADF9CB9EDAB740EA6049C028114F2460F96554F61FAE3302FE",
"30450221008496A60B5E9B47C825488827E0495B0E3FA109EC4568FD3F8D1097678EB97F0002202362AB1ADBE2B8ADF9CB9EDAB740EA6049C028114F2460F96554F61FAE3302FE"
},
{
&EC_P256_PUB,
&EC_P256_PRIV,
&br_sha1_vtable, "test",
"8C9520267C55D6B980DF741E56B4ADEE114D84FBFA2E62137954164028632A2E",
"0CBCC86FD6ABD1D99E703E1EC50069EE5C0B4BA4B9AC60E409E8EC5910D81A8901B9D7B73DFAA60D5651EC4591A0136F87653E0FD780C3B1BC872FFDEAE479B1",
"304402200CBCC86FD6ABD1D99E703E1EC50069EE5C0B4BA4B9AC60E409E8EC5910D81A89022001B9D7B73DFAA60D5651EC4591A0136F87653E0FD780C3B1BC872FFDEAE479B1"
},
{
&EC_P256_PUB,
&EC_P256_PRIV,
&br_sha224_vtable, "test",
"669F4426F2688B8BE0DB3A6BD1989BDAEFFF84B649EEB84F3DD26080F667FAA7",
"C37EDB6F0AE79D47C3C27E962FA269BB4F441770357E114EE511F662EC34A692C820053A05791E521FCAAD6042D40AEA1D6B1A540138558F47D0719800E18F2D",
"3046022100C37EDB6F0AE79D47C3C27E962FA269BB4F441770357E114EE511F662EC34A692022100C820053A05791E521FCAAD6042D40AEA1D6B1A540138558F47D0719800E18F2D"
},
{
&EC_P256_PUB,
&EC_P256_PRIV,
&br_sha256_vtable, "test",
"D16B6AE827F17175E040871A1C7EC3500192C4C92677336EC2537ACAEE0008E0",
"F1ABB023518351CD71D881567B1EA663ED3EFCF6C5132B354F28D3B0B7D38367019F4113742A2B14BD25926B49C649155F267E60D3814B4C0CC84250E46F0083",
"3045022100F1ABB023518351CD71D881567B1EA663ED3EFCF6C5132B354F28D3B0B7D383670220019F4113742A2B14BD25926B49C649155F267E60D3814B4C0CC84250E46F0083"
},
{
&EC_P256_PUB,
&EC_P256_PRIV,
&br_sha384_vtable, "test",
"16AEFFA357260B04B1DD199693960740066C1A8F3E8EDD79070AA914D361B3B8",
"83910E8B48BB0C74244EBDF7F07A1C5413D61472BD941EF3920E623FBCCEBEB68DDBEC54CF8CD5874883841D712142A56A8D0F218F5003CB0296B6B509619F2C",
"304602210083910E8B48BB0C74244EBDF7F07A1C5413D61472BD941EF3920E623FBCCEBEB60221008DDBEC54CF8CD5874883841D712142A56A8D0F218F5003CB0296B6B509619F2C"
},
{
&EC_P256_PUB,
&EC_P256_PRIV,
&br_sha512_vtable, "test",
"6915D11632ACA3C40D5D51C08DAF9C555933819548784480E93499000D9F0B7F",
"461D93F31B6540894788FD206C07CFA0CC35F46FA3C91816FFF1040AD1581A0439AF9F15DE0DB8D97E72719C74820D304CE5226E32DEDAE67519E840D1194E55",
"30440220461D93F31B6540894788FD206C07CFA0CC35F46FA3C91816FFF1040AD1581A04022039AF9F15DE0DB8D97E72719C74820D304CE5226E32DEDAE67519E840D1194E55"
},
/* Test vectors for P-384, from RFC 6979. */
{
&EC_P384_PUB,
&EC_P384_PRIV,
&br_sha1_vtable, "sample",
"4471EF7518BB2C7C20F62EAE1C387AD0C5E8E470995DB4ACF694466E6AB096630F29E5938D25106C3C340045A2DB01A7",
"EC748D839243D6FBEF4FC5C4859A7DFFD7F3ABDDF72014540C16D73309834FA37B9BA002899F6FDA3A4A9386790D4EB2A3BCFA947BEEF4732BF247AC17F71676CB31A847B9FF0CBC9C9ED4C1A5B3FACF26F49CA031D4857570CCB5CA4424A443",
"3066023100EC748D839243D6FBEF4FC5C4859A7DFFD7F3ABDDF72014540C16D73309834FA37B9BA002899F6FDA3A4A9386790D4EB2023100A3BCFA947BEEF4732BF247AC17F71676CB31A847B9FF0CBC9C9ED4C1A5B3FACF26F49CA031D4857570CCB5CA4424A443"
},
{
&EC_P384_PUB,
&EC_P384_PRIV,
&br_sha224_vtable, "sample",
"A4E4D2F0E729EB786B31FC20AD5D849E304450E0AE8E3E341134A5C1AFA03CAB8083EE4E3C45B06A5899EA56C51B5879",
"42356E76B55A6D9B4631C865445DBE54E056D3B3431766D0509244793C3F9366450F76EE3DE43F5A125333A6BE0601229DA0C81787064021E78DF658F2FBB0B042BF304665DB721F077A4298B095E4834C082C03D83028EFBF93A3C23940CA8D",
"3065023042356E76B55A6D9B4631C865445DBE54E056D3B3431766D0509244793C3F9366450F76EE3DE43F5A125333A6BE0601220231009DA0C81787064021E78DF658F2FBB0B042BF304665DB721F077A4298B095E4834C082C03D83028EFBF93A3C23940CA8D"
},
{
&EC_P384_PUB,
&EC_P384_PRIV,
&br_sha256_vtable, "sample",
"180AE9F9AEC5438A44BC159A1FCB277C7BE54FA20E7CF404B490650A8ACC414E375572342863C899F9F2EDF9747A9B60",
"21B13D1E013C7FA1392D03C5F99AF8B30C570C6F98D4EA8E354B63A21D3DAA33BDE1E888E63355D92FA2B3C36D8FB2CDF3AA443FB107745BF4BD77CB3891674632068A10CA67E3D45DB2266FA7D1FEEBEFDC63ECCD1AC42EC0CB8668A4FA0AB0",
"3065023021B13D1E013C7FA1392D03C5F99AF8B30C570C6F98D4EA8E354B63A21D3DAA33BDE1E888E63355D92FA2B3C36D8FB2CD023100F3AA443FB107745BF4BD77CB3891674632068A10CA67E3D45DB2266FA7D1FEEBEFDC63ECCD1AC42EC0CB8668A4FA0AB0"
},
{
&EC_P384_PUB,
&EC_P384_PRIV,
&br_sha384_vtable, "sample",
"94ED910D1A099DAD3254E9242AE85ABDE4BA15168EAF0CA87A555FD56D10FBCA2907E3E83BA95368623B8C4686915CF9",
"94EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE4699EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC8",
"306602310094EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE4602310099EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC8"
},
{
&EC_P384_PUB,
&EC_P384_PRIV,
&br_sha512_vtable, "sample",
"92FC3C7183A883E24216D1141F1A8976C5B0DD797DFA597E3D7B32198BD35331A4E966532593A52980D0E3AAA5E10EC3",
"ED0959D5880AB2D869AE7F6C2915C6D60F96507F9CB3E047C0046861DA4A799CFE30F35CC900056D7C99CD7882433709512C8CCEEE3890A84058CE1E22DBC2198F42323CE8ACA9135329F03C068E5112DC7CC3EF3446DEFCEB01A45C2667FDD5",
"3065023100ED0959D5880AB2D869AE7F6C2915C6D60F96507F9CB3E047C0046861DA4A799CFE30F35CC900056D7C99CD78824337090230512C8CCEEE3890A84058CE1E22DBC2198F42323CE8ACA9135329F03C068E5112DC7CC3EF3446DEFCEB01A45C2667FDD5"
},
{
&EC_P384_PUB,
&EC_P384_PRIV,
&br_sha1_vtable, "test",
"66CC2C8F4D303FC962E5FF6A27BD79F84EC812DDAE58CF5243B64A4AD8094D47EC3727F3A3C186C15054492E30698497",
"4BC35D3A50EF4E30576F58CD96CE6BF638025EE624004A1F7789A8B8E43D0678ACD9D29876DAF46638645F7F404B11C7D5A6326C494ED3FF614703878961C0FDE7B2C278F9A65FD8C4B7186201A2991695BA1C84541327E966FA7B50F7382282",
"306502304BC35D3A50EF4E30576F58CD96CE6BF638025EE624004A1F7789A8B8E43D0678ACD9D29876DAF46638645F7F404B11C7023100D5A6326C494ED3FF614703878961C0FDE7B2C278F9A65FD8C4B7186201A2991695BA1C84541327E966FA7B50F7382282"
},
{
&EC_P384_PUB,
&EC_P384_PRIV,
&br_sha224_vtable, "test",
"18FA39DB95AA5F561F30FA3591DC59C0FA3653A80DAFFA0B48D1A4C6DFCBFF6E3D33BE4DC5EB8886A8ECD093F2935726",
"E8C9D0B6EA72A0E7837FEA1D14A1A9557F29FAA45D3E7EE888FC5BF954B5E62464A9A817C47FF78B8C11066B24080E7207041D4A7A0379AC7232FF72E6F77B6DDB8F09B16CCE0EC3286B2BD43FA8C6141C53EA5ABEF0D8231077A04540A96B66",
"3065023100E8C9D0B6EA72A0E7837FEA1D14A1A9557F29FAA45D3E7EE888FC5BF954B5E62464A9A817C47FF78B8C11066B24080E72023007041D4A7A0379AC7232FF72E6F77B6DDB8F09B16CCE0EC3286B2BD43FA8C6141C53EA5ABEF0D8231077A04540A96B66"
},
{
&EC_P384_PUB,
&EC_P384_PRIV,
&br_sha256_vtable, "test",
"0CFAC37587532347DC3389FDC98286BBA8C73807285B184C83E62E26C401C0FAA48DD070BA79921A3457ABFF2D630AD7",
"6D6DEFAC9AB64DABAFE36C6BF510352A4CC27001263638E5B16D9BB51D451559F918EEDAF2293BE5B475CC8F0188636B2D46F3BECBCC523D5F1A1256BF0C9B024D879BA9E838144C8BA6BAEB4B53B47D51AB373F9845C0514EEFB14024787265",
"306402306D6DEFAC9AB64DABAFE36C6BF510352A4CC27001263638E5B16D9BB51D451559F918EEDAF2293BE5B475CC8F0188636B02302D46F3BECBCC523D5F1A1256BF0C9B024D879BA9E838144C8BA6BAEB4B53B47D51AB373F9845C0514EEFB14024787265"
},
{
&EC_P384_PUB,
&EC_P384_PRIV,
&br_sha384_vtable, "test",
"015EE46A5BF88773ED9123A5AB0807962D193719503C527B031B4C2D225092ADA71F4A459BC0DA98ADB95837DB8312EA",
"8203B63D3C853E8D77227FB377BCF7B7B772E97892A80F36AB775D509D7A5FEB0542A7F0812998DA8F1DD3CA3CF023DBDDD0760448D42D8A43AF45AF836FCE4DE8BE06B485E9B61B827C2F13173923E06A739F040649A667BF3B828246BAA5A5",
"30660231008203B63D3C853E8D77227FB377BCF7B7B772E97892A80F36AB775D509D7A5FEB0542A7F0812998DA8F1DD3CA3CF023DB023100DDD0760448D42D8A43AF45AF836FCE4DE8BE06B485E9B61B827C2F13173923E06A739F040649A667BF3B828246BAA5A5"
},
{
&EC_P384_PUB,
&EC_P384_PRIV,
&br_sha512_vtable, "test",
"3780C4F67CB15518B6ACAE34C9F83568D2E12E47DEAB6C50A4E4EE5319D1E8CE0E2CC8A136036DC4B9C00E6888F66B6C",
"A0D5D090C9980FAF3C2CE57B7AE951D31977DD11C775D314AF55F76C676447D06FB6495CD21B4B6E340FC236584FB277976984E59B4C77B0E8E4460DCA3D9F20E07B9BB1F63BEEFAF576F6B2E8B224634A2092CD3792E0159AD9CEE37659C736",
"3066023100A0D5D090C9980FAF3C2CE57B7AE951D31977DD11C775D314AF55F76C676447D06FB6495CD21B4B6E340FC236584FB277023100976984E59B4C77B0E8E4460DCA3D9F20E07B9BB1F63BEEFAF576F6B2E8B224634A2092CD3792E0159AD9CEE37659C736"
},
/* Test vectors for P-521, from RFC 6979. */
{
&EC_P521_PUB,
&EC_P521_PRIV,
&br_sha1_vtable, "sample",
"0089C071B419E1C2820962321787258469511958E80582E95D8378E0C2CCDB3CB42BEDE42F50E3FA3C71F5A76724281D31D9C89F0F91FC1BE4918DB1C03A5838D0F9",
"00343B6EC45728975EA5CBA6659BBB6062A5FF89EEA58BE3C80B619F322C87910FE092F7D45BB0F8EEE01ED3F20BABEC079D202AE677B243AB40B5431D497C55D75D00E7B0E675A9B24413D448B8CC119D2BF7B2D2DF032741C096634D6D65D0DBE3D5694625FB9E8104D3B842C1B0E2D0B98BEA19341E8676AEF66AE4EBA3D5475D5D16",
"3081870241343B6EC45728975EA5CBA6659BBB6062A5FF89EEA58BE3C80B619F322C87910FE092F7D45BB0F8EEE01ED3F20BABEC079D202AE677B243AB40B5431D497C55D75D024200E7B0E675A9B24413D448B8CC119D2BF7B2D2DF032741C096634D6D65D0DBE3D5694625FB9E8104D3B842C1B0E2D0B98BEA19341E8676AEF66AE4EBA3D5475D5D16"
},
{
&EC_P521_PUB,
&EC_P521_PRIV,
&br_sha224_vtable, "sample",
"0121415EC2CD7726330A61F7F3FA5DE14BE9436019C4DB8CB4041F3B54CF31BE0493EE3F427FB906393D895A19C9523F3A1D54BB8702BD4AA9C99DAB2597B92113F3",
"01776331CFCDF927D666E032E00CF776187BC9FDD8E69D0DABB4109FFE1B5E2A30715F4CC923A4A5E94D2503E9ACFED92857B7F31D7152E0F8C00C15FF3D87E2ED2E0050CB5265417FE2320BBB5A122B8E1A32BD699089851128E360E620A30C7E17BA41A666AF126CE100E5799B153B60528D5300D08489CA9178FB610A2006C254B41F",
"308187024201776331CFCDF927D666E032E00CF776187BC9FDD8E69D0DABB4109FFE1B5E2A30715F4CC923A4A5E94D2503E9ACFED92857B7F31D7152E0F8C00C15FF3D87E2ED2E024150CB5265417FE2320BBB5A122B8E1A32BD699089851128E360E620A30C7E17BA41A666AF126CE100E5799B153B60528D5300D08489CA9178FB610A2006C254B41F"
},
{
&EC_P521_PUB,
&EC_P521_PRIV,
&br_sha256_vtable, "sample",
"00EDF38AFCAAECAB4383358B34D67C9F2216C8382AAEA44A3DAD5FDC9C32575761793FEF24EB0FC276DFC4F6E3EC476752F043CF01415387470BCBD8678ED2C7E1A0",
"01511BB4D675114FE266FC4372B87682BAECC01D3CC62CF2303C92B3526012659D16876E25C7C1E57648F23B73564D67F61C6F14D527D54972810421E7D87589E1A7004A171143A83163D6DF460AAF61522695F207A58B95C0644D87E52AA1A347916E4F7A72930B1BC06DBE22CE3F58264AFD23704CBB63B29B931F7DE6C9D949A7ECFC",
"308187024201511BB4D675114FE266FC4372B87682BAECC01D3CC62CF2303C92B3526012659D16876E25C7C1E57648F23B73564D67F61C6F14D527D54972810421E7D87589E1A702414A171143A83163D6DF460AAF61522695F207A58B95C0644D87E52AA1A347916E4F7A72930B1BC06DBE22CE3F58264AFD23704CBB63B29B931F7DE6C9D949A7ECFC"
},
{
&EC_P521_PUB,
&EC_P521_PRIV,
&br_sha384_vtable, "sample",
"01546A108BC23A15D6F21872F7DED661FA8431DDBD922D0DCDB77CC878C8553FFAD064C95A920A750AC9137E527390D2D92F153E66196966EA554D9ADFCB109C4211",
"01EA842A0E17D2DE4F92C15315C63DDF72685C18195C2BB95E572B9C5136CA4B4B576AD712A52BE9730627D16054BA40CC0B8D3FF035B12AE75168397F5D50C6745101F21A3CEE066E1961025FB048BD5FE2B7924D0CD797BABE0A83B66F1E35EEAF5FDE143FA85DC394A7DEE766523393784484BDF3E00114A1C857CDE1AA203DB65D61",
"308188024201EA842A0E17D2DE4F92C15315C63DDF72685C18195C2BB95E572B9C5136CA4B4B576AD712A52BE9730627D16054BA40CC0B8D3FF035B12AE75168397F5D50C67451024201F21A3CEE066E1961025FB048BD5FE2B7924D0CD797BABE0A83B66F1E35EEAF5FDE143FA85DC394A7DEE766523393784484BDF3E00114A1C857CDE1AA203DB65D61"
},
{
&EC_P521_PUB,
&EC_P521_PRIV,
&br_sha512_vtable, "sample",
"01DAE2EA071F8110DC26882D4D5EAE0621A3256FC8847FB9022E2B7D28E6F10198B1574FDD03A9053C08A1854A168AA5A57470EC97DD5CE090124EF52A2F7ECBFFD3",
"00C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA00617CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67A",
"308187024200C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA0241617CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67A"
},
{
&EC_P521_PUB,
&EC_P521_PRIV,
&br_sha1_vtable, "test",
"00BB9F2BF4FE1038CCF4DABD7139A56F6FD8BB1386561BD3C6A4FC818B20DF5DDBA80795A947107A1AB9D12DAA615B1ADE4F7A9DC05E8E6311150F47F5C57CE8B222",
"013BAD9F29ABE20DE37EBEB823C252CA0F63361284015A3BF430A46AAA80B87B0693F0694BD88AFE4E661FC33B094CD3B7963BED5A727ED8BD6A3A202ABE009D036701E9BB81FF7944CA409AD138DBBEE228E1AFCC0C890FC78EC8604639CB0DBDC90F717A99EAD9D272855D00162EE9527567DD6A92CBD629805C0445282BBC916797FF",
"3081880242013BAD9F29ABE20DE37EBEB823C252CA0F63361284015A3BF430A46AAA80B87B0693F0694BD88AFE4E661FC33B094CD3B7963BED5A727ED8BD6A3A202ABE009D0367024201E9BB81FF7944CA409AD138DBBEE228E1AFCC0C890FC78EC8604639CB0DBDC90F717A99EAD9D272855D00162EE9527567DD6A92CBD629805C0445282BBC916797FF"
},
{
&EC_P521_PUB,
&EC_P521_PRIV,
&br_sha224_vtable, "test",
"0040D09FCF3C8A5F62CF4FB223CBBB2B9937F6B0577C27020A99602C25A01136987E452988781484EDBBCF1C47E554E7FC901BC3085E5206D9F619CFF07E73D6F706",
"01C7ED902E123E6815546065A2C4AF977B22AA8EADDB68B2C1110E7EA44D42086BFE4A34B67DDC0E17E96536E358219B23A706C6A6E16BA77B65E1C595D43CAE17FB0177336676304FCB343CE028B38E7B4FBA76C1C1B277DA18CAD2A8478B2A9A9F5BEC0F3BA04F35DB3E4263569EC6AADE8C92746E4C82F8299AE1B8F1739F8FD519A4",
"308188024201C7ED902E123E6815546065A2C4AF977B22AA8EADDB68B2C1110E7EA44D42086BFE4A34B67DDC0E17E96536E358219B23A706C6A6E16BA77B65E1C595D43CAE17FB02420177336676304FCB343CE028B38E7B4FBA76C1C1B277DA18CAD2A8478B2A9A9F5BEC0F3BA04F35DB3E4263569EC6AADE8C92746E4C82F8299AE1B8F1739F8FD519A4"
},
{
&EC_P521_PUB,
&EC_P521_PRIV,
&br_sha256_vtable, "test",
"001DE74955EFAABC4C4F17F8E84D881D1310B5392D7700275F82F145C61E843841AF09035BF7A6210F5A431A6A9E81C9323354A9E69135D44EBD2FCAA7731B909258",
"000E871C4A14F993C6C7369501900C4BC1E9C7B0B4BA44E04868B30B41D8071042EB28C4C250411D0CE08CD197E4188EA4876F279F90B3D8D74A3C76E6F1E4656AA800CD52DBAA33B063C3A6CD8058A1FB0A46A4754B034FCC644766CA14DA8CA5CA9FDE00E88C1AD60CCBA759025299079D7A427EC3CC5B619BFBC828E7769BCD694E86",
"30818702410E871C4A14F993C6C7369501900C4BC1E9C7B0B4BA44E04868B30B41D8071042EB28C4C250411D0CE08CD197E4188EA4876F279F90B3D8D74A3C76E6F1E4656AA8024200CD52DBAA33B063C3A6CD8058A1FB0A46A4754B034FCC644766CA14DA8CA5CA9FDE00E88C1AD60CCBA759025299079D7A427EC3CC5B619BFBC828E7769BCD694E86"
},
{
&EC_P521_PUB,
&EC_P521_PRIV,
&br_sha384_vtable, "test",
"01F1FC4A349A7DA9A9E116BFDD055DC08E78252FF8E23AC276AC88B1770AE0B5DCEB1ED14A4916B769A523CE1E90BA22846AF11DF8B300C38818F713DADD85DE0C88",
"014BEE21A18B6D8B3C93FAB08D43E739707953244FDBE924FA926D76669E7AC8C89DF62ED8975C2D8397A65A49DCC09F6B0AC62272741924D479354D74FF6075578C0133330865C067A0EAF72362A65E2D7BC4E461E8C8995C3B6226A21BD1AA78F0ED94FE536A0DCA35534F0CD1510C41525D163FE9D74D134881E35141ED5E8E95B979",
"3081880242014BEE21A18B6D8B3C93FAB08D43E739707953244FDBE924FA926D76669E7AC8C89DF62ED8975C2D8397A65A49DCC09F6B0AC62272741924D479354D74FF6075578C02420133330865C067A0EAF72362A65E2D7BC4E461E8C8995C3B6226A21BD1AA78F0ED94FE536A0DCA35534F0CD1510C41525D163FE9D74D134881E35141ED5E8E95B979"
},
{
&EC_P521_PUB,
&EC_P521_PRIV,
&br_sha512_vtable, "test",
"016200813020EC986863BEDFC1B121F605C1215645018AEA1A7B215A564DE9EB1B38A67AA1128B80CE391C4FB71187654AAA3431027BFC7F395766CA988C964DC56D",
"013E99020ABF5CEE7525D16B69B229652AB6BDF2AFFCAEF38773B4B7D08725F10CDB93482FDCC54EDCEE91ECA4166B2A7C6265EF0CE2BD7051B7CEF945BABD47EE6D01FBD0013C674AA79CB39849527916CE301C66EA7CE8B80682786AD60F98F7E78A19CA69EFF5C57400E3B3A0AD66CE0978214D13BAF4E9AC60752F7B155E2DE4DCE3",
"3081880242013E99020ABF5CEE7525D16B69B229652AB6BDF2AFFCAEF38773B4B7D08725F10CDB93482FDCC54EDCEE91ECA4166B2A7C6265EF0CE2BD7051B7CEF945BABD47EE6D024201FBD0013C674AA79CB39849527916CE301C66EA7CE8B80682786AD60F98F7E78A19CA69EFF5C57400E3B3A0AD66CE0978214D13BAF4E9AC60752F7B155E2DE4DCE3"
},
/* Terminator for list of test vectors. */
{
0, 0, 0, 0, 0, 0, 0
}
};
static void
test_ECDSA_KAT(const br_ec_impl *iec,
br_ecdsa_sign sign, br_ecdsa_vrfy vrfy, int asn1)
{
size_t u;
for (u = 0;; u ++) {
const ecdsa_kat_vector *kv;
unsigned char hash[64];
size_t hash_len;
unsigned char sig[150], sig2[150];
size_t sig_len, sig2_len;
br_hash_compat_context hc;
kv = &ECDSA_KAT[u];
if (kv->pub == 0) {
break;
}
kv->hf->init(&hc.vtable);
kv->hf->update(&hc.vtable, kv->msg, strlen(kv->msg));
kv->hf->out(&hc.vtable, hash);
hash_len = (kv->hf->desc >> BR_HASHDESC_OUT_OFF)
& BR_HASHDESC_OUT_MASK;
if (asn1) {
sig_len = hextobin(sig, kv->sasn1);
} else {
sig_len = hextobin(sig, kv->sraw);
}
if (vrfy(iec, hash, hash_len,
kv->pub, sig, sig_len) != 1)
{
fprintf(stderr, "ECDSA KAT verify failed (1)\n");
exit(EXIT_FAILURE);
}
hash[0] ^= 0x80;
if (vrfy(iec, hash, hash_len,
kv->pub, sig, sig_len) != 0)
{
fprintf(stderr, "ECDSA KAT verify shoud have failed\n");
exit(EXIT_FAILURE);
}
hash[0] ^= 0x80;
if (vrfy(iec, hash, hash_len,
kv->pub, sig, sig_len) != 1)
{
fprintf(stderr, "ECDSA KAT verify failed (2)\n");
exit(EXIT_FAILURE);
}
sig2_len = sign(iec, kv->hf, hash, kv->priv, sig2);
if (sig2_len == 0) {
fprintf(stderr, "ECDSA KAT sign failed\n");
exit(EXIT_FAILURE);
}
if (sig2_len != sig_len || memcmp(sig, sig2, sig_len) != 0) {
fprintf(stderr, "ECDSA KAT wrong signature value\n");
exit(EXIT_FAILURE);
}
printf(".");
fflush(stdout);
}
}
static void
test_ECDSA_i31(void)
{
printf("Test ECDSA/i31: ");
fflush(stdout);
printf("[raw]");
fflush(stdout);
test_ECDSA_KAT(&br_ec_prime_i31,
&br_ecdsa_i31_sign_raw, &br_ecdsa_i31_vrfy_raw, 0);
printf(" [asn1]");
fflush(stdout);
test_ECDSA_KAT(&br_ec_prime_i31,
&br_ecdsa_i31_sign_asn1, &br_ecdsa_i31_vrfy_asn1, 1);
printf(" done.\n");
fflush(stdout);
}
static void
test_ECDSA_i15(void)
{
printf("Test ECDSA/i15: ");
fflush(stdout);
printf("[raw]");
fflush(stdout);
test_ECDSA_KAT(&br_ec_prime_i15,
&br_ecdsa_i15_sign_raw, &br_ecdsa_i15_vrfy_raw, 0);
printf(" [asn1]");
fflush(stdout);
test_ECDSA_KAT(&br_ec_prime_i31,
&br_ecdsa_i15_sign_asn1, &br_ecdsa_i15_vrfy_asn1, 1);
printf(" done.\n");
fflush(stdout);
}
static void
test_modpow_i31(void)
{
br_hmac_drbg_context hc;
int k;
printf("Test ModPow/i31: ");
br_hmac_drbg_init(&hc, &br_sha256_vtable, "seed modpow", 11);
for (k = 10; k <= 500; k ++) {
size_t blen;
unsigned char bm[128], bx[128], bx1[128], bx2[128];
unsigned char be[128];
unsigned mask;
uint32_t x1[35], m1[35];
uint16_t x2[70], m2[70];
uint32_t tmp1[1000];
uint16_t tmp2[2000];
blen = (k + 7) >> 3;
br_hmac_drbg_generate(&hc, bm, blen);
br_hmac_drbg_generate(&hc, bx, blen);
br_hmac_drbg_generate(&hc, be, blen);
bm[blen - 1] |= 0x01;
mask = 0xFF >> ((int)(blen << 3) - k);
bm[0] &= mask;
bm[0] |= (mask - (mask >> 1));
bx[0] &= (mask >> 1);
br_i31_decode(m1, bm, blen);
br_i31_decode_mod(x1, bx, blen, m1);
br_i31_modpow_opt(x1, be, blen, m1, br_i31_ninv31(m1[1]),
tmp1, (sizeof tmp1) / (sizeof tmp1[0]));
br_i31_encode(bx1, blen, x1);
br_i15_decode(m2, bm, blen);
br_i15_decode_mod(x2, bx, blen, m2);
br_i15_modpow_opt(x2, be, blen, m2, br_i15_ninv15(m2[1]),
tmp2, (sizeof tmp2) / (sizeof tmp2[0]));
br_i15_encode(bx2, blen, x2);
check_equals("ModPow i31/i15", bx1, bx2, blen);
printf(".");
fflush(stdout);
}
printf(" done.\n");
fflush(stdout);
}
static void
test_modpow_i62(void)
{
br_hmac_drbg_context hc;
int k;
printf("Test ModPow/i62: ");
br_hmac_drbg_init(&hc, &br_sha256_vtable, "seed modpow", 11);
for (k = 10; k <= 500; k ++) {
size_t blen;
unsigned char bm[128], bx[128], bx1[128], bx2[128];
unsigned char be[128];
unsigned mask;
uint32_t x1[35], m1[35];
uint16_t x2[70], m2[70];
uint64_t tmp1[500];
uint16_t tmp2[2000];
blen = (k + 7) >> 3;
br_hmac_drbg_generate(&hc, bm, blen);
br_hmac_drbg_generate(&hc, bx, blen);
br_hmac_drbg_generate(&hc, be, blen);
bm[blen - 1] |= 0x01;
mask = 0xFF >> ((int)(blen << 3) - k);
bm[0] &= mask;
bm[0] |= (mask - (mask >> 1));
bx[0] &= (mask >> 1);
br_i31_decode(m1, bm, blen);
br_i31_decode_mod(x1, bx, blen, m1);
br_i62_modpow_opt(x1, be, blen, m1, br_i31_ninv31(m1[1]),
tmp1, (sizeof tmp1) / (sizeof tmp1[0]));
br_i31_encode(bx1, blen, x1);
br_i15_decode(m2, bm, blen);
br_i15_decode_mod(x2, bx, blen, m2);
br_i15_modpow_opt(x2, be, blen, m2, br_i15_ninv15(m2[1]),
tmp2, (sizeof tmp2) / (sizeof tmp2[0]));
br_i15_encode(bx2, blen, x2);
check_equals("ModPow i62/i15", bx1, bx2, blen);
printf(".");
fflush(stdout);
}
printf(" done.\n");
fflush(stdout);
}
static int
eq_name(const char *s1, const char *s2)
{
for (;;) {
int c1, c2;
for (;;) {
c1 = *s1 ++;
if (c1 >= 'A' && c1 <= 'Z') {
c1 += 'a' - 'A';
} else {
switch (c1) {
case '-': case '_': case '.': case ' ':
continue;
}
}
break;
}
for (;;) {
c2 = *s2 ++;
if (c2 >= 'A' && c2 <= 'Z') {
c2 += 'a' - 'A';
} else {
switch (c2) {
case '-': case '_': case '.': case ' ':
continue;
}
}
break;
}
if (c1 != c2) {
return 0;
}
if (c1 == 0) {
return 1;
}
}
}
#define STU(x) { &test_ ## x, #x }
static const struct {
void (*fn)(void);
const char *name;
} tfns[] = {
STU(MD5),
STU(SHA1),
STU(SHA224),
STU(SHA256),
STU(SHA384),
STU(SHA512),
STU(MD5_SHA1),
STU(multihash),
STU(HMAC),
STU(HKDF),
STU(SHAKE),
STU(HMAC_DRBG),
STU(AESCTR_DRBG),
STU(PRF),
STU(AES_big),
STU(AES_small),
STU(AES_ct),
STU(AES_ct64),
STU(AES_pwr8),
STU(AES_x86ni),
STU(AES_CTRCBC_big),
STU(AES_CTRCBC_small),
STU(AES_CTRCBC_ct),
STU(AES_CTRCBC_ct64),
STU(AES_CTRCBC_x86ni),
STU(AES_CTRCBC_pwr8),
STU(DES_tab),
STU(DES_ct),
STU(ChaCha20_ct),
STU(ChaCha20_sse2),
STU(Poly1305_ctmul),
STU(Poly1305_ctmul32),
STU(Poly1305_ctmulq),
STU(Poly1305_i15),
STU(RSA_i15),
STU(RSA_i31),
STU(RSA_i32),
STU(RSA_i62),
STU(GHASH_ctmul),
STU(GHASH_ctmul32),
STU(GHASH_ctmul64),
STU(GHASH_pclmul),
STU(GHASH_pwr8),
STU(CCM),
STU(EAX),
STU(GCM),
STU(EC_prime_i15),
STU(EC_prime_i31),
STU(EC_p256_m15),
STU(EC_p256_m31),
STU(EC_p256_m62),
STU(EC_p256_m64),
STU(EC_c25519_i15),
STU(EC_c25519_i31),
STU(EC_c25519_m15),
STU(EC_c25519_m31),
STU(EC_c25519_m62),
STU(EC_c25519_m64),
STU(ECDSA_i15),
STU(ECDSA_i31),
STU(modpow_i31),
STU(modpow_i62),
{ 0, 0 }
};
int
main(int argc, char *argv[])
{
size_t u;
if (argc <= 1) {
printf("usage: testcrypto all | name...\n");
printf("individual test names:\n");
for (u = 0; tfns[u].name; u ++) {
printf(" %s\n", tfns[u].name);
}
} else {
for (u = 0; tfns[u].name; u ++) {
int i;
for (i = 1; i < argc; i ++) {
if (eq_name(argv[i], tfns[u].name)
|| eq_name(argv[i], "all"))
{
tfns[u].fn();
break;
}
}
}
}
return 0;
}
diff --git a/contrib/bearssl/test/test_x509.c b/contrib/bearssl/test/test_x509.c
index 2c61cf5dd245..c00706839bd3 100644
--- a/contrib/bearssl/test/test_x509.c
+++ b/contrib/bearssl/test/test_x509.c
@@ -1,2058 +1,2094 @@
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <unistd.h>
#endif
#include "bearssl.h"
#define STR(x) STR_(x)
#define STR_(x) #x
#ifdef SRCDIRNAME
#define DIRNAME STR(SRCDIRNAME) "/test/x509"
#else
#define DIRNAME "test/x509"
#endif
#define CONFFILE DIRNAME "/alltests.txt"
#define DEFAULT_TIME "2016-08-30T18:00:00Z"
static void *
xmalloc(size_t len)
{
void *buf;
if (len == 0) {
return NULL;
}
buf = malloc(len);
if (buf == NULL) {
fprintf(stderr, "error: cannot allocate %lu byte(s)\n",
(unsigned long)len);
exit(EXIT_FAILURE);
}
return buf;
}
static void
xfree(void *buf)
{
if (buf != NULL) {
free(buf);
}
}
static char *
xstrdup(const char *name)
{
size_t n;
char *s;
if (name == NULL) {
return NULL;
}
n = strlen(name) + 1;
s = xmalloc(n);
memcpy(s, name, n);
return s;
}
typedef struct {
char *buf;
size_t ptr, len;
} string_builder;
static string_builder *
SB_new(void)
{
string_builder *sb;
sb = xmalloc(sizeof *sb);
sb->len = 8;
sb->buf = xmalloc(sb->len);
sb->ptr = 0;
return sb;
}
static void
SB_expand(string_builder *sb, size_t extra_len)
{
size_t nlen;
char *nbuf;
if (extra_len < (sb->len - sb->ptr)) {
return;
}
nlen = sb->len << 1;
if (extra_len > (nlen - sb->ptr)) {
nlen = sb->ptr + extra_len;
}
nbuf = xmalloc(nlen);
memcpy(nbuf, sb->buf, sb->ptr);
xfree(sb->buf);
sb->buf = nbuf;
sb->len = nlen;
}
static void
SB_append_char(string_builder *sb, int c)
{
SB_expand(sb, 1);
sb->buf[sb->ptr ++] = c;
}
/* unused
static void
SB_append_string(string_builder *sb, const char *s)
{
size_t n;
n = strlen(s);
SB_expand(sb, n);
memcpy(sb->buf + sb->ptr, s, n);
sb->ptr += n;
}
*/
/* unused
static char *
SB_to_string(string_builder *sb)
{
char *s;
s = xmalloc(sb->ptr + 1);
memcpy(s, sb->buf, sb->ptr);
s[sb->ptr] = 0;
return s;
}
*/
static char *
SB_contents(string_builder *sb)
{
return sb->buf;
}
static size_t
SB_length(string_builder *sb)
{
return sb->ptr;
}
static void
SB_set_length(string_builder *sb, size_t len)
{
if (sb->ptr < len) {
SB_expand(sb, len - sb->ptr);
memset(sb->buf + sb->ptr, ' ', len - sb->ptr);
}
sb->ptr = len;
}
static void
SB_reset(string_builder *sb)
{
SB_set_length(sb, 0);
}
static void
SB_free(string_builder *sb)
{
xfree(sb->buf);
xfree(sb);
}
typedef struct ht_elt_ {
char *name;
void *value;
struct ht_elt_ *next;
} ht_elt;
typedef struct {
size_t size;
ht_elt **buckets;
size_t num_buckets;
} HT;
static HT *
HT_new(void)
{
HT *ht;
size_t u;
ht = xmalloc(sizeof *ht);
ht->size = 0;
ht->num_buckets = 8;
ht->buckets = xmalloc(ht->num_buckets * sizeof(ht_elt *));
for (u = 0; u < ht->num_buckets; u ++) {
ht->buckets[u] = NULL;
}
return ht;
}
static uint32_t
hash_string(const char *name)
{
uint32_t hc;
hc = 0;
while (*name) {
int x;
hc = (hc << 5) - hc;
x = *(const unsigned char *)name;
if (x >= 'A' && x <= 'Z') {
x += 'a' - 'A';
}
hc += (uint32_t)x;
name ++;
}
return hc;
}
static int
eqstring(const char *s1, const char *s2)
{
while (*s1 && *s2) {
int x1, x2;
x1 = *(const unsigned char *)s1;
x2 = *(const unsigned char *)s2;
if (x1 >= 'A' && x1 <= 'Z') {
x1 += 'a' - 'A';
}
if (x2 >= 'A' && x2 <= 'Z') {
x2 += 'a' - 'A';
}
if (x1 != x2) {
return 0;
}
s1 ++;
s2 ++;
}
return !(*s1 || *s2);
}
static void
HT_expand(HT *ht)
{
size_t n, n2, u;
ht_elt **new_buckets;
n = ht->num_buckets;
n2 = n << 1;
new_buckets = xmalloc(n2 * sizeof *new_buckets);
for (u = 0; u < n2; u ++) {
new_buckets[u] = NULL;
}
for (u = 0; u < n; u ++) {
ht_elt *e, *f;
f = NULL;
for (e = ht->buckets[u]; e != NULL; e = f) {
uint32_t hc;
size_t v;
hc = hash_string(e->name);
v = (size_t)(hc & ((uint32_t)n2 - 1));
f = e->next;
e->next = new_buckets[v];
new_buckets[v] = e;
}
}
xfree(ht->buckets);
ht->buckets = new_buckets;
ht->num_buckets = n2;
}
static void *
HT_put(HT *ht, const char *name, void *value)
{
uint32_t hc;
size_t k;
ht_elt *e, **prev;
hc = hash_string(name);
k = (size_t)(hc & ((uint32_t)ht->num_buckets - 1));
prev = &ht->buckets[k];
e = *prev;
while (e != NULL) {
if (eqstring(name, e->name)) {
void *old_value;
old_value = e->value;
if (value == NULL) {
*prev = e->next;
xfree(e->name);
xfree(e);
ht->size --;
} else {
e->value = value;
}
return old_value;
}
prev = &e->next;
e = *prev;
}
if (value != NULL) {
e = xmalloc(sizeof *e);
e->name = xstrdup(name);
e->value = value;
e->next = ht->buckets[k];
ht->buckets[k] = e;
ht->size ++;
if (ht->size > ht->num_buckets) {
HT_expand(ht);
}
}
return NULL;
}
/* unused
static void *
HT_remove(HT *ht, const char *name)
{
return HT_put(ht, name, NULL);
}
*/
static void *
HT_get(const HT *ht, const char *name)
{
uint32_t hc;
size_t k;
ht_elt *e;
hc = hash_string(name);
k = (size_t)(hc & ((uint32_t)ht->num_buckets - 1));
for (e = ht->buckets[k]; e != NULL; e = e->next) {
if (eqstring(name, e->name)) {
return e->value;
}
}
return NULL;
}
static void
HT_clear(HT *ht, void (*free_value)(void *value))
{
size_t u;
for (u = 0; u < ht->num_buckets; u ++) {
ht_elt *e, *f;
f = NULL;
for (e = ht->buckets[u]; e != NULL; e = f) {
f = e->next;
xfree(e->name);
if (free_value != 0) {
free_value(e->value);
}
xfree(e);
}
ht->buckets[u] = NULL;
}
ht->size = 0;
}
static void
HT_free(HT *ht, void (*free_value)(void *value))
{
HT_clear(ht, free_value);
xfree(ht->buckets);
xfree(ht);
}
/* unused
static size_t
HT_size(HT *ht)
{
return ht->size;
}
*/
static unsigned char *
read_all(FILE *f, size_t *len)
{
unsigned char *buf;
size_t ptr, blen;
blen = 1024;
buf = xmalloc(blen);
ptr = 0;
for (;;) {
size_t rlen;
if (ptr == blen) {
unsigned char *buf2;
blen <<= 1;
buf2 = xmalloc(blen);
memcpy(buf2, buf, ptr);
xfree(buf);
buf = buf2;
}
rlen = fread(buf + ptr, 1, blen - ptr, f);
if (rlen == 0) {
unsigned char *buf3;
buf3 = xmalloc(ptr);
memcpy(buf3, buf, ptr);
xfree(buf);
*len = ptr;
return buf3;
}
ptr += rlen;
}
}
static unsigned char *
read_file(const char *name, size_t *len)
{
FILE *f;
unsigned char *buf;
#ifdef DIRNAME
char *dname;
dname = xmalloc(strlen(DIRNAME) + strlen(name) + 2);
sprintf(dname, "%s/%s", DIRNAME, name);
name = dname;
#endif
f = fopen(name, "rb");
if (f == NULL) {
fprintf(stderr, "could not open file '%s'\n", name);
exit(EXIT_FAILURE);
}
buf = read_all(f, len);
if (ferror(f)) {
fprintf(stderr, "read error on file '%s'\n", name);
exit(EXIT_FAILURE);
}
fclose(f);
#ifdef DIRNAME
xfree(dname);
#endif
return buf;
}
static int
parse_dec(const char *s, unsigned len, int *val)
{
int acc;
acc = 0;
while (len -- > 0) {
int c;
c = *s ++;
if (c >= '0' && c <= '9') {
acc = (acc * 10) + (c - '0');
} else {
return -1;
}
}
*val = acc;
return 0;
}
static int
parse_choice(const char *s, const char *acceptable)
{
int c;
c = *s;
while (*acceptable) {
if (c == *acceptable ++) {
return 0;
}
}
return -1;
}
static int
month_length(int year, int month)
{
static const int base_month_length[] = {
31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
};
int x;
x = base_month_length[month - 1];
if (month == 2 && year % 4 == 0
&& (year % 100 != 0 || year % 400 == 0))
{
x ++;
}
return x;
}
/*
* Convert a time string to a days+seconds count. Returned value is 0
* on success, -1 on error.
*/
static int
string_to_time(const char *s, uint32_t *days, uint32_t *seconds)
{
int year, month, day, hour, minute, second;
int day_of_year, leaps, i;
if (parse_dec(s, 4, &year) < 0) {
return -1;
}
s += 4;
if (parse_choice(s ++, "-:/ ") < 0) {
return -1;
}
if (parse_dec(s, 2, &month) < 0) {
return -1;
}
s += 2;
if (parse_choice(s ++, "-:/ ") < 0) {
return -1;
}
if (parse_dec(s, 2, &day) < 0) {
return -1;
}
s += 2;
if (parse_choice(s ++, " T") < 0) {
return -1;
}
if (parse_dec(s, 2, &hour) < 0) {
return -1;
}
s += 2;
if (parse_choice(s ++, "-:/ ") < 0) {
return -1;
}
if (parse_dec(s, 2, &minute) < 0) {
return -1;
}
s += 2;
if (parse_choice(s ++, "-:/ ") < 0) {
return -1;
}
if (parse_dec(s, 2, &second) < 0) {
return -1;
}
s += 2;
if (*s == '.') {
while (*s && *s >= '0' && *s <= '9') {
s ++;
}
}
if (*s) {
if (*s ++ != 'Z') {
return -1;
}
if (*s) {
return -1;
}
}
if (month < 1 || month > 12) {
return -1;
}
day_of_year = 0;
for (i = 1; i < month; i ++) {
day_of_year += month_length(year, i);
}
if (day < 1 || day > month_length(year, month)) {
return -1;
}
day_of_year += (day - 1);
leaps = (year + 3) / 4 - (year + 99) / 100 + (year + 399) / 400;
if (hour > 23 || minute > 59 || second > 60) {
return -1;
}
*days = (uint32_t)year * 365 + (uint32_t)leaps + day_of_year;
*seconds = (uint32_t)hour * 3600 + minute * 60 + second;
return 0;
}
static FILE *conf;
static int conf_delayed_char;
static long conf_linenum;
static string_builder *line_builder;
static long current_linenum;
static void
conf_init(const char *fname)
{
conf = fopen(fname, "r");
if (conf == NULL) {
fprintf(stderr, "could not open file '%s'\n", fname);
exit(EXIT_FAILURE);
}
conf_delayed_char = -1;
conf_linenum = 1;
line_builder = SB_new();
}
static void
conf_close(void)
{
if (conf != NULL) {
if (ferror(conf)) {
fprintf(stderr, "read error on configuration file\n");
exit(EXIT_FAILURE);
}
fclose(conf);
conf = NULL;
}
if (line_builder != NULL) {
SB_free(line_builder);
line_builder = NULL;
}
}
/*
* Get next character from the config file.
*/
static int
conf_next_low(void)
{
int x;
x = conf_delayed_char;
if (x >= 0) {
conf_delayed_char = -1;
} else {
x = fgetc(conf);
if (x == EOF) {
x = -1;
}
}
if (x == '\r') {
x = fgetc(conf);
if (x == EOF) {
x = -1;
}
if (x != '\n') {
conf_delayed_char = x;
x = '\n';
}
}
if (x == '\n') {
conf_linenum ++;
}
return x;
}
static int
is_ws(int x)
{
return x <= 32;
}
static int
is_name_char(int c)
{
return (c >= 'A' && c <= 'Z')
|| (c >= 'a' && c <= 'z')
|| (c >= '0' && c <= '9')
|| (c == '_' || c == '-' || c == '.');
}
/*
* Read a complete line. This handles line continuation; empty lines and
* comment lines are skipped; leading and trailing whitespace is removed.
* Returned value is 0 (line read) or -1 (no line, EOF reached). The line
* contents are accumulated in the line_builder.
*/
static int
conf_next_line(void)
{
for (;;) {
int c;
int lcwb;
SB_reset(line_builder);
/*
* Get first non-whitespace character. This skips empty
* lines. Comment lines (first non-whitespace character
* is a semicolon) are also skipped.
*/
for (;;) {
c = conf_next_low();
if (c < 0) {
return -1;
}
if (is_ws(c)) {
continue;
}
if (c == ';') {
for (;;) {
c = conf_next_low();
if (c < 0) {
return -1;
}
if (c == '\n') {
break;
}
}
continue;
}
break;
}
/*
* Read up the remaining of the line. The line continuation
* sequence (final backslash) is detected and processed.
*/
current_linenum = conf_linenum;
lcwb = (c == '\\');
SB_append_char(line_builder, c);
for (;;) {
c = conf_next_low();
if (c < 0) {
break;
}
if (lcwb) {
if (c == '\n') {
SB_set_length(line_builder,
SB_length(line_builder) - 1);
}
lcwb = 0;
continue;
}
if (c == '\n') {
break;
} else if (c == '\\') {
lcwb = 1;
}
SB_append_char(line_builder, c);
}
/*
* Remove trailing whitespace (if any).
*/
for (;;) {
size_t u;
u = SB_length(line_builder);
if (u == 0 || !is_ws(
SB_contents(line_builder)[u - 1]))
{
break;
}
SB_set_length(line_builder, u - 1);
}
/*
* We might end up with a totally empty line (in case there
* was a line continuation but nothing else), in which case
* we must loop.
*/
if (SB_length(line_builder) > 0) {
return 0;
}
}
}
/*
* Test whether the current line is a section header. If yes, then the
* header name is extracted, and returned as a newly allocated string.
* Otherwise, NULL is returned.
*/
static char *
parse_header_name(void)
{
char *buf, *name;
size_t u, v, w, len;
buf = SB_contents(line_builder);
len = SB_length(line_builder);
if (len < 2 || buf[0] != '[' || buf[len - 1] != ']') {
return NULL;
}
u = 1;
v = len - 1;
while (u < v && is_ws(buf[u])) {
u ++;
}
while (u < v && is_ws(buf[v - 1])) {
v --;
}
if (u == v) {
return NULL;
}
for (w = u; w < v; w ++) {
if (!is_name_char(buf[w])) {
return NULL;
}
}
len = v - u;
name = xmalloc(len + 1);
memcpy(name, buf + u, len);
name[len] = 0;
return name;
}
/*
* Parse the current line as a 'name = value' pair. The pair is pushed into
* the provided hash table. On error (including a duplicate key name),
* this function returns -1; otherwise, it returns 0.
*/
static int
parse_keyvalue(HT *d)
{
char *buf, *name, *value;
size_t u, len;
buf = SB_contents(line_builder);
len = SB_length(line_builder);
for (u = 0; u < len; u ++) {
if (!is_name_char(buf[u])) {
break;
}
}
if (u == 0) {
return -1;
}
name = xmalloc(u + 1);
memcpy(name, buf, u);
name[u] = 0;
if (HT_get(d, name) != NULL) {
xfree(name);
return -1;
}
while (u < len && is_ws(buf[u])) {
u ++;
}
if (u >= len || buf[u] != '=') {
xfree(name);
return -1;
}
u ++;
while (u < len && is_ws(buf[u])) {
u ++;
}
value = xmalloc(len - u + 1);
memcpy(value, buf + u, len - u);
value[len - u] = 0;
HT_put(d, name, value);
xfree(name);
return 0;
}
/*
* Public keys, indexed by name. Elements are pointers to br_x509_pkey
* structures.
*/
static HT *keys;
/*
* Trust anchors, indexed by name. Elements are pointers to
* test_trust_anchor structures.
*/
static HT *trust_anchors;
typedef struct {
unsigned char *dn;
size_t dn_len;
unsigned flags;
char *key_name;
} test_trust_anchor;
/*
* Test case: trust anchors, certificates (file names), key type and
* usage, expected status and EE public key.
*/
typedef struct {
char *name;
char **ta_names;
char **cert_names;
char *servername;
unsigned key_type_usage;
unsigned status;
char *ee_key_name;
unsigned hashes;
uint32_t days, seconds;
} test_case;
static test_case *all_chains;
static size_t all_chains_ptr, all_chains_len;
static void
free_key(void *value)
{
br_x509_pkey *pk;
pk = value;
switch (pk->key_type) {
case BR_KEYTYPE_RSA:
xfree((void *)pk->key.rsa.n);
xfree((void *)pk->key.rsa.e);
break;
case BR_KEYTYPE_EC:
xfree((void *)pk->key.ec.q);
break;
default:
fprintf(stderr, "unknown key type: %d\n", pk->key_type);
exit(EXIT_FAILURE);
break;
}
xfree(pk);
}
static void
free_trust_anchor(void *value)
{
test_trust_anchor *ttc;
ttc = value;
xfree(ttc->dn);
xfree(ttc->key_name);
xfree(ttc);
}
static void
free_test_case_contents(test_case *tc)
{
size_t u;
xfree(tc->name);
for (u = 0; tc->ta_names[u]; u ++) {
xfree(tc->ta_names[u]);
}
xfree(tc->ta_names);
for (u = 0; tc->cert_names[u]; u ++) {
xfree(tc->cert_names[u]);
}
xfree(tc->cert_names);
xfree(tc->servername);
xfree(tc->ee_key_name);
}
static char *
get_value(char *objtype, HT *objdata, long linenum, char *name)
{
char *value;
value = HT_get(objdata, name);
if (value == NULL) {
fprintf(stderr,
"missing property '%s' in section '%s' (line %ld)\n",
name, objtype, linenum);
exit(EXIT_FAILURE);
}
return value;
}
static unsigned char *
parse_hex(const char *name, long linenum, const char *value, size_t *len)
{
unsigned char *buf;
buf = NULL;
for (;;) {
size_t u, ptr;
int acc, z;
ptr = 0;
acc = 0;
z = 0;
for (u = 0; value[u]; u ++) {
int c;
c = value[u];
if (c >= '0' && c <= '9') {
c -= '0';
} else if (c >= 'A' && c <= 'F') {
c -= 'A' - 10;
} else if (c >= 'a' && c <= 'f') {
c -= 'a' - 10;
} else if (c == ' ' || c == ':') {
continue;
} else {
fprintf(stderr, "invalid hexadecimal character"
" in '%s' (line %ld)\n",
name, linenum);
exit(EXIT_FAILURE);
}
if (z) {
if (buf != NULL) {
buf[ptr] = (acc << 4) + c;
}
ptr ++;
} else {
acc = c;
}
z = !z;
}
if (z) {
fprintf(stderr, "invalid hexadecimal value (partial"
" byte) in '%s' (line %ld)\n",
name, linenum);
exit(EXIT_FAILURE);
}
if (buf == NULL) {
buf = xmalloc(ptr);
} else {
*len = ptr;
return buf;
}
}
}
static char **
split_names(const char *value)
{
char **names;
size_t len;
names = NULL;
len = strlen(value);
for (;;) {
size_t u, ptr;
ptr = 0;
u = 0;
while (u < len) {
size_t v;
while (u < len && is_ws(value[u])) {
u ++;
}
v = u;
while (v < len && !is_ws(value[v])) {
v ++;
}
if (v > u) {
if (names != NULL) {
char *name;
name = xmalloc(v - u + 1);
memcpy(name, value + u, v - u);
name[v - u] = 0;
names[ptr] = name;
}
ptr ++;
}
u = v;
}
if (names == NULL) {
names = xmalloc((ptr + 1) * sizeof *names);
} else {
names[ptr] = NULL;
return names;
}
}
}
static int
string_to_hash(const char *name)
{
char tmp[20];
size_t u, v;
for (u = 0, v = 0; name[u]; u ++) {
int c;
c = name[u];
if ((c >= '0' && c <= '9')
|| (c >= 'A' && c <= 'Z')
|| (c >= 'a' && c <= 'z'))
{
tmp[v ++] = c;
if (v == sizeof tmp) {
return -1;
}
}
}
tmp[v] = 0;
if (eqstring(tmp, "md5")) {
return br_md5_ID;
} else if (eqstring(tmp, "sha1")) {
return br_sha1_ID;
} else if (eqstring(tmp, "sha224")) {
return br_sha224_ID;
} else if (eqstring(tmp, "sha256")) {
return br_sha256_ID;
} else if (eqstring(tmp, "sha384")) {
return br_sha384_ID;
} else if (eqstring(tmp, "sha512")) {
return br_sha512_ID;
} else {
return -1;
}
}
static int
string_to_curve(const char *name)
{
char tmp[20];
size_t u, v;
for (u = 0, v = 0; name[u]; u ++) {
int c;
c = name[u];
if ((c >= '0' && c <= '9')
|| (c >= 'A' && c <= 'Z')
|| (c >= 'a' && c <= 'z'))
{
tmp[v ++] = c;
if (v == sizeof tmp) {
return -1;
}
}
}
tmp[v] = 0;
if (eqstring(tmp, "p256") || eqstring(tmp, "secp256r1")) {
return BR_EC_secp256r1;
} else if (eqstring(tmp, "p384") || eqstring(tmp, "secp384r1")) {
return BR_EC_secp384r1;
} else if (eqstring(tmp, "p521") || eqstring(tmp, "secp521r1")) {
return BR_EC_secp521r1;
} else {
return -1;
}
}
static void
parse_object(char *objtype, HT *objdata, long linenum)
{
char *name;
name = get_value(objtype, objdata, linenum, "name");
if (eqstring(objtype, "key")) {
char *stype;
br_x509_pkey *pk;
stype = get_value(objtype, objdata, linenum, "type");
pk = xmalloc(sizeof *pk);
if (eqstring(stype, "RSA")) {
char *sn, *se;
sn = get_value(objtype, objdata, linenum, "n");
se = get_value(objtype, objdata, linenum, "e");
pk->key_type = BR_KEYTYPE_RSA;
pk->key.rsa.n = parse_hex("modulus", linenum,
sn, &pk->key.rsa.nlen);
pk->key.rsa.e = parse_hex("exponent", linenum,
se, &pk->key.rsa.elen);
} else if (eqstring(stype, "EC")) {
char *sc, *sq;
int curve;
sc = get_value(objtype, objdata, linenum, "curve");
sq = get_value(objtype, objdata, linenum, "q");
curve = string_to_curve(sc);
if (curve < 0) {
fprintf(stderr, "unknown curve name: '%s'"
" (line %ld)\n", sc, linenum);
exit(EXIT_FAILURE);
}
pk->key_type = BR_KEYTYPE_EC;
pk->key.ec.curve = curve;
pk->key.ec.q = parse_hex("public point", linenum,
sq, &pk->key.ec.qlen);
} else {
fprintf(stderr, "unknown key type '%s' (line %ld)\n",
stype, linenum);
exit(EXIT_FAILURE);
}
if (HT_put(keys, name, pk) != NULL) {
fprintf(stderr, "duplicate key: '%s' (line %ld)\n",
name, linenum);
exit(EXIT_FAILURE);
}
} else if (eqstring(objtype, "anchor")) {
char *dnfile, *kname, *tatype;
test_trust_anchor *tta;
dnfile = get_value(objtype, objdata, linenum, "DN_file");
kname = get_value(objtype, objdata, linenum, "key");
tatype = get_value(objtype, objdata, linenum, "type");
tta = xmalloc(sizeof *tta);
tta->dn = read_file(dnfile, &tta->dn_len);
tta->key_name = xstrdup(kname);
if (eqstring(tatype, "CA")) {
tta->flags = BR_X509_TA_CA;
} else if (eqstring(tatype, "EE")) {
tta->flags = 0;
} else {
fprintf(stderr,
"unknown trust anchor type: '%s' (line %ld)\n",
tatype, linenum);
}
if (HT_put(trust_anchors, name, tta) != NULL) {
fprintf(stderr,
"duplicate trust anchor: '%s' (line %ld)\n",
name, linenum);
exit(EXIT_FAILURE);
}
} else if (eqstring(objtype, "chain")) {
test_case tc;
char *ktype, *kusage, *sstatus, *shashes, *stime;
ktype = get_value(objtype, objdata, linenum, "keytype");
kusage = get_value(objtype, objdata, linenum, "keyusage");
sstatus = get_value(objtype, objdata, linenum, "status");
tc.name = xstrdup(name);
tc.ta_names = split_names(
get_value(objtype, objdata, linenum, "anchors"));
tc.cert_names = split_names(
get_value(objtype, objdata, linenum, "chain"));
tc.servername = xstrdup(HT_get(objdata, "servername"));
if (eqstring(ktype, "RSA")) {
tc.key_type_usage = BR_KEYTYPE_RSA;
} else if (eqstring(ktype, "EC")) {
tc.key_type_usage = BR_KEYTYPE_EC;
} else {
fprintf(stderr,
"unknown key type: '%s' (line %ld)\n",
ktype, linenum);
exit(EXIT_FAILURE);
}
if (eqstring(kusage, "KEYX")) {
tc.key_type_usage |= BR_KEYTYPE_KEYX;
} else if (eqstring(kusage, "SIGN")) {
tc.key_type_usage |= BR_KEYTYPE_SIGN;
} else {
fprintf(stderr,
"unknown key usage: '%s' (line %ld)\n",
kusage, linenum);
exit(EXIT_FAILURE);
}
tc.status = (unsigned)atoi(sstatus);
if (tc.status == 0) {
tc.ee_key_name = xstrdup(
get_value(objtype, objdata, linenum, "eekey"));
} else {
tc.ee_key_name = NULL;
}
shashes = HT_get(objdata, "hashes");
if (shashes == NULL) {
tc.hashes = (unsigned)-1;
} else {
char **hns;
size_t u;
tc.hashes = 0;
hns = split_names(shashes);
for (u = 0;; u ++) {
char *hn;
int id;
hn = hns[u];
if (hn == NULL) {
break;
}
id = string_to_hash(hn);
if (id < 0) {
fprintf(stderr,
"unknown hash function '%s'"
" (line %ld)\n", hn, linenum);
exit(EXIT_FAILURE);
}
tc.hashes |= (unsigned)1 << id;
xfree(hn);
}
xfree(hns);
}
stime = HT_get(objdata, "time");
if (stime == NULL) {
stime = DEFAULT_TIME;
}
if (string_to_time(stime, &tc.days, &tc.seconds) < 0) {
fprintf(stderr, "invalid time string '%s' (line %ld)\n",
stime, linenum);
exit(EXIT_FAILURE);
}
if (all_chains_ptr == all_chains_len) {
if (all_chains_len == 0) {
all_chains_len = 8;
all_chains = xmalloc(
all_chains_len * sizeof *all_chains);
} else {
test_case *ntc;
size_t nlen;
nlen = all_chains_len << 1;
ntc = xmalloc(nlen * sizeof *ntc);
memcpy(ntc, all_chains,
all_chains_len * sizeof *all_chains);
xfree(all_chains);
all_chains = ntc;
all_chains_len = nlen;
}
}
all_chains[all_chains_ptr ++] = tc;
} else {
fprintf(stderr, "unknown section type '%s' (line %ld)\n",
objtype, linenum);
exit(EXIT_FAILURE);
}
}
static void
process_conf_file(const char *fname)
{
char *objtype;
HT *objdata;
long objlinenum;
keys = HT_new();
trust_anchors = HT_new();
all_chains = NULL;
all_chains_ptr = 0;
all_chains_len = 0;
conf_init(fname);
objtype = NULL;
objdata = HT_new();
objlinenum = 0;
for (;;) {
char *hname;
if (conf_next_line() < 0) {
break;
}
hname = parse_header_name();
if (hname != NULL) {
if (objtype != NULL) {
parse_object(objtype, objdata, objlinenum);
HT_clear(objdata, xfree);
xfree(objtype);
}
objtype = hname;
objlinenum = current_linenum;
continue;
}
if (objtype == NULL) {
fprintf(stderr, "no current section (line %ld)\n",
current_linenum);
exit(EXIT_FAILURE);
}
if (parse_keyvalue(objdata) < 0) {
fprintf(stderr, "wrong configuration, line %ld\n",
current_linenum);
exit(EXIT_FAILURE);
}
}
if (objtype != NULL) {
parse_object(objtype, objdata, objlinenum);
xfree(objtype);
}
HT_free(objdata, xfree);
conf_close();
}
static const struct {
int id;
const br_hash_class *impl;
} hash_impls[] = {
{ br_md5_ID, &br_md5_vtable },
{ br_sha1_ID, &br_sha1_vtable },
{ br_sha224_ID, &br_sha224_vtable },
{ br_sha256_ID, &br_sha256_vtable },
{ br_sha384_ID, &br_sha384_vtable },
{ br_sha512_ID, &br_sha512_vtable },
{ 0, NULL }
};
typedef struct {
unsigned char *data;
size_t len;
} blob;
static int
eqbigint(const unsigned char *b1, size_t b1_len,
const unsigned char *b2, size_t b2_len)
{
while (b1_len > 0 && *b1 == 0) {
b1 ++;
b1_len --;
}
while (b2_len > 0 && *b2 == 0) {
b2 ++;
b2_len --;
}
return b1_len == b2_len && memcmp(b1, b2, b1_len) == 0;
}
static int
eqpkey(const br_x509_pkey *pk1, const br_x509_pkey *pk2)
{
if (pk1 == pk2) {
return 1;
}
if (pk1 == NULL || pk2 == NULL) {
return 0;
}
if (pk1->key_type != pk2->key_type) {
return 0;
}
switch (pk1->key_type) {
case BR_KEYTYPE_RSA:
return eqbigint(pk1->key.rsa.n, pk1->key.rsa.nlen,
pk2->key.rsa.n, pk2->key.rsa.nlen)
&& eqbigint(pk1->key.rsa.e, pk1->key.rsa.elen,
pk2->key.rsa.e, pk2->key.rsa.elen);
case BR_KEYTYPE_EC:
return pk1->key.ec.curve == pk2->key.ec.curve
&& pk1->key.ec.qlen == pk2->key.ec.qlen
&& memcmp(pk1->key.ec.q,
pk2->key.ec.q, pk1->key.ec.qlen) == 0;
default:
fprintf(stderr, "unknown key type: %d\n", pk1->key_type);
exit(EXIT_FAILURE);
break;
}
return 0;
}
static size_t max_dp_usage;
static size_t max_rp_usage;
+static int
+check_time(void *ctx, uint32_t nbd, uint32_t nbs, uint32_t nad, uint32_t nas)
+{
+ test_case *tc;
+
+ tc = ctx;
+ if (tc->days < nbd || (tc->days == nbd && tc->seconds < nbs)) {
+ return -1;
+ }
+ if (tc->days > nad || (tc->days == nad && tc->seconds > nas)) {
+ return 1;
+ }
+ return 0;
+}
+
static void
run_test_case(test_case *tc)
{
br_x509_minimal_context ctx;
br_x509_trust_anchor *anchors;
size_t num_anchors;
size_t u;
const br_hash_class *dnhash;
size_t num_certs;
blob *certs;
br_x509_pkey *ee_pkey_ref;
const br_x509_pkey *ee_pkey;
unsigned usages;
unsigned status;
+ int j;
printf("%s: ", tc->name);
fflush(stdout);
/*
* Get the hash function to use for hashing DN. We can use just
* any supported hash function, but for the elegance of things,
* we will use one of the hash function implementations
* supported for this test case (with SHA-1 as fallback).
*/
dnhash = &br_sha1_vtable;
for (u = 0; hash_impls[u].id; u ++) {
if ((tc->hashes & ((unsigned)1 << (hash_impls[u].id))) != 0) {
dnhash = hash_impls[u].impl;
}
}
/*
* Get trust anchors.
*/
for (num_anchors = 0; tc->ta_names[num_anchors]; num_anchors ++);
anchors = xmalloc(num_anchors * sizeof *anchors);
for (u = 0; tc->ta_names[u]; u ++) {
test_trust_anchor *tta;
br_x509_pkey *tak;
tta = HT_get(trust_anchors, tc->ta_names[u]);
if (tta == NULL) {
fprintf(stderr, "no such trust anchor: '%s'\n",
tc->ta_names[u]);
exit(EXIT_FAILURE);
}
tak = HT_get(keys, tta->key_name);
if (tak == NULL) {
fprintf(stderr, "no such public key: '%s'\n",
tta->key_name);
exit(EXIT_FAILURE);
}
anchors[u].dn.data = tta->dn;
anchors[u].dn.len = tta->dn_len;
anchors[u].flags = tta->flags;
anchors[u].pkey = *tak;
}
/*
* Read all relevant certificates.
*/
for (num_certs = 0; tc->cert_names[num_certs]; num_certs ++);
certs = xmalloc(num_certs * sizeof *certs);
for (u = 0; u < num_certs; u ++) {
certs[u].data = read_file(tc->cert_names[u], &certs[u].len);
}
/*
* Get expected EE public key (if any).
*/
if (tc->ee_key_name == NULL) {
ee_pkey_ref = NULL;
} else {
ee_pkey_ref = HT_get(keys, tc->ee_key_name);
if (ee_pkey_ref == NULL) {
fprintf(stderr, "no such public key: '%s'\n",
tc->ee_key_name);
exit(EXIT_FAILURE);
}
}
/*
- * Initialise the engine.
+ * We do the test twice, to exercise distinct API functions.
*/
- br_x509_minimal_init(&ctx, dnhash, anchors, num_anchors);
- for (u = 0; hash_impls[u].id; u ++) {
- int id;
+ for (j = 0; j < 2; j ++) {
+ /*
+ * Initialise the engine.
+ */
+ br_x509_minimal_init(&ctx, dnhash, anchors, num_anchors);
+ for (u = 0; hash_impls[u].id; u ++) {
+ int id;
+
+ id = hash_impls[u].id;
+ if ((tc->hashes & ((unsigned)1 << id)) != 0) {
+ br_x509_minimal_set_hash(&ctx,
+ id, hash_impls[u].impl);
+ }
+ }
+ br_x509_minimal_set_rsa(&ctx, br_rsa_pkcs1_vrfy_get_default());
+ br_x509_minimal_set_ecdsa(&ctx,
+ br_ec_get_default(), br_ecdsa_vrfy_asn1_get_default());
- id = hash_impls[u].id;
- if ((tc->hashes & ((unsigned)1 << id)) != 0) {
- br_x509_minimal_set_hash(&ctx, id, hash_impls[u].impl);
+ /*
+ * Set the validation date.
+ */
+ if (j == 0) {
+ br_x509_minimal_set_time(&ctx, tc->days, tc->seconds);
+ } else {
+ br_x509_minimal_set_time_callback(&ctx,
+ tc, &check_time);
}
- }
- br_x509_minimal_set_rsa(&ctx, br_rsa_pkcs1_vrfy_get_default());
- br_x509_minimal_set_ecdsa(&ctx,
- br_ec_get_default(), br_ecdsa_vrfy_asn1_get_default());
- /*
- * Set the validation date.
- */
- br_x509_minimal_set_time(&ctx, tc->days, tc->seconds);
+ /*
+ * Put "canaries" to detect actual stack usage.
+ */
+ for (u = 0; u < (sizeof ctx.dp_stack) / sizeof(uint32_t);
+ u ++)
+ {
+ ctx.dp_stack[u] = 0xA7C083FE;
+ }
+ for (u = 0; u < (sizeof ctx.rp_stack) / sizeof(uint32_t);
+ u ++)
+ {
+ ctx.rp_stack[u] = 0xA7C083FE;
+ }
- /*
- * Put "canaries" to detect actual stack usage.
- */
- for (u = 0; u < (sizeof ctx.dp_stack) / sizeof(uint32_t); u ++) {
- ctx.dp_stack[u] = 0xA7C083FE;
- }
- for (u = 0; u < (sizeof ctx.rp_stack) / sizeof(uint32_t); u ++) {
- ctx.rp_stack[u] = 0xA7C083FE;
- }
+ /*
+ * Run the engine. We inject certificates by chunks of 100
+ * bytes in order to exercise the coroutine API.
+ */
+ ctx.vtable->start_chain(&ctx.vtable, tc->servername);
+ for (u = 0; u < num_certs; u ++) {
+ size_t v;
- /*
- * Run the engine. We inject certificates by chunks of 100 bytes
- * in order to exercise the coroutine API.
- */
- ctx.vtable->start_chain(&ctx.vtable, tc->servername);
- for (u = 0; u < num_certs; u ++) {
- size_t v;
+ ctx.vtable->start_cert(&ctx.vtable, certs[u].len);
+ v = 0;
+ while (v < certs[u].len) {
+ size_t w;
- ctx.vtable->start_cert(&ctx.vtable, certs[u].len);
- v = 0;
- while (v < certs[u].len) {
- size_t w;
+ w = certs[u].len - v;
+ if (w > 100) {
+ w = 100;
+ }
+ ctx.vtable->append(&ctx.vtable,
+ certs[u].data + v, w);
+ v += w;
+ }
+ ctx.vtable->end_cert(&ctx.vtable);
+ }
+ status = ctx.vtable->end_chain(&ctx.vtable);
+ ee_pkey = ctx.vtable->get_pkey(&ctx.vtable, &usages);
- w = certs[u].len - v;
- if (w > 100) {
- w = 100;
+ /*
+ * Check key type and usage.
+ */
+ if (ee_pkey != NULL) {
+ unsigned ktu;
+
+ ktu = ee_pkey->key_type | usages;
+ if (tc->key_type_usage != (ktu & tc->key_type_usage)) {
+ fprintf(stderr, "wrong key type + usage"
+ " (expected 0x%02X, got 0x%02X)\n",
+ tc->key_type_usage, ktu);
+ exit(EXIT_FAILURE);
}
- ctx.vtable->append(&ctx.vtable, certs[u].data + v, w);
- v += w;
}
- ctx.vtable->end_cert(&ctx.vtable);
- }
- status = ctx.vtable->end_chain(&ctx.vtable);
- ee_pkey = ctx.vtable->get_pkey(&ctx.vtable, &usages);
- /*
- * Check key type and usage.
- */
- if (ee_pkey != NULL) {
- unsigned ktu;
-
- ktu = ee_pkey->key_type | usages;
- if (tc->key_type_usage != (ktu & tc->key_type_usage)) {
- fprintf(stderr, "wrong key type + usage"
- " (expected 0x%02X, got 0x%02X)\n",
- tc->key_type_usage, ktu);
+ /*
+ * Check results. Note that we may still get a public key if
+ * the path is "not trusted" (but otherwise fine).
+ */
+ if (status != tc->status) {
+ fprintf(stderr, "wrong status (got %d, expected %d)\n",
+ status, tc->status);
+ exit(EXIT_FAILURE);
+ }
+ if (status == BR_ERR_X509_NOT_TRUSTED) {
+ ee_pkey = NULL;
+ }
+ if (!eqpkey(ee_pkey, ee_pkey_ref)) {
+ fprintf(stderr, "wrong EE public key\n");
exit(EXIT_FAILURE);
}
- }
-
- /*
- * Check results. Note that we may still get a public key if
- * the path is "not trusted" (but otherwise fine).
- */
- if (status != tc->status) {
- fprintf(stderr, "wrong status (got %d, expected %d)\n",
- status, tc->status);
- exit(EXIT_FAILURE);
- }
- if (status == BR_ERR_X509_NOT_TRUSTED) {
- ee_pkey = NULL;
- }
- if (!eqpkey(ee_pkey, ee_pkey_ref)) {
- fprintf(stderr, "wrong EE public key\n");
- exit(EXIT_FAILURE);
- }
- /*
- * Check stack usage.
- */
- for (u = (sizeof ctx.dp_stack) / sizeof(uint32_t); u > 0; u --) {
- if (ctx.dp_stack[u - 1] != 0xA7C083FE) {
- if (max_dp_usage < u) {
- max_dp_usage = u;
+ /*
+ * Check stack usage.
+ */
+ for (u = (sizeof ctx.dp_stack) / sizeof(uint32_t);
+ u > 0; u --)
+ {
+ if (ctx.dp_stack[u - 1] != 0xA7C083FE) {
+ if (max_dp_usage < u) {
+ max_dp_usage = u;
+ }
+ break;
}
- break;
}
- }
- for (u = (sizeof ctx.rp_stack) / sizeof(uint32_t); u > 0; u --) {
- if (ctx.rp_stack[u - 1] != 0xA7C083FE) {
- if (max_rp_usage < u) {
- max_rp_usage = u;
+ for (u = (sizeof ctx.rp_stack) / sizeof(uint32_t);
+ u > 0; u --)
+ {
+ if (ctx.rp_stack[u - 1] != 0xA7C083FE) {
+ if (max_rp_usage < u) {
+ max_rp_usage = u;
+ }
+ break;
}
- break;
}
}
/*
* Release everything.
*/
for (u = 0; u < num_certs; u ++) {
xfree(certs[u].data);
}
xfree(certs);
xfree(anchors);
printf("OK\n");
}
/*
* A custom structure for tests, synchronised with the test certificate
* names.crt.
*
* If num is 1 or more, then this is a DN element with OID '1.1.1.1.num'.
* If num is -1 or less, then this is a SAN element of type -num.
* If num is 0, then this is a SAN element of type OtherName with
* OID 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN).
*/
typedef struct {
int num;
int status;
const char *expected;
} name_element_test;
static name_element_test names_ref[] = {
/* === DN tests === */
{
/* [12] 66:6f:6f */
1, 1, "foo"
},
{
/* [12] 62:61:72 */
1, 1, "bar"
},
{
/* [18] 31:32:33:34 */
2, 1, "1234"
},
{
/* [19] 66:6f:6f */
3, 1, "foo"
},
{
/* [20] 66:6f:6f */
4, 1, "foo"
},
{
/* [22] 66:6f:6f */
5, 1, "foo"
},
{
/* [30] 00:66:00:6f:00:6f */
6, 1, "foo"
},
{
/* [30] fe:ff:00:66:00:6f:00:6f */
7, 1, "foo"
},
{
/* [30] ff:fe:66:00:6f:00:6f:00 */
8, 1, "foo"
},
{
/* [20] 63:61:66:e9 */
9, 1, "caf\xC3\xA9"
},
{
/* [12] 63:61:66:c3:a9 */
10, 1, "caf\xC3\xA9"
},
{
/* [12] 63:61:66:e0:83:a9 */
11, -1, NULL
},
{
/* [12] 63:61:66:e3:90:8c */
12, 1, "caf\xE3\x90\x8C"
},
{
/* [30] 00:63:00:61:00:66:34:0c */
13, 1, "caf\xE3\x90\x8C"
},
{
/* [12] 63:61:66:c3 */
14, -1, NULL
},
{
/* [30] d8:42:df:f4:00:67:00:6f */
15, 1, "\xF0\xA0\xAF\xB4go"
},
{
/* [30] 00:66:d8:42 */
16, -1, NULL
},
{
/* [30] d8:42:00:66 */
17, -1, NULL
},
{
/* [30] df:f4:00:66 */
18, -1, NULL
},
{
/* [12] 66:00:6f */
19, -1, NULL
},
{
/* [30] 00:00:34:0c */
20, -1, NULL
},
{
/* [30] 34:0c:00:00:00:66 */
21, -1, NULL
},
{
/* [12] ef:bb:bf:66:6f:6f */
22, 1, "foo"
},
{
/* [30] 00:66:ff:fe:00:6f */
23, -1, NULL
},
{
/* [30] 00:66:ff:fd:00:6f */
24, 1, "f\xEF\xBF\xBDo"
},
/* === Value not found in the DN === */
{
127, 0, NULL
},
/* === SAN tests === */
{
/* SAN OtherName (Microsoft UPN) */
0, 1, "foo@bar.com"
},
{
/* SAN rfc822Name */
-1, 1, "bar@foo.com"
},
{
/* SAN dNSName */
-2, 1, "example.com"
},
{
/* SAN dNSName */
-2, 1, "www.example.com"
},
{
/* uniformResourceIdentifier */
-6, 1, "http://www.example.com/"
}
};
static void
free_name_elements(br_name_element *elts, size_t num)
{
size_t u;
for (u = 0; u < num; u ++) {
xfree((void *)elts[u].oid);
xfree(elts[u].buf);
}
xfree(elts);
}
static void
test_name_extraction(void)
{
unsigned char *data;
size_t len;
br_x509_minimal_context ctx;
uint32_t days, seconds;
size_t u;
unsigned status;
br_name_element *names;
size_t num_names;
int good;
printf("Name extraction: ");
fflush(stdout);
data = read_file("names.crt", &len);
br_x509_minimal_init(&ctx, &br_sha256_vtable, NULL, 0);
for (u = 0; hash_impls[u].id; u ++) {
int id;
id = hash_impls[u].id;
br_x509_minimal_set_hash(&ctx, id, hash_impls[u].impl);
}
br_x509_minimal_set_rsa(&ctx, br_rsa_pkcs1_vrfy_get_default());
br_x509_minimal_set_ecdsa(&ctx,
br_ec_get_default(), br_ecdsa_vrfy_asn1_get_default());
string_to_time(DEFAULT_TIME, &days, &seconds);
br_x509_minimal_set_time(&ctx, days, seconds);
num_names = (sizeof names_ref) / (sizeof names_ref[0]);
names = xmalloc(num_names * sizeof *names);
for (u = 0; u < num_names; u ++) {
int num;
unsigned char *oid;
num = names_ref[u].num;
if (num > 0) {
oid = xmalloc(5);
oid[0] = 4;
oid[1] = 0x29;
oid[2] = 0x01;
oid[3] = 0x01;
oid[4] = num;
} else if (num == 0) {
oid = xmalloc(13);
oid[0] = 0x00;
oid[1] = 0x00;
oid[2] = 0x0A;
oid[3] = 0x2B;
oid[4] = 0x06;
oid[5] = 0x01;
oid[6] = 0x04;
oid[7] = 0x01;
oid[8] = 0x82;
oid[9] = 0x37;
oid[10] = 0x14;
oid[11] = 0x02;
oid[12] = 0x03;
} else {
oid = xmalloc(2);
oid[0] = 0x00;
oid[1] = -num;
}
names[u].oid = oid;
names[u].buf = xmalloc(256);
names[u].len = 256;
}
br_x509_minimal_set_name_elements(&ctx, names, num_names);
/*
* Put "canaries" to detect actual stack usage.
*/
for (u = 0; u < (sizeof ctx.dp_stack) / sizeof(uint32_t); u ++) {
ctx.dp_stack[u] = 0xA7C083FE;
}
for (u = 0; u < (sizeof ctx.rp_stack) / sizeof(uint32_t); u ++) {
ctx.rp_stack[u] = 0xA7C083FE;
}
/*
* Run the engine. Since we set no trust anchor, we expect a status
* of "not trusted".
*/
ctx.vtable->start_chain(&ctx.vtable, NULL);
ctx.vtable->start_cert(&ctx.vtable, len);
ctx.vtable->append(&ctx.vtable, data, len);
ctx.vtable->end_cert(&ctx.vtable);
status = ctx.vtable->end_chain(&ctx.vtable);
if (status != BR_ERR_X509_NOT_TRUSTED) {
fprintf(stderr, "wrong status: %u\n", status);
exit(EXIT_FAILURE);
}
/*
* Check stack usage.
*/
for (u = (sizeof ctx.dp_stack) / sizeof(uint32_t); u > 0; u --) {
if (ctx.dp_stack[u - 1] != 0xA7C083FE) {
if (max_dp_usage < u) {
max_dp_usage = u;
}
break;
}
}
for (u = (sizeof ctx.rp_stack) / sizeof(uint32_t); u > 0; u --) {
if (ctx.rp_stack[u - 1] != 0xA7C083FE) {
if (max_rp_usage < u) {
max_rp_usage = u;
}
break;
}
}
good = 1;
for (u = 0; u < num_names; u ++) {
if (names[u].status != names_ref[u].status) {
printf("ERR: name %u (id=%d): status=%d, expected=%d\n",
(unsigned)u, names_ref[u].num,
names[u].status, names_ref[u].status);
if (names[u].status > 0) {
unsigned char *p;
printf(" obtained:");
p = (unsigned char *)names[u].buf;
while (*p) {
printf(" %02X", *p ++);
}
printf("\n");
}
good = 0;
continue;
}
if (names_ref[u].expected == NULL) {
if (names[u].buf[0] != 0) {
printf("ERR: name %u not zero-terminated\n",
(unsigned)u);
good = 0;
continue;
}
} else {
if (strcmp(names[u].buf, names_ref[u].expected) != 0) {
unsigned char *p;
printf("ERR: name %u (id=%d): wrong value\n",
(unsigned)u, names_ref[u].num);
printf(" expected:");
p = (unsigned char *)names_ref[u].expected;
while (*p) {
printf(" %02X", *p ++);
}
printf("\n");
printf(" obtained:");
p = (unsigned char *)names[u].buf;
while (*p) {
printf(" %02X", *p ++);
}
printf("\n");
good = 0;
continue;
}
}
}
if (!good) {
exit(EXIT_FAILURE);
}
/*
for (u = 0; u < num_names; u ++) {
printf("%u: (%d)", (unsigned)u, names[u].status);
if (names[u].status > 0) {
size_t v;
for (v = 0; names[u].buf[v]; v ++) {
printf(" %02x", names[u].buf[v]);
}
}
printf("\n");
}
*/
xfree(data);
free_name_elements(names, num_names);
printf("OK\n");
}
int
main(int argc, const char *argv[])
{
size_t u;
#ifdef SRCDIRNAME
/*
* We want to change the current directory to that of the
* executable, so that test files are reliably located. We
* do that only if SRCDIRNAME is defined (old Makefile would
* not do that).
*/
if (argc >= 1) {
const char *arg, *c;
arg = argv[0];
for (c = arg + strlen(arg);; c --) {
int sep, r;
#ifdef _WIN32
sep = (*c == '/') || (*c == '\\');
#else
sep = (*c == '/');
#endif
if (sep) {
size_t len;
char *dn;
len = 1 + (c - arg);
dn = xmalloc(len + 1);
memcpy(dn, arg, len);
dn[len] = 0;
#ifdef _WIN32
r = _chdir(dn);
#else
r = chdir(dn);
#endif
if (r != 0) {
fprintf(stderr, "warning: could not"
" set directory to '%s'\n", dn);
}
xfree(dn);
break;
}
if (c == arg) {
break;
}
}
}
#else
(void)argc;
(void)argv;
#endif
process_conf_file(CONFFILE);
max_dp_usage = 0;
max_rp_usage = 0;
for (u = 0; u < all_chains_ptr; u ++) {
run_test_case(&all_chains[u]);
}
test_name_extraction();
printf("Maximum data stack usage: %u\n", (unsigned)max_dp_usage);
printf("Maximum return stack usage: %u\n", (unsigned)max_rp_usage);
HT_free(keys, free_key);
HT_free(trust_anchors, free_trust_anchor);
for (u = 0; u < all_chains_ptr; u ++) {
free_test_case_contents(&all_chains[u]);
}
xfree(all_chains);
return 0;
}
diff --git a/contrib/bearssl/tools/sslio.c b/contrib/bearssl/tools/sslio.c
index ef7dd3f6765a..be07c2c098ca 100644
--- a/contrib/bearssl/tools/sslio.c
+++ b/contrib/bearssl/tools/sslio.c
@@ -1,760 +1,760 @@
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <fcntl.h>
#include <poll.h>
#define SOCKET int
#define INVALID_SOCKET (-1)
#endif
#include "brssl.h"
static void
dump_blob(const char *name, const void *data, size_t len)
{
const unsigned char *buf;
size_t u;
buf = data;
fprintf(stderr, "%s (len = %lu)", name, (unsigned long)len);
for (u = 0; u < len; u ++) {
if ((u & 15) == 0) {
fprintf(stderr, "\n%08lX ", (unsigned long)u);
} else if ((u & 7) == 0) {
fprintf(stderr, " ");
}
fprintf(stderr, " %02x", buf[u]);
}
fprintf(stderr, "\n");
}
/*
* Inspect the provided data in case it is a "command" to trigger a
* special behaviour. If the command is recognised, then it is executed
* and this function returns 1. Otherwise, this function returns 0.
*/
static int
run_command(br_ssl_engine_context *cc, unsigned char *buf, size_t len)
{
/*
* A single static slot for saving session parameters.
*/
static br_ssl_session_parameters slot;
static int slot_used = 0;
size_t u;
if (len < 2 || len > 3) {
return 0;
}
if (len == 3 && (buf[1] != '\r' || buf[2] != '\n')) {
return 0;
}
if (len == 2 && buf[1] != '\n') {
return 0;
}
switch (buf[0]) {
case 'Q':
fprintf(stderr, "closing...\n");
br_ssl_engine_close(cc);
return 1;
case 'R':
if (br_ssl_engine_renegotiate(cc)) {
fprintf(stderr, "renegotiating...\n");
} else {
fprintf(stderr, "not renegotiating.\n");
}
return 1;
case 'F':
/*
* Session forget is nominally client-only. But the
* session parameters are in the engine structure, which
* is the first field of the client context, so the cast
* still works properly. On the server, this forgetting
* has no effect.
*/
fprintf(stderr, "forgetting session...\n");
br_ssl_client_forget_session((br_ssl_client_context *)cc);
return 1;
case 'S':
fprintf(stderr, "saving session parameters...\n");
br_ssl_engine_get_session_parameters(cc, &slot);
fprintf(stderr, " id = ");
for (u = 0; u < slot.session_id_len; u ++) {
fprintf(stderr, "%02X", slot.session_id[u]);
}
fprintf(stderr, "\n");
slot_used = 1;
return 1;
case 'P':
if (slot_used) {
fprintf(stderr, "restoring session parameters...\n");
fprintf(stderr, " id = ");
for (u = 0; u < slot.session_id_len; u ++) {
fprintf(stderr, "%02X", slot.session_id[u]);
}
fprintf(stderr, "\n");
br_ssl_engine_set_session_parameters(cc, &slot);
return 1;
}
return 0;
default:
return 0;
}
}
#ifdef _WIN32
typedef struct {
unsigned char buf[1024];
size_t ptr, len;
} in_buffer;
static int
in_return_bytes(in_buffer *bb, unsigned char *buf, size_t len)
{
if (bb->ptr < bb->len) {
size_t clen;
if (buf == NULL) {
return 1;
}
clen = bb->len - bb->ptr;
if (clen > len) {
clen = len;
}
memcpy(buf, bb->buf + bb->ptr, clen);
bb->ptr += clen;
if (bb->ptr == bb->len) {
bb->ptr = bb->len = 0;
}
return (int)clen;
}
return 0;
}
/*
* A buffered version of in_read(), using a buffer to return only
* full lines when feasible.
*/
static int
in_read_buffered(HANDLE h_in, in_buffer *bb, unsigned char *buf, size_t len)
{
int n;
if (len == 0) {
return 0;
}
n = in_return_bytes(bb, buf, len);
if (n != 0) {
return n;
}
for (;;) {
INPUT_RECORD inrec;
DWORD v;
if (!PeekConsoleInput(h_in, &inrec, 1, &v)) {
fprintf(stderr, "ERROR: PeekConsoleInput()"
" failed with 0x%08lX\n",
(unsigned long)GetLastError());
return -1;
}
if (v == 0) {
return 0;
}
if (!ReadConsoleInput(h_in, &inrec, 1, &v)) {
fprintf(stderr, "ERROR: ReadConsoleInput()"
" failed with 0x%08lX\n",
(unsigned long)GetLastError());
return -1;
}
if (v == 0) {
return 0;
}
if (inrec.EventType == KEY_EVENT
&& inrec.Event.KeyEvent.bKeyDown)
{
int c;
c = inrec.Event.KeyEvent.uChar.AsciiChar;
if (c == '\n' || c == '\r' || c == '\t'
|| (c >= 32 && c != 127))
{
if (c == '\r') {
c = '\n';
}
bb->buf[bb->ptr ++] = (unsigned char)c;
printf("%c", c);
fflush(stdout);
bb->len = bb->ptr;
if (bb->len == sizeof bb->buf || c == '\n') {
bb->ptr = 0;
return in_return_bytes(bb, buf, len);
}
}
}
}
}
static int
in_avail_buffered(HANDLE h_in, in_buffer *bb)
{
return in_read_buffered(h_in, bb, NULL, 1);
}
#endif
/* see brssl.h */
int
run_ssl_engine(br_ssl_engine_context *cc, unsigned long fd, unsigned flags)
{
int hsdetails;
int retcode;
int verbose;
int trace;
#ifdef _WIN32
WSAEVENT fd_event;
int can_send, can_recv;
HANDLE h_in, h_out;
in_buffer bb;
#endif
hsdetails = 0;
retcode = 0;
verbose = (flags & RUN_ENGINE_VERBOSE) != 0;
trace = (flags & RUN_ENGINE_TRACE) != 0;
/*
* Print algorithm details.
*/
if (verbose) {
const char *rngname;
fprintf(stderr, "Algorithms:\n");
br_prng_seeder_system(&rngname);
fprintf(stderr, " RNG: %s\n", rngname);
if (cc->iaes_cbcenc != 0) {
fprintf(stderr, " AES/CBC (enc): %s\n",
get_algo_name(cc->iaes_cbcenc, 0));
}
if (cc->iaes_cbcdec != 0) {
fprintf(stderr, " AES/CBC (dec): %s\n",
get_algo_name(cc->iaes_cbcdec, 0));
}
if (cc->iaes_ctr != 0) {
fprintf(stderr, " AES/CTR: %s\n",
- get_algo_name(cc->iaes_cbcdec, 0));
+ get_algo_name(cc->iaes_ctr, 0));
}
if (cc->iaes_ctrcbc != 0) {
fprintf(stderr, " AES/CCM: %s\n",
get_algo_name(cc->iaes_ctrcbc, 0));
}
if (cc->ides_cbcenc != 0) {
fprintf(stderr, " DES/CBC (enc): %s\n",
get_algo_name(cc->ides_cbcenc, 0));
}
if (cc->ides_cbcdec != 0) {
fprintf(stderr, " DES/CBC (dec): %s\n",
get_algo_name(cc->ides_cbcdec, 0));
}
if (cc->ighash != 0) {
fprintf(stderr, " GHASH (GCM): %s\n",
get_algo_name(cc->ighash, 0));
}
if (cc->ichacha != 0) {
fprintf(stderr, " ChaCha20: %s\n",
get_algo_name(cc->ichacha, 0));
}
if (cc->ipoly != 0) {
fprintf(stderr, " Poly1305: %s\n",
get_algo_name(cc->ipoly, 0));
}
if (cc->iec != 0) {
fprintf(stderr, " EC: %s\n",
get_algo_name(cc->iec, 0));
}
if (cc->iecdsa != 0) {
fprintf(stderr, " ECDSA: %s\n",
get_algo_name(cc->iecdsa, 0));
}
if (cc->irsavrfy != 0) {
fprintf(stderr, " RSA (vrfy): %s\n",
get_algo_name(cc->irsavrfy, 0));
}
}
#ifdef _WIN32
fd_event = WSA_INVALID_EVENT;
can_send = 0;
can_recv = 0;
bb.ptr = bb.len = 0;
#endif
/*
* On Unix systems, we need to follow three descriptors:
* standard input (0), standard output (1), and the socket
* itself (for both read and write). This is done with a poll()
* call.
*
* On Windows systems, we use WSAEventSelect() to associate
* an event handle with the network activity, and we use
* WaitForMultipleObjectsEx() on that handle and the standard
* input handle, when appropriate. Standard output is assumed
* to be always writeable, and standard input to be the console;
* this does not work well (or at all) with redirections (to
* pipes or files) but it should be enough for a debug tool
* (TODO: make something that handles redirections as well).
*/
#ifdef _WIN32
fd_event = WSACreateEvent();
if (fd_event == WSA_INVALID_EVENT) {
fprintf(stderr, "ERROR: WSACreateEvent() failed with %d\n",
WSAGetLastError());
retcode = -2;
goto engine_exit;
}
WSAEventSelect(fd, fd_event, FD_READ | FD_WRITE | FD_CLOSE);
h_in = GetStdHandle(STD_INPUT_HANDLE);
h_out = GetStdHandle(STD_OUTPUT_HANDLE);
SetConsoleMode(h_in, ENABLE_ECHO_INPUT
| ENABLE_LINE_INPUT
| ENABLE_PROCESSED_INPUT
| ENABLE_PROCESSED_OUTPUT
| ENABLE_WRAP_AT_EOL_OUTPUT);
#else
/*
* Make sure that stdin and stdout are non-blocking.
*/
fcntl(0, F_SETFL, O_NONBLOCK);
fcntl(1, F_SETFL, O_NONBLOCK);
#endif
/*
* Perform the loop.
*/
for (;;) {
unsigned st;
int sendrec, recvrec, sendapp, recvapp;
#ifdef _WIN32
HANDLE pfd[2];
DWORD wt;
#else
struct pollfd pfd[3];
int n;
#endif
size_t u, k_fd, k_in, k_out;
int sendrec_ok, recvrec_ok, sendapp_ok, recvapp_ok;
/*
* Get current engine state.
*/
st = br_ssl_engine_current_state(cc);
if (st == BR_SSL_CLOSED) {
int err;
err = br_ssl_engine_last_error(cc);
if (err == BR_ERR_OK) {
if (verbose) {
fprintf(stderr,
"SSL closed normally\n");
}
retcode = 0;
goto engine_exit;
} else {
fprintf(stderr, "ERROR: SSL error %d", err);
retcode = err;
if (err >= BR_ERR_SEND_FATAL_ALERT) {
err -= BR_ERR_SEND_FATAL_ALERT;
fprintf(stderr,
" (sent alert %d)\n", err);
} else if (err >= BR_ERR_RECV_FATAL_ALERT) {
err -= BR_ERR_RECV_FATAL_ALERT;
fprintf(stderr,
" (received alert %d)\n", err);
} else {
const char *ename;
ename = find_error_name(err, NULL);
if (ename == NULL) {
ename = "unknown";
}
fprintf(stderr, " (%s)\n", ename);
}
goto engine_exit;
}
}
/*
* Compute descriptors that must be polled, depending
* on engine state.
*/
sendrec = ((st & BR_SSL_SENDREC) != 0);
recvrec = ((st & BR_SSL_RECVREC) != 0);
sendapp = ((st & BR_SSL_SENDAPP) != 0);
recvapp = ((st & BR_SSL_RECVAPP) != 0);
if (verbose && sendapp && !hsdetails) {
char csn[80];
const char *pname;
fprintf(stderr, "Handshake completed\n");
fprintf(stderr, " version: ");
switch (cc->session.version) {
case BR_SSL30:
fprintf(stderr, "SSL 3.0");
break;
case BR_TLS10:
fprintf(stderr, "TLS 1.0");
break;
case BR_TLS11:
fprintf(stderr, "TLS 1.1");
break;
case BR_TLS12:
fprintf(stderr, "TLS 1.2");
break;
default:
fprintf(stderr, "unknown (0x%04X)",
(unsigned)cc->session.version);
break;
}
fprintf(stderr, "\n");
get_suite_name_ext(
cc->session.cipher_suite, csn, sizeof csn);
fprintf(stderr, " cipher suite: %s\n", csn);
if (uses_ecdhe(cc->session.cipher_suite)) {
get_curve_name_ext(
br_ssl_engine_get_ecdhe_curve(cc),
csn, sizeof csn);
fprintf(stderr,
" ECDHE curve: %s\n", csn);
}
fprintf(stderr, " secure renegotiation: %s\n",
cc->reneg == 1 ? "no" : "yes");
pname = br_ssl_engine_get_selected_protocol(cc);
if (pname != NULL) {
fprintf(stderr,
" protocol name (ALPN): %s\n",
pname);
}
hsdetails = 1;
}
k_fd = (size_t)-1;
k_in = (size_t)-1;
k_out = (size_t)-1;
u = 0;
#ifdef _WIN32
/*
* If we recorded that we can send or receive data, and we
* want to do exactly that, then we don't wait; we just do
* it.
*/
recvapp_ok = 0;
sendrec_ok = 0;
recvrec_ok = 0;
sendapp_ok = 0;
if (sendrec && can_send) {
sendrec_ok = 1;
} else if (recvrec && can_recv) {
recvrec_ok = 1;
} else if (recvapp) {
recvapp_ok = 1;
} else if (sendapp && in_avail_buffered(h_in, &bb)) {
sendapp_ok = 1;
} else {
/*
* If we cannot do I/O right away, then we must
* wait for some event, and try again.
*/
pfd[u] = (HANDLE)fd_event;
k_fd = u;
u ++;
if (sendapp) {
pfd[u] = h_in;
k_in = u;
u ++;
}
wt = WaitForMultipleObjectsEx(u, pfd,
FALSE, INFINITE, FALSE);
if (wt == WAIT_FAILED) {
fprintf(stderr, "ERROR:"
" WaitForMultipleObjectsEx()"
" failed with 0x%08lX",
(unsigned long)GetLastError());
retcode = -2;
goto engine_exit;
}
if (wt == k_fd) {
WSANETWORKEVENTS e;
if (WSAEnumNetworkEvents(fd, fd_event, &e)) {
fprintf(stderr, "ERROR:"
" WSAEnumNetworkEvents()"
" failed with %d\n",
WSAGetLastError());
retcode = -2;
goto engine_exit;
}
if (e.lNetworkEvents & (FD_WRITE | FD_CLOSE)) {
can_send = 1;
}
if (e.lNetworkEvents & (FD_READ | FD_CLOSE)) {
can_recv = 1;
}
}
continue;
}
#else
if (sendrec || recvrec) {
pfd[u].fd = fd;
pfd[u].revents = 0;
pfd[u].events = 0;
if (sendrec) {
pfd[u].events |= POLLOUT;
}
if (recvrec) {
pfd[u].events |= POLLIN;
}
k_fd = u;
u ++;
}
if (sendapp) {
pfd[u].fd = 0;
pfd[u].revents = 0;
pfd[u].events = POLLIN;
k_in = u;
u ++;
}
if (recvapp) {
pfd[u].fd = 1;
pfd[u].revents = 0;
pfd[u].events = POLLOUT;
k_out = u;
u ++;
}
n = poll(pfd, u, -1);
if (n < 0) {
if (errno == EINTR) {
continue;
}
perror("ERROR: poll()");
retcode = -2;
goto engine_exit;
}
if (n == 0) {
continue;
}
/*
* We transform closures/errors into read+write accesses
* so as to force the read() or write() call that will
* detect the situation.
*/
while (u -- > 0) {
if (pfd[u].revents & (POLLERR | POLLHUP)) {
pfd[u].revents |= POLLIN | POLLOUT;
}
}
recvapp_ok = recvapp && (pfd[k_out].revents & POLLOUT) != 0;
sendrec_ok = sendrec && (pfd[k_fd].revents & POLLOUT) != 0;
recvrec_ok = recvrec && (pfd[k_fd].revents & POLLIN) != 0;
sendapp_ok = sendapp && (pfd[k_in].revents & POLLIN) != 0;
#endif
/*
* We give preference to outgoing data, on stdout and on
* the socket.
*/
if (recvapp_ok) {
unsigned char *buf;
size_t len;
#ifdef _WIN32
DWORD wlen;
#else
ssize_t wlen;
#endif
buf = br_ssl_engine_recvapp_buf(cc, &len);
#ifdef _WIN32
if (!WriteFile(h_out, buf, len, &wlen, NULL)) {
if (verbose) {
fprintf(stderr, "stdout closed...\n");
}
retcode = -2;
goto engine_exit;
}
#else
wlen = write(1, buf, len);
if (wlen <= 0) {
if (verbose) {
fprintf(stderr, "stdout closed...\n");
}
retcode = -2;
goto engine_exit;
}
#endif
br_ssl_engine_recvapp_ack(cc, wlen);
continue;
}
if (sendrec_ok) {
unsigned char *buf;
size_t len;
int wlen;
buf = br_ssl_engine_sendrec_buf(cc, &len);
wlen = send(fd, buf, len, 0);
if (wlen <= 0) {
#ifdef _WIN32
int err;
err = WSAGetLastError();
if (err == EWOULDBLOCK
|| err == WSAEWOULDBLOCK)
{
can_send = 0;
continue;
}
#else
if (errno == EINTR || errno == EWOULDBLOCK) {
continue;
}
#endif
if (verbose) {
fprintf(stderr, "socket closed...\n");
}
retcode = -1;
goto engine_exit;
}
if (trace) {
dump_blob("Outgoing bytes", buf, wlen);
}
br_ssl_engine_sendrec_ack(cc, wlen);
continue;
}
if (recvrec_ok) {
unsigned char *buf;
size_t len;
int rlen;
buf = br_ssl_engine_recvrec_buf(cc, &len);
rlen = recv(fd, buf, len, 0);
if (rlen == 0) {
if (verbose) {
fprintf(stderr, "socket closed...\n");
}
retcode = -1;
goto engine_exit;
}
if (rlen < 0) {
#ifdef _WIN32
int err;
err = WSAGetLastError();
if (err == EWOULDBLOCK
|| err == WSAEWOULDBLOCK)
{
can_recv = 0;
continue;
}
#else
if (errno == EINTR || errno == EWOULDBLOCK) {
continue;
}
#endif
if (verbose) {
fprintf(stderr, "socket broke...\n");
}
retcode = -1;
goto engine_exit;
}
if (trace) {
dump_blob("Incoming bytes", buf, rlen);
}
br_ssl_engine_recvrec_ack(cc, rlen);
continue;
}
if (sendapp_ok) {
unsigned char *buf;
size_t len;
#ifdef _WIN32
int rlen;
#else
ssize_t rlen;
#endif
buf = br_ssl_engine_sendapp_buf(cc, &len);
#ifdef _WIN32
rlen = in_read_buffered(h_in, &bb, buf, len);
#else
rlen = read(0, buf, len);
#endif
if (rlen <= 0) {
if (verbose) {
fprintf(stderr, "stdin closed...\n");
}
br_ssl_engine_close(cc);
} else if (!run_command(cc, buf, rlen)) {
br_ssl_engine_sendapp_ack(cc, rlen);
}
br_ssl_engine_flush(cc, 0);
continue;
}
/* We should never reach that point. */
fprintf(stderr, "ERROR: poll() misbehaves\n");
retcode = -2;
goto engine_exit;
}
/*
* Release allocated structures.
*/
engine_exit:
#ifdef _WIN32
if (fd_event != WSA_INVALID_EVENT) {
WSACloseEvent(fd_event);
}
#endif
return retcode;
}
diff --git a/lib/libsecureboot/Makefile.inc b/lib/libsecureboot/Makefile.inc
index e0faf287a245..921b5e7bc1d8 100644
--- a/lib/libsecureboot/Makefile.inc
+++ b/lib/libsecureboot/Makefile.inc
@@ -1,168 +1,170 @@
# $FreeBSD$
.if empty(BEARSSL)
.include "../libbearssl/Makefile.inc"
.endif
.if !target(_${__this}_)
_${__this}_:
libsecureboot_src:= ${.PARSEDIR}
CFLAGS+= -I${libsecureboot_src}/h
+CFLAGS+= -DHAVE_BR_X509_TIME_CHECK
+
.PATH: ${.PARSEDIR}
SRCS+= \
readfile.c \
brf.c \
vesigned.c \
vets.c
.if ${.CURDIR:M*libsecureboot*} != ""
SRCS+= veta.c
.endif
CFLAGS+= ${XCFLAGS.${.TARGET:T:R}:U}
# we use a couple of files from ${BEARSSL}/tools
BRSSL_CFLAGS+= -I${BEARSSL}/tools
BRSSL_SRCS+= \
${BEARSSL}/tools/xmem.c \
${BEARSSL}/tools/vector.c
BRSSL_DEPS= \
brf.c \
vets.c \
veta.c
.if ${MK_LOADER_EFI_SECUREBOOT} != "no"
BRSSL_DEPS+= \
efi_init.c \
efi_variables.c
.endif
# we do not need/want nested objdirs
OBJS_SRCS_FILTER = T R
SRCS+= ${BRSSL_SRCS}
# extract the last cert from a chain (should be rootCA)
_LAST_PEM_USE: .USE
sed "1,`grep -n .-END ${.ALLSRC:M*.pem} | tail -2 | head -1 | sed 's,:.*,,'`d" ${.ALLSRC:M*.pem} > ${.TARGET}
# extract 2nd last cert from chain - we use this for self-test
_2ndLAST_PEM_USE: .USE
sed -n "`grep -n .-BEGIN ${.ALLSRC:M*.pem} | tail -2 | \
sed 's,:.*,,' | xargs | (read a b; echo $$a,$$(($$b - 1)))`p" ${.ALLSRC:M*.pem} > ${.TARGET}
# list of hashes we support
VE_HASH_LIST?= SHA256
# list of signatures we support
# some people don't trust ECDSA
VE_SIGNATURE_LIST?= RSA
# this list controls our search for signatures so will not be sorted
# note: for X509 signatures we assume we can replace the trailing
# "sig" with "certs" to find the certificate chain
# eg. for manifest.esig we use manifest.ecerts
VE_SIGNATURE_EXT_LIST?= sig
# needs to be yes for FIPS 140-2 compliance
VE_SELF_TESTS?= no
# rules to populate the [tv]*.pem files we use to generate ta.h
# and can add/alter VE_*_LIST as desired.
.-include "local.trust.mk"
# this is what we use as our trust anchor
CFLAGS+= -I. -DTRUST_ANCHOR_STR=ta_PEM
.if ${VE_SELF_TESTS} != "no"
XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM
.endif
# clean these up
VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u}
VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:tu:O:u}
# define what we are supporting
CFLAGS+= ${VE_HASH_LIST:@H@-DVE_$H_SUPPORT@} \
${VE_SIGNATURE_LIST:@S@-DVE_$S_SUPPORT@}
.if ${VE_SIGNATURE_LIST:MOPENPGP} != ""
.include "openpgp/Makefile.inc"
.endif
.if ${VE_SELF_TESTS} != "no"
# The input used for hash KATs
# we use a string by default so it is independent of any other test
VE_HASH_KAT_STRLEN?= strlen
.if ${VE_HASH_KAT_STRLEN} == "strlen"
VE_HASH_KAT_STR?= self-tests-are-good
VE_HASH_KAT_STR_INPUT= echo -n
XCFLAGS.vets+= -DVE_HASH_KAT_STR=\"${VE_HASH_KAT_STR}\"
.else
VE_HASH_KAT_STR?= vc_PEM
VE_HASH_KAT_STR_INPUT= cat
VE_HASH_KAT_STRLEN= sizeof
XCFLAGS.vets+= -DVE_HASH_KAT_STR=${VE_HASH_KAT_STR}
.endif
XCFLAGS.vets+= -DVE_HASH_KAT_STRLEN=${VE_HASH_KAT_STRLEN}
.endif
# this should be updated occassionally this is 2019-01-01Z
SOURCE_DATE_EPOCH?= 1546329600
.if ${MK_REPRODUCIBLE_BUILD} == "yes"
BUILD_UTC?= ${SOURCE_DATE_EPOCH}
.endif
# BUILD_UTC provides a basis for the loader's notion of time
# By default we use the mtime of BUILD_UTC_FILE
.if empty(BUILD_UTC_FILE)
BUILD_UTC_FILE:= ${.PARSEDIR:tA}/${.PARSEFILE}
.endif
# you can of course set BUILD_UTC to any value you like
BUILD_UTC?= ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}
# Generate ta.h containing one or more PEM encoded trust anchors in ta_PEM.
#
# If we are doing self-tests, we define another arrary vc_PEM
# containing certificates that we can verify for each trust anchor.
# This is typically a subordinate CA cert.
# Finally we generate a hash of VE_HASH_KAT_STR
# using each supported hash method
# to use as a Known Answer Test (needed for FIPS 140-2)
#
TA_PEM_LIST ?= ${.ALLSRC:N*crl*:Mt*.pem}
VC_PEM_LIST ?= ${.ALLSRC:N*crl*:Mv*.pem}
vets.o vets.po vets.pico: ta.h
ta.h:
@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
cat ${TA_PEM_LIST:O:u} /dev/null | \
file2c -sx 'static const char ta_PEM[] = {' '};'; \
echo "${.newline}${VE_HASH_LIST:O:u:@H@static char vh_$H[] = \"`${VE_HASH_KAT_STR_INPUT} ${VE_HASH_KAT_STR} | ${$H:U${H:tl}}`\";${.newline}@}"; ) > ${.TARGET}
.if ${VE_SELF_TESTS} != "no"
( cat ${VC_PEM_LIST:O:u} /dev/null | \
file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET}
.endif
echo '#define BUILD_UTC ${BUILD_UTC}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP}
# This header records our preference for signature extensions.
vesigned.o vesigned.po vesigned.pico: vse.h
vse.h:
@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
echo "static const char *signature_exts[] = {"; \
echo '${VE_SIGNATURE_EXT_LIST:O:u:@e@"$e",${.newline}@}'; \
echo 'NULL };' ) > ${.TARGET}
.for s in ${BRSSL_SRCS} ${BRSSL_DEPS}
.ifdef BRSSL_SED
$s: brssl.h
.endif
XCFLAGS.${s:R}+= ${BRSSL_CFLAGS}
.endfor
.endif
diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c
index 5ad53d3a3fac..4375dfa76a89 100644
--- a/lib/libsecureboot/vets.c
+++ b/lib/libsecureboot/vets.c
@@ -1,1143 +1,1143 @@
/*-
* Copyright (c) 2017-2018, Juniper Networks, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
/**
* @file vets.c - trust store
* @brief verify signatures
*
* We leverage code from BearSSL www.bearssl.org
*/
#include <sys/time.h>
#include <stdarg.h>
#define NEED_BRSSL_H
#include "libsecureboot-priv.h"
#include <brssl.h>
#include <ta.h>
#ifndef TRUST_ANCHOR_STR
# define TRUST_ANCHOR_STR ta_PEM
#endif
#define EPOCH_YEAR 1970
#define AVG_SECONDS_PER_YEAR 31556952L
#define SECONDS_PER_DAY 86400
#define SECONDS_PER_YEAR 365 * SECONDS_PER_DAY
#ifndef VE_UTC_MAX_JUMP
# define VE_UTC_MAX_JUMP 20 * SECONDS_PER_YEAR
#endif
#define X509_DAYS_TO_UTC0 719528
int DebugVe = 0;
#ifndef VE_VERIFY_FLAGS
# define VE_VERIFY_FLAGS VEF_VERBOSE
#endif
int VerifyFlags = VE_VERIFY_FLAGS;
typedef VECTOR(br_x509_certificate) cert_list;
typedef VECTOR(hash_data) digest_list;
static anchor_list trust_anchors = VEC_INIT;
static anchor_list forbidden_anchors = VEC_INIT;
static digest_list forbidden_digests = VEC_INIT;
static int anchor_verbose = 0;
void
ve_anchor_verbose_set(int n)
{
anchor_verbose = n;
}
int
ve_anchor_verbose_get(void)
{
return (anchor_verbose);
}
void
ve_debug_set(int n)
{
DebugVe = n;
}
/*
* For embedded systems (and boot loaders)
* we do not want to enforce certificate validity post install.
* It is generally unacceptible for infrastructure to stop working
* just because it has not been updated recently.
*/
static int enforce_validity = 0;
void
ve_enforce_validity_set(int i)
{
enforce_validity = i;
}
static char ebuf[512];
char *
ve_error_get(void)
{
return (ebuf);
}
int
ve_error_set(const char *fmt, ...)
{
int rc;
va_list ap;
va_start(ap, fmt);
ebuf[0] = '\0';
rc = 0;
if (fmt) {
#ifdef STAND_H
vsprintf(ebuf, fmt, ap); /* no vsnprintf in libstand */
ebuf[sizeof(ebuf) - 1] = '\0';
rc = strlen(ebuf);
#else
rc = vsnprintf(ebuf, sizeof(ebuf), fmt, ap);
#endif
}
va_end(ap);
return (rc);
}
#define isleap(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
/*
* The *approximate* date.
*
* When certificate verification fails for being
* expired or not yet valid, it helps to indicate
* our current date.
* Since libsa lacks strftime and gmtime,
* this simple implementation suffices.
*/
static const char *
gdate(char *buf, size_t bufsz, time_t clock)
{
int days[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
int year, y, m, d;
y = clock / AVG_SECONDS_PER_YEAR;
year = EPOCH_YEAR + y;
for (y = EPOCH_YEAR; y < year; y++) {
clock -= SECONDS_PER_YEAR;
if (isleap(y))
clock -= SECONDS_PER_DAY;
}
d = clock / SECONDS_PER_DAY;
for (m = 0; d > 1 && m < 12; m++) {
if (d > days[m]) {
d -= days[m];
if (m == 1 && d > 0 && isleap(year))
d--;
} else
break;
}
d++;
if (d > days[m]) {
d = 1;
m++;
if (m >= 12) {
year++;
m = 0;
}
}
(void)snprintf(buf, bufsz, "%04d-%02d-%02d", year, m+1, d);
return(buf);
}
/* this is the time we use for verifying certs */
#ifdef UNIT_TEST
extern time_t ve_utc;
time_t ve_utc = 0;
#else
static time_t ve_utc = 0;
#endif
/**
* @brief
* set ve_utc used for certificate verification
*
* @param[in] utc
* time - ignored unless greater than current value
* and not a leap of 20 years or more.
*/
void
ve_utc_set(time_t utc)
{
if (utc > ve_utc &&
(ve_utc == 0 || (utc - ve_utc) < VE_UTC_MAX_JUMP)) {
DEBUG_PRINTF(2, ("Set ve_utc=%jd\n", (intmax_t)utc));
ve_utc = utc;
}
}
static void
free_cert_contents(br_x509_certificate *xc)
{
xfree(xc->data);
}
/*
* a bit of a dance to get commonName from a certificate
*/
static char *
x509_cn_get(br_x509_certificate *xc, char *buf, size_t len)
{
br_x509_minimal_context mc;
br_name_element cn;
unsigned char cn_oid[4];
int err;
if (buf == NULL)
return (buf);
/*
* We want the commonName field
* the OID we want is 2,5,4,3 - but DER encoded
*/
cn_oid[0] = 3;
cn_oid[1] = 0x55;
cn_oid[2] = 4;
cn_oid[3] = 3;
cn.oid = cn_oid;
cn.buf = buf;
cn.len = len;
cn.buf[0] = '\0';
br_x509_minimal_init(&mc, &br_sha256_vtable, NULL, 0);
br_x509_minimal_set_name_elements(&mc, &cn, 1);
/* the below actually does the work - updates cn.status */
mc.vtable->start_chain(&mc.vtable, NULL);
mc.vtable->start_cert(&mc.vtable, xc->data_len);
mc.vtable->append(&mc.vtable, xc->data, xc->data_len);
mc.vtable->end_cert(&mc.vtable);
/* we don' actually care about cert status - just its name */
err = mc.vtable->end_chain(&mc.vtable);
if (!cn.status)
buf = NULL;
return (buf);
}
/* ASN parsing related defines */
#define ASN1_PRIMITIVE_TAG 0x1F
#define ASN1_INF_LENGTH 0x80
#define ASN1_LENGTH_MASK 0x7F
/*
* Get TBS part of certificate.
* Since BearSSL doesn't provide any API to do this,
* it has to be implemented here.
*/
static void*
X509_to_tbs(unsigned char* cert, size_t* output_size)
{
unsigned char *result;
size_t tbs_size;
int size, i;
if (cert == NULL)
return (NULL);
/* Strip two sequences to get to the TBS section */
for (i = 0; i < 2; i++) {
/*
* XXX: We don't need to support extended tags since
* they should not be present in certificates.
*/
if ((*cert & ASN1_PRIMITIVE_TAG) == ASN1_PRIMITIVE_TAG)
return (NULL);
cert++;
if (*cert == ASN1_INF_LENGTH)
return (NULL);
size = *cert & ASN1_LENGTH_MASK;
tbs_size = 0;
/* Size can either be stored on a single or multiple bytes */
if (*cert & (ASN1_LENGTH_MASK + 1)) {
cert++;
while (*cert == 0 && size > 0) {
cert++;
size--;
}
while (size-- > 0) {
tbs_size <<= 8;
tbs_size |= *(cert++);
}
}
if (i == 0)
result = cert;
}
tbs_size += (cert - result);
if (output_size != NULL)
*output_size = tbs_size;
return (result);
}
void
ve_forbidden_digest_add(hash_data *digest, size_t num)
{
while (num--)
VEC_ADD(forbidden_digests, digest[num]);
}
static size_t
ve_anchors_add(br_x509_certificate *xcs, size_t num, anchor_list *anchors,
const char *anchors_name)
{
br_x509_trust_anchor ta;
size_t u;
for (u = 0; u < num; u++) {
if (certificate_to_trust_anchor_inner(&ta, &xcs[u]) < 0) {
break;
}
VEC_ADD(*anchors, ta);
if (anchor_verbose && anchors_name) {
char buf[64];
char *cp;
cp = x509_cn_get(&xcs[u], buf, sizeof(buf));
if (cp) {
printf("x509_anchor(%s) %s\n", cp, anchors_name);
}
}
}
return (u);
}
/**
* @brief
* add certs to our trust store
*/
size_t
ve_trust_anchors_add(br_x509_certificate *xcs, size_t num)
{
return (ve_anchors_add(xcs, num, &trust_anchors, "trusted"));
}
size_t
ve_forbidden_anchors_add(br_x509_certificate *xcs, size_t num)
{
return (ve_anchors_add(xcs, num, &forbidden_anchors, "forbidden"));
}
/**
* @brief add trust anchors in buf
*
* Assume buf contains x509 certificates, but if not and
* we support OpenPGP try adding as that.
*
* @return number of anchors added
*/
size_t
ve_trust_anchors_add_buf(unsigned char *buf, size_t len)
{
br_x509_certificate *xcs;
size_t num;
num = 0;
xcs = parse_certificates(buf, len, &num);
if (xcs != NULL) {
num = ve_trust_anchors_add(xcs, num);
#ifdef VE_OPENPGP_SUPPORT
} else {
num = openpgp_trust_add_buf(buf, len);
#endif
}
return (num);
}
/**
* @brief revoke trust anchors in buf
*
* Assume buf contains x509 certificates, but if not and
* we support OpenPGP try revoking keyId
*
* @return number of anchors revoked
*/
size_t
ve_trust_anchors_revoke(unsigned char *buf, size_t len)
{
br_x509_certificate *xcs;
size_t num;
num = 0;
xcs = parse_certificates(buf, len, &num);
if (xcs != NULL) {
num = ve_forbidden_anchors_add(xcs, num);
#ifdef VE_OPENPGP_SUPPORT
} else {
if (buf[len - 1] == '\n')
buf[len - 1] = '\0';
num = openpgp_trust_revoke((char *)buf);
#endif
}
return (num);
}
/**
* @brief
* initialize our trust_anchors from ta_PEM
*/
int
ve_trust_init(void)
{
static int once = -1;
if (once >= 0)
return (once);
once = 0; /* to be sure */
#ifdef BUILD_UTC
ve_utc_set(BUILD_UTC); /* ensure sanity */
#endif
ve_utc_set(time(NULL));
ve_error_set(NULL); /* make sure it is empty */
#ifdef VE_PCR_SUPPORT
ve_pcr_init();
#endif
#ifdef TRUST_ANCHOR_STR
if (TRUST_ANCHOR_STR != NULL && strlen(TRUST_ANCHOR_STR) != 0ul)
ve_trust_anchors_add_buf(__DECONST(unsigned char *,
TRUST_ANCHOR_STR), sizeof(TRUST_ANCHOR_STR));
#endif
once = (int) VEC_LEN(trust_anchors);
#ifdef VE_OPENPGP_SUPPORT
once += openpgp_trust_init();
#endif
return (once);
}
#ifdef HAVE_BR_X509_TIME_CHECK
static int
-verify_time_cb(void *tctx,
+verify_time_cb(void *tctx __unused,
uint32_t not_before_days, uint32_t not_before_seconds,
uint32_t not_after_days, uint32_t not_after_seconds)
{
time_t not_before;
time_t not_after;
int rc;
#ifdef UNIT_TEST
char date[12], nb_date[12], na_date[12];
#endif
if (enforce_validity) {
not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds;
not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds;
if (ve_utc < not_before)
rc = -1;
else if (ve_utc > not_after)
rc = 1;
else
rc = 0;
#ifdef UNIT_TEST
printf("notBefore %s notAfter %s date %s rc %d\n",
gdate(nb_date, sizeof(nb_date), not_before),
gdate(na_date, sizeof(na_date), not_after),
gdate(date, sizeof(date), ve_utc), rc);
#endif
} else
rc = 0; /* don't fail */
return rc;
}
#endif
/**
* if we can verify the certificate chain in "certs",
* return the public key and if "xcp" is !NULL the associated
* certificate
*/
static br_x509_pkey *
verify_signer_xcs(br_x509_certificate *xcs,
size_t num,
br_name_element *elts, size_t num_elts,
anchor_list *anchors)
{
br_x509_minimal_context mc;
br_x509_certificate *xc;
size_t u;
cert_list chain = VEC_INIT;
const br_x509_pkey *tpk;
br_x509_pkey *pk;
unsigned int usages;
int err;
DEBUG_PRINTF(5, ("verify_signer: %zu certs in chain\n", num));
VEC_ADDMANY(chain, xcs, num);
if (VEC_LEN(chain) == 0) {
ve_error_set("ERROR: no/invalid certificate chain\n");
return (NULL);
}
DEBUG_PRINTF(5, ("verify_signer: %zu trust anchors\n",
VEC_LEN(*anchors)));
br_x509_minimal_init(&mc, &br_sha256_vtable,
&VEC_ELT(*anchors, 0),
VEC_LEN(*anchors));
#ifdef VE_ECDSA_SUPPORT
br_x509_minimal_set_ecdsa(&mc,
&br_ec_prime_i31, &br_ecdsa_i31_vrfy_asn1);
#endif
#ifdef VE_RSA_SUPPORT
br_x509_minimal_set_rsa(&mc, &br_rsa_i31_pkcs1_vrfy);
#endif
#if defined(UNIT_TEST) && defined(VE_DEPRECATED_RSA_SHA1_SUPPORT)
/* This is deprecated! do not enable unless you absolutely have to */
br_x509_minimal_set_hash(&mc, br_sha1_ID, &br_sha1_vtable);
#endif
br_x509_minimal_set_hash(&mc, br_sha256_ID, &br_sha256_vtable);
#ifdef VE_SHA384_SUPPORT
br_x509_minimal_set_hash(&mc, br_sha384_ID, &br_sha384_vtable);
#endif
#ifdef VE_SHA512_SUPPORT
br_x509_minimal_set_hash(&mc, br_sha512_ID, &br_sha512_vtable);
#endif
br_x509_minimal_set_name_elements(&mc, elts, num_elts);
#ifdef HAVE_BR_X509_TIME_CHECK
br_x509_minimal_set_time_callback(&mc, NULL, verify_time_cb);
#else
#if defined(_STANDALONE) || defined(UNIT_TEST)
/*
* Clock is probably bogus so we use ve_utc.
*/
mc.days = (ve_utc / SECONDS_PER_DAY) + X509_DAYS_TO_UTC0;
mc.seconds = (ve_utc % SECONDS_PER_DAY);
#endif
#endif
mc.vtable->start_chain(&mc.vtable, NULL);
for (u = 0; u < VEC_LEN(chain); u ++) {
xc = &VEC_ELT(chain, u);
mc.vtable->start_cert(&mc.vtable, xc->data_len);
mc.vtable->append(&mc.vtable, xc->data, xc->data_len);
mc.vtable->end_cert(&mc.vtable);
switch (mc.err) {
case 0:
case BR_ERR_X509_OK:
case BR_ERR_X509_EXPIRED:
break;
default:
printf("u=%zu mc.err=%d\n", u, mc.err);
break;
}
}
err = mc.vtable->end_chain(&mc.vtable);
pk = NULL;
if (err) {
char date[12];
switch (err) {
case 54:
ve_error_set("Validation failed, certificate not valid as of %s",
gdate(date, sizeof(date), ve_utc));
break;
default:
ve_error_set("Validation failed, err = %d", err);
break;
}
} else {
tpk = mc.vtable->get_pkey(&mc.vtable, &usages);
if (tpk != NULL) {
pk = xpkeydup(tpk);
}
}
VEC_CLEAR(chain);
return (pk);
}
/*
* Check if digest of one of the certificates from verified chain
* is present in the forbidden database.
* Since UEFI allows to store three types of digests
* all of them have to be checked separately.
*/
static int
check_forbidden_digests(br_x509_certificate *xcs, size_t num)
{
unsigned char sha256_digest[br_sha256_SIZE];
unsigned char sha384_digest[br_sha384_SIZE];
unsigned char sha512_digest[br_sha512_SIZE];
void *tbs;
hash_data *digest;
br_hash_compat_context ctx;
const br_hash_class *md;
size_t tbs_len, i;
int have_sha256, have_sha384, have_sha512;
if (VEC_LEN(forbidden_digests) == 0)
return (0);
/*
* Iterate through certificates, extract their To-Be-Signed section,
* and compare its digest against the ones in the forbidden database.
*/
while (num--) {
tbs = X509_to_tbs(xcs[num].data, &tbs_len);
if (tbs == NULL) {
printf("Failed to obtain TBS part of certificate\n");
return (1);
}
have_sha256 = have_sha384 = have_sha512 = 0;
for (i = 0; i < VEC_LEN(forbidden_digests); i++) {
digest = &VEC_ELT(forbidden_digests, i);
switch (digest->hash_size) {
case br_sha256_SIZE:
if (!have_sha256) {
have_sha256 = 1;
md = &br_sha256_vtable;
md->init(&ctx.vtable);
md->update(&ctx.vtable, tbs, tbs_len);
md->out(&ctx.vtable, sha256_digest);
}
if (!memcmp(sha256_digest,
digest->data,
br_sha256_SIZE))
return (1);
break;
case br_sha384_SIZE:
if (!have_sha384) {
have_sha384 = 1;
md = &br_sha384_vtable;
md->init(&ctx.vtable);
md->update(&ctx.vtable, tbs, tbs_len);
md->out(&ctx.vtable, sha384_digest);
}
if (!memcmp(sha384_digest,
digest->data,
br_sha384_SIZE))
return (1);
break;
case br_sha512_SIZE:
if (!have_sha512) {
have_sha512 = 1;
md = &br_sha512_vtable;
md->init(&ctx.vtable);
md->update(&ctx.vtable, tbs, tbs_len);
md->out(&ctx.vtable, sha512_digest);
}
if (!memcmp(sha512_digest,
digest->data,
br_sha512_SIZE))
return (1);
break;
}
}
}
return (0);
}
static br_x509_pkey *
verify_signer(const char *certs,
br_name_element *elts, size_t num_elts)
{
br_x509_certificate *xcs;
br_x509_pkey *pk;
size_t num;
pk = NULL;
ve_trust_init();
xcs = read_certificates(certs, &num);
if (xcs == NULL) {
ve_error_set("cannot read certificates\n");
return (NULL);
}
/*
* Check if either
* 1. There is a direct match between cert from forbidden_anchors
* and a cert from chain.
* 2. CA that signed the chain is found in forbidden_anchors.
*/
if (VEC_LEN(forbidden_anchors) > 0)
pk = verify_signer_xcs(xcs, num, elts, num_elts, &forbidden_anchors);
if (pk != NULL) {
ve_error_set("Certificate is on forbidden list\n");
xfreepkey(pk);
pk = NULL;
goto out;
}
pk = verify_signer_xcs(xcs, num, elts, num_elts, &trust_anchors);
if (pk == NULL)
goto out;
/*
* Check if hash of tbs part of any certificate in chain
* is on the forbidden list.
*/
if (check_forbidden_digests(xcs, num)) {
ve_error_set("Certificate hash is on forbidden list\n");
xfreepkey(pk);
pk = NULL;
}
out:
free_certificates(xcs, num);
return (pk);
}
/**
* we need a hex digest including trailing newline below
*/
char *
hexdigest(char *buf, size_t bufsz, unsigned char *foo, size_t foo_len)
{
char const hex2ascii[] = "0123456789abcdef";
size_t i;
/* every binary byte is 2 chars in hex + newline + null */
if (bufsz < (2 * foo_len) + 2)
return (NULL);
for (i = 0; i < foo_len; i++) {
buf[i * 2] = hex2ascii[foo[i] >> 4];
buf[i * 2 + 1] = hex2ascii[foo[i] & 0x0f];
}
buf[i * 2] = 0x0A; /* we also want a newline */
buf[i * 2 + 1] = '\0';
return (buf);
}
/**
* @brief
* verify file against sigfile using pk
*
* When we generated the signature in sigfile,
* we hashed (sha256) file, and sent that to signing server
* which hashed (sha256) that hash.
*
* To verify we need to replicate that result.
*
* @param[in] pk
* br_x509_pkey
*
* @paramp[in] file
* file to be verified
*
* @param[in] sigfile
* signature (PEM encoded)
*
* @return NULL on error, otherwise content of file.
*/
#ifdef VE_ECDSA_SUPPORT
static unsigned char *
verify_ec(br_x509_pkey *pk, const char *file, const char *sigfile)
{
#ifdef VE_ECDSA_HASH_AGAIN
char *hex, hexbuf[br_sha512_SIZE * 2 + 2];
#endif
unsigned char rhbuf[br_sha512_SIZE];
br_sha256_context ctx;
unsigned char *fcp, *scp;
size_t flen, slen, plen;
pem_object *po;
const br_ec_impl *ec;
br_ecdsa_vrfy vrfy;
if ((fcp = read_file(file, &flen)) == NULL)
return (NULL);
if ((scp = read_file(sigfile, &slen)) == NULL) {
free(fcp);
return (NULL);
}
if ((po = decode_pem(scp, slen, &plen)) == NULL) {
free(fcp);
free(scp);
return (NULL);
}
br_sha256_init(&ctx);
br_sha256_update(&ctx, fcp, flen);
br_sha256_out(&ctx, rhbuf);
#ifdef VE_ECDSA_HASH_AGAIN
hex = hexdigest(hexbuf, sizeof(hexbuf), rhbuf, br_sha256_SIZE);
/* now hash that */
if (hex) {
br_sha256_init(&ctx);
br_sha256_update(&ctx, hex, strlen(hex));
br_sha256_out(&ctx, rhbuf);
}
#endif
ec = br_ec_get_default();
vrfy = br_ecdsa_vrfy_asn1_get_default();
if (!vrfy(ec, rhbuf, br_sha256_SIZE, &pk->key.ec, po->data,
po->data_len)) {
free(fcp);
fcp = NULL;
}
free(scp);
return (fcp);
}
#endif
#if defined(VE_RSA_SUPPORT) || defined(VE_OPENPGP_SUPPORT)
/**
* @brief verify an rsa digest
*
* @return 0 on failure
*/
int
verify_rsa_digest (br_rsa_public_key *pkey,
const unsigned char *hash_oid,
unsigned char *mdata, size_t mlen,
unsigned char *sdata, size_t slen)
{
br_rsa_pkcs1_vrfy vrfy;
unsigned char vhbuf[br_sha512_SIZE];
vrfy = br_rsa_pkcs1_vrfy_get_default();
if (!vrfy(sdata, slen, hash_oid, mlen, pkey, vhbuf) ||
memcmp(vhbuf, mdata, mlen) != 0) {
return (0); /* fail */
}
return (1); /* ok */
}
#endif
/**
* @brief
* verify file against sigfile using pk
*
* When we generated the signature in sigfile,
* we hashed (sha256) file, and sent that to signing server
* which hashed (sha256) that hash.
*
* Or (deprecated) we simply used sha1 hash directly.
*
* To verify we need to replicate that result.
*
* @param[in] pk
* br_x509_pkey
*
* @paramp[in] file
* file to be verified
*
* @param[in] sigfile
* signature (PEM encoded)
*
* @return NULL on error, otherwise content of file.
*/
#ifdef VE_RSA_SUPPORT
static unsigned char *
verify_rsa(br_x509_pkey *pk, const char *file, const char *sigfile)
{
unsigned char rhbuf[br_sha512_SIZE];
const unsigned char *hash_oid;
const br_hash_class *md;
br_hash_compat_context mctx;
unsigned char *fcp, *scp;
size_t flen, slen, plen, hlen;
pem_object *po;
if ((fcp = read_file(file, &flen)) == NULL)
return (NULL);
if ((scp = read_file(sigfile, &slen)) == NULL) {
free(fcp);
return (NULL);
}
if ((po = decode_pem(scp, slen, &plen)) == NULL) {
free(fcp);
free(scp);
return (NULL);
}
switch (po->data_len) {
#if defined(UNIT_TEST) && defined(VE_DEPRECATED_RSA_SHA1_SUPPORT)
case 256:
// this is our old deprecated sig method
md = &br_sha1_vtable;
hlen = br_sha1_SIZE;
hash_oid = BR_HASH_OID_SHA1;
break;
#endif
default:
md = &br_sha256_vtable;
hlen = br_sha256_SIZE;
hash_oid = BR_HASH_OID_SHA256;
break;
}
md->init(&mctx.vtable);
md->update(&mctx.vtable, fcp, flen);
md->out(&mctx.vtable, rhbuf);
if (!verify_rsa_digest(&pk->key.rsa, hash_oid,
rhbuf, hlen, po->data, po->data_len)) {
free(fcp);
fcp = NULL;
}
free(scp);
return (fcp);
}
#endif
/**
* @brief
* verify a signature and return content of signed file
*
* @param[in] sigfile
* file containing signature
* we derrive path of signed file and certificate change from
* this.
*
* @param[in] flags
* only bit 1 significant so far
*
* @return NULL on error otherwise content of signed file
*/
unsigned char *
verify_sig(const char *sigfile, int flags)
{
br_x509_pkey *pk;
br_name_element cn;
char cn_buf[80];
unsigned char cn_oid[4];
char pbuf[MAXPATHLEN];
char *cp;
unsigned char *ucp;
size_t n;
DEBUG_PRINTF(5, ("verify_sig: %s\n", sigfile));
n = strlcpy(pbuf, sigfile, sizeof(pbuf));
if (n > (sizeof(pbuf) - 5) || strcmp(&sigfile[n - 3], "sig") != 0)
return (NULL);
cp = strcpy(&pbuf[n - 3], "certs");
/*
* We want the commonName field
* the OID we want is 2,5,4,3 - but DER encoded
*/
cn_oid[0] = 3;
cn_oid[1] = 0x55;
cn_oid[2] = 4;
cn_oid[3] = 3;
cn.oid = cn_oid;
cn.buf = cn_buf;
cn.len = sizeof(cn_buf);
pk = verify_signer(pbuf, &cn, 1);
if (!pk) {
printf("cannot verify: %s: %s\n", pbuf, ve_error_get());
return (NULL);
}
for (; cp > pbuf; cp--) {
if (*cp == '.') {
*cp = '\0';
break;
}
}
switch (pk->key_type) {
#ifdef VE_ECDSA_SUPPORT
case BR_KEYTYPE_EC:
ucp = verify_ec(pk, pbuf, sigfile);
break;
#endif
#ifdef VE_RSA_SUPPORT
case BR_KEYTYPE_RSA:
ucp = verify_rsa(pk, pbuf, sigfile);
break;
#endif
default:
ucp = NULL; /* not supported */
}
xfreepkey(pk);
if (!ucp) {
printf("Unverified %s (%s)\n", pbuf,
cn.status ? cn_buf : "unknown");
} else if ((flags & VEF_VERBOSE) != 0) {
printf("Verified %s signed by %s\n", pbuf,
cn.status ? cn_buf : "someone we trust");
}
return (ucp);
}
/**
* @brief verify hash matches
*
* We have finished hashing a file,
* see if we got the desired result.
*
* @param[in] ctx
* pointer to hash context
*
* @param[in] md
* pointer to hash class
*
* @param[in] path
* name of the file we are checking
*
* @param[in] want
* the expected result
*
* @param[in] hlen
* size of hash output
*
* @return 0 on success
*/
int
ve_check_hash(br_hash_compat_context *ctx, const br_hash_class *md,
const char *path, const char *want, size_t hlen)
{
char hexbuf[br_sha512_SIZE * 2 + 2];
unsigned char hbuf[br_sha512_SIZE];
char *hex;
int rc;
int n;
md->out(&ctx->vtable, hbuf);
#ifdef VE_PCR_SUPPORT
ve_pcr_update(path, hbuf, hlen);
#endif
hex = hexdigest(hexbuf, sizeof(hexbuf), hbuf, hlen);
if (!hex)
return (VE_FINGERPRINT_WRONG);
n = 2*hlen;
if ((rc = strncmp(hex, want, n))) {
ve_error_set("%s: %.*s != %.*s", path, n, hex, n, want);
rc = VE_FINGERPRINT_WRONG;
}
return (rc ? rc : VE_FINGERPRINT_OK);
}
#ifdef VE_HASH_KAT_STR
static int
test_hash(const br_hash_class *md, size_t hlen,
const char *hname, const char *s, size_t slen, const char *want)
{
br_hash_compat_context mctx;
md->init(&mctx.vtable);
md->update(&mctx.vtable, s, slen);
return (ve_check_hash(&mctx, md, hname, want, hlen) != VE_FINGERPRINT_OK);
}
#endif
#define ve_test_hash(n, N) \
printf("Testing hash: " #n "\t\t\t\t%s\n", \
test_hash(&br_ ## n ## _vtable, br_ ## n ## _SIZE, #n, \
VE_HASH_KAT_STR, VE_HASH_KAT_STRLEN(VE_HASH_KAT_STR), \
vh_ ## N) ? "Failed" : "Passed")
/**
* @brief
* run self tests on hash and signature verification
*
* Test that the hash methods (SHA1 and SHA256) work.
* Test that we can verify a certificate for each supported
* Root CA.
*
* @return cached result.
*/
int
ve_self_tests(void)
{
static int once = -1;
#ifdef VERIFY_CERTS_STR
br_x509_certificate *xcs;
br_x509_pkey *pk;
br_name_element cn;
char cn_buf[80];
unsigned char cn_oid[4];
size_t num;
size_t u;
#endif
if (once >= 0)
return (once);
once = 0;
DEBUG_PRINTF(5, ("Self tests...\n"));
#ifdef VE_HASH_KAT_STR
#ifdef VE_SHA1_SUPPORT
ve_test_hash(sha1, SHA1);
#endif
#ifdef VE_SHA256_SUPPORT
ve_test_hash(sha256, SHA256);
#endif
#ifdef VE_SHA384_SUPPORT
ve_test_hash(sha384, SHA384);
#endif
#ifdef VE_SHA512_SUPPORT
ve_test_hash(sha512, SHA512);
#endif
#endif
#ifdef VERIFY_CERTS_STR
xcs = parse_certificates(__DECONST(unsigned char *, VERIFY_CERTS_STR),
sizeof(VERIFY_CERTS_STR), &num);
if (xcs != NULL) {
/*
* We want the commonName field
* the OID we want is 2,5,4,3 - but DER encoded
*/
cn_oid[0] = 3;
cn_oid[1] = 0x55;
cn_oid[2] = 4;
cn_oid[3] = 3;
cn.oid = cn_oid;
cn.buf = cn_buf;
for (u = 0; u < num; u ++) {
cn.len = sizeof(cn_buf);
if ((pk = verify_signer_xcs(&xcs[u], 1, &cn, 1, &trust_anchors)) != NULL) {
free_cert_contents(&xcs[u]);
once++;
printf("Testing verify certificate: %s\tPassed\n",
cn.status ? cn_buf : "");
xfreepkey(pk);
}
}
if (!once)
printf("Testing verify certificate:\t\t\tFailed\n");
xfree(xcs);
}
#endif /* VERIFY_CERTS_STR */
#ifdef VE_OPENPGP_SUPPORT
if (!openpgp_self_tests())
once++;
#endif
return (once);
}